Total FBO User Conference

Branden reviews major issues surrounding PCI and how to handle compliance and security.


  1. The Need for PCI
     TotalFBO User Conference
     Presented by Branden R. Williams, [email_address], http://brandenwilliams.com/
     September 17, 2009
  2. PCI Data Security Standard Overview: The History of PCI DSS
     - 2001-2003: Separate Visa (2001) and MasterCard (2003) programs
     - 2004: Programs combined into the Payment Card Industry (PCI) Data Security Standard (DSS); 12 core requirements; scanning requirements for public-facing systems
     - 2005: Payment application best practices program announced
     - 2006: PCI Security Standards Council formed and PCI DSS version 1.1 released
     - 2008: PA-DSS released; new SAQs released; PCI DSS version 1.2
  3. Defining Compliance/Validation
     - Compliance
       - You are, at this moment, meeting all of the requirements related to PCI
       - Yes, for real
     - Validation
       - QSA or Internal Audit (for merchants) reviews controls
       - Decides you are compliant
       - Fill out Attestation
  4. Why breaches happen: Firefighting and PCI (The Fire Inspector Analogy)
     - QSA issues
       - QSA is not thorough
       - Does not ask the right questions
       - Is not interviewing the right people
       - Does not sample correctly
     - Merchant/Service Provider
       - Hides things from the QSA
       - Intentionally chooses an easy QSA
       - Falsifies documentation
     - PCI must be a partnership!
     - The company that PCI is enforced upon is ultimately responsible for compliance!
  5. Case Studies: A company gets it oh so wrong (Medium US-Based Retail, <1,000 Locations)
     - Fail every year, but remediate in 60 days
     - Out of compliance for most of the year
       - Risk of breach in between
       - No repeatable processes
       - Compliance viewed as an "audit"
     - Security/Compliance office buried
       - All reporting to IT?
       - CISO unable to sell management
       - Process stagnates
  6. Case Studies: A company gets it (Large US-Based Service Provider)
     - Pass most years, minor gaps fixed in days
     - In compliance for most of the year
       - Fixated on compliance
       - Read the letter of the law
       - Do not use a risk model
     - Security needs to grow
       - Wireless IPS
       - Log management
       - Governance
  7. Case Studies: A company gets it right (Medium US-Based Service Provider)
     - Pass every year
       - Assessment scope < 1%
       - Assessment done in one week
     - In compliance all year
       - Program rooted in security
       - Understand the intent of each requirement
       - Spend for security, get compliance for free
     - Simple & elegant payment (PMT) systems
       - Complex ≠ competitive advantage
       - Simplicity + elegance = competitive advantage
     - Go into the assessment knowing the outcome
  8. What keeps you up at night? As an executive, data security SHOULD keep you up at night!
     - Breaches are expensive
       - Fees
       - Fines
       - CapEx for hardware
     - Breaches 'cost' more today
       - Weak economy
       - Weak sales
       - Flat growth
       - Harder to measure
     - Breaches put you at a competitive disadvantage
       - 20 years of FTC-mandated audits?
       - Cash allocation erased?
  9. General Disclaimer
     This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Unpublished work of Branden R. Williams. © All rights reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.