Speaker notes:

  • What is PCI DSS? Why is it here? Who it applies to? What should you do? How to make it easier? Common myths about PCI.
  • Visa and MasterCard have had their own security programs for years, with separate, and sometimes conflicting, requirements: CISP & QDSC (Visa), SDP (MasterCard). Due to rampant data breaches & credit card fraud, a unified approach was needed. The PCI Council was founded.
  • PCI DSS is an industry standard that highlights the following: the PCI Data Security Standard is endorsed by the “Participating Brands”: Visa, MasterCard, American Express, Discover Card, JCB and Diners’ Club. Standardized security requirements; consistent validation requirements and protocols; common evaluator credentials and approvals; clear procedures for review and reassessment. Slide point of contact: Eduardo Perez.
  • Cash business!
  • PCI is a standard that can be understood and followed. All major credit card companies are supporting the standard. Quarterly compliance is a requirement regardless of Merchant or Service Provider Level. It is important to choose the right solutions and vendors to help you secure your critical data and automate the compliance process. Additional information can be found at: https://www.pcisecuritystandards.org/ and http://www.qualys.com/pci_compliance/wesem/
  • Don’t Fear PCI DSS!

    1. Don’t Fear PCI DSS! Even Though It Can Be Scary At Times
       July 16-17, 2009, Napa Valley Marriott
       Dr. Anton Chuvakin, [email_address], Security Warrior Consulting

    2. WARNING!
       • This is a very, very, very basic PCI DSS presentation.
       • PCI literati … take notice of that.

    3. Agenda
       • What is PCI DSS?
       • Who does it apply to?
       • Why is it here?
       • What should you do?
       • How to make it easier?
       • Common myths about PCI

    4. What is PCI DSS or PCI?
       • Payment Card Industry Data Security Standard
       • Payment Card =
       • Payment Card Industry =
       • Data Security =
       • Data Security Standard =

    5. PCI Security Standards Council
       • New organization formed to promote PCI compliance.
       • Founded by:
         • American Express
         • Discover Financial Services
         • JCB
         • MasterCard Worldwide
         • Visa International
       • Approves security vendors:
         • Approved Scanning Vendors (ASV) – quarterly scans
         • Qualified Security Assessors (QSA) – on-site assessments

    6. PCI Data Security Standard
       • The PCI Council published the PCI DSS – Data Security Standard:
         • Outlined the minimum data security protection measures for payment card data.
         • Defined Merchant & Service Provider Levels, and compliance validation requirements.
         • Left the enforcement to card brands (the Council doesn’t fine anybody).
       • In October 2008 the PCI Council updated the PCI DSS to v1.2.
       • The next change is in 2010.

    7. PCI Data Security Standard In-Depth: PCI DSS is based on fundamental data security practices
       • Build and Maintain a Secure Network
         • Install and maintain a firewall configuration to protect data
         • Do not use vendor-supplied defaults for system passwords and other security parameters
       • Protect Cardholder Data
         • Protect stored data
         • Encrypt transmission of cardholder data and sensitive information across public networks
       • Maintain a Vulnerability Management Program
         • Use and regularly update anti-virus software
         • Develop and maintain secure systems and applications
       • Implement Strong Access Control Measures
         • Restrict access to data by business need-to-know
         • Assign a unique ID to each person with computer access
         • Restrict physical access to cardholder data
       • Regularly Monitor and Test Networks
         • Track and monitor all access to network resources and cardholder data
         • Regularly test security systems and processes
       • Maintain an Information Security Policy
         • Maintain a policy that addresses information security
    8. Why is PCI Here?
       • Criminals need money
       • Credit card = money
       • Where are the most cards? In computers.
       • Data theft grows and reaches HUGE volume
       • Some organizations still don’t care …
       • … especially if the loss is not theirs
       • Payment card brands enforce DSS!

    9. Does it Apply to Me?
       • “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”

    10. Can I Pretend It Doesn’t Exist?
       • Well, yes.
       • YES-YOU-CAN!!!
       • “It is not necessary to change. Survival is not mandatory.” – William Edwards Deming
       • In other words, you can do business with cash!

    11. Can I Make It Easier? PCI DSS Tips
       • Scope
         • “Don’t touch that … ‘stuff’” (if you can) -> outsource!
         • Don’t store prohibited card data (CVV2, PIN, etc.)
         • Don’t store any card data – revisit your storage reasons

    12. More PCI DSS Tips
       • Protection – comes AFTER scope reduction!
         • Install and update anti-malware
         • Change passwords: writing passwords down beats easy passwords
         • Vulnerability scans: close the obvious hacker holes
    13. So, What Should I Do?
       • Less card data -> less work needed!!! (Yes, 3 times)
       • PCI is common sense, basic data security; stop complaining about it – start doing it!
       • After validating that you are compliant, don’t stop: ongoing compliance AND security is your goal, not “passing an audit”

    14. Final Word: “It Can’t Happen to Me!”
       • It probably already did!

    15. The “PCI Compliance” Book Out Soon!
       • Get as much information as you can about PCI and how it relates to your organization!
       • Q: More information?
       • A: Get THE PCI book: “PCI Compliance” by Anton Chuvakin and Branden Williams (out in Nov 2009!)
       • Also look at the authors’ blogs:
         • chuvakin.blogspot.com/search/label/PCI
         • brandenwilliams.com/blog

    16. Q&A
       Thank You
       [email_address]

    17. Eight Common PCI Myths
       • PCI just doesn’t apply to us, because…
       • PCI is confusing and not specific!
       • PCI is too hard
       • Recent breaches prove PCI irrelevant
       • PCI is easy: we just have to “say Yes” on the SAQ and “get scanned”
       • My network, application, tool is PCI compliant
       • PCI is all we need to do for security!
       • Even if breached and then found non-compliant, our business will not suffer