PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams

  • Myth: PCI is confusing and not specific! “We don’t know what to do, who to ask, what exactly to change.” “Just give us a checklist and we will do it. Promise!” Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read and understand it. <- Also, read our book on PCI! Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you’ve been doing it!
  • QSA shop = liability transfer
  • Also: Lie to management about “we are NOT compliant – gimme budget!!”
  • How to STAY compliant!
    1. PCI DSS Done RIGHT or WRONG!
       Dr. Anton Chuvakin
       Branden R. Williams, CISSP, CISM
       Source, April 2010

    2. Agenda
       • PCI DSS basics for security folks
       • Fun PCI facts
       • PCI DSS done RIGHT and WRONG
       • Conclusions
       • Q&A, Discussion, Brawl

    3. About Branden
       • Director, RSA Security Consulting
       • Six plus years with PCI DSS
       • Twitter: @BrandenWilliams
       • Blog: blog.brandenwilliams.com
       • Author: PCI Compliance

    4. About Anton
       • Email: anton@chuvakin.org
       • Site: http://www.chuvakin.org
       • Blog: http://www.securitywarrior.org
       • Twitter: @anton_chuvakin
       • Consultant: http://www.securitywarriorconsulting.com
       • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
       • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
       • Standard developer: CEE, CVSS, OVAL, etc.
       • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
       • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

    5. What is PCI DSS or PCI?
       • Payment Card Industry Data Security Standard
       • Payment Card =
       • Payment Card Industry =
       • Data Security =
       • Data Security Standard =

    6. PCI DSS = Basic Security Practices (the 12 requirements, grouped under six goals)
       Build and Maintain a Secure Network
       • Install and maintain a firewall configuration to protect data
       • Do not use vendor-supplied defaults for system passwords and other security parameters
       Protect Cardholder Data
       • Protect stored data
       • Encrypt transmission of cardholder data and sensitive information across public networks
       Maintain a Vulnerability Management Program
       • Use and regularly update anti-virus software
       • Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
       • Restrict access to data by business need-to-know
       • Assign a unique ID to each person with computer access
       • Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
       • Track and monitor all access to network resources and cardholder data
       • Regularly test security systems and processes
       Maintain an Information Security Policy
       • Maintain a policy that addresses information security

    7. Ceiling vs Floor
       • PCI is a “floor” of security
       • This is the fundamental reality of PCI DSS!
       • However, many prefer to treat it as a “ceiling”
       • Result: security breaches

    8. PCI DSS Difficulty
       WRONG
       • Whine that “PCI DSS” is too hard – and not do it
       • Avoid parts that are seen as “hard” (e.g. logging)
       • Choose compensating controls (CCs) that are inferior to PCI controls
       RIGHT
       • Aim at benefiting from PCI DSS efforts (it IS possible!)
       • “Dual use everything” – buy for PCI, use broadly
       • Prioritize controls based on your risk (but aim to cover 100% of requirements)

    9. PCI DSS Easy
       WRONG
       • Consider that PCI is easy = [external] scan + “Y”
       • “QSA shop”
       • Think “sprint, not marathon”
       RIGHT
       • Think “gap” – yes, you do have it!
       • Select the QSA that understands the business
       • Prepare to maintain it (to not be the “wasn’t compliant when breached” case)

    10. PCI DSS = Security?
       WRONG
       • Pass a PCI assessment? Think “done with security”
       • Only implement PCI controls; ignore everything else
       • Remember about PCI DSS once a quarter
       RIGHT
       • Focus on doing security and PCI
       • Remember the daily tasks in PCI DSS
       • “Floor, not the ceiling”

    11. Truth in PCI
       WRONG
       • Lie to QSA and/or acquirer; play scope games
       • Misrepresent data in SAQ
       • Lie to management about “we are compliant”
       RIGHT
       • Work with a good QSA to get an objective assessment
       • Glance at PCI, think risk to data -> then implement

    12. Making Up Requirements
       WRONG
       • QSA acts like a black hat security hacker
       • QSA believes PCI is “common sense”
       • QSA hears trainer wrong
       RIGHT
       • PCI DSS is a baseline tuned to cardholder data
       • That’s why improvement to PCI DSS is imperative
       • Focus on the printed material part of PCI DSS

    13. Compromising Controls
       WRONG
       • Treat compensating controls as shortcuts
       • Use an ultra-liberal or ultra-conservative approach
       • Lose sight of the original requirement
       RIGHT
       • Use compensating controls where needed
       • Use an approach that passes the “sniff test”
       • Meet the requirements for a valid compensating control

    14. The FNG
       WRONG
       • Put someone brand new on a PCI DSS assessment
         – New Assessor (3 days of training?)
         – New Assessee (0 days of training!)
       RIGHT
       • Ensure assessors are experienced
       • Allow new employees to shadow experienced ones
       • Send employees to merchant training

    15. PCI and Security Today
       [slide image] <- This is the enemy!
       This is NOT the enemy! -> [slide image]
       Remember: security first, compliance as a result.

    16. Continuous Compliance vs Validation
       • Q: What to do after your QSA leaves?
       • A: PCI DSS compliance does NOT end when a QSA leaves or an SAQ is submitted.
       • Use what you built for PCI to reduce risk
       • “Own” PCI DSS; make it the basis for your policies
       • Think beyond credit card data and grow your security!
       • Note: a good QSA will check whether you are “wired” for continuous compliance. Pick one of that sort!
       • BTW, see Anton’s recent paper: “How to STAY Compliant”

    17. Conclusions and Action Items
       • PCI is common sense, basic security; stop complaining about it – start doing it!
       • After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.”
       • Develop a “security and risk” mindset, not a “compliance and audit” mindset.

    18. Get More Info!
       • “PCI Compliance” by Anton Chuvakin and Branden Williams, THE PCI book for merchants, vendors – and everybody else!
       • Get TWO free chapters at http://www.pcicompliancebook.info/
       • Released December 2009!

    19. Questions?
       Anton Chuvakin
         anton@chuvakin.org
         @anton_chuvakin
       Branden R. Williams, CISSP, CISM
         brw@brandenwilliams.com
         www.brandenwilliams.com
         @BrandenWilliams
