SlideShare a Scribd company logo
1 of 19
PCI DSS Done RIGHT or WRONG! Dr. Anton Chuvakin Branden R. Williams, CISSP, CISM Source, April 2010
Agenda PCI DSS basics for security folks Fun PCI facts PCI DSS done RIGHT and WRONG Conclusions Q&A, Discussion, Brawl 
About Branden Director, RSA Security Consulting Six plus years with PCI DSS Twitter: @BrandenWilliams Blog: blog.brandenwilliams.com Author: PCI Compliance
About Anton Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consultant:  http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card  =  Payment Card Industry =  Data Security =  Data Security Standard =
PCI DSS = Basic Security Practices ,[object Object]
Do not use vendor-supplied defaults for system passwords and other security parametersBuild and Maintain a Secure Network ,[object Object]
Encrypt transmission of cardholder data and sensitiveinformation across public networksProtect Cardholder Data ,[object Object]
Develop and maintain secure systems and applicationsMaintain a Vulnerability Management Program ,[object Object]
Assign a unique ID to each person with computer access
Restrict physical access to cardholder dataImplement Strong Access Control Measures ,[object Object]
Regularly test security systems and processesRegularly Monitor and Test Networks ,[object Object],Maintain an Information Security Policy
Ceiling vs Floor PCI is a “floor” of security This is fundamental reality of PCI DSS! However, many prefer to treat it as a “ceiling” Result:  security breaches
PCI DSS Difficulty WRONG Whine that “PCI DSS” is too hard – and not do it Avoid parts that are seen as “hard” (e.g. logging) Choose CCs that are inferior to PCI controls RIGHT Aim at benefiting from PCI DSS efforts (it IS possible!) “Dual use everything” – buy for PCI, use broadly Prioritize controls based on your risk (but aim to cover 100% of requirements)
PCI DSS Easy WRONG Consider that PCI is easy = [external] scan + “Y” “QSA shop” Think “sprint, not marathon” RIGHT Think “gap” – yes, you do have it! Select the QSA that understands the business Prepare to maintain it (to not be “wasn’t compliant when breached” case)
PCI DSS = Security? WRONG Pass a PCI assessment? Think “done with security” Only implement PCI controls; ignore everything else Remember about PCI DSS once a quarter RIGHT Focus on doing security and PCI Remember the daily tasks in PCI DSS “Floor, not the ceiling”
Truth in PCI WRONG Lie to QSA and/or acquirer; play scope games Misrepresent data in SAQ Lie to management about “we are compliant” RIGHT Work with good QSA to get an objective assessment Glance at PCI, think risk to data -> then implement
Making Up Requirements WRONG QSA acts like black hat security hacker QSA believes PCI is “common sense” QSA hears trainer wrong RIGHT PCI DSS is a baseline tuned to cardholder data That’s why improvement to PCI DSS is imperative Focus on printed material part of PCI DSS
Compromising Controls WRONG Treat compensating controls as shortcuts Use ultra-liberal or ultra-conservative approach Lose sight of the original requirement RIGHT Use compensating controls where needed Use an approach that passes the “sniff test” Meet the requirements for a valid comp control

More Related Content

What's hot

Alcumus ISOQAR PCIDSS Compliance Presentation
Alcumus  ISOQAR PCIDSS Compliance PresentationAlcumus  ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance Presentation
Bhargav Upadhyay
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
John Baines
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
b28stu
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 

What's hot (20)

Alcumus ISOQAR PCIDSS Compliance Presentation
Alcumus  ISOQAR PCIDSS Compliance PresentationAlcumus  ISOQAR PCIDSS Compliance Presentation
Alcumus ISOQAR PCIDSS Compliance Presentation
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
Pcidss
PcidssPcidss
Pcidss
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Approach pci- dss
Approach   pci- dssApproach   pci- dss
Approach pci- dss
 
PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...PCIDSS compliance made easier through a collaboration between NC State and UN...
PCIDSS compliance made easier through a collaboration between NC State and UN...
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
P0 Pcidss Overview
P0 Pcidss OverviewP0 Pcidss Overview
P0 Pcidss Overview
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder data
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 

Viewers also liked (7)

Acertigo AG on SBS Talk 2011
Acertigo AG on SBS Talk 2011Acertigo AG on SBS Talk 2011
Acertigo AG on SBS Talk 2011
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
PCIe and PCIe driver in WEC7 (Windows Embedded compact 7)
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 
Pci express technology 3.0
Pci express technology 3.0Pci express technology 3.0
Pci express technology 3.0
 

Similar to PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams

Similar to PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams (20)

PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and Reality
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
 
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
 
PCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesPCI 2010: Trends and Technologies
PCI 2010: Trends and Technologies
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
 
What do I really need to do to STAY compliant with PCI DSS?
What do I really need to do to STAY compliant with PCI DSS?What do I really need to do to STAY compliant with PCI DSS?
What do I really need to do to STAY compliant with PCI DSS?
 
Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
 
PCI Myths
PCI MythsPCI Myths
PCI Myths
 
"Compliance First" or "Security First"
"Compliance First" or "Security First""Compliance First" or "Security First"
"Compliance First" or "Security First"
 
Don’t Fear PCI DSS!
Don’t Fear PCI DSS!Don’t Fear PCI DSS!
Don’t Fear PCI DSS!
 
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
 
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
 
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
 
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
 
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLP
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
 
Pondurance pci dss 112014
Pondurance   pci dss 112014Pondurance   pci dss 112014
Pondurance pci dss 112014
 

More from Anton Chuvakin

More from Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

Recently uploaded (20)

WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 

PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams

  • 1. PCI DSS Done RIGHT or WRONG! Dr. Anton Chuvakin Branden R. Williams, CISSP, CISM Source, April 2010
  • 2. Agenda PCI DSS basics for security folks Fun PCI facts PCI DSS done RIGHT and WRONG Conclusions Q&A, Discussion, Brawl 
  • 3. About Branden Director, RSA Security Consulting Six plus years with PCI DSS Twitter: @BrandenWilliams Blog: blog.brandenwilliams.com Author: PCI Compliance
  • 4. About Anton Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • 5. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard =
  • 6.
  • 7.
  • 8.
  • 9.
  • 10. Assign a unique ID to each person with computer access
  • 11.
  • 12.
  • 13. Ceiling vs Floor PCI is a “floor” of security This is fundamental reality of PCI DSS! However, many prefer to treat it as a “ceiling” Result: security breaches
  • 14. PCI DSS Difficulty WRONG Whine that “PCI DSS” is too hard – and not do it Avoid parts that are seen as “hard” (e.g. logging) Choose CCs that are inferior to PCI controls RIGHT Aim at benefiting from PCI DSS efforts (it IS possible!) “Dual use everything” – buy for PCI, use broadly Prioritize controls based on your risk (but aim to cover 100% of requirements)
  • 15. PCI DSS Easy WRONG Consider that PCI is easy = [external] scan + “Y” “QSA shop” Think “sprint, not marathon” RIGHT Think “gap” – yes, you do have it! Select the QSA that understands the business Prepare to maintain it (to not be “wasn’t compliant when breached” case)
  • 16. PCI DSS = Security? WRONG Pass a PCI assessment? Think “done with security” Only implement PCI controls; ignore everything else Remember about PCI DSS once a quarter RIGHT Focus on doing security and PCI Remember the daily tasks in PCI DSS “Floor, not the ceiling”
  • 17. Truth in PCI WRONG Lie to QSA and/or acquirer; play scope games Misrepresent data in SAQ Lie to management about “we are compliant” RIGHT Work with good QSA to get an objective assessment Glance at PCI, think risk to data -> then implement
  • 18. Making Up Requirements WRONG QSA acts like black hat security hacker QSA believes PCI is “common sense” QSA hears trainer wrong RIGHT PCI DSS is a baseline tuned to cardholder data That’s why improvement to PCI DSS is imperative Focus on printed material part of PCI DSS
  • 19. Compromising Controls WRONG Treat compensating controls as shortcuts Use ultra-liberal or ultra-conservative approach Lose sight of the original requirement RIGHT Use compensating controls where needed Use an approach that passes the “sniff test” Meet the requirements for a valid comp control
  • 20. The FNG WRONG Put someone brand new on PCI DSS assessment New Assessor (3-days of training?) New Assessee (0-days of training!) RIGHT Ensure assessors are experienced Allow new employees to shadow experienced ones Send employees to merchant training
  • 21. PCI and Security Today <- This is the enemy! This is NOT the enemy! -> Remember: security first, compliance as a result.
  • 22. Continuous Compliance vs Validation Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted. Use what you built for PCI to reduce risk “Own” PCI DSS; make it the basis for your policies Think beyond credit card data and grow your security! Note: a good QSA will check whether you are “wired” for continuous compliance. Pick one of that sort! BTW, see Anton’s recent paper: “How to STAY Compliant”
  • 23. Conclusions and Action Items PCI is common sense, basic security; stop complaining about it - start doing it! After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.” Develop “security and risk” mindset, not “compliance and audit” mindset.
  • 24. Get More Info! “PCI Compliance” by Anton Chuvakin and Branden Williams, THE PCI book for merchants, vendors – and everybody else! Get TWO free chapters at http://www.pcicompliancebook.info/ Released December 2009!
  • 25. Questions? Anton Chuvakin anton@chuvakin.org @anton_chuvakin Branden R. Williams, CISSP, CISM brw@brandenwilliams.com www.brandenwilliams.com @BrandenWilliams

Editor's Notes

  1. Myth: PCI is confusing and not specific!“We don’t know what to do, who to ask, what exactly to change”“Just give us a checklist and we will do it. Promise!”Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read and understand it.&lt;- Also, read our book on PCI! Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before.It is no harder than running your business or IT – and you’ve been doing it!
  2. QSA shop = liabilityxfer
  3. Myth: PCI is confusing and not specific!“We don’t know what to do, who to ask, what exactly to change”“Just give us a checklist and we will do it. Promise!”Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read and understand it.&lt;- Also, read our book on PCI! Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before.It is no harder than running your business or IT – and you’ve been doing it!
  4. Also: Lie to management about “we are NOT compliant – gimme budget!!”
  5. How to STAY compliant!