PCI DSS Myths 2009: Myths and Reality

Anton Chuvakin
Anton ChuvakinSecurity Strategy
PCI DSS Myths 2009: Fiction and Reality Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com November 2009
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object]
What is PCI DSS or PCI? ,[object Object],[object Object],[object Object],[object Object],[object Object]
PCI DSS is based on basic data security practices! ,[object Object],[object Object],Protect Cardholder Data ,[object Object],Maintain an Information Security Policy ,[object Object],[object Object],Regularly Monitor and Test Networks ,[object Object],[object Object],[object Object],Implement Strong Access Control Measures ,[object Object],[object Object],Maintain a Vulnerability Management Program ,[object Object],[object Object],Build and Maintain a Secure Network
Ceiling vs Floor ,[object Object],[object Object],[object Object],[object Object],[object Object]
M1 - PCI just doesn’t apply to us … ,[object Object],[object Object],Reality: PCI DSS DOES apply to you if you “ accept, capture, store, transmit or process credit and debit card data ”, no exceptions! At some point, your acquirer will make it clear to you!
M2 - PCI is confusing ,[object Object],[object Object],[object Object],Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read and understand it. <- Also, read our book on PCI! 
M3 - PCI is too hard ,[object Object],[object Object],Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you’ve been doing it!
M4 - Breaches prove PCI irrelevant ,[object Object],[object Object],Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics. PCI is actually easier to understand than other advanced security and risk matters. Start there!
M5 – PCI is Easy : Just Say “YES” ,[object Object],[object Object],Reality: Not exactly - you need to: a) Get a scan – and then resolve the vulnerabilities found b) Do the things that the questions refer to – and prove it c) Keep doing a) and b) forever!
M6 – My tool is PCI compliant ,[object Object],[object Object],[object Object],Reality: There is no such thing as “PCI compliant tool, network”, PCI DSS compliance applies to organizations . PCI DSS combines technical AND process, policy, management issues; awareness and practices as well.
M7 – PCI Is Enough Security ,[object Object],[object Object],Reality: PCI is basic security, it is a necessary baseline, but NOT sufficient (floor – not the ceiling!) PCI is also about cardholder data security , not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality , and NOT integrity and availability. There is more to security than PCI!
M8 – PCI DSS Is Toothless ,[object Object],[object Object],Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that?
Summary: Eight Common PCI Myths ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Your Approach To PCI DSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Continuous Compliance vs Validation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PCI and Security Today ,[object Object],[object Object],[object Object],[object Object]
Conclusions and Action Items ,[object Object],[object Object],[object Object]
Get More Info! ,[object Object],[object Object],[object Object]
About Anton Chuvakin ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],For more: http://www.chuvakin.org
More on Anton ,[object Object],[object Object],[object Object],[object Object],[object Object]
Security Warrior Consulting Services ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
1 of 22

PCI DSS Myths 2009: Myths and Reality

Technology

PCI DSS Myths 2009: Fiction and Reality The presentation will cover PCI DSS-related myths and misconceptions that are common among some organizations dealing with PCI DSS challenges. Myths related to technical and process side of PCI, self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all organizations dealing with credit card information and thus struggling with PCI DSS mandates

Anton Chuvakin
Anton ChuvakinSecurity Strategy

Recommended

PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinAnton Chuvakin
1.3K views22 slides
PCI 2010: Trends and TechnologiesPCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesAnton Chuvakin
1.6K views15 slides
PCI MythsPCI Myths
PCI MythsSasha Nunke
677 views20 slides
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinAnton Chuvakin
1.8K views35 slides
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Versionguest3af00b8
343 views11 slides
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the WarGary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the Warcentralohioissa
770 views27 slides

More Related Content

What's hot

What's hot(17)

How Not to Lose Your Bitcoin in 2017How Not to Lose Your Bitcoin in 2017
How Not to Lose Your Bitcoin in 2017
Anil X692 views
Privacies are ComingPrivacies are Coming
Privacies are Coming
Ernest Staats93 views
RSA 2017 - CISO's 5 steps to SuccessRSA 2017 - CISO's 5 steps to Success
RSA 2017 - CISO's 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK935 views
Mobile Devices and Internet of ThingsMobile Devices and Internet of Things
Mobile Devices and Internet of Things
Paul Hastings1.7K views
10 Practical Tips to Prepare for the New Privacy Shield Era10 Practical Tips to Prepare for the New Privacy Shield Era
10 Practical Tips to Prepare for the New Privacy Shield Era
Paul Hastings669 views
10 Rules for Vendors - an Overview10 Rules for Vendors - an Overview
10 Rules for Vendors - an Overview
Gary Hayslip CISSP, CISA, CRISC, CCSK557 views
Helping SME’S to face cybersecurity threatsHelping SME’S to face cybersecurity threats
Helping SME’S to face cybersecurity threats
Agence du Numérique (AdN)219 views
Data Loss Prevention in SharePoint 2016 Webinar with Crow CanyonData Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Data Loss Prevention in SharePoint 2016 Webinar with Crow Canyon
Vlad Catrinescu843 views
10 Tips for CIOs - Data Security in the Cloud10 Tips for CIOs - Data Security in the Cloud
10 Tips for CIOs - Data Security in the Cloud
Peak 10302 views
5 Ways to Stay #CyberSecure5 Ways to Stay #CyberSecure
5 Ways to Stay #CyberSecure
Media Sonar524 views
(SACON) Srinivas posarala - Challenges & Approach(SACON) Srinivas posarala - Challenges & Approach
(SACON) Srinivas posarala - Challenges & Approach
Priyanka Aash390 views
Blockchain for Accounting & AssuranceBlockchain for Accounting & Assurance
Blockchain for Accounting & Assurance
Eryk Budi Pratama1.1K views
Cloud adoption in the EU - and analyst's perspective (revised)Cloud adoption in the EU - and analyst's perspective (revised)
Cloud adoption in the EU - and analyst's perspective (revised)
Mike Davis319 views
Verderber Rothke What’s New With PCIVerderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCI
Ben Rothke321 views
Privacies are comingPrivacies are coming
Privacies are coming
Ernest Staats115 views
The CISO’s Guide to Data Loss PreventionThe CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss Prevention
Digital Guardian1.2K views
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLP
Robert Kloots4K views

Similar to PCI DSS Myths 2009: Myths and Reality

Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSSAnton Chuvakin
369 views7 slides

Similar to PCI DSS Myths 2009: Myths and Reality(20)

Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin2.9K views
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
Anton Chuvakin369 views
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
Anton Chuvakin1.8K views
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
Anton Chuvakin1.7K views
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
guest3af00b81 view
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
guest3af00b82 views
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER VersionPCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version
guest3af00b81 view
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
Anton Chuvakin1.4K views
Don’t Fear PCI DSS!Don’t Fear PCI DSS!
Don’t Fear PCI DSS!
Anton Chuvakin778 views
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma440 views
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma76 views
"Compliance First" or "Security First""Compliance First" or "Security First"
"Compliance First" or "Security First"
Anton Chuvakin1.4K views
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
Liberteks2.5K views
Pci dss compliancePci dss compliance
Pci dss compliance
pcidss14s84 views
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
Webinar: Protect Your Customers, Protect Yourself Learn How to Take Precautio...
i2Coalition522 views
Webinar - PCI DSS Merchant Levels validations and applicableWebinar - PCI DSS Merchant Levels validations and applicable
Webinar - PCI DSS Merchant Levels validations and applicable
VISTA InfoSec42 views
Quick & Dirty Dozen: PCI Compliance SimplifiedQuick & Dirty Dozen: PCI Compliance Simplified
Quick & Dirty Dozen: PCI Compliance Simplified
AlienVault3.5K views
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
Fit Small Business1.1K views
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
Flaskdata.io1.2K views
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault3.2K views

More from Anton Chuvakin

More from Anton Chuvakin(20)

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
Anton Chuvakin32 views
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
Anton Chuvakin264 views
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Anton Chuvakin137 views
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
Anton Chuvakin281 views
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
Anton Chuvakin391 views
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin285 views
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
Anton Chuvakin429 views
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
Anton Chuvakin754 views
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin339 views
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
Anton Chuvakin1K views
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
Anton Chuvakin364 views
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
Anton Chuvakin608 views
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
Anton Chuvakin497 views
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin10K views
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin14K views
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Anton Chuvakin3.4K views
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin4.7K views
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Anton Chuvakin1.5K views
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
Anton Chuvakin1.7K views
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Anton Chuvakin2.6K views

Recently uploaded

Recently uploaded(20)

Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
Upskilling the Evolving Workforce with Digital Fluency for Tomorrow's Challen...
NUS-ISS23 views
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi102 views
Spesifikasi Lengkap ASUS Vivobook Go 14Spesifikasi Lengkap ASUS Vivobook Go 14
Spesifikasi Lengkap ASUS Vivobook Go 14
Dot Semarang34 views
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation24 views
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
How to reduce cold starts for Java Serverless applications in AWS at JCON Wor...
Vadym Kazulkin56 views
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst422 views
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada103 views
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)
CSUC - Consorci de Serveis Universitaris de Catalunya59 views
"Fast Start to Building on AWS", Igor Ivaniuk"Fast Start to Building on AWS", Igor Ivaniuk
"Fast Start to Building on AWS", Igor Ivaniuk
Fwdays34 views
Microchip: CXL Use Cases and Enabling EcosystemMicrochip: CXL Use Cases and Enabling Ecosystem
Microchip: CXL Use Cases and Enabling Ecosystem
CXL Forum118 views
GigaIO: The March of Composability Onward to Memory with CXLGigaIO: The March of Composability Onward to Memory with CXL
GigaIO: The March of Composability Onward to Memory with CXL
CXL Forum122 views
Java Platform Approach 1.0 - Picnic MeetupJava Platform Approach 1.0 - Picnic Meetup
Java Platform Approach 1.0 - Picnic Meetup
Rick Ossendrijver24 views
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
Fwdays25 views
"How we switched to Kanban and how it integrates with product planning", Vady..."How we switched to Kanban and how it integrates with product planning", Vady...
"How we switched to Kanban and how it integrates with product planning", Vady...
Fwdays60 views
MemVerge: Gismo (Global IO-free Shared Memory Objects)MemVerge: Gismo (Global IO-free Shared Memory Objects)
MemVerge: Gismo (Global IO-free Shared Memory Objects)
CXL Forum112 views
Astera Labs: Intelligent Connectivity for Cloud and AI InfrastructureAstera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
Astera Labs: Intelligent Connectivity for Cloud and AI Infrastructure
CXL Forum125 views
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
Beyond the Hype: What Generative AI Means for the Future of Work - Damien Cum...
NUS-ISS28 views
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman161 views
Micron CXL product and architecture updateMicron CXL product and architecture update
Micron CXL product and architecture update
CXL Forum23 views
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
Fwdays39 views

PCI DSS Myths 2009: Myths and Reality

  • 1. PCI DSS Myths 2009: Fiction and Reality Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com November 2009
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.