Technology Briefing Series


  PCI Myths: Common Mistakes
  and Misconceptions About PCI
  Anton Chuvakin
PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version

PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version BUT with All PCI Myths

Published in: Technology

M1 - PCI just doesn’t apply to us …

Myth: PCI just doesn’t apply to us, because…
• “… we are small, a University, don’t do e-commerce, outsource ‘everything’, not permanent entity, etc”
Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit and debit card data”, no exceptions! At some point, your acquirer will make it clear to you!

M2 - PCI is confusing

Myth: PCI is confusing and not specific!
• “We don’t know what to do, who to ask, what exactly to change”
• “Just give us a checklist and we will do it. Promise!”
Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read it. Whether you get it now, you will need to do it later. Otherwise, data and $ loss is yours!

M3 - PCI is too hard

Myth: PCI is too hard …
• “… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable”
Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you’ve been doing it!

M4 - Breaches prove PCI irrelevant

Myth: Recent breaches prove PCI irrelevant
• “We read that ‘media and pundits agree – massive data losses “prove” PCI irrelevant’”
Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics. PCI is actually easier to understand than other advanced security and risk matters. Start there!

M5 – PCI is Easy: Just Say “YES”

Myth: PCI is easy: we just have to “say Yes” on SAQ and “get scanned”
• “What do we need to do - get a scan and answer some questions? Sure!”
• “PCI is about scanning and questionnaires”
Reality: Not exactly - you need to:
a) Get a scan – and then resolve the vulnerabilities found
b) Do the things that the questions refer to – and prove it
c) Keep doing a) and b) forever!

M6 – My tool is PCI compliant

Myth: My network, application, tool is PCI compliant
• “The vendor said the tool is ‘PCI compliant’”
• “My provider is compliant, thus I am too”
• “I use PA-DSS tools, thus I am PCI OK”
Reality: There is no such thing as a “PCI compliant tool, network”; PCI DSS compliance applies to organizations. PCI DSS combines technical AND process, policy, management issues; awareness and practices as well.

M7 – PCI Is Enough Security

Myth: PCI is all we need to do for security
• “We are secure, we got PCI!”
• “We worked hard and we passed an ‘audit’; now we are secure!”
Reality: PCI is basic security, it is a necessary baseline, but NOT necessarily enough. PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality, and NOT integrity and availability of data. There is more to security than PCI!

M8 – PCI DSS Is Toothless

Myth: Even if breached and also found non-compliant, our business will not suffer.
• “We read that companies are breached and then continue being profitable; so why should we care?”
Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that?

Summary: Eight Common PCI Myths

1. PCI just doesn’t apply to us, because…
2. PCI is confusing and not specific!
3. PCI is too hard
4. Recent breaches prove PCI irrelevant
5. PCI is easy: we just have to “say Yes” on SAQ and “get scanned”
6. My network, application, tool is PCI compliant
7. PCI is all we need to do for security!
8. Even if breached and then found non-compliant, our business will not suffer

PCI Compliance for Dummies

More information?
Read “PCI Compliance for Dummies”
Get as much information as you can about PCI and how it relates to your organization!