PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin

PCI DSS-based Security: Is This For Real?
Using PCI DSS as a Foundation for Your Security Program
Dr. Anton Chuvakin, author of "PCI Compliance", http://www.pcicompliancebook.info
Security Warrior Consulting, www.securitywarriorconsulting.com
Secure 360, Minneapolis, MN, May 2010

Inspiration…
"Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it."
PCI Knowledge Base, by the late David Taylor

"PCI Is The Devil !!!"

Outline
- What is PCI DSS? Why is it here?
- PCI DSS as a security framework
- PCI DSS as a data security framework
- Starting from PCI: how to do it?
- Risks and pitfalls

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
- Payment Card =
- Payment Card Industry =
- Data Security =
- Data Security Standard =

PCI Data Security Standard
- PCI Council publishes PCI DSS, the Data Security Standard
- Outlined the minimum data security protection measures for payment card data
- Defined Merchant and Service Provider Levels, and compliance validation requirements
- Left the enforcement to the card brands (the Council doesn't fine anybody!)
- Key point: PCI DSS (the document) vs PCI (the validation regime)

PCI Game: The Players
- PCI Security Standards Council

My Data – Their Risk!?
- *I* GIVE *YOU* DATA
- *YOU* LOSE IT
- *ANOTHER* SUFFERS!
PCI Data Security Standard In-Depth
Build and Maintain a Secure Network
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Regularly test security systems and processes
Maintain an Information Security Policy
PCI DSS Coverage
… in no particular order:
- Security policy and procedures
- Network security
- Malware protection
- Application security (and web)
- Vulnerability scanning and remediation
- Logging and monitoring
- Security awareness

PCI DSS With No Cards?

PCI Coverage: What Do We Learn?
- Focus: confidentiality of credit card data…
- … but not exactly: data avoidance is even better!
- Now …
- … a hard question: what is "a good security program"?
  - What technology, processes, etc.?
  - What are the goals?
  - What are the metrics?

Our Goals!

Holes?
- BIG HOLE #1: Everything availability
  "If your payment app blows up, it magically becomes 'PCI compliant'"
- HOLE #2: Everything productivity
  Spam, web filtering, client protection, etc.
- HOLE #3: Card data discovery
  PCI assumes omniscient data owners…
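Hole #3, card data discovery, is the one a tool can actually help with. The following is an added example, not from the slides or the book: a PAN discovery pass over a constructed log excerpt that uses the Luhn check to drop order numbers and timestamps that merely look like card numbers, and reports only a masked form so the scan report does not itself become cardholder data. The sample lines, the two well-known test PANs in them and all function names are constructed for this example.

```python
"""Card-data discovery scanner (constructed example, not from the slides).

Finds candidate primary account numbers (PANs) in free text, confirms them with
the Luhn check so order ids and timestamps are not reported, and returns only
a masked form (last four digits visible).
"""
import re
from typing import NamedTuple

# A candidate is a run of 13+ digits, allowing at most one space or dash between
# digits, not adjacent to other digits. Runs longer than a PAN are rejected by
# the length check in looks_like_pan(), not split into windows: a PAN glued to
# another number without a non-digit boundary is deliberately not guessed at.
CANDIDATE_RE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,}(?![0-9])")

PAN_MIN_LEN, PAN_MAX_LEN = 13, 19


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    column: int    # 0-based offset of the match within the line
    masked: str    # all but the last four digits replaced by '*'
    length: int    # number of digits in the PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit, subtract 9
    from any doubled value above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """PAN length (13-19), not a single repeated digit (0000... passes Luhn
    with a sum of zero, so it must be filtered explicitly), and Luhn-valid."""
    if not PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN:
        return False
    if len(set(digits)) == 1:
        return False
    return luhn_valid(digits)


def mask_pan(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return masked findings for every Luhn-valid, PAN-shaped digit run."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if looks_like_pan(digits):
                findings.append(
                    Finding(line_no, m.start(), mask_pan(digits), len(digits))
                )
    return findings


# Constructed sample: an order id and a millisecond timestamp (both fail Luhn),
# two widely published test PANs (Luhn-valid), and an all-zero run.
SAMPLE_LOG = """\
2010-05-11 10:02:13 order=1234567890123456 status=approved
2010-05-11 10:02:14 DEBUG card=4111 1111 1111 1111 exp=05/12
2010-05-11 10:02:15 ts=1700000000000 retry=0
2010-05-11 10:02:16 DEBUG card=5500-0000-0000-0004 exp=11/11
2010-05-11 10:02:17 DEBUG card=0000000000000000 test-mode
"""

if __name__ == "__main__":
    # Only the masked form is printed: the report must not leak what it found.
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no} col {f.column}: {f.masked} ({f.length} digits)")
```

Run against the sample it reports only lines 2 and 4; the order id, timestamp and all-zero run are dropped, which is the difference between a discovery tool and a false-positive generator.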
Sidetrack: WTH is "Data Security"?
- … back to
- If your router is 0wned, is data security still achieved?
- If a secondary system is compromised?
  - QA machine?
  - Public web server?
- Know any "data idiots"?
Pros and Cons
Pros:
- Good coverage of many domains (tech and process)
- Useful focus on data elimination, app security and monitoring
- Detailed guidance available
- A lot of tools available to help
- Lacks the complexity of ISO, NIST, etc.
Cons:
- Holes!
- Lack of logical structure (but the Prioritized Approach is there)
- Your risk not covered
- "Kill the data" focus doesn't apply to some
- Measuring success?!
OK, Diving In…

Phase 1: Understanding
- Read PCI DSS and the Prioritized Approach
- Organize into domains
- Split technology requirements from process/policy/procedure
- Mind the holes!
- Also: think about other regulations, e.g. breach disclosure laws

Holes? What Holes?

Phase 2: Plan
- Gaps?
  - Policy/process gap
  - Technology gap
  - Anything to buy? Build? Outsource?
- "Close the gap" strategy
  - Guidance: PCI SSC "Prioritized Approach"
  - "Reverse PCI": start from Req 12 "Policy"
- Coordinate with stakeholders

Scope Explodes!
- Key lesson in PCI compliance: SHRINK THE SCOPE! "Drop the data"
- Here we expand the scope to all data and even all systems.

Phase 3: Do it!
- Following the prioritized plan, start building
- If under an actual PCI regime, start from the payment networks [of course!]
- Adjust! You are not "praying to PCI gods"
- Q: Can I use ISO 27001 instead?
- A: Sure, but you would not be reading this if you had that choice!

Done?

Phase 4: Run it!
- Ongoing tasks in PCI:
Editor's Notes

  1. Source: http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
     "As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent."
  2. "The best method to protect data from hackers is to delete it" (PCI Compliance book, http://www.pcicompliancebook.info/)