
Spirit of PCI DSS by Dr. Anton Chuvakin


PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.


  1. Spirit of PCI DSS, or The REAL Goal of PCI
     Dr. Anton Chuvakin
     Security Warrior Consulting
     www.securitywarriorconsulting.com
     Author of the "PCI Compliance" book
     Keynote at PCI in Higher Education Workshop
     Indianapolis, IN - May 2010
  2. "PCI Is The Devil !!!"
  3. Inspiration...
     "Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it."
     PCI Knowledge Base, by the late David Taylor
  4. Outline
     Background and context around PCI
     Why are we doing it?
     Accept risk ... of others?
     Security as a checklist?
     PCI -> security?
     Conclusions: Simplify PCI?
  5. What is PCI DSS or PCI?
     Payment Card Industry Data Security Standard
     Payment Card =
     Payment Card Industry =
     Data Security =
     Data Security Standard =
  6. PCI Regime vs DSS Guidance
     The PCI Council publishes PCI DSS
     Outlined the minimum data security protection measures for payment card data.
     Defined Merchant and Service Provider Levels, and compliance validation requirements.
     Left the enforcement to the card brands (the Council doesn't fine anybody!)
     Key point: PCI DSS (the document) vs PCI (the validation regime)
  7. The 12 PCI DSS requirements, grouped by goal
     Build and Maintain a Secure Network
       1. Install and maintain a firewall configuration to protect data
       2. Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
       3. Protect stored data
       4. Encrypt transmission of cardholder data and sensitive information across public networks
     Maintain a Vulnerability Management Program
       5. Use and regularly update anti-virus software
       6. Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
       7. Restrict access to data by business need-to-know
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes
     Maintain an Information Security Policy
       12. Maintain a policy that addresses information security
     PCI DSS = Basic Security Practices!
  14. PCI Game: The Players
      PCI Security Standards Council
  15. Why Are We Doing It?
      Risk of DEATH
      vs
      Risk of a $60 fine?
  16. My Data - Their Risk!?
      *I* GIVE *YOU* DATA
      *YOU* LOSE IT
      *ANOTHER* SUFFERS!
  17. Key Point: What Do You Protect?
  18. 2/3 Value vs 1/2 Protection
      What is VALUED
      vs
      what is PROTECTED
      Lack of Balance!
  19. Observations...
  20. Leaders vs Losers
  21. Extra Dimension: Fraud?
      Disconnect of fraud and PCI?
      Ideas:
        - Deploy PCI DSS controls
        - Measure their impact on fraud
        - Rinse, repeat!
  22. Compliance vs Security
      X
  24. Ceiling vs Floor
      PCI is the "floor" of security
      This is the fundamental reality of PCI DSS!
      However, many prefer to treat it as a "ceiling"
      Result: security breaches
  25. PCI and Security Today
      <- This is the enemy!
      This is NOT the enemy! ->
      Remember: security first, compliance as a result.
  26. Checklist Mentality IS Evil!
  27. "Whack-an-assessor"
      PCI "game" as "whack-an-assessor" = PAIN, PAIN, PAIN, PAIN, PAIN, PAIN!
      Do it for security - justify it for PCI DSS!
  28. How To "Profit" From PCI DSS?
      Everything you do for PCI DSS MUST have a security benefit for your organization!
      Examples: log management, IDS/IPS, IdM, application security, etc.
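The deck's own illustration of "profit" from PCI DSS is log management: Requirement 10 asks you to track and monitor access to cardholder data, and the checklist reading of that is "logs are retained". The security reading is that someone (or something) actually reviews them and finds the attack. The following is an added example, not from the slides or from Anton Chuvakin: a small Python log-review routine run over constructed sshd-style lines for a hypothetical cardholder-data host. The log format, host name, addresses, threshold and window are all assumptions chosen for illustration; real reviews would also count lines that fail to parse and would pull thresholds from the logging policy.

```python
"""Added example (not from the slides): a minimal Requirement 10 log review
that produces a security result rather than just a retained file.

It parses constructed sshd-style auth lines, then flags
  (a) a burst of failed logins from one source within a time window, and
  (b) a successful login from a source that had such a burst just before it,
which is the event an assessor-pleasing "we keep logs" setup would never
surface.  Format, host, IPs, threshold and window are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on syslog + OpenSSH wording; not real data.
SAMPLE_LOG = """\
2010-05-10T08:55:00 pos-db01 sshd[3990]: Failed password for jsmith from 10.0.0.5 port 40211
2010-05-10T08:55:10 pos-db01 sshd[3992]: Accepted password for jsmith from 10.0.0.5 port 40212
2010-05-10T08:57:00 pos-db01 CRON[4001]: (root) CMD (run-parts /etc/cron.hourly)
2010-05-10T09:00:01 pos-db01 sshd[4101]: Failed password for admin from 203.0.113.7 port 51122
2010-05-10T09:00:03 pos-db01 sshd[4103]: Failed password for admin from 203.0.113.7 port 51123
2010-05-10T09:00:05 pos-db01 sshd[4105]: Failed password for admin from 203.0.113.7 port 51124
2010-05-10T09:00:08 pos-db01 sshd[4107]: Failed password for admin from 203.0.113.7 port 51125
2010-05-10T09:00:10 pos-db01 sshd[4109]: Failed password for admin from 203.0.113.7 port 51126
2010-05-10T09:00:12 pos-db01 sshd[4111]: Accepted password for admin from 203.0.113.7 port 51127
"""

# Only sshd password outcomes are parsed; other daemons' lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Return a list of auth events (dicts) in log order; unparsed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag failed-login bursts per source IP and any success that follows one.

    A burst is `threshold` or more failures from one IP inside `window`.
    Each IP is reported once for the burst; every success that lands while the
    burst is still inside the window is reported separately.
    """
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    burst_reported = set()
    for ev in parse(log_text):
        ip, ts = ev["ip"], ev["ts"]
        # Keep only failures still inside the sliding window for this IP.
        recent = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)
                findings.append({"type": "brute_force", "ip": ip,
                                 "count": len(recent), "at": ts})
        elif len(recent) >= threshold:
            findings.append({"type": "success_after_failures", "ip": ip,
                             "user": ev["user"], "at": ts})
        failures[ip] = recent
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```

On the constructed sample the routine reports two findings for 203.0.113.7 (the burst, then the `admin` login that followed it) and nothing for 10.0.0.5, whose single failure sits below the threshold. That second finding is the one worth the review time: the control has earned its security benefit, and the compliance evidence (logs retained, logs reviewed) falls out as a by-product, which is exactly the order the slide asks for.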
  29. In Other Words...
      Every time you think "PCI DSS OR security," god kills a kitten!
  30. The Spirit of PCI DSS?
      PCI DSS = Motivating FORCE for CUSTODIAN data security, thus customer TRUST!
      You can learn to protect YOUR data too!
  31. CSR Goes Far?
      Corporate Social Responsibility?
      Green
      Sustainable
      "Fair" trade
      LOSES CUSTOMER DATA!!!
      Secure data -> trust!
  32. The Whining of PCI DSS
      W1: Why don't the brands "fix the system?"
      A1: They will.
      W2: Can we have "a risk based" standard?
      A2: No. 91% of people can't spell "risk"
      W3: Can we do something simpler?
      A3: Yes! Cash.
  33. Conclusions and Action Items
      Kill the data! Outsource!
      PCI is basic security; stop complaining about it - start doing it!
      Develop a "security and risk" mindset, not a "compliance and audit" mindset.
      If you are doing PCI DSS and not getting a security benefit, please STOP!
  34. Get The PCI Book!
      "PCI Compliance" by Anton Chuvakin and Branden Williams
      Useful reference for merchants, vendors - and everybody else in PCI-land
      Released December 2009!
      www.pcicompliancebook.info
  35. Questions?
      Dr. Anton Chuvakin
      Email: anton@chuvakin.org
      Site: http://www.chuvakin.org
      Blog: http://www.securitywarrior.org
      Twitter: @anton_chuvakin
      Consulting: http://www.securitywarriorconsulting.com
  36. More on Anton
      Now: independent consultant
      Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
      Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
      Standard developer: CEE, CVSS, OVAL, etc.
      Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
      Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  37. Security Warrior Consulting Services
      Logging and log management policy
        - Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
        - Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
        - Customize industry "best practices" related to logging and log review to fit your environment; help link these practices to business services and regulations
        - Help integrate logging tools and processes into IT and business operations
      Content development
        - Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
        - Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
      More at www.SecurityWarriorConsulting.com
