Spirit of PCI DSS by Dr. Anton Chuvakin

Security Strategy
May. 7, 2010
Spirit of PCI DSS by Dr. Anton Chuvakin

  1. Assign a unique ID to each person with computer access
  2. Measure their impact on fraud

Editor's Notes

  1. http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
     "As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent."
  2. Forrester "Value of Data" report: "Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes 'toxic' and poisons the enterprise's air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity."
  3. Forrester report: 2/3 of value is in OWN data, yet 1/2 of spending goes to protecting custodial data!
  4. + not have OWN DATA
     + not have CUSTODIAN DATA
     + remove CUSTODIAN DATA = protect CUSTODIAN DATA!
     + protect key business processes
  5. While many hope for a Gaussian distribution, in security – counter to intuition! – most people are below average!
  6. Example controls deemed useful for fraud:
     - Logging
     - User access configuration, logging and monitoring
     - Limiting access to data – e.g. encryption, tokenization, etc.
     - Security awareness – unavoidable punishment for internal fraud
     "Define an incentive program to enforce policies. About two months ago in this column I wrote about the importance of 'deputizing' store managers to watch for security breaches. Since I have discussed such programs with leading retailers, it's become clear that in order to change the culture, retailers have to provide incentives to these 'deputies' in order to actually impact key metrics such as shrinkage, fraud and chargeback rates. The other important technique is to link the PCI compliance initiative to these same security metrics. For example, a PCI project manager who wants to 'embed' PCI compliance into the corporate culture would be well advised to spend about 20 hours, spread over several weeks, to create a presentation for management which shows how PCI compliance can not only reduce risk, but also can impact key financial metrics such as fraud and chargeback rates. I have talked to three PCI managers who also own fraud management and report into the CFO. All three have found that linking PCI compliance to financial performance is a great way to get executive attention, and budget. And since all these metrics are key to individual store performance, this is one of the ways to gain the support of store management for PCI compliance – circling back to the whole 'deputize' argument."
     Pasted from <http://pciknowledgebase.com/index.php?option=com_content&view=article&id=121:pci-compliance-whos-re-minding-the-store&catid=28:myblog&Itemid=132>
     WE ARE LOOKING TO LINK PCI COMPLIANCE TO FRAUD REDUCTION:
     "You cannot simply say that PCI compliance leads to reduced fraud rates. You have to prove it. Because PCI is so detailed, it's not ALL of the controls that can be proven to reduce fraud. However, the controls that we believe have the most direct impact are #3, encryption; #10, monitoring and logging access; #7, access controls; and #11, vulnerability testing. If just those 4 are done well, we believe that we can prove those controls in PCI can lead directly to reduced fraud rates. However, we still cannot prove it statistically. We have case study data that suggests it, however."
     Pasted from <http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=3195&Itemid=0>
     "Merchants have implemented PCI-mandated security controls in order to reduce fraud and security breaches. However, a weak connection between the PCI controls and fraud management by many merchants has left PCI compliance ineffective at catching external fraud on a day-to-day basis. Some merchants run PCI compliance as an IT project, leaving other operations groups fewer opportunities to get involved. PCI managers also need better understanding of fraud and risk managers' functions to benefit from PCI-mandated reporting."
     Pasted from <http://blog.intellitactics.com/blog/new-intellitactics-blog/0/0/catching-fraud-pci-dss-compliance-software>
  7. REAL Spirit of PCI
     Trust in business transactions
     "Corporate Social Responsibility"
     They trusted you with their data!
     You give me data. I lose it. Another suffers.
  8. This comes from the PCI book www.pcicompliancebook.info
  9. + After validating that you are compliant, don't stop: continuous compliance AND security is your goal, not "passing an audit." See "How to STAY PCI Compliant?"
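Note 6 names the four controls the speaker expects to tie most directly to fraud (#3 encryption/tokenization, #7 access control, #8 unique IDs per person, #10 logging and monitoring), and note 4 argues that the surest way to protect custodial data is not to hold it. The block below is an added example, not code from the slides or from any cited source, showing those ideas together in one small tokenization vault: PANs stay inside the vault, the rest of the business holds only random tokens, detokenization is gated by role under a per-person user ID, every call is logged, and the denied-access records feed a simple "who is probing the vault" check. The role names, the lookup key, the PANs and the token format are all constructed for the example.

```python
"""Added example (not from the original slides): a minimal tokenization vault
with per-user access control and an audit trail.  Merchant systems keep only
tokens; PANs live solely inside the vault, which is the one component left in
PCI scope.  Roles, keys, user IDs and PANs below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles allowed to recover a PAN from a token (assumption for this example).
DETOKENIZE_ROLES = {"fraud_analyst", "chargeback_ops"}


@dataclass(frozen=True)
class User:
    user_id: str   # unique per person (req. 8): never a shared "store" login
    role: str


def luhn_valid(pan: str) -> bool:
    """Mod-10 check so malformed input never enters the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, lookup_key: bytes):
        self._key = lookup_key      # secret: a bare SHA-256 of a PAN is brute-forceable
        self._token_by_fp = {}      # HMAC(PAN) -> token, so one PAN maps to one token
        self._pan_by_token = {}     # token -> PAN; only the vault ever sees this side
        self.audit = []             # append-only record of every call (req. 10)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _log(self, user: User, action: str, token: str, allowed: bool) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user_id": user.user_id, "action": action,
                           "token": token, "allowed": allowed})

    def tokenize(self, pan: str, user: User) -> str:
        """Any authenticated user may tokenize; the token keeps only the last four."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random, not derived from the PAN: a stolen token is worthless by itself.
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        self._log(user, "tokenize", token, True)
        return token

    def can_detokenize(self, user: User) -> bool:
        return user.role in DETOKENIZE_ROLES

    def detokenize(self, token: str, user: User) -> str:
        """Denied attempts are logged too; they are the interesting signal."""
        allowed = self.can_detokenize(user)
        self._log(user, "detokenize", token, allowed)
        if not allowed:
            raise PermissionError(f"{user.user_id} may not detokenize {token}")
        return self._pan_by_token[token]    # KeyError for an unknown token


def suspicious_users(audit, threshold: int = 3):
    """User IDs with at least `threshold` denied detokenize attempts.  Because
    every person has their own ID, a hit names a person, not a shared account."""
    denied = {}
    for entry in audit:
        if entry["action"] == "detokenize" and not entry["allowed"]:
            denied[entry["user_id"]] = denied.get(entry["user_id"], 0) + 1
    return sorted(uid for uid, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-lookup-key")        # would come from an HSM/KMS
    clerk = User("u1001", "clerk")
    analyst = User("u2002", "fraud_analyst")
    tok = vault.tokenize("4111111111111111", clerk)      # well-known test PAN
    print("store sees only:", tok)
    print("analyst recovers:", vault.detokenize(tok, analyst))
    try:
        vault.detokenize(tok, clerk)
    except PermissionError as exc:
        print("denied:", exc)
    print("probing the vault:", suspicious_users(vault.audit, threshold=1))
```

Two design points matter more than the code: the lookup index is a keyed HMAC rather than a hash, because the PAN space behind a known BIN is small enough to enumerate against an unkeyed digest; and the audit trail records denials, since a merchant who wants to link PCI controls to fraud metrics (as note 6 asks) needs the denied-access series per individual, which only exists when each person has a unique ID.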