3. We develop, deliver and manage systems and solutions for the Nordic financial and
capital markets.
Our mission is to make it easy and profitable to run a financial business
Our vision is to be our customers' most valued partner
We have offices in Mariehamn, Helsinki, Stockholm and Turku
Crosskey Banking Solutions Ab Ltd
We are a PCI-DSS Compliant Level 1 Service Provider
12. The 5 stages of PCI maturity
•"As a Service Provider I don’t have to comply with these requirements!"
•"These requirements are stupid!"
•"If I do these compensating controls then I can do what I want!"
•"What have I done wrong to deserve 10.6.1?"
•"OK, we use payment cards so we need to do this PCI-DSS thing!"
25. •Cattle are given numbers like vm001.crosskey.fi
•They are almost identical to other cattle
•When they get ill, you get another one
•Pets are given names like garfield.crosskey.fi
•They are unique, lovingly hand raised and cared for
•When they get ill, you nurse them back to health
37. Young padawan, don't forget:
Lack of focus leads to sloppiness,
sloppiness leads to misconfiguration, and
misconfiguration leads to compromise.
— pauldotcom.com security weekly
Business As Usual
PCI-DSS has to be integrated into your daily operations in order to succeed
43. Summary
UNDERSTAND PCI-DSS REQUIREMENTS
Get acquainted with the PCI-DSS standard and its requirements. Discuss your ideas and thoughts
with your QSA (Qualified Security Assessor).
GET STAKEHOLDER APPROVAL
PCI-DSS Compliance requires a substantial effort from the organisation in order to succeed. This
will require time, money and management sponsorship to reach the whole organisation.
HIRE A GOOD QSA
Get a good QSA. There are a lot of QSACs offering their services. Make sure you get a QSA that
understands your business and your particular needs. Make sure your QSA is on the same page
and that you have respect for each other.
SCOPING
Scoping is a hard nut to crack. The standard is “intentionally” not clear on the details of what is in
scope and what is not.
44. Summary
AUTOMATION & CONFIGURATION MANAGEMENT
Automation is a really good way to create efficiency in your workflows. Automate all the things that
take time to do, and focus on the tasks and requirements that cannot be automated. The more
smart automation you do, the more time you have to improve and to make things more efficient and
compliant.
COLLABORATE WITH YOUR TEAMS
Collaboration is critical to fulfilling all the requirements. You can’t do it on your own; you’ll need
your Operations Team, Development Team, Security Team and Business Team to make it happen.
INVEST IN MONITORING
Monitoring your environment for malicious activity is difficult. Invest in monitoring, get the team and
tools you need to monitor your environment. Outsource if you have to, do it in-house if you can.
IMPLEMENT PCI-DSS INTO YOUR DAY-TO-DAY BUSINESS OPERATIONS
There are a multitude of tasks that need to be done on a daily, weekly, monthly, quarterly, semi-annual
and annual basis in order to stay compliant. These tasks have to become second nature for your
organisation and your teams.