The Rocky Road to Business As Usual
PCI Europe, Amsterdam 27.11.2014
Kim Halavakoski
def self.info(Kim Halavakoski)
• Security Geek / Nerd
• Chief Security Officer
• 3 kids: 3(♀), 6(♂) and 8(♀) years old, 5 cats
• Hobbies: RC-planes, Quadcopters, Robotics, Photography, Running, Weightlifting…
khalavakoski khalavak
G+ Communities: PCI-Jedis, Security De-Obfuscated
Crosskey Banking Solutions Ab Ltd
We develop, deliver and manage systems and solutions for the Nordic financial and capital markets.
Our mission is to make it easy and profitable to run a financial business.
Our vision is to be our customers' most valued partner.
We have offices in Mariehamn, Helsinki, Stockholm and Turku.
We are a PCI-DSS Compliant Level 1 Service Provider.
PCI 101
Some background to PCI-DSS: statistics and requirements.
COMPLIANT
EASY CHEAP
Prevention, Detection & Response
Shift the focus from prevention to detection- and response-based event management.
249
The 5 stages of PCI maturity
• "As a Service Provider I don't have to comply with these requirements!"
• "These requirements are stupid!"
• "If I do these compensating controls then I can do what I want!"
• "What have I done wrong to deserve 10.6.1?"
• "OK, we use payment cards so we need to do this PCI-DSS thing!"
Stakeholder approval
Management approval and buy-in is essential for the success of your PCI efforts.
There is no appliance that automagically gets you PCI-DSS compliant.
Get a good QSA
Scoping is vital for PCI-DSS success: Scoping, Scoping, Scoping & Scoping.
Collaboration
One key to success is effective collaboration. #DevOps #DevOpsSec
Automation & Configuration management
Configuration standards, snowflake servers and cattle
• Cattle are given numbers like vm001.crosskey.fi
• They are almost identical to other cattle
• When they get ill, you get another one
• Pets are given names like garfield.crosskey.fi
• They are unique, lovingly hand raised and cared for
• When they get ill, you nurse them back to health
Monitoring, Detection & Response
Verizon DBIR 2013 (charts): Compromise; Discovery
THE ANTIVIRUS
Building blocks of monitoring:
• Log review
• Threat intelligence
• Security analyst
• SIEM
• Log management
• Fraud monitoring
• End-point protection
Young padawan, don't forget: Lack of focus leads to sloppiness, sloppiness leads to misconfiguration, and misconfiguration leads to compromise.
— pauldotcom.com security weekly
Business As Usual
PCI-DSS has to be integrated into your daily operations in order to succeed.
Security PCI Taskforce
Summary
UNDERSTAND PCI-DSS REQUIREMENTS
Get acquainted with the PCI-DSS standard and its requirements. Discuss your ideas and thoughts with your QSA.
GET STAKEHOLDER APPROVAL
PCI-DSS compliance requires a substantial effort from the organisation in order to succeed. This will require time, money and management sponsorship to reach the whole organisation.
HIRE A GOOD QSA
Get a good QSA. There are a lot of QSACs offering their services. Make sure you get a QSA that understands your business and your particular needs. Make sure your QSA is on the same page and that you have respect for each other.
SCOPING
Scoping is a hard nut to crack. The standard is “intentionally” not clear on the details of what is in scope and what is not.
AUTOMATION & CONFIGURATION MANAGEMENT
Automation is a really good way to create efficiency in your workflows. Automate all the things that take time to do and focus on the tasks and requirements that cannot be automated. The more smart automation you do, the more time you have to improve and make things more efficient and compliant.
COLLABORATE WITH YOUR TEAMS
Collaboration is critical for succeeding in fulfilling all requirements. You can’t do it on your own; you’ll need your Operations Team, Development Team, Security Team and Business Team to make it happen.
INVEST IN MONITORING
Monitoring your environment for malicious activity is difficult. Invest in monitoring: get the team and tools you need to monitor your environment. Outsource if you have to, do it in-house if you can.
IMPLEMENT PCI-DSS INTO YOUR DAY-TO-DAY BUSINESS OPERATIONS
There are a multitude of tasks that need to be done on a daily, weekly, monthly, quarterly, bi-annual and annual basis in order to stay compliant. These tasks have to become second nature for your organisation and your teams to stay compliant.