The Rocky Road to Business As Usual
PCI Europe, Amsterdam 27.11.2014
Kim Halavakoski
def self.info(Kim Halavakoski)
• Security Geek / Nerd
• Chief Security Officer
• 3 kids: 3(♀), 6(♂) and 8(♀) years old, 5 cats
• Hobbies: RC-planes, Quadcopters, Robotics, Photography, Running, Weightlifting…
khalavakoski khalavak
G+ Communities:
PCI-Jedis
Security De-Obfuscated
We develop, deliver and manage systems and solutions for the Nordic financial and capital markets.
Our mission is to make it easy and profitable to run a financial business.
Our vision is to be our customers' most valued partner.
We have offices in Mariehamn, Helsinki, Stockholm and Turku
Crosskey Banking Solutions Ab Ltd
We are a PCI-DSS Compliant Level 1 Service Provider
PCI 101
Some background to PCI-DSS: statistics and requirements.
COMPLIANT
EASY CHEAP
Prevention, Detection &
Response
Shift the focus from prevention alone to detection and response based event management.
249
The 5 stages of PCI maturity
1. "As a Service Provider I don't have to comply with these requirements!"
2. "These requirements are stupid!"
3. "If I do these compensating controls then I can do what I want!"
4. "What have I done wrong to deserve 10.6.1?" (requirement 10.6.1: daily review of security events and logs)
5. "OK, we use payment cards so we need to do this PCI-DSS thing!"
Stakeholder approval
Management approval and buy-in is essential for the success of your PCI efforts
There is no appliance that automagically gets you PCI-DSS compliant
Get a good QSA
Scoping is vital for PCI-DSS success
Scoping, Scoping, Scoping & Scoping
Collaboration
One key to success is effective collaboration
#DevOps #DevOpsSec
Automation & Configuration management
Configuration standards, snowflake servers and cattle
• Cattle are given numbers like vm001.crosskey.fi
• They are almost identical to other cattle
• When they get ill, you get another one
• Pets are given names like garfield.crosskey.fi
• They are unique, lovingly hand raised and cared for
• When they get ill, you nurse them back to health
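What the cattle-versus-pets distinction looks like as a check, added here as an example and not part of the original slides: given the documented configuration standard that PCI DSS requirement 2.2 expects for each component type, report every host whose running configuration deviates from it. The baseline, the per-host configs, the hostnames and the idea of a collector that fetched them are all constructed; the sshd_config key/value format is used only because it is simple to parse.

```python
"""Configuration-drift check: which hosts are still cattle, which have
become pets? Added example, not from the original slides. The baseline,
the per-host configs and the hostnames below are constructed."""
from typing import Dict, List, Tuple

# Constructed configuration standard in sshd_config "Key value" form.
# PCI DSS requirement 2.2 asks for such a documented standard per
# component type; these particular values are illustrative.
BASELINE = """
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 4
"""

# Constructed output of a (hypothetical) collector that fetched each
# host's effective sshd config.
OBSERVED = {
    "vm001.example.com": """
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 4
""",
    "vm002.example.com": """
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 4
""",
    "garfield.example.com": """
# hand-tuned long ago by someone who has since left
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
LogLevel INFO
""",
}

# (setting, expected value, actual value or "<missing>")
Drift = List[Tuple[str, str, str]]


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; blanks and '#' comments are ignored and
    keys are lower-cased because sshd treats them case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings[parts[0].lower()] = parts[1].strip()
    return settings


def diff_against_baseline(baseline: Dict[str, str], actual: Dict[str, str]) -> Drift:
    """Every baseline setting the host is missing or has set differently.
    Settings the host has but the baseline does not mention are not drift
    here; a stricter standard would list those too."""
    drift: Drift = []
    for key, expected in baseline.items():
        got = actual.get(key, "<missing>")
        if got != expected:
            drift.append((key, expected, got))
    return drift


def find_snowflakes(baseline_text: str, observed: Dict[str, str]) -> Dict[str, Drift]:
    """Hosts whose config deviates from the standard, with the deviations.
    Hosts that match exactly (the cattle) are left out of the result."""
    baseline = parse_kv(baseline_text)
    result: Dict[str, Drift] = {}
    for host, cfg in observed.items():
        drift = diff_against_baseline(baseline, parse_kv(cfg))
        if drift:
            result[host] = drift
    return result


if __name__ == "__main__":
    for host, drift in find_snowflakes(BASELINE, OBSERVED).items():
        print(f"{host}: drifted from the standard")
        for key, expected, got in drift:
            print(f"  {key}: expected {expected!r}, found {got!r}")
```

Run against real collector output, the drift list is the evidence a QSA asks for under requirement 2.2, and a host that keeps reappearing in it is a pet: rebuild it from the standard rather than nursing it back to health by hand.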
Monitoring, Detection &
Response
[Charts: Verizon DBIR 2013, Compromise vs. Discovery]
[Slide: antivirus]
Monitoring building blocks:
• Log review
• Threat intelligence
• Security analyst
• SIEM
• Log management
• Fraud monitoring
• End-point protection
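The daily log review behind requirement 10.6.1, reduced to its mechanics as an added example (not from the slides): parse sshd auth-log lines, flag a burst of failed logins from one source, a successful login that follows failures, root logins, and in-scope hosts that sent no logs at all, since a quiet log source is a finding in its own right. The log lines, hostnames, IP addresses and thresholds are all constructed.

```python
"""Daily security-event review over sshd auth-log lines (the kind of
check PCI DSS 10.6.1 expects to happen every day). Added example, not
from the slides; log lines, hostnames and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed auth-log sample in the usual Linux sshd syslog format.
SAMPLE_LOG = """\
Nov 26 02:14:01 vm001 sshd[4120]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Nov 26 02:14:03 vm001 sshd[4120]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Nov 26 02:14:05 vm001 sshd[4121]: Failed password for root from 203.0.113.9 port 51024 ssh2
Nov 26 02:14:08 vm001 sshd[4122]: Failed password for root from 203.0.113.9 port 51025 ssh2
Nov 26 02:14:10 vm001 sshd[4123]: Failed password for root from 203.0.113.9 port 51026 ssh2
Nov 26 02:14:12 vm001 sshd[4123]: Accepted password for root from 203.0.113.9 port 51026 ssh2
Nov 26 09:30:44 vm002 sshd[2201]: Accepted publickey for deploy from 192.0.2.10 port 40011 ssh2
Nov 26 09:31:02 vm002 sshd[2202]: Failed password for deploy from 192.0.2.11 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5              # failures from one source within WINDOW
WINDOW = timedelta(minutes=10)  # illustrative values, tune to your traffic

Finding = Tuple[str, str, str]  # (category, subject, detail)


def parse(log: str, year: int = 2014) -> List[dict]:
    """Turn log lines into dicts; syslog has no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # a real review also counts lines it cannot parse
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def review(events: List[dict], expected_hosts: Set[str]) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Password guessing: FAIL_THRESHOLD failures from one source inside
    #    a sliding WINDOW. One finding per source, not one per failure.
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["time"])
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                findings.append(("brute_force", src,
                                 f"{end - start + 1} failures within {WINDOW}"))
                break

    # 2. Successful logins that deserve a human's eyes: root, and any
    #    success from a source that also produced failures.
    for ev in events:
        if ev["result"] != "Accepted":
            continue
        if ev["user"] == "root":
            findings.append(("root_login", ev["src"],
                             f"root accepted on {ev['host']} via {ev['method']}"))
        if ev["src"] in failures:
            findings.append(("success_after_failures", ev["src"],
                             f"{ev['user']}@{ev['host']} after earlier failures"))

    # 3. Silence: an in-scope host that logged nothing is a finding too
    #    (logging broke, or someone turned it off).
    seen = {ev["host"] for ev in events}
    for host in sorted(expected_hosts - seen):
        findings.append(("no_logs", host, "expected log source sent nothing"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in review(parse(SAMPLE_LOG), {"vm001", "vm002", "vm003"}):
        print(f"{category:24} {subject:16} {detail}")
```

The set of expected hosts is the link to scoping: it should be generated from the CDE inventory, not typed in, so that a host added to scope is automatically a host whose silence gets noticed.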
Young padawan, don't forget:
Lack of focus leads to sloppiness, sloppiness leads to misconfiguration, and misconfiguration leads to compromise.
— pauldotcom.com security weekly
Business As Usual
PCI-DSS has to be integrated into your daily operations in order to succeed
Security PCI taskforce
Summary
UNDERSTAND PCI-DSS REQUIREMENTS
Get acquainted with the PCI-DSS standard and its requirements. Discuss your ideas and thoughts with your QSA.
GET STAKEHOLDER APPROVAL
PCI-DSS Compliance requires a substantial effort from the organisation in order to succeed. This
will require time, money and management sponsorship to reach the whole organisation.
HIRE A GOOD QSA
Get a good QSA. There are a lot of QSACs offering their services. Make sure you get a QSA that
understands your business and your particular needs. Make sure your QSA is on the same page
and that you have respect for each other.
SCOPING
Scoping is a hard nut to crack. The standard is "intentionally" not clear on the details of what is in scope and what is not.
Summary
AUTOMATION & CONFIGURATION MANAGEMENT
Automation is a really good way to create efficiency in your workflows. Automate all the things that take time to do and focus on the tasks and requirements that cannot be automated. The more smart automation you do, the more time you have to improve and make things more efficient and compliant.
COLLABORATE WITH YOUR TEAMS
Collaboration is critical to fulfilling all the requirements. You can't do it on your own; you'll need your Operations Team, Development Team, Security Team and Business Team to make it happen.
INVEST IN MONITORING
Monitoring your environment for malicious activity is difficult. Invest in monitoring, get the team and
tools you need to monitor your environment. Outsource if you have to, do it in-house if you can.
IMPLEMENT PCI-DSS INTO YOUR DAY-TO-DAY BUSINESS OPERATIONS
There are a multitude of tasks that need to be done on a daily, weekly, monthly, quarterly, bi-annual and annual basis in order to stay compliant. These tasks have to become second nature for your organisation and your teams.
PCI Amsterdam: 27.11.2014: Rocky-Road-to-PCI-Compliance