This document provides an overview of using the Payment Card Industry Data Security Standard (PCI DSS) as the foundation for a company's overall security program, beyond just payment card data security. It discusses building a security program in phases, starting with understanding PCI DSS requirements, planning to address gaps, implementing solutions, and then ongoing management of the security program. While PCI DSS was created specifically for payment card data security, this document argues that its requirements can form a solid baseline for any organization to improve their overall security posture.

1. PCI DSS-based Security: Is This For Real?Using PCI DSS as A Foundation for Your Security ProgramDr. Anton ChuvakinAuthor of “PCI Compliance”http://www.pcicompliancebook.infoSecurity Warrior Consultingwww.securitywarriorconsulting.comSecure 360, Minneapolis, MNMay 2010

2. Inspiration….“Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “PCI Knowledge Base by late David Taylor

3. “PCI Is The Devil !!!”

4. OutlineWhat is PCI DSS? Why it is here?PCI DSS as a security frameworkPCI DSS as a data security frameworkStarting from PCI: how to do it?Risks and pitfalls

5. What is PCI DSS or PCI?Payment Card Industry Data Security StandardPayment Card = Payment Card Industry = Data Security = Data Security Standard =

6. PCI Data Security StandardPCI Council publishes PCI DSS –Data Security StandardOutlined the minimumdata security protections measures for payment card data.Defined Merchant & Service Provider Levels, and compliance validation requirements.Left the enforcement to card brands (Council doesn’t fine anybody!)Key point: PCI DSS (document) vs PCI (validation regime)

7. PCI Game: The PlayersPCI Security Standards Council

8. My Data – Their Risk!?*I* GIVE *YOU* DATA*YOU* LOSE IT*ANOTHER* SUFFERS!

9. Install and maintain a firewall confirmation to protect data

10. Do not use vendor-supplied defaults for system passwords and other security parametersBuild and Maintain a Secure NetworkProtect stored data

11. Encrypt transmission of cardholder data and sensitiveinformation across public networksProtect Cardholder DataUse and regularly update anti-virus software

12. Develop and maintain secure systems and applicationsMaintain a Vulnerability Management ProgramRestrict access to data by business need-to-know

13. Assign a unique ID to each person with computer access

14. Restrict physical access to cardholder dataImplement Strong Access Control MeasuresTrack and monitor all access to network resources and cardholder data

15. Regularly test security systems and processesRegularly Monitor and Test NetworksMaintain a policy that addresses information securityMaintain an Information Security PolicyPCI Data Security Standard In-Depth

16. PCI DSS Coverage… in no particular order:Security policy and proceduresNetwork securityMalware protectionApplication security (and web)Vulnerability scanning and remediationLogging and monitoringSecurity awareness

17. PCI DSS With No Cards?

18. PCI Coverage: What Do We Learn?Focus: confidentiality credit of card data…… but not exactly: data avoidance is even better!Now …… a hard question: what is “a good security program”? What technology, processes, etc?What are the goals?What are the metrics?

19. Our Goals!

20. Holes?BIG HOLE#1 Everything availability“If your payment app blows up, it magically becomes ‘PCI compliant’” HOLE #2 Everything productivitySpam, web filtering, client protection, etcHOLE #3 Card data discoveryPCI assumes omniscient data owners…

21. Sidetrack: WTH is “Data Security”… back to If you router is 0wned, is data security still achieved?If a secondary system is compromised?QA machine?Public web server?Know any “data idiots?”

22. Pros and ConsPros:Good coverage of many domains (tech and process)Useful focus on data elimination, app security and monitoringDetailed guidance availableA lot of tools available to helpLacks complexity of ISO, NIST, etcCons:Does not start from policy (but you can!)

23. Holes!

24. Lack of logical structure (but Prioritized Approach is there)

25. Your risk not covered

26. “Kill the data” focus doesn’t apply to some

27. Measuring success?!Pause…What do you think?

28. OK, Diving In…

29. Phase 1 UnderstandingRead PCI DSS and Prioritized ApproachOrganize into domainsSplit technology requirements from process/policy/procedureMind the holes!Also: think about other regulations, e.g. breach disclosure laws

30. Holes? What Holes?

31. Phase 2 PlanGaps?Policy/process gapTechnology gapAnything to buy? Build? Outsource? “Close the gap” strategyGuidance: PCI SSC “Prioritized Approach”“Reverse PCI”: start from Req 12 “Policy “Coordinate with stakeholders

32. Scope Explodes!Key lesson in PCI compliance: SHRINK THE SCOPE! “Drop the data”Here we expand the scope to all data and even all systems.

33. Phase 3 Do it!Following the prioritized plan, start building If under actual PCI regime, start from payment networks [of course!]Adjust! You are not “praying to PCI gods”Q: Can I use ISO27001 instead?A: Sure, but you would not be reading this if you had this choice!

34. Done?

35. Phase 4 Run it!Ongoing tasks in PCI: