• 1. Spirit of PCI DSS, or The REAL Goal of PCI. Dr. Anton Chuvakin, Security Warrior Consulting, www.securitywarriorconsulting.com. Author of the "PCI Compliance" book. Keynote at the PCI in Higher Education Workshop, Indianapolis, IN, May 2010
• 2. "PCI Is The Devil!!!"
• 3. Inspiration... "Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it." PCI Knowledge Base, by the late David Taylor
• 4. Outline: Background and context around PCI. Why are we doing it? Accept risk... of others? Security as a checklist? PCI -> security? Conclusions: Simplify PCI?
• 5. What is PCI DSS or PCI? Payment Card Industry Data Security Standard (the slide builds the name up one piece at a time: Payment Card, Payment Card Industry, Data Security, Data Security Standard)
• 6. PCI Regime vs DSS Guidance. The PCI Council publishes PCI DSS, which outlines the minimum data security protection measures for payment card data and defines Merchant and Service Provider levels and compliance validation requirements. Enforcement is left to the card brands (the Council doesn't fine anybody!). Key point: PCI DSS (the document) vs PCI (the validation regime).
• 7-13. The six PCI DSS goals and their twelve requirements:
  Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  Protect Cardholder Data: 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data and sensitive information across public networks.
  Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software. 6. Develop and maintain secure systems and applications.
  Implement Strong Access Control Measures: 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.
  Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
  Maintain an Information Security Policy: 12. Maintain a policy that addresses information security.
  PCI DSS = Basic Security Practices!
• 14. PCI Game: The Players. PCI Security Standards Council
• 15. Why Are We Doing It? Risk of DEATH vs risk of a $60 fine?
• 16. My Data, Their Risk!? *I* GIVE *YOU* DATA. *YOU* LOSE IT. *ANOTHER* SUFFERS!
• 17. Key Point: What Do You Protect?
• 18. 2/3 Value vs 1/2 Protection. What is VALUED vs what is PROTECTED: lack of balance!
• 19. Observations...
• 20. Leaders vs Losers
• 21. Extra Dimension: Fraud? Disconnect of fraud and PCI? Ideas: ...; measure their impact on fraud; rinse, repeat!
• 24. Ceiling vs Floor. PCI is the "floor" of security; this is the fundamental reality of PCI DSS! However, many prefer to treat it as a "ceiling". Result: security breaches.
• 25. PCI and Security Today. <- This is the enemy! This is NOT the enemy! -> Remember: security first, compliance as a result.
• 26. Checklist Mentality IS Evil!
• 27. "Whack-an-assessor". PCI "game" as "whack-an-assessor" = PAIN, PAIN, PAIN, PAIN, PAIN, PAIN! Do it for security, justify it for PCI DSS!
• 28. How To "Profit" From PCI DSS? Everything you do for PCI DSS MUST have a security benefit for your organization! Examples: log management, IDS/IPS, IdM, application security, etc.
• 29. In Other Words... Every time you think "PCI DSS OR security," god kills a kitten!
• 30. The Spirit of PCI DSS? PCI DSS = motivating FORCE for CUSTODIAN data security, thus customer TRUST! Can learn to protect YOUR data too!
• 31. CSR Goes Far? Corporate Social Responsibility? Green, sustainable, "fair" trade... and LOSES CUSTOMER DATA!!! Secure data -> trust!
• 32. The Whining of PCI DSS. W1: Why don't the brands "fix the system?" A1: They will. W2: Can we have a "risk-based" standard? A2: No. 91% of people can't spell "risk". W3: Can we do something simpler? A3: Yes! Cash.
• 33. Conclusions and Action Items. Kill the data! Outsource! PCI is basic security; stop complaining about it, start doing it! Develop a "security and risk" mindset, not a "compliance and audit" mindset. If you are doing PCI DSS and not getting a security benefit, please STOP!
• 34. Get The PCI Book! "PCI Compliance" by Anton Chuvakin and Branden Williams. A useful reference for merchants, vendors, and everybody else in PCI-land. Released December 2009! www.pcicompliancebook.info
• 35. Questions? Dr. Anton Chuvakin. Email: anton@chuvakin.org. Site: http://www.chuvakin.org. Blog: http://www.securitywarrior.org. Twitter: @anton_chuvakin. Consulting: http://www.securitywarriorconsulting.com
• 36. More on Anton. Now: independent consultant. Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc. Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide. Standards developer: CEE, CVSS, OVAL, etc. Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others. Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager.
• 37. Security Warrior Consulting Services. Logging and log management policy: develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect them to solve organizational problems; plan and implement a log management architecture to support your business cases, developing specific components such as log data collection, filtering, aggregation, retention and log source configuration as well as reporting, review and validation; customize industry "best practices" for logging and log review to fit your environment, and link these practices to business services and regulations; help integrate logging tools and processes into IT and business operations. Content development: develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs; create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations. More at www.SecurityWarriorConsulting.com

Editor's Notes

  1. Source: http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0 "As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent."
  2. Forrester "Value of Data" report: "Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes 'toxic' and poisons the enterprise's air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity."
  3. Forrester report: 2/3 of the value is in OWN data, yet 1/2 of the spending goes to protecting it!
  4. Outsourcing: + you do not hold OWN DATA; + you do not hold CUSTODIAN DATA; + removing CUSTODIAN DATA = protecting CUSTODIAN DATA!; + it protects key business processes.
  5. While many hope for a Gaussian distribution, in security, counter to intuition, most people are below average!
  6. Example controls deemed useful for fraud:
     - Logging
     - User access configuration, logging and monitoring
     - Limiting access to data, e.g. encryption, tokenization, etc.
     - Security awareness: unavoidable punishment for internal fraud
     "Define an incentive program to enforce policies. About two months ago in this column I wrote about the importance of 'deputizing' store managers to watch for security breaches. Since I have discussed such programs with leading retailers, it's become clear that in order to change the culture, retailers have to provide incentives to these 'deputies' in order to actually impact key metrics such as shrinkage, fraud and chargeback rates. The other important technique is to link the PCI compliance initiative to these same security metrics. For example, a PCI project manager who wants to 'embed' PCI compliance into the corporate culture would be well advised to spend about 20 hours, spread over several weeks, to create a presentation for management which shows how PCI compliance can not only reduce risk, but also can impact key financial metrics such as fraud and chargeback rates. I have talked to three PCI managers who also own fraud management and report into the CFO. All three have found that linking PCI compliance to financial performance is a great way to get executive attention, and budget. And since all these metrics are key to individual store performance, this is one of the ways to gain the support of store management for PCI compliance, circling back to the whole 'deputize' argument." Pasted from <http://pciknowledgebase.com/index.php?option=com_content&view=article&id=121:pci-compliance-whos-re-minding-the-store&catid=28:myblog&Itemid=132>
     "WE ARE LOOKING TO LINK PCI COMPLIANCE TO FRAUD REDUCTION: You cannot simply say that PCI compliance leads to reduced fraud rates. You have to prove it. Because PCI is so detailed, it's not ALL of the controls that can be proven to reduce fraud. However, one of the controls that we believe has the most direct impact are #3, encryption, #10, monitoring and logging access, #7, access controls, and #11 vulnerability testing. If just those 4 are done well, we believe that we can prove those controls in PCI can lead directly to reduced fraud rates. However, we still cannot prove it statistically. We have case study data that suggests it, however." Pasted from <http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=3195&Itemid=0>
     "Merchants have implemented PCI-mandated security controls in order to reduce fraud and security breaches. However, a weak connection between the PCI controls and fraud management by many merchants has left PCI compliance ineffective at catching external fraud on a day-to-day basis. Some merchants run PCI compliance as an IT project, leaving other operations groups fewer opportunities to get involved. PCI managers also need better understanding of fraud and risk managers' functions to benefit from PCI-mandated reporting." Pasted from <http://blog.intellitactics.com/blog/new-intellitactics-blog/0/0/catching-fraud-pci-dss-compliance-software>
  7. REAL Spirit of PCI: trust in business transactions. "Corporate Social Responsibility". They trusted you with their data! You give me data. I lose it. Another suffers.
  8. This comes from the PCI book, www.pcicompliancebook.info
  9. After validating that you are compliant, don't stop: continuous compliance AND security is your goal, not "passing an audit." See "How to STAY PCI Compliant?"