Dr. Anton Chuvakin's keynote at the PCI in Higher Education workshop emphasizes the true purpose of PCI DSS: to reduce security breaches and card fraud rather than merely fulfilling compliance. He critiques the checklist mentality surrounding PCI compliance, urging organizations to prioritize genuine security improvements over mere adherence to standards. The document advocates for a shift in thinking from compliance to a broader security mindset, highlighting that effective PCI practices should lead to actual security benefits.

1. Spirit of PCI DSSorThe REAL Goal of PCIDr. Anton ChuvakinSecurity Warrior Consultingwww.securitywarriorconsulting.comAuthor of “PCI Compliance” book Keynote at PCI in Higher Education WorkshopIndianapolis, IN - May 2010

2. “PCI Is The Devil !!!”

3. Inspiration….“Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “PCI Knowledge Base by late David Taylor

4. OutlineBackground and context around PCIWhy are we doing it?Accept risk … of others?Security as a checklist?PCI -> security? Conclusions: Simplify PCI?

5. What is PCI DSS or PCI?Payment Card Industry Data Security StandardPayment Card = Payment Card Industry = Data Security = Data Security Standard =

6. PCI Regime vs DSS GuidanceThe PCI Council publishes PCI DSS Outlined the minimumdata security protections measures for payment card data.Defined Merchant & Service Provider Levels, and compliance validation requirements.Left the enforcement to card brands (Council doesn’t fine anybody!)Key point: PCI DSS (document) vs PCI (validation regime)

7. Install and maintain a firewall confirmation to protect data

8. Do not use vendor-supplied defaults for system passwords and other security parametersBuild and Maintain a Secure NetworkProtect stored data

9. Encrypt transmission of cardholder data and sensitiveinformation across public networksProtect Cardholder DataUse and regularly update anti-virus software

10. Develop and maintain secure systems and applicationsMaintain a Vulnerability Management ProgramRestrict access to data by business need-to-know

11. Assign a unique ID to each person with computer access

12. Restrict physical access to cardholder dataImplement Strong Access Control MeasuresTrack and monitor all access to network resources andcardholder data

13. Regularly test security systems and processesRegularly Monitor and Test NetworksMaintain a policy that addresses information securityMaintain an Information Security PolicyPCI DSS = Basic Security Practices!

14. PCI Game: The PlayersPCI Security Standards Council

15. Why Are We Doing It?Risk of DEATHVs Risk of $60 fine?

16. My Data – Their Risk!?*I* GIVE *YOU* DATA*YOU* LOSE IT*ANOTHER* SUFFERS!

17. Key Point: What Do You Protect?

18. 2/3 Value vs ½ ProtectionWhat is VALUED vswhat isPROTECTEDLack of Balance!

19. Observations…

20. Leaders vs Losers

21. Extra Dimension: Fraud?Disconnect of fraud and PCI?Ideas:Deploy PCI DSS controls

22. Measure their impact on fraud

23. Rinse, repeat!Compliance vs SecurityX

24. Ceiling vs FloorPCI is the “floor” of securityThis is fundamental reality of PCI DSS!However, many prefer to treat it as a “ceiling”Result: security breaches

25. PCI and Security Today <- This is the enemy!This is NOT the enemy! ->Remember:security first, compliance as a result.

26. Checklist Mentality IS Evil!

27. “Whack-an-assessor”PCI “game” as “whack-an-assessor” = PAIN, PAIN, PAIN, PAIN, PAIN, PAIN!Do it for security – justify it for PCI DSS!

28. How To “Profit” From PCI DSS?Everything you do for PCI DSS, MUST have security benefit for your organization!Examples: log management, IDS/IPS, IdM, application security , etc

29. In Other Words…Every time you think “PCI DSS OR security,” god kills a kitten!

30. The Spirit of PCI DSS?PCI DSS = Motivating FORCE for CUSTODIAN data security, thus customer TRUST!Can learn to protect YOUR data too!

31. CSR Goes Far?Corporate Social Responsibility?GreenSustainable“Fair” tradeLOSES CUSTOMER DATA!!!Secure data -> trust!

32. The Whining of PCI DSSW1: Why don’t the brands “fix the system?”A1: They will.W2: Can we have “a risk based” standard?A2: No. 91% of people can’t spell “risk”W3: Can we do something simpler?A3: Yes! Cash.

33. Conclusions and Action ItemsKill the data! Outsource!PCI is basic security; stop complaining about it - start doing it!Develop “security and risk” mindset, not “compliance and audit” mindset.If you are doing PCI DSS and not getting a security benefit, please STOP!

34. Get The PCI Book!“PCI Compliance” by Anton Chuvakin and Branden WilliamsUseful reference for merchants, vendors – and everybody else in PCI-landReleased December 2009!www.pcicompliancebook.info

35. Questions?Dr. Anton Chuvakin Email:anton@chuvakin.orgSite:http://www.chuvakin.orgBlog:http://www.securitywarrior.orgTwitter:@anton_chuvakinConsulting:http://www.securitywarriorconsulting.com

36. More on AntonNow: independent consultantBook author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etcConference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwideStandard developer: CEE, CVSS, OVAL, etcCommunity role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, othersPast roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

37. Security Warrior Consulting ServicesLogging and log management policyDevelop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validationCustomize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulationsHelp integrate logging tools and processes into IT and business operationsContent developmentDevelop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needsCreate and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulationsMore at www.SecurityWarriorConsulting.com