PCI 2010: Trends and Technologies
6 likes1,633 views
The document discusses the key topics of PCI compliance standards and security trends. It provides an overview of why PCI standards exist due to security breaches and the need to protect payment card data. It also discusses that PCI should be considered a minimum baseline for security and that organizations should strive for higher security, rather than viewing PCI as the maximum level of security needed. Additionally, it outlines future security trends like tokenization and encryption that can help make payment data more secure.
![About Anton Chuvakin Dr. Anton Chuvakin Email: [email_address] Site: http://www.chuvakin.org Blog: http://www.securitywarrior.org LinkedIn: http://www.linkedin.com/in/chuvakin Twitter: @anton_chuvakin Consulting : www.securitywarriorconsulting.com For more: http://www.chuvakin.org](https://image.slidesharecdn.com/bisecpci2010ideas-anton-091216215608-phpapp01/85/PCI-2010-Trends-and-Technologies-13-320.jpg)
PCI 2010: Trends and Technologies
- 1. PCI 2010: Trends & Technologies Presented by: Dr. Anton Chuvakin Author of the book “ PCI Compliance” Principal at www.securitywarriorconsulting.com/
- 2. Agenda Why PCI? Key Question PCI “State of the Union” “ PCI War” Future of PCI?
- 3. Why is PCI Here? Criminals need money Credit card = money Where are the most cards? In computers. Data theft grows and reaches HUGE volume Some organizations still don’t care … … . especially if the loss is not theirs Payment card brands enforce DSS!
- 4. PCI DSS is based on fundamental data security practices What is PCI DSS: DSS + Regime Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Protect Cardholder Data Maintain a policy that addresses information security Maintain an Information Security Policy Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Regularly Monitor and Test Networks Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Implement Strong Access Control Measures Use and regularly update anti-virus software Develop and maintain secure systems and applications Maintain a Vulnerability Management Program Install and maintain a firewall confirmation to protect data Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network
- 5. Ceiling vs Floor PCI is the “floor” of security However, many prefer to treat it as a “ceiling” Result: security breaches
- 6. Laggards vs Leaders Issue : many merchants don’t even want to “grow up” to the floor . Action : breaches, fines, “motivation”, guidance, etc Result : security improves!
- 7. PCI War: Security vs Compliance Issue : some argue that PCI lowers the ceiling of security Truth : PCI doesn’t lower security, YOU do Result : breach is your fault!
- 8. Myth 7 – PCI Is Enough Security (from “PCI Myths and Misconceptions” by Anton Chuvakin) Myth : PCI is all we need to do for security “ We are secure, we got PCI!” “ We worked hard and we passed an ‘audit’; now we are secure!” Reality: Again, PCI is basic security, it is a necessary, NOT sufficient . PCI is also about cardholder data security , not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality , and NOT integrity and availability of data.
- 9. PCI and Security Today <- This is the enemy! This is NOT the enemy! -> Remember: security first , compliance as a result.
- 10. PCI 2010 Battle for Level3s and Level4s continues : security increases, transaction risk decreases New technologies make payment security easier : tokenization, E2EE, DLP ( who pays? ) Outsource to those who know : don’t fail on your own Cybercrime still rampant : focus on security! Remember : ongoing compliance vs point-in-time validation
- 11. Quick PCI Action Items Less card data -> less work needed!!! (Yes, 3 times ) PCI is common sense, basic data security; stop complaining about it - start doing it! After validating that you are compliant, don’t stop: continues compliance AND security is your goal , not “passing an audit”
- 12. Get More Info! “ PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Out in December 2009!
- 13. About Anton Chuvakin Dr. Anton Chuvakin Email: [email_address] Site: http://www.chuvakin.org Blog: http://www.securitywarrior.org LinkedIn: http://www.linkedin.com/in/chuvakin Twitter: @anton_chuvakin Consulting : www.securitywarriorconsulting.com For more: http://www.chuvakin.org
- 14. More on Anton Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop , many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, now Consultant
- 15. Anton’s Security Warrior Consulting Services Logging and log management policy Develop logging policies and processes , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations Content development Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com
Editor's Notes
- #5: Scope! Scope!! Scope!!! PCI DSS is an industry standard that highlights the following: The PCI Data Security Standard is endorsed by the “Participating Brands”: Visa, MasterCard, American Express, Discover Card, JCB and Diners’ Club. Standardized Security Requirements Consistent validation requirements and protocols Common evaluator credentials and approvals Clear procedures for review and reassessment Slide Point of Contact: Eduardo Perez
- #6: Scope! Scope!! Scope!!!
- #14: Whether someone’s writing a check at the gas station, using an ATM/debit card to pay for groceries, buying a book online, getting cash out of an ATM, paying for dinner with a credit card or using a gift card to purchase something special, chances are the transaction is moved quickly and securely by First Data. First Data processes transaction data of all kinds, harnesses the power of that data, and delivers innovations in secure infrastructure, intelligence and insight for its customers. From large financial institutions to the merchant around the corner, First Data supports its customers by helping them process and understand the intelligence behind every transaction. For more, visit www.firstdata.com.