An organization can be compliant and still experience a security breach – look no further than Heartland Payment Systems and RBS WorldPay. Both had achieved PCI DSS compliance, only to suffer massive data breaches that cost tens of millions of dollars. What is the difference between compliance and security? And how can organizations effectively move beyond PCI DSS compliance to ensure the security of personally identifiable information (PII)?
3. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Michael Rasmussen Risk & Compliance Advisor Corporate Integrity, LLC William Bell Director of Information Systems EC Suite
6. Are you focused only on what you see? “ Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” E.J. Smith, Captain of the Titanic Risk Awareness Risk Ignorance
7.
8.
9. A grim view of the current state… Source: Open Compliance & Ethics Group
10. Big Picture of Compliance OBJECTIVES strategic, operational, customer, process, compliance objectives BUSINESS MODEL strategy, people, process, technology and infrastructure in place to drive toward objectives MANDATED BOUNDARY boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OPPORTUNITIES OPPORTUNITIES OPPORTUNITIES Source: Open Compliance & Ethics Group OBSTACLES
11. Components of Compliance & Data Protection Source: Open Compliance & Ethics Group INFORM & INTEGRATE DETECT & DISCERN ORGANIZE & OVERSEE ASSESS & ALIGN MONITOR & MEASURE PREVENT & PROMOTE RESPOND & RESOLVE
Six control-objective categories that form 12 requirement areas for compliance. Build and maintain a secure network Protect and encrypt cardholder data Manage and monitor threats and vulnerabilities to the environment Integrate strong access-control measures, so only authorized users can access card holder data Test and monitor the state of security Implement a comprehensive and effective information security policy PCI DSS compliance is just one of many regulations organizations face to ensure the protection of information. The end goal is to effectively manage IT risk — to see to it that there are proper security controls in place to reduce risk to an acceptable level. To achieve economies in PCI DSS compliance, to maintain security and prevent data breaches, organizations must implement an infrastructure for managing and monitoring compliance on a continuous basis. Heartland Payment Systems Malicious keylogger software planted on the company's payment processing network recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients. 1 130 million credit cards impacted 2 652 reported institutions affected 2 RBS WorldPay Hacker got into the computer systems 1.5 million cardholders affected Linked to gang that used debit cards to steal millions of dollars from ATMs
Open Compliance & Ethics Group (www.oceg.org) 08/27/10 (c) 2007, OCEG
Though PCI DSS is more prescriptive than other compliance requirements, an organization can use several approaches to demonstrate adherence. One approach is a manual, ad hoc and ultimately labor-intensive process that produces mountains of paper and electronic documents. This leads to a compliance posture that is often full of holes or outright “smoke and mirrors,” with little security value. A more economical approach focuses on automation and efficiency in PCI DSS compliance, which achieves greater control and security.
Organizations need a sustainable process and infrastructure to demonstrate PCI DSS compliance that is agile enough to respond to a changing business and IT environment.
Organizations need a consistent approach to demonstrate PCI DSS compliance and ensure that requirements are consistently applied across governed systems and information.
PCI DSS compliance approached the wrong way can be burdensome.
The organization, and any of its extended business relationships that interact with cardholder data, must demand transparency in reporting across systems.
At its core, compliance is about accountability. The organization is ultimately accountable for PCI DSS compliance even across extended business relationships that use its cardholder data.
Ultimately, security of cardholder data is what PCI DSS is about — and the peace of mind that the organization is not exposing cardholder and financial information to unwanted risk.