PCI Compliance - A Business Issue
David Morrison - CISA, CISSP, QSA

ISACA - August, 2009

1   www.senseofsecurity.com.au                                          Tuesday, August 11, 2009
Overview

    1. Brief overview of PCI DSS and the associated requirements
    2. Why PCI DSS is seen as an IT issue
    3. What PCI DSS is really about
    4. Why PCI DSS is really a business issue
    5. Is outsourcing PCI DSS functions really the path to take?
    6. Is PCI DSS working?
    7. Conclusion

PCI Data Security Standard

    • Payment Card Industry Data Security Standard
       – An open industry standard
       – Developed by the founding payment brands
       – It attempts to enhance payment account data security
       – Outlines requirements for data security
       – The PCI Security Standards Council (SSC) maintains the lists of Qualified
         Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
    • Who must comply?
       – Everyone who stores, processes or transmits cardholder data
          • PCI compliance is mandatory
          • PCI applies to all parties in the payment process
          • An organisation may not be partially compliant: PASS or FAIL
    • Merchant and Service Provider levels are based on
      transaction volumes

PCI Compliance - An IT Issue?

                                 Is PCI DSS an IT issue?

PCI DSS Requirements

    Build and Maintain a Secure Network
       1.  Install and maintain a firewall configuration to protect cardholder data
       2.  Do not use vendor-supplied defaults for system passwords and other
           security parameters

    Protect Cardholder Data
       3.  Protect stored data
       4.  Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
       5.  Use and regularly update anti-virus software
       6.  Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
       7.  Restrict access to cardholder data by business need-to-know
       8.  Assign a unique ID to each person with computer access
       9.  Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes

    Maintain an Information Security Policy
       12. Maintain a policy that addresses information security

PCI Compliance - An IT Issue?

    • IT-based solutions will not satisfy all PCI DSS requirements
       – They address the technical requirements only
       – PCI DSS is about more than just technical issues or finding technical
         solutions
    • PCI DSS requirements should not be addressed in isolation
    • Individual IT solutions create complex and unmanageable
      environments
    • Do not believe the vendor hype: there is no silver bullet
    • Manageability issues lead to security issues
    • This undermines what PCI DSS is attempting to achieve

The Real Requirements

    • 12 Main Requirements
       – Approximately 270 Sub-Requirements

                              Requirement         Sub-Requirements
                                    1                    26
                                    2                    13
                                    3                    28
                                    4                    4
                                    5                    7
                                    6                    40
                                    7                    9
                                    8                    25
                                    9                    24
                                    10                   30
                                    11                   14
                                    12                   41
          Appendix A (Shared Hosting Providers)          9

The Real Requirements

    • From these 270 sub-requirements, some have further
      bullet points or sub-sub-requirements
    • Not all requirements take the same time or resources.
      Some include entire audits, assessments or projects
    • A scope of this size should not be tackled by one
      department alone
       – Cost
       – Resources
       – Time
    • When you look deeper at these sub-requirements, they are
      not all IT based

The Real Requirements

    • Physical Security - Section 9
    • Human Resources
       – 12.6 - Security Awareness
       – 12.7 - Screening of Potential Employees
    • Legal Department
       – 12.8 - Legal agreements between the organisation and service providers
    • All Departments
        – 12.9 - Incident Response Plans

PCI DSS Complexity

     • PCI Security Standards Council recognises the complexity
     • Prioritised Approach Tool (PAT) released in March, 2009
        – Helps merchants and acquiring banks demonstrate and measure progress
        – Consists of 6 key milestones
                1. Remove sensitive authentication data and limit data retention
                2. Protect the perimeter, internal and wireless networks
                3. Secure payment card applications
                4. Monitor and control access to your systems
                5. Protect stored cardholder data
                6. Finalise remaining compliance efforts and ensure all controls are in place

Prioritised Approach Tool (PAT)

     • Helps prioritise and target issues that cause the most harm
     • The PAT has not changed the requirements. All
       requirements must still be satisfied
     • The PAT still looks IT focused

What is PCI DSS Really About?

     • PCI DSS is there to protect the card brands
     • Data compromise leads to losses for the card brand
        – The card brand passes on these losses to the acquiring bank in fines
        – In most cases the acquirer passes the fine down to the offending retailer
     • Financial cost of compromise
        – Fines
        – Associated costs
     • Fines
        – TJX Part 1 - US$500,000 for the seriousness of the incident and impact on
          the VISA system
        – TJX Part 2 - US$380,000 for failure to cease storing prohibited data
     • Associated Costs
        –    Forrester Research suggests US$90 to US$305 per record
        –    Replacement of cards
        –    Credit protection
        –    Legal action by card holders
PCI Compliance - A Business Issue

     • PCI DSS addresses business risks, not IT risks
     • Data compromise affects the entire organisation
        – Financially
        – Reputation
     • Requires someone that understands the business and can
       align PCI DSS requirements with business risks, goals and
       impacts
     • Compliance is generally a business issue and addressed at
       the business level via an organisation’s overall compliance
       framework
        – ISO/IEC 27002
        – SOX

PCI Compliance - A Business Issue

     • Why is PCI DSS addressed as a project?
     • PCI DSS is not a project!
        –    PCI DSS compliance does not have a start and a finishing date
        –    PCI DSS is a process
        –    IT is a project-based culture

PCI Security Standards Council

     • PCI Security Standards Council statement on recent data
       breaches - 27th July, 2009
        – "Friday’s announcement of a data breach at Network Solutions underscores
          the necessity for ongoing vigilance of an organization’s security measures.
          Security doesn’t stop with PCI compliance validation. As the Council has
          said many times, it is not enough to validate compliance annually and not
          adopt security into an organization's ongoing business practices. A card
          data environment is under constant threat, so businesses must ensure their
          safeguards are also under constant vigilance, monitoring and where
          necessary, ongoing improvement. A layered approach to security is
          absolutely necessary to protect sensitive payment card data – without
          ongoing vigilance or a comprehensive security strategy, organizations may
          be just a change control away from noncompliance."

Business Support

     • Requires support and backing from the business to succeed
     • Requires support from those that understand the business
        – C-Level executives
        – Align PCI DSS to business risk
        – The lead for driving PCI DSS compliance should reside on the business side
     • PCI DSS affects the entire organisation
        – Senior management commitment
        – Senior management remaining involved
     • Resources
        – Spans departments
        – The authority to assign resources

Business Support

     • Policy, Process and Procedures
     • Training and security awareness
     • Cost
        – Compliance is not cheap
        – Business risk and costs of non-compliance far exceed implementation costs

Outsourcing PCI DSS

     • No matter what the organisational size, PCI DSS is a
       business issue
     • Whether you are a level 1, 2, 3 or 4 merchant or a service
       provider, you must comply with all the requirements
     • The only difference is how you validate your compliance,
       and hence the overall cost, time and resources required

Outsourcing PCI DSS

     • There is a common view that, due to the complexity and cost of
       addressing and remediating issues, the only solution is to
       outsource PCI functions
        – There are four different Self Assessment Questionnaires (SAQs)
        – Outsourcing all PCI DSS functions allows the filing of SAQ version A,
          which covers only 2 of the 12 PCI DSS requirements
        – Dial-out terminal - the SAQ covers 5 out of 12
        – Payment application connected to the Internet - 11 out of 12
        – All others - all 12 requirements
     • Overall cost is reduced due to the reduction in
       requirements
     • Outsourcing does not address the underlying security issues

Outsourcing PCI DSS

     • Customers are your responsibility whether you outsource or
       not
     • You may have outsourced but you still own the problem.
       You are not free of compliance
     • If the service provider is compromised, it is your
       organisation that is dragged through the mud with them
     • Is the service provider you have outsourced to actually
       compliant?
        – Bottle Domains - April 2009
     • Remember: PCI DSS compliance is only a snapshot of
       compliance at a single point in time

Outsourcing PCI DSS

     • You cannot just rely on a Certificate of Compliance. They
       are not all equal.

       [Figure: mock "You're Compliant" certificate - "This certifies that ACME INC
       has successfully attained PCI DSS COMPLIANCE", dated 9 August 2009, signed
       by a "Secretary"]

Outsourcing PCI DSS

     • How far do you go in validating compliance?
        –    Obtain a copy of their Certificate of Compliance (COC)
        –    Obtain a copy of their Report on Compliance (ROC)
        –    Assess the scope of their compliance
        –    Are your systems/data stored in a compliant manner?
        –    Are they willing to accept you visiting their premises?

Outsourcing PCI DSS

     • PCI DSS requirements are based on security best practice
     • Outsourcing does not address the underlying security issues
       within your organisation
     • Loss of cardholder data is not the only issue that may
       affect an organisation in the event of a compromise

Is PCI DSS Working?

 • What about breaches that occur when a merchant or
   service provider is deemed PCI DSS compliant?
 • Heartland Payment Systems - January 2009
     –    Processes payments for 250,000 businesses
     –    100 million transactions per month
     –    No idea how or when the malicious software was put in place
     –    Possibly affects anyone who travelled in the US in 2008
 • The report is only as good as the day it was issued
 • Adrian Philips, Visa’s Deputy Chief Enterprise Risk Officer,
   has stated:
           “We’ve never seen anyone breached that was PCI compliant. The breaches
           we have seen have involved a key area of non-compliance”

Is PCI DSS Working?

 • PCI DSS is about security, and security is an ongoing,
   proactive process
 • How many changes are made to your environment every
   year?
 • It is a set of guidelines to reduce risk
 • Compliance can only be as good as the QSA's assessment of
   that compliance
 • We are far better off than before PCI DSS

Conclusion

     • PCI DSS is a business risk and cannot be solved piecemeal
       with IT solutions
     • PCI DSS is not a project and cannot be treated as a project.
       It is an ongoing process that requires business support
     • Outsourcing PCI DSS functions may solve compliance issues
       but does not address the underlying security issues PCI DSS
       attempts to address
     • Compliance is only a snapshot in time and does not
       guarantee your security

Thank You

                                           Questions?
                                             David Morrison
                                        Sense of Security Pty Ltd
                                    davidm@senseofsecurity.com.au
                                          Tel: +61 2 9290 4443
                                  http://www.senseofsecurity.com.au
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 

PCI Compliance a Business Issue Isaca 2009

Slide 1. PCI Compliance - A Business Issue
  David Morrison - CISA, CISSP, QSA
  ISACA - August, 2009
  www.senseofsecurity.com.au   Tuesday, August 11, 2009

Slide 2. Overview
  1. Brief overview of PCI DSS and the associated requirements
  2. Why PCI DSS is seen as an IT issue
  3. What PCI DSS is really about
  4. Why PCI DSS is really a business issue
  5. Is outsourcing PCI DSS functions really the path to take?
  6. Is PCI DSS working?
  7. Conclusion

Slide 3. PCI Data Security Standard
  • Payment Card Industry Data Security Standard
    – An open industry standard
    – Developed by the founding payment brands
    – It attempts to enhance payment account data security
    – Outlines requirements for data security
    – PCI Security Standards Council (SSC) maintains a list of Qualified Security Assessors (QSAs and ASVs)
  • Who must comply?
    – Everyone who stores, processes or transmits cardholder data
      • PCI compliance is mandatory
      • PCI applies to all parties in the payment process
      • An organisation may not be partially compliant: PASS or FAIL
  • Merchant and Service Provider levels are based on transaction volumes

Slide 4. PCI Compliance - An IT Issue?
  Is PCI DSS an IT issue?

Slide 5. PCI DSS Requirements
  Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data
    3. Protect stored data
    4. Encrypt transmission of cardholder data across open, public networks
  Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
  Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
  Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

Slide 6. PCI Compliance - An IT Issue?
  • IT-based solutions will not solve all PCI DSS requirements
    – They address the technical requirements
    – PCI DSS is about more than just technical issues or finding technical solutions
  • PCI DSS requirements should not be addressed in isolation
  • Individual IT solutions create complex and unmanageable environments
  • Do not believe the vendor hype; there is no silver bullet
  • Manageability issues lead to security issues
  • This undermines what PCI DSS is attempting to achieve

Slide 7. The Real Requirements
  • 12 Main Requirements
    – Approximately 270 Sub-Requirements

  Requirement                              Sub-Requirements
  1                                        26
  2                                        13
  3                                        28
  4                                         4
  5                                         7
  6                                        40
  7                                         9
  8                                        25
  9                                        24
  10                                       30
  11                                       14
  12                                       41
  Appendix A (Shared Hosting Providers)     9

Slide 8. The Real Requirements
  • From these 270 sub-requirements, some have further bullet points or sub-sub-requirements
  • Not all requirements take the same time or resources. Some include entire audits, assessments or projects
  • A scope of this size should not be tackled by one department alone
    – Cost
    – Resources
    – Time
  • When you look deeper at these sub-requirements, they are not all IT based

Slide 9. The Real Requirements
  • Physical Security - Section 9
  • Human Resources
    – 12.6 - Security Awareness
    – 12.7 - Screening of Potential Employees
  • Legal Department
    – 12.8 - Legal agreements between the organisation and service providers
  • All Departments
    – 12.9 - Incident Response Plans

Slide 10. PCI DSS Complexity
  • PCI Security Standards Council recognises the complexity
  • Prioritised Approach Tool (PAT) released in March, 2009
    – Helps merchants and acquiring banks demonstrate and measure progress
    – Consists of 6 key milestones
      1. Remove sensitive authentication data and limit data retention
      2. Protect the perimeter, internal and wireless networks
      3. Secure payment card applications
      4. Monitor and control access to your systems
      5. Protect stored cardholder data
      6. Finalise remaining compliance efforts and ensure all controls are in place

Slide 11. Prioritised Approach Tool (PAT)
  • Helps prioritise and target issues that cause the most harm
  • The PAT has not changed the requirements. All requirements must still be satisfied
  • The PAT still looks IT focused

Slide 12. What is PCI DSS Really About?
  • PCI DSS is there to protect the card brands
  • Data compromise leads to losses for the card brand
    – The card brand passes on these losses to the acquiring bank in fines
    – In most cases the acquirer passes the fine down to the offending retailer
  • Financial cost of compromise
    – Fines
    – Associated costs
  • Fines
    – TJX Part 1 - US$500,000 for the seriousness of the incident and impact on the VISA system
    – TJX Part 2 - US$380,000 for failure to cease storing prohibited data
  • Associated Costs
    – Forrester Research suggests US$90 to US$305 per record
    – Replacement of cards
    – Credit protection
    – Legal action by card holders

Slide 13. PCI Compliance - A Business Issue
  • PCI DSS addresses business risks, not IT risks
  • Data compromise affects the entire organisation
    – Financially
    – Reputation
  • Requires someone that understands the business and can align PCI DSS requirements with business risks, goals and impacts
  • Compliance is generally a business issue and addressed at the business level via an organisation's overall compliance framework
    – ISO/IEC 27002
    – SOX

Slide 14. PCI Compliance - A Business Issue
  • Why is PCI DSS addressed as a project?
  • PCI DSS is not a project!
    – PCI DSS compliance does not have a start and a finishing date
    – PCI DSS is a process
    – IT is a project-based culture

Slide 15. PCI Security Standards Council
  • PCI Security Standards Council statement on recent data breaches - 27th July, 2009
    – "Friday's announcement of a data breach at Network Solutions underscores the necessity for ongoing vigilance of an organization's security measures. Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices. A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance, monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data – without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance."

Slide 16. Business Support
  • Requires support and backing from the business to succeed
  • Requires support from those that understand the business
    – C-Level executives
    – Align PCI DSS to business risk
    – The lead for driving PCI DSS compliance should reside on the business side
  • PCI DSS affects the entire organisation
    – Senior management commitment
    – Senior management remaining involved
  • Resources
    – Spans departments
    – The authority to assign resources

Slide 17. Business Support
  • Policy, Process and Procedures
  • Training and security awareness
  • Cost
    – Compliance is not cheap
    – Business risk and costs of non-compliance far exceed implementation costs

Slide 18. Outsourcing PCI DSS
  • No matter what the organisational size, PCI DSS is a business issue
  • Whether you are a level 1, 2, 3 or 4 merchant or a service provider, you must comply with all the requirements
  • The only difference is how you validate your compliance, and hence the overall cost, time and resources required

Slide 19. Outsourcing PCI DSS
  • There is a common view that, due to the complexity and cost of addressing and remediating issues, the only solution is to outsource PCI functions
    – Four different Self Assessment Questionnaires (SAQ)
    – All PCI DSS functions outsourced allows the filing of version A of the SAQ, which only covers 2 of the 12 PCI DSS requirements
    – Dial-out terminal - SAQ covers 5 out of 12
    – Payment Application connected to the Internet - 11 out of 12
    – All others - All 12 requirements
  • Overall cost is reduced due to the reduction in requirements
  • Outsourcing does not address the underlying security issues

Slide 20. Outsourcing PCI DSS
  • Customers are your responsibility whether you outsource or not
  • You may have outsourced, but you still own the problem. You are not free of compliance
  • If the service provider is compromised, it is your organisation that is dragged through the mud with them
  • Is the service provider you have outsourced to actually compliant?
    – Bottle Domains - April 2009
  • Remember: PCI DSS compliance is only a snapshot of compliance at a single point in time

Slide 21. Outsourcing PCI DSS
  • You cannot just rely on a Certificate of Compliance. They are not all equal.
  [Mock certificate graphic: "YOU'RE COMPLIANT - This certifies that ACME INC has successfully attained PCI DSS COMPLIANCE - 9 August 2009 - Date / Secretary"]

Slide 22. Outsourcing PCI DSS
  • How far do you go in validating compliance?
    – Obtain a copy of their Certificate of Compliance (COC)
    – Obtain a copy of their Report on Compliance (ROC)
    – Assess the scope of their compliance
    – Are your systems/data stored in a compliant manner?
    – Are they willing to accept you visiting their premises?

Slide 23. Outsourcing PCI DSS
  • PCI DSS requirements are based on security best practice
  • Outsourcing does not address the underlying security issues within your organisation
  • Loss of cardholder data is not the only issue that may affect an organisation in the event of compromise

Slide 24. Is PCI DSS Working?
  • What about breaches that occur when a merchant or service provider is deemed PCI DSS compliant?
  • Heartland Payment Systems - January 2009
    – Processes payments for 250,000 businesses
    – 100 million transactions per month
    – No idea how or when the malicious software was put in place
    – Possibly affects anyone who travelled in the US in 2008
  • The report is only as good as when the report was issued
  • Adrian Philips, Visa's Deputy Chief Enterprise Risk Officer, has stated: "We've never seen anyone breached that was PCI compliant. The breaches we have seen have involved a key area of non-compliance"

Slide 25. Is PCI DSS Working?
  • PCI DSS is about security, and security is an ongoing pro-active process
  • How many changes are made to your environment every year?
  • It is a set of guidelines to reduce risk
  • Compliance can only be based on how well the QSA assesses that compliance
  • We are far better off than before PCI DSS

Slide 26. Conclusion
  • PCI DSS is a business risk and cannot be solved piecemeal with IT solutions
  • PCI DSS is not a project and cannot be treated as a project. It is an ongoing process that requires business support
  • Outsourcing PCI DSS functions may solve compliance issues but does not address the underlying security issues PCI DSS attempts to address
  • Compliance is only a snapshot in time and does not guarantee your security

Slide 27. Thank You
  Questions?
  David Morrison
  Sense of Security Pty Ltd
  davidm@senseofsecurity.com.au
  Tel: +61 2 9290 4443
  http://www.senseofsecurity.com.au