Peter Verderber, CISSP, CISA, PCI QSA, Principal Consultant
Ben Rothke, CISSP, CISA, PCI QSA, Senior Security Consultant
Managed Security Leaders Conference
What’s new with PCI?
November 18, 2009
Check out the SecureThinking blog: http://bt-securethinking.blogspot.com. Follow us on Twitter: http://twitter.com/securethinking
Agenda
Introductions
PCI DSS Updates – Gray Areas & Emerging Trends
Evolution of the PCI DSS
PCI SSC Updates – The Impact of QA Inspections
Key messages and take-aways
Introductions
Peter Verderber
• US & Canada Security Practice Lead; CISSP, CISA, PCI QSA
• 10+ years in the information security field
• Working with PCI Standard since its inception in 2004
Ben Rothke, CISSP, CISM, PCI QSA
• Senior Security Consultant
• In IT sector since 1988 and information security since 1994
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• PCI QSA since 2007
BT and PCI
PCI Environment Discovery and Scoping
Security Architecture Design
Compliance Assessments (Gap Analysis)
Remediation Planning, Support, and Integration
Compliance Validation and Reporting
Internal and External ASV Scanning
Network and Application Penetration Testing
Managed Security Event Monitoring
Managed Log Retention Services
Managed Firewall and IDP Services
Digital Security Surveillance Solutions
PCI Timeline
2001: Visa establishes CISP (Card Information Security Program)
2004: Formation of the PCI Security Standards Council (PCI SSC)
PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Its mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.
Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
2006: PCI DSS version 1.1 released
PCI DSS (Data Security Standard) is a worldwide information security standard assembled by the PCI SSC.
The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.
PCI DSS applies to all organizations that hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
2008: PCI DSS version 1.2 and PA-DSS 1.2 released
PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS.
2009: PCI wireless guidelines released
The wireless guidelines recommend use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations.
The wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.
The guidelines apply to the deployment of WLANs in cardholder data environments (CDE) – a network environment that possesses or transmits credit card data.
2009 and beyond: PCI will continue to gain traction
• Greater details
• Greater enforcement
• Increased rigor
• Federal adoption
PCI Security Standards Council Updates
What’s new in 2009?
• More breaches of “PCI Compliant” entities
• Prioritized Approach
• PCI Council QA refresh and enforcement
• New QA model and scoring matrix established
• 945 validation points (1000+ with sampling)
• Limited auditor discretion
Impact to your organization:
• Extensive documentation
• Application interaction and data flows
• Card processing and third-party relationships
• Defensible position a must
PCI Guiding Principles
Gray Areas Remain
• But then again, all regulations have gray areas
• Defend your interpretation
• A strong security foundation can certainly deal with every new regulation / standard
• Scoping (limit PCI scope, ASV scan and penetration testing scope)
• Compensating Controls
Emerging Trends
• Tokenization
• Data encryption
• Virtualization
• Outsourcing / Third Party
• Cloud Computing
• Mobility
PCI Data Security Standard Updates
Conclusions
In our opinion
• PCI is a very prescriptive standard, closely aligned with ISO 27002 and security best practices
• The increased rigor and advancement of the PCI Council proves that PCI is not going away
• Expect greater expansion and adoption of PCI in the form of legislation
• Emerging trends will continue to introduce new “gray areas” and drive the evolution of PCI
Take-aways / food for thought:
• Understand risks to your organization and business strategy involving PCI; stay ahead of the curve
• Align security resources to adequately mitigate risk and maintain compliance
• Ensure that your security program drives compliance as a byproduct, not the other way around
Questions from the floor...
“The future may be bright, but focus on the present for now.”
Contact Information
Peter Verderber
peter.verderber@bt.com
561-206-2064
http://www.linkedin.com/in/peteverd
Ben Rothke
ben.rothke@bt.com
973-489-0838
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.bt.com/security