
Verderber Rothke What’s New With PCI


Description

Presentation by Peter Verderber and Ben Rothke at the 2009 BT Managed Security Leaders Conference


Page 1: Verderber   Rothke   What’s New With PCI

Peter Verderber, CISSP, CISA, PCI QSA, Principal Consultant

Ben Rothke, CISSP, CISA, PCI QSA, Senior Security Consultant

Managed Security Leaders Conference

What’s new with PCI?

November 18, 2009

Check out the SecureThinking blog: http://bt-securethinking.blogspot.com. Follow us on Twitter: http://twitter.com/securethinking

Page 2

Agenda

Introductions

PCI DSS Updates – Gray Areas & Emerging Trends

Evolution of the PCI DSS

PCI SSC Updates – The Impact of QA Inspections

Key messages and take-aways

Page 3

Introductions

Peter Verderber

• US & Canada Security Practice Lead; CISSP, CISA, PCI QSA

• 10+ years in the information security field

• Working with PCI Standard since its inception in 2004

Ben Rothke, CISSP, CISM, PCI QSA

• Senior Security Consultant

• In IT sector since 1988 and information security since 1994

• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)

• PCI QSA since 2007

Page 4

BT and PCI

PCI Environment Discovery and Scoping

Security Architecture Design

Compliance Assessments (Gap Analysis)

Remediation Planning, Support, and Integration

Compliance Validation and Reporting

Internal and External ASV Scanning

Network and Application Penetration Testing

Managed Security Event Monitoring

Managed Log Retention Services

Managed Firewall and IDP Services

Digital Security Surveillance Solutions

Page 5

PCI Timeline (2001)

2001 – Visa establishes CISP (Card Information Security Program)

Page 6

PCI Timeline (2001, 2004)

2004 – Formation of the PCI Security Standards Council (PCI SSC)

• PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

• Mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.

• Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Page 7

PCI Timeline (2001, 2004, 2006)

2006 – PCI DSS version 1.1 released

• PCI DSS (Data Security Standard) is a worldwide information security standard assembled by the PCI SSC.

• The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

• PCI DSS applies to all organizations that hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

Page 8

PCI Timeline (2001, 2004, 2006, 2008)

2008 – PCI DSS version 1.2 and PA-DSS 1.2 released

• PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).

• The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and to ensure their payment applications support compliance with the PCI DSS.

Page 9

PCI Timeline (2001, 2004, 2006, 2008, 2009)

2009 – PCI wireless guidelines released

• Wireless guidelines recommend use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations.

• Wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.

• Guidelines apply to the deployment of WLANs in cardholder data environments (CDE) – a network environment that possesses or transmits credit card data.

Page 10

PCI Timeline (2001, 2004, 2006, 2008, 2009 and beyond)

2009 and beyond – PCI will continue to gain traction

• Greater details

• Greater enforcement

• Increased rigor

• Federal adoption

Page 11

PCI Security Standards Council Updates

What’s new in 2009?

• More breaches of “PCI Compliant” entities

• Prioritized Approach

• PCI Council QA refresh and enforcement

• New QA model and scoring matrix established

• 945 validation points (1000+ with sampling)

• Limited auditor discretion

Impact to your organization:

• Extensive documentation

• Application interaction and data flows

• Card processing and third-party relationships

• Defensible position a must

PCI Guiding Principles

Page 12

Gray Areas Remain

• But then again, all regulations have gray areas

• Defend your interpretation

• A strong security foundation can certainly deal with every new regulation / standard

• Scoping (limit PCI scope, ASV scan and penetration testing scope)

• Compensating Controls

Emerging Trends

• Tokenization

• Data encryption

• Virtualization

• Outsourcing / Third Party

• Cloud Computing

• Mobility

PCI Data Security Standard Updates

Page 13

Conclusions

In our opinion:

• PCI is a very prescriptive standard, closely aligned with ISO 27002 and security best practices

• The increased rigor and advancement of the PCI Council proves that PCI is not going away

• Expect greater expansion and adoption of PCI in the form of legislation

• Emerging trends will continue to introduce new “gray areas” and drive the evolution of PCI

Take-aways / food for thought:

• Understand risks to your organization and business strategy involving PCI; stay ahead of the curve

• Align security resources to adequately mitigate risk and maintain compliance

• Ensure that your security program drives compliance as a byproduct, not the other way around

Page 14

Questions from the floor…

“The future may be bright, but focus on the present for now”

Page 15

Contact Information

Peter Verderber

[email protected]

561-206-2064

http://www.linkedin.com/in/peteverd

Ben Rothke

[email protected]

973-489-0838

www.linkedin.com/in/benrothke

www.twitter.com/benrothke

Page 16

www.bt.com/security