
Improving Technology Decision Making for the Multichannel Retailer




Complicated, Expensive and Time-Consuming – But PCI DSS isn’t Going Away

Mark Kedgley, Chief Technical Officer, NNT


• NNT is a leading light in PCI DSS & general Data Protection software solutions

• Focused on helping organisations protect their sensitive/credit card data in an effective, affordable and pragmatic manner


Agenda

• Attitudes and Opinions from Multi Channel retailers in the UK

• Some Statistics and Figures

• Strategies available – what is working and what are others getting away with?

• Common Sense or Technology?

• Are the goalposts moving (or going to move)?

• Summary


Attitudes & Opinions from Retailers #1

• Duck it!

• “The future is too unclear to make any investment….”


Attitudes & Opinions from Retailers #2

• Paralysis!

• “We don’t want to make mistakes like xyz….”


Attitudes & Opinions from Retailers #3

• Ignore it!

• “We don’t need to bother – we’ve been OK so far and we view the risks as low…”


Attitudes & Opinions from Retailers #4

• Go Slow!

• “We have kept some updated procedural stuff back and if we drip-feed this to the Bank over the next two quarters then we are covered for the next few months…”


How hard can it be?

• Just 12 Requirements

• …230 sub-requirements

• …and some estimates of 650 detail points


Logical – from one perspective…

• Requirements focus on 12 main security initiatives comprising technological measures and ‘best practice’ procedures


Processes & Technology Needed

What is our Change Management Process? Is it documented?

How often do we verify configuration standards? What is our process for this?

Where is that network diagram?!

Do we need to buy a firewall for each site?

Do we need an automated diagramming tool?


Cost? – Be careful who you Ask!

• Vendor Speak – “Silver Bullet…”, “….Easy Steps”

• Cost of Procrastination and Sandbagging?


Upside? Plenty…

• Avoid Fines and Corporate Shame

• ‘Off the Shelf’ Security Policy

• Data Protection?

• ISO 27000?

• Advanced Warning System


The Future of the PCI DSS

• Stable and Mature

• P2P Encryption and Tokenization help but aren’t ‘Magic Bullets’ (or Silver Bullets)

• Likely that the PCI DSS will take P2P Encryption in as an additional measure

• Expect more, not fewer measures


Want some advice? PCI DSS on a fag packet

• Take Control – understand the objectives of the PCI DSS

• Your environment is unique – you understand your exposure best

• Don’t ask your QSA for guidance, just confirmation


Summary

• Don’t resist – Embrace the PCI DSS!

• Thank you for your attention.
