PCI: The Real Deal
How to do PCI Right
(And how to really hose it up)
Branden R. Williams, CISSP, [email protected]
www.brandenwilliams.com
Why companies succeed
What are the steps to success?
PCI Requires Planning
Programmatic approach
Fully staffed compliance office
Trained and/or certified
Must be baked into culture
Getting it RIGHT
Medium sized service provider
Assessment scope less than 1% of systems
On-Site Assessment done in 1 week
No gaps last three years
How do they do it?
Simple & elegant payment systems
Complex ≠ Competitive Advantage
Simplicity+Elegance = Competitive Advantage
Go into assessment knowing you will pass
Good Program Makeup
Documented Data Flows
Accountability
Documentation
Plan for Maintenance
Process Integration
Training
Assessment Prep/Self Assessment
Why companies fail
Avoid these pitfalls!
Getting it wrong
Medium US-Based Retail
< 1000 locations
Fail every year
But remediate in 60 days
Out of compliance for most of year
Risk breach in between
Getting it wronger
No repeatable processes
Compliance viewed as “audit”
Security/Compliance office buried
All reporting to IT?
CISO unable to sell MGT
Process stagnates
How could we improve?
Build a program to MAINTAIN PCI
Security reporting elsewhere
CFO
HR
Legal
CISO take a business need
Audit results
What are secure companies doing?
Encrypt all stored data
What are my options?
Retrofit applications
Use an encryption appliance
Use an encrypting database
Render unreadable without encryption (truncation, hashing)
The Dangers of Encryption
Enterprise-Wide Approach
Create a sound strategy
Data flows required!
Hashing/Rainbow Tables
What is the risk of Hashing?
Hashed Data = Cardholder Data. Wait… What?
Hashes must be treated like encrypted card data
Hashing is still a viable method!
Watch other data stored nearby
What is a Rainbow Table?
Subvert complex math
Orange vs. Juice
Pre-computed hashes
Secrecy in Salt/Algorithm
Truncation
What is Truncation?
Remove all but First 6, Last 4
Identify any transaction
First 6, Last 4
Date/Time of Purchase
Amount
Auth Code
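The hashing and truncation slides above describe three things a practitioner should be able to check in code: that "first 6, last 4" truncation keeps enough to match a transaction, that an unkeyed hash of a PAN is the variant a pre-computed (rainbow) table targets while a keyed hash is not, and why a truncated value stored next to a hash of the same PAN is dangerous ("watch other data stored nearby"). The following Python is an added example written for this page, not code from the slides or their author; it assumes the widely published Visa test number 4111111111111111 as a constructed sample PAN and a locally generated HMAC key that would in practice be managed like any other encryption key.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the widely published Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def _digits(pan: str) -> str:
    """Strip spaces/dashes and validate length (PANs are 13 to 19 digits)."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return d


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    d = _digits(pan)
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """'First 6, last 4': keep the BIN and the last four digits, mask the rest.
    This is the form PCI DSS lets you keep in the clear, and together with
    date/time, amount and auth code it still identifies a transaction."""
    d = _digits(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def plain_hash_pan(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: the same PAN hashes identically everywhere,
    so a table pre-computed once works against every such store."""
    return hashlib.sha256(_digits(pan).encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256), the slide's 'secrecy in salt/algorithm': a
    table built against one key is useless against another. The key must be
    protected like an encryption key, and per the slides the output is still
    treated as cardholder data."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def candidates_given_truncation(truncated: str) -> int:
    """Number of PANs consistent with a truncated value. Because the Luhn check
    digit is visible in the last four, it fixes one of the masked digits, so
    10**(masked-1) candidates remain. For a 16-digit PAN that is 100,000: small
    enough that an unkeyed hash stored beside the truncated value is no longer
    'unreadable', which is the 'watch other data stored nearby' risk."""
    masked = truncated.count("X")
    return 10 ** (masked - 1)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumption: key managed outside this script
    print("luhn:", luhn_ok(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("candidates left:", candidates_given_truncation(truncate_pan(SAMPLE_PAN)))
    print("unkeyed hash:", plain_hash_pan(SAMPLE_PAN))
    print("keyed hash:", keyed_hash_pan(SAMPLE_PAN, key))
```

The design point is the last function: truncation alone and a keyed hash alone are each defensible, but storing a truncated PAN and an unkeyed hash of the same PAN in the same record collapses the hash's search space to the masked digits, so a review of "what else is stored nearby" belongs in the data-flow documentation the earlier slides call for.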
Who does what?
What is on the horizon?
What does the future hold?
Fees, Fines, and Penalties, OH MY!
Cost of assessments rising (Q/A)
Global Fines in 18 months
Payment App Mandates
Scrutiny of Assessments
High Tech Payments
SIM Based Payments
PED Encryption
Chip/PIN (BUSTED)
RFID/Contactless
Examples!
Discuss Breaches