DATA SECURITY COMPLIANCE MANAGEMENT AND A SUCCESS STORY OF COLLABORATION
Erik Sørup Andersen
AGENDA
§ What is Data Security Compliance about
§ The PCI Data Security story
§ Is the PCI showing the way forward for PII protection?
© F-Secure Public for Training purpose
DATA SECURITY COMPLIANCE
Proving that data is and has been protected according to agreements, at all times and everywhere
DRIVERS
§ Risk management
§ Communication
§ Economies of scale
§ Trust
WHAT'S WRONG WITH ISO 27001?
§ ISO 27001 does not address the data to protect unless it is explicitly defined in the scope
§ In ISO 27001 the organization decides the controls according to its own risk assessment
ISO 27001 is somewhat useful for structuring and communicating about security work, but it does not assure that your data has been protected!
THE PCI STORY
WHAT TO PROTECT
PCI DATA SECURITY
§ Payment Card Industry: Visa, Mastercard, JCB, Discover, American Express
§ Protection of Card Holder Data (CHD)
§ Standards
  § PCI DSS: the framework
  § PCI PA-DSS: the ”off the shelf” payment applications
  § PCI PTS (HSM, PIN, POI): the devices
§ Council
  § Standards maintenance
  § Training
  § QA of certified players
  § …
THING TO NOTE
PCI is not a legal framework. It is an industry-specific security standard, created to make it easier for all players in the payment card business to protect their operations and comply with the law.
WHERE DID IT ALL COME FROM
§ The major card brands had their own security models and instructions, which led to confusion and overlapping work
§ 12 years ago Visa, MC, Discover and Amex decided to create an industry standard security guideline for all affected parties
§ PCI DSS version 1 was created in December 2004
§ At that time, the role of the standard was mainly to guide the merchant
MODERN VERSION
§ PCI evolves in a set lifecycle, where a new version is published every 3 years; creation, testing and acceptance testing of the next version run in an annual cycle
§ The focus is shifting all the time more toward service providers
§ Largely due to technological improvements in payment systems and cryptography
THE BUSINESS CASE
§ Efficient collaboration on CHD protection
§ Making the shift from cash to cards
§ Changing trade from place to space
NOT JUST THE INTERNET
WHO RUNS THE SHOW?
[Diagram of the payment ecosystem]
“The Brands”
Acquirer: works with the Merchant, provides payment services
Issuer: works with the Customer (“Card Holder”), gives the card to the user
Card Holder: uses the card to buy stuff
Service Providers: Payment Gateways, Card Manufacturers, Software houses
WHO RUNS THE SHOW?
§ Ultimately, the acquirer decides what level of compliance is required from which merchant
§ The acquirer uses a rough count of card transactions to decide whether the merchant must provide them with
  § a Self-Assessment Questionnaire (SAQ) (less than 6 million transactions) that the merchant can fill in themselves
  § an Attestation of Compliance (AOC), accompanied by a Report on Compliance (ROC) that a Qualified Security Assessor writes during the annual QSA-led assessment
§ There are country- and acquirer-specific exceptions to this
WHAT’S IN PCI DSS?
Build and maintain a secure network
1 Install and maintain a firewall configuration to protect cardholder data
2 Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5 Use and regularly update anti-virus software on all systems commonly affected by malware
6 Develop and maintain secure systems and applications
Implement strong access control measures
7 Restrict access to cardholder data by business need-to-know
8 Assign a unique ID to each person with computer access
9 Restrict physical access to cardholder data
Regularly monitor and test networks
10 Track and monitor all access to network resources and cardholder data
11 Regularly test security systems and processes
Maintain an information security policy
12 Maintain a policy that addresses information security
A DEEPER LOOK
WORKING WITH PCI DSS
§ Scoping is the key word – you have to comply with all the controls which are relevant to you
§ Workload can be significantly lowered by good process, network and service design
§ The target of PCI is to maintain compliance throughout the year, and to confirm this by an annual assessment, not to regain compliance at every assessment
§ To enforce this, there are multiple checks, tests and controls that must be done annually, quarterly, monthly and even daily
THE SCOPE (CDE)
§ Everyone who sees or processes CHD
  § Cashier, sysadmin, service provider personnel, service desk employees, …
§ All processes involved in CHD processing
  § Payments, withdrawals, balance, …
§ All the technology involved
  § Endpoints, infrastructure, applications
§ All parties involved
  § Merchants, service providers, issuers, acquirers
ACTION PLAN
1. Remove sensitive data and limit data retention. If sensitive data are not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it.
2. Protect systems and networks, and be prepared to respond to a system breach. Establish controls for the points of access to most compromises, and the processes for responding.
3. Secure applications. Establish controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to data.
4. Monitor and control access to your systems. Detect the who, what, when, and how concerning who is accessing your network and data environment.
5. Protect stored data. For those organizations that have analyzed their business processes and determined that they must store sensitive data,
6. You're 80% done, just add some management and document your work :)
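Both the scope slide (everything that sees or processes CHD) and action-plan steps 1 and 5 depend on knowing where card holder data actually sits. As an added example that is not part of the deck, the following Python routine finds Luhn-valid PANs in constructed log lines, masks them to the first six and last four digits, and strips sensitive authentication data fields from a transaction record before it is stored. The log lines, field names and test card numbers are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to neighbouring digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorisation.
# Field names are constructed for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

# Constructed sample log lines; the PANs are well-known test numbers.
LOG = """\
2016-11-30T10:15:02 pos01 sale approved pan=4111 1111 1111 1111 amount=49.90
2016-11-30T10:15:09 pos01 debug track2=4242424242424242=20121015 (never log this)
2016-11-30T10:16:44 pos02 sale declined pan=4111111111111112 amount=12.00
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check; weeds out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to the first six and last four digits (the usual PCI DSS display rule)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in free text such as logs or dumps."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form; leave other digit runs alone."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)


def sanitize_record(record: dict) -> dict:
    """Action-plan step 1 applied to a transaction record about to be stored:
    drop SAD fields entirely and keep the PAN only in masked form."""
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(clean["pan"])
    return clean


if __name__ == "__main__":
    print(find_pans(LOG))
    print(redact(LOG))
    print(sanitize_record({"pan": "4111111111111111", "cvv2": "123", "amount": "49.90"}))
```

The third log line carries a 16-digit number that fails the Luhn check, so it is neither reported nor masked; run the discovery over real log stores to find out which systems belong in the CDE.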
THE WAY FORWARD
DOES PCI COMPLIANCE WORK?
§ 32 data records were stolen every second in 2015
§ Who did it?
  § 55% Malicious outsider
  § 1% Accidental loss
  § 15% Malicious insider
  § 4% State sponsored
§ #1 concern is identity theft
Source: www.creditcards.com
PCI FOR (OTHER) PII?
§ PCI data (CHD) is PII, but only 76 characters
§ Where there is a clearly defined syntax and use, PCI would work
§ In all other cases, frequently used huge fines will do the trick :)
SUMMARY
§ Compliance is for collaboration and it's about proof of protection
§ There is real value in compliance – make a business case
§ Learning to manage compliance may be a good thing
§ Use the action plan if you consider developing compliance management capabilities
THANK YOU
Erik Sørup Andersen (CISM, QSA, EMBA)
Erik.andersen@f-secure.com
+45 31 44 46 36
css.f-secure.com
Cyber Security 4.0 conference 30 November 2016