NWA ISSA Meeting

PCI: The Real Deal: How to do PCI Right (And how to really hose it up)

Branden R. Williams, CISSP, CISM, [email protected], www.brandenwilliams.com

Upload: branden-williams

Posted on 05-Aug-2015


TRANSCRIPT

Page 1: NWA ISSA Meeting

PCI: The Real Deal

How to do PCI Right

(And how to really hose it up)

Branden R. Williams, CISSP, [email protected]

www.brandenwilliams.com

Page 2: NWA ISSA Meeting

Why companies succeed

What are the steps to success?

Page 3: NWA ISSA Meeting

PCI Requires Planning

Programmatic approach

Fully staffed compliance office

Trained and/or certified

Must be baked into culture

Page 4: NWA ISSA Meeting

Getting it RIGHT

Medium sized service provider

Assessment scope less than 1% of systems

On-Site Assessment done in 1 week

No gaps last three years

Page 5: NWA ISSA Meeting

How do they do it?

Simple & elegant payment systems

Complex ≠ Competitive Advantage

Simplicity+Elegance = Competitive Advantage

Go into assessment knowing you will pass

Page 6: NWA ISSA Meeting

Good Program Makeup

Documented Data Flows

Accountability

Documentation

Plan for Maintenance

Process Integration

Training

Assessment Prep/Self Assessment

Page 7: NWA ISSA Meeting

Why companies fail

Avoid these pitfalls!

Page 8: NWA ISSA Meeting

Getting it wrong

Medium US-Based Retail

< 1000 locations

Fail every year

But remediate in 60 days

Out of compliance for most of year

Risk breach in between

Page 9: NWA ISSA Meeting

Getting it wronger

No repeatable processes

Compliance viewed as “audit”

Security/Compliance office buried

All reporting to IT?

CISO unable to sell MGT

Process stagnates

Page 10: NWA ISSA Meeting

How could we improve?

Build a program to MAINTAIN PCI

Security reporting elsewhere

CFO

HR

Legal

CISO take a business need

Audit results

Page 11: NWA ISSA Meeting

What are secure companies doing?

Page 12: NWA ISSA Meeting

Encrypt all stored data

What are my options?

Retrofit applications

Use an encryption appliance

Use an encrypting database

Render unreadable without encryption (truncation, hashing)

The Dangers of Encryption

Enterprise-Wide Approach

Create a sound strategy

Data flows required!

Page 13: NWA ISSA Meeting

Hashing/Rainbow Tables

What is the risk of Hashing?

Hashed Data = Cardholder Data. Wait... What?

Hashes must be treated like encrypted card data

Hashing is still a viable method!

Watch other data stored nearby

What is a Rainbow Table?

Subvert complex math

Orange vs. Juice

Pre-computed hashes

Secrecy in Salt/Algorithm

Page 14: NWA ISSA Meeting

Truncation

What is Truncation?

Remove all but First 6, Last 4

Identify any transaction

First 6, Last 4

Date/Time of Purchase

Amount

Auth Code
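As an added example (not from the slides), this Python ties the hashing slide to the truncation slide: a first-6/last-4 truncation, the size of the search space left to anyone holding an unkeyed hash of the same PAN when the truncated value is stored nearby, and an HMAC under a separate secret key as the keyed alternative that "secrecy in salt/algorithm" points at. The sample PAN is a constructed test number and the keys are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample PAN: a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI-style truncation: keep first 6 and last 4, mask the middle."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("unexpected PAN format")
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def candidates_left(pan_len: int, truncated_nearby: bool) -> int:
    """Size of the PAN space an unkeyed hash must be compared against.

    With the truncated PAN stored beside the hash, only the middle digits
    are unknown; in either case the Luhn digit removes a factor of 10.
    This is why 'hashed data = cardholder data' when other data sits nearby."""
    unknown = pan_len - 10 if truncated_nearby else pan_len
    return 10 ** unknown // 10


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256: deterministic and precomputable (rainbow-table target)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, secret_key: bytes) -> str:
    """HMAC-SHA256 under a key held away from the data store; the hash cannot
    be precomputed or matched across systems without that key."""
    return hmac.new(secret_key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(truncate_pan(SAMPLE_PAN), luhn_valid(SAMPLE_PAN))
    print("candidates, truncated nearby:", candidates_left(16, True))
    print("candidates, no truncated copy:", candidates_left(16, False))
    print(unkeyed_hash(SAMPLE_PAN)[:16], keyed_hash(SAMPLE_PAN, b"key-1")[:16])
```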

Page 15: NWA ISSA Meeting

Who does what?

Page 16: NWA ISSA Meeting

What is on the horizon?

What does the future hold?

Page 17: NWA ISSA Meeting

Fees, Fines, and Penalties, OH MY!

Cost of assessments rising (Q/A)

Global Fines in 18 months

Payment App Mandates

Scrutiny of Assessments

Page 18: NWA ISSA Meeting

High Tech Payments

SIM Based Payments

PED Encryption

Chip/PIN (BUSTED)

RFID/Contactless

Examples!

Page 19: NWA ISSA Meeting

Discuss Breaches

Page 20: NWA ISSA Meeting

Questions & Answers

Branden R. Williams, CISSP, [email protected]

www.brandenwilliams.com