2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
5. Applies
• Any systems that process, store or transmit
cardholder data (credit or debit)
• Any systems that connect to them
6. #1 Discover & Document
• Conduct inventory: hard & softcopy card data
• Can’t shrink what you have not measured
• What do you have & Where do you have it?
• Run discovery software across internal network IPs
• Create network diagram depicting card data flow
• Heat map: processes, stores & transmits
• Establish hardware asset register
• Results = Card Data Environment (CDE)
8. Leakage
Endpoint
• Laptop / Desktop
• Server
• CD / DVD
• USB
• iPod
• Memory Stick
• PCMCIA
• Memory Card Readers
• Bluetooth
• Infrared
• Firewire
• Serial / Parallel Ports
Data-At-Rest
• Databases
• File Systems
• File Servers
• NAS
• SANs / iSCSI Storage
• Virtual Machine
• Voice Mail
Data-In-Motion
• E-Mail
• HTTP/S
• SSH
• FTP
• IM
• VoIP
• P2P
• Blogs
Physical
• Printers
• Backup Tapes / CD / DVD
• Laptop / Desktop / Server
• Fax
• Photocopier
• Mobile Phone / PDA
• Digital Camera (incl. Mobile Phone Cameras)
• Incorrect Disposal
• Printed Reports
Other Threat Vectors
• Piggybacking
• Dumpster (Skip) Diving
• Social Engineering
• Contractors
• Road Apple
• Eavesdropping
• Screen Scrapers
• Data Loss Trojans
• Key Loggers
• Phishing / Spear Phishing
• Video Surveillance
9. #2 Destroy & De-Scope
• Both hard & soft copies
• If you don’t need it – delete it.
• Take your time. Use your CDE map.
• Stakeholders sign off
• Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards
• Include 3rd parties & back up systems
• Be ruthless
10. #3 Outsource & Oversight
• What can you outsource?
• Risk transference vs. risk mitigation
• Compliance requirement in SLA
• Should not be cost plus
• See proof (ask for copy of their RoC)
• Conduct annual onsite audit
• Still need program
• The liability is still yours
11. #4 Separate & Segment
• Led by “need to know”
• Always ask: Why?
• Should not be vendor led
• Firewall, VLAN, software…
• Subnets
• Wireless networks
• 3rd party suppliers!
“Any systems connected” to the CDE
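The card data flow diagram from the "Discover & Document" step and the "any systems connected" rule on this slide together make scope a graph problem: the CDE is every system that processes, stores or transmits card data, and every system with a permitted flow to one of those is in scope as well, until a segmentation control removes the flow. The following is an added example that works this through on a constructed network, not the presenter's method or a real tool; the system names, flows and deny rules are all made up for illustration.

```python
from collections import defaultdict

# Constructed example: True when the system processes, stores or transmits cardholder data.
SYSTEMS = {
    "pos-till-01": True,
    "payment-gw": True,
    "card-db": True,
    "backup-server": True,     # nightly backup of card-db: stores card data, so it is CDE
    "hr-fileserver": False,
    "marketing-web": False,
    "print-server": False,
    "corp-dns": False,
}

# Constructed flows permitted on the flat network, as (source, destination) pairs.
FLAT_FLOWS = [
    ("pos-till-01", "payment-gw"),
    ("payment-gw", "card-db"),
    ("card-db", "backup-server"),
    ("hr-fileserver", "card-db"),     # legacy share mount, nobody can say why
    ("marketing-web", "payment-gw"),  # developer convenience, no business need
    ("print-server", "pos-till-01"),  # receipts could go via a segmented print path
    ("corp-dns", "payment-gw"),       # shared service the CDE genuinely depends on
    ("corp-dns", "hr-fileserver"),
]

# Segmentation controls (firewall rule / VLAN ACL) expressed as denied pairs.
SEGMENTATION_DENY = {
    ("hr-fileserver", "card-db"),
    ("marketing-web", "payment-gw"),
    ("print-server", "pos-till-01"),
}


def build_adjacency(flows):
    """Undirected adjacency: a permitted flow in either direction counts as 'connected'."""
    adj = defaultdict(set)
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def compute_scope(systems, flows):
    """Return (cde, connected): the CDE itself plus the non-CDE systems with a
    permitted flow to it. Both sets are in PCI DSS scope."""
    cde = {name for name, handles_card_data in systems.items() if handles_card_data}
    adj = build_adjacency(flows)
    connected = {neighbour for system in cde for neighbour in adj[system]} - cde
    return cde, connected


def apply_segmentation(flows, denied):
    """Drop flows blocked by the segmentation control, whichever way round they were drawn."""
    return [f for f in flows if f not in denied and (f[1], f[0]) not in denied]


def boundary_flows(systems, flows):
    """Flows that cross the CDE boundary: each one needs a documented answer to 'Why?'."""
    cde, _ = compute_scope(systems, flows)
    return [f for f in flows if (f[0] in cde) != (f[1] in cde)]


if __name__ == "__main__":
    cde, connected = compute_scope(SYSTEMS, FLAT_FLOWS)
    print("flat network in scope:", sorted(cde | connected))
    segmented = apply_segmentation(FLAT_FLOWS, SEGMENTATION_DENY)
    cde, connected = compute_scope(SYSTEMS, segmented)
    print("after segmentation in scope:", sorted(cde | connected))
    print("boundary flows to justify:", boundary_flows(SYSTEMS, segmented))
```

On the flat network all eight systems are in scope; after the three deny rules only the four CDE systems and the shared DNS server remain, and the single surviving boundary flow is the one the business can actually justify. The backup server stays in scope regardless, because it stores card data rather than merely connecting to the CDE.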
13. Point to Point Encryption
• Card brand specific technology requirements
• PoS configuration requirements
• Bank-owned vs. Merchant-owned devices
• Compliance requirement in contract & SLA
• Who’s responsible for a breach?
• Still have compliance validation requirement
14. #5 Tokenise
• Can significantly downsize scope
• Card data replaced by “token” (surrogate value)
• Card data stored in centralised vault
• Servers processing, storing or transmitting cardholder data in scope
• Servers processing, storing or transmitting surrogate values not in scope
16. Tokenisation
• Where tokens and card data meet = in scope
• Tokenisation hosting solution critical
• Be careful of “hybrid” solutions
• See PCI Standards Council site for guidance
• Test the solution!
• This is no silver bullet
• Validation still required
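Slides 14 and 16 describe the mechanics (card data replaced by a surrogate value, the real PAN held only in a centralised vault) and the trap ("where tokens and card data meet = in scope", beware "hybrid" solutions). The following is an added example of both, not any vendor's product or a reference implementation: the vault keeps its store in memory rather than encrypted under an HSM-managed key, and the token format (same length, leading 9, last four preserved) is a convention assumed for this example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Centralised vault: the one component that ever holds a cleartext PAN.

    Constructed demo. A production vault keeps stored PANs encrypted under an
    HSM-managed key and exposes tokenise/detokenise over an authenticated API;
    here the store is an in-memory dict so the scope boundary is easy to see.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)   # keyed lookup so the index holds no PANs
        self._pan_by_token = {}
        self._token_by_pan_mac = {}

    def _mac(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return the surrogate value for a PAN, reusing the existing token for a repeat PAN."""
        pan = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("not a PAN")
        mac = self._mac(pan)
        if mac in self._token_by_pan_mac:
            return self._token_by_pan_mac[mac]
        while True:
            # Token convention assumed for this example: same length as the PAN, a leading
            # '9' (an MII outside the card-brand ranges), random middle digits, and the
            # last four preserved so receipts and customer-service lookups still work.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_mac[mac] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can reverse a token; anything that calls this is in scope."""
        return self._pan_by_token[token]

    def is_token(self, value: str) -> bool:
        return value in self._pan_by_token


class OrderStore:
    """Merchant order database holding tokens only, so it stores no cardholder data."""

    def __init__(self):
        self.orders = {}

    def record(self, order_id: str, token: str, amount: str):
        self.orders[order_id] = {"token": token, "amount": amount}


def audit_store(store: OrderStore, vault: TokenVault):
    """De-scoping check: any 13 to 19 digit value the vault did not issue is a PAN
    sitting beside tokens, which drags this store straight back into scope."""
    findings = []
    for order_id, fields in store.orders.items():
        for field, value in fields.items():
            digits = str(value).replace(" ", "").replace("-", "")
            if 13 <= len(digits) <= 19 and digits.isdigit() and not vault.is_token(digits):
                findings.append((order_id, field))
    return findings


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise("4111 1111 1111 1111")   # Visa test number, constructed input
    store = OrderStore()
    store.record("A1", token, "19.99")
    store.record("A2", "4111111111111111", "5.00")   # the "hybrid" failure: a raw PAN stored
    print("token:", token, "findings:", audit_store(store, vault))
```

The audit is the "test the solution!" point in code: order A1 holds only a surrogate value and is out of scope, while order A2 shows how one raw PAN written next to the tokens puts the whole store back into the CDE, whatever the vendor's brochure says.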
17. 5 Ways to Reduce PCI
Discover & Document
Destroy & De-scope
Outsource & Oversight
Separate & Segment
Tokenisation
18. Best Way
Understand that the PCI DSS is a
“risk management framework”
Not a checklist
19. 26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)
Editor's Notes
Oldest crime on record – not prostitution. First recorded case of identity theft: Bible, Genesis XXX.