SlideShare a Scribd company logo

Risk Factory: PCI Shrink to Fit

Risk Crew
Risk Crew

5 ways to reduce the scope of your PCI compliance program.

Business
1 of 19
PCI: Shrink to Fit
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
Cheap Fast Good
The Standard
Applies • Any systems that process, store or transmit cardholder data (credit or debit) • Any systems that connect to them
#1 Discover & Document • Conduct inventory: hard & softcopy card data • Can’t shrink what you have not measured • What do you have & Where do you have it? • Run discovery software across internal network IPs • Create network diagram depicting card data flow • Heat map: processes, stores & transmits • Establish hardware asset register • Results = Card Data Environment (CDE)
Discover & Document
Leakage Laptop / Desktop Server CD / DVD Piggybacking USB iPod Dumpster (Skip) Diving Social Engineering Memory Stick Contractors Road Apple PCMCIA Eavesdropping Memory Card Readers Bluetooth Endpoint Communication Infrared Databases Firewire File Systems Serial / Parallel Ports File Servers NAS Data-At-Rest Virtual Machine SANs / iSCSI Storage Screen Scrapers Voice Mail Data Loss Trojans Other Threat Vectors Video Surveillance Key Loggers Phishing / Spear Phishing E-Mail HTTP/S Printers SSH Backup Tapes / CD / DVD FTP Laptop / Desktop / Server Data-In-Motion IM Fax VoIP Physical Photocopier P2P Mobile Phone / PDA Blogs Digital Camera (incl. Mobile Phone Cameras) Incorrect Disposal Printed Reports
#2 Destroy & De-Scope • Both hard & soft copies • If you don’t need it – delete it. • Take your time. Use your CDE map. • Stakeholders sign off • Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards • Include 3rd parties & back up systems • Be ruthless
#3 Outsource &Oversight • What can you outsource? • Risk transference vs. risk mitigation • Compliance requirement in SLA • Should not be cost plus • See proof (ask for copy of their RoC) • Conduct annual onsite audit • Still need program • The liability is still yours
#4 Separate & Segment • Led by “need to know” • Always ask: Why? • Should not be vendor led • Firewall, VLAN, software… • Subnets • Wireless networks • 3rd party suppliers! “Any systems connected” to the CDE
Point to Point Encryption
Point to Point Encryption • Card brand specific technology requirements • PoS configuration requirements • Bank-owned vs. Merchant-owned devices • Compliance requirement in contract & SLA • Who’s responsible for a breach? • Still have compliance validation requirement
#5 Tokenise • Can significantly downsize scope • Card data replaced by “token” (surrogate value) • Card data stored in centralised vault • Servers processing, storing or transmitting card holder data in scope • Servers processing, storing or transmitting surrogate values not in scope
Model
Tokenisation • Where tokens and card data meet = in scope • Tokenisation hosting solution critical • Be careful of “hybrid” solutions • See PCI Standards Council site for guidance • Test the solution! • This is no silver bullet • Validation still required
5 Ways to Reduce PCI Discover & Document Destroy & De-scope Outsource & Oversight Separate & Segment Tokenisation
Best Way Understand that the PCI DSS is a “risk management framework” Not a checklist
26 Dover Street London United Kingdom W1S 4LY +44 (0)20 3586 1025 +44 (0)20 7763 7101(fax)

Recommended

Gtb Product Technical Present
Gtb Product Technical PresentGtb Product Technical Present
Gtb Product Technical Presentgtbsalesindia
 
Doocuments presentation
Doocuments presentationDoocuments presentation
Doocuments presentationDoocuments
 
Reduce & Eliminate, Wasteful & Redundant Tasks
Reduce & Eliminate, Wasteful & Redundant TasksReduce & Eliminate, Wasteful & Redundant Tasks
Reduce & Eliminate, Wasteful & Redundant Tasksbboggs
 
Fuji xerox apeosport c4430
Fuji xerox apeosport c4430Fuji xerox apeosport c4430
Fuji xerox apeosport c4430Fuji Xerox Singapore
 
DOT International 2010, Titanium Shrink-Fit
DOT International 2010, Titanium Shrink-FitDOT International 2010, Titanium Shrink-Fit
DOT International 2010, Titanium Shrink-FitPaul Brett
 
Increasing the Strength and Reliability of Press Fits
Increasing the Strength and Reliability of Press FitsIncreasing the Strength and Reliability of Press Fits
Increasing the Strength and Reliability of Press FitsDesign World
 
Snap Fit Design by Neeraj Kumar Jha
Snap Fit Design by Neeraj Kumar JhaSnap Fit Design by Neeraj Kumar Jha
Snap Fit Design by Neeraj Kumar JhaAnkit Srivastava
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Crew
 

Recommended

Gtb Product Technical Present
Gtb Product Technical PresentGtb Product Technical Present
Gtb Product Technical Presentgtbsalesindia
 
Doocuments presentation
Doocuments presentationDoocuments presentation
Doocuments presentationDoocuments
 
Reduce & Eliminate, Wasteful & Redundant Tasks
Reduce & Eliminate, Wasteful & Redundant TasksReduce & Eliminate, Wasteful & Redundant Tasks
Reduce & Eliminate, Wasteful & Redundant Tasksbboggs
 
Fuji xerox apeosport c4430
Fuji xerox apeosport c4430Fuji xerox apeosport c4430
Fuji xerox apeosport c4430Fuji Xerox Singapore
 
DOT International 2010, Titanium Shrink-Fit
DOT International 2010, Titanium Shrink-FitDOT International 2010, Titanium Shrink-Fit
DOT International 2010, Titanium Shrink-FitPaul Brett
 
Increasing the Strength and Reliability of Press Fits
Increasing the Strength and Reliability of Press FitsIncreasing the Strength and Reliability of Press Fits
Increasing the Strength and Reliability of Press FitsDesign World
 
Snap Fit Design by Neeraj Kumar Jha
Snap Fit Design by Neeraj Kumar JhaSnap Fit Design by Neeraj Kumar Jha
Snap Fit Design by Neeraj Kumar JhaAnkit Srivastava
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Crew
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Crew
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...Novell
 
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security ManagementSecuring Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security ManagementNovell
 
Data Loss Prevention de RSA
Data Loss Prevention de RSAData Loss Prevention de RSA
Data Loss Prevention de RSAAEC Networks
 
Vormetric - Gherkin Event
Vormetric - Gherkin EventVormetric - Gherkin Event
Vormetric - Gherkin Eventintellectsecurity
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Santosh Khadsare
 
Multicore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data CentersMulticore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data Centersscarisbrick
 
Scop 11nov2011
Scop 11nov2011Scop 11nov2011
Scop 11nov2011Agora Group
 
P2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the EnterpriseP2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the EnterpriseMead Eblan
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Track 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahaniTrack 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahaniEMC Forum India
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk OverviewSplunk
 
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, InterxionTruth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, InterxionCloudOps Summit
 
Device+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesseDevice+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesseNinja Marketing
 
Relate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative PositioningRelate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative PositioningTill Riedel
 
Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204guestf6c708
 
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...IMEX Research
 
Barcode And Rfid Handheld Scanner Scanndy
Barcode And Rfid Handheld Scanner ScanndyBarcode And Rfid Handheld Scanner Scanndy
Barcode And Rfid Handheld Scanner Scanndyadvanced PANMOBIL Systems GMBH & Co. KG
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Risk Crew
 

More Related Content

Similar to Risk Factory: PCI Shrink to Fit

Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Crew
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...Novell
 
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security ManagementSecuring Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security ManagementNovell
 
Data Loss Prevention de RSA
Data Loss Prevention de RSAData Loss Prevention de RSA
Data Loss Prevention de RSAAEC Networks
 
Multicore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data CentersMulticore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data Centersscarisbrick
 
P2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the EnterpriseP2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the EnterpriseMead Eblan
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsresponsedatacomms
 
Track 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahaniTrack 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahaniEMC Forum India
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk OverviewSplunk
 
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, InterxionTruth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, InterxionCloudOps Summit
 
Device+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesseDevice+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesseNinja Marketing
 
Relate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative PositioningRelate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative PositioningTill Riedel
 
Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204guestf6c708
 
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...IMEX Research
 

Similar to Risk Factory: PCI Shrink to Fit (20)

Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron?
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security Suite
 
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security...
 
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security ManagementSecuring Your Endpoints Using Novell ZENworks Endpoint Security Management
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
 
Data Loss Prevention de RSA
Data Loss Prevention de RSAData Loss Prevention de RSA
Data Loss Prevention de RSA
 
Vormetric - Gherkin Event
Vormetric - Gherkin EventVormetric - Gherkin Event
Vormetric - Gherkin Event
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)
 
Multicore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data CentersMulticore I/O Processors In Virtual Data Centers
Multicore I/O Processors In Virtual Data Centers
 
Scop 11nov2011
Scop 11nov2011Scop 11nov2011
Scop 11nov2011
 
P2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the EnterpriseP2P - Real Time Communications in the Enterprise
P2P - Real Time Communications in the Enterprise
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Ixia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsetsIxia anue maximum roi from your existing toolsets
Ixia anue maximum roi from your existing toolsets
 
Track 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahaniTrack 2, session 5, aligning security with business kartik shahani
Track 2, session 5, aligning security with business kartik shahani
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
 
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, InterxionTruth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
Truth and Lies about Latency in the Cloud, Jelle Frank v.d. Zwet, Interxion
 
Device+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesseDevice+Cloud: come sviluppare App moderne ed interconnesse
Device+Cloud: come sviluppare App moderne ed interconnesse
 
Relate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative PositioningRelate: Architecture, Systems and Tools for Relative Positioning
Relate: Architecture, Systems and Tools for Relative Positioning
 
Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204Ngn2004 Moving Up And To The Edges110204
Ngn2004 Moving Up And To The Edges110204
 
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
Next Gen Data Center Implementing Network Storage with Server Blades, Cluster...
 
Barcode And Rfid Handheld Scanner Scanndy
Barcode And Rfid Handheld Scanner ScanndyBarcode And Rfid Handheld Scanner Scanndy
Barcode And Rfid Handheld Scanner Scanndy
 

More from Risk Crew

Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Risk Crew
 
Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Risk Crew
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Crew
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Crew
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Crew
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Crew
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Crew
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Crew
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Crew
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Crew
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Crew
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Crew
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Crew
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Crew
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Crew
 

More from Risk Crew (18)

Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a Hacker
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 Numbers
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best Practice
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big Data
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile Devices
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response Programme
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back Door
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an Identity
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic Eavesdropping
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best Practices
 

Recently uploaded

Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 

Recently uploaded (20)

Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 

Risk Factory: PCI Shrink to Fit

  • 2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
  • 5. Applies • Any systems that process, store or transmit cardholder data (credit or debit) • Any systems that connect to them
  • 6. #1 Discover & Document • Conduct inventory: hard & softcopy card data • Can’t shrink what you have not measured • What do you have & Where do you have it? • Run discovery software across internal network IPs • Create network diagram depicting card data flow • Heat map: processes, stores & transmits • Establish hardware asset register • Results = Card Data Environment (CDE)
  • 8. Leakage Laptop / Desktop Server CD / DVD Piggybacking USB iPod Dumpster (Skip) Diving Social Engineering Memory Stick Contractors Road Apple PCMCIA Eavesdropping Memory Card Readers Bluetooth Endpoint Communication Infrared Databases Firewire File Systems Serial / Parallel Ports File Servers NAS Data-At-Rest Virtual Machine SANs / iSCSI Storage Screen Scrapers Voice Mail Data Loss Trojans Other Threat Vectors Video Surveillance Key Loggers Phishing / Spear Phishing E-Mail HTTP/S Printers SSH Backup Tapes / CD / DVD FTP Laptop / Desktop / Server Data-In-Motion IM Fax VoIP Physical Photocopier P2P Mobile Phone / PDA Blogs Digital Camera (incl. Mobile Phone Cameras) Incorrect Disposal Printed Reports
  • 9. #2 Destroy & De-Scope • Both hard & soft copies • If you don’t need it – delete it. • Take your time. Use your CDE map. • Stakeholders sign off • Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards • Include 3rd parties & back up systems • Be ruthless
  • 10. #3 Outsource &Oversight • What can you outsource? • Risk transference vs. risk mitigation • Compliance requirement in SLA • Should not be cost plus • See proof (ask for copy of their RoC) • Conduct annual onsite audit • Still need program • The liability is still yours
  • 11. #4 Separate & Segment • Led by “need to know” • Always ask: Why? • Should not be vendor led • Firewall, VLAN, software… • Subnets • Wireless networks • 3rd party suppliers! “Any systems connected” to the CDE
  • 12. Point to Point Encryption
  • 13. Point to Point Encryption • Card brand specific technology requirements • PoS configuration requirements • Bank-owned vs. Merchant-owned devices • Compliance requirement in contract & SLA • Who’s responsible for a breach? • Still have compliance validation requirement
  • 14. #5 Tokenise • Can significantly downsize scope • Card data replaced by “token” (surrogate value) • Card data stored in centralised vault • Servers processing, storing or transmitting card holder data in scope • Servers processing, storing or transmitting surrogate values not in scope
  • 15. Model
  • 16. Tokenisation • Where tokens and card data meet = in scope • Tokenisation hosting solution critical • Be careful of “hybrid” solutions • See PCI Standards Council site for guidance • Test the solution! • This is no silver bullet • Validation still required
  • 17. 5 Ways to Reduce PCI Discover & Document Destroy & De-scope Outsource & Oversight Separate & Segment Tokenisation
  • 18. Best Way Understand that the PCI DSS is a “risk management framework” Not a checklist
  • 19. 26 Dover Street London United Kingdom W1S 4LY +44 (0)20 3586 1025 +44 (0)20 7763 7101(fax)

Editor's Notes

  1. Oldest crime on record – not prostitution First recorded case of identity theft Bible: Genesis XXX