This presentation covers PCI DSS-related myths and misconceptions that are common among some merchants and other organizations dealing with PCI DSS challenges. Mistakes related to technical and process side of PCI, self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all merchants dealing with credit card information and thus struggling with PCI DSS mandates.

1. Technology Briefing Series
PCI Myths: Common Mistakes
and Misconceptions About PCI
Anton Chuvakin

2. Agenda
• What is PCI DSS?
• When does PCI DSS apply?
• PCI DSS myths
• Approach to PCI
• PCI implementation mistakes
• Life after audit: compliance vs validation
• Conclusions
2

3. What is PCI DSS v 1.2
PCI DSS is based on basic data security practices!
• Install and maintain a firewall confirmation to protect data
•
Build and Maintain a
Do not use vendor-supplied defaults for system passwords
Secure Network
and other security parameters
• Protect stored data
•
Protect Cardholder Data Encrypt transmission of cardholder data and sensitive
information across public networks
• Use and regularly update anti-virus software
Maintain a Vulnerability Management
•
Program Develop and maintain secure systems and applications
• Restrict access to data by business need-to-know
•
Implement Strong Access Control
Assign a unique ID to each person with computer access
Measures • Restrict physical access to cardholder data
• Track and monitor all access to network resources and
Regularly Monitor and cardholder data
•
Test Networks
Regularly test security systems and processes
•
Maintain an Information Security
Maintain a policy that addresses information security
Policy

4. When PCI Applies…
“PCI DSS compliance includes merchants
and service providers who accept,
capture, store, transmit or
process credit and debit card data.”
4

5. PCI Certification
Merchant & Service Provider Levels
5

6. M1 - PCI just doesn’t apply to us …
Myth: PCI just doesn’t apply to us,
because…
• “… we are small, a University, don’t do
e-commerce, outsource “everything”,
not permanent entity, etc”
Reality: PCI DSS DOES apply to you if you “accept,
capture, store, transmit or process credit and debit
card data”, no exceptions!
At some point, your acquirer will make it clear to you!
6

7. M2 - PCI is confusing
Myth: PCI is confusing and not specific!
• “We don’t know what to do, who to ask,
what exactly to change”
• “Just give us a checklist and we will do
it. Promise!”
Reality: PCI DSS documents explain both what
to do and how to validate it; take some time
to read it.
Whether you get it now, you will need to do it
later. Otherwise, data and $ loss is yours!
7

8. M3 - PCI is too hard
Myth: PCI is too hard …
• “… too expensive, too complicated, too
burdensome, too much for a small
business, too many technologies or even
unreasonable”
Reality: PCI DSS is basic, common sense, baseline security
practice; it is only hard if you were not doing it before.
It is no harder than running your business or IT – and you’ve
been doing it!
8

9. M4 - Breaches prove PCI irrelevant
Myth: Recent breaches prove PCI irrelevant
• “We read that ‘media and pundits agree –
massive data losses “prove” PCI
irrelevant’”
Reality: Data breaches prove that basic PCI DSS security is
not enough, but you have to start from the basics.
PCI is actually easier to understand than other advanced
security and risk matters. Start there!
9

10. M5 – PCI is Easy: Just Say “YES”
Myth: PCI is easy: we just have to “say Yes”
on SAQ and “get scanned”
• “What do we need to do - get a scan and
answer some questions? Sure!’”
• “PCI is about scanning and questionnaires”
Reality: Not exactly - you need to:
a) Get a scan – and then resolve the vulnerabilities found
b) Do the things that the questions refer to – and prove it
c) Keep doing a) and b) forever!
10

11. M6 – My tool is PCI compliant
Myth: My network, application, tool is PCI
compliant
• “The vendor said the tool is ‘PCI
compliant’”
• “My provider is compliant, thus I am too”
• “I use PA-DSS tools, thus I am PCI OK”
Reality: There is no such thing as “PCI compliant tool,
network”, PCI DSS compliance applies to organizations.
PCI DSS combines technical AND process, policy,
management issues; awareness and practices as well.
11

12. M7 – PCI Is Enough Security
Myth: PCI is all we need to do for
security
• “We are secure, we got PCI!”
• “We worked hard and we passed an
‘audit’; now we are secure!”
Reality: PCI is basic security, it is a necessary baseline,
but NOT necessarily enough.
PCI is also about cardholder data security, not the rest of
private data, not your intellectual property, not SSNs, etc.
It also covers confidentiality, and NOT integrity and
availability of data. There is more to security than PCI!
12

13. M8 – PCI DSS Is Toothless
Myth: Even if breached and also found
non-compliant, our business will not
suffer.
• “We read that companies are breached
and then continue being profitable; so
why should we care?”
Reality: Possible fines + lawsuits + breach disclosure costs
+ investigation costs + CC rate increases + contractual
breaches + cost of more security measures + cost of credit
monitoring = will you risk ALL that?
13

14. Summary: Eight Common PCI Myths
1. PCI just doesn’t apply to us,
because…
2. PCI is confusing and not specific!
3. PCI is too hard
4. Recent breaches prove PCI irrelevant
5. PCI is easy: we just have to “say Yes”
on SAQ and “get scanned”
6. My network, application, tool is PCI
compliant
7. PCI is all we need to do for security!
8. Even if breached and then found non-
compliant, our business will not
suffer
14

15. Your Approach To PCI DSS
1. Understand your merchant level (1-4)
2. Review the applicable requirements
3. Identify the gap between your current and required state
4. Implement changes to technology and policies!
5. Validate requirements and attest to it (via SAQ or QSA)
6. Key: continue to maintain secure-thus-compliant state!
“Businesses that are compliant with PCI standards have never been breached.
Victims may have attained compliance certification at some point, but none
has been in compliance at the time of a breach.”
Bob Russo, GM of PCI Security Standards Council
15

16. Select PCI Implementation Mistakes
1. Start “closing the gap” before limiting the scope
Solution: Segment the payment network off, make it
smaller!
2. Stay in technology realm
Solution: Think process and policies; only they will allow
for continuous compliance, not what you deploy today
3. Have “audit mentality”, not “risk mentality”
Solution: Approach PCI as a risk-mitigation effort, not a
“checklist”; you are not “done” when QSA leaves
4. Chose an “easy” QSA and “subpar” ASV
Solution: if you do, the loss is still yours; don’t!
16

17. Continuous Compliance vs Validation
Reminder: PCI DSS compliance does NOT end when a
QSA leaves or SAQ is submitted.
What to do “after your QSA leaves”?
• Use what you built for PCI to reduce risk
• “Own” PCI DSS; make it the basis for your policies
• Think beyond credit card data and grow your security!
Note: a good QSA will check whether you are “wired” for
continuous compliance. Pick one of that sort!
17

18. Conclusions and Action Items
1. PCI is common sense, basic security; stop
complaining about it - start doing it!
2. After validating that you are compliant, don’t
stop: continuous compliance AND security is
your goal, not “passing an audit.”
3. Develop “security and risk” mindset, not
“compliance and audit” mindset.
18

19. PCI Compliance for Dummies
More information?
Read “PCI Compliance
for Dummies”
Get as much information as you can
about PCI and how it relates to your
organization!
19

20. Q&A
Thank You
anton@qualys.com
20
20