SlideShare une entreprise Scribd logo

PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version

G
guest3af00b8

The document summarizes 8 common myths about PCI compliance and security. The myths are that [1] PCI does not apply, [2] PCI is too confusing, and [3] PCI is too hard. Other myths are that [4] data breaches prove PCI is irrelevant, [5] PCI only involves self-assessment questionnaires and scans, [6] tools and networks can be PCI compliant, [7] PCI is sufficient for security, and [8] non-compliance will not negatively impact businesses. The document provides realities to counter each myth, noting PCI requirements and potential consequences of non-compliance.

Technologie
1  sur  11
Technology Briefing Series PCI Myths: Common Mistakes and Misconceptions About PCI Anton Chuvakin
M1 - PCI just doesn’t apply to us … Myth: PCI just doesn’t apply to us, because… • “… we are small, a University, don‟t do e-commerce, outsource “everything”, not permanent entity, etc” Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit and debit card data”, no exceptions! At some point, your acquirer will make it clear to you! 2
M2 - PCI is confusing Myth: PCI is confusing and not specific! • “We don‟t know what to do, who to ask, what exactly to change” • “Just give us a checklist and we will do it. Promise!” Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read it. Whether you get it now, you will need to do it later. Otherwise, data and $ loss is yours! 3
M3 - PCI is too hard Myth: PCI is too hard … • “… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable” Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you‟ve been doing it! 4
M4 - Breaches prove PCI irrelevant Myth: Recent breaches prove PCI irrelevant • “We read that „media and pundits agree – massive data losses “prove” PCI irrelevant‟” Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics. PCI is actually easier to understand than other advanced security and risk matters. Start there! 5
M5 – PCI is Easy: Just Say “YES” Myth: PCI is easy: we just have to “say Yes” on SAQ and “get scanned” • “What do we need to do - get a scan and answer some questions? Sure!‟” • “PCI is about scanning and questionnaires” Reality: Not exactly - you need to: a) Get a scan – and then resolve the vulnerabilities found b) Do the things that the questions refer to – and prove it c) Keep doing a) and b) forever! 6
M6 – My tool is PCI compliant Myth: My network, application, tool is PCI compliant • “The vendor said the tool is „PCI compliant‟” • “My provider is compliant, thus I am too” • “I use PA-DSS tools, thus I am PCI OK” Reality: There is no such thing as “PCI compliant tool, network”, PCI DSS compliance applies to organizations. PCI DSS combines technical AND process, policy, management issues; awareness and practices as well. 7
M7 – PCI Is Enough Security Myth: PCI is all we need to do for security • “We are secure, we got PCI!” • “We worked hard and we passed an „audit‟; now we are secure!” Reality: PCI is basic security, it is a necessary baseline, but NOT necessarily enough. PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality, and NOT integrity and availability of data. There is more to security than PCI! 8
M8 – PCI DSS Is Toothless Myth: Even if breached and also found non-compliant, our business will not suffer. • “We read that companies are breached and then continue being profitable; so why should we care?” Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that? 9
Summary: Eight Common PCI Myths 1. PCI just doesn’t apply to us, because… 2. PCI is confusing and not specific! 3. PCI is too hard 4. Recent breaches prove PCI irrelevant 5. PCI is easy: we just have to “say Yes” on SAQ and “get scanned” 6. My network, application, tool is PCI compliant 7. PCI is all we need to do for security! 8. Even if breached and then found non- compliant, our business will not suffer 10
PCI Compliance for Dummies More information? Read “PCI Compliance for Dummies” Get as much information as you can about PCI and how it relates to your organization! 11

Recommandé

PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and Reality
Anton Chuvakin
 
How Not to Lose Your Bitcoin in 2017
How Not to Lose Your Bitcoin in 2017How Not to Lose Your Bitcoin in 2017
How Not to Lose Your Bitcoin in 2017
Anil X
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
Dave Cole
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
Geek + E.I. = Success in AI
Geek + E.I. = Success in AIGeek + E.I. = Success in AI
Geek + E.I. = Success in AI
Avanade Nederland
 
2. Enterprise and Business Architecture Cloud Video Data
2. Enterprise and Business Architecture Cloud Video Data2. Enterprise and Business Architecture Cloud Video Data
2. Enterprise and Business Architecture Cloud Video Data
MrsAlways RigHt
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
Liberteks
 

Recommandé

PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton ChuvakinPCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and RealityPCI DSS Myths 2009: Myths and Reality
PCI DSS Myths 2009: Myths and Reality
Anton Chuvakin
 
How Not to Lose Your Bitcoin in 2017
How Not to Lose Your Bitcoin in 2017How Not to Lose Your Bitcoin in 2017
How Not to Lose Your Bitcoin in 2017
Anil X
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
Dave Cole
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
VISTA InfoSec
 
Geek + E.I. = Success in AI
Geek + E.I. = Success in AIGeek + E.I. = Success in AI
Geek + E.I. = Success in AI
Avanade Nederland
 
2. Enterprise and Business Architecture Cloud Video Data
2. Enterprise and Business Architecture Cloud Video Data2. Enterprise and Business Architecture Cloud Video Data
2. Enterprise and Business Architecture Cloud Video Data
MrsAlways RigHt
 
PCI Compliance for Dummies
PCI Compliance for DummiesPCI Compliance for Dummies
PCI Compliance for Dummies
Liberteks
 
ASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
ASFWS 2011 : Les exigences PCI-DSS en terme de développement logicielASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
ASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
Cyber Security Alliance
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Implementing PCI DSS v2.0 and v3.0 best practice
Implementing PCI DSS v2.0 and v3.0 best practiceImplementing PCI DSS v2.0 and v3.0 best practice
Implementing PCI DSS v2.0 and v3.0 best practice
IT Governance Ltd
 
Rugged DevOps Will help you build ur cloudz
Rugged DevOps Will help you build ur cloudzRugged DevOps Will help you build ur cloudz
Rugged DevOps Will help you build ur cloudz
James Wickett
 
PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?
syrinxtech
 
PCI-DSS v3.0 - What you need to know
PCI-DSS v3.0 - What you need to knowPCI-DSS v3.0 - What you need to know
PCI-DSS v3.0 - What you need to know
Barry Shteiman
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
Ashintha Rukmal
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
ControlCase
 
Payment Card Industry Data Security Standard (PCI DSS) 3.0
Payment Card Industry Data Security Standard (PCI DSS) 3.0Payment Card Industry Data Security Standard (PCI DSS) 3.0
Payment Card Industry Data Security Standard (PCI DSS) 3.0
- Mark - Fullbright
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
Kim Jensen
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
Chitpong Wuttanan
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
Shreeraj Shah
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
Nazar Tymoshyk, CEH, Ph.D.
 
QSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistQSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & Checklist
Tripwire
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
PCI Myths
PCI MythsPCI Myths
PCI Myths
Sasha Nunke
 
Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
Anton Chuvakin
 
Don’t Fear PCI DSS!
Don’t Fear PCI DSS!Don’t Fear PCI DSS!
Don’t Fear PCI DSS!
Anton Chuvakin
 

Contenu connexe

En vedette

PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 

En vedette (19)

ASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
ASFWS 2011 : Les exigences PCI-DSS en terme de développement logicielASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
ASFWS 2011 : Les exigences PCI-DSS en terme de développement logiciel
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Implementing PCI DSS v2.0 and v3.0 best practice
Implementing PCI DSS v2.0 and v3.0 best practiceImplementing PCI DSS v2.0 and v3.0 best practice
Implementing PCI DSS v2.0 and v3.0 best practice
 
Rugged DevOps Will help you build ur cloudz
Rugged DevOps Will help you build ur cloudzRugged DevOps Will help you build ur cloudz
Rugged DevOps Will help you build ur cloudz
 
PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?PCI Compliance - What does it mean to me?
PCI Compliance - What does it mean to me?
 
PCI-DSS v3.0 - What you need to know
PCI-DSS v3.0 - What you need to knowPCI-DSS v3.0 - What you need to know
PCI-DSS v3.0 - What you need to know
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
Payment Card Industry Data Security Standard (PCI DSS) 3.0
Payment Card Industry Data Security Standard (PCI DSS) 3.0Payment Card Industry Data Security Standard (PCI DSS) 3.0
Payment Card Industry Data Security Standard (PCI DSS) 3.0
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton ChuvakinWhat PCI DSS Taught Us About Security by Dr. Anton Chuvakin
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
QSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistQSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & Checklist
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 

Similaire à PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version

Credit Card Processing for Small Business
Credit Card Processing for Small BusinessCredit Card Processing for Small Business
Credit Card Processing for Small Business
Mark Ginnebaugh
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
Divya Kothari
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
Anton Chuvakin
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 

Similaire à PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version (20)

PCI Myths
PCI MythsPCI Myths
PCI Myths
 
Myths of PCI DSS
Myths of PCI DSSMyths of PCI DSS
Myths of PCI DSS
 
Don’t Fear PCI DSS!
Don’t Fear PCI DSS!Don’t Fear PCI DSS!
Don’t Fear PCI DSS!
 
"Compliance First" or "Security First"
"Compliance First" or "Security First""Compliance First" or "Security First"
"Compliance First" or "Security First"
 
PCI 2010: Trends and Technologies
PCI 2010: Trends and TechnologiesPCI 2010: Trends and Technologies
PCI 2010: Trends and Technologies
 
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton ChuvakinPCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
PCI DSS-based Security: Is This For Real? by Dr. Anton Chuvakin
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliance
 
Credit Card Processing for Small Business
Credit Card Processing for Small BusinessCredit Card Processing for Small Business
Credit Card Processing for Small Business
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
 
SANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLPSANS WhatWorks - Compliance & DLP
SANS WhatWorks - Compliance & DLP
 
Insecurity Through Technology
Insecurity Through TechnologyInsecurity Through Technology
Insecurity Through Technology
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden WilliamsPCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
PCI DSS Done RIGHT and WRONG by Anton Chuvakin and Branden Williams
 
PCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for RetailPCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for Retail
 
Quick & Dirty Dozen: PCI Compliance Simplified
Quick & Dirty Dozen: PCI Compliance SimplifiedQuick & Dirty Dozen: PCI Compliance Simplified
Quick & Dirty Dozen: PCI Compliance Simplified
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Payment account data security – PCI DSS
Payment account data security – PCI DSSPayment account data security – PCI DSS
Payment account data security – PCI DSS
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software Technology
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

PCI DSS: Myths, Mistakes, Misconceptions 2009 - TEASER Version

  • 1. Technology Briefing Series PCI Myths: Common Mistakes and Misconceptions About PCI Anton Chuvakin
  • 2. M1 - PCI just doesn’t apply to us … Myth: PCI just doesn’t apply to us, because… • “… we are small, a University, don‟t do e-commerce, outsource “everything”, not permanent entity, etc” Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit and debit card data”, no exceptions! At some point, your acquirer will make it clear to you! 2
  • 3. M2 - PCI is confusing Myth: PCI is confusing and not specific! • “We don‟t know what to do, who to ask, what exactly to change” • “Just give us a checklist and we will do it. Promise!” Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read it. Whether you get it now, you will need to do it later. Otherwise, data and $ loss is yours! 3
  • 4. M3 - PCI is too hard Myth: PCI is too hard … • “… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable” Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you‟ve been doing it! 4
  • 5. M4 - Breaches prove PCI irrelevant Myth: Recent breaches prove PCI irrelevant • “We read that „media and pundits agree – massive data losses “prove” PCI irrelevant‟” Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics. PCI is actually easier to understand than other advanced security and risk matters. Start there! 5
  • 6. M5 – PCI is Easy: Just Say “YES” Myth: PCI is easy: we just have to “say Yes” on SAQ and “get scanned” • “What do we need to do - get a scan and answer some questions? Sure!‟” • “PCI is about scanning and questionnaires” Reality: Not exactly - you need to: a) Get a scan – and then resolve the vulnerabilities found b) Do the things that the questions refer to – and prove it c) Keep doing a) and b) forever! 6
  • 7. M6 – My tool is PCI compliant Myth: My network, application, tool is PCI compliant • “The vendor said the tool is „PCI compliant‟” • “My provider is compliant, thus I am too” • “I use PA-DSS tools, thus I am PCI OK” Reality: There is no such thing as “PCI compliant tool, network”, PCI DSS compliance applies to organizations. PCI DSS combines technical AND process, policy, management issues; awareness and practices as well. 7
  • 8. M7 – PCI Is Enough Security Myth: PCI is all we need to do for security • “We are secure, we got PCI!” • “We worked hard and we passed an „audit‟; now we are secure!” Reality: PCI is basic security, it is a necessary baseline, but NOT necessarily enough. PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality, and NOT integrity and availability of data. There is more to security than PCI! 8
  • 9. M8 – PCI DSS Is Toothless Myth: Even if breached and also found non-compliant, our business will not suffer. • “We read that companies are breached and then continue being profitable; so why should we care?” Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that? 9
  • 10. Summary: Eight Common PCI Myths 1. PCI just doesn’t apply to us, because… 2. PCI is confusing and not specific! 3. PCI is too hard 4. Recent breaches prove PCI irrelevant 5. PCI is easy: we just have to “say Yes” on SAQ and “get scanned” 6. My network, application, tool is PCI compliant 7. PCI is all we need to do for security! 8. Even if breached and then found non- compliant, our business will not suffer 10
  • 11. PCI Compliance for Dummies More information? Read “PCI Compliance for Dummies” Get as much information as you can about PCI and how it relates to your organization! 11