The Rocky Road to Business As Usual PCI Europe, Amsterdam 27.11.2014 Kim Halavakoski

PCI Amsterdam: 27.11.2014: Rocky-Road-to-PCI-Compliance

Jul 30, 2015

khalavak
Transcript
Page 1: PCI Amsterdam: 27.11.2014: Rocky-Road-to-PCI-Compliance

The Rocky Road to Business As Usual, PCI Europe, Amsterdam 27.11.2014, Kim Halavakoski

Page 2

def self.info(Kim Halavakoski)

• Security Geek / Nerd

• Chief Security Officer

• 3 kids: 3(♀), 6(♂) and 8(♀) years old, 5 cats

• Hobbies: RC-planes, Quadcopters, Robotics, Photography, Running, Weightlifting…

khalavakoski khalavak

G+ Communities: PCI-Jedis, Security De-Obfuscated

Page 3

Crosskey Banking Solutions Ab Ltd

We develop, deliver and manage systems and solutions for the Nordic financial and capital markets.

Our mission is to make it easy and profitable to run a financial business. Our vision is to be our customers' most valued partner.

We have offices in Mariehamn, Helsinki, Stockholm and Turku.

We are a PCI-DSS compliant Level 1 Service Provider.

Page 4

PCI 101

Some background to PCI-DSS: statistics and requirements.

Page 5

COMPLIANT / EASY / CHEAP

Page 6

Prevention, Detection & Response

Shift the focus from prevention to detection- and response-based event management.

Page 7

Page 8

249

Page 9

Shift the focus from prevention to detection- and response-based event management.

Page 10

Page 11

Page 12

The 5 stages of PCI maturity

• "As a Service Provider I don't have to comply with these requirements!"

• "These requirements are stupid!"

• "If I do these compensating controls then I can do what I want!"

• "What have I done wrong to deserve 10.6.1?"

• "OK, we use payment cards so we need to do this PCI-DSS thing!"

Page 13

Page 14

Page 15

Stakeholder approval

Management approval and buy-in is essential for the success of your PCI efforts.

Page 16

Page 17

Page 18

There is no appliance that automagically gets you PCI-DSS compliant.

Page 19

Page 20

Get a good QSA

Page 21

Scoping is vital for PCI-DSS success

Scoping, Scoping, Scoping & Scoping

Page 22

Collaboration

One key to success is effective collaboration.

Page 23

#DevOpsSec #DevOps

Page 24

Automation & Configuration management

Configuration standards, snowflake servers and cattle

Page 25

• Cattle are given numbers like vm001.crosskey.fi

• They are almost identical to other cattle

• When they get ill, you get another one

• Pets are given names like garfield.crosskey.fi

• They are unique, lovingly hand raised and cared for

• When they get ill, you nurse them back to health
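The configuration-standard and pets-versus-cattle idea from pages 24 and 25, as an added example that is not part of the talk or Crosskey's tooling: each host's reported settings are compared against a baseline, and any drift on a numbered "cattle" host is routed to a rebuild while drift on a named "pet" host is routed to in-place remediation. The baseline keys, hostnames and snapshots are all constructed for the example, not taken from any real PCI-DSS text or environment.

```python
import re

# Constructed configuration standard: settings every in-scope host must report.
# Keys and values are hypothetical, chosen to look like a hardening baseline.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "LogLevel": "VERBOSE",
    "AuditEnabled": "yes",
    "TlsMinVersion": "1.2",
}

# Constructed "key value" snapshots, as a config collector might return them.
SNAPSHOTS = {
    "vm001.example.com": """
        PermitRootLogin no
        PasswordAuthentication no
        LogLevel VERBOSE
        AuditEnabled yes
        TlsMinVersion 1.2
    """,
    "vm002.example.com": """
        PermitRootLogin no
        PasswordAuthentication yes
        LogLevel VERBOSE
        AuditEnabled yes
        TlsMinVersion 1.2
    """,
    "garfield.example.com": """
        # hand-tuned over the years, never under configuration management
        PermitRootLogin yes
        PasswordAuthentication no
        LogLevel INFO
        TlsMinVersion 1.0
    """,
}

# Cattle follow the numbered naming scheme (vm001, vm002, ...); everything else is a pet.
CATTLE_NAME = re.compile(r"^vm\d{3}\.")


def parse_snapshot(text):
    """Parse 'key value' lines into a dict; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def drift(actual, baseline):
    """Return {setting: (expected, found)} for every deviation; a missing setting reports None."""
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}


def classify(hostname):
    return "cattle" if CATTLE_NAME.match(hostname) else "pet"


def assess(snapshots, baseline):
    """Per host: kind, drift findings and the remediation route the pets/cattle model implies."""
    result = {}
    for host, text in snapshots.items():
        findings = drift(parse_snapshot(text), baseline)
        kind = classify(host)
        if not findings:
            action = "none"
        elif kind == "cattle":
            action = "replace from standard image"
        else:
            action = "fix in place, then bring under configuration management"
        result[host] = {"kind": kind, "drift": findings, "action": action}
    return result


if __name__ == "__main__":
    for host, verdict in assess(SNAPSHOTS, BASELINE).items():
        print(host, verdict["kind"], verdict["action"], verdict["drift"])
```

Reporting a missing setting as `None` rather than silently passing it is the point of the check: a snowflake server usually fails the standard by omission, not by an obviously wrong value.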

Page 26

Page 27

Page 28

Page 29

Page 30

Page 31

Monitoring, Detection & Response

Shift the focus from prevention to detection- and response-based event management.

Page 32

Verizon DBIR 2013 (chart)

Page 33

Verizon DBIR 2013: Compromise (chart)

Page 34

Verizon DBIR 2013: Compromise vs. Discovery (chart)

Page 35

THE ANTIVIRUS

Page 36

• Log review

• Threat intelligence

• Security analyst

• SIEM / log management

• Fraud monitoring

• End-point protection
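The log-review and log-management items on page 36 describe what a security analyst does with the event stream; the following is an added example, not code from the talk or from Crosskey, of the kind of rules a daily review would apply. It parses syslog-style lines and raises findings for repeated authentication failures from one source, a successful login from a source that had just failed, privileged commands, and the audit daemon stopping. All hosts, users, addresses and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in syslog format; hosts, users and addresses are hypothetical.
SAMPLE_LOGS = """\
Nov 27 10:00:01 vm001 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 27 10:00:03 vm001 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Nov 27 10:00:05 vm001 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 27 10:00:07 vm001 sshd[1204]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov 27 10:00:09 vm001 sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Nov 27 10:00:30 vm001 sshd[1206]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Nov 27 10:01:10 vm001 sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Nov 27 10:02:00 vm002 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl stop auditd
Nov 27 10:02:01 vm002 auditd[512]: The audit daemon is exiting.
"""

# Generic "timestamp host process[pid]: message" shape.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(line):
    """Split one syslog line into its fields, or return None for lines that do not match."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None


def review(text, fail_threshold=5):
    """Run the review rules over a block of log text and return findings in log order."""
    alerts = []
    failures = Counter()   # (host, source address) -> failed logins seen so far
    failed_from = set()    # (host, source address) pairs with at least one failure
    for line in text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        host, proc, msg = ev["host"], ev["proc"].strip(), ev["msg"]
        if proc == "sshd":
            f = FAILED.search(msg)
            if f:
                key = (host, f["src"])
                failures[key] += 1
                failed_from.add(key)
                # Alert once, when the source crosses the threshold.
                if failures[key] == fail_threshold:
                    alerts.append({"kind": "brute_force", "host": host,
                                   "src": f["src"], "count": fail_threshold})
                continue
            a = ACCEPTED.search(msg)
            if a and (host, a["src"]) in failed_from:
                alerts.append({"kind": "success_after_failure", "host": host,
                               "user": a["user"], "src": a["src"]})
        elif proc == "sudo":
            s = SUDO.search(msg)
            if s and s["target"] == "root":
                alerts.append({"kind": "privileged_command", "host": host,
                               "user": s["user"], "cmd": s["cmd"]})
        elif proc == "auditd" and "exiting" in msg:
            # Audit trail going away is itself an event to review.
            alerts.append({"kind": "audit_stopped", "host": host})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOGS):
        print(alert)
```

The threshold and the rule set are deliberately small; the value of a review like this comes from keeping the findings human-readable so that the analyst on page 36 can act on them, not from the number of rules.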

Page 37

Young padawan, don't forget: Lack of focus leads to sloppiness, sloppiness leads to misconfiguration, and misconfiguration leads to compromise.

— pauldotcom.com security weekly

Business As Usual

PCI-DSS has to be integrated into your daily operations in order to succeed.

Page 38

Page 39

Security

Page 40

PCI Taskforce

Page 41

Page 42

Page 43

Summary

UNDERSTAND PCI-DSS REQUIREMENTS

Get acquainted with the PCI-DSS standard and its requirements. Discuss your ideas and thoughts with your QSA.

GET STAKEHOLDER APPROVAL

PCI-DSS compliance requires a substantial effort from the organisation in order to succeed. This will require time, money and management sponsorship to reach the whole organisation.

HIRE A GOOD QSA

Get a good QSA. There are a lot of QSACs offering their services. Make sure you get a QSA that understands your business and your particular needs. Make sure your QSA is on the same page and that you have respect for each other.

SCOPING

Scoping is a hard nut to crack. The standard is "intentionally" not clear on the details of what is in scope and what is not.

Page 44

Summary

AUTOMATION & CONFIGURATION MANAGEMENT

Automation is a really good way to create efficiency in your workflows. Automate all the things that take time to do and focus on the tasks and requirements that cannot be automated. The more smart automation you do, the more time you have to improve and make things more efficient and compliant.

COLLABORATE WITH YOUR TEAMS

Collaboration is critical for succeeding in fulfilling all requirements. You can't do it on your own; you'll need your Operations Team, Development Team, Security Team and Business Team to make it happen.

INVEST IN MONITORING

Monitoring your environment for malicious activity is difficult. Invest in monitoring: get the team and tools you need to monitor your environment. Outsource if you have to, do it in-house if you can.

IMPLEMENT PCI-DSS INTO YOUR DAY-TO-DAY BUSINESS OPERATIONS

There are a multitude of tasks that need to be done on a daily, weekly, monthly, quarterly, bi-annual and annual basis in order to stay compliant. These tasks have to become second nature for your organisation and your teams to stay compliant.

Page 45

Page 46