PCI Compliance – What’s the buzz?…
                   Neira Jones
       Head of Payment Security, Barclaycard
                 23rd March 2011
Headlines…
• 18th October 2010: the UK Government published their National Security
  Strategy.
   – This placed "Hostile attacks upon UK Cyberspace by other states and large scale
     cyber crime" at the same level as International Terrorism, and International Military
     threats.
• The Olympics are a target: In 2008, Beijing suffered 12 million cyber attacks per
  day.
   – These games ran (!) for 16 days: total number of attacks = 192 million.
   – The number of Internet users was estimated at 1.9 billion in June 2010*, a 23%
     increase since 2008.
   – As the number of internet users increases, a far larger attack statistic in 2012 is likely.
• A study by Cisco Systems (December 2010), projected that almost 12% of all
  enterprise workloads will run in the public cloud by the end of 2013.

                                                                     Source: Miniwatts Marketing Group, 2010
Cloud Computing

•   2010: the Year Of The Cloud (Salesforce.com, IBM, Google, Microsoft, Oracle,
    Amazon, Rackspace, Dell and others)
•   The key opportunity for service providers is to differentiate themselves by becoming
    cloud service providers.
•   Perceived key benefits for organisations considering a move to the cloud:
     –   reduce capital costs
     –   become more agile by divesting infrastructure and application management to concentrate on
         core competencies.
     –   opportunity to re-architect older applications and infrastructure to meet or exceed modern
         security requirements.
•   Key issues for organisations when determining migration decisions:
     –   security and control
     –   data-centre overcapacity and scale
     –   availability of skilled IT people.
The digital era…

•   By 2015 there will be more interconnected devices on the planet
    than humans.*
•   What’s mobile? What do I need to do?
•   The most recent figures estimated that every year in the UK,
    identity fraud costs more than £2.7 billion and affects over 1.8
    million people.**
•   Every year, we share more of ourselves online.
•   Each time we do this, we place our data and our faith in the
    security measures taken by those managing it on our behalf.

* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010
Fraud news (UK)…
•   Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for
    a decade.
     –   Crooks still got away with £1million/day.
•   This represents a 17% drop to £365M.
     –   Compared to a 28% fall in 2009.
•   Phone, internet and mail-order fraud (Card Not Present) fell 15%.
     –   Compared to a 19% drop in 2009. CNP fraud remains by far the biggest category.




    “While another drop in fraud is good news, the crooks haven’t shut up shop, which is
    why there can be no room for complacency from the industry, shops or consumers.”
                                                                            DCI Paul Barnard
                                             Head of the Dedicated Cheque and Plastic Crime Unit
The challenges…

•   Cloud computing
•   Mobile infrastructure
•   Third parties
•   Governance or compliance?
•   Risk management
Cloudy out there…
Moving to the Cloud?...

•   Use the Cloud Computing Reference Model provided by NIST.
     – ask cloud services providers to disclose their security controls
     – ask cloud services providers to disclose how these controls are
       implemented to the “consuming” organisation
     – “consuming” organisations will need to know which controls are
       needed to maintain the security of their information.
•   This is a vital step as it is critical that a cloud service is classified
    against the cloud architecture model, then against the security
    architecture, and then against the business, regulatory and
    other compliance requirements.
NIST Cloud Reference Model

Layer stack (top to bottom), with the service-model boxes as drawn on the slide:
•   Software as a Service (SaaS) spans the whole stack:
     –   Presentation
     –   APIs
     –   Applications
     –   Information (Data, Metadata, Content)
•   Platform as a Service (PaaS) starts at:
     –   Integration & Middleware
•   Infrastructure as a Service (IaaS) starts at:
     –   APIs
     –   Core Connectivity & Delivery
     –   Abstraction
     –   Hardware
     –   Facilities

•   Software as a Service (SaaS)
     –   Sits on top of IaaS and PaaS stacks
     –   Self-contained operating environment to deliver the entire user experience
•   Platform as a Service (PaaS)
     –   Sits on top of IaaS
     –   Additional integration layer with application development frameworks
     –   Middleware
     –   Programming languages and tools supported by the stack
     –   Functions allowing developers to build applications on the platform
•   Infrastructure as a Service (IaaS)
     –   Lowest level infrastructure resource stack
     –   Capability to abstract resources (or not)
     –   Physical and logical connectivity to those resources
     –   Provides a set of APIs which allows “consumers” to interact with the infrastructure.
Cloud Computing and security
Cloud Computing isn’t necessarily more or less secure than your current environment.



•   Does the risk of moving sensitive data and applications to an emerging infrastructure
    exceed your tolerance levels?
•   The limitations on cloud computing growth will include the following issues:
     –   Data custody
     –   Control
     –   Security
     –   Privacy
     –   Jurisdiction
     –   Portability standards for data and code
•   Adopting cloud computing is a complex decision involving many factors: desktop
    applications, e-mail, collaboration, enterprise resource planning and potentially any
    application.
•   The key consideration for a security architecture is that the lower down the SPI stack the
    cloud service provider stops, the more organisations will be responsible themselves for
    managing the risk to their assets.
Control & risk management
What degree of control and risk management will the organisation have for
each of the cloud service models?

•   Whilst the risk assessment depends on the “where” and “how” of
    the assets, it also depends on the following:
     –   The types of assets being managed
     –   Who manages them and how
     –   Which controls are selected and why
     –   What compliance issues need to be considered
•   Consideration should be made for risk mitigation in each of the SPI
    tiers (SaaS, PaaS, IaaS) and compliance/regulatory requirements
    should be considered (e.g. PCI DSS, FSA, SOX, etc.).
Find the gaps…
Map each layer of the cloud reference model to the security controls it needs, and each
control to the compliance requirement it satisfies; a layer with no control, or a
requirement with no control behind it, is a gap.

Cloud Reference Model
     –   Presentation
     –   APIs
     –   Applications
     –   Information (Data, Metadata, Content)
     –   Integration & Middleware
     –   APIs
     –   Core Connectivity & Delivery
     –   Abstraction
     –   Hardware
     –   Facilities
     (SaaS covers the whole stack, PaaS from Integration & Middleware down, IaaS from the
     lower APIs down, as in the NIST model slide.)

Security Control Model
     –   Applications
     –   Information
     –   Management
     –   Network
     –   Trusted computing
     –   Compute & Storage
     –   Physical

Compliance Model
     –   DDA
     –   FSA
     –   PCI DSS
     –   ISO 27002
     –   DPA
     –   SOX
Who does what?
The lower down the stack the cloud service provider stops, the more security capabilities and
management “consuming” organisations are responsible for implementing & managing themselves.

•   IaaS
     –   Provider responsible for securing the underlying infrastructure and abstraction
         layers.
     –   “Consuming” organisation will be responsible for the security of the remainder of
         the stack.
•   PaaS
     –   Provider responsible for the security of the platform.
     –   “Consuming” organisations responsible for:
          –   securing applications developed against the platform
          –   developing applications securely (e.g. OWASP Top 10).
•   SaaS
     –   Provider bears the responsibility for security.
     –   Security controls and their scope are negotiated in the service contracts (SLAs,
         privacy, compliance, liability etc.).
Evaluate cloud service providers

•   Evaluating the risk for potential cloud service providers is a
    challenge:
     – ask cloud services providers to disclose their security controls
     – ask cloud services providers to disclose how these controls are
       implemented to the “consuming” organisation
     – “consuming” organisations will need to know which controls are
       needed to maintain the security of their information.
•   This is a vital step as it is critical that a cloud service is classified
    against the cloud architecture model, then against the security
    architecture, and then against the business, regulatory and
    other compliance requirements.
For further reading, see http://www.cloudsecurityalliance.org/Research.html
On the move with mobile…
What’s mobile?
What do I need to do?
What does a mobile security policy look like?
How do I enforce it?
• Full-featured mobile phones with functionality similar to personal
  computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants
  (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3
  devices) and for connectivity (such as Wi-Fi, Bluetooth and
  HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID)
  devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)
It’s all about risk…
What’s the buzz?

• Visa TIP program promotes a risk based approach.
• The banks want merchants to take a risk based approach.
• The merchants want to take a risk based approach.
• The PCI SSC has ‘blessed’ the adoption of a risk based
  approach.
At the end of the day, what we all want is to stop sensitive information being
exploited by fraudsters.
The era of compliance for compliance’s sake is drawing to an end.
Barclaycard’s top ten tips

Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs
   organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t
   forget Board and Exco) and embed an Information Security culture within your
   organisation early.
3. Scope: Understand how card payments are currently processed (people, process and
   technology). Reduce the scope of the cardholder environment (the smaller, the
   easier).
4. There will be quick wins derived by reviewing and changing business processes and
   historical practices that require little investment. If you don’t need cardholder
   information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become
   PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most
   important step (and this should be refreshed periodically - once a year is advised).

Reduce Risk
6. Remove sensitive authentication data storage as a top most priority.
7. Prioritise Risk: once SAD storage is addressed, look at vulnerabilities in the Card
   Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is
   for markets that have implemented EMV in their F2F channel).
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1
   PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly
   seen as a means of achieving compliance quicker & maximising RoI. And if not
   possible, tie down third parties (contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by
   Visa, Secure Code, tokenisation, point-to-point encryption, etc.); whilst these are
   not PCI DSS requirements, they will improve security and reduce risk.
10. If Compensating Controls are required ensure that all parties are engaged to agree
    the controls before implementation (merchant, QSA, acquirers).
Third parties: do I have a choice?
How organisations can select service providers



For those who outsource…
•    324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites
    http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
    http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
•   867 Level 1 PCI DSS compliant service providers listed on MasterCard website
    http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-
    %20November%2029%202010.pdf
For those who want to retain control in-house…
•    724 PA DSS validated payment applications on PCI SSC website
    https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
Barclaycard’s position…
•   We always recommend that our customers use Level 1 Service providers as self-assessment does not
    provide you with an independent assessment of your supplier.
•   Contractual provisions are crucial.
•   Merchants should seek help from their acquiring bank when facing problems with third party providers
    as a merchant cannot reach compliance without their third parties being compliant.
neira.jones@barclaycard.co.uk

http://uk.linkedin.com/pub/neira-jones/0/7a5/140

Twitter: neirajones

The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
dlhescort
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Anamikakaur10
 

Último (20)

Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
RSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors DataRSA Conference Exhibitor List 2024 - Exhibitors Data
RSA Conference Exhibitor List 2024 - Exhibitors Data
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
Call Girls In Majnu Ka Tilla 959961~3876 Shot 2000 Night 8000
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 

Sc World Congress Econference March 2011

1. PCI Compliance – What’s the buzz?…
Neira Jones
Head of Payment Security, Barclaycard
23rd March 2011

2. Headlines…
• 18th October 2010: the UK Government published their National Security Strategy.
   – This placed "Hostile attacks upon UK Cyberspace by other states and large scale cyber crime" at the same level as International Terrorism and International Military threats.
• The Olympics are a target: in 2008, Beijing suffered 12 million cyber attacks per day.
   – These games ran (!) for 16 days: total number of attacks = 192 million.
   – The number of Internet users was estimated at 1.9 billion users in June 2010*, a 23% increase since 2008.
   – As the number of internet users increases, a far larger attack statistic in 2012 is likely.
• A study by Cisco Systems (December 2010) projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013.
* Source: Miniwatts Marketing Group, 2010

3. Cloud Computing
• 2010: the Year Of The Cloud (Salesforce.com, IBM, Google, Microsoft, Oracle, Amazon, Rackspace, Dell and others)
• The key opportunity for service providers is to differentiate themselves by becoming cloud service providers.
• Perceived key benefits for organisations considering a move to the cloud:
   – reduce capital costs
   – become more agile by divesting infrastructure and application management to concentrate on core competencies
   – opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements.
• Key issues for organisations when determining migration decisions:
   – security and control
   – data-centre overcapacity and scale
   – availability of skilled IT people.

4. The digital era…
• By 2015 there will be more interconnected devices on the planet than humans.*
• What’s mobile? What do I need to do?
• The most recent figures estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people.**
• Every year, we share more of ourselves online.
• Each time we do this, we place our data and our faith in the security measures taken by those managing it on our behalf.
* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010

5.

6. Fraud news (UK)…
☺
• Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for a decade.
• This represents a 17% drop to £365M.
• Phone, internet and mail-order (CNP, Card Not Present) fraud fell 15%.

• Crooks still got away with £1million/day.
• Compared to a 28% fall in 2009.
• Compared to a 19% drop in 2009; CNP fraud remains by far the biggest category.
“While another drop in fraud is good news, the crooks haven’t shut up shop, which is why there can be no room for complacency from the industry, shops or consumers.”
DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit

7. The challenges…
• Cloud computing
• Mobile infrastructure
• Third parties
• Governance or compliance?
• Risk management

9. Moving to the Cloud?...
• Use the Cloud Computing Reference Model provided by NIST.
   – ask cloud services providers to disclose their security controls
   – ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
   – “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.

10. NIST Cloud Reference Model
[Diagram: layered stack, top to bottom: Presentation, APIs, Applications, Information (Data, Metadata, Content), Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities; SaaS spans the top layers, PaaS the middle, IaaS the bottom.]
• Software as a Service (SaaS)
   – Sits on top of IaaS and PaaS stacks
   – Self-contained operating environment to deliver the entire user experience
• Platform as a Service (PaaS)
   – Sits on top of IaaS
   – Additional integration layer with application development frameworks
   – Middleware
   – Programming languages and tools supported by the stack
   – Functions allowing developers to build applications on the platform
• Infrastructure as a Service (IaaS)
   – Lowest level infrastructure resource stack
   – Capability to abstract resources (or not)
   – Physical and logical connectivity to those resources
   – Provides a set of APIs which allows “consumers” to interact with the infrastructure.

11. Cloud Computing and security
Cloud Computing isn’t necessarily more or less secure than your current environment.
• Does the risk of moving sensitive data and applications to an emerging infrastructure exceed your tolerance levels?
• The limitations on cloud computing growth will include the following issues:
   – Data custody
   – Control
   – Security
   – Privacy
   – Jurisdiction
   – Portability standards for data and code
• Adopting cloud computing is a complex decision involving many factors: desktop applications, e-mail, collaboration, enterprise resource planning and potentially any application.
• The key consideration for a security architecture is that the lower down the SPI stack the cloud service provider stops, the more organisations will be responsible themselves for managing the risk to their assets.

12. Control & risk management
What degree of control and risk management will the organisation have for each of the cloud service models?
[Diagram: SaaS, PaaS and IaaS tiers.]
• Whilst the risk assessment depends on the “where” and “how” of the assets, it also depends on the following:
   – The types of assets being managed
   – Who manages them and how
   – Which controls are selected and why
   – What compliance issues need to be considered
• Consideration should be made for risk mitigation in each of the SPI tiers (SaaS, PaaS, IaaS) and compliance/regulatory requirements should be considered (e.g. PCI DSS, FSA, SOX, etc.).

13. Find the gaps…
Find the gaps! Map each layer of the cloud reference model to the security controls that cover it and to the compliance regimes that apply.
• Cloud Reference Model: Presentation, APIs, Applications, Information (Data, Metadata, Content), Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities (grouped as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS))
• Security Control Model: Applications, Information, Management, Network, Trusted computing, Compute & Storage, Physical
• Compliance Model: DDA, FSA, PCI DSS, ISO 27002, DPA, SOX

14. Who does what?
The lower down the stack the cloud service provider stops, the more security capabilities and management “consuming” organisations are responsible for implementing & managing themselves.
• SaaS
   – Provider bears the responsibility for security.
   – Security controls and their scope are negotiated in the service contracts (SLAs, privacy, compliance, liability etc.).
• PaaS
   – Provider responsible for the security of the platform.
   – “Consuming” organisations responsible for securing applications developed against the platform and for developing applications securely (e.g. OWASP Top 10).
• IaaS
   – Provider responsible for securing the underlying infrastructure and abstraction layers.
   – “Consuming” organisation will be responsible for the security of the remainder of the stack.

15. Evaluate cloud service providers
• Evaluating the risk for potential cloud service providers is a challenge:
   – ask cloud services providers to disclose their security controls
   – ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
   – “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.
For further reading, see http://www.cloudsecurityalliance.org/Research.html

16. On the move with mobile…

17. What’s mobile?
What does a mobile security policy look like? What do I need to do? How do I enforce it?
• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)

18. It’s all about risk…

19. What’s the buzz?
• Visa TIP program promotes a risk based approach.
• The banks want merchants to take a risk based approach.
• The merchants want to take a risk based approach.
• The PCI SSC has ‘blessed’ the adoption of a risk based approach.
At the end of the day, what we all want is to stop sensitive information being exploited by fraudsters. The era of compliance for compliance’s sake is drawing to an end.
20. Barclaycard’s top ten tips
Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early.
3. Scope: understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically - once a year is advised).
Reduce Risk
6. Remove sensitive authentication data storage as a top most priority.
7. Prioritise Risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have implemented EMV in their F2F channel.)
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS requirements, they will improve security and reduce risk.
10. If Compensating Controls are required ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).
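Tips 3 to 6 and 9 above are concrete enough to show in working code: mapping where cardholder data actually sits in stored records, flagging sensitive authentication data (SAD) that should not be there after authorisation, and replacing PANs with tokens so the stored copy drops out of scope. The block below is an added example written for this page, not code from the deck or from Barclaycard. The sample records, their field names (pan=, cvv2=, track2=) and the token format are constructed for the illustration; the card numbers are industry test-range numbers, not real cardholder data.

```python
"""Scan stored records for cardholder data and replace PANs with vault tokens."""
import re
import secrets
import string

# Constructed sample records (test-range card numbers, not real cardholder data).
# Record 0 also stores CVV2 and record 3 stores raw track 2 data: both are SAD
# and must not be retained after authorisation. Record 4 looks like a PAN but
# fails the Luhn check, so pattern matching alone would be a false positive.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=12/13 cvv2=123 amount=49.99",
    "order=1002 pan=5500000000000004 exp=01/14 amount=12.00",
    "order=1003 ref=A1B2C3 amount=7.50",
    "order=1004 track2=;4111111111111111=1312101123456780? amount=99.00",
    "order=1005 pan=1234567812345678 amount=3.00",
]

# A PAN is 13-19 digits that is not part of a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# SAD in free text: card security codes under common field names, and
# magnetic stripe track 1 / track 2 data recognised by their framing characters.
SAD_PATTERNS = {
    "security_code": re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I),
    "track1": re.compile(r"%B\d{13,19}\^[^?]*\??"),
    "track2": re.compile(r";\d{13,19}=\d{4,}\??"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit runs of PAN length that also pass Luhn (cuts most false positives)."""
    return [m.group(0) for m in CANDIDATE_PAN.finditer(text) if luhn_ok(m.group(0))]


def find_sad(text: str) -> list[str]:
    """Kinds of sensitive authentication data present in the text."""
    return [kind for kind, pat in SAD_PATTERNS.items() if pat.search(text)]


def scan_records(records: list[str]) -> list[dict]:
    """Data-flow mapping input: one finding per record holding a PAN or SAD."""
    findings = []
    for idx, rec in enumerate(records):
        pans, sad = find_pans(rec), find_sad(rec)
        if pans or sad:
            findings.append({"record": idx, "pans": pans, "sad": sad})
    return findings


class TokenVault:
    """Illustrative tokenisation: random surrogate values, PAN held only here.
    A real vault is a separately secured system; this one is an in-memory stand-in."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Letters only, so the token can never be mistaken for a PAN by a scanner;
        # the last four digits are kept for display, as receipts commonly do.
        rand = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
        token = f"tok_{rand}_{pan[-4:]}"
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def remediate(record: str, vault: TokenVault) -> str:
    """Drop SAD outright (tip 6), then swap every PAN for a vault token (tip 9)."""
    for pat in SAD_PATTERNS.values():
        record = pat.sub("[SAD-REMOVED]", record)
    for pan in find_pans(record):
        record = record.replace(pan, vault.tokenize(pan))
    return record


if __name__ == "__main__":
    vault = TokenVault()
    for finding in scan_records(SAMPLE_RECORDS):
        print("finding:", finding)
    for rec in SAMPLE_RECORDS:
        print("after:  ", remediate(rec, vault))
```

Run against the constructed records, the scan reports records 0, 1 and 3 (record 4 is dropped by the Luhn check), and after remediation no record contains a PAN or SAD, while the vault can still map each token back to the original number for the systems that genuinely need it. The same scan can be pointed at log files, database exports or mailboxes when building the cardholder data flow map called for in tip 5.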
21. Third parties: do I have a choice?
How organisations can select service providers
For those who outsource…
• 324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites
  http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
  http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• 867 Level 1 PCI DSS compliant service providers listed on MasterCard website
  http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20November%2029%202010.pdf
For those who want to retain control in-house…
• 724 PA DSS validated payment applications on PCI SSC website
  https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
Barclaycard’s position…
• We always recommend that our customers use Level 1 Service providers, as self-assessment does not provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.