where you live in the context of the retail industry.
You might be a retail or actually dealing with credit cards, or
you might be say a service provider just kind of supporting that industry and
their different gradations of requirements that are in imposed,
depending on what your role is in that credit card industry.
So, there these different categories.
There's a diagram that we can put up that shows networks and
systems as one category.
A second is the vulnerability management program.
Third is monitoring and testing of your networks.
A fourth is the protection of card holder data.
Fifth, access control measures.
And then the sixth is your information security policy.
And these are all broken up into 12 different sub categories.
These are all requirements that you go one at a time through just like any
framework looking for gaps.
You're looking for
a place where your requirements don't match the requirements that PCI demands.
And if the gap exists, the gap has to be closed.
A QSA has to come in, validate that you've closed it.
There has to be documentation and on and on and on.
This is called security assessment and security audit.
The assessment is the pre-audit,
the real audit activity is done by the QSA with the attestation.
It really is a complicated issue.
Now the foundational problem is that amidst all of this,
we still have retail hacks.
So I think anybody, even a QSA with years of experience,
would tell you that while this reduces risk, it doesn't remove it.
And that's important.
Security assessment and security audit reduce risk, they don't remove risks.
So it's still there.
It just makes things a little better.
It makes our retail system something that we can trust.
A big improvement has been this move from magnetic stripes
on the back of cards to chip in PIN, chip in signature.
Here in the United States, we're a little slower to this sort of thing.
And I think it was October of 2016 that there was a requirement
that businesses really move to a chip kind of model.
Whereas in Europe and other parts of the world that it had been done much sooner.
That certainly reduced risk.
That was something that I think was a real contribution in the retail
industry to greater trust and greater assurance.
But the reality exists that it's still a problem with attacks.
And the fact that there's money involved here makes this very consequential.
So kind of a learning here is that this is a very specific framework,
has a very specific model with 12 subcategories and 6 groupings.
QSAs will commit into pre-audits.
And then full audits to produce an attestation
that businesses need to continue taking credit cards.
The whole process I would claim has in fact reduced risk considerably.
But it hasn't removed it.
That's something that we need to keep in mind.
I hope this has been a useful summary for you.
I'll see you on the next one.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
