0:04
Hi folks, Ed Amoroso here.
And I want to spend some time in this short video kind of introducing
a framework known as PCI-DSS.
[LAUGH] And that stands for Payment Card Industry Data Security Standards.
It's hard to say that, right?
A lot of sounds in there.
So PCI is really intended to reduce the risk
of cyber attacks to retail businesses.
We've [LAUGH] seen so many attacks to credit card readers and
servers keeping track of retail information and your private account data.
Definitely, your credit card information, my goodness.
See one after another of these kinds of breaches over the last ten years.
So the industry, the payment card industry, credit card industry,
basically, decides this is not reasonable.
We need to improve our industry securities is not acceptable.
People, they stop using credit cards than it's
a big blow to that industry obviously.
So they had to reduce the likelihood of these attacks by increasing trust.
So what they did, is came up with a framework.
This data security standard requirements that they impose a levy on
anyone involved in the payment card industry.
And a whole discipline has emerged, a job, a profession,
called a QSA, or Qualified Security Assessor.
It's a job.
It's a profession. It's something that an auditor might
specialize in.
We're going to go in and either do a pre-assessment or pre-audit
with the business to see if they're consistent with these PCI requirements.
Or going to actually come in, and boom, attest with their stamp of approval
that of particular company has in fact met the PCI requirements.
And they're all these complications around
1:57
where you live in the context of the retail industry.
You might be a retail or actually dealing with credit cards, or
you might be say a service provider just kind of supporting that industry and
their different gradations of requirements that are in imposed,
depending on what your role is in that credit card industry.
So, there these different categories.
There's a diagram that we can put up that shows networks and
systems as one category.
A second is the vulnerability management program.
Third is monitoring and testing of your networks.
A fourth is the protection of card holder data.
Fifth, access control measures.
And then the sixth is your information security policy.
And these are all broken up into 12 different sub categories.
These are all requirements that you go one at a time through just like any
framework looking for gaps.
You're looking for
a place where your requirements don't match the requirements that PCI demands.
And if the gap exists, the gap has to be closed.
A QSA has to come in, validate that you've closed it.
There has to be documentation and on and on and on.
This is called security assessment and security audit.
The assessment is the pre-audit,
the real audit activity is done by the QSA with the attestation.
It really is a complicated issue.
Now the foundational problem is that amidst all of this,
we still have retail hacks.
So I think anybody, even a QSA with years of experience,
would tell you that while this reduces risk, it doesn't remove it.
And that's important.
Security assessment and security audit reduce risk, they don't remove risks.
So it's still there.
It just makes things a little better.
It makes our retail system something that we can trust.
A big improvement has been this move from magnetic stripes
on the back of cards to chip in PIN, chip in signature.
Here in the United States, we're a little slower to this sort of thing.
And I think it was October of 2016 that there was a requirement
that businesses really move to a chip kind of model.
Whereas in Europe and other parts of the world that it had been done much sooner.
That certainly reduced risk.
That was something that I think was a real contribution in the retail
industry to greater trust and greater assurance.
But the reality exists that it's still a problem with attacks.
And the fact that there's money involved here makes this very consequential.
So kind of a learning here is that this is a very specific framework,
has a very specific model with 12 subcategories and 6 groupings.
QSAs will commit into pre-audits.
And then full audits to produce an attestation
that businesses need to continue taking credit cards.
The whole process I would claim has in fact reduced risk considerably.
But it hasn't removed it.
That's something that we need to keep in mind.
I hope this has been a useful summary for you.
I'll see you on the next one.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
