Keynote Presentation at Security Conference in Brussels

1. The underside of the PCI DSS ecosystem: PCI as Security, simple facts that no-one talks about and anecdotes from the merchant’s perspective Patrick Wheeler, P.E. [email_address] December 2009 … The following deck is shared post event: It is intended to be accompanied by a dialog and a verbal presentation that unfortunately is not as easy to share … however if you are struggling with PCI I encourage you to contact me via email, LinkedIn or any other means you find comfortable …

5. Eight indicted in $9M RBS WorldPay heist... Eight men have been indicted on charges that they hacked into credit card processing firm RBS Worldpay, and helped steal more than $9 million in a highly coordinated heist nearly a year ago Data Breaches are ever more frequent & negatively impact public perception & diminish public trust in an institution Comprehensive Data Breach notification rules are inevitable Credit Card security standards like PCI are a first step Hackers escalate thefts of financial data Computer hackers stole more sensitive records last year than in the previous four combined, with ATM cards and PIN information growing in popularity as targets , according … Organised criminal groups orchestrated nine in 10 of the most successful attacks, with 93 per cent of the 285m records exposed coming from the financial sector … US to Get Data Breach Notification Laws : … notify anyone whose personal information may have been accessed in a breach … set new standards for data breach notifications, the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), were passed by the Senate Judiciary Committee Nov. 5 … ( link ) The European Council has approved a data breach notification rule for Europe's telecoms firms. … Security breach notification laws force companies which have lost customers' or employees' personal data to announce the loss. Information Society Commissioner Viviane Reding said. "The Commission will … extend the debate to generally applicable breach notification requirements and work on possible legislative solutions … In 2010 , the Commission intends … a major initiative to modernise and strengthen network and information security policy in the EU ," ( link )

9. ITIL COBIT ISO PCI Security Strategy on an Enterprise-wide Level

12. ISO <According to our friends at ISO27kfaq >

13. PCI PCI is certainly not a strategy One of PCI’s biggest criticisms: “ It is too prescriptive ” Is one of its biggest strengths… PCI is, at its heart, basic housekeeping Not New Not Complicated Not Rocket Science <and, as we all know, not a guarantee> PCI is a list of procedures and explicit instructions implementable by a decent IT security practitioner and/or competent engineers/sysadmins and relatively easily verifiable

15. Common Mistakes Companies Make …

20. Dear Mr. Retail Director , wish to speak with you about PCI DSS, the Data Security Standard … Wait a minute, let me get the IT guys on the phone … Dear Ms. Risk Manager , wish to discuss our Certificate of Compliance – Wait a minute, let me call the auditors … Dear Mssr. Regional Store Manager , we need to discuss Requirement 12 : Maintain a policy that addresses information security for employees and contractors , Section 12.3.10 when accessing cardholder data via remote access technologies – Wait a minute, let me get a pillow … Where is the business?

21. … An uncomfortable discussion with the Vice President of Audit … … an even more uncomfortable meeting with the Enterprise Risk Manager … … Meeting with a fifth generation billionaire chairman emeritus business owner … Where is the business?