PCI Security: Q&A with Anton Chuvakin, PCI Compliance Expert, PART 2
In the second of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about cloud compliance and the prevalence of the “it won’t happen to my company” attitude. Last week, we spoke to Chuvakin about the way the industry has misunderstood – and undervalued – PCI standards.
VPN Haus: You've mentioned that some companies take a "nobody wants to hack us" attitude to compliance. What kinds of companies tend to take this approach? What kinds of companies tend to be most vigilant - ones that have already had a breach?
Chuvakin: While many in the security community would quip that only stupid companies would say that "nobody wants to hack us," reality is slightly more complicated. Perception of electronic and digital risks does not come naturally to people - and IT
In regards to more vigilant organizations, you are correct: breached companies are indeed the more vigilant - but only for a certain time. Some say a breach gives a boost to security awareness, elevating vigilance for about a year.
VPN Haus: Are the consequences of a security breach for PCI companies enough of a deterrent?
Chuvakin: Apparently not. Just look at all the companies that only pay lip service to security and PCI compliance, and then get upset after they are breached. Don't get upset -- the breach is a natural result of your own behavior, please learn to take
VPN Haus: How would you describe PCI's approach to the cloud? Everyone seems to have an opinion on the cloud, but it seems like PCI has been quiet on this front.
Chuvakin: It is quiet [because] Requirement 12.8 that covers service providers addresses it just fine. [The requirement states,] "If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service pro
VPN Haus: So basically, PCI compliance applies to service providers or cloud providers if they have cardholder data?
Chuvakin: Yes, of course. PCI DSS has - and pretty much always had - a section about the responsibilities of a service provider.
VPN Haus: Is there anything that we haven't covered that you think is relevant or that you'd like to discuss?
Chuvakin: Like we say in <a href="http://www.pcicompliancebook.info">the PCI book</a>, "The best way to protect the data from hackers is to delete it." People should learn that the best approach to PCI is reducing the scope by eliminating card data storage an
VPN Haus: Would outsourcing your data handling actually increase risks, as you can't control a third-party vendor's compliance but you can control your own?
Chuvakin: No, not at all - because - pardon my French - that "you" mentioned in the above is typically an idiot - in regards to security. Their environments are "owned" and card data is being stolen every day. Think of outsourcing as "do you store a l
Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the Security Warrior blog and is based in San Francisco.