Will You Be PCI DSS Compliant By September 2010? - OWASP

Transcription

Will you be PCI DSS Compliant by September 2010?
Michael D’Sa, Visa Canada
Presentation to OWASP Toronto Chapter
Toronto, ON, 19 August 2009

Security Environment
As PCI DSS compliance rates rise, new compromise trends emerge.

Compliance milestone: PCI DSS compliance is adopted by acquiring participants in North America.
Compromise trend: Issuers and processors increasingly targeted; non-U.S. compromises increasing rapidly.

Compliance milestone: Merchants and service providers reduce historical storage of cardholder data.
Compromise trend: Data criminals seek capture of cardholder data in transit through sniffer attacks.

Compliance milestone: PCI DSS compliance improves among large merchants.
Compromise trend: Compromises of small and medium size merchants increase.

Compliance milestone: E-commerce and payment channel websites better secured.
Compromise trend: SQL injection attacks on non-payment sites to gain access to payment environment.

Footer: Account Information Security, 19 August 2009, Visa Public

Compromises in the Media: Myths and Facts

Myth: PCI DSS compliant entities have been breached.
Fact: As of today, no compromised entity has been found to be compliant at the time of the breach.

Myth: PCI DSS does not address sniffer* attacks.
Fact: PCI DSS should prevent and detect unauthorized network access and installation of sniffers.

Myth: Visa does not support encryption.
Fact: Visa does support encryption for both online and batch files.

Myth: Encryption of data transmission can prevent recent compromises.
Fact: Encryption does not eliminate the risk of data being “sniffed” if data is decrypted at any point.

PCI DSS continues to serve as a robust foundation to protect cardholder data in a static data environment.

* Sniffers are used by hackers to monitor and capture data in transit over an internal network.

Common cyber vulnerabilities that lead to attacks on a network
- No segmentation and/or firewall
- Un-patched systems and/or default configuration
- No logging
- No encryption or authentication on Wireless Access Points
- Security not written into payment applications
- Sniffer attacks
- Remote access misconfigurations

Forensic Findings*
- The majority of all E-commerce merchant breaches are tied back to external hackers as opposed to insiders. On the other hand, the number of “inside jobs” for brick-and-mortar data breaches still remains significantly higher.
- More than 80% of E-commerce merchant breaches could have been easily prevented if some basic security measures were in place.
- 20-25% of E-commerce merchant breaches were the result of SQL injection, an attack that can be perpetrated quickly, easily and using any basic web browser from anywhere on the internet.
- Vulnerability scanning is still critically important.
  - Some breached e-merchants were undergoing scans, but were not looking at their reports.
  - Some of these merchants were looking at the reports, but didn’t bother to remediate the reported vulnerabilities.
  - Some of these reported vulnerabilities were known for over 12 months, but never addressed.

* Source: Verizon Business Powered by CyberTrust (2008)
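The slide's point that a fifth to a quarter of e-commerce breaches came down to SQL injection is easiest to see next to the code pattern that causes it. The following is an added example, not from the presentation or from any Visa material: a constructed order-lookup table with a query that splices request parameters into SQL, beside the parameterized version that binds them as data. Table and column names (orders, merchant_id, order_id, pan_last4) and the sample rows are this example's own assumptions.

```python
"""Vulnerable vs. parameterized order lookup using sqlite3.

Added example, not from the presentation. The orders table, its columns
and the rows below are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding orders for two merchants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, merchant_id TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [
            ("A100", "merchant-1", "1111"),
            ("A101", "merchant-1", "2222"),
            ("B200", "merchant-2", "3333"),
        ],
    )
    return conn


def lookup_order_vulnerable(conn, merchant_id: str, order_id: str):
    """The pattern forensic reports keep finding: request input pasted into SQL.

    A quote character in order_id ends the string literal early, so the rest of
    the value is parsed as SQL and can widen the WHERE clause past this merchant.
    """
    sql = (
        "SELECT order_id, pan_last4 FROM orders "
        f"WHERE merchant_id = '{merchant_id}' AND order_id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, merchant_id: str, order_id: str):
    """Parameterized query: the driver binds the values as data, never as SQL."""
    sql = (
        "SELECT order_id, pan_last4 FROM orders "
        "WHERE merchant_id = ? AND order_id = ?"
    )
    return conn.execute(sql, (merchant_id, order_id)).fetchall()


def demo() -> dict:
    """Run both lookups against a normal order id and a tampered one."""
    conn = make_db()
    honest = "A100"
    # Constructed example of a tampered browser parameter: a quote that closes
    # the literal followed by an always-true condition.
    tampered = "x' OR '1'='1"
    return {
        "vuln_honest": lookup_order_vulnerable(conn, "merchant-1", honest),
        "vuln_tampered": lookup_order_vulnerable(conn, "merchant-1", tampered),
        "safe_honest": lookup_order_safe(conn, "merchant-1", honest),
        "safe_tampered": lookup_order_safe(conn, "merchant-1", tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the tampered value the concatenated query returns every row in the table, including merchant-2's, which is exactly the cross-tenant exposure the shared-hosting finding on the next slide describes; the parameterized query returns nothing because the whole value is compared literally against order_id. The fix is structural (bound parameters), not input filtering, and it is the same in every language and database driver.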

Forensic Findings* (continued)
Approximately 50% of the E-commerce merchants’ breaches tied back to issues with third parties. These tend to fall into three sub-categories:
1. Outsourcing of the payment function (shopping cart check-out). The third party suffers a breach and the merchant’s transaction data is compromised.
2. The e-commerce merchant sends transaction information to a third party, and permits the third party to connect into their e-commerce environment directly to pull the order fulfillment and transaction data. The third party suffers a compromise and the hacker exploits the connectivity that the third party has into the merchant to compromise the transaction data.
3. The shared hosting provider scenario. Many e-commerce sites are being hosted in shared environments. In these shared scenarios there is little to no segmentation between the various e-commerce sites that may exist in the shared environment. One merchant or entity that is hosted in the environment can suffer a breach and then the hacker gains access to the database, which can contain transaction information for dozens or even hundreds of merchants.

* Source: Verizon Business Powered by CyberTrust (2008)

What Are We Up Against?
Malicious individuals continue to evolve attacks in an effort to obtain cardholder data that is processed, stored or transmitted.
(Diagram: attack complexity plotted against time across the Processing, Storage and Transmission stages; threats shown are Sniffers, Wireless intrusion, Database hack, and Stolen Receipts/Cards.)

Compromise Event Impacts
When cardholder data is compromised, the compromised entity faces:
1. Financial liability
- Fines
- Cost of forensic exam
- Fraud liability
2. Brand/reputation damage
3. Disruption of service

Visa’s Data Security Program
Account Information Security is a Visa mandated program that outlines the minimum level of security for any entity that transmits, processes, or stores Visa account information. The AIS program utilizes the PCI Data Security Standard and related suite of documents.

Compliance Validation Summary – Merchants
(Table; only fragments survived extraction. Recoverable entries: merchant Level 1; Annual Review; volume thresholds “M and MOTO 1,000,000” and “E-comm 20,000”; categories “All E-commerce Volume” and “All other merchants”; validation frequencies marked Annual or Quarterly.)

Compliance Validation Summary – Service Providers
Service Provider Type 1: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year.
- On-site Review: Annual
- Vulnerability Scan: Quarterly

Service Provider Type 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.
- Self Assessment Questionnaire: Annual
- Vulnerability Scan: Quarterly

Deadlines
- Level 1, 2, and 3 merchants were required to complete their validation compliance review by 31 December 2005.
- Visa Canada agreed not to levy fines if a merchant had a reasonable action plan in place.
- Visa Inc announced a global date (September 30, 2010), which enforces fines on L1 merchants who have not completed their DSS validation reviews.
- Fines will be levied to the respective Acquirers of noncompliant L1 merchants after September 30, 2010.
- Visa Canada will announce an end date for L2 and L3 merchants.

PCI Training in Canada
- PCI DSS 1.2 Training. Location: Toronto. June 16, 17
- PCI PA-DSS Training. Location: Toronto. June 18
- PCI DSS 1.2 Training. Location: Vancouver. September 9/10

PCI DSS Prioritized Approach
What is the Prioritized Approach?
The Prioritized Approach is a new educational resource from the Council. It offers guidance on how to focus PCI DSS implementation efforts in a way that expedites the security of cardholder data.

PCI DSS Prioritized Approach
How can the Prioritized Approach help with compliance?
The Prioritized Approach does not provide a short cut or tricks to achieve PCI DSS compliance. It does however deliver key benefits, such as:
- Helps businesses identify highest risk targets
- Creates a common language around PCI DSS implementation efforts
- Enables merchants to demonstrate progress on compliance process to key stakeholders – banks, acquirers, QSAs, others.

PCI DSS Prioritized Approach
How was it created?
- Examination of account data compromise events
- Feedback from PCI SSC Board of Advisors, Council leadership and the Technical Working Group
- Feedback from several QSAs and forensics investigators
Asked to identify the top 15 PCI DSS requirements for protecting cardholder data – reduce risk associated with account data compromise by:
- Not retaining magnetic stripe data
- Minimize and secure storage of PAN
- Using network segmentation to reduce scope

PCI DSS Prioritized Approach
Milestone One – If you don’t need it, don’t store it.
The intent of Milestone One is to remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised – if sensitive authentication data and other cardholder data had not been stored, the effects of the compromise would have been greatly reduced.

Milestone Two – Secure the perimeter.
The intent of Milestone Two is to protect the perimeter, internal, and wireless networks. This milestone targets a key area that represents the point of access for most compromises: vulnerabilities in networks or at wireless access points.

PCI DSS Prioritized Approach
Milestone Three – Secure applications.
The intent of Milestone Three is to secure applications. This milestone focuses on applications, as well as application processes and application servers, since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data.

Milestone Four – Control access to your systems.
The intent of Milestone Four is to protect the cardholder data environment through monitoring and access control since this is the key method to detect the who, what, when and how about who is accessing your network.

PCI DSS Prioritized Approach
Milestone Five – Protect stored cardholder data.
For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

Milestone Six – Finalize remaining compliance efforts, and ensure all controls are in place.
The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

PCI DSS Prioritized Approach
Prioritized Approach Tools

PCI DSS Prioritized Approach
The Prioritized Approach does not:
- Provide a short cut to compliance with PCI DSS 1.2
- Assume a one size fits all approach for every organization
- Replace PCI DSS 1.2

PCI DSS Prioritized Approach
- The use of the Prioritized Approach is not mandated
- QSAs are not obliged to use this approach for reporting purposes, but encouraged to become familiar with the approach
- Merchants and Service Providers are still required to be fully compliant with PCI DSS
- Safe Harbour only afforded to entities that are fully compliant
For more details on the Prioritized Approach, please refer to the PCI Security Standards website, www.pcisecuritystandards.org

Payment Application Compliance Program
A Program Overview

Compromise Incidents by Industry
(Chart; data not recoverable from the transcription.)
* Source: TrustWave, 2008

What is the PA-DSS?
- PA-DSS is a comprehensive set of security requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance
- This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of sensitive authentication data
- Distinct from, but aligned with PCI DSS

Payment Application Data Security Standard
1. Do not retain full magnetic stripe, CVV2, or PIN block data.
2. Protect stored cardholder data.
3. Provide secure password features.
4. Log application activity.
5. Develop secure applications.
6. Protect wireless transmissions.
7. Test applications to address vulnerabilities.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the Internet.
10. Facilitate secure remote software updates.
11. Facilitate secure remote access to application.
12. Encrypt sensitive traffic over public networks.
13. Encrypt all non-console administrative access.
14. Develop, maintain and disseminate a PABP implementation guide for customers, resellers and integrators.
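Milestone One (“if you don’t need it, don’t store it”) and PA-DSS requirements 1 and 2 are things a merchant can check for rather than take on trust: scan what the application actually writes to disk and logs for full track data and clear-text PANs. The block below is an added example, not from the presentation, the PCI SSC or any Visa tool. The regular expressions, the Luhn filter, the masking rule (first six and last four digits kept) and the sample records are this example’s own assumptions; the PANs in the records are constructed test-style numbers, not real cards.

```python
"""Find stored sensitive authentication data and mask PANs in records.

Added example, not from the presentation. Patterns, masking policy and the
sample records below are constructed for the demonstration.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes. The lookarounds keep it from matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# Track 1: %B<PAN>^<name>^YYMM...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")

# Constructed records of the kind a PA-DSS assessment would look at.
SAMPLE_RECORDS = [
    # A debug log line that captured full Track 2 (prohibited: PA-DSS req. 1).
    "2009-08-19 10:02:11 swipe ok track2=;4111111111111111=13121010000? terminal=T07",
    # An order record holding a clear-text PAN (must be protected: PA-DSS req. 2).
    "order=A100 amount=49.99 card=5555 5555 5555 4444 exp=1312",
    # A benign record whose long number is not a card (fails the Luhn check).
    "order=A101 tracking=4111111111111112 carrier=ACME",
]


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that card numbers satisfy; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_if_pan(match_text: str):
    """Return the digit string if the match is a Luhn-valid PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """All Luhn-valid PANs in text, separators removed."""
    return [d for m in PAN_RE.finditer(text) if (d := _digits_if_pan(m.group(0)))]


def redact(text: str) -> str:
    """Remove track data outright and mask any PAN, so the record can be kept."""
    text = TRACK1_RE.sub("[TRACK1 REMOVED]", text)
    text = TRACK2_RE.sub("[TRACK2 REMOVED]", text)

    def _mask(m):
        digits = _digits_if_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)

    return PAN_RE.sub(_mask, text)


def scan_record(text: str) -> dict:
    """Classify one record: prohibited track data present? which PANs (masked)?

    PANs are reported masked so the finding itself does not re-expose them.
    """
    has_track = bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))
    return {
        "has_track_data": has_track,
        "masked_pans": sorted({mask_pan(p) for p in find_pans(text)}),
        "redacted": redact(text),
    }


def violations(records) -> list:
    """Indexes of records that hold track data or a clear-text PAN."""
    return [i for i, r in enumerate(records)
            if (s := scan_record(r))["has_track_data"] or s["masked_pans"]]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(scan_record(rec))
    print("records needing remediation:", violations(SAMPLE_RECORDS))
```

The Luhn filter and the 13-to-19-digit window are heuristics: they cut false positives from order and tracking numbers but will not catch PANs split across fields or stored encoded, so a scan like this complements, rather than replaces, knowing where the application writes data. The redaction path shows the remediation the milestone asks for: track data is never stored, and a PAN that must be kept is stored masked or otherwise protected.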

Payment Application Vulnerabilities
Over 24 applications have played a role in data compromises.*
Top 5 vulnerabilities related to payment applications include:
– SQL injection
– Default accounts
– Full track data and/or encrypted PIN block retention
– Insecure remote access by software vendors and their resellers
– Compatibility issues with anti-virus and encryption

* Source: Visa Inc. Payment System Risk, 2007

Important Dates – Visa Canada
- Effective October 1, 2008, Visa Canada requires all newly boarded merchants who use Payment Application software to use software that has been validated to comply with PA-DSS.
- Effective July 1, 2010, all existing merchants who use Payment Application software must use software that has been validated to comply with PA-DSS.

PCI Security Standards Council
- The PCI Security Standards Council (PCI SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
- Its mission is to enhance payment account security by fostering broad adoption of PCI Security Standards.
- The founding members are Visa, Amex, Discover, JCB and MasterCard.

Participating Organizations
Participating Organizations contribute to PCI SSC by:
- Providing advance comment on potential changes to security standards
- Providing input on future initiatives of the organization
- Nominating representatives for election to the Advisory Board
- Providing strategic direction to the organization by serving on the Advisory Board

www.PCISecurityStandards.org

PCI SSC – Visa Inc.’s 2009 Objectives
As a founding member, Visa drives key industry data security initiatives through the PCI SSC:
- Perform QSA quality assurance reviews
- Formal publication of a risk-prioritization strategy
  – Visa to develop corresponding qualification criteria for entities to validate using risk-prioritization
- Adoption and publication of PCI PIN Security Standard
- Determine feasibility for Council’s management of Forensic Investigators program
- Development of card issuer guidance for PCI DSS compliance

Conclusion
Too much emphasis on PCI DSS validation as a finish line rather than ongoing security and compliance leaves exposure.
- PCI DSS controls, when implemented properly, would prevent network intrusions.
  – If the network is compromised, impact should be mitigated via timely detection.
- In all compromise cases, forensic investigations have found significant gaps in the compromised entity’s PCI DSS controls to be major contributors to the breach.
- Validating compliance is a snapshot, point-in-time review of a business’ systems, and is limited in scope to a sample of systems.
  – Entities must not rely solely on Qualified Security Assessors to determine their compliance.
Maintaining good security requires an ongoing commitment.
- PCI DSS compliance is a 24 hour a day, 7 day a week, 365 day a year job.
- Businesses must build ongoing compliance monitoring into their internal auditing processes.

Questions?
