Achieving Compliance With The PCI Data Security Standard

Transcription

Slide 1: Achieving Compliance with the PCI Data Security Standard
Alex Woda
Alex Woda 2009

Slide 2: Agenda
- PCI Security Compliance Background
- Security Breaches - How do they happen?
- Overview of the Security Standards
- 10 Best Practices for Achieving Compliance
- Questions

Slide 3: Payment Card Industry Overview: Terminology
- “Card Association”: Licensor of brand, e.g. VISA
- “Issuer”: Financial Institution that issues cards, e.g. TD Bank
- “Acquirer”: Accepts card transactions for association, e.g. TD Bank, Global Payments, Moneris, etc.
- “Service Provider”: Merchant Services (e.g. storefront host)
- “IPSP”: Internet Payment Service Provider
- “Merchant”: Takes cards as payment
- “MOTO”: Mail Order / Telephone Operator

Slide 4: Payment Card Industry Overview
[Diagram: Card Associations, Acquirers, Card Issuers, Service Providers, Merchants and Cardholders, linked by Transactions, Contracts, Reporting Requirements, and Direction & Requirements]

Slide 5: Before Payment Compliance (2000)
- Increase in Risks to Acquirers and Consumers
  - Card Not Present Fraud (Identity Theft)
  - Web Server Certificates not adequate for e-commerce Security
  - Public disclosure of losses and breaches are rare
  - Erosion of Industry and Brand confidence
  - “Zero liability” for cardholders announced in 2000
- First Major Security Breach made public
  - Public disclosure of a possible compromise of 3.7M cards @ Egghead.com – December 22, 2000
  - Industry damage control cost estimated at 20M with millions of cards cancelled days before Christmas
- Industry wide security improvements needed
  - Public disclosure laws such as California Bill-1386
  - Payment Card Industry Data Security Standards

Slide 6: Major Card Security Breaches
- Card Systems International hacked in 2005
  - Approx. 40 Million Cards compromised
  - Service Provider Network Gateway was hacked
  - Modifications made to Web Server Software
- TJX Stores hacked in 2007
  - Approx. 60 Million Cards compromised
  - Stores were not PCI compliant
  - Hackers gained access to non-protected Wi-Fi Networks
  - Drive-By Hacking
- Royal Bank of Scotland Worldpay (US 2008)
  - Customer information and payroll cards (2 Million)
  - Included open loop gift cards

Slide 7: Major Card Security Breaches (cont.)
- Geeks.com (Dec. 2007 but reported in 2008)
  - Stored client info and CVV / CVC
  - E-commerce site hacked
- Hannaford Brothers - 2008
  - More than 5 Million Cards compromised
  - Stores were PCI compliant
  - Hackers targeted servers that transmit card data to processor
  - Not addressed in PCI DSS (new vulnerability)
- Heartland Payment Systems Jan. 2009
  - Investigation is still in progress
  - Service provider for retailers and e-commerce
  - Processes more than 100 Million transactions per month
  - Malicious code found on servers
  - Extent of cardholder data loss not documented

Slide 8: Who Gets Hacked? Recent Data Breaches
[Chart: breaches by industry sector; legible sector labels include Food, ...communications, Non-Profit, Media, Petroleum and Government; percentages shown are 54%, 25%, 5%, 4%, 4%, 3%, 2%, 1%, 1%, 1%, with the remaining labels lost in transcription]

Slide 9: How Was it Done? Recent Data Breaches
[Chart, categories and percentages as listed on the slide]
- Compromise of POS Software: 71%
- Internet Shopping Carts: 22%
- Back End Processing System: 6%
- Hardware Terminals: 1%
Source: PCI Assessor Trustwave

Slide 10: Payment Compliance Origins (2001)
- Origins of Compliance Programs
  - MasterCard International – Site Data Protection Program (SDP) announced May 2001
  - VISA US – Cardholder Information Security Program (CISP) announced June 2001
  - VISA International – Account Information Security (AIS) Standard and regional programs announced November 2001
- Some Confusion in the Beginning
  - Acquirers and Merchants unsure of requirements
  - Lack of awareness and training
  - 3 different standards and 3 different compliance programs world wide
  - Different requirements
  - Different compliance dates
  - Little enforcement

Slide 11: Payment Compliance Today (2008)
- Security Programs Align on new standard
  - VISA, MasterCard align standards and programs on “Payment Card Industry (PCI) Security Standard” December, 2004
  - Focus on e-commerce and large volume merchants in 2005
  - All merchants need to comply
- PCI Security Programs
  - VISA US and VISA Canada use one standard - Release 1.2
  - VISA approves Qualified Independent Security Assessors
  - MasterCard International sets standard for Internet facing systems, evaluates and approves Qualified Scanning Vendors
  - Acquirers and merchants need to be in compliance
  - Penalties for companies not in compliance
  - Independent forensic investigations mandated for all breaches
  - www.pcisecuritystandards.org for more information

Slide 12: Benefits of PCI Compliance
- Reduced liability for merchant and acquirer in the event of a breach
  - 500k plus 25 per card if duty of care not demonstrated by Merchant
- Improve and monitor protection of critical systems
- Increased security over personal/confidential data
- Reduces likelihood of a breach
- Supports Sarbanes-Oxley and Bill 198 compliance
- Evidence of system access in logs

Slide 13: PCI Data Security Standard
- 6 major areas, 12 categories, and more than 200 specific requirements
- Requirements added after security breaches detected, e.g.:
  - cannot store cardholder data in non-encrypted format
  - secure wireless networks
  - monitor for malicious code and unusual activity
- Version 1.2 released October 2008
  - Clarification of compensating controls

Slide 14: Merchant Compliance Requirements
- Level 1, 2, & 3 are standard in all VISA regions worldwide
- Level 4 is specific to VISA Canada
- All levels are based upon risk and include:
  - Transaction volumes
  - Card not present
  - Previous account compromise
- Additional requirements for Merchant Service Providers
(Visa Canada)

Slide 15: PCI Data Security Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other non-secure parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Slide 16: PCI Assessment Requirements (cont.)
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Slide 17: Controversial Areas
- PCI DSS is Prescriptive
  - Detailed description of controls that must be in place
- Storage of Cardholder data (Section 3)
  - Remove complete track 2 data
  - Render primary account number (PAN) unreadable
  - PAN is used for database index, payment reconciliation
- Application development
  - Source code analysis and review
- Audit Trails
  - Log and monitor all access to cardholder data
- Extent of security testing
  - Penetration tests, security tests, vulnerability scans

Slide 18: Self-Assessment Compliance Questionnaire
- Required annually for smaller merchants
  - Self Assessment completed by staff
  - Assistance often required for accurate completion
  - Should be completed by non-operations staff
- Management formally acknowledges that they are in compliance
- Should be verified by a VISA approved assessor
- Filed with Acquirers and VISA
- Non-compliance must be addressed in action plans

Slide 19: Compliance On-site
- Required annually for large merchants
  - Detailed security assessment
  - Performed by a VISA approved assessor
- Scope of Review
  - Any system or network which collects, processes, stores or transmits cardholder data
  - Focus on malicious code protection and network security
- Filed with Acquirers and VISA
- Non-compliance must be addressed in action plans

Slide 20: Documentation Requirements
- Information Security Policies and Standards
- Organization charts
- Up to date Network diagrams
- Payment application and infrastructure architecture
- Payment interfaces
- Firewall rules
- Intrusion Detection / Prevention strategies
- Malicious code protection
- Security monitoring and assessments
- Control of User access to payment systems
- All 3rd party handling of transactions - contracts

Slide 21: Compliance Vulnerability Scanning
- Vulnerability Scans
  - All Internet facing systems (not just e-commerce web servers)
  - Required on a quarterly basis
  - Should be assessed by a Security Specialist
- Limitations of tests
  - External security scanning of network ports
  - Tests are non-intrusive; however, disruptions may still occur
  - Tests are continuously being added to address new vulnerabilities
- Vulnerabilities must be fixed
  - Low risk findings are excluded
  - Potential vulnerabilities can be excluded if additional examination proves them not applicable

Slide 22: Best Practices for PCI Compliance
1. Conduct an IT Risk Assessment
   - Understand the environment and security risks
2. Reduce the Scope
   - Isolate, Compartmentalize and Secure
3. Understand the Control Environment
   - Document key controls - Are they working effectively?
4. Buy Compliant Systems
   - All vendors are required to be in compliance with certified software
   - Includes implementation guides that follow the PCI Standard
5. Do not store Cardholder data
   - Keep the data for as long as required to authorize the transaction
   - Mask or truncate the data when completed
   - Do not use card numbers for business intelligence or reporting
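Best practice 5 (mask or truncate the PAN once the transaction is authorized, and do not use card numbers for reporting) and the Section 3 point on slide 17 (render the PAN unreadable even though it is used as a database index and for reconciliation) are easier to apply with concrete helpers in hand. The following Python is an added example written for this transcription, not code from the presentation or from the PCI Security Standards Council. It assumes a well-known test card number as sample input, an HMAC key that in a real deployment would come from a key-management system, and a constructed log line; all three are labelled in the code. The keyed hash gives the database a stable surrogate index for the PAN without storing it, and the scanner finds Luhn-valid digit runs in free text so that unmasked PANs left in logs or exports can be detected.

```python
import hashlib
import hmac
import re

# Constructed sample value: an industry test number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits remain visible."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate for storage after authorization: keep only the last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that can serve as the reconciliation/lookup index
    in place of the PAN itself.  The key is an assumption of this example; in
    production it is held and rotated under the key-management procedures
    Section 3 requires, because an unkeyed hash of a 16-digit number is cheap to reverse."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Digit runs of 13-19 digits, optionally separated by spaces or hyphens, not embedded in longer runs.
PAN_PATTERN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_pan_candidates(text: str) -> list:
    """Scan free text (logs, exports) for digit runs that pass Luhn: evidence of unmasked storage."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed log line; the order id and reference number are not PANs and must not be flagged.
    line = "2009-03-02 10:12:33 order=5521 card=4111-1111-1111-1111 amount=19.99 ref=1234567890123"
    print("masked:   ", mask_pan(TEST_PAN))
    print("truncated:", truncate_pan(TEST_PAN))
    print("index:    ", pan_index(TEST_PAN, b"example-key-from-kms"))
    print("leaked:   ", find_pan_candidates(line))
```

The scanner is the piece worth running regularly: point `find_pan_candidates` at application logs, database exports and backup listings, and any hit is a storage location that needs the masking or truncation applied before the assessor finds it.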

Slide 23: Best Practices for PCI Compliance (cont.)
6. Update Policies and Standards
   - Information security policies must be up to date and reference PCI
7. Detailed System Logging
   - Logs must provide evidence of system access
   - Logs must be secured
   - Consider security event correlation tools
8. Secure the Network Perimeter
   - Firewalls are not enough
   - Need to use multiple devices and appliances for protection
9. Harden Servers
   - Configuration standards and disciplined patch management
10. Control vendor and remote access
   - Remote access for support and management access represents a severe security weakness

Slide 24: On the Road to PCI Compliance
- Conduct a Pre-assessment and risk analysis
- Investigate ways to reduce the risks
- Engage with a qualified security assessor to interpret PCI data security standard
- Create a detailed project plan for remediation
- Identify compensating controls
- Test the controls
- Implement a vulnerability management program
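Best practice 7 (logs must provide evidence of system access, must be secured, and benefit from event correlation), best practice 10 (vendor and remote access is a severe weakness) and requirement 10 on slide 16 (track and monitor all access to cardholder data) come together in a log review. The Python below is an added example for this transcription, not code from the presentation or any PCI programme. The log records, the need-to-know list, the shared account names, the CDE network range, the business hours and the bulk-read threshold are all constructed assumptions and are marked as such in the code. The review rules map onto requirements 7, 8 and 10 and best practice 10; the hash chain addresses "logs must be secured" by making any later edit or deletion of a record detectable.

```python
import hashlib
import ipaddress
from datetime import datetime

# Constructed sample records from a hypothetical cardholder-data-environment database host.
SAMPLE_LOG = """\
2009-03-02T09:15:02 host=cdedb01 user=jsmith src=10.1.5.20 action=login result=ok
2009-03-02T09:15:40 host=cdedb01 user=jsmith src=10.1.5.20 action=select table=card_tokens rows=3
2009-03-02T23:47:11 host=cdedb01 user=admin src=10.1.5.99 action=login result=ok
2009-03-02T23:48:03 host=cdedb01 user=admin src=10.1.5.99 action=select table=card_tokens rows=120000
2009-03-03T02:10:00 host=cdedb01 user=vendor_support src=203.0.113.7 action=login result=ok
2009-03-03T02:10:45 host=cdedb01 user=vendor_support src=203.0.113.7 action=select table=card_tokens rows=40
""".splitlines()

# Policy inputs, assumed for this example: who has a business need to know (req. 7),
# which IDs are shared rather than unique (req. 8), which network is the CDE,
# normal working hours, and how many rows count as a bulk read.
NEED_TO_KNOW = {"jsmith", "mlee"}
SHARED_IDS = {"admin", "root", "sa"}
CDE_NETWORK = ipaddress.ip_network("10.1.5.0/24")
BUSINESS_HOURS = (7, 19)
BULK_ROWS = 1000


def parse_record(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return fields


def review_access(lines) -> list:
    """Apply the review rules to each record; return (line_number, rule) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        r = parse_record(line)
        if r["user"] in SHARED_IDS:
            findings.append((n, "shared-id"))           # req. 8: no unique ID
        elif r["user"] not in NEED_TO_KNOW:
            findings.append((n, "no-need-to-know"))     # req. 7
        if ipaddress.ip_address(r["src"]) not in CDE_NETWORK:
            findings.append((n, "remote-access"))       # best practice 10
        if not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]:
            findings.append((n, "after-hours"))
        if int(r.get("rows", 0)) >= BULK_ROWS:
            findings.append((n, "bulk-read"))
    return findings


def chain_logs(lines, seed: bytes = b"genesis") -> list:
    """Hash-chain the records: each digest covers the previous digest and the current line."""
    digests = []
    prev = hashlib.sha256(seed).digest()
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(lines, digests, seed: bytes = b"genesis") -> int:
    """Return the 1-based index of the first record that breaks the chain, or 0 if intact."""
    for n, (computed, expected) in enumerate(zip(chain_logs(lines, seed), digests), 1):
        if computed != expected:
            return n
    if len(lines) != len(digests):          # records appended or removed at the tail
        return min(len(lines), len(digests)) + 1
    return 0


if __name__ == "__main__":
    for n, rule in review_access(SAMPLE_LOG):
        print(f"line {n}: {rule}")
    digests = chain_logs(SAMPLE_LOG)
    print("chain intact:", verify_chain(SAMPLE_LOG, digests) == 0)
```

In practice the digests are written to a separate, write-once store (or shipped to the correlation tool) as records arrive, so that a later comparison against the log file on the host shows exactly where it was altered.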
