Can you protect my Credit Card data? It is 2015 after all!

Compliance (PCI-DSS), emerging technologies, and scope reduction

Mr. Kelvin Medina, CISSP, SEC+, ITIL

Presenter

Mr. Kelvin Medina, CISSP, SEC+, ITIL

Security Engineer, University of Miami (UM)

Contact Information

305-284-1005 (Office)

[email protected]

[email protected] (personal)

https://www.linkedin.com/in/kelvinmedina

Presenter (Who is this guy anyway!?)

• Information Security Engineer (ISE) at the University of Miami (UM)

• IT enterprise comprised of more than 25k users, 700 plus applications, and over $160 million in credit card transactions per year across different facilities in South Florida

• Previously, Information Systems Security Officer (ISSO) at the US Navy

• Lately conducting mission assurance assessments on cybersecurity across the world for the DoD

• Software Engineer for the Trident II submarine-launched ballistic missile (SLBM)

• Recent public engagements

• “Your biggest cyber threat? Naïve end-users”, United States Cybersecurity Magazine, January 2015

• Panelist, “Network Security and PCI-DSS”, South Florida Technology Alliance (SFTA), February 2015

• Education

• BS Computer Science, University of Puerto Rico

• MS Technical Management, Johns Hopkins University

• Global Pre-MBA Leadership Program, Yale University

Securing the infrastructure: a recipe for failure

Life according to PCI-DSS

• 1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?

• 2.2.2 Disable unnecessary services and protocols

• 2.2.4 Remove all unnecessary functionality

• And 300 plus requirements (and counting!)

What do I need to protect, anyway?

How to balance EPIC’s business workflow and PCI-DSS?

Pilot project, hoping scope reduction

• Use Desktop as a Service (DaaS) to reduce scope

Moving toward a data centric approach

• Data centric approach

• Cell level security (e.g. Transparent Data Encryption (TDE) in Azure SQL)

• Encryption (e.g. P2PE)

• Security containers (e.g. MobileIron MDM)

• Social, Mobile, Analytics, and Cloud (SMAC)

The future, present (for some out there!)

Point to Point Encryption (P2PE)

• End-to-End encryption (E2EE) is not equal to P2PE

• Point of Interaction (POI) is the key here

P2PE to address malware

• Consider the following

• VISA Technology Innovation Program (TIP) expanded

• VISA TIP now includes merchants who process at least 75% of their transactions through a PCI-validated P2PE solution

• Effective April 1st, 2015

• Annual PCI-DSS validation assessment might be waived

Going back… EPIC and P2PE

Magnetic Stripe Technology

• Virtually no changes since its introduction in the 1960s

• Prone to

• Skimming (capture the track data)

• Shoulder-surfing (watch the PIN as it is being entered)

Europay, Visa, Mastercard (EMV) Technology

• EMV or smart cards were patented in the 1970s in France, Germany, and Japan

• Started as a way to store bank account information securely on a card

EMV Workflow

1. Match between Terminal and Chip Card’s Application ID

• The ARQC algorithm creates the cryptogram

• Parameters: Chip Card Master Key (unique value to the card) + Session Key (unique to the transaction)

• The ARQC is encrypted/hashed with the Chip Card Master Key; the result is a 16-character hex ARQC, e.g. 1A2B3C4D5E6F4321

2. Terminal → ARQC → Acquirer

3. Acquirer → ARQC → Issuer

4. Issuer validates the ARQC by creating its own ARQC using an HSM and makes the authorization decision.

5. Issuer → ARPC → Acquirer

6. Acquirer → ARPC → Terminal

7. Terminal sends the ARPC to the Chip Card plus optional Issuer commands (e.g. card block)

• An Issuer command is known as an Application Protocol Data Unit (APDU)

• The Chip Card validates the ARPC by creating its own and only then applies any APDU sent by the Issuer

• The Chip Card responds to the Terminal indicating whether or not the command was executed successfully
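The seven-step ARQC/ARPC round trip above, as an added simulation that is not part of the original deck. Assumption: an HMAC-SHA256 truncated to 8 bytes stands in for the Triple-DES MACs that real EMV cards and issuer HSMs compute; the key names, the simplified transaction fields and the response codes are constructed for the example.

```python
import hmac
import hashlib

# Constructed simulation of the EMV ARQC/ARPC exchange. HMAC-SHA256 truncated to
# 8 bytes replaces the Triple-DES MACs of real cards and issuer HSMs (assumption).

def mac8(key: bytes, data: bytes) -> bytes:
    """8-byte MAC: 8 bytes print as the 16 hex characters of the ARQC on the slide."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def derive_session_key(card_master_key: bytes, atc: int) -> bytes:
    """Session key unique to one transaction: card master key + transaction counter (ATC)."""
    return hmac.new(card_master_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()

def transaction_data(amount_cents: int, currency: str, atc: int, unpredictable: bytes) -> bytes:
    """Fields the terminal asks the card to cover (a much simplified CDOL, constructed)."""
    return amount_cents.to_bytes(6, "big") + currency.encode() + atc.to_bytes(2, "big") + unpredictable

def card_generate_arqc(card_master_key: bytes, atc: int, data: bytes) -> str:
    """Step 1 on the card: MAC the transaction data under the per-transaction session key."""
    return mac8(derive_session_key(card_master_key, atc), data).hex().upper()

def issuer_authorize(card_master_key: bytes, atc: int, data: bytes, arqc: str, approve: bool = True):
    """Step 4 in the issuer HSM: recompute the ARQC; only on a match produce an ARPC."""
    expected = card_generate_arqc(card_master_key, atc, data)
    if not hmac.compare_digest(expected, arqc):
        return None                      # cryptogram mismatch: decline, no ARPC is issued
    arc = "00" if approve else "05"      # constructed authorization response codes
    arpc = mac8(derive_session_key(card_master_key, atc), bytes.fromhex(arqc) + arc.encode()).hex().upper()
    return arpc, arc

def card_validate_arpc(card_master_key: bytes, atc: int, arqc: str, arpc: str, arc: str) -> bool:
    """Step 7 on the card: recompute the ARPC before honouring any issuer command (APDU)."""
    expected = mac8(derive_session_key(card_master_key, atc), bytes.fromhex(arqc) + arc.encode()).hex().upper()
    return hmac.compare_digest(expected, arpc)

def run_transaction(card_master_key: bytes, atc: int, data: bytes) -> dict:
    """Terminal view of steps 1-7; the acquirer only relays ARQC and ARPC (steps 2, 3, 5, 6)."""
    arqc = card_generate_arqc(card_master_key, atc, data)
    result = issuer_authorize(card_master_key, atc, data, arqc)
    if result is None:
        return {"arqc": arqc, "arpc": None, "approved": False}
    arpc, arc = result
    return {"arqc": arqc, "arpc": arpc, "approved": card_validate_arpc(card_master_key, atc, arqc, arpc, arc)}

if __name__ == "__main__":
    CMK = bytes(range(16))                                   # constructed card master key
    data = transaction_data(1999, "840", 7, b"\x12\x34\x56\x78")
    print(run_transaction(CMK, 7, data))
```

The point the slide makes is visible in the two failure paths: an amount altered between terminal and issuer no longer verifies against the card's cryptogram, and a response code swapped on the way back no longer verifies on the card.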

EMV Deadline

• Liability for fraud shifts from Issuer to Merchant

• Oct 2015

• Not an actual PCI-DSS requirement

What is tokenization?

As per PCI-DSS, tokenization is “a process by which the primary account number (PAN) is replaced with a surrogate value called a ‘token’. De-tokenization is the reverse process of redeeming a token for its associated PAN value.”

Tokenization process

Tokenization scope reduction

• Merchant VS Tokenization Service Provider (TSP)
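The PCI-DSS definition above and the Merchant vs. Tokenization Service Provider (TSP) split, as an added vault-based example that is not part of the original deck or any vendor's product. Assumptions: the TSP class, the Merchant class, the token layout (random digits plus the PAN's last four) and the rule that a token must fail the Luhn check are all constructed for the example.

```python
import re
import secrets

# Constructed vault-based tokenization example. The TSP holds the only PAN store;
# the merchant only ever stores the surrogate token, which is what shrinks its scope.

def luhn_valid(digits: str) -> bool:
    """Standard Luhn check that real card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenServiceProvider:
    def __init__(self) -> None:
        self._vault = {}   # token -> PAN, the only place a PAN lives

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a surrogate value; the mapping never leaves the vault."""
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            # keep the last four digits for receipts; the rest is random, not derived from the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # assumption of this example: a token must fail Luhn so it cannot pass as a real PAN
            if not luhn_valid(token) and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Redeem a token for its PAN; only reachable inside the TSP's environment."""
        return self._vault[token]

class Merchant:
    """Merchant side: stores tokens against orders and never sees the PAN again."""
    def __init__(self, tsp: TokenServiceProvider) -> None:
        self.tsp = tsp
        self.orders = {}   # order id -> token

    def checkout(self, order_id: str, pan: str) -> str:
        self.orders[order_id] = self.tsp.tokenize(pan)   # PAN is handed off, not stored
        return self.orders[order_id]

    def holds_cardholder_data(self) -> bool:
        """What an assessor's PAN scan of merchant storage would find."""
        return any(luhn_valid(v) for v in self.orders.values())
```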

Panacea: Tokenization and encryption

• For real? Let’s see…

Takeaways

• Whenever you consider a new product or service, weigh the pros and cons

• Use a security first approach

• Security is engaged as early as possible during the acquisition process

• Clearly understand all the responsibilities

• Your responsibilities

• Your vendor’s responsibilities

• Focus on security as an overall strategy for your business

• See security as an integrated part of your business

• AND finally make informed, risk based decisions

Questions and Answers