Bill Franklin | Senior IT Auditor | [email protected] October 28, 2009 Information Privacy & PCI DSS


Page 1

Information Privacy & PCI DSS

Bill Franklin | Senior IT Auditor | bfranklin@lighthousecs.com

October 28, 2009

Page 2

Agenda

Introduction

Laws, Regulations, Industry Requirements

Federal Regulations

State Regulations

BREAK – 20 Minutes

PCI DSS Example

AICPA - Generally Accepted Privacy Principles (GAPP)

Case Studies / Discussion

Privacy Evaluation

Next Steps

Summary

Page 3

Introduction

Lighthouse IT Compliance Group

Bill Franklin CISA, CGEIT, QSA

Senior IT Auditor

[email protected]

(978) 821-4863

http://www.lighthouseITCompliance.com

Page 4

Introduction …

Knowledge and Experience

Highly Experienced Staff (15 to 25 Years in the Industry)

Certifications Include:

CISA – Certified Information Systems Auditor

CISSP – Certified Information Systems Security Professional

QSA – PCI Qualified Security Assessor

ASV – Authorized Scanning Vendor

CGEIT – Certified in the Governance of Enterprise Information Technology

CoBiT® 4 - Control Objectives for Information and related Technology

Utilize Industry Standard Frameworks and Best Practices Including:

CoBiT®

ISO

ITIL

Page 5

Services Include:

IT Risk Assessments and Audits

External and Internal Network Scanning

Business Continuity Planning / Disaster Recovery

Training & Education

PCI Compliance

ASV Scanning Solutions

QSA Services

PCI Remediation

SAS 70 Preparation

For More Information:

www.lighthouseITCompliance.com or www.lighthousecs.com

Page 6

Data Security

Privacy – Freedom from Unauthorized Intrusion (Merriam-Webster Dictionary)

Security – Confidentiality (Private, Secret), Availability, Integrity (Merriam-Webster Dictionary)

Page 7

Privacy – What is it?

Definition

According to NIST (National Institute of Standards and Technology) information security is defined as “…protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” http://csrc.nist.gov/ Publication SP800-59

Privacy focuses on the unauthorized access, use, and disclosure part of the definition - confidentiality.

The definition of privacy/confidentiality for our purposes will be “Ensuring that information is accessible only to those authorized to have access,” as stated by ISO (International Standard Organization) http://www.iso.org.

Page 8

Dangers of Identity Theft

Page 9

Types of Risk

Political, Geographic, Business

Unintended Events: Human Errors, Accidents, Natural Disasters

Malicious Actions (Internal & External): Security Compromise, IT Fraud / Social Engineering, Hackers / Virus Attacks, Physical Vandalism

Mismanagement

Planning – Control – Compliance – Monitoring – Remediation

Global in a World Made Flat by the Internet

Page 10

Malicious Risks – Who Would Do That?

Source: External, Internal, or an Internal and External Team

Hackers – Viruses (International): External

Social Engineering (Confidence Man/Woman)

Employees with access to funds and confidential information: Internal

Page 11

Data Breaches

• According to Verizon’s 2009 Data Breach Investigations Report, Data Breach statistics for 2009 closely resemble the stats from 2008

• Data Breaches continue to originate from external sources

• Breaches linked to business partners fell for the first time in years

• Breaches caused by insiders are still very high

• The majority of total records lost was attributed to outsiders

• 91 percent of all compromised records were linked to organized criminal groups

Page 12

Laws – Regulations – Requirements – Rules

Privacy – Confidentiality – Security

Page 13

Mitsubishi Corp. (New York, NY)

Page 14

Analysis of Worst Breaches

June 2009

Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business

A report on actual data from investigations of over 600 cases of computer crime that were the worst in the world

“The quick, short story for the bank and financial industries this year is they have had an increase in organized crime and they were entirely focused at the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a non-sensitive, non-critical device where the password was password, or where it wasn't patched two years ago, or where it was a little SQL injection attack.”

www.BankInfoSecurity.com

Page 15

What’s the Difference?

Law or Legal Requirement

Government Regulation

Industry Requirement

Page 16

Legal Requirement

The LAW http://dictionary.law.com

1) Any system of regulations to govern the conduct of the people of a community, society or nation, in response to the need for regularity, consistency and justice based upon collective human experience.

2) A statute, ordinance or regulation enacted by the legislative branch of a government and signed into law, or in some nations created by decree without any democratic process.

Protect Against / Penalties for:

• Fraud

• Embezzlement

• Money Laundering

= Prison Time

Page 17

Regulations

Page 18

Industry Requirements

− Certify that an organization meets certain standards to ensure a required level of competence in a particular area

− Individuals and businesses using their products and services can rely on this certification to verify the organization’s competence.

Page 19

Industry Requirements

It’s not just the IT industry that has these requirements:

− Extractive Industry: Mineral & Petroleum (Explosives) – Really important when you’re handling dynamite.

− Manure Management: Beef Cattle Industry – Who knew there were requirements for this?

− PCI DSS: Payment Card Industry Data Security Standards – Here’s something that’s relevant to us.

What do these pictures have in common?

Page 20

Remember Your Requirements

− Not only is your business affected by Privacy Laws, Regulations and Requirements …

− You as an Individual and Consumer are affected as well

− Think about YOUR personal information being compromised

− Threats are no longer just Local, they are International

Page 21

Federal Regulations

Page 22

GLBA - Gramm-Leach-Bliley Act

This is the nation's first effort to enact restrictions on the sharing and sale of consumers’ personal financial information.

Page 23

GLBA - Areas of the Organization Affected

• Consumer Compliance

• Information Systems

Page 24

GLBA

The privacy of consumers' financial information became relevant to regulatory agencies when lawmakers passed the Gramm-Leach-Bliley Act, which was signed into law on November 12th, 1999.

The focus of the act was to modernize the nation's financial industries by breaking down barriers between banking and related areas such as securities and insurance.

Page 25

GLBA

• The GLBA primarily sought to "modernize" financial services -- that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies.

• The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.

Page 26

GLBA

• Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks.

• Once these companies merged, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives.

Page 27

Safe Harbor

• In order to bridge the different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive imposed by the European Commission, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework.

• The Safe Harbor—approved by the EU in 2000—is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.

Page 28

GLBA

• Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals:

1. First, banks, brokerage companies, and insurance companies must securely store personal financial information

2. Second, they must advise you of their policies on sharing of personal financial information

3. Third, they must give consumers the option to opt-out of some sharing of personal financial information

Page 29

HIPAA

HIPAA - Health Insurance Portability and Accountability Act

• National health information privacy standards issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

• The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first national standards for protecting the privacy of health information.

Page 30

HIPAA

• The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.

Page 31

HITECH

• HITECH - Health Information Technology for Economic and Clinical Health Act

• Series of privacy and security provisions that expand the current requirements under HIPAA

Page 32

HIPAA Information Stolen

Page 33

NAIC – National Association of Insurance Commissioners

• The NAIC adopted the Privacy of Consumer Financial and Health Information Model Regulation on September 26, 2000.

• The model regulation was drafted in response to requirements set forth in Title V of the Gramm-Leach-Bliley Act (GLBA). GLBA calls on the state insurance regulators to issue regulations protecting the privacy of insurance consumers’ personal information.

• Importantly, the NAIC model privacy regulation also includes special protections for health information. The regulation requires insurance companies and agents to get your affirmative consent before sharing health information with any other entity.

Page 34

Family Educational Rights and Privacy Act (FERPA)

• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

• FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

Page 35

ID Theft Red Flags … Federal Trade Commission

• The Fair and Accurate Credit Transaction Act (the FACT Act), which amends the Fair Credit Reporting Act (FCRA), establishes numerous requirements that provide protection for the victims of identity theft, provide more information to consumers about credit reports and credit scoring, limit sharing of information with affiliates, and protect consumer medical and other information.

FIGHTING FRAUD WITH THE RED FLAGS RULE

A How-To Guide for Business

http://www.ftc.gov/redflagsrule

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

Page 36

ID Theft Red Flags …

Overview

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.

Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

Page 37

ID Theft Red Flags …

Who Must Comply …

The Red Flags Rule applies to “financial institutions” and “creditors.”

The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.”

You need to implement a written program only if you have Covered Accounts.

Page 38

ID Theft Red Flags …

Who Must Comply

It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves.

For example, many non-profit groups and government agencies are “creditors” under the Rule.

The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

Page 39

ID Theft Red Flags …

First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business.

Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.

For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Page 40

ID Theft Red Flags

Second, your Program must be designed to detect the red flags you’ve identified.

For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.

Page 41

State Regulations

Page 42

State Privacy Regulations

• The State Security Breach Laws were enacted to protect the confidential personal information of consumers.

• The laws require that when an individual or commercial entity that conducts business in a state, and that owns or licenses computerized data including personal information about a resident of that state, becomes aware of a breach of the security of its computer system, the business or entity must conduct a prompt investigation to determine whether personal information has been compromised and assess the risk of misuse.

Page 43

State Privacy Regulations

• The law also requires that the individual or commercial entity provide notice as soon as possible to the affected state resident, unless the investigation determines that misuse of information about the state resident has not occurred and is not reasonably likely to occur.

Page 44

State Privacy Regulations

• In addition to Federal regulations, various states are enacting privacy regulations. The following slides provide information on various state privacy legislation. 

• Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have now enacted legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.

Page 45

State Privacy Regulations

Page 46

State Privacy Regulations

Page 47

Rhode Island – Banking & Insurance Protection

CHAPTER 27-58 – The Banking And Insurance Consumer Protection Act

§ 27-58-10

Confidential customer information.

A. As used in this section, unless the context requires otherwise:

1) "Customer" means a person with an investment, security, deposit, trust, or credit relationship with a financial institution; and

2) "Nonpublic customer information" means information regarding a person that has been derived from a record of a financial institution, including information concerning the terms and conditions of insurance coverage, insurance expirations, insurance claims, or insurance history of an individual. Nonpublic customer information does not include customer names, addresses or telephone numbers.

B. No financial institution shall use any nonpublic customer information for the purpose of selling or soliciting the purchase of insurance or provide the nonpublic customer information to a third party for the purpose of another's sale or solicitation of the purchase of insurance.

Page 48

Rhode Island – Personal Information

§ 27-58-13 Penalties.

• Any person who violates the provisions of this chapter, or who fails to perform any duties imposed by this chapter, or who violates any administrative regulation promulgated pursuant to this chapter shall be liable for a civil penalty not to exceed the sum of one hundred dollars ($100) for each day which the violation continues, and in addition, may be concurrently enjoined from any further violations by the superior court upon petition of the insurance commissioner.

Page 49

Rhode Island – Financial Information

REGULATION 99

PRIVACY OF CONSUMER FINANCIAL INFORMATION

A. Purpose. This Regulation governs the treatment of nonpublic personal financial information about individuals by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:

1) Requires a licensee to provide notice to individuals about its privacy policies and practices;

2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and

3) Provides methods for individuals to prevent a licensee from disclosing that information.

Page 50

Rhode Island – Financial Information

B. Scope. This Regulation applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. This Regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.

C. Compliance. A licensee domiciled in this state that is in compliance with this Regulation in a state that has not enacted laws or regulations that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.

Page 51

Rhode Island – Health Information

REGULATION 100

PRIVACY OF CONSUMER HEALTH INFORMATION

A. Purpose. This Regulation governs the treatment of individuals’ nonpublic personal health information by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:

1) Describes the conditions under which a licensee may disclose nonpublic personal health information about individuals to affiliates and nonaffiliated third parties; and

2) Provides methods for individuals to prevent a licensee from disclosing that information.

B. Scope. This Regulation applies to all nonpublic personal health information.

C. Compliance. An insurance licensee that is in compliance with this regulation may be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in a state which has not yet enacted laws or regulations that meet the requirements of Gramm-Leach-Bliley.

Page 52

Rhode Island – Health Information

Section 7 Relationship to Federal Rules

Irrespective of whether a licensee is subject to the Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services (the “federal rule”), if a licensee complies with all requirements of the federal rule except for its effective date provision, the licensee shall not be subject to the provisions of this Regulation.

Page 53

Top 10 Tips – Preventing a Security Breach

www.scmagazineus.com

David Hobson, managing director of Global Secure Systems, August 12, 2008

1. Management sets the tone for their organizations by their own behavior. As such, good information practices are obligatory for all stakeholders, not just employees.

2. Be proactive – management should deal with information assurance issues proactively rather than reactively, as information assurance is far more cost effective in a preventative than in a remedial context.

Page 54

Top 10 Tips – Preventing a Security Breach

3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organizations.

4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.

5. Information assurance is everyone's job and as such investments in training and awareness programs for all employees are critical.

6. Management should set out the company's expectations with respect to information assurance in clear, accessible policies.

Page 55

Top 10 Tips – Preventing a Security Breach

7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.

8. Investments need to be made in technology that will result in the secure transport and processing of information by the company's information technology assets.

9. Suitable best practices should be identified and implemented rather than ad hoc approaches.

10. Expert advice should be sought and used at all times to advise and oversee efforts in respect to information assurance from an experienced and objective third-party perspective.

Page 56

Fourth Annual US Cost of Data Breach Study – Benchmark Study of Companies

Sponsored by PGP Corporation. Independently conducted by Ponemon Institute LLC.

Publication Date: January 2009

www.ponemon.org

Page 57

Break – 20 Minutes

Page 58

PCI DSS – Payment Card Industry Data Security Standard

Example – Protection of Sensitive Information

Application – Can Be Applied to More Than Payment Card Data

Page 59

Who / What Is PCI?

Payment Card Industry Data Security Standard

Global Standard (Standard Released in 2006 as v1.1; Revised Standard v1.2 Released October 2008)

“The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”

“The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.”

“The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”

https://www.pcisecuritystandards.org/

Page 60

PCI Security Standards Site

Page 61

What Does PCI DSS Apply To?

Brands

MasterCard Worldwide

Visa, Inc.

American Express

Discover Financial Services

JCB International (Japanese)

Credit Cards

Debit Cards

Stored Value / Top Up (Replenished from a Credit or Debit Card)

Page 62

Cardholder Data

Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 (Render PAN Unreadable Anywhere It Is Stored)

Cardholder Data

Primary Account Number (PAN) | Yes | Yes | Yes

Cardholder Name (1) | Yes | Yes (1) | No

Service Code (1) | Yes | Yes (1) | No

Expiration Date (1) | Yes | Yes (1) | No

Sensitive Authentication Data (2)

Full Magnetic Stripe (3) | No | N/A | N/A

CAV2 / CVC2 / CVV2 / CID | No | N/A | N/A

PIN / PIN Block | No | N/A | N/A

(1) These data elements must be protected if stored in conjunction with the PAN. This protection must be per PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

(2) Sensitive authentication data must not be stored after authorization (even if encrypted).

(3) Full track data from the magnetic stripe, magnetic image on the chip, or elsewhere.
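Applying the storage table above to a transaction record, as an added example that is not part of the original slides: it drops sensitive authentication data, renders the PAN unreadable by truncation and by a keyed one-way hash (HMAC-SHA256, a choice the slide does not specify), and includes a Luhn-based scan for PANs that have leaked into free text such as logs. The field names, the sample record and the first-six/last-four truncation convention are assumptions.

```python
"""Added example (not from the slides): apply the cardholder-data storage table
to a constructed transaction record before it is written to storage.
Field names and the first-six/last-four truncation convention are assumptions."""
import hashlib
import hmac
import re

# Elements from the table, keyed by the (assumed) field names used in the record.
CARDHOLDER_DATA = {"pan", "cardholder_name", "service_code", "expiration_date"}
# Sensitive authentication data: storage not permitted after authorization, encrypted or not.
SENSITIVE_AUTH_DATA = {"full_track", "cvv2", "pin_block"}

# 13-19 digit runs, optionally separated by spaces or hyphens, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: separates a PAN-shaped number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Req. 3.4 'truncation': keep the first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Req. 3.4 'one-way hash' variant: keyed HMAC-SHA256 of the PAN, usable as a lookup
    index. An unkeyed hash of a 16-digit number is cheap to brute-force, so the key
    must be managed like an encryption key."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Apply the table row by row: drop SAD, render the PAN unreadable, keep the other
    cardholder-data elements (footnote 1: still protected, since stored with the PAN)."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            continue  # Storage Permitted: No
        if field == "pan":
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_token"] = pan_token(value, key)
        else:
            stored[field] = value  # cardholder data and non-card fields pass through
    return stored


def find_pan_candidates(text: str) -> list:
    """Discovery check for logs or files: return the Luhn-valid 13-19 digit runs,
    which is how unintended PAN storage (e.g. a debug log) gets spotted."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample: 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Cardholder",
    "service_code": "201",
    "expiration_date": "12/11",
    "cvv2": "123",
    "full_track": "%B4111111111111111^CARDHOLDER/A^1112201?",
    "amount": "19.99",
}
SAMPLE_KEY = b"demo-key-replace-with-a-managed-secret"  # placeholder, not a real key

if __name__ == "__main__":
    for k, v in sanitize_for_storage(SAMPLE_RECORD, SAMPLE_KEY).items():
        print(f"{k}: {v}")
    # Constructed log line of the kind that should never carry a PAN.
    print(find_pan_candidates("2009-10-28 auth ok order=1002 card=4111-1111-1111-1111"))
```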

Page 63

3 PCI Security Standards …

www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf

Page 64

3 PCI Security Standards … (1 of 3)

PED – PIN Entry Devices

Set of requirements and guidelines for vendors’ PIN Entry Devices to ensure the security and confidentiality of payment card data.

Devices: POS – Point of Sale; EPP – Encrypting PIN Pad; AFD – Automated Fuel Dispensers

Page 65

3 PCI Security Standards … (2 of 3)

PA-DSS – Payment Application Data Security Standard

“… help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.”

Software

Payment – Back Office, Middleware, Switching

POS – Face to Face, Kiosk

Shopping Cart / Store Front

Page 66

3 PCI Security Standards (3 of 3)

PCI DSS – Payment Card Industry Data Security Standard

“… a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.”

Acceptance of Payment Card data – Process, Transmit, Store

Merchants – Sell Goods or Services

Service Providers – Process, Transmit, Store Payment Card Data on Behalf of Another Organization

Page 67

Who Needs To Comply?

If you handle payment card information

Process (Accept)

Transmit

Store

Payment Card Transactions

Internet

POS (Point of Sale)

Phone

Mail

Paper (In Person)

Page 68

Structure

Brands

MasterCard, Visa, Amex, Discover, JCB

Acquiring Banks

Merchants

Service Providers

PCI Council

Page 69

Levels

Merchant Levels

Determined by the Brand

Determines the Method of Compliance

Determines the Frequency of Compliance

If a Security Breach Occurs You Are Automatically a Level 1

Service Provider Levels

Generally a Level 1

Exceptions for lower volume providers

Page 70

Merchant Level 1

For each brand: Criteria; Onsite Review (notes 1, 3); Self-Assessment (note 3); Network Security Scan (notes 2, 3). Notes 1 to 3 are on the Merchant Level 4 slide.

American Express – Level 1
Criteria: 2.5 million American Express Card transactions or more per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1
Onsite Review: Required annually
Self-Assessment: Not required
Network Security Scan: Required quarterly

Discover – Level 1
Criteria: Merchants processing over 6 million Discover Network card transactions annually; any merchant Discover Network determines to be a Level 1; merchants required by another payment brand to validate and report as a Level 1
Onsite Review: Required annually
Self-Assessment: Not required
Network Security Scan: Required quarterly

JCB – Level 1
Criteria: Merchants processing over 1 million JCB transactions annually; compromised merchants
Onsite Review: Required annually
Self-Assessment: Not required
Network Security Scan: Required quarterly

MasterCard – Level 1
Criteria: Any merchant, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually; any merchant that experienced a compromise of payment card data; any merchant meeting the Level 1 criteria of a competing payment brand; any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements
Onsite Review: Required annually
Self-Assessment: Not required
Network Security Scan: Required quarterly

Visa – Level 1
Criteria: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; any merchant that experienced a compromise of payment card data; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system
Onsite Review: Required annually, with Attestation of Compliance form
Self-Assessment: Not required
Network Security Scan: Required quarterly

Page 71

Merchant Level 2

For each brand: Criteria; Onsite Review (notes 1, 3); Self-Assessment (note 3); Network Security Scan (notes 2, 3)

American Express – Level 2
Criteria: 50,000 to 2.5 million American Express Card transactions per year
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

Discover – Level 2
Criteria: Merchants processing 1 million to 6 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 2 merchant
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

JCB – Level 2
Criteria: Less than 1 million JCB transactions annually
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

MasterCard – Level 2
Criteria: All merchants with more than one million total MasterCard transactions but less than six million total transactions annually; all merchants meeting the Level 2 criteria of a competing payment brand
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

Visa – Level 2
Criteria: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year
Onsite Review: Not required
Self-Assessment: Required annually, with Attestation of Compliance form
Network Security Scan: Required quarterly

Page 72

Merchant Level 3

For each brand: Criteria; Onsite Review (notes 1, 3); Self-Assessment (note 3); Network Security Scan (notes 2, 3)

American Express – Level 3
Criteria: Less than 50,000 American Express Card transactions per year
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

Discover – Level 3
Criteria: Merchants processing 20,000 to 1 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 3 merchant
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

JCB – Level 3
Not applicable (JCB defines no Level 3)

MasterCard – Level 3
Criteria: All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions; all merchants meeting the Level 3 criteria of a competing payment brand
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

Visa – Level 3
Criteria: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year
Onsite Review: Not required
Self-Assessment: Required annually
Network Security Scan: Required quarterly

Page 73

Merchant Level 4 (note 3)

For each brand: Criteria; Onsite Review (notes 1, 3); Self-Assessment (note 3); Network Security Scan (notes 2, 3)

American Express – Level 4
Not applicable (American Express defines no Level 4)

Discover – Level 4
Criteria: All other Discover Network merchants
Onsite Review: Not required
Self-Assessment: Recommended annually
Network Security Scan: Recommended quarterly

JCB – Level 4
Not applicable (JCB defines no Level 4)

MasterCard – Level 4
Criteria: All other merchants
Onsite Review: Not required
Self-Assessment: Recommended annually
Network Security Scan: Recommended quarterly

Visa – Level 4
Criteria: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year
Onsite Review: Not required
Self-Assessment: Recommended annually
Network Security Scan: Recommended quarterly

Notes (apply to the Level 1 through Level 4 slides)

1 For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a QSA – Qualified Security Assessor.

2 To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an ASV – Approved Scanning Vendor.

3 Level 4 merchants are required to comply with the PCI Data Security Standard. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.

Page 74

PCI Validation Change

MasterCard – Requiring a ROC by a QSA for Level 2 Merchants

http://treasuryinstitute.org/blog/index.php?itemid=260

Page 75

PCI Compliance Process

Page 76

PCI DSS v 1.2 Confidential Information

Page 77

PCI DSS v 1.2 (6 Areas, 12 Requirements)

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect Stored Data (Electronic)

4. Encrypt transmission of cardholder and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and Maintain Secure Systems and Applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Page 78

PCI DSS Requirements

The Numbers

6 Areas

12 High Level Requirements

62 Detail Level Requirements

Numerous Sub Requirements

Page 79

PCI DSS – Build and Maintain a Secure Network

1. Install and maintain a firewall configuration

2. Do not use vendor-supplied defaults for system passwords and other security parameters

1.1 - Establish firewall and router configuration standards

1.2 - Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.

Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

1.3 - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.4 - Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

Page 80

PCI DSS – Build and Maintain a Secure Network

2.1 - Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).

2.2 - Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

2.3 - Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

2.4 - Shared hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in “Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.”

Page 81

PCI DSS – Protect Cardholder Data

3. Protect Stored Data (Electronic)

4. Encrypt transmission of cardholder and sensitive information across public networks

3.1 - Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 - Do not store sensitive authentication data after authorization (even if encrypted).

3.3 - Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

3.4 - Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs)

Page 82

PCI DSS – Protect Cardholder Data

3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.

3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.

4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

4.2 - Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).
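Requirements 3.3, 3.4 and 4.2 all come down to the same practical question: can you find a PAN where it should not be (a debug log, an outbound e-mail) and reduce it to the first six and last four digits? The Python below is an added example written for this page, not code from the presentation or from the PCI SSC. It runs a Luhn-validated PAN finder and masker over constructed sample log and mail lines. The 13 to 19 digit range, the single-space-or-dash separator rule and the sample lines are assumptions of this example, not PCI DSS definitions.

```python
"""Added example for PCI DSS Req. 3.3, 3.4 and 4.2: locate Luhn-valid PANs in
free text (log lines, e-mail bodies) and reduce them to first six / last four."""
import re
from typing import List

# Assumption of this example: a PAN is 13 to 19 digits, optionally broken up by
# single spaces or dashes. Tune this to the formats your own systems emit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit; rejects most phone numbers, order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: never display more than the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """All Luhn-valid candidates in text, returned as bare digit strings."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; other digit runs are untouched."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample lines for this example. The card numbers are the well-known
# brand test numbers, not real accounts; the second one has a bad check digit.
SAMPLE = [
    "2009-10-28 09:14:02 pos01 auth ok pan=4111111111111111 amt=19.99",
    "2009-10-28 09:15:40 pos01 auth ok pan=4111 1111 1111 1112 amt=5.00",
    "Hi, please charge 3782 822463 10005 and call me on 617-555-0100",
]


def scan(lines: List[str]) -> List[int]:
    """Indexes of lines carrying at least one PAN: what a log review (Req. 3.4
    covers PANs in logs) or an outbound mail check (Req. 4.2) would alert on."""
    return [i for i, line in enumerate(lines) if find_pans(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE):
        print("line %d: %s" % (i, redact(SAMPLE[i])))
```

The Luhn check is what keeps the scanner quiet on timestamps and phone numbers; the pattern itself is only a first pass. A digit run glued to a PAN by a missing separator can hide it from this regular expression, so tune the separator rule to your own log format and test it against real (masked) samples before relying on it.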

Page 83

PCI DSS – Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and Maintain Secure Systems and Applications

5.1 - Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

5.2 - Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

6.1 - Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

6.2 - Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.

Page 84

PCI DSS – Maintain a Vulnerability Management Program

6.3 - Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices and incorporate information security throughout the software development life cycle.

6.4 - Follow change control procedures for all changes to system components.

6.5 - Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.
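Requirement 6.5 asks for prevention of the common coding vulnerabilities, and injection is the one an assessor will look for first in anything that queries a cardholder table. The following is an added example, not code from the presentation or from any payment application: one lookup written the vulnerable way and the hardened way, run against a constructed in-memory SQLite table, plus the allowlist pattern for the one thing bind parameters cannot protect (identifiers). The table, rows and the set of sortable columns are assumptions of this example.

```python
"""Added example for PCI DSS Req. 6.5: one lookup written the vulnerable way and
the hardened way, exercised against an in-memory SQLite table."""
import sqlite3
from typing import List, Tuple

# Constructed sample data for this example. The PAN column already holds the
# Req. 3.3 masked form, so nothing here is live cardholder data.
ROWS = [
    (1, "alice", "411111******1111"),
    (2, "bob",   "550000******0004"),
    (3, "carol", "378282*****0005"),
]

ALLOWED_SORT = {"id", "customer"}   # assumption: the only columns a caller may sort on


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER, customer TEXT, pan_masked TEXT)")
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", ROWS)
    return con


def orders_vulnerable(con: sqlite3.Connection, customer: str) -> List[Tuple]:
    """String concatenation: the caller's value becomes part of the SQL grammar,
    so a single quote in it rewrites the WHERE clause."""
    sql = "SELECT id, customer, pan_masked FROM orders WHERE customer = '" + customer + "'"
    return con.execute(sql).fetchall()


def orders_hardened(con: sqlite3.Connection, customer: str) -> List[Tuple]:
    """Parameterised query: the value is bound as data after the statement is
    parsed, so it can only ever be compared, never executed."""
    sql = "SELECT id, customer, pan_masked FROM orders WHERE customer = ?"
    return con.execute(sql, (customer,)).fetchall()


def orders_sorted(con: sqlite3.Connection, column: str) -> List[Tuple]:
    """Bind parameters cannot carry identifiers (column or table names), so those
    go through an allowlist instead of into the string."""
    if column not in ALLOWED_SORT:
        raise ValueError("unexpected sort column: %r" % column)
    return con.execute("SELECT id, customer FROM orders ORDER BY " + column).fetchall()


PAYLOAD = "x' OR '1'='1"   # classic tautology injection


def demo() -> Tuple[int, int]:
    """Rows returned for the injection payload: (vulnerable, hardened)."""
    con = open_db()
    return len(orders_vulnerable(con, PAYLOAD)), len(orders_hardened(con, PAYLOAD))


if __name__ == "__main__":
    print("rows leaked by the vulnerable query: %d, by the hardened one: %d" % demo())
```

The vulnerable function returns every row for the payload; the hardened one returns none, because the payload is compared as a literal customer name. The same contrast holds for any database driver that supports bind parameters, which is why 6.5 reviews should flag string-built SQL regardless of how the input was "validated" upstream.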

Page 85

PCI DSS – Maintain a Vulnerability Management Program

6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks, by either of the following methods:

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

OR

Installing a web-application firewall in front of public-facing web applications

Page 86

PCI DSS – Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign unique ID to each person with computer access

9. Restrict physical access to cardholder data

7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.2 - Establish a mechanism for system components with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed.

8.1 - Assign all users a unique ID before allowing them to access system components or cardholder data.

Page 87

PCI DSS – Implement Strong Access Control Measures

8.2 - In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

Password or passphrase

Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)

8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

Page 88

PCI DSS – Implement Strong Access Control Measures

8.4 - Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms).
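Requirement 8.4 is routinely misread as "hash the password"; what an assessor wants to see is a salted, iterated hash and a comparison that does not leak timing. The Python below is an added example for this page, not code from the presentation or from any product, and uses only the standard library. The iteration count is an assumption sized for the demo; the unsalted variant is included only to show what the requirement rules out.

```python
"""Added example for PCI DSS Req. 8.4: store passwords only as salted, iterated
hashes and compare them in constant time. The weak variant is shown for contrast."""
import base64
import hashlib
import hmac
import os

# Assumption of this example: a work factor sized for this demo. Measure on your
# own hardware and raise it as far as login latency allows.
ITERATIONS = 200_000


def weak_store(password: str) -> str:
    """What not to do: unsalted, single-round hash. Identical passwords produce
    identical records, and a leaked table falls to precomputed tables in seconds."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per password; the record is
    self-describing so the parameters can change later without a migration."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare without
    revealing where the first differing byte is."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current work factor; call it after a
    successful login and re-store the password with hash_password()."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
```

Two records for the same password differ because the salt differs, which is exactly the property weak_store() lacks. needs_rehash() is the piece that lets you raise the work factor years later without a forced password reset: upgrade each record the next time its owner logs in successfully.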

8.5 - Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

9.1 - Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.2 - Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.

Page 89

PCI DSS – Implement Strong Access Control Measures

9.3 - Make sure all visitors are handled as follows:

Authorized before entering areas where cardholder data is processed or maintained.

Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.

Asked to surrender the physical token before leaving the facility or at the date of expiration.

9.4 - Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

Page 90

PCI DSS – Implement Strong Access Control Measures

9.5 - Store media backups in a secure location, preferably in an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.

9.6 - Physically secure all paper and electronic media that contain cardholder data.

9.7 - Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.

9.8 - Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).

Page 91

PCI DSS – Implement Strong Access Control Measures

9.9 - Maintain strict control over the storage and accessibility of media that contains cardholder data.

9.10 - Destroy media containing cardholder data when it is no longer needed for business or legal reasons.

Page 92

PCI DSS – Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes

10.1 - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

10.2 - Implement automated audit trails for all system components to reconstruct the following events:

All individual user accesses to cardholder data

All actions taken by any individual with root or administrative privileges

Access to all audit trails

Invalid logical access attempts

Use of identification and authentication mechanisms

Initialization of the audit logs

Creation and deletion of system-level objects

Page 93

PCI DSS – Regularly Monitor and Test Networks

10.3 - Record at least the following audit trail entries for all system components for each event:

User identification

Type of event

Date and time

Success or failure indication

Origination of event

Identity or name of affected data, system component, or resource

10.4 - Synchronize all critical system clocks and times.

10.5 - Secure audit trails so they cannot be altered.

Page 94

PCI DSS – Regularly Monitor and Test Networks

10.6 - Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.

10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
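Requirements 10.2 through 10.6 describe the record, its protection and its review, and they are easier to assess once you see all three in one place. The Python below is an added example, not code from the presentation or from any logging product. Each record carries the six 10.3 fields; records are hash-chained so that editing or deleting one is detectable, which is one way to meet 10.5 (a write-once or off-host log server is the more common one); and a small review pass flags repeated failed logins and every root action, the kind of check 10.6 expects to run daily. The events, origins and the failed-login threshold are constructed assumptions of this example.

```python
"""Added example for PCI DSS Req. 10.2, 10.3, 10.5 and 10.6: audit records with the
required fields, hash-chained against tampering, and a minimal daily review."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

GENESIS = "0" * 64   # "previous hash" carried by the first record in a log


def _digest(record: Dict) -> str:
    """SHA-256 over every field except the record's own hash, in canonical JSON order."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict], user: str, event: str, outcome: str,
                 origin: str, target: str) -> Dict:
    """Req. 10.3 minimum per event: who, what, when, success/failure, where from,
    what was affected. Req. 10.5: each record commits to the one before it."""
    record = {
        "user": user,
        "event": event,
        "time": datetime.now(timezone.utc).isoformat(),
        "outcome": outcome,           # "success" or "failure"
        "origin": origin,             # source address or terminal ID
        "target": target,             # affected data, component or resource
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify_chain(log: List[Dict]) -> int:
    """-1 if intact; otherwise the index of the first record that was altered or
    that follows a deleted one."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or _digest(rec) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def review(log: List[Dict], failed_login_threshold: int = 3) -> List[str]:
    """Req. 10.6: a minimal daily review. Flags repeated invalid access attempts per
    origin (10.2 "invalid logical access attempts") and every action taken as root."""
    failures: Dict[str, int] = {}
    findings = []
    for rec in log:
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["origin"]] = failures.get(rec["origin"], 0) + 1
        if rec["user"] == "root" and rec["event"] != "login":
            findings.append("root action from %s: %s on %s"
                            % (rec["origin"], rec["event"], rec["target"]))
    for origin, n in sorted(failures.items()):
        if n >= failed_login_threshold:
            findings.append("%d failed logins from %s" % (n, origin))
    return findings


def demo() -> Tuple[int, List[str], int]:
    """Constructed day of activity: (chain check before tampering, review findings,
    chain check after an attacker rewrites one record)."""
    log: List[Dict] = []
    for _ in range(3):
        append_entry(log, "alice", "login", "failure", "10.0.0.5", "pos-db")
    append_entry(log, "alice", "login", "success", "10.0.0.5", "pos-db")
    append_entry(log, "root", "export", "success", "10.0.0.9", "orders.pan_masked")
    intact = verify_chain(log)
    findings = review(log)
    log[1]["outcome"] = "success"      # the tampering: one failed login "never happened"
    return intact, findings, verify_chain(log)


if __name__ == "__main__":
    before, findings, after = demo()
    print("chain before tampering:", before, "after:", after)
    for f in findings:
        print("finding:", f)
```

The chain only proves that nothing was changed after it was written; it does not stop a privileged attacker from rewriting the whole file and recomputing every hash. That is why 10.5 is usually met by shipping records to a separate log host as they are produced, and why the last hash of each day belongs somewhere the production hosts cannot write.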

Page 95

PCI DSS – Regularly Monitor and Test Networks

11.1 - Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.

11.2 - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.

Page 96

PCI DSS – Regularly Monitor and Test Networks

11.3 - Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:

Network-layer penetration tests

Application-layer penetration tests

11.4 - Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.

Page 97

PCI DSS – Regularly Monitor and Test Networks

11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.

Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
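Requirement 11.5 and its note describe the whole job of a file-integrity monitor: baseline the critical files, compare on a schedule, and have a person judge the deviations. The Python below is an added example written for this page, not code from the presentation or from any FIM product. It records digest, size and permission bits for every file under a directory, classifies what changed, and seals the baseline with an HMAC, because an attacker who can edit a configuration file can usually edit an unsigned baseline too. The directory layout, file names and key are constructed for the demo.

```python
"""Added example for PCI DSS Req. 11.5: baseline the critical files, compare
later, classify every deviation, and protect the baseline itself."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of the file content, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, Dict]:
    """Digest, size and permission bits of every regular file under root.
    Mode is included because a chmod to world-writable is a change worth seeing."""
    snap: Dict[str, Dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return snap


def compare(old: Dict[str, Dict], new: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Every deviation, sorted; deciding which ones were authorised is the reviewer's job."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def seal(snap: Dict[str, Dict], key: bytes) -> str:
    """HMAC over the canonical baseline. Keep the key off the monitored host."""
    canonical = json.dumps(snap, sort_keys=True).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_seal(snap: Dict[str, Dict], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(snap, key), tag)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a config is weakened, a script appears, a config disappears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "pos.conf").write_text("db_host=10.0.0.9\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        before = baseline(root)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "dropper.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "pos.conf").unlink()
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

Run on a weekly schedule against the operating system's own critical files plus whatever the entity defines for its payment application, as the 11.5 note requires. The comparison deliberately reports everything: an authorised patch shows up as "modified" just like a backdoor, and the tie-in to the change-control records of Requirement 6.4 is what separates the two.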

Page 98

PCI DSS – Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

12.1 - Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

Addresses all PCI DSS requirements.

Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.

Includes a review at least once a year and updates when the environment changes.

12.2 - Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

Page 99

PCI DSS – Maintain an Information Security Policy

12.3 - Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.

12.4 - Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.

Page 100

PCI DSS – Maintain an Information Security Policy

12.5 - Assign to an individual or team the following information security management responsibilities:

Establish, document, and distribute security policies and procedures.

Monitor and analyze security alerts and information, and distribute to appropriate personnel.

Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

Administer user accounts, including additions, deletions, and modifications.

Monitor and control all access to data.

Page 101

PCI DSS – Maintain an Information Security Policy

12.6 - Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.

Educate employees upon hire and at least annually.

Require employees to acknowledge at least annually that they have read and understood the company’s security policy and procedures.

12.7 - Screen potential employees (see definition of “employees” at 9.2 above) prior to hire to minimize the risk of attacks from internal sources.

For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

Page 102

PCI DSS – Maintain an Information Security Policy

12.8 - If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

Maintain a list of service providers

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess

Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement

Maintain a program to monitor service providers’ PCI DSS compliance status

12.9 - Implement an incident response plan. Be prepared to respond immediately to a system breach.

Page 103

PCI DSS v 1.2 (6 Areas, 12 Requirements)

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect Stored Data (Electronic)

4. Encrypt transmission of cardholder and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and Maintain Secure Systems and Applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Page 104

QSA Audit Process

QSA - Qualified Security Assessor

SAQ - Self Assessment Questionnaire

ROC - Report On Compliance

Page 105

External ASV Scanning Process

ASV - Approved Scanning Vendor

Page 106

Scoring Results

Pass or Fail

Page 107

Areas to Assess

Business Process – Flow of Payment Card Data

Wireless, Email, Encryption

Third Party Applications Run In-House

Proprietary Applications

Network Segmentation

Third Parties / Outsourcing

Compensating Controls

Documentation, Documentation, Documentation

Page 108

Common Weaknesses …

Firewall and Router Configuration Documentation

Change Management Policy and Procedures

Firewalls and Routers

In General

Information Security Program

Lack of Annual Overall IT Risk Assessment and Remediation

Page 109

Common Weaknesses …

Lack of Quarterly External Vulnerability Scan with an ASV

Patches

Upgrades

Lack of Quarterly Internal Vulnerability Scan

Open Ports

Unnecessary Services

Lack of Penetration Tests for Networks and Applications

Page 110

Common Weaknesses …

No DMZ (Demilitarized Zone) for Web Applications Processing Payment Card Data

Page 111

Common Weaknesses

Encryption of Cardholder Data

In Storage (PCI DSS 3.4)

During Transmission

Encryption Key Management

PCI DSS Section 6 - Biggest Change in PCI DSS 1.2

Application Firewall

Thorough Application Testing

Hackers are focusing more on Applications

Lack of Documentation

Page 112

Penalties

Fines of up to $25,000 per month for Level 1 and Level 2 Merchants

Increased Transaction Fees

Possible Revocation of Privilege to Accept Payment Cards

In the Case of A Security Breach

Responsible for full scale forensic investigation and remediation costs

Must obtain PCI DSS Level 1 Compliance to continue accepting payment cards

Possible Cost of Reissuing Cards incurred by Banks, Credit Unions, etc…

Lack of consumer trust due to confidential data disclosures, harming the organization’s reputation and brand

Page 113

PCI DSS Summary

PCI Council is put together by the Brands (Visa, MC, AMEX, Discover, JCB)

PCI Council Determines the Standards

Global Standard

Acquiring Banks enforce the standard

Determine Levels and Reporting Requirements

2 Parts to the PCI DSS

Audit: Full Audit by a QSA (Qualified Security Assessor) or SAQ (Self Assessment Questionnaire)

External Scan By an ASV (Approved Scanning Vendor)

PASS or FAIL

Page 114

The Challenge

Page 115

The Challenge - Sustainability

Diagram (recovered labels): Prepare For Audit; Test And Remediate; Sustain Compliance; Improve

The Wall: Compliance; Governance; Performance Management

Address Compliance and Create Sustainability

Page 116

IT Integrated Framework Solution - LEVERAGE

Integrated Governance Framework

Diagram (recovered labels): regulations and standards (NAIC, State Privacy, GLBA, ID Theft Red Flags, HIPAA, NIST, PCI DSS), each with Requirement 1, Requirement 2, Requirement 3 ... Requirement n; control frameworks ISO 27002, CobiT® 4.1 and ITIL providing Control Solution 1 ... Control Solution n

Map Regulatory and Standard Requirements to IT Controls

IT Controls Address Multiple Requirements

Page 117

AICPA - American Institute of Certified Public Accountants

Page 118

AICPA - Generally Accepted Privacy Principles (GAPP)

Principle 1: Management

This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.

Principle 2: Notice

This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed.

Principle 3: Choice and Consent

This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Page 119

AICPA - Generally Accepted Privacy Principles (GAPP)

Principle 4: Collection

This principle requires that the entity collect personal information only for the purposes identified in the notice.

Principle 5: Use and Retention

This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.

Principle 6: Access

This principle requires that the entity provide individuals with access to their personal information for review and update.

Page 120

AICPA - Generally Accepted Privacy Principles (GAPP)

Principle 7: Disclosure to Third Parties

This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.

Principle 8: Security for Privacy

This principle requires that the entity protect personal information against unauthorized access (both physical and logical).

Principle 9: Quality

This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.

Principle 10: Monitoring and Enforcement

This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

Page 121

Case Study Review

Page 122

Network Solutions (Herndon, VA)

July 24, 2009

• 573,000 records

• Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months.

• Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services (a package that includes everything from Web hosting to payment processing) to at least 4,343 customers, mostly mom-and-pop online stores.

• The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.

Page 123

American Express (New York, NY)

August 14, 2009

• Unknown number of records

• Some American Express card members' accounts may have been compromised by an employee's recent theft of data.

• The former employee has been arrested and the company is investigating how the data was obtained.

• American Express declined to disclose any more details about the incident.

• The company has put additional fraud monitoring and protection controls on the accounts at issue.

Page 124

Individual Business Owner

October 18, 2009

• Phishing Email Sent to intercept email

From: [email protected] [mailto:[email protected]]

Sent: Monday, October 19, 2009 12:58 PM

To: [email protected]

Subject: The settings for the [email protected] mailbox were changed

Dear user of the dddd.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox ([email protected]) settings were changed. In order to apply the new set of settings click on the following link:

<http://dddd.com.vvverfq.co.uk/owa/service_directory/[email protected]&from=dddd.com&fromname=xxxxxxxx.xxxxx> http://dddd.com/owa/service_directory/[email protected]&from=dddd.com&fromname=xxxxxxxx.xxxxx

Best regards, dddd.com Technical Support.

Page 125

University of California Berkeley School of Journalism (Berkeley, CA)

May 7, 2009

• 493 records

• Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server.

• The server contained much of the same material visible on the public face of the Web site.

• However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.

Page 126

Johns Hopkins (Baltimore, MD)

May 12, 2009

• 10,000 Records Compromised

• An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia.

• The employee had access to information such as name, address, telephone number, mother's and father's names, dates of birth and Social Security numbers, but not to any health or medical information.

Page 127

Maine Office of Information Technology

June 4, 2009

• Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person.

• "We received a print job and were running it, and there was an equipment malfunction," Thompson said.

• "In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up."

• Recipients received one page with their own information and another page with information belonging to a different person.

Page 128

Quick Privacy Evaluation

Page 129

Privacy Evaluation Handout

Are the Businesses You Frequent or Work for Exposing You to an Identity Thief?

Assign 1 point for each NO answer.

Each item illustrates what businesses can do to prevent identity theft. If they are not, it may be time for you to speak up.

If you weren't sure of some of the answers, perhaps you should be asking more questions at work and where you do business.

It's your responsibility to be an ID-theft-aware consumer as well.

The Higher the Score the More Risk

www.onguardonline.gov/games/overview.aspx

Page 130

Next Steps …

Assess

Prioritize

Classify

Training

Monitor

Page 131

Next Steps …

1. Privacy Assessment / Audit

The first step is to assess the organization

Use Frameworks such as CoBiT, ISO, ITIL

Review Policies

Interview Staff

Walkthroughs / Observation

Understand the organization and types of Data in the Organization

Page 132

Next Steps …

2. Prioritize Gaps

Prioritize highest risks to be remediated

Remediate issues

Create/update policies and procedures

Implement solutions to mitigate risks

Page 133

Next Steps …

3. Data Classification

The data in the organization must be classified

Public to Private

As The Privacy requirements increase so do the Security requirements

Classify all types of data in the organization

Page 134

Next Steps …

4. Perform Privacy Training

Create/Acquire Privacy Training for organization

Integrate Training with Company Policies

Consider Training options

– Onsite

– Online

– Mix of Both

Train the entire Staff – On-Going

Page 135

Next Steps …

5. Monitor

Monitor all facets of the program

Evaluate new threats and changes to IT and Business

Update policies, procedures & training

Continue to improve ongoing

Page 136

Summary - Be Smart

$$ Educate – (free webinars)

$$ Implement a repeatable process / framework

$$ Perform a Risk Assessment – Not just A Gap Analysis

$$ Common Policies and Procedures that comply with PCI DSS, GLBA, FERPA, HIPAA, State Privacy, etc…

Page 137

Summary - Be Smart

$$ Regular External and Internal Vulnerability Scans (reduced pricing for extended years)

$$ Leverage Outsourcing (Co-ops etc…)

$$ Identify what you can do

$$ Ask yourself:

“Do we really need to store this information?”, and

“Who really needs this access?”

Page 138

Research Sources

• Federal Trade Commission www.ftc.gov

• The Federal Financial Institutions Examination Council (FFIEC) www.ffiec.gov

• The AICPA's Information Technology Center http://www.aicpa.org

• ISACA www.isaca.org

• Maine Legislature www.maine.gov

• Identity Theft Resource Site www.IDtheft.gov

• Privacy Rights Organization www.privacyrights.org

Page 139

Questions?

Bill Franklin

Lighthouse IT Compliance

[email protected]

Thank You!