9/18/2015
Risks and Rewards for PCI DSS 3.1 Compliance
What Risks Exist If I Don't Become Compliant? What Do I Gain by Being Compliant?
What Is PCI DSS?
PCI DSS is an acronym for Payment Card Industry (PCI) Data Security Standard (DSS)
Started in 2002 with VISA CISP Program for protection of the Cardholder Data (CHD) and the Cardholder Data Environment (CDE)
Grew over the years to PCI DSS version 3.1 as of this presentation
Represents only the five card brands below
VISA (International and VISA Europe)
MasterCard
Discover
American Express
JCB
PCI covers logical data and physical data in all forms and formats
QUIZ – True (T) or False (F)
1. I am a Level 3 Merchant, so I do not need to be PCI compliant. T F
2. I report on a SAQ and do not need to be compliant with all of the requirements. T F
3. My POS devices are fully managed by a Service Provider, so I do not need to worry about them as I contracted this risk to them. T F
4. I use Authorize.Net and PayPal for credit card processing, so I do not have to be PCI compliant. T F
5. I am permitted to store the security code for my customers as they have monthly recurring charges. T F
6. I segmented my CDE from all other networks by use of a firewall that all devices must pass through, so this CDE is the only segment in scope for PCI. T F
Quiz Answers and PCI Facts
If you answered True for any of the six quiz questions you are incorrect; all six are false statements
Your company obligated itself to maintain PCI compliance by the contract under which it accepts credit cards
Proof of PCI DSS compliance is an annual requirement and the evidence must be gathered in that twelve-month period: new evidence each year
You cannot outsource your PCI compliance if any part of the data flows through your systems, and you remain responsible for validating that your Service Providers are compliant
If you only have historic paper PCI data you must still be PCI compliant
If you file with a SAQ, the instructions explicitly state that you are required to be compliant with 100% of the requirements applicable to your merchant activities
Segmentation reduces scope, but the firewall that enforces it, and any system that connects to or can affect the security of the CDE, remains in scope
What Does PCI Cover?
PCI DSS covers
People – All people that can or do interact with the CHD and/or the CDE
Process – All Processes that touch or impact the CHD
Technology – All Technologies that are used to Secure, Administer, Manage, or Touch the CDE and CHD
What Are the Six Goals and Twelve Requirements?
PCI DSS 3.1 Has Future-Dated Requirements
The reason for a future date is to allow you time to meet these requirements
Depending on the breaches that occur, these future-dated requirements could be moved to an earlier date
Example: the liability shift for POS devices to be EMV compliant. This date was originally set to 30 June 2016 but was moved to 01 October 2015. (Note that the EMV liability shift is a card-brand program rule enforced through your merchant agreement, not a PCI DSS requirement; PCI DSS itself does not mandate EMV.)
Yes, the card brands can do this, and you are obligated by your contract to accept credit cards from one of the five PCI card brands
What Are These “Future Date” Requirements for PCI DSS?
How Many Total PCI DSS Requirements Exist?
The reporting template for PCI DSS 3.0 has approximately 2,800 line-by-line testing requirements covering Requirement 1 through Appendix A inclusive.
The report also has an Executive Summary section that requires additional data, including but not limited to:
Network diagrams
Data flows
List of in-scope LANs or VLANs
List of out-of-scope LANs or VLANs
List of hardware
List of software
Testing for Primary Account Numbers (PAN) in plain text
Incident response plan, tested completely at least annually
Quarterly vulnerability scanning, scheduled against your filing date
EMV Compliant POS Devices
Having EMV compliant POS devices does not remove your company from being 100% compliant with ALL applicable requirements
Applicability to you means that the requirements that map to your activity with or on cardholder data are in scope for you
Applicability also means that if you use Service Providers you carry responsibility for their actions on your behalf
What Is PCI Cardholder Data (CHD)?
Cardholder Data (CHD) is the full Primary Account Number (PAN), plus the cardholder name, expiration date and service code when they are stored with the PAN
Sensitive Authentication Data (SAD) is full track data (Track 1, 2 and 3), the card verification code (CVV2, CVC2, CID) and PINs or PIN blocks
Both CHD and SAD are in scope; the difference is that PAN may be stored if protected, while SAD may never be stored after authorization
Where Can CHD Exist in Your Systems?
On Workstations
In Databases
On File Shares
On Backup Tapes
In Paper Reports and Spreadsheets
In Email
In Contract and Similar Records
In Written Notes in files stored in the Office and Off-Site
Other Locations you can identify
What if the CHD Is Old?
Age does not matter: if it is PAN you are required to protect it, and if it is SAD you are required to remove it
Old data is generally found in older DR tapes and backups
In older emails
On local drives
On receipts in historic stored records
On hotel folios
What Can You Save After Authorization?
Full PAN data, but only if it is rendered unreadable:
Encrypted (strong cryptography with proper key management)
Tokenized
Truncated
Hashed (one-way hash of the entire PAN using strong cryptography)
Note: if hashed and truncated versions of the same PAN are in the same data set they must be protected together, as it is a trivial exercise to reconstruct the PAN from these two data points
Cardholder name and expiration date (must be protected when stored with the PAN)
What Cannot Be Saved After Authorization?
Cannot be saved, even if encrypted:
Full track data
Track 1
Track 2
Track 3
Card security code (CVV2, CVC2, CID or other 3- or 4-digit value); even for recurring charges this CANNOT be saved
PINs and PIN blocks
How Does SAD Get Into Your Data?
SAD comes to you in all forms, including but not limited to:
Your request as part of the transaction, or as part of the swipe or touch
Email
Postal mail (USPS, FedEx, DHL, other)
FAX
Voice
Written down by staff
Electronic messaging including but not limited to SMS, tweets, etc.
How to Reduce SAD
Place blockers on inbound and outbound email to prevent receipt or sending
Train staff not to write SAD down
Ensure your applications securely wipe, or never save, SAD after authorization
Train your customers not to send this data to you
Work with your processor or acquirer to remove the need for this data for non-face-to-face transactions
What if You Have SAD in Your Systems?
This data MUST be removed
Electronic data must be rendered unrecoverable: a secure wipe of the data or media, cryptographic erasure, or physical destruction of the media
PCI DSS requirement 9.8.2 asks for a secure wipe program consistent with industry-accepted standards for secure deletion (for example NIST SP 800-88); the overwrite pass counts often quoted (three in the USA, seven globally) come from older sanitisation conventions and are not set by PCI DSS
What if you cannot wipe? The data must be quarantined and removed from access except for emergencies such as court orders
What if You Have SAD in Your Physical Environment?
Physical copies with this data must be securely destroyed
Shredding with cross-cut shredders
Burning
Using certified third parties for secure destruction
Note: if you use a third party you must observe their destruction process at least annually
You must keep a record of your actions
You MUST have a copy of their certificate of secure destruction
What About PAN Data?
PAN data can be retained, but only in specific formats
Encrypted
Truncated
Tokenized
Hashed
Note: if you have both truncated and hashed values of the same PAN in the same database you have a PCI DSS issue, as this is viewed as a trivial effort to convert to the full PAN
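Why the truncated and hashed forms of the same PAN must not sit together (this slide and the earlier "What Can You Save After Authorization?" note) is shown below as an added Python example, not code from the presentation. It takes a constructed PAN (Visa's published test number), stores it truncated and as an unkeyed SHA-256, and recovers the full PAN by enumerating the six masked digits. It then repeats the attempt against an HMAC computed with a secret key (a constructed random key here) and fails. Later versions of the standard require keyed hashes for exactly this reason; under 3.1 the practical rule is to keep the two forms apart, or key the hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example PAN (Visa's published test number, not a real card).
PAN = "4111111111111111"


def truncate(pan: str) -> str:
    """PCI DSS truncation: first six and last four digits, middle masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def plain_hash(pan: str) -> bytes:
    """Unkeyed SHA-256 of the whole PAN: the weak form of 'hashed' storage."""
    return hashlib.sha256(pan.encode()).digest()


def keyed_hash(pan: str, key: bytes) -> bytes:
    """HMAC-SHA-256 with a secret key held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).digest()


def recover_pan(truncated: str, digest: bytes) -> Optional[str]:
    """What an attacker holding both columns does: enumerate the masked
    middle digits (10**6 candidates for a 16-digit PAN) and compare the
    SHA-256 of each candidate against the stored digest."""
    first6, last4 = truncated[:6], truncated[-4:]
    missing = len(truncated) - 10
    for n in range(10 ** missing):
        candidate = f"{first6}{n:0{missing}d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == digest:
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Return (PAN recovered from truncated + SHA-256,
               PAN recovered from truncated + HMAC).
    The second is None: without the key the attacker cannot compute
    candidate digests, so the two columns no longer combine."""
    truncated = truncate(PAN)
    key = os.urandom(32)   # constructed key; in production it lives in an HSM or KMS
    from_plain = recover_pan(truncated, plain_hash(PAN))
    from_keyed = recover_pan(truncated, keyed_hash(PAN, key))
    return from_plain, from_keyed


if __name__ == "__main__":
    got_plain, got_keyed = demo()
    print("truncated + SHA-256:", got_plain)   # the full PAN
    print("truncated + HMAC   :", got_keyed)   # None
```

The search space is only a million candidates (a hundred thousand once the Luhn check is applied), which is why the standard treats the pair as equivalent to the clear PAN. Note that a per-record salt stored in the same table does not help against this attack, because the attacker has the salt too; only a key the attacker does not hold removes the link.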
Liability Shift - 1 October 2015
The date had originally been set to 30 June 2016
VISA and MasterCard moved it forward to help prevent the losses sustained during the Christmas season in 2014 and prior during high-purchase times for face-to-face transactions
Yes, they know more transactions occur over the internet, but this face-to-face loss is substantial and EMV compliant devices will help stop these losses
The liability shift moves the "fraud costs" of counterfeit cards in card-present transactions from the issuer to the acquirer and the merchant when the merchant's terminal is not EMV capable
What Does Liability Mean to My Business?
Liability Shift
The card brands are pushing the liability to protect your environment and your customers' data to you exclusively
You will be held accountable for your actions or lack thereof
What if I can't afford to make this change?
Contract law: contact the card brands and ask for relief; ensure you have a plan for meeting this
It is unknown whether this will work, and it most likely will not work the closer you get to 1 October 2015
How can the card brands do this? By contract law: look at your contract to accept card data; it covers how you are to follow the requirements set forth at the time of an incident
The Cost of Not Going to EMV Compliant POS Devices by 1 October 2015
The card brands (VISA, MasterCard) have stated that as of 1 October 2015, if the merchant has not implemented EMV POS devices and a breach occurs, the full cost of the breach is carried by the merchant
Some of these costs are
Your individual losses
The processor's losses
The acquirer's losses
The card brands' losses
Forensics costs
Card replacement costs for all that demand or require this
Litigation costs
Fines and penalties
Examples of Cost for Breach
Typical cost for breach response
Forensics: $500.00 USD per hour from the time they are called until they complete and are back home (24x7); generally this is 30 to 90 days of two or more forensics specialists
Card replacement: approximately $15.00 USD per card, and due to recent cases it is replacing all of the cards for the customer, not just the card having the fraud. Customers normally have 3 or more cards. Includes ALL customers, those breached and those that were not but were in your systems.
Examples of Cost for Breach Continued
Litigation costs: open ended and can be applied through the total time permitted by the statute of limitations
Class action suits
John Doe suits
Your cost, card brand cost, processor cost, other cost for outside attorneys and legal specialists; generally in the millions of dollars
Fines and penalties: up to $500,000 USD per occurrence
Occurrences are defined by state laws and can be as small as each card; no enforcement to date of individual cards as a threshold
Generally bundled to specific date ranges but still could result in more than one breach classification
Examples of Cost for Breach Continued
Processor and acquirer losses
Cost of their fines
Cost of legal needs in case of a lawsuit
Cost of the frauds that occurred
Cost of reworking and purging their systems
Potential forensics cost for them as a result of your actions
Examples of Cost for Breach Continued
Litigation costs for ALL affected parties due to your lack of compliance
Note: in the US, litigation runs from day one through the end of the statute of limitations
Class action lawsuits
Representation in each of the areas where a case is filed
This dollar value can exceed all of the other costs
OK, What Else Bad Can Occur?
You can be found outside due-diligence practices, and if this occurs the following may happen
You may be found grossly negligent
This finding can void any cyber insurance
This finding may prohibit the use of any other insurance like executive insurance
You may be individually found at fault
If this occurs your personal wealth is at risk
The company's counsel can only represent one party, the company or you, and I suspect they will represent the company
The business may be forced to close due to bankruptcy caused by the breach
I Now Have EMV Compliant POS Devices
The fact that you have EMV compliant POS devices puts you on the plus side of PCI compliance
Having them does not make you PCI compliant
EMV is not itself a PCI DSS requirement; it is required by the card brands' liability-shift programs. What PCI DSS 3.1 does require is that the POS devices you use are protected and inspected (Requirement 9.9), so an EMV device that is not managed under PCI DSS still leaves you working outside PCI compliance
You are required by the contract allowing you to accept credit cards to be fully (100%) PCI compliant regardless of your level
Merchant Levels
The VISA and MasterCard levels for merchants are (VISA definitions; MasterCard's thresholds differ slightly)
Level 1 - 6,000,000 or more transactions per card brand per year
Level 2 - 1,000,000 to 6,000,000 transactions per card brand per year
Level 3 - 20,000 to 1,000,000 e-commerce transactions per card brand per year
Level 4 - fewer than 20,000 e-commerce transactions, or up to 1,000,000 total transactions, per card brand per year
Service Provider Levels
Service Provider levels per VISA and MasterCard are
Level 1 - over 300,000 transactions per card brand per year
Level 2 - 300,000 or fewer transactions per card brand per year
Levels and Compliance
PLEASE NOTE: regardless of your level you are required to be compliant with ALL (100%) PCI DSS requirements applicable to you
Levels only address the method of reporting compliance and who can report it for you
MasterCard specifically requires all Level 1 and Level 2 merchants to use a QSA firm, or an ISA reporting to Internal Audit, for the reporting, regardless of whether the report is a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ)
I Have EMV Compliant POS Devices, Now What?
Having the compliant devices is step one of a many-step process
PCI DSS 3.0, and now 3.1, has a specific requirement, 9.9, that requires "inspection" of these devices to detect tampering and/or substitution of the device
This is required to ensure the devices you are using are the ones you acquired and that they have not been tampered with
PCI DSS Requirement 9.9
PCI DSS 3.0 Requirement 9.9 requires that all POS devices be "periodically inspected"
For tampering
For substitution
Covers all POS devices, including P2PE, EMV and non-EMV devices
Also requires an up-to-date list of devices (make, model, location, serial number: 9.9.1) and training for the staff who handle them (9.9.3)
Requires you to take some form of action to show compliance, such as the following
Document this inspection as evidence in case an issue arises; unenforced or unvalidated processes are not processes that will stand up in court
"Oops", I Said Court
Yes, all of the PCI DSS compliance activities you do or do not do are designed to show the courts how compliant you were at the time of a breach
You have never had a breach? Are you 100% sure?
A server, room clerk, bartender, room service, amenities (including but not limited to spa, golf, bikes and retail) and housekeeping generally have access to a customer's credit card at one time or another during their stay
Are you certain that none of the above have taken one card for their own use? If they have, this is a breach, and you just were not detected as the breach point
I Am Not Technical; How Can I Inspect a POS Device?
Requirement 9.9 does not require you to be technical
It does require you to protect the POS devices from tampering and/or substitution
To this end you can
Record and check the serial number of the POS devices to be sure you have the one that was installed
Use serialized tamper-evident seals on the seams of the POS device to give an indication of tampering (no seal is truly tamper-proof; the point is that a broken or replaced seal is visible)
Record the seal serial number as part of the inspection
What Should You Do if the POS Shows Signs of Tampering or Substitution?
Actions to take
Stop the use of the device
Notify Security and IT
Gather the inspection records to see when this could have occurred
Unplug the device from the equipment it is attached to
Remove the device from public and general staff access
Report this to the appropriate internal staff member for action
What You Should Not Do
Do not reset the POS to its default settings by use of the reset input from the number pad
Do not reset the POS to its default settings by use of the reset button
Do not allow the POS device to stay in use
How to Inspect?
What to look for when you are "inspecting"
Yes, it is a POS device
Is the serial number the same?
Has it been unplugged?
Has the case been opened?
A key for this inspection is to use a serialized tamper-evident seal to give proof of no tampering or substitution
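The inspection records this slide and the "I Am Not Technical" slide describe (device serial number, seal serial number, seal intact, case opened) can be checked against the 9.9.1 device list automatically, so that a substituted unit or a replaced seal is flagged even when the person doing the walk-round does not notice. The following is an added Python example, not code from the presentation; the inventory, the inspection record and the 30-day interval are constructed (PCI DSS leaves the inspection frequency to the merchant's risk assessment).

```python
from datetime import date

# Constructed 9.9.1 device list: what was installed, with the serial number
# of the unit and of the tamper-evident seal placed on it.
INVENTORY = {
    "FRONT-DESK-1": {"model": "EMV-200", "serial": "SN-10001", "seal": "SEAL-7001"},
    "FRONT-DESK-2": {"model": "EMV-200", "serial": "SN-10002", "seal": "SEAL-7002"},
    "BAR-1":        {"model": "EMV-200", "serial": "SN-10003", "seal": "SEAL-7003"},
    "SPA-1":        {"model": "EMV-200", "serial": "SN-10004", "seal": "SEAL-7004"},
}

# Constructed inspection record as filled in by non-technical staff:
# what they read off the device and the seal, and what they saw.
INSPECTION = {
    "FRONT-DESK-1": {"date": date(2015, 9, 17), "serial": "SN-10001", "seal": "SEAL-7001",
                     "seal_intact": True, "case_opened": False},
    "FRONT-DESK-2": {"date": date(2015, 9, 17), "serial": "SN-20099", "seal": "SEAL-7002",
                     "seal_intact": True, "case_opened": False},    # different unit
    "BAR-1":        {"date": date(2015, 9, 17), "serial": "SN-10003", "seal": "SEAL-9999",
                     "seal_intact": False, "case_opened": True},    # seal replaced, case opened
    # SPA-1 was not inspected this round
    "POOL-1":       {"date": date(2015, 9, 17), "serial": "SN-30000", "seal": "",
                     "seal_intact": False, "case_opened": False},   # never installed by you
}

REPORT_DATE = date(2015, 9, 18)
MAX_AGE_DAYS = 30   # assumed inspection interval; set by your own risk assessment


def check_inspection(inventory, record, today, max_age_days=MAX_AGE_DAYS):
    """Compare what staff observed against what was installed. Returns a list
    of (device_id, finding) tuples; an empty list means nothing needs action."""
    findings = []
    for device_id, expected in inventory.items():
        seen = record.get(device_id)
        if seen is None:
            findings.append((device_id, "NOT_INSPECTED"))
            continue
        if (today - seen["date"]).days > max_age_days:
            findings.append((device_id, "OVERDUE"))
        if seen["serial"] != expected["serial"]:
            findings.append((device_id, "SUBSTITUTION"))   # not the unit you installed
        if seen["seal"] != expected["seal"] or not seen["seal_intact"] or seen["case_opened"]:
            findings.append((device_id, "TAMPERING"))      # seal broken/replaced or case opened
    for device_id in record:
        if device_id not in inventory:
            findings.append((device_id, "UNKNOWN_DEVICE"))  # a terminal you never installed
    return findings


def devices_to_pull(findings):
    """Devices that must be taken out of service, unplugged and handed to
    Security/IT, per the actions listed for tampering or substitution."""
    pull = {"SUBSTITUTION", "TAMPERING", "UNKNOWN_DEVICE"}
    return sorted({d for d, f in findings if f in pull})


def demo_findings(today=REPORT_DATE):
    return check_inspection(INVENTORY, INSPECTION, today)


if __name__ == "__main__":
    findings = demo_findings()
    for device_id, finding in findings:
        print(f"{device_id:14} {finding}")
    print("stop use of:", devices_to_pull(findings))
```

Keep the output of each run with the dated inspection sheets; a device that is flagged here and then reset or put back into service loses the evidence trail the "Oops, I Said Court" slide is about.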
You Convinced Me; I Must Have EMV Compliant POS Devices
You are still not out of the risk of being non-compliant with the PCI DSS requirements
Having EMV POS devices satisfies only one of the card brands' requirements
EMV devices do not remove any of the roughly 2,800 PCI DSS testing requirements; they only address the device itself
You must meet 100% of the applicable PCI requirements or you are not PCI compliant.
99% compliant is NOT COMPLIANT
Now You Know the Risks; Where Are the Rewards?
You do in fact have rewards for becoming PCI compliant beyond the certificate or note from your processor that you are compliant for that specific year
Yes, compliance must be validated annually
For those companies going from zero compliance to full compliance there is generally a return on investment (ROI)
ROI for PCI Compliance
These are real dollar savings
Refinement of the network to reduce bandwidth needs
Process-driven change management leading to less downtime
Trained staff that can better assist the customer faster, allowing for faster sales with less rework
Better use of technology assets, requiring fewer assets
Reduced footprint of PCI data by scope reduction, leading to lower cost of operation
Now It's Your Time to Ask
PCI DSS Risk and Rewards
Thank You!
Contact Data
Howard Glavin CPP, CISM, CRISC, PA_QSA, QSA, CTGA
Senior Vice President K3DES LLC
904.631.9204 – Mobile Phone
904.287.4433 – Home Office
904.287.2213 – FAX
Secur8ty – Skype ID