
Walter Conway, QSA

403 Labs, LLC

PCI DSS Gap Analysis Briefing

The University of Chicago

October 1, 2012

University of Chicago PCI DSS Overview | Walter Conway, QSA, | 403 Labs, LLC | © 2012 2

Agenda

• The PCI DSS ecosystem
  - Key players, roles
  - Cardholder data
  - Merchant levels and SAQs
• UofC’s PCI Gap Analysis


Walt Conway and 403 Labs

• PCI QSA, consultant, blogger, trainer, speaker, author
  - Former Visa VP
  - Consults with schools to become PCI compliant
• 403 Labs: information security consulting firm
  - PCI QSA and PA-QSA, ASV, PCI Forensic Investigator (PFI), and P2PE (QSA and PA-QSA)


Some PCI DSS Basics

• Payment Card Industry Data Security Standard
• Goal is to protect cardholder data
  - And to keep UofC out of the headlines
  - PCI compliance does not, by itself, make you secure
• If you take plastic, PCI applies to you
• PCI scope includes people, processes, and systems
  - Any that “store, process, or transmit” cardholder data (UofC’s Cardholder Data Environment)
  - And all systems connected to them


Some PCI DSS Basics

• PCI is a program, not a project
• Two things you need to accept about PCI
  - Your costs have gone up
  - You will change the way you do business


The PCI Ecosystem (diagram): the ecosystem of payment devices, applications, infrastructure and users, with the PCI Security Standards Council at the center and one standard per player:
- Manufacturers: PCI PTS (PIN entry devices)
- Software developers: PCI PA-DSS (payment applications)
- Merchants and service providers: PCI DSS (secure environments)
- P2PE (point-to-point encryption) is listed against both the devices and the applications


PCI DSS: 6 Goals, 12 Requirements


Key Players

• PCI Security Standards Council
  - Global forum to enhance payment security
  - Multiple standards: PCI DSS, PA-DSS, PCI PTS, and P2PE
  - Approves assessors (QSAs) and scan vendors (ASVs)
  - Develops the Self-Assessment Questionnaires (SAQs)
  - Develops and publishes PCI documentation


Key Players

• Five payment brands (Visa, MasterCard, American Express, Discover, JCB)
  - Track compliance and enforce standards (fines, sanctions)
  - Determine event response (forensics)
  - Define merchant levels
• Acquirers (merchant banks) and processors
  - Set UofC’s merchant level
  - Determine UofC’s compliance
  - Approve compensating controls


PCI Compliance is Widespread: U.S. PCI DSS Compliance Status*

Merchant Level                         Estimated Population   Estimated % of Visa Transactions   PCI DSS Compliance Validation   Validated Not Storing Prohibited Data
Level 1 Merchant (>6M trans/yr)        403                    50%                                97%                             100%
Level 2 Merchant (1M-6M trans/yr)      1,058                  13%                                93%                             100%
Level 3 Merchant (20K-1M e-commerce)   3,218                  <5%                                60%                             N/A
Level 4 Merchant (<1M trans/yr)        ~5,000,000             32%                                Moderate**                      TBD

* As of June 30, 2012
** Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications


Who are the High Risk Merchants?


Merchant Level Determines Validation Level

Level 1 (>6 million trans/yr, by brand)
  Visa and MasterCard:
  • Annual on-site assessment
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Report on Compliance (ROC)
  Amex:
  • Annual on-site Security Audit
  • Quarterly network scan by ASV

Level 2 (>1 million trans/yr, by brand)
  Visa:
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  MasterCard:
  • Same as Level 1
  Amex:
  • Quarterly network scan by ASV

Level 3 (>20K e-commerce trans/yr)
  Visa and MasterCard:
  • Annual SAQ
  • Quarterly network scan by ASV
  Amex:
  • Recommended: quarterly network scan by ASV

Level 4 (all others; determined by acquirer)
  • Annual SAQ
  • Quarterly network scan by ASV


Self-Assessment Questionnaire (SAQ)

• Level 3 and 4 merchants self-assess
• Shortened SAQ only if no electronic cardholder data

SAQ    Items   Merchant type
A      13      Card-not-present merchants, all cardholder data functions outsourced, no electronic cardholder data storage
B      29      Imprint-only merchants, no electronic cardholder data storage
B      29      Stand-alone terminal merchants, no electronic cardholder data storage
C-VT   51      Merchants who process cards on isolated virtual terminals connected to the Internet
C      80      Merchants with POS systems connected to the Internet, no electronic cardholder data storage
D      280+    All other merchants and service providers



Cardholder Data

• PAN: OK to store the first six and/or last four digits (truncated)
  - A full PAN may be stored only if rendered unreadable (PCI DSS Requirement 3.4)
  - Sensitive authentication data (full track contents, CAV2/CVC2/CVV2/CID, PIN or PIN block) may never be stored after authorization

Source: PCI SSC


Why Store Cardholder Data?

• Policy: no electronic card data stored on any UofC device
• But what about …?
  - Recurring payments: the acquirer has alternatives
  - Chargebacks, refunds: let the acquirer store the PAN
  - Legal requirements: these apply to banks, not merchants
  - Paper receipts: reprogram or upgrade terminals to truncate both the merchant and the customer receipt
  - Payment applications: confirm with the vendor or acquirer that the software does not store sensitive data


SAQ A

• Card-not-present merchants only
  - E-commerce, mail order/telephone order (MOTO)
  - Never applies in a face-to-face POS environment
• Card processing is outsourced
  - No cardholder data stored, processed, or transmitted on your systems
• Service provider is PCI compliant
• Only paper records, not received electronically
• No electronic cardholder data


SAQ A Merchant (diagram): students log into the school website and are redirected to the PCI compliant service provider’s secure third-party site to enter payment. Payment card data are entered and processed on the service provider’s site; no payment data are stored, processed, or transmitted on the school’s systems.


SAQ B

• For merchants with stand-alone dial-up terminals or imprinters (aka “zip-zap” machines)
  - Brick-and-mortar, MOTO, or e-commerce
• Dial-up terminals
  - Not connected to any other systems
  - Not connected to the Internet
• Paper records, not received electronically
• No electronic cardholder data


SAQ C

• Payment application and Internet connection on the same device
  - Card-present or card-not-present merchants
  - Can be a POS or shopping cart application
• Device not connected to any other system
• Store only paper records, not received electronically
• No electronic cardholder data
• Payment application vendor provides remote support securely


SAQ C-VT

• Merchant uses a virtual terminal
  - Web browser connected to a processor that hosts the payment processing function
  - Card data entered manually (no magnetic stripe reader), via a secure connection, one transaction at a time
  - Brick-and-mortar or MOTO
• Single payment terminal: isolated, fixed
• Other requirements same as SAQ C


SAQ D

• Everybody else
• 280+ questions
• All 12 PCI DSS requirements


SAQ A, Outsourcing OMG!

• “Customer service”
  - Merchant outsources e-commerce payments (hosted)
  - MOTO and fax orders persist
  - Staff enter transactions on their workstations
  - Workstations are not isolated
  - Result: staff workstations and all connected systems are in PCI scope
• Result: SAQ D
  - 280+ questions
  - Full PCI DSS, including scans and penetration testing


Other SAQ OMG!

• Dial-up POS terminal (SAQ B)
  - Card numbers on daily batch tape
  - Non-compliant PIN entry devices
  - Solution: upgrade or replace the device
• Virtual terminal (SAQ C or C-VT)
  - Not isolated: device connects to other systems
  - Not dedicated: device used for other purposes
  - Solution: segment the network, restrict terminal use
• Result: SAQ D
• Conclusion: not easy to qualify for a shortened SAQ


“Requirement 0”: Minimize Scope

• What it says:
  - Stop and take a breath
  - Don’t accept the status quo as fixed
• What it means:
  - Minimize scope to reduce PCI cost and effort
  - Your mantra: “If you don’t need it, don’t keep it”
• How to comply:
  - Accept the two “Laws of PCI”: your costs will go up, and you will change the way you do business


UofC’s PCI DSS Gap Analysis

• Identify compliance gaps: “no harm, no foul”
  - Meet with all UofC merchants and IT
  - Understand business needs, processes, technology
  - Identify gaps and recommend remediation options
  - Provide options so merchants can meet business requirements
• Goal: minimize UofC’s PCI scope (and risk)
  - Simplify PCI compliance validation
  - Identify business process changes (often hard!)
  - Identify infrastructure changes (expensive)
• Reporting
  - Debriefing session at conclusion of the onsite work
  - Written report


Thank You

Your comments? Questions? Thoughts?

Walter Conway
[email protected]
877.403.5227, ext. 223 (or 415.690.6876)
www.403labs.com

• Follow my PCI column at storefrontbacktalk.com
• Higher Education PCI blog (Treasury Institute): treasuryinstitutepcidss.blogspot.com