PCI DSS - Security Assessment

Page 1

PCI DSS Illuminating the “Grey”

25 August 2010

Roger Greyling

+64 21 507 522

[email protected]

Page 2

Lightweight Intro

Dark Myths of PCI

Shades of Grey

Page 3

Source: https://www.pcisecuritystandards.org/

“The Payment Card Industry Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.”

Page 4

PCI = Payment Card Industry

PCI SSC = PCI Security Standards Council

PCI DSS = PCI Data Security Standard

PAN = Primary Account Number

QSA = Qualified Security Assessor

CHD = Cardholder Data

SAD = Sensitive Authentication Data

CVV2 / CAV2 / CVC2 / CID (Visa / JCB / MasterCard / Discover & AmEx)

Page 5

The Payment Card Industry Security Standards Council (PCI SSC), representing the major credit card brands:

VISA

MasterCard

American Express

Discover

JCB

Ensures a consistent ‘standard of care’ for protection of Cardholder Data (CHD)

Page 6

Anyone who transmits, processes or stores CHD

This includes Debit Cards!

All merchants must comply

Some require onsite validation

Source: PCI-SSC website – Asia-Pac Participating Organisations

Two categories

Merchants (e.g. Supermarkets)

Service Providers (e.g. Payment Gateways)

Page 7

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Page 8

7. Restrict access to cardholder data by business “need-to-know”

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for employees and contractors

Page 9

The standard is not perfect. There are some grey areas.

However, each requirement or control is based on one of two intents:

Prevention: Protect CHD from disclosure

Detection: Identify the events leading up to a data disclosure

Page 10

Compliance isn’t simply an expensive pile of technology

There is not a single product solution

Achieving and maintaining compliance is not just a technical issue – it relies heavily on people, policy and processes

UNFORTUNATELY NOT

Page 11

Page 12

The point is CHD is exposed by:

Theft of documents

Poor document disposal

Skimming / fake PoS terminals

Theft of computers: laptops, desktops and servers

Web site compromises

WiFi attacks

“Rogue” employees and careless “trusted” third parties

Configuration errors

Unencrypted data being stored

Page 13

Page 14

MYTH / “MYTH BUSTED”

PCI takes time, money, effort away from core security

PCI is all about core security

Misguided priority on protecting IP and thwarting insiders

Prioritise network control, anti-malware, logging etc.

This is a lament uttered by those with a weak security program

Page 15

MYTH / “MYTH BUSTED”

Checklist Security ≠ Risk-based Security

Protect the CHD

A successful security program cannot be reduced to a checklist

Do minimum to comply and send QSA away

Evade the assessor

Checklists have their place in security

Page 16

MYTH / “MYTH BUSTED”

Possible to follow the letter and not the intent of the Standard

Following the letter = letter (email) notifying you of a breach

PCI = antithesis of “security theatre”

Semblance of security with no real risk reduction

Procure hardware and create documents

See PCI as a compliance point and not a starting point

Page 17

MYTH / “MYTH BUSTED”

Heartland breached despite being compliant

We accept that patients may die after seeing a doctor. Medicine = Faulty Science?

Basic PCI Compliance not enough

Heartland Breached ∴ PCI Ineffective

Security professionals believe following external guidance = 100% safety

Complexity is enemy of payment systems and networks

Page 18

Page 19

SAQ A: Card-Not-Present with all functions outsourced (e-commerce or MO/TO) – 11 questions

SAQ B: Imprint only/individual dial-up terminals (no card data storage) – 21 questions

SAQ C: Payment apps connected to Internet (no card data storage) – 38 questions

SAQ D: All other merchants and all service providers defined by payment brand as eligible – Full DSS!

Page 20

PCI DSS inherently onerous (if unprepared)

Merchants can define their own scope

Merchants not required to attend PCI DSS merchant training

Merchants can (and do) answer the SAQ unaided

∴ Merchants can, and often do, find themselves inexplicably overestimating their level of compliance...

This will satisfy the Acquirers until a breach occurs...

Page 21

Merchant:

Defined by Payment Brand

Levels 1-4*

Determined by Acquiring Bank (transaction volume)

Merchant must confirm with Acquirer

Service Provider:

Defined by Payment Brand

Levels 1-2*

May be determined by any party!

*VISA levels used as a guide

Page 22

PCI applies to all network components, servers or applications in or connected to the CHD environment

CHD environment contains cardholder or sensitive authentication data

This is the point at which the drops... (mostly)

Page 23

Remediate the entire environment

Segment the network

Outsource the handling of CHD

Cease to accept credit cards

Page 24

To reduce the cost of compliance:

Reduce the SCOPE

The more places you store CHD, the more compliance will cost

Mask / truncate CHD

Accept but do not store data if not needed!

Question existing business processes

• Why is CHD being stored?
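Answering "why is CHD being stored?" starts with finding where it is. The following added Python example (not code from the deck) scans constructed sample log and backup lines for Luhn-valid PANs and reports each finding already truncated to the first six and last four digits, so the scan output itself does not become another store of CHD.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncated(digits: str) -> str:
    """Render a finding with at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, truncated PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, truncated(digits)))
    return hits


# Constructed sample data: the deck's example PAN, a Luhn-invalid order
# reference of the same length, and a placeholder phone number.
SAMPLE = """\
2010-08-25 10:01:02 web01 checkout cust=1042 pan=4000 0012 3456 7899 amt=19.95
2010-08-25 10:01:03 web01 order-ref 4000001234567890 shipped
2010-08-25 10:02:17 db01 backup row: name=J Smith, card=4000-0012-3456-7899, exp=12/11
2010-08-25 10:03:00 web01 callback requested to +64 21 000 0000
"""

if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE):
        print(f"line {lineno}: unprotected PAN {pan}")
```

Every hit is a place where CHD is stored in the clear and therefore a system that is in scope; the order reference and phone number are ignored because they fail the length or Luhn check.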

Page 25

PAN – Primary Account Number: 4000 0012 3456 7899

It must be unreadable when stored:

Encrypted (FFwEQ129AbaCS)

Hashed (as above)

Truncated (4000 00** **** 7899)

Masking is not secure storage

SAD – Sensitive Authentication Data: storage is forbidden at all times

Page 26

Do not try and invent new truncation methods

The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored

4000 00** **** 7899

4000 1023 **** ****

How about 4000 1*** **** 7899?

Might be problematic for merchant, but is acceptable.
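An added Python example (not code from the deck) that applies the rule stated above: `truncate_pan` produces a stored form that never keeps more than the first six and last four digits, and `truncation_compliant` checks whether an existing stored value respects that ceiling. The three values it checks are the ones shown on this slide.

```python
import re

MAX_FIRST, MAX_LAST = 6, 4   # ceiling stated in the deck: first six and last four


def truncate_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a PAN for storage, never keeping more than the ceiling allows."""
    if keep_first > MAX_FIRST or keep_last > MAX_LAST:
        raise ValueError("truncation would keep more than first six / last four")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or len(digits) <= keep_first + keep_last:
        raise ValueError("not a PAN length that can be truncated")
    body = (digits[:keep_first]
            + "*" * (len(digits) - keep_first - keep_last)
            + digits[-keep_last:])
    # Regroup in blocks of four, matching the deck's "4000 00** **** 7899" layout.
    return " ".join(body[i:i + 4] for i in range(0, len(body), 4))


def truncation_compliant(stored: str) -> bool:
    """Does a stored value keep at most the first six and last four digits?

    Accepts only the shape <leading digits><masked run><trailing digits>; a
    value with no masked run at all is a full PAN and is never compliant.
    """
    compact = re.sub(r"\s", "", stored)
    m = re.fullmatch(r"(\d*)\*+(\d*)", compact)
    if m is None:
        return False
    first, last = m.groups()
    return len(first) <= MAX_FIRST and len(last) <= MAX_LAST


# The three stored forms shown on this slide, checked against the stated rule.
SLIDE_EXAMPLES = ["4000 00** **** 7899", "4000 1023 **** ****", "4000 1*** **** 7899"]

if __name__ == "__main__":
    for value in SLIDE_EXAMPLES:
        print(value, "->", "ok" if truncation_compliant(value) else "keeps too much")
    print(truncate_pan("4000 0012 3456 7899"))         # 4000 00** **** 7899
    print(truncate_pan("4000 0012 3456 7899", 5, 4))   # 4000 0*** **** 7899
```

Keeping eight leading digits, as the second slide value does, exceeds the first-six limit and is reported as non-compliant; the five-plus-four form is within the ceiling, which is why the deck calls it acceptable.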

Page 27

1. Store & Forward/Posting

Card Data touches server

Server transmits CHD to SP

∴ The Web Server will be considered “In Scope”!

Page 28

2. Redirection

Card Data does not touch the server pre/post-authorisation

∴ The Web Server may be considered “OUT of Scope”!

The QSA has an important role to play in advising the merchant

Page 29

It may feel like an audit, but it’s NOT about getting a tick in a box!

Page 30

Page 31

Identify and document the gap between "where you are" and the standard.

It provides the foundation for determining time, budget and resources required.

Page 32

Achieving PCI compliance is not the end of the journey, it’s the start.

A compliant state must be maintained at all times.

This compliant state must be revalidated annually and after any “significant” change to the CHD Environment.

Information security threats emerge faster than any standards committee can keep up with.

Page 33

Reduce the scope

Prioritise remediation activities based on risk

Complying to the standard is a minimum requirement, not an end goal

You cannot outsource the consequences of a breach

Page 34

No standard can address every risk for every business

Be pragmatic. The only effective solution is to combine policies, procedures and technologies to meet the risks specific to your organisation