Upload
candace-curtis
View
221
Download
1
Tags:
Embed Size (px)
Citation preview
Protecting Your Credit Card Security Environment (PCI)September 26, 2012
Jacob Arthur, CPA, QSA, CEHTimothy Agee, CISA, CGEIT, QSA
FDH ConsultingFrasier, Dean & Howard, PLLC
Information Security LandscapeIn addition to legislation, why are information security programs, such as PCI, necessary?
Information Security LandscapeIn addition to legislation, why are information security programs, such as PCI, necessary?
What we have is not working
Security – In The News
•9/26/12: New vulnerability in all modern versions of Java
•9/18/2012: New vulnerability in Internet Explorer affecting version 7, 8, and 9 on Windows XP, Windows Vista, Windows 7
•8/28/2012: 1 Million account usernames, passwords, and sensitive data leaked in attack affecting banks and government agencies
Security – In The News
•Since January 2011: At least 12 Certification Authorities have been compromised
•Sony – Started with lawsuit on 1/11/2011, hacks begin April 3, 2011, Asks consumers to waive class-action lawsuit rights on September 16 or give up access to service
•RSA, Lockheed-Martin
Source: Trustwave Spiderlabs – Global Security Report 2011
Source: Trustwave Spiderlabs – Global Security Report 2011
Source: Trustwave Spiderlabs – Global Security Report 2011
Source: Trustwave Spiderlabs – Global Security Report 2011
Source: Trustwave Spiderlabs – Global Security Report 2011
Source: Verizon 2011 Data Breach Investigations Report
Study on Data Breaches
•Verizon conducts an annual study of data breaches
•The US Secret Service and Dutch High Tech Crime Unit provided the results of their data breach efforts which Verizon combined with their results
•The study does not include cost analysis of data breaches, but rather, high-level analysis of root cause and perpetrator
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
Source: Verizon 2011 Data Breach Investigations Report
How did we arrive here?
Individual card brands maintained their own security and compliance programs for merchants, processors, inc.
1. VISA Cardholder Information Security Program (CISP)
2. MasterCard Site Data Protection Program3. American Express Data Security Operating
Policy4. Discover Information and Compliance5. JCB Data Security Program
Payment Card Industry (PCI): Security Standards Council (SSC)
“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements.”
PCI SSC – Why?
To help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise
PCI – Key players
•Merchant
•Acquiring Bank; Issuing Bank
•Cardbrand
•Service Providers
•Council
PCI – Key players
•QSA – Qualified Security Assessor•ISA – Internal Security Assessor
•ASV – Approved Scanning Vendor
•SAQ – Self-assessment Questionnaire•ROC – Report on Compliance
PCI - Founding Global Card Brands•American Express•Discover Financial Services•JCB International•MasterCard Worldwide•Visa Inc
All have agreed agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.
PCI Data Security Standard (DSS)•12 Requirements – 250 Testing
Procedures
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data…”
Cardholder Data Environment (CDE)•The CDE is comprised of people,
processes and technology that store, process or transmit cardholder data or sensitive authentication data.
•The PCI DSS security requirements apply to all system components (any network component, server, or application) that is included in or connected to the cardholder data environment.
PCI Overview – Visa Merchant Levels
Tier Visa, Inc.
1Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)
3Merchants processing 20,000 to 1 million Visa ecommercetransactions annually
4Merchants processing less than 20,000 Visa ecommerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
PCI Overview – Merchant Validation
Level AMEX Discover/JCB Mastercard Visa, Inc.
1 Annual onsite assessment by QSA or internal auditor if signed by officer of merchant company
Quarterly network scan by ASV
Annual onsite assessment by QSA or merchant’s internal Auditor
Quarterly network Scan by ASV
Annual onsite assessment by QSA
Quarterly network scan by ASV
Annual onsite assessment by QSA
Quarterly network scans by ASV
Attestation of Compliance from
2 EU Only: Annual Self-Assessment Questionnaire
Quarterly network scan by ASV
Annual Self Assessment Questionnaire
Quarterly network scan by ASV
Annual Self Assessment Questionnaire*
Quarterly network scan by ASV
Annual Self-Assessment Questionnaire
Quarterly network scan by ASV
Attestation of Compliance form
PCI Overview – Merchant Validation
Level AMEX Discover/JCB*
Mastercard Visa, Inc.
3 Quarterly network scan by ASV(recommended)
EU Only: SAQ (recommended)
Annual Self-Assessment Questionnaire
Quarterly Network Scan by ASV
Annual Self-Assessment Questionnaire
Quarterly network scan by ASV
Annual Self-Assessment Questionnaire
Quarterly network scan by ASV
Attestation of Compliance from
4 N/A Compliance Validation requirements determined by acquirer.
Compliance validation is at discretion of acquirer.
Annual Self-Assessment Questionnaire
Quarterly network scan by ASV
Attestation of Compliance form
PCI Overview – Visa ReportingTier Visa, Inc.
1
•At least twice a year, a statement of merchant compliance / non-compliance•Annual Attestation of Compliance form•Upon Request, a copy of ROC
2 Same as Level 1
3 •At least twice a year, a statement of merchant compliance / non-compliance
4 •Set by acquirer
PCI DSS 2.0 - OverviewV2.0 released October 28, 2010
Build and Maintain a Secure Network
•Requirement 1: Install and maintain a firewall configuration to protect cardholder data
•Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 1 Highlights
Install and maintain a firewall configuration to protect cardholder data
•Standard configurations•Change control process•Placement & configuration
▫Minimum necessary•6-Month review•Mobile software firewalls
Requirement 2 Highlights
Do not use vendor-supplied defaults for system passwords and other security parameters
•Changing default passwords•Configuration hardening standards
▫Operating systems, databases, applications, etc.
•System configuration▫Minimum necessary
Protect Cardholder Data
•Requirement 3: Protect stored cardholder data
•Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 3 Highlights
Protect stored cardholder data
•Data retention and disposal policies▫Minimum necessary
•No Track data storage•No Card Verification Code (CVC) data
storage•Card Primary Account Number (PAN)
masking•PAN storage requirements / encryption•Documentation
Requirement 4 Highlights
Encrypt transmission of cardholder data across open, public networks
•Transmission encryption▫The Internet▫Wireless technologies (WiFi)▫Mobile (cell) technologies
•Never send unencrypted using End-User Messaging technologies:▫Email, instant messaging, SMS (texting)
Maintain a Vulnerability Management Program
•Requirement 5: Use and regularly update anti-virus software or programs
•Requirement 6: Develop and maintain secure systems and applications
Requirement 5 Highlights
Use and regularly update anti-virus software or programs
•Deployed on all systems▫Commonly affected by malicious software
Yes – Windows No – UNIX, Series i
•Must be current / latest signatures
Requirement 6 HighlightsDevelop and maintain secure systems and applications
• Vendor supplied patches▫Critical < 30 days▫Less critical within 2 to 3 months
• Establish process to identify new vulnerabilities• Custom development
▫Change control process▫Secure coding / code review (OWASP Top 10)▫No production PANs used in testing
Implement Strong Access Control Measures
•Requirement 7: Restrict access to cardholder data by business need-to-know
•Requirement 8: Assign a unique ID to each person with computer access
•Requirement 9: Restrict physical access to cardholder data
Requirement 7 Highlights
Restrict access to cardholder data by business need-to-know
•Minimum necessary access to Cardholder Data Environment (CDE)
•User provisioning process▫Based on job classification / function
•Default “deny all” configuration
Requirement 8 Highlights
Assign a unique ID to each person with computer access
•All users must have a “Unique ID” and password for access to CDE
•Two-factor authentication for remote users
•Password / account management•Policy communication
Requirement 9 Highlights
Restrict physical access to cardholder data
•Physical security monitoring (i.e. video cameras)
•Physical access to system components•Physical access to network jacks•Employee and visitor identification•Visitor tracking•Backup media security, storage, tracking,
destruction, etc.
Regularly Monitor and Test Networks
•Requirement 10: Track and monitor all access to network resources and cardholder data
•Requirement 11: Regularly test security systems and processes
Requirement 10 HighlightsTrack and monitor all access to network resources and cardholder data
• Linking CDE access to the individual user• Automated audit trails
▫Actions taken▫Logical access / creation, changing, deletion▫ Invalid logon attempts
• Audit log review• Audit log retention• Time synchronization
Requirement 11 HighlightsRegularly test security systems and processes
• Quarterly wireless access point testing▫Scanning / Physical inspection / Wireless IDS
• Quarterly vulnerability scans▫External – Approved Scanning Vendor (ASV)▫ Internal – Internal staff or ASV
• Annual penetration test (Internal and External)▫Firewall and application
• Intrusion Detection System (IDS)• File Integrity Monitoring
Maintain an Information Security Policy
•Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement 12 HighlightsMaintain a policy that addresses information security for all personnel
• Must address all PCI requirements• Reviewed annually• Usage policies• Responsibilities• Security awareness program• Employee screening• Service provider policies• Incident response plan
Reducing the Scope for PCI DSS
•Why does this matter?•Card storage, processing, and
transmission▫Reduce the number of system and network
components that are used to store, process, or transmit credit card data.
•Network segmentation▫Reduce the number of system and network
components that connect to the CDE▫Flat Network = Everything is in scope!
What should IA do?
•Become familiar with the PCI requirements
•Actively participate in the organization’s PCI compliance program
•Where appropriate, own the PCI assessment process (SAQ, ROC)
•Utilize IA knowledge of risk and controls (and appropriate documentation) to help the organization build the PCI compliance program
What should IA do?
•Evaluate IA skill sets and identify any gaps
•Allocate training to address both knowledge of PCI compliance as well as key subject matter areas
•Participate in PCI community – become a Participating Organization or join a Special Interest Groups (wireless, encryption)
What should IA do?•Consider PCI risks in our organization’s risk
assessment process – both from a perspective of compliance vs. non-compliance as well as understanding the significant threats
•Consider the strength and maturity of controls and allocation of the organization’s resources which address the risks
•Evaluate the skills of the individuals that own the PCI controls
What should IA do?•Understand where and how credit card data is
collected, stored, processed and transmitted •Ensure management fully explores opportunities
to reduce the scope•Understand the full path of credit card data from
initial collection all the way to the acquiring bank, especially at third-parties along this path
•Understand where credit card data is encrypted and where it isn’t (both stored and during transmission) at every step along the way
What should IA do?
•Determine if the organization understands all of the locations credit card data is stored and how much credit card data is stored - determine if the amount of data is reasonable
•Familiarize yourself with tokenization•Understand requirements related to
wireless security, secure coding, network scanning and reporting (ASV), penetration tests
What should IA do?•Consider third-party/partner risk in your
organization from a compliance standpoint as well as risk of security incidents▫Credit card processors or other
intermediaries▫Payment applications▫Web sites owned, managed or hosted by third-
parties which collect credit card data•How do contracts with third parties address
responsibilities to secure data and in handling incident response?
What should IA do?
•Consider IA role in compliance testing▫Pre-assessment▫ISA role ▫Integration of PCI testing with SOX, HIPAA
or other compliance programs
PCI Skills• Risk identification and assessment
• Internal control identification, design assessment (preventive/detective, mature/informal) and operating effectiveness; internal control development (monitoring controls, appropriate documentation, etc.)
• Compliance program development▫ Ownership of controls▫ Stakeholder identification and involvement ▫ Audit program development▫ Workpaper documentation▫ Remediation programs
PCI Skills• Strong technical background including
knowledge of: ▫ network architecture ▫ firewall configuration, network protocols, etc.▫ wireless security▫ IPS/IDS
• Encryption design and implementation
• Secure coding
• Application security architecture
Questions?
Jacob Arthur, CPA, QSA, [email protected] (Mobile)
Timothy Agee, CISA, CGEIT, [email protected] (Mobile)