Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier, Dean & Howard, PLLC


Information Security Landscape

In addition to legislation, why are information security programs, such as PCI, necessary?

What we have is not working


Security – In The News

•9/26/12: New vulnerability in all modern versions of Java

•9/18/2012: New vulnerability in Internet Explorer affecting versions 7, 8, and 9 on Windows XP, Windows Vista, Windows 7

•8/28/2012: 1 Million account usernames, passwords, and sensitive data leaked in attack affecting banks and government agencies


•Since January 2011: At least 12 Certification Authorities have been compromised

•Sony – started with a lawsuit on 1/11/2011; hacks began April 3, 2011; on September 16 asked consumers to waive class-action lawsuit rights or give up access to the service

•RSA, Lockheed-Martin

[Chart slides] Source: Trustwave SpiderLabs – Global Security Report 2011

[Chart slide] Source: Verizon 2011 Data Breach Investigations Report


Study on Data Breaches

•Verizon conducts an annual study of data breaches

•The US Secret Service and the Dutch High Tech Crime Unit provided the results of their own data breach investigations, which Verizon combined with its results

•The study does not include cost analysis of data breaches, but rather, high-level analysis of root cause and perpetrator

[Chart slides] Source: Verizon 2011 Data Breach Investigations Report

How did we arrive here?

Individual card brands maintained their own security and compliance programs for merchants, processors, etc.:

1. VISA Cardholder Information Security Program (CISP)
2. MasterCard Site Data Protection Program
3. American Express Data Security Operating Policy
4. Discover Information and Compliance
5. JCB Data Security Program


Payment Card Industry (PCI): Security Standards Council (SSC)

“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements.”


PCI SSC – Why?

To help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise


PCI – Key players

•Merchant

•Acquiring Bank; Issuing Bank

•Card brand

•Service Providers

•Council

•QSA – Qualified Security Assessor
•ISA – Internal Security Assessor
•ASV – Approved Scanning Vendor
•SAQ – Self-Assessment Questionnaire
•ROC – Report on Compliance

PCI – Founding Global Card Brands
•American Express
•Discover Financial Services
•JCB International
•MasterCard Worldwide
•Visa Inc

All have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.

PCI Data Security Standard (DSS)
•12 Requirements – 250 Testing Procedures

“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data…”

Cardholder Data Environment (CDE)
•The CDE is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
•The PCI DSS security requirements apply to all system components (any network component, server, or application) that are included in or connected to the cardholder data environment.

PCI Overview – Visa Merchant Levels

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

PCI Overview – Merchant Validation

Level 1
▫AMEX: Annual onsite assessment by QSA or internal auditor if signed by officer of merchant company; quarterly network scan by ASV
▫Discover/JCB: Annual onsite assessment by QSA or merchant’s internal auditor; quarterly network scan by ASV
▫MasterCard: Annual onsite assessment by QSA; quarterly network scan by ASV
▫Visa, Inc.: Annual onsite assessment by QSA; quarterly network scans by ASV; Attestation of Compliance form

Level 2
▫AMEX: EU only: Annual Self-Assessment Questionnaire; quarterly network scan by ASV
▫Discover/JCB: Annual Self-Assessment Questionnaire; quarterly network scan by ASV
▫MasterCard: Annual Self-Assessment Questionnaire*; quarterly network scan by ASV
▫Visa, Inc.: Annual Self-Assessment Questionnaire; quarterly network scan by ASV; Attestation of Compliance form

Level 3
▫AMEX: Quarterly network scan by ASV (recommended); EU only: SAQ (recommended)
▫Discover/JCB*: Annual Self-Assessment Questionnaire; quarterly network scan by ASV
▫MasterCard: Annual Self-Assessment Questionnaire; quarterly network scan by ASV
▫Visa, Inc.: Annual Self-Assessment Questionnaire; quarterly network scan by ASV; Attestation of Compliance form

Level 4
▫AMEX: N/A
▫Discover/JCB: Compliance validation requirements determined by acquirer
▫MasterCard: Compliance validation is at discretion of acquirer
▫Visa, Inc.: Annual Self-Assessment Questionnaire; quarterly network scan by ASV; Attestation of Compliance form

PCI Overview – Visa Reporting

Level 1
▫At least twice a year, a statement of merchant compliance / non-compliance
▫Annual Attestation of Compliance form
▫Upon request, a copy of ROC

Level 2: Same as Level 1

Level 3
▫At least twice a year, a statement of merchant compliance / non-compliance

Level 4
▫Set by acquirer

PCI DSS 2.0 – Overview
V2.0 released October 28, 2010


Build and Maintain a Secure Network

•Requirement 1: Install and maintain a firewall configuration to protect cardholder data

•Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 1 Highlights

Install and maintain a firewall configuration to protect cardholder data

•Standard configurations
•Change control process
•Placement & configuration
▫Minimum necessary
•6-month review
•Mobile software firewalls

Requirement 2 Highlights

Do not use vendor-supplied defaults for system passwords and other security parameters

•Changing default passwords
•Configuration hardening standards
▫Operating systems, databases, applications, etc.
•System configuration
▫Minimum necessary


Protect Cardholder Data

•Requirement 3: Protect stored cardholder data

•Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 3 Highlights

Protect stored cardholder data

•Data retention and disposal policies
▫Minimum necessary
•No track data storage
•No Card Verification Code (CVC) data storage
•Card Primary Account Number (PAN) masking
•PAN storage requirements / encryption
•Documentation
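As an added illustration of the Requirement 3 points above (this is not code from the presentation), the following Python walks a constructed set of stored records: it validates each PAN with the Luhn check, masks it for display to at most the first six and last four digits, and flags records whose free-text fields hold sensitive authentication data that must never be stored (track data or a card verification code). The record layout, field names and sample values are assumptions; the PANs are published industry test numbers.

```python
import re

# Constructed sample of stored records (field names are assumed; the PANs are
# published industry test numbers, not real cards).
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "notes": "regular order"},
    {"id": 2, "pan": "5500000000000004", "notes": "cvc=123 kept for rebill"},
    {"id": 3, "pan": "4111111111111112", "notes": "typo in pan"},
    {"id": 4, "pan": "340000000000009",
     "notes": "%B340000000000009^DOE/JOHN^2512101?"},
]

# Track 1 (%B<PAN>^<name>^<YYMM>...) and Track 2 (;<PAN>=<YYMM>...) shapes.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}|;\d{13,19}=\d{4}")
# A labelled 3- or 4-digit verification code such as "cvc=123" or "CVV2: 1234".
CVC_RE = re.compile(r"\bcv[cv]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: is this digit string a plausible PAN at all?"""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking as PCI DSS allows: first six and last four digits at most."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited_data(text: str) -> list:
    """Kinds of sensitive authentication data found in a free-text field.
    Neither kind may be stored after authorization, even encrypted."""
    kinds = []
    if TRACK_RE.search(text):
        kinds.append("track data")
    if CVC_RE.search(text):
        kinds.append("card verification code")
    return kinds


def audit_records(records: list) -> list:
    """Walk stored records: mask each PAN for display and list its issues."""
    report = []
    for rec in records:
        issues = find_prohibited_data(rec["notes"])
        if not luhn_valid(rec["pan"]):
            issues.append("pan fails luhn check")
        report.append({"id": rec["id"],
                       "pan_display": mask_pan(rec["pan"]),
                       "issues": issues})
    return report


if __name__ == "__main__":
    for row in audit_records(SAMPLE_RECORDS):
        print(row)
```

The same regexes can be pointed at log files and database dumps to locate track data and CVCs that slipped into fields never meant to hold them.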

Requirement 4 Highlights

Encrypt transmission of cardholder data across open, public networks

•Transmission encryption
▫The Internet
▫Wireless technologies (WiFi)
▫Mobile (cell) technologies
•Never send unencrypted using End-User Messaging technologies:
▫Email, instant messaging, SMS (texting)


Maintain a Vulnerability Management Program

•Requirement 5: Use and regularly update anti-virus software or programs

•Requirement 6: Develop and maintain secure systems and applications

Requirement 5 Highlights

Use and regularly update anti-virus software or programs

•Deployed on all systems
▫Commonly affected by malicious software: Yes – Windows; No – UNIX, Series i
•Must be current / latest signatures

Requirement 6 Highlights

Develop and maintain secure systems and applications

•Vendor-supplied patches
▫Critical < 30 days
▫Less critical within 2 to 3 months
•Establish process to identify new vulnerabilities
•Custom development
▫Change control process
▫Secure coding / code review (OWASP Top 10)
▫No production PANs used in testing


Implement Strong Access Control Measures

•Requirement 7: Restrict access to cardholder data by business need-to-know

•Requirement 8: Assign a unique ID to each person with computer access

•Requirement 9: Restrict physical access to cardholder data


Requirement 7 Highlights

Restrict access to cardholder data by business need-to-know

•Minimum necessary access to Cardholder Data Environment (CDE)

•User provisioning process
▫Based on job classification / function

•Default “deny all” configuration


Requirement 8 Highlights

Assign a unique ID to each person with computer access

•All users must have a “Unique ID” and password for access to CDE

•Two-factor authentication for remote users

•Password / account management
•Policy communication

Requirement 9 Highlights

Restrict physical access to cardholder data

•Physical security monitoring (e.g. video cameras)
•Physical access to system components
•Physical access to network jacks
•Employee and visitor identification
•Visitor tracking
•Backup media security, storage, tracking, destruction, etc.


Regularly Monitor and Test Networks

•Requirement 10: Track and monitor all access to network resources and cardholder data

•Requirement 11: Regularly test security systems and processes

Requirement 10 Highlights

Track and monitor all access to network resources and cardholder data

•Linking CDE access to the individual user
•Automated audit trails
▫Actions taken
▫Logical access / creation, changing, deletion
▫Invalid logon attempts
•Audit log review
•Audit log retention
•Time synchronization
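As an added example (not from the presentation), this Python reviews a constructed audit trail from CDE hosts against the points above: it flags CDE access under a shared or generic account instead of an individual user, a burst of invalid logon attempts, deletion of the audit log itself, and a host timestamp that runs backwards, which is what a time-synchronization failure looks like during log review. The log format, host names, user names and the list of generic accounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (format, hosts and users are assumed, not real).
SAMPLE_LOG = """\
2012-09-26T10:00:01Z host=card-db user=alice event=login result=success
2012-09-26T10:00:05Z host=card-db user=alice event=read object=cardholder_tbl
2012-09-26T10:01:10Z host=payment-switch user=admin event=login result=success
2012-09-26T10:02:00Z host=card-db user=bob event=login result=failure
2012-09-26T10:02:04Z host=card-db user=bob event=login result=failure
2012-09-26T10:02:09Z host=card-db user=bob event=login result=failure
2012-09-26T09:58:00Z host=payment-switch user=carol event=delete object=audit_log
"""

# Accounts that cannot be tied to one individual (assumed list for the example).
GENERIC_ACCOUNTS = {"admin", "root", "sa", "shared"}


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_audit_trail(log_text: str, max_failures: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Return (finding, host, user) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    last_seen = {}                 # host -> timestamp of the previous event
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host, user, ts = ev["host"], ev["user"], ev["ts"]
        # Every CDE access must map back to an individual, not a shared account.
        if user in GENERIC_ACCOUNTS:
            findings.append(("shared account", host, user))
        # A host whose clock runs backwards breaks the ordering of its audit trail.
        if host in last_seen and ts < last_seen[host]:
            findings.append(("clock went backwards", host, user))
        last_seen[host] = ts
        # Invalid logon attempts are logged; review them for bursts per user.
        if ev.get("event") == "login" and ev.get("result") == "failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(recent) >= max_failures:
                findings.append(("repeated invalid logons", host, user))
                recent = []
            failures[user] = recent
        # The audit trail itself must be protected; its deletion is a finding.
        if ev.get("event") == "delete" and ev.get("object") == "audit_log":
            findings.append(("audit trail deleted", host, user))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```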

Requirement 11 Highlights

Regularly test security systems and processes

•Quarterly wireless access point testing
▫Scanning / physical inspection / wireless IDS
•Quarterly vulnerability scans
▫External – Approved Scanning Vendor (ASV)
▫Internal – internal staff or ASV
•Annual penetration test (internal and external)
▫Firewall and application
•Intrusion Detection System (IDS)
•File Integrity Monitoring


Maintain an Information Security Policy

•Requirement 12: Maintain a policy that addresses information security for all personnel

Requirement 12 Highlights

Maintain a policy that addresses information security for all personnel

•Must address all PCI requirements
•Reviewed annually
•Usage policies
•Responsibilities
•Security awareness program
•Employee screening
•Service provider policies
•Incident response plan

Reducing the Scope for PCI DSS

•Why does this matter?
•Card storage, processing, and transmission
▫Reduce the number of system and network components that are used to store, process, or transmit credit card data.
•Network segmentation
▫Reduce the number of system and network components that connect to the CDE
▫Flat network = everything is in scope!
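To make the segmentation point concrete, here is an added Python example (not from the presentation) that computes which systems in a constructed inventory fall into PCI DSS scope: every system that stores, processes or transmits cardholder data, plus every system on a network segment that can connect to one of those. The same inventory is evaluated once as a flat network and once with firewall rules that only let the store and management segments reach the CDE; the system names, zones and rules are assumptions.

```python
from itertools import combinations

# Constructed inventory: each system's network zone and whether it stores,
# processes or transmits cardholder data (CHD). Names and layout are assumed.
SYSTEMS = {
    "pos-terminal-1": {"zone": "store", "chd": True},
    "store-pc":       {"zone": "store", "chd": False},
    "payment-switch": {"zone": "cde",   "chd": True},
    "card-db":        {"zone": "cde",   "chd": True},
    "jump-host":      {"zone": "mgmt",  "chd": False},
    "hr-fileserver":  {"zone": "corp",  "chd": False},
    "marketing-wiki": {"zone": "corp",  "chd": False},
}

ZONES = sorted({s["zone"] for s in SYSTEMS.values()})

# Firewall rules as unordered zone pairs that are allowed to talk to each other.
FLAT_NETWORK = set(combinations(ZONES, 2))          # no segmentation at all
SEGMENTED = {("store", "cde"), ("mgmt", "cde")}     # only what the CDE needs


def connected_zones(zone: str, links: set) -> set:
    """Zones that can reach `zone` directly, plus the zone itself (same segment)."""
    out = {zone}
    for a, b in links:
        if a == zone:
            out.add(b)
        elif b == zone:
            out.add(a)
    return out


def in_scope(systems: dict, links: set) -> set:
    """Systems in PCI DSS scope: CHD systems plus anything connected to their segments."""
    cde_zones = {s["zone"] for s in systems.values() if s["chd"]}
    reachable = set()
    for zone in cde_zones:
        reachable |= connected_zones(zone, links)
    return {name for name, s in systems.items()
            if s["chd"] or s["zone"] in reachable}


def scope_summary(systems: dict, links: set) -> tuple:
    """(number of systems in scope, total systems) for a given rule set."""
    return len(in_scope(systems, links)), len(systems)


if __name__ == "__main__":
    for label, links in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(label, scope_summary(SYSTEMS, links), sorted(in_scope(SYSTEMS, links)))
```

Note that store-pc stays in scope even when segmented, because it shares a segment with the POS terminal; moving the POS onto its own segment is what would take it out.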


What should IA do?

•Become familiar with the PCI requirements

•Actively participate in the organization’s PCI compliance program

•Where appropriate, own the PCI assessment process (SAQ, ROC)

•Utilize IA knowledge of risk and controls (and appropriate documentation) to help the organization build the PCI compliance program


•Evaluate IA skill sets and identify any gaps

•Allocate training to address both knowledge of PCI compliance as well as key subject matter areas

•Participate in the PCI community – become a Participating Organization or join a Special Interest Group (wireless, encryption)

•Consider PCI risks in our organization’s risk assessment process – both from a perspective of compliance vs. non-compliance as well as understanding the significant threats

•Consider the strength and maturity of controls and allocation of the organization’s resources which address the risks

•Evaluate the skills of the individuals that own the PCI controls

•Understand where and how credit card data is collected, stored, processed and transmitted
•Ensure management fully explores opportunities to reduce the scope
•Understand the full path of credit card data from initial collection all the way to the acquiring bank, especially at third parties along this path

•Understand where credit card data is encrypted and where it isn’t (both stored and during transmission) at every step along the way


•Determine if the organization understands all of the locations credit card data is stored and how much credit card data is stored - determine if the amount of data is reasonable

•Familiarize yourself with tokenization
•Understand requirements related to wireless security, secure coding, network scanning and reporting (ASV), penetration tests

•Consider third-party/partner risk in your organization from a compliance standpoint as well as risk of security incidents
▫Credit card processors or other intermediaries
▫Payment applications
▫Web sites owned, managed or hosted by third parties which collect credit card data
•How do contracts with third parties address responsibilities to secure data and in handling incident response?


•Consider IA role in compliance testing
▫Pre-assessment
▫ISA role
▫Integration of PCI testing with SOX, HIPAA or other compliance programs

PCI Skills

•Risk identification and assessment
•Internal control identification, design assessment (preventive/detective, mature/informal) and operating effectiveness; internal control development (monitoring controls, appropriate documentation, etc.)
•Compliance program development
▫Ownership of controls
▫Stakeholder identification and involvement
▫Audit program development
▫Workpaper documentation
▫Remediation programs

•Strong technical background including knowledge of:
▫Network architecture
▫Firewall configuration, network protocols, etc.
▫Wireless security
▫IPS/IDS

• Encryption design and implementation

• Secure coding

• Application security architecture


Questions?

Jacob Arthur, CPA, QSA, [email protected] (Mobile)

Timothy Agee, CISA, CGEIT, [email protected] (Mobile)