© SecureWorks, Inc.
Payment Card Industry Primer
Jason Wikenczy
CISSP, CISA, QSA
May 8, 2018
Agenda
• Payment Card Industry Standards Overview
• Validation Levels and Reporting Requirements
• Scoping the Assessment
• Methods for Scope Reduction
• The Prioritized Approach
• Resources
• Question & Answer
Terms
Payment Card Industry (PCI)
Data Security Standard (DSS)
Report on Compliance (ROC)
Self-Assessment Questionnaire (SAQ)
Qualified Security Assessor (QSA)
Approved Scanning Vendor (ASV)
Cardholder Data (CHD)
Cardholder Data Environment (CDE)
Point-to-Point Encryption (P2PE)
PCI Standards Overview
Entities Affected – Need to Demonstrate Compliance
• Merchants, to name a few:
• Government Agencies
• Financial Institutions
• Retail, Healthcare, & Education
• E-commerce
• Service Providers
• Banks & Payment Processors
• Hardware / Device Manufacturers
• Software Developers
Any entity that stores, processes, or transmits cardholder data,
OR impacts the security of the cardholder data environment.
PCI Standards Overview
Common Myths and Misconceptions
• “We use compliant hardware and software, therefore we must be compliant”
• “We don’t take enough credit cards to need to worry about compliance”
• “Our vendor said one product was all we needed”
• “We passed this year, so we don’t have to think about it until next year”
• “We outsource so we don’t have to worry about being compliant”
• “The requirements are too vague, with a lot of room for interpretation”
• “We don’t store payment card information so we don’t have to be compliant”
PCI Standards Overview
The Truths: I
• $3.62M is the average cost of a data breach (Ponemon Institute, 2017)
• Potential for $100,000+ in monthly costs / fines for non-compliance
• Self-assessing organizations are rarely actually compliant
• Greater than two years on average to become PCI DSS compliant
• Compliance does not equal security; it should be a byproduct of security
PCI Standards Overview: Recent Breaches
[Figure: visualization of recent breaches, courtesy of InformationisBeautiful.net]
PCI Standards Overview
The Truths: II
• Requirements are the same globally, but local legal requirements take precedence over PCI DSS
• Organizations are NOT required to use compliant products and services
• Typically, being compliant helps secure more funding for IT security
• Merchants and service providers may use any assessing company of choice
• If you ask five QSAs the same question, you will get seven different answers
PCI Standards Overview
Multiple Standards for the Protection of Cardholder Data
PCI DSS
• Covers security of the environments that store, process, or transmit account data.
• Environments receive account data from payment applications and other sources (e.g., acquirers).
PCI P2PE
• Covers encryption, decryption, and key management requirements for point-to-point encryption solutions.
PCI PA-DSS
• Covers secure payment applications to support PCI DSS compliance.
• The payment application receives account data from PIN entry devices (PEDs) or other devices and begins the payment transaction.
There’s more if you’re really bored…or suffer from insomnia.
The PCI DSS
Six Goals, Twelve Major Requirements
Build and Maintain a Secure Network and Systems
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Protect all systems against malware and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Identify and authenticate access to system components
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Program
• Maintain a policy that addresses information security for all personnel
The PCI DSS
Validation Levels
Merchant Levels
• Defined by the payment brands
• Based on transaction volume
• Transaction volume determined by the acquirer (the merchant’s bank)
Service Provider Levels
• Defined by the payment brands according to transaction volume and/or type of service provider
• Determined by the payment brands or acquirer, or sometimes the service provider
Compliance validation requirements vary by payment brand.
The PCI DSS
Validation Requirements Overview
Merchants
                         Level 1                   Level 2                   Level 3 & 4
Type of Assessment       Onsite Assessment         Self-Assessment           Determined by Payment Brand or Acquirer
Reporting Requirements   ROC and ASV Scan Report   SAQ and ASV Scan Report   Determined by Payment Brand or Acquirer
Service Providers
                         Level 1                   Level 2                   Level 3 (AMEX)
Type of Assessment       Onsite Assessment         Self-Assessment           Self-Assessment
Reporting Requirements   ROC and ASV Scan Report   SAQ and ASV Scan Report   SAQ and ASV Scan Report
The PCI DSS: Reporting
The Self-Assessment Questionnaire (SAQ)
• The SAQ is a validation tool intended to assist merchants and service providers in
self-evaluating their compliance with the PCI DSS
• There are multiple versions of the PCI DSS SAQ to meet various scenarios
• The PCI DSS SAQ is a validation tool for merchants and service providers not
required to submit an on-site data security assessment Report on Compliance.
SAQ Description
A Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to
PCI DSS compliant service providers. Not applicable to face-to-face channels.
A-EP E-commerce merchants who outsource all payment processing to PCI DSS validated third parties,
and who have a website(s) that doesn't directly receive cardholder data but that can impact the
security of the payment transaction. No electronic storage, processing, or transmission of any
cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.
The PCI DSS: Reporting
The SAQ Continued
SAQ Description
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal
merchants with no electronic cardholder data storage. Not applicable to e-commerce channels.
B-IP Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the
payment processor, with no electronic cardholder data storage. Not applicable to e-commerce
channels.
C Merchants with segmented payment application systems connected to the Internet, with no
electronic cardholder data storage. Not applicable to e-commerce channels.
C-VT Merchants using only web-based virtual payment terminals, with no electronic cardholder data
storage. Not applicable to e-commerce channels.
P2PE Merchants who have implemented a validated Point-to-Point Encryption Solution that is listed on the
PCI SSC website, with no electronic cardholder data storage. Not applicable to e-commerce
channels.
D Merchants: All merchants not included in the descriptions for other SAQ types.
Service Providers: All service providers identified by a payment brand as eligible to complete a
self-assessment questionnaire.
The PCI DSS: Reporting
The SAQ – An Eye Opener Comparison
SAQ                  A    A-EP  B    B-IP  C    C-VT  D (M)  D (SP)  P2PE  | PCI DSS v3.2
Total Requirements   22   193   41   84    162  81    332    365     33    | 428
• Even when payment processing is completely outsourced, merchants retain PCI DSS responsibilities (SAQ A still carries 22 requirements).
• For e-commerce, an API (direct-post) integration vs. an iFrame or redirect can mean a difference of 170+
requirements (SAQ A-EP vs. SAQ A), even when processing is outsourced.
• POTS (dial-out) vs. IP-connected terminals can mean a difference of 40+ requirements (SAQ B-IP vs. SAQ B) when
using standard swipe/dip terminals.
• The industry as a whole is moving toward P2PE.
The PCI DSS Assessment
How to Scope
Scoping the Environment
PCI DSS security requirements apply to:
• Systems that store, process, or transmit cardholder data
• Systems that provide security services or may impact the security of the CDE
• Any other component or device located within or connected to the CDE
Scope includes:
• People
• Process
• Technology
Scope Verification
The first step of a PCI DSS assessment is to accurately determine the scope.
At least annually and prior to the annual assessment the assessed entity:
• Identifies all locations and flows of cardholder data to verify they are included in the CDE
• Confirms the accuracy of their PCI DSS scope
• Retains their scoping documentation for assessor reference
The assessor validates that the scope of the assessment is accurately defined and documented.
The PCI DSS Assessment
How to Scope (Contd.)
Preparation
• Understand the environment being assessed, including the system components and physical locations where cardholder data is stored, processed, or transmitted.
• Data flow diagrams help identify where cardholder data could exist.
• An inventory should be completed to document all in-scope systems.
• Allow adequate time for discovery, testing, and remediation.
Ways to Reduce Scope
• If you don’t need it, don’t store it!
• Outsource, preferably to PCI DSS compliant service providers.
• Segmentation and separation.
• Consider reporting against payment channels separately.
The PCI DSS Assessment
Common Scoping Errors
• Not having a complete inventory of all systems that store, process, or transmit cardholder data
• Not identifying "unknown" data that has "leaked" out of applications and databases
• Not identifying all physical locations that store, process or transmit cardholder data
• Not identifying all connected networks and confirming network segmentation is in place and effective
• Not allowing enough time to interview all application, database, and system owners
• Not allowing enough time to perform thorough system testing
• Assuming encrypted data is out of scope
• Not taking into account the multiple layers of applicability
• Access and authentication mechanisms
• Non-console access
• Network, system, application, database
• Supporting systems
Scope Reduction Techniques
Cardholder data.
If you don’t need it, remove it.
Scope Reduction Techniques
Concept of Separate Payment Channels
What are the reporting requirements for each channel?
E-commerce
• Outsourced to PCI compliant service provider
• Uses iFrame
• Reporting requirement: SAQ A
Retail
• Using P2PE solution, and
• Using dial-out POIs
• Reporting requirement: SAQ B & SAQ P2PE
Call Center
• Leverages e-commerce site above
• Calls are recorded
• Reporting requirement: SAQ C
Kiosks
• IP connected on airport network
• Reporting requirement: SAQ B-IP? What if the merchant network is separated?
Scope Reduction Techniques
Segmentation
• Network segmentation of, or isolating, the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement.
• Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.
• Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technology that restricts access to a particular segment of a network.
• Any device that isolates the cardholder data environment from the rest of the network could be used for segmentation.
• Segmentation = Separation = No Connectivity
• Pinholes = Controlled Access = Still in Scope
• Out of Scope = Untrusted = Security not Reviewed
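The three states on this slide are exactly what a segmentation test has to distinguish: the only evidence that a segment is isolated is that nothing in it can reach the CDE, and a single permitted port is a pinhole that keeps the source segment in scope. The probe below is an added example written for this page (not SecureWorks or PCI SSC tooling). Run from a host in the segment being claimed out of scope, against the CDE inventory, it reports which CDE addresses and ports answer a TCP handshake and classifies the result in the slide's terms. The CDE addresses in the main block are constructed placeholders; self_check() stands up a loopback listener so the example can be exercised offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.
    Refused, filtered (timed out) and unreachable all count as 'not reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_segmentation(targets, timeout: float = 1.0):
    """targets: (host, port) tuples belonging to the CDE.
    Returns {(host, port): reachable_bool}, probing in parallel."""
    targets = list(targets)
    workers = min(32, max(1, len(targets)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: tcp_reachable(t[0], t[1], timeout), targets))
    return dict(zip(targets, results))


def classify(results) -> str:
    """Map probe results onto the slide's states:
    nothing reachable  -> 'isolated'  (segmentation holds; source segment out of scope)
    some ports open    -> 'pinhole'   (controlled access; source segment still in scope)
    everything open    -> 'flat'      (no effective segmentation)"""
    open_ports = [t for t, ok in results.items() if ok]
    if not open_ports:
        return "isolated"
    if len(open_ports) < len(results):
        return "pinhole"
    return "flat"


def self_check():
    """Offline demonstration on loopback: one listening port (a pinhole) and one
    port that was bound and released so nothing listens on it. Returns (results, state)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # nothing listens here any more
    try:
        results = probe_segmentation(
            [("127.0.0.1", open_port), ("127.0.0.1", closed_port)], timeout=1.0)
    finally:
        listener.close()
    return results, classify(results)


if __name__ == "__main__":
    # Constructed placeholders; replace with the real CDE inventory.
    cde_targets = [("10.10.20.5", 1433), ("10.10.20.6", 443), ("10.10.20.7", 22)]
    results = probe_segmentation(cde_targets)
    for (host, port), ok in results.items():
        print(f"{host}:{port} {'REACHABLE' if ok else 'blocked'}")
    print("segmentation state:", classify(results))
```

A TCP connect probe only tests what the firewall or ACL permits, not whether the permitted service is safe; a "pinhole" result means the source segment is in scope and the service behind the pinhole needs its own review. Run the probe from every segment claimed to be out of scope, and keep the output with the scoping documentation the assessor will ask for.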
Scope Reduction Techniques
Segmentation (Cont.)
[Figure: segmentation diagram, courtesy of the PCI Security Standards Council. Labels: PCI Network; Controlled Access; E-commerce?; Supporting Services (Access Control Lists, User Listings, Configuration Settings, Database Schemas)]
So you found out there’s some…issues.
1. It is more common than you think.
2. Work with a trusted advisor.
3. The bank (or payment card brand) likes a project plan.
Me! (shameless plug)
PCI DSS Gap Remediation
The Prioritized Approach
• Helps entities implementing PCI DSS to identify highest risk targets
• Enables entities to demonstrate progress
• Helps acquirers objectively measure compliance activities, and risk reduction efforts
Useful Resources
The PCI Security Standards Council and Additional Resources
• Validated Payment Applications
• Validated P2PE Solutions
• Qualified Security Assessors
• Approved Scanning Vendors
• PCI Forensic Investigators
• Validated Service Provider Listing
  • Not all inclusive
  • Entities pay $$$ for listing
• PCI DSS v3.2
• Understanding SAQs for PCI DSS
• Prioritized Approach
• Document Library for Guidance on:
  • E-commerce
  • Intro to PCI
  • Logging
  • Mobile
  • Pentesting & Phishing
  • Risk Assessment
  • Security Awareness
  • SSL/TLS
  • Tokenization
  • Virtualization and Cloud
• Center for Internet Security
  • Platform Benchmarks
  • Platform Security Baselines
Questions and Answers