www.cognosec.com
David Jenkins (QSA CISA)
Director of PCI and Payment Services
PCI and the Cloud, where is my Atlas
Agenda
• About Cognosec
• PCI DSS 3.0 and CSPs
• SLA Considerations
• Technical considerations
• Auditing
About Cognosec GmbH
IT security and compliance specialist based in Vienna
Services in information security, governance, enterprise risk management, compliance, audit and assurance
Clients throughout Europe, Middle East, Africa and the United States
Qualified Security Assessor (QSA) Company for Europe and CEMEA
Approved Scanning Vendor (ASV) Company for Europe and CEMEA
PCI Security Standards and Compliance
Ecosystem of payment devices, applications, infrastructure and users
• Manufacturers & Service Providers: PCI P2PE and PTS (PIN and PAN)
• Software Developers: PCI PA-DSS (Payment Application Vendors)
• Merchants and Processors: PCI DSS (Data Security Standard)
• Supporting programs: QIR (Qualified Incident Response), PFI (PCI Forensic Investigator), Pen Testing*, ASV (Approved Scanning Vendor)
PCI and the Cloud
• More flexibility at the front end of the payment chain (multi-channel, Twitter etc.)
• More complexity on the back end (the P2PE standard is a good example)
PCI and the Cloud
• 52-page white paper referring to the 70-page NIST Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
• Leads on from the PCI DSS Virtualisation guidance
• Note the fine print
Service Level Agreements
Technical considerations
PCI DSS 3.0
Service Level Agreements
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
12.8.1 Maintain a list of service providers.
Considerations for you:
• Nested service-provider relationships? These relationships will add complexity to both the CSP's and the client's PCI DSS assessment process.
• Look to the P2PE standard for good examples of "behind the scenes" complexity.
PCI DSS 3.0
Service Level Agreements
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
PCI DSS 3.0
Service Level Agreements
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
Considerations for you:
• Your due-diligence process prior to engaging the CSP
• The provider's history in performing the services you require
• Identifying potential risks or circumstances associated with the CSP
• A deep dive into the service elements that need to be included in contracts and SLAs
PCI DSS 3.0
Service Level Agreements
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.
Considerations for you:
• How long has the CSP been PCI DSS compliant?
• What specific services and PCI DSS requirements were included in the validation?
• Are there any system components that the CSP relies on for delivery of the service that were not included in the PCI DSS validation?
• How does the CSP ensure that clients using the PCI DSS compliant service cannot introduce non-compliant components to the environment or bypass any PCI DSS controls?
PCI DSS 3.0
Service Level Agreements
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Considerations for you:
• Provisioning: SLAs and other written agreements between the CSP and client should clearly identify the delineation of responsibilities between the parties.
• Decommissioning and disposal: written agreements should also cover activities and assurances to be provided by both parties upon termination of the service provision.
• Clear requirements for data retention, storage and secure disposal.
PCI DSS 3.0
Service Level Agreements
12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer
Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.
Responsibilities
• Client – Generally each client will retain responsibility for maintaining and verifying the requirement.
• CSP – Generally the CSP will maintain and verify the requirement for their clients.
• Both – Generally responsibility is "shared" between the client and the CSP. This may be due to the requirement applying to elements present in both the client environment and the CSP-managed environment, or because both parties need to be involved in the management of a particular control.
Service Level Agreements
Technical considerations
Technical Considerations
• Protection methods such as hashing and encryption
• Encrypting transmission over networks
• Securing systems and applications, including coding
• Restricting access to data
• Assigning unique accountability
• Tracking and monitoring access
Technical Considerations
• Encrypted data is still in scope for PCI DSS
• Plan to keep all encryption/decryption and key-management operations isolated from the cloud
• "...if decryption keys and encrypted data are present, all applicable PCI DSS requirements would apply to that environment..."
Technical Considerations
• Isolation may be required at the network, operating system and application layers; and most importantly, there should be guaranteed isolation of data that is stored.
• Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation.
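The three scoping rules on the technical slides (encrypted data stays in scope, keys plus ciphertext in one place means every applicable requirement applies, and cloud segmentation must equal physical separation) can be applied mechanically to a component inventory. The Python below is an added example, not code from the presentation or from Cognosec; the `Component` attribute model and the sample inventory are constructed, and treating a component that is connected to the CDE without adequate segmentation as in scope is an assumption drawn from general PCI DSS scoping practice rather than from the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Component:
    """One system component in the inventory (constructed attribute model)."""
    name: str
    in_cloud: bool = False               # hosted by the CSP
    stores_chd: bool = False             # cleartext cardholder data present
    stores_encrypted_chd: bool = False   # ciphertext of cardholder data present
    holds_decryption_keys: bool = False  # keys or key-management functions present
    connected_to_cde: bool = False       # network path to an in-scope component
    isolated: bool = False               # segmentation equivalent to physical separation


@dataclass
class ScopeResult:
    name: str
    in_scope: bool
    reduced_applicability_possible: bool  # ciphertext only, no keys, no cleartext
    reasons: List[str] = field(default_factory=list)


def assess(c: Component) -> ScopeResult:
    """Apply the scoping rules from the slides to a single component."""
    reasons: List[str] = []
    if c.stores_chd:
        reasons.append("stores, processes or transmits cleartext CHD")
    if c.stores_encrypted_chd:
        reasons.append("holds encrypted CHD: encrypted data is still in scope")
    if c.holds_decryption_keys:
        reasons.append("holds decryption keys / performs key management")
    if c.stores_encrypted_chd and c.holds_decryption_keys:
        reasons.append("keys and encrypted data present together: "
                       "all applicable PCI DSS requirements apply")
    # Assumption: a CDE-connected component without isolation equivalent to
    # physical separation is pulled into scope.
    unsegmented = c.connected_to_cde and not c.isolated
    if unsegmented:
        reasons.append("connected to the CDE without segmentation "
                       "equivalent to physical separation")
    reduced = (c.stores_encrypted_chd and not c.holds_decryption_keys
               and not c.stores_chd and not unsegmented)
    return ScopeResult(c.name, bool(reasons), reduced, reasons)


def assess_inventory(components: List[Component]) -> Dict[str, ScopeResult]:
    return {c.name: assess(c) for c in components}


def key_management_in_cloud(components: List[Component]) -> List[str]:
    """Cloud-hosted components holding keys: conflicts with keeping key management off the cloud."""
    return sorted(c.name for c in components if c.in_cloud and c.holds_decryption_keys)


def segmentation_gaps(components: List[Component]) -> List[str]:
    """Components reachable from the CDE that lack isolation equivalent to physical separation."""
    return sorted(c.name for c in components if c.connected_to_cde and not c.isolated)


# Constructed sample inventory for a hybrid deployment (not a real environment).
SAMPLE_INVENTORY = [
    Component("web-app", in_cloud=True, stores_encrypted_chd=True, isolated=True),
    Component("cloud-db", in_cloud=True, stores_encrypted_chd=True,
              holds_decryption_keys=True, isolated=True),
    Component("onprem-hsm", holds_decryption_keys=True, isolated=True),
    Component("reporting-vm", in_cloud=True, connected_to_cde=True),
    Component("marketing-site", in_cloud=True, isolated=True),
]

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY).values():
        status = "IN SCOPE" if r.in_scope else "out of scope"
        print(f"{r.name:15} {status:13} reduced={r.reduced_applicability_possible}")
        for why in r.reasons:
            print(f"    - {why}")
    print("key management in cloud:", key_management_in_cloud(SAMPLE_INVENTORY))
    print("segmentation gaps:", segmentation_gaps(SAMPLE_INVENTORY))
```

Running it shows `web-app` in scope but with reduced applicability possible (ciphertext only), `cloud-db` in scope with everything applicable because keys sit beside the data, `onprem-hsm` in scope as the key holder, and `reporting-vm` pulled in purely by its unsegmented connection; `cloud-db` is also the one finding from `key_management_in_cloud`, which is the check to run against the "keep key management isolated from the cloud" plan before the CSP contract is signed.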
Auditing a PCI DSS Compliant CSP
• Proof of compliance documentation (AOC/ROC), including the date of compliance
• Documented evidence of system components and services that were included in the PCI DSS assessment
• Documented evidence of system components and services that were excluded from the PCI DSS assessment, as applicable to the service
• Appropriate contract language
Non-PCI-Compliant CSP
• Access to systems, facilities and appropriate personnel for on-site reviews, interviews, physical walk-throughs, etc.
• Policies and procedures, process documentation, configuration standards, training records, incident response plans, etc.
• Evidence (such as configurations, screenshots, process reviews, etc.) to show that all applicable PCI DSS requirements are being met for the in-scope system components
• Appropriate contract language
Summary
Policies, SLAs
Roadmap to provisioning
Technical considerations
Meeting the intent of the Standard
David Jenkins (QSA CISA)
Director of PCI and Payment Services
+43 664 8836 4846 [email protected]