PCI Compliance 103: Ask the Expert (eoplugin.commpartners.com/asae/2012/120306)
TRANSCRIPT
3/6/2012
PCI Compliance 103: Ask the Expert
Tuesday, March 6, 2012, 2:00 pm – 3:30 pm ET
David A. Wallace, MBA, CISA/M, CISSP
GM, Data Security Standards Compliance
Chase Paymentech
This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions and Chase Paymentech.
Your Presenter: With 29 years of experience in the Information Technology (IT) industry and 14 years of Information Security management experience, David Wallace serves as Group Manager for Chase Paymentech’s Security Standards Compliance team. In his role, Wallace is responsible for managing data security compliance for Chase Paymentech’s merchant portfolio and advising merchants about the Payment Card Industry (PCI) security standards.
Prior to joining Chase Paymentech, Wallace gained invaluable experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim’s Pride and Perot Systems. In addition to his professional experience, Wallace has earned several industry certifications, including Certified Information Systems Security Professional in 1999, Certified Information Security Manager in 2004, and Certified Information Systems Auditor in 2008. He is also a frequent speaker at regional, national and international information security conferences including the RSA Conference and Computer Security Institute Conference.
Wallace spent his undergraduate years attending Louisiana State University in Shreveport, La., where he studied business administration and management information systems. He earned a master’s degree in business administration from Southern Methodist University in Dallas, Texas in 2003.
David A. Wallace
Group Manager, Security Standards Compliance
Agenda
• Payment Card Industry Basics
• Reducing Scope
• Third Parties
• Resources and Questions
©2011, Chase Paymentech Solutions, LLC. All rights reserved.

Payment Card Industry Basics
PCI Security Standards Council
The Organization
• Mission – Formed by five major payment brands to enhance payment account data security
• 21-member advisory board with 500+ participating organizations
Scope
• Standards management
• Assessor accreditation
Payment Brand Data Security Programs
• Mandate compliance for entities storing, processing, or transmitting cardholder data
• Origination point for new PCI standards
• May differ from brand to brand
– And in some cases from region to region
• Some more active than others
PCI Security Standards
• The PCI Data Security Standard (PCI DSS)
o Applies to any entity that stores, processes, and/or transmits cardholder data
o Covers technical and operational system components
• The Payment Application Data Security Standard (PA-DSS)
o Applies to developers and integrators of applications involved in authorization or settlement.
o Governs these applications that are sold, distributed or licensed to third parties.
• The PIN Transaction Security (PTS)
o Applies to manufacturers of personal identification number (PIN) entry terminals used for payment card financial transactions.
PCI Security Standards Council Accreditations
Type: Assessment
• Internal Security Assessor (ISA) – Merchant resource certified to validate compliance of PCI DSS
• Qualified Security Assessor (QSA) – Independent third party certified to validate compliance of PCI DSS
• Payment Application Qualified Security Assessor (PA-QSA) – Independent third party certified to evaluate compliance of Payment Applications to the PA-DSS
Type: Network Scanning
• Approved Scanning Vendor (ASV) – Independent third party accredited to perform network vulnerability scan
Type: Forensics
• PCI Forensics Investigator (PFI) – Independent third party accredited to perform forensics investigation in the event of suspected cardholder data breach
Type: Laboratory
• PCI Recognized Laboratory – Independent third party certified to validate compliance of PIN Transaction Security Standards
Self Assessment Questionnaire Types
• Validation Type 1 – SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
• Validation Type 2 – SAQ B: Imprint-only merchants with no electronic cardholder data storage
• Validation Type 3 – SAQ B: Stand-alone dial terminal merchants, no electronic cardholder data storage
• Validation Type 4 – SAQ C: Merchants with IP terminals, or POS systems connected to the Internet, no electronic cardholder data storage, no networked devices
• Validation Type 4 – SAQ C-VT: Payment processing done via Virtual Terminal accessed via browser on Internet (no e-commerce)
• Validation Type 5 – SAQ D: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
Merchant Validation Levels and Requirements
• Level 4
– Volume: Less than 20,000 ecommerce or less than 1 million transactions with one card brand
– Requirements: Self-Assessment Questionnaire; Quarterly network scans
– Compliance validation target: 12/31/2006
• Level 3
– Volume: Between 20,000 and 1 million Visa or MC ecommerce transactions in a 12 month period
– Requirements: Self-Assessment Questionnaire; Quarterly network scans
– Compliance validation target: 12 months from date of notification
• Level 2
– Volume: Between 1 and 6 million Visa or MC transactions in a 12 month period
– Requirements: Self-Assessment Questionnaire (1); Quarterly network scans
– Compliance validation target: Dec 31st of year following notification (2)
• Level 1
– Volume: Greater than 6 million Visa or MC transactions in a 12 month period
– Requirements: Onsite Assessment (1); Quarterly network scans
– Compliance validation target: Sept. 30th of year following notification (2)
(1) MasterCard now requires Level 1 and Level 2 merchant assessments to be performed by an assessor – QSA or ISA
(2) MasterCard requires all Level 1 and Level 2 merchants to validate compliance by June 30, 2011
Payment Brand Enforcement
• Prohibited data storage fines: up to $480,000/year
• PCI Non-Compliance fines: up to $675,000/year
• Compromise fines: Vary based on incident severity; assessed in addition to non-compliance fines
What Do Hackers Want?
Payment Card Data is a target for criminals looking to turn data into cash quickly
Source: Trustwave Global Security Report 2011
What Could a Compromise Cost My Association?
(Examples 1–4 are Card Present; Examples 5–6 are Card Not Present.)
• Example 1 – Type of Merchant: Retailer; PCI Level 1; Number of Accounts at risk: 45,700,000; Data at risk: Magnetic Stripe; Visa Fine: $40.9 M; MasterCard Fine: $24 M; Visa ADCR Fine: N/A; Compliance Cases: $-, N/A; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $64.9 M
• Example 2 – Type of Merchant: Restaurant; PCI Level 2; Number of Accounts at risk: ~22,000; Data at risk: Magnetic Stripe; Visa Fine: $15,000; MasterCard Fine: $10,000; Visa ADCR Fine: $429,000; Compliance Cases: $-, Closed; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $454,000
• Example 3 – Type of Merchant: Rest / Ent; PCI Level 2; Number of Accounts at risk: ~156,000; Data at risk: Magnetic Stripe; Visa Fine: $10,000; MasterCard Fine: $90,000; Visa ADCR Fine: $-; Compliance Cases: $390,000, Active; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $490,000
• Example 4 – Type of Merchant: Restaurant; PCI Level 4; Number of Accounts at risk: ~33,330; Data at risk: Magnetic Stripe; Visa Fine: $15,000; MasterCard Fine: $14,600; Visa ADCR Fine: $69,000; Compliance Cases: $3,000, Active; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $101,600
• Example 5 – Type of Merchant: Service Provider; PCI Level 2; Number of Accounts at risk: ~635,000; Data at risk: Account Numbers; Visa Fine: $17,500; MasterCard Fine: $100,000; Visa ADCR Fine: $-; Compliance Cases: $-, Closed; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $117,500
• Example 6 – Type of Merchant: Event Other; PCI Level 4; Number of Accounts at risk: ~88,000; Data at risk: Account Numbers; Visa Fine: $10,000; MasterCard Fine: $5,000; Visa ADCR Fine: $-; Compliance Cases: $-, Closed; Forensic Investigation: Unknown; Cost of Upgrades: Unknown; Merchant Brand Damage: Unknown; TOTAL: > $15,000
What can I do?
The Prioritized Approach – Simply
• Six Milestones:
1. If you don’t need it, don’t store it
2. Secure the perimeter
3. Secure applications
4. Monitor and control access to your systems
5. Protect stored cardholder data
6. Finalize remaining compliance efforts, and ensure all controls are in place
• Tools and guidance on the PCI SSC Web site
Use PA-DSS Validated Payment Applications
Validated payment applications:
• Do not store prohibited data or cardholder data past authorization and settlement
• Versions available for most applications
• Configured to update and patch automatically
• Listed on the PCI Security Standards Council Web Site
• Cost: Varies by application
#5 - Payment Hardware Best Practices
• Securely mount terminals to deter theft
• Use PCI PTS validated terminals
– Support strong keys (Triple DES aka ‘TDES’)
– Tamper resistant if stolen
• Memory is deleted if device is opened
• PIN encryption key is deleted if device is opened
• Cannot be used in skimmer/replacement attack
– Required by July 1, 2010 for merchants accepting PIN Debit
– Listed on the PCI Council web site
• Cost: Varies by terminal
#4 - Use Strong Passwords
• Change the default password on a new system
• Choose a good password
– Easy to remember
– Hard to guess
– Mixed case, alpha-numeric, special characters
• Pink Floyd
• Pink Floyd!
• P1nk F10yd!
• F10yd!P1nk
• FP11!0nykd
• Cost: FREE
#3 - Install and Use Anti-Virus Software
• Anti-Virus software
– Usually includes anti-virus, anti-spyware and a personal firewall
– Checks the hard drive and memory for existing infections
– Monitors communications for infected files and web pages
– Updates automatically via the Internet
• Cost: Often FREE from Internet Service Provider
#2 – Apply Patches
• Update software patches:
– Address newly identified vulnerabilities
– Released
• Regularly (Microsoft “Patch Tuesdays”)
• As needed when critical vulnerabilities appear
– Can be downloaded and installed automatically
• Cost: Free
#1 – Install a Firewall
• Consumer-grade firewalls:
– Available since the late 1990s
– Require little or no configuration
– Available from most large retailers
– Cost: Less than $100
Scope Reduction
Security Business Decision 101
• Assess the risks
• Identify the mitigation options
• Determine how much risk
– The business is comfortable accepting
– The business is ALLOWED to accept?
• Recognize the constraints
• Acquire and apply resources
But what WAS the BUSINESS Decision?
• The drivers for storing, processing, and transmitting cardholder data are BUSINESS drivers
• The business has to ask (or BE ASKED)
– Do legacy cardholder data business processes make sense in the post PCI world in light of
• the expenditures we will be called upon to make?
• the processes we will have to implement?
• the effort we will have to exert?
• the discipline we will have to maintain?
– To achieve and maintain compliance?
If the Answers Are “No”
• The business has to:
– Reengineer Processes
• Evaluate acceptance processes and technologies
• Identify significant post deposit events and their timing
• Adjust data capture, processing, storage and retrieval policies
– Reduce cardholder data storage
• Rely on the Acquirer
• Implement tokenization
– Examine outsourcing options
What are Compliance-Enabling Technologies?
• Product (or service) that reduces the scope of PCI
– Not a PCI requirement
– Does not replace PCI or its requirements
• Benefits organizations
– with large, ‘flat’ networks
– who have well-defined and understood payment flows
• Long term cost reduction
– Generally lengthy and costly up-front
– Multi-year payback
• Not one-size-fits-all; proceed with caution!
Eliminating the Scope of PCI
• One solution: stop accepting cards
• See SAQ A
– Information security policy
– Security awareness training
– Service Provider compliance
• You can only hope to reduce your scope
• There is no PCI Fairy!
Some Examples
• Masking
• Virtual Terminal
• EMV or ‘Chip and PIN’
• Point-to-point Encryption
• Tokenization
• Hosted Pay Page
• Mobile?
Masking
• Primarily a display technology
– Underlying data is still stored
– Display is suppressed on a need-to-know basis
• Use of replacement data to obscure or replace PAN
– Data replacement strings can be random or fixed
• Not tokenization or encryption
– No hashing or encryption algorithms are used
• Useful in limiting scope by denying end users access to full PAN
Sample Masking Formats
• PCI: 435461XXXXXX1234
• FACTA: ***********23456
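An added example, not code from the presentation or from Chase Paymentech, implementing the two sample masking formats above as a pure display control. The sample PAN is constructed (Luhn-valid but not a real account number), and the role names in display_pan are hypothetical.

```python
import re

# Added example: display masking of a PAN in the two formats shown on the slide.
# Masking is a display control only: the stored value is untouched and no
# hashing or encryption is involved, so it is NOT tokenization or encryption.

PAN_RE = re.compile(r"^\d{13,19}$")  # PAN lengths in common use


def luhn_valid(digits: str) -> bool:
    """Mod-10 check, used only to reject malformed input before masking."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_plausible_pan(pan: str) -> bool:
    digits = re.sub(r"[ -]", "", pan)   # tolerate "4354 6100 ..." style input
    return bool(PAN_RE.match(digits)) and luhn_valid(digits)


def normalize(pan: str) -> str:
    if not is_plausible_pan(pan):
        raise ValueError("not a plausible PAN")
    return re.sub(r"[ -]", "", pan)


def mask_pci(pan: str) -> str:
    """PCI format from the slide: first six and last four visible (435461XXXXXX1234)."""
    d = normalize(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def mask_facta(pan: str) -> str:
    """FACTA receipt format from the slide: only the last five digits visible."""
    d = normalize(pan)
    return "*" * (len(d) - 5) + d[-5:]


def display_pan(pan: str, role: str) -> str:
    """Need-to-know display: one stored value, a different view per role.

    Role names are hypothetical; only the first role may see the full PAN.
    """
    if role == "fraud_analyst":
        return normalize(pan)
    if role == "customer_service":
        return mask_pci(pan)
    return mask_facta(pan)


if __name__ == "__main__":
    # Constructed, Luhn-valid sample PAN (not a real account number).
    sample = "4354 6100 0006 1234"
    for role in ("fraud_analyst", "customer_service", "cashier"):
        print(f"{role:17s} {display_pan(sample, role)}")
```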
Virtual Terminal
• Web page with SSL-encrypted link
• Card data capture & hosted remotely
• Can incorporate tokenization
• Good fit for card-not-present and e-Commerce
– Call Centers
– Customer self-service
• Can operate in conjunction with terminal/reader hardware to support card-present transactions
• PCI SSC recognized use case in 2010 with Self Assessment Questionnaire (SAQ) C-VT
EMV
What is EMV?
• Europay-MasterCard-Visa standard for global interoperability of Integrated Circuit or ‘Chip’ cards
• Almost universally implemented in Europe
• Widely deployed in Canada
• PIN-authenticated transactions
• Recent attacks have demonstrated protocol vulnerabilities that can obviate PIN security in EU implementation
EMV & PCI
• Primary EMV impact is card-present fraud reduction
• Alternate payment mechanisms are available
– Mag stripe read
– Manual PAN entry
• Brands offering PCI incentives for EMV adoption
– MasterCard SDP (Issuer centric)
– Visa TIP (Merchant centric)
• EMV and PCI are not “EITHER/OR”
– More like bacon and eggs or peanut butter and jelly
– Good separately
– Better together
What is Tokenization?
• A form of PAN replacement that substitutes a derived value for the PAN
• Tokenization server creates tokens, tracks the relationship of tokens to PANs, and translates tokens back into PANs
• A TRUE token can have NO reversible relationship between token and PAN
Tokenization & PCI
• Compliance
– Potentially eliminates cardholder data storage
• Reduces scope and cost of PCI DSS compliance
• Reduces risk in the event of compromise
– Tokenization occurs after authorization
• Does not address acceptance
• System accepting transactions can perpetuate an in-scope cardholder data environment within the merchants’ systems
• Operations
– Credit card number is a highly specific value
– May require integration into existing systems
– Hosted Pay Page required to support scope limitation at acceptance
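An added example, not the presenter's or any provider's code, of the tokenization server relationship described in the two slides above: a hypothetical in-memory vault that issues random, format-preserving tokens and is the only place a token can be translated back into a PAN. The sample PANs are constructed; a production vault would keep its PAN store encrypted and outside the merchant environment.

```python
import re
import secrets

# Added example: a minimal tokenization server. Tokens keep the PAN's length and
# last four digits (so receipts and customer lookup keep working) but every
# other digit is drawn from a CSPRNG: nothing in the token derives from the PAN,
# so there is no function that maps a token back without the vault's table.
PAN_RE = re.compile(r"^\d{13,19}$")


class TokenVault:
    """Hypothetical in-memory vault; real vaults encrypt the PAN store."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (astronomically unlikely) collision with an existing
            # token or with the PAN itself.
            if token != pan and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Called by the provider after authorization; the merchant keeps the result."""
        if not PAN_RE.match(pan):
            raise ValueError("PAN must be 13-19 digits")
        # Same PAN -> same token, so repeat purchases and refunds work
        # without the merchant ever storing the PAN.
        if pan not in self._pan_to_token:
            token = self._new_token(pan)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Only the vault can translate back; a stolen token alone is worthless."""
        return self._token_to_pan[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant's system retains after authorization: token, never PAN.

    Note the PAN still passed through the accepting system, which is why the
    slide says tokenization does not address acceptance.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "4354610000061234")  # constructed sample PAN
    print("merchant stores:", record)
    print("vault resolves :", vault.detokenize(record["token"]))
```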
What is Point-to-point Encryption?
• Card data encrypted at swipe
• Decryption occurs outside merchant environment
• No decryption key material in merchant environment
– REQUIRED to achieve scope reduction
• Implementation is key
Point-to-point Encryption and PCI
• Encrypted PAN is still a PAN
• If cardholder data:
– Is encrypted when read AND
– Decryption occurs outside the merchant environment AND
– No key material exists in the merchant environment
• Then the merchant environment scope is potentially minimized
– Assuming no other cardholder data is stored, processed, or transmitted anywhere in the merchant environment
Going Mobile
• Current generation of mobile applications are mostly ports from the PC/UNIX/Linux world
• Applications developed based on prior platform assumptions
– Secured (or securable) operating system
– Availability of effective protective mechanisms
• Native
• Aftermarket
– Robust logging and protected log files
• Mobile applications are still available
– Adopt mobile devices with secure underlying operating systems
– Must be able to implement PCI DSS controls
• For the operating system
• For the application
Mobile and PCI
• PCI SSC mobile device hierarchy
– Class 1 – Purpose built wireless payment device
– Class 2 – Purpose built payment device operating wirelessly
– Class 3 – Consumer cell phone-based device
• Scenario 1 – PTS validated sled w/phone as radio
• Scenario 2 – Phone has access to payment instrument data
• PCI SSC has delisted multiple PA-DSS-validated mobile payment applications
– Common thread: device form factor
• MasterCard requires all merchants to use Validated Payment Applications by June 30, 2012
Phone-Based Mobile Application Issues
• Three words: Operating Systems Security
• Cell phone operating systems today:
– Contain known vulnerabilities
– Are attracting serious hacker attention
• Have been successfully compromised in multiple recent hacking competitions
• More vulnerabilities likely to emerge
– Support multiple forms of inbound connectivity
• CDMA, GSM, etc.
• 802.11
• Bluetooth
– Lack basic protections such as
• Passwords
• Anti-virus
• Firewalls
– Lack the ability to patch & update securely, automatically, and seamlessly
Third Party Agents
How Do I Choose a Service Provider?
• The same way you chose any vendor!
– Provides a product and/or service you need
– At a price you want
– In the best interest of your customers and stakeholders
• Check their finances
• Check their references
• Check their accreditation
Key Considerations
• Compliance & Security
• Liability and Indemnification
Resources
Additional Resources
• Chase Paymentech: http://www.chasepaymentech.com
• Cardholder Data Security: http://www.chasepaymentech.com/datasecurity
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• Validated Payment Applications: https://www.pcisecuritystandards.org/security_standards/vpa/
• PTS Certified devices: https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
• Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/saq/index.shtml
• Prioritized Approach: https://www.pcisecuritystandards.org/education/prioritized.shtml
• Visa Cardholder Info Security Program: http://usa.visa.com/merchants/risk_management/cisp.html
• Visa/BBB Data Security Microsite: http://www.bbb.org/data-security/
• Visa Alert Page: http://usa.visa.com/merchants/risk_management/cisp_alerts.html
• MasterCard Site Data Protection Program: https://sdp.mastercardintl.com/
• Trustwave: http://www.trustwave.com
• Portal: Level 4 Merchant Portal: https://www.trustwave.com/level4pci/
• Free Risk Profile: http://chasepaymentech.riskprofiler.net/ (referral code: WELCOMECHASEPAY)
Questions?
David A. Wallace
Group Manager, Security Standards Compliance
Chase Paymentech
www.chasepaymentech.com/asae