PCI Compliance – The Circuit
PCI Compliance Fundamentals
2011
What is PCI Compliance?
• PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
– Card brands: American Express, Discover, JCB International, MasterCard, and Visa
• Security Management and Monitoring
• Policies & Procedures
• Network Architecture
• Software design
• If you accept payment cards, you are required to be compliant with the PCI Data Security Standard.
• PCI – The Gold Standard
– Compared to other standards, the requirements are clearly defined
The PCI Data Security Standard
Why Is Compliance with PCI DSS Important?
• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
– Regulatory notification requirements,
– Loss of reputation,
– Loss of customers,
– Potential financial liabilities (for example, regulatory and other fees and fines), and
– Litigation
Economics of a Credit Card Breach – Source: Coalfire
A hypothetical merchant has 10,000 card numbers and account holder information compromised. What is the potential financial impact to the merchant?
– Notify clients and provide privacy guard: $30 x 10,000 = $300,000
– Fines and penalties from card brands and acquiring banks: $50,000 to $500,000
– Increased PCI audits and requirements for new controls: $50,000 x 3 years = $150,000
– Potential costs to re-issue credit cards: 10,000 accounts x $20 = $200,000
– Reputation loss: PRICELESS!
Estimates are based on actual incidents examined by Coalfire’s forensic team. Fees and services required vary by incident. For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com)
Why Is Compliance with PCI DSS Important?
• Investigations after compromises consistently show common PCI DSS violations, including but not limited to:
– Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
– Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
– Default system settings and passwords not changed when system was set up (Requirement 2.1)
– Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4)
– Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)
– Missing and outdated security patches (Requirement 6.1)
– Lack of logging (Requirement 10)
– Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
– Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
What are my organization’s requirements?
Self-Assessment Questionnaire
Does your company store any cardholder data in electronic format?
SAQ A) Requirement Areas: 9 & 12 – 13 questions / requirements
SAQ B) Requirement Areas: 3, 4, 7, 9 & 12 – 29 questions / requirements
SAQ C-VT) Requirement Areas: 1-7, 9 & 12 – 51 questions / requirements
SAQ C) Requirement Areas: 1-9, 11 & 12 – 80 questions / requirements
SAQ D) Requirement Areas: 1-12 – 286 questions / requirements
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
Policies and Procedures
PCI requirement – Policies/procedures
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Configuration standards, Change control approval and testing process, Firewall placement, Maintain current network diagram, Description of Roles & Responsibilities, Documentation and business justification of all ports, protocols and services, FW and Router review.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– Pre-production modifications, Develop configuration hardening standards, Removing/disabling insecure/unnecessary services, protocols and functionality, One function per server, Encrypting all non-console access
Requirement 3: Protect stored cardholder data
– Limit duration of data retention, Secure deletion, Data types retained, Display masking, Safe storage, Encryption key management
Requirement 4: Encrypt transmission of cardholder data across open, public networks
– Minimum encryption standards, Wireless standards
Requirement 5: Use and regularly update anti-virus software or programs
– Antivirus validation (current, actively running and generating logs)
Requirement 6: Develop and maintain secure systems and applications
– Vulnerability identification, ranking and management, Patching and patch validation, Secure application development and deployment, Change control, Code reviews
Requirement 7: Restrict access to cardholder data by business need to know
– Data control need-to-know requirements, Role-based access
Requirement 8: Assign a unique ID to each person with computer access
– Authentication and password management policies and procedures, Unique ID, user verification for password resets, Employee termination, Remove inactive users, Vendor access, Password length, duration, strength
Requirement 9: Restrict physical access to cardholder data
– Access control, Badge assignment, Visitors, Media access, distribution and destruction
Requirement 10: Track and monitor all access to network resources and cardholder data
– Daily log review, Exception handling, Log retention and availability
Requirement 11: Regularly test security systems and processes
– Detect and identify wireless access points, Alerting, Incident handling and response, IDS/IPS configuration and updates, Change control
Requirement 12: Maintain a policy that addresses information security for employees and contractors
– Information security policy, Risk assessment, Daily operational procedures, Usage policy, Personnel roles and responsibilities, Monitoring & analysis, Incident response and escalation plan, Security awareness program
Technologies
PCI requirement – Technologies
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Firewall (network and personal), Routers and Switches, File Integrity Monitoring
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
– Vulnerability Scanning / Management, VPN
Requirement 3: Protect stored cardholder data
– Encryption, Backup / data retention
Requirement 4: Encrypt transmission of cardholder data across open, public networks
– Encryption, VPN, Firewall, WAF, IDS/IPS
Requirement 5: Use and regularly update anti-virus software or programs
– Antivirus, File Integrity Monitoring, Log Management
Requirement 6: Develop and maintain secure systems and applications
– Vulnerability Scanning / Management, Patch Management, WAF
Requirement 7: Restrict access to cardholder data by business need to know
– Firewall, VPN, Authentication, Application-level access control
Requirement 8: Assign a unique ID to each person with computer access
– Multi-Factor Authentication, Application-level access control, Firewall, VPN
Requirement 9: Restrict physical access to cardholder data
– PCI Certified Data Centers
Requirement 10: Track and monitor all access to network resources and cardholder data
– Log Management, SIM, SIEM, File Integrity Monitoring, NTP Service
Requirement 11: Regularly test security systems and processes
– Vulnerability Scanning, IDS/IPS, File Integrity Monitoring, Log Management
Requirement 12: Maintain a policy that addresses information security for employees and contractors
– Log Management, SIM, SIEM, IDS/IPS
Ten Common Myths of PCI DSS
Myth 1 – One vendor and product will make us compliant
Myth 2 – Outsourcing card processing makes us compliant
Myth 3 – PCI compliance is an IT project
Myth 4 – PCI will make us secure
Myth 5 – PCI is unreasonable; it requires too much
Myth 6 – PCI requires us to hire a Qualified Security Assessor
Myth 7 – We don’t take enough credit cards to be compliant
Myth 8 – We completed a SAQ so we’re compliant
Myth 9 – PCI makes us store cardholder data
Myth 10 – PCI is too hard
*Source: PCI Security Standards Council
Proven PCI management practices
• Limit the scope of the PCI environment
• PCI embedded in an overall security program
• PCI-compliant policies, procedures, and training
• Monitoring and reporting
• Due diligence of your service providers and vendors
• Work with a QSA
• PCI DSS General Tips and Strategies to Prepare for Compliance Validation
1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks): NEVER STORE THIS DATA
2. Ask your POS vendor about the security of your system
3. Cardholder data: if you don’t need it, don’t store it!
– Payment brand rules allow for the storage of the Primary Account Number (PAN), expiration date, cardholder name, and service code.
4. Cardholder data: if you do need it, consolidate and isolate it.
5. Compensating Controls
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
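The breach findings above note that many compromised entities do not know their systems are storing magnetic stripe data (Requirement 3.2), and the tips close with "never store" sensitive authentication data and masking of any PAN that is retained. The following Python is an added example, not part of the slides or any PCI SSC material, of the kind of check a merchant can run over POS logs or database extracts to find that storage: it flags track 1 and track 2 records and unmasked PANs (Luhn-validated to skip order ids that merely look like card numbers) and reports each hit in masked form. The log lines are constructed; the only card numbers are the well-known test PANs 4111... and 5500..., and the regular expressions, function names and masking rule (first six, last four) are this example's own assumptions.

```python
import re

# Constructed sample of POS-style log lines (synthetic; PANs are the well-known test
# numbers 4111... and 5500..., the track records and order id are made up).
SAMPLE_LINES = [
    "2011-03-01 12:00:01 AUTH ok pan=4111111111111111 exp=1213 amt=19.99",
    "2011-03-01 12:00:02 SWIPE raw=%B4111111111111111^DOE/JOHN^121310100001?",
    "2011-03-01 12:00:03 SWIPE raw=;5500000000000004=12131010001?",
    "2011-03-01 12:00:04 AUTH ok pan=411111******1111 cvv=*** amt=5.00",
    "2011-03-01 12:00:05 ORDER id=1234567890123456 status=shipped",
]

TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4,}[^?]*\?")  # %B<PAN>^NAME^...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4,}\?")                      # ;<PAN>=YYMM...?
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")                         # bare 13-19 digit run

def luhn_ok(digits):
    # Luhn check digit; weeds out ids and timestamps that merely look like PANs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan):
    # display masking assumed here: first six and last four digits only
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    # returns (kind, masked PAN) for each track record or unmasked Luhn-valid PAN
    findings = []
    covered = []  # PANs already reported as part of a track record
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            covered.append(m.group(1))
    for m in PAN.finditer(line):
        pan = m.group(0)
        if luhn_ok(pan) and pan not in covered:
            findings.append(("pan", mask_pan(pan)))
    return findings

def scan_lines(lines):
    # count findings by kind across a log or data extract
    counts = {"track1": 0, "track2": 0, "pan": 0}
    for line in lines:
        for kind, _ in scan_line(line):
            counts[kind] += 1
    return counts
```

Any track1/track2 hit is sensitive authentication data that must be purged and its source fixed; a pan hit means a retained PAN that needs encryption or truncation at rest and masking on display.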