11/24/2010 5:24:05 PM. 1Public
PCI DSS Myths and Truths
Nick Steele Director of Consultancy Services
Qualified Security Assessor
Red Island Consulting
November 2010
• Management System specialists & Europe's most successful providers of ISO27001 solutions
• Over 25% of all UK ISO27001 certificates
• Qualified Security Assessors (PCI DSS)
• Global Client base includes:
– Government Departments (incl. UK, Saudi, IoM, Eire, Cyprus)
– Defense Contractors
– Health Service and Suppliers
– Telcos, I.T. Developers, Hi Tech Organisations, Media
– Financial Institutions
• Dedicated Red Island consultants – no sub-contractors
• All experienced with deep technical knowledge across IT systems & supporting infrastructure. Strong expertise in Operational Risk, IT Governance & linkage to Corporate Governance
ISO 27001
Risk Management
ITIL (ISO20000)
ISO9001
PCI DSS
Business Continuity Planning &
Disaster Recovery
CESG RMADS & IS1
Red Island Consulting
Contents
1. PCI DSS Background
2. PCI DSS – Myths & Truths
3. PCI DSS – Call Centre Specific Requirements Actions
PCI DSS – Background
• All companies that store, process or transmit payment card information
• Includes Merchants & Service Providers
• Card companies place burden of compliance on Acquirers, Acquirers place burden on Merchant
• Merchants & Service Providers must report back to Acquirers & Payment Brands on compliance
Compliance mandatory as of now
PCI DSS Requirement Business Considerations
• Fines for Breaches can be passed contractually from Card Brand, to Acquirer, from Acquirer to Merchant
• Business impact of a card data breach may be more significant than fines:
• Negative Press & Media
• Loss of customers
• Increased transaction rate
• Loss of card processing
• Litigation & legal proceedings
• Major SPs lost 100 million card details – publicly branded non-compliant by Visa in March 2009
PCI Requirements and Considerations
PCI Relevant Data
PCI DSS Requirements
PCI DSS – Myths & Truths
Myth:
PCI DSS is all about compliance
Truth
• Risk assessment of the business and cardholder data is essential
• Manage the risk as well as compliance
• Compliance does not guarantee security
• Significant breaches have happened to certified Level 1 Merchants & Service Providers
PCI Compliance & Risk
Myth:
We need the card numbers for business & regulatory requirements
Truth
• There is no regulatory requirement to store PANs
• Most business processes only require the numbers for a short time
• Truncated numbers (first 6 & last 4 digits) are not PANs but can still be used to identify customers
• Most organisations keep numbers for no real reason
PCI Compliance & Risk
Myth:
Call Recordings can’t contain cardholder data, or are out of scope
Truth
• Call recordings are considered electronic storage of cardholder data, and so are in scope
• The same level of control and protection must be applied to call recordings as other electronic data
• Some dispensation is allowed for storage of CVV in call recordings, under certain circumstances
• Think about the risk of access to recordings and content
PCI Compliance & Risk
Myth:
One product will make us Compliant
Truth
• There are many great products to assist in managing compliance to the PCI DSS, but not one that will do everything
• Some elements of PCI DSS are documentation and management requirements
• There are open source as well as commercial products
PCI Compliance & Risk
Myth:
We’ve outsourced the payment process so we don’t have to do anything
Truth
• Even if you hand off payments to an external party, you still retain the obligation for compliance
• Understanding your external parties that handle card data and managing their compliance is part of the PCI DSS
• You need to validate that external parties are PCI DSS compliant
PCI Compliance & Risk
Myth:
There’s no risk assessment in PCI DSS
Truth
• The level of implementation of a control in many cases is risk based – admin access, secure storage etc.
• Compensating controls are risk assessments
• Section 12 requires an annual risk assessment
PCI Compliance & Risk
Myth:
PCI DSS is an IT Project
Truth
• Information Security needs to involve the whole business
• Training and awareness is critical as well as mandatory
• Paper and physical security is just as important
• Policies & procedures should cover all people & processes
• Management commitment and direction is key
PCI Compliance & Risk
Myth:
We have to hire a QSA
Truth
• Level 2, 3 & 4 Merchants and Level 2 Service Providers can self assess
• You will always know your business better than any auditor
• But QSAs can provide valuable insight even if self assessing
• Own it
PCI Compliance & Risk
Myth:
We are fully compliant and certified, so nothing can go wrong.......
Truth
• Minimum requirements for PCI DSS are an annual assessment and quarterly technical tests
• Make PCI DSS compliance part of the governance & Information Security processes
PCI Compliance & Risk
• Manage the risk to the business – don't lose the data
• Use compensating controls where appropriate
• Go beyond the PCI DSS, it's just a baseline
• Think about ownership & Security management – one audit per annum is not enough
• IT should not own compliance to PCI DSS
• Incorporate PCI into general Governance. Use existing management systems such as ISO27001
• Compliance is just the starting point; use audit, review, testing and Security Management to manage the risks
PCI Compliance & Risk
PCI – Call Centre Specific Issues
• Call Recording
• Screen Scraping / Recording
• Databases & Applications
• 3rd Party Access
• Call Centre Agents
• Paper forms as fallback, note taking
• Notes Fields
• Data Transfer
PCI Call Centre Risk Areas
• Call centres are easy targets
• High staff turnover
• Easy access to sensitive data, as well as hardware
• Credit card data is the easiest data to turn into revenue
• Manage the risks, not just compliance
PCI Call Centre Risk Assessment
Call Recordings:
• Used in most call centres
• FSA compliance can require calls to be recorded
• PCI DSS says you can’t store “Sensitive Authentication Data” – i.e. CVV numbers
• Many legacy systems pre-date PCI DSS
PCI Call Recordings
This response is intended to provide clarification for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.
PCI Call Recordings
Sensitive Cardholder Data Call Recording
• Difficulties / considerations:
• Encryption may be difficult; key management and loss of recordings are significant
• By their nature, recordings are meant to be used
• Manual solutions may be ineffective & impractical
• Technical solutions may add cost
• Consider archived data as well as the future process
PCI Call Recordings
Possible Options for not storing CVV
• Agent manual recording drop
• Script tracking or automated process to stop / start recording
• Word spotting to find & delete CHD
• Redirect to IVR or outsource to take payment
*If you do it for CVV, do it for all CHD – reduce scope*
PCI Call Recordings - Options
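As an added example (not part of the original slides), the following Python scanner illustrates two points from this deck together: the truncation rule from the "card numbers" slide (first 6 and last 4 digits are kept, the rest is not a PAN) and the "word spotting to find & delete CHD" option listed above. It assumes call recordings have already been transcribed to text (it does no audio processing), and the regexes, keyword list and sample transcript are all constructed for this example; the card number in the sample is a published test number, not a real account.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# Constructed for this example; narrow it to the card ranges you actually accept.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Word-spotting pattern for a spoken card validation code: a keyword, then a
# 3- or 4-digit group within 30 non-digit characters. Keyword list is constructed.
SAD_CONTEXT = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code|three digits)\b\D{0,30}?(\d{3,4})\b",
    re.IGNORECASE,
)

# Constructed sample transcript. 4111... is a published test card number;
# 1234 5678 ... is a 16-digit order reference that must NOT be treated as a PAN.
SAMPLE_TRANSCRIPT = (
    "Agent: can I take the long number? Caller: 4111 1111 1111 1111. "
    "Agent: and the security code on the back? Caller: it's 123. "
    "Agent: thanks, your order reference is 1234 5678 9012 3456."
)


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Keep first 6 and last 4 digits (the truncation the slides describe)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def _pan_digits(raw):
    """Strip separators; return the digits only if the run is a plausible PAN."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text):
    """Return every Luhn-valid PAN in text as a plain digit string."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _pan_digits(m.group(0))
        if digits:
            found.append(digits)
    return found


def find_sad(text):
    """Return 3-4 digit groups spoken right after a validation-code keyword."""
    return [m.group(1) for m in SAD_CONTEXT.finditer(text)]


def redact(text):
    """Truncate PANs and remove spoken validation codes. PANs are handled
    first so the SAD matcher cannot latch onto the leading digits of a card number."""
    def pan_repl(m):
        digits = _pan_digits(m.group(0))
        return truncate_pan(digits) if digits else m.group(0)

    def sad_repl(m):
        keep = m.start(1) - m.start(0)  # keyword and filler words stay
        return m.group(0)[:keep] + "[SAD REMOVED]"

    return SAD_CONTEXT.sub(sad_repl, PAN_CANDIDATE.sub(pan_repl, text))


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_TRANSCRIPT))
    print("SAD found: ", find_sad(SAMPLE_TRANSCRIPT))
    print(redact(SAMPLE_TRANSCRIPT))
```

The Luhn check is what keeps the 16-digit order reference out of the results; a pure digit-run match would flag it and inflate the clean-up workload. Run against archived transcripts it gives a count of recordings that still hold SAD, which is the input the "Assess whether current system can meet the FAQ requirements" action on the next slide needs.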
• Risk assess your current setup
• Discuss options with vendors / service providers
• Balance options of keeping / not keeping the SAD against cost of technology & process change
• Assess whether current system can meet the FAQ requirements
• Assess the risk – admin access, encryption, removable media, access to calls, client access & sharing
PCI Call Recordings - Actions
Thank You