PCI requirements in business language: What can happen with the cardholder data?

Upload: godwin-fleming

Posted on 26-Dec-2015


Partners

Media sponsors

Lecture contents

• What is PCI DSS?
• Who must comply with PCI DSS?
• The PCI DSS requirements
• Steps of the PCI DSS assessment
• Compliance level
• Incidents
• Background of an incident
• Typical example

What is PCI DSS?

• Payment Card Industry Data Security Standard
• Developed by: the founding payment brands
• Main principles:
  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Who must comply with PCI DSS?

Covered:
• Issuer & service provider(s)
• Acquirer & service provider(s)
• Merchant & service provider(s)

Not covered:
• Cardholder

The PCI DSS requirements

• Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Steps of the PCI assessment

• Preparation for the assessment
  • Perform penetration testing
  • Perform vulnerability scanning
  • Perform security awareness training
  • Establish testing procedures regarding hosting providers
  • Develop a data retention and disposal policy and procedures
  • …
• Type of the assessment
  • Qualified Security Assessor (QSA) onsite review
  • Self-assessment
  • Network security scan
• Depends on
  • Number of transactions
  • Special request from a certain payment brand

Compliance level definitions - Merchants

Each level lists its validation criteria, then the three validation methods: QSA onsite review, self-assessment, network security scan.

• Level 1 - Any merchant, regardless of channel, with >6M transactions; any merchant that has suffered a hack; any merchant identified by any payment card brand as Level 1
  • QSA onsite review: required (annually)
  • Self-assessment: not required
  • Network security scan: required (quarterly)
• Level 2 - Any merchant, regardless of channel, with 1M to 6M transactions
  • QSA onsite review: not required
  • Self-assessment: required (annually)
  • Network security scan: required (quarterly)
• Level 3 - 20K to 1M e-commerce transactions
  • QSA onsite review: not required
  • Self-assessment: required (annually)
  • Network security scan: required (quarterly)
• Level 4 - <20,000 e-commerce transactions; <1M non-e-commerce transactions
  • QSA onsite review: not required
  • Self-assessment: recommended (annually)
  • Network security scan: recommended (annually)

Compliance level definitions - Service providers

• Level 1 - VisaNet connection; all payment gateways; TPP and DSE that handle data for Level 1 & 2 merchants
  • QSA onsite review: required (annually)
  • Self-assessment: not required
  • Network security scan: required (quarterly)
• Level 2 - Not Level 1, with >1M transactions; DSE that handle data for Level 3 merchants
  • QSA onsite review: required (annually) for MasterCard
  • Self-assessment: required (annually) for Visa
  • Network security scan: required (quarterly)
• Level 3 - <1M transactions; all other DSEs
  • QSA onsite review: not required
  • Self-assessment: required (annually)
  • Network security scan: required (quarterly)

Incidents

• Heartland Payment Systems (2009)
• Hannaford Brothers and Sweetbay (2008)
• TJX (2007)
• CardSystems Solutions Inc. (2005)

Background of an incident: CardSystems Solutions Inc.

• Credit card processing company
• Purpose of keeping the data: "research"
• 40 million card accounts (name, bank account number)
• Attack
  • Breached security protocol
  • Virus
  • Sensitive data stored in the clear
• Data removal process
  • Contractually obligated to delete
  • Inappropriate data removal process
• Use of the information
  • Sold on a Russian website
• Affected a number of high-profile companies

Typical example: PCI DSS 6.1

"Ensure that all system components and software have the latest vendor-supplied security patches."

Typical example

• We have a Windows-based system
• We use WSUS (Windows Server Update Services), therefore all of our servers and workstations are patched

Are we compliant?

Typical example

• What does a client PC look like?
  – Adobe Flash
  – Adobe Acrobat
  – JRE
  – … and many more
• These software versions and patches are typically not managed centrally
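The gap these slides describe (WSUS keeps Windows current, but the third-party software on client PCs is not centrally managed) as an added example, not from the original presentation: a Python check that compares a constructed software inventory against a per-product minimum patched version and reports which out-of-date installs WSUS would not have fixed. The host names, versions, BASELINE thresholds and the WSUS_MANAGED set are assumptions made for this example.

```python
# Added example (not from the original slides): a patch-coverage check for
# PCI DSS Requirement 6.1 over a constructed software inventory.
import re

# Products whose patches WSUS delivers (an assumption made for this example).
WSUS_MANAGED = {"Windows"}

# Minimum version treated as "patched" per product (constructed values).
BASELINE = {
    "Windows": "6.1.7601",
    "Adobe Reader": "9.3.2",
    "Adobe Flash Player": "10.0.45",
    "JRE": "1.6.0.20",
}

# Constructed inventory as an asset tool might export it: (host, product, version).
INVENTORY = [
    ("pos-01", "Windows", "6.1.7601"),
    ("pos-01", "Adobe Reader", "9.1.0"),
    ("pos-01", "Adobe Flash Player", "10.0.45"),
    ("pos-02", "Windows", "6.1.7600"),
    ("pos-02", "JRE", "1.6.0.13"),
    ("pos-02", "Adobe Reader", "9.3.2"),
]

def version_key(version):
    """Turn '9.3.2' into (9, 3, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def patch_gaps(inventory, baseline):
    """One record per out-of-date install, flagging whether WSUS would have fixed it."""
    gaps = []
    for host, product, installed in inventory:
        required = baseline.get(product)
        if required is None or version_key(installed) >= version_key(required):
            continue
        gaps.append({"host": host, "product": product, "installed": installed,
                     "required": required, "covered_by_wsus": product in WSUS_MANAGED})
    return gaps

def compliant_with_6_1(inventory, baseline):
    """6.1 asks for *all* system components and software to be patched: any gap fails."""
    return not patch_gaps(inventory, baseline)

if __name__ == "__main__":
    for gap in patch_gaps(INVENTORY, BASELINE):
        source = "WSUS" if gap["covered_by_wsus"] else "NOT centrally managed"
        print(f"{gap['host']}: {gap['product']} {gap['installed']} < {gap['required']} ({source})")
    print("Compliant with 6.1:", compliant_with_6_1(INVENTORY, BASELINE))
```

Run against the sample data, two of the three gaps it reports are on software WSUS never touches, which is exactly why "we use WSUS" alone does not answer the compliance question.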

Typical example

ID        Description

APSB09-15 Security Advisory for Adobe Reader and Acrobat

APSB09-10 Security Updates available for Adobe Flash Player, Adobe Reader and Acrobat

APSA09-03 Security Advisory for Adobe Reader, Acrobat and Flash Player

APSB09-07 Security Updates available for Adobe Reader and Acrobat

APSB09-06 Security Updates available for Adobe Reader and Acrobat

APSA09-02 Buffer overflow issues in Adobe Reader and Acrobat

APSB09-04 Security Update available for Adobe Reader and Acrobat

APSB09-03 Security Update available for Adobe Reader 9 and Acrobat 9

APSA09-01 Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat

Source: http://www.adobe.com/support/security/

Typical example

• … and of course they are exploited in the wild
• Easy-to-use tools for PDF mangling
  – Metasploit
  – Origami
  – …


Thank you