
Page 1: PCI Security Standards Council · 2018. 4. 4. · systems (PCI DSS Req. 11) Key problem areas for breached organizations “The security benefits associated with maintaining PCI compliance

PCI Security Standards Council

Page 2

Today’s Speaker

Mark Mrotek

Certifications Program Manager

PCI Security Standards Council


Page 3

Today’s Agenda

• About the PCI Security Standards Council

• Protecting Payments with PCI Standards, Best Practices & Services

• 2016 Updates

• Educational Resources & Training

• Involvement Opportunities

Page 4

About the PCI Security Standards Council

Founded in 2006 - Guiding open standards for payment card security

• Development

• Management

• Education

• Awareness

Page 5

Our Focus

Collaboration and information sharing

Education

Simplified solutions for merchants


Page 6

Cybercrime is on the Rise

38% more security incidents were detected in 2015 than the year before. – PWC 2016 Global State of Information Security Survey

$7.7 million - average cost of global cybercrime in 2015 – Ponemon/HP

ISACA, January 2016

Page 7

Breaches can be Prevented

• 92% of compromises were simple

• 97% were avoidable through simple or intermediate controls

• 99.9% of breaches were preventable – caused by known vulnerabilities with fixable patches

• 76% of companies took weeks or more to discover the breach

• 67% of organizations did not adequately test the security of all in-scope systems

Page 8

72 percent of hackers say they won't waste time on an attack that doesn't hold the promise of quick and high-value information, and 69 percent will quit if they see that the target has a strong defense. – Ponemon Institute

Page 9

PCI Security Standards, Best Practices & Services

Training – Assessors, Investigators

Certification – Equipment, Service Providers, Assessors, Investigators

Payment Equipment · Payment Software · Merchant & Payment Service Provider Environments

Page 10

PCI Security Standards

[Diagram of the payment transaction cycle; labels: Point of Interaction, In Store, Ecommerce, MOTO, Merchant, Server, Data center, Stock Control, Mgmt., Sales and Marketing, 3rd party suppliers, The Internet, 3rd Party Processor, Acquiring Bank]

Protect cardholder data throughout the transaction cycle

Page 11

PCI Data Security Standard (PCI DSS): Six Goals, Twelve Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Page 12

Other Standards & Solutions

• Point-to-Point Encryption

• Payment card production

• Payment terminals

• Payment applications

• Token Service Providers

These standards and solutions:

• Cover a wide variety of payment security challenges

• Provide protection for payment data in multiple channels – online, mobile, in-store

• Ensure lab-tested devices and technology solutions

Page 13

Certification

• Payment Application Assessors

• PCI Forensic Investigators

• Internal Security Assessors

• Approved Scanning Vendors

• Point-to-Point Encryption Assessor

• Qualified Security Assessor

• Qualified Integrator & Reseller

• U.S. EMV VAR Qualification Program

Page 14

Training

PCI Awareness Training

PCI Essentials

PCI Professional Program (PCIP)™

Internal Security Assessor (ISA) – Online!

Qualified Security Assessor (QSA)

Qualified Integrators and Resellers (QIR)™ Program

Corporate Group Training – Let Us Come To You!

To learn more, visit:

www.pcisecuritystandards.org/training

Page 15

Ongoing Security Remains a Challenge

Key problem areas for breached organizations:

• Logging and monitoring controls (PCI DSS Req. 10)

• Maintaining secure systems (PCI DSS Req. 11)

• Testing security systems (PCI DSS Req. 11)

Page 16

“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”

– QSR Magazine

Page 17

Why we fail to maintain secure environments

• Lack of awareness by IT practitioners

• Incentive to keep security a primary focus

• Quickly evolving technology landscape

• Rapid development and distribution of new solutions

• Still unnecessary exposure of cardholder data

Why?

Page 18

Compliance vs. Security

Page 19

Reliance on annual assessments

Pressure to meet customer demands

Failing to adapt to changes

Compliance vs. Security

Page 20

“While validation is no assurance of security, not being compliant is pretty much a guarantee that you’re not secure.”

– 2015 Verizon PCI Compliance Report

Page 21

Moving From Compliance to Protection

• Focus on security not compliance

• PCI DSS is not a once-a-year activity

• Don’t forget about people

Page 22

Mitigate Risk with Vigilance

• Software patched & up-to-date

• Configuration settings don’t expose payment card data

• Monitor internal & 3rd party access

• Use strong authentication & strong passwords

Regularly Monitor Controls!

Page 23

Ongoing Security

• Understand how changes in the organization affect security controls

• Monitor security control operation

• Conduct periodic security control assessments

• Detect and respond to security control failures

Page 24

The Standards Continually Evolve

Research · Threat and Risk Landscape · Industry Feedback

Page 25

Secure Sockets Layer (SSL)

Page 26

SSL to TLS Background and Timeline

• SSL/TLS used as an example in DSS v3 and earlier

  • Example of ‘strong cryptography’

  • Example of additional security for insecure services

• Marketplace feedback

  • Technical issues - relatively easy

  • Business issues - complex

Timeline:

• April 2014: NIST – SSL & TLS 1.0 unsafe

• PCI SSC seeks industry input

• April 2015: PCI SSC issues PCI DSS v3.1 and guidance

• Marketplace feedback

• December 2015: PCI SSC issues new migration dates

Page 27

SSL and Early TLS: New Migration Dates

All processing and third party entities – including Acquirers, Payment Processors, Gateways and Service Providers – must provide a TLS 1.1 or greater service offering by 30 June 2016.

All entities must cut over to a secure version of TLS (as defined by NIST) by June 2018.

Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater (TLS 1.2 recommended).

POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to all known exploits for SSL and early TLS can continue to use SSL/early TLS beyond June 2018, consistent with the current exception.

SSL & early TLS are not considered strong cryptography and are not allowed as a security control after 30 June 2018.

Page 28

Key Recommendations

• Migrate to a minimum of TLS 1.1, preferably TLS 1.2.

• Patch TLS software against implementation vulnerabilities

• Configure TLS securely
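An added example, not from the Council's deck, that applies the migration dates and recommendations above to the protocol versions a server has enabled. It assumes an nginx-style `ssl_protocols` directive as input and reads "SSL and early TLS" as any SSL version plus TLS 1.0; both are my assumptions, the dates are the ones on the slides.

```python
"""Check enabled TLS versions against the PCI SSC SSL/early TLS migration rules.

Added example; the directive format and the reading of "early TLS" as TLS 1.0
are assumptions, the deadlines are the dates quoted on the slides.
"""
from __future__ import annotations
from datetime import date

# Protocol versions ordered weakest to strongest.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
SSL_AND_EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}

PROVIDER_OFFER_DEADLINE = date(2016, 6, 30)  # processors/service providers must offer TLS 1.1+
CUTOVER_DEADLINE = date(2018, 6, 30)         # SSL/early TLS no longer a security control after this


def parse_ssl_protocols(directive: str) -> list[str]:
    """Parse 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' into a list of version names."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("expected an ssl_protocols directive")
    unknown = [t for t in tokens[1:] if t not in PROTOCOL_RANK]
    if unknown:
        raise ValueError(f"unknown protocol version(s): {unknown}")
    return tokens[1:]


def assess(enabled, as_of, is_processing_entity=False,
           is_new_implementation=False, poi_exception=False):
    """Return 'LEVEL: message' findings; an empty list means no issue found."""
    findings = []
    if not enabled:
        return ["FAIL: no TLS protocol version enabled"]
    weak = ", ".join(sorted(v for v in enabled if v in SSL_AND_EARLY_TLS))
    has_modern = any(PROTOCOL_RANK[v] >= PROTOCOL_RANK["TLSv1.1"] for v in enabled)
    has_tls12 = any(PROTOCOL_RANK[v] >= PROTOCOL_RANK["TLSv1.2"] for v in enabled)

    # Acquirers, processors, gateways, service providers: TLS 1.1+ offering by 30 June 2016.
    if is_processing_entity and as_of >= PROVIDER_OFFER_DEADLINE and not has_modern:
        findings.append("FAIL: processing entities must offer TLS 1.1 or greater since 30 June 2016")
    # New implementations must be enabled with TLS 1.1 or greater, whatever the date.
    if is_new_implementation and weak:
        findings.append(f"FAIL: new implementations may not enable SSL/early TLS: {weak}")
    # Existing implementations: SSL/early TLS must be gone after 30 June 2018,
    # except verified POI terminals and the termination points they connect to.
    if weak and not is_new_implementation:
        if as_of <= CUTOVER_DEADLINE:
            findings.append(f"WARN: SSL/early TLS enabled, cut over by 30 June 2018: {weak}")
        elif poi_exception:
            findings.append(f"INFO: SSL/early TLS kept under the verified POI exception: {weak}")
        else:
            findings.append(f"FAIL: SSL/early TLS is not strong cryptography after 30 June 2018: {weak}")
    if not has_tls12:
        findings.append("WARN: TLS 1.2 recommended; nothing above TLS 1.1 is offered")
    return findings


def worst_level(findings):
    """Collapse a findings list to PASS / INFO / WARN / FAIL."""
    order = ["PASS", "INFO", "WARN", "FAIL"]
    levels = [f.split(":", 1)[0] for f in findings] or ["PASS"]
    return max(levels, key=order.index)


if __name__ == "__main__":
    # Constructed sample directive, checked as an existing merchant after the cutover date.
    versions = parse_ssl_protocols("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;")
    for finding in assess(versions, date(2018, 7, 1)):
        print(finding)
```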

Page 29

Additional Guidance: Information Supplement & FAQ

• Clarification on “new” vs. “existing” implementations

• Guidance on allowances for POS POI environments

• Suggestions/examples of risk mitigation techniques

• Suggestions/examples on alternative cryptographic options to replace SSL/early TLS

• Best practices for proper TLS configuration

• FAQs and tips for small merchant environments

Page 30

PCI DSS Version 3.2

• DSS v3.2 to be released in first half of 2016

  • To address SSL/TLS migration

• Additionally under review for DSS

  • Access controls for authentication to CDE

  • Review of Designated Entities requirements for inclusion

  • Review of existing PAN criteria for masking, etc.

Page 31

Prioritize Technology: Devalue Data and Reduce Risk

EMV chip

Tokenization

Point-to-Point Encryption

• Improve your security.

• Reduce your risk.

• Simplify your PCI DSS compliance efforts.

Page 32

“Fraud is evolving at a frantic pace…When the industry cracks down on one type of fraud, criminals quickly shift their attack vector and area of operation.”

– Al Pascual, Fraud & Security, Javelin Research

Page 33

Magnetic Stripe Fraud

Data on magnetic stripe is static

Can be easily captured or copied

Written onto a second card to make a clone

Used to undertake fraudulent transactions

[Image captions: Hand held skimmer; Skimmer in POI device; Skimmer attached to ATM]

Page 34

Impact of EMV Chip on F2F Fraud

Page 35

If I Have EMV Chip, Do I Need PCI?

Page 36

The Security Fruit Tree

[Figure labels: Low hanging fruit; Bulk fruit; High Fruit; Card-Not-Present data; EMV chip card data; PCI and EMV chip together]

Page 37

“Card-not-present (CNP) fraud is expected to more than double from $2.8 billion to more than $6.3 billion by 2018.” – Aite Group

Page 38

Preparing for EMV Chip with PCI

• There is no silver bullet

• EMV does not negate the need for secure passwords, patching systems, logging, monitoring for intrusions, using firewalls, etc.

• EMV chip brings great benefits to transactions in your stores, but fraud will migrate to the online marketplace

• Multi-channel organizations need to consider their entire payment infrastructure, not just brick and mortar, and ensure proper security protocols are in place

• Talk to your acquiring bank to understand implications and benefits of EMV chip migration for your business

• Talk to your technology vendors and service providers to make sure you are securing the other parts of your system and purchasing the right products and services

EMV chip needs PCI protections

Don’t forget e-commerce security

Use trusted partners

Page 39

Preparing for EMV Chip with PCI

Upgrade your terminals and devices for the best security and to take advantage of the latest technology options to enable your business.

Replace any version that has expired – choose a 3.1 version device or higher from the PCI PIN Transaction Security listing.

Consider any future Point-to-Point Encryption (P2PE) and tokenization plans and what additional layers of security you may want to make the best investment.

Page 40

Point-to-Point Encryption and Tokenization

Page 41

PCI Guidance and Best Practices

• Tokenization best practices

• Merchant Guide to Point-to-Point Encryption

• PCI DSS compliance in the cloud

• Building a security awareness program

• Protecting against malware

• Skimming prevention

• Defending against phishing attacks

• Working with third parties

• Maintaining PCI DSS compliance

• Accepting payments with a mobile phone

Available at: www.pcisecuritystandards.org

Page 42

“90% of all incidents were attributed to human error or misuse of systems.” – Verizon 2015 Data Breach Investigation Report

Page 43

PCI Awareness Training

What is it?

• Entry-level course that provides baseline knowledge of PCI DSS for organizations that must meet compliance with PCI DSS

Who should attend?

• Managers or business owners charged with PCI DSS compliance / data security

What’s the benefit?

• Drive understanding of PCI DSS compliance across your business

• Learn how and where to implement PCI across your organization

How is this course offered?

• One day instructor led training

• Four hour online course

Page 44

PCI Professional (PCIP) Training

Who?

Professionals in the payment industry with two years experience in an IT or IT related role and knowledge of information technology, network security and architecture, and the payment industry

When and Where?

Anytime, from home or office - Six hour self-paced eLearning course. Final exam administered at a Pearson VUE Testing Center

What you get?

You’ll learn:

• Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE

• Appropriate uses of compensating controls

• How new technologies affect PCI

• And more

Why?

Two year individual qualification that demonstrates knowledge of PCI standards

Page 45

ISA Training

Who?

Experienced security assessment, risk management and audit staff at ISA Sponsor companies

When and Where?

• eLearning training available anytime, from home or office - 8 hour self-paced course (plus four hour online pre-requisite course)

• Two day instructor-led classes scheduled at locations worldwide (plus four hour online pre-requisite course)

What you get?

You’ll learn:

• PCI DSS assessment and testing and reporting procedures

• Network segmentation

• Hardware and communications infrastructure

• And more

Why?

Annual qualification to assess and validate their company’s adherence to PCI DSS

Page 46

“As threats continue to mount, understanding and managing cybersecurity risks have become top of mind for leaders in business and government…Businesses are also embracing a more collaborative approach to cybersecurity.”

– PWC 2016 Global State of Information Security Survey

Page 47

Partner with the Council

Page 48

Participating Organizations

727 PCI Council Participating Organizations

Join the Global Collaboration Today!

https://www.pcisecuritystandards.org/get_involved/participating_organizations

Page 49

Community Meeting – Las Vegas

www.pcisecuritystandards.org/about_us/events

20 – 22 September 2016

Page 50

Q&A

Page 51

Thank you