IBM Presentations: Blue Onyx Basic template


Internet Security Systems (ISS) an IBM owned Company
Payment Card Industry (PCI)
Cary Lynch – Engagement Manager
IBM Internet Security Systems
Ahead of the threat.™
7/18/2015
© 2009 IBM Corporation
My Role
• Cary Lynch – West Engagement Manager (Security Services).
  – Engagement Management of PCI projects in region
  – Facilitation of Merchant / Acquirer Bank communication throughout remediation effort
  – Certified QSA to conduct PCI Assessments

Agenda – PCI and Limited Budgets
• IBM ISS Overview
• PCI Overview
  – PCI History
  – PCI Assessment Criteria
• Consequences of No Action
• The Reality of Limited Budgets
  – Where to Start?
  – What to Do?
• How to Stay Compliant

The reality of limited budgets
• PCI compliance does not equal good information security
• Good information security can lead to PCI compliance
• Becoming PCI compliant (or staying PCI compliant) requires a budget but…
• There are ways to become (or stay) PCI compliant without breaking the bank
So, the question becomes…
• What to do with a limited budget?
• Where to start on a limited budget?

PCI History
• Visa first developed the Cardholder Information Security Program (CISP)
• MasterCard and others started to develop separate criteria – all slight variations of each other
• In 04/05, Visa and MasterCard formally agreed to combine efforts and created the Payment Card Industry (PCI) assessment criteria
  – Visa’s heavy policy emphasis
  – MasterCard’s technical scanning requirements
• In 09/06, all payment card providers joined forces to establish the PCI Security Standards Council (PCI SSC)
  – Founders include: American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
  – Several releases of PCI data security standards: PCI v1.2 released Oct. 2008
  – http://www.pcissc.org

What is the PCI DSS?
• An information security standard that includes:
  – Objectives
  – Requirements
  – Controls
• Created to assist organizations in protecting cardholder data.

PCI Requirements – The “Digital Dozen”
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data sent across open, public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict access to cardholder data by “need to know”
• Assign unique IDs to each person with access
• Restrict physical access to information
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Implement an information security policy

Who is required to be PCI compliant?
Any merchant or service provider that stores, processes, or transmits cardholder data!

When are you required to be PCI compliant?
Initial PCI compliance deadlines for merchants and service providers have passed.

Merchant Criteria – Risk Prioritized Validation
Merchant Level | Annual Transaction Volume
Level 1 | 6 Million or more; any merchant that has suffered an attack
Level 2 | 1 Million to 6 Million
Level 3 | 20,000 – 1 Million transactions
Level 4 | All other merchants
Source: Visa

Compliance Requirements for Merchants
Validation Priority | Validation Action Required | Scope of Validation | Validation by
Level 1 | Annual On-site Audit (Report On Compliance) | Any systems storing, processing, or transmitting Visa cardholder data | Independent Assessor, or Internal Audit if signed by an Officer of the company
Level 1 | Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 2 | Annual PCI Self Assessment Questionnaire | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
Level 2 | Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 3 | Annual PCI Self Assessment Questionnaire | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
Level 3 | Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 4 | Annual PCI Self Assessment Questionnaire (recommended) | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
Level 4 | Quarterly Network Scan (recommended) | Internet Facing Perimeter Systems |
Source: Visa

Service Provider Criteria – Risk Prioritized Validation
Validation Priority | Annual Transaction Volume
Level 1 | All VisaNet Processors (Member and non-Member); all Payment Gateways; any service provider that stores, processes or transmits over 300,000 transactions annually
Level 2 | Service Providers not in Level 1 that store, process or transmit fewer than 300,000 transactions annually
Source: Visa

Compliance Requirements for Service Providers
Validation Priority | Validation Action Required | Scope of Validation | Validation by
Level 1 | Annual On-site Security Audit | Any systems storing, processing, or transmitting Visa cardholder data | Qualified Independent Security Assessor
Level 1 | Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 1 | Included on Visa Inc’s List of PCI DSS Compliant Service Providers | |
Level 2 | Annual On-site Security Audit | Any systems storing, processing, or transmitting Visa cardholder data | Qualified Independent Security Assessor
Level 2 | Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 2 | Not included on Visa Inc’s List of PCI DSS Compliant Service Providers | |
Source: Visa

PCI Process
• To be an approved 3rd party PCI assessor:
  – Participate in PCI training (and pass the exam)
  – Obtain CPE Credits on a 3 year cycle
  – Individual background checks
• Both the organization and the individual must be certified
  – Qualified Security Assessor Company (QSAC)
  – Approved Scan Vendor (ASV)
  – Qualified Security Assessor (QSA)
  – Qualified Payment Application Security Professional (PA-DSS)
    • Must also already be a QSAC
• All assessors must follow the Data Security Standards (DSS) and generate an approved Report on Compliance (ROC) to meet documentation requirements
• All quarterly scanning must utilize the same software and approved PCI scan policy

Consequences of NO Action
• Acquirers may be levied fines of $5000-$100,000 a month for non-compliance.
  – This may be passed down to you.
• Increased transaction fees
• Potential termination of relationship
Ultimately up to your acquiring bank’s discretion…

PCI non-compliance and a Breach (or suspicion of a breach)
• Brand name damage should a breach occur
  – Loss of existing and new customers
• Potential forensic analysis costs
• Cost of dealing with a breach
  – Detection
  – Notification
  – Follow-up

Cost of a Breach
(Figure: breach-cost data, Ponemon Institute)

The reality of limited budgets
• PCI compliance does not equal good information security
• Good information security can lead to PCI compliance
• Becoming PCI compliant (or staying PCI compliant) requires a budget but…
• There are ways to become (or stay) PCI compliant without breaking the bank
So, the question becomes…
• What to do with a limited budget?
• Where to start on a limited budget?

What we typically see out there…
• Common Findings
  – Lack of network segmentation
  – Lack of knowledge of where all the data is at rest
  – Lack of encryption for data at rest
  – Storing too much data
  – Lack of encryption for emails and messaging
  – Lack of segregation of duties
  – Back-end operation networks breaking the isolation of PCI networks from other networks
  – Too many firewall rules with no business justification
  – Generic IDs and shared IDs
  – Insufficient documented policies and procedures

PCI – Where to Start on a limited budget?
• Identify where PCI data is stored, processed, and transmitted
  – Map your data flow
  – Who has access to PCI data and systems
  – Evaluate your processes
  – Document your processes (policy, procedures)

PCI – What to do with a limited budget?
• Reduce your PCI in-scope environment
  – Segmentation
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?
  – Limit data retention to only what is necessary
    • Do not store what you do not need.
  – Only allow access to those who require it
  – Ask an Expert
  – Consider compensating controls
  – Document your standards
Prioritize Your Approach

Phase 1
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?
  – Limit data retention to only what is necessary
    • Do not store what you do not need.

Phase 2
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Segmentation
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?

Phase 3
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Segmentation
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?

Phase 4
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?
  – Only allow access to those who require it

Phase 5
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?
  – Limit data retention to only what is necessary
    • Do not store what you do not need.
  – Only allow access to those who require it

Phase 6
Source: www.pcisecuritystandards.org
• Reduce your PCI in-scope environment
  – Stop/Modify unnecessary processes
    • Ask yourself, is this necessary and required?
  – Limit data retention to only what is necessary
    • Do not store what you do not need.
  – Only allow access to those who require it
  – Ask the Expert

Prioritize your approach
(Figure from www.pcisecuritystandards.org)

Compensating Controls – What are they?
• Used when an entity cannot meet a requirement explicitly due to LEGITIMATE technical or documented business constraints.
• A compensating control must:
  – Meet the intent and rigor of the requirement
  – Sufficiently offset the risk that the original requirement was designed to defend against
  – Be above and beyond other PCI requirements
  – Be commensurate with the additional risk imposed by not adhering to the original PCI requirement
• Compensating controls are typically valid for 1 year.
Source: PCI SSC

Compensating Controls – Example
• An FTP server has been utilized for transferring data including cardholder information.
• Customer could not implement a secure form of transfer prior to the compliance deadline due to documented business constraints.
  – Install the latest, and most updated, version of the FTP daemon on the FTP server.
  – Lock down all directories so that only authorized users can get access to their own directories and no one else's.
  – Disable anonymous access.
  – Enable audit logging to a file in /var/log that logs who transferred what and when.
  – Enable disk quotas at 4GB, so that someone with mal-intent cannot fill up the disk with extraneous data.
  – Lock down network access to the FTP server(s) to specific IP addresses.
  – Enable a strong password policy for each user ID that has access to the FTP server.
  – Enable account lockout after 5 failed attempts; the lockout persists until an Administrator unlocks the account.
  – Encrypt any sensitive cardholder data that may be resident on the FTP server(s).
  – Enable TCP wrappers to more closely monitor access.
  – Require the FTP server to display a warning banner.

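A compensating control is only worth the paper it is written on if the settings it relies on are still in place at the next assessment, so the daemon-level items in the list above are worth checking automatically. The script below is an added example and not part of the presentation; it assumes vsftpd as the FTP daemon (the slide does not name one) and uses vsftpd's documented directives and defaults. It parses a vsftpd.conf and checks the controls that live in the daemon configuration: anonymous access disabled, users confined to their own directories, transfer logging to a file under /var/log, TCP wrappers enabled, and a warning banner. The IP allow-list (hosts.allow), disk quotas, password policy and account lockout live outside this file and are not checked here. Both configurations are constructed.

```python
"""Audit a vsftpd.conf against the daemon-level compensating controls for an
FTP server that handles cardholder data.

Added example, not from the presentation. Assumes vsftpd; directive names and
defaults follow vsftpd's documentation. WEAK_CONF and HARDENED_CONF are
constructed sample configurations.
"""


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """vsftpd.conf is one key=value per line; '#' starts a comment.
    The last assignment of a key wins, as in the daemon."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf: dict[str, str], key: str, default: str = "NO") -> bool:
    """Boolean directives are YES/NO; 'default' is vsftpd's built-in default."""
    return conf.get(key, default).upper() == "YES"


# (control, predicate over the parsed config, remediation hint)
CHECKS = [
    ("anonymous access disabled",
     lambda c: not is_yes(c, "anonymous_enable", default="YES"),
     "set anonymous_enable=NO"),
    ("users confined to their own directories",
     lambda c: is_yes(c, "chroot_local_user"),
     "set chroot_local_user=YES"),
    ("transfer audit log enabled and written under /var/log",
     lambda c: is_yes(c, "xferlog_enable")
     and c.get("xferlog_file", "/var/log/vsftpd.log").startswith("/var/log/"),
     "set xferlog_enable=YES and keep xferlog_file under /var/log"),
    ("TCP wrappers enabled",
     lambda c: is_yes(c, "tcp_wrappers"),
     "set tcp_wrappers=YES and list only approved source IPs in hosts.allow"),
    ("warning banner configured",
     lambda c: bool(c.get("ftpd_banner") or c.get("banner_file")),
     "set ftpd_banner=... or banner_file=..."),
]


def audit(conf: dict[str, str]) -> list[tuple[str, bool, str]]:
    """Return (control, passed, remediation) for every check."""
    return [(name, bool(pred(conf)), fix) for name, pred, fix in CHECKS]


def failing(conf: dict[str, str]) -> list[str]:
    """Names of the controls that are not in place."""
    return [name for name, ok, _ in audit(conf) if not ok]


# Constructed: a server left on vendor-style defaults.
WEAK_CONF = """\
# vsftpd.conf as found on the server
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=NO
"""

# Constructed: the same server after the compensating controls were applied.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
tcp_wrappers=YES
ftpd_banner=Authorized use only. All transfers are logged.
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for name, ok, fix in audit(parse_vsftpd_conf(text)):
            print(f"[{'PASS' if ok else 'FAIL'}] {name}" + ("" if ok else f": {fix}"))
```

Running this from a scheduled job and filing the output with the compensating-control worksheet gives the assessor evidence that the control held for the whole year, not just on the day it was written up.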
How to stay PCI compliant
• PCI compliance is required
• Executive Sponsorship/Buy-in
• Evaluate any new business processes to see how they will affect your PCI compliance status/PCI environment.
  – Is it necessary/required?
  – What is the impact?
• Continue PCI processes – Penetration Testing, Network scans, Internally developed processes.
Consider PCI a lifecycle process, not a last-minute requirement.

Questions?
Thank You!
IBM Internet Security Systems
Ahead of the threat.™