PCI DSS - Verifone Support Portal


PCI DSS & Card Security
VeriFone Partner Forum
Dubai: 21 May 2008
Brad Harris
Regional Development Manager
Agenda
• Trustwave Ltd
• Relevant Headlines
• PCI DSS: the standard
• PCI PED
• Compromise Statistics
• Questions & Answers
Trustwave Corporation © Copyright 2007
Confidential
Global Organization
Trustwave Corp. HQ is in Chicago, USA. Headquartered in London, Trustwave Ltd has more than 20 office locations across EMEA to serve our diverse client base.
• North America - Corporate Headquarters: Chicago; over 20 locations throughout the US; Toronto, Canada
• South America - Regional Headquarters: Miami
• EMEA - Regional Headquarters: London; locations in Budapest, Hungary; Stockholm, Sweden; the Netherlands; Dublin; and Pretoria, South Africa
• Asia - Regional Headquarters: Singapore; location in Shanghai, China
Blue-chip Customers globally
[Chart: Compliant Service Providers on Visa website: Jan ‘07, broken down by assessor]
Recent Headlines
Is PCI DSS Important to you?
PCI DSS auditors see lessons in TJX data breach
• TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and, according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
• Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.
- Tech-News daily, 29 Sept 2007
• To date there has not been a data compromise at a PCI Compliant organisation*
An unwanted E-Commerce
HOW MUCH DOES A VISA OR MASTERCARD NUMBER GO FOR THESE DAYS?
By Jacob Leibenluft
Posted Thursday, April 24, 2008, at 6:18 PM ET
Security experts at the InfoSecurity Europe conference are drawing attention to "data supermarkets" that sell stolen credit card numbers for a fixed price. According to a BBC story, "credit card details are cheap" on the black market while "the logfiles of big companies can go for up to $300."
Retail Nightmare
Hannaford data thieves planted malware on 300 servers
Other retailers may be vulnerable
By Dan Goodin
Published Friday 28th March 2008 22:39 GMT
The data breach at Hannaford, the US grocery chain, which enabled the theft of info on more than 4.2 million credit card accounts was caused by a sophisticated piece of malware that attackers installed in all the company's retail outlets.
Installed on more than 300 servers in at least six states, the malware was able to intercept credit card data while customers paid for purchases using plastic and transmit the information overseas, The Boston Globe reports. The rogue software was installed on servers in close to 300 different locations, though the company isn't saying how it got there.
Non-Compliance: Risks, Fines, Fees, Costs, Loss
A non-compliant, compromised business could expect the following:
• Damage to their brand/reputation
• Investigation costs
• Remediation costs
• Fines and fees
  - Non-compliance (each brand issues separate fines)
  - Re-issuance
  - Fraud loss
• Ongoing compliance audits
• Victim notification costs
• Financial loss
• Data loss
• Charge-backs for fraudulent transactions
• Operations disruption
• Sensitive info disclosure
• Denial of service to customers
• Individual executives held liable
• Possibility of business closure
PCI Compliance Can Protect Against Fines
• Members receive “Safe Harbor” for compromised merchants found to be PCI-compliant at time of breach
Trustwave & VeriFone
TRUSTWAVE VALIDATES PAYWARE POS APPLICATION
• VeriFone’s PAYware Software Application is validated as PABP Compliant
• VeriFone continues to validate new versions and releases to keep its customers safe from product-specific data compromise
PABP to PA-DSS
PABP/PA-DSS: comprehensive set of security requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance
• Updates
  - August 2008: PA-DSS published
  - “Grand-father” Scheme: (i) Validated to PABP v1.4 = 24 months; (ii) Validated to PABP v1.3 = 18 months; (iii) Validated to PABP v1.2 or before = 12 months
  - Changes from PABP to PA-DSS are still being solidified
* There is no business advantage to waiting for PA-DSS to validate
PCI DSS – Overview
The PCI DSS consists of twelve basic requirements supported by more detailed sub-requirements. Compliance is mandatory for all Merchants and Service Providers that store, process or transmit credit cardholder data. It applies to all acceptance channels including face-to-face, MOTO and e-commerce.

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
PCI DSS - Data Storage Clarification
Component                        Storage Permitted   Protection Required   Req 3.4 Applies
Cardholder Data
  PAN                            YES                 YES                   YES
  Expiration Date*               YES                 YES                   NO
  Service Code*                  YES                 YES                   NO
  Cardholder Name*               YES                 YES                   NO
Sensitive Authentication Data
  Full Magnetic Stripe           NO                  N/A                   N/A
  CAV2/CVC2/CVV2/CID             NO                  N/A                   N/A
  PIN                            NO                  N/A                   N/A
* Data elements must be protected when stored in conjunction with PAN
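As an added illustration that is not part of the presentation, the storage rules from the table above expressed as a Python check run on a transaction record before anything is written post-authorisation: sensitive authentication data is dropped, the PAN is rendered unreadable by truncation (one of the Req 3.4 options), and the starred elements are flagged for protection when they sit alongside a PAN. Field names and the sample record are assumptions made for the example.

```python
# Added example (not from the slides): apply the slide's storage table to a
# transaction record before it is persisted. Field names are assumed.

# component -> (storage permitted, protection required, Req 3.4 applies)
STORAGE_RULES = {
    "pan":             (True,  True,  True),
    "expiration_date": (True,  True,  False),
    "service_code":    (True,  True,  False),
    "cardholder_name": (True,  True,  False),
    "full_track":      (False, None,  None),   # sensitive authentication data
    "cvv2":            (False, None,  None),   # CAV2/CVC2/CVV2/CID
    "pin":             (False, None,  None),
}


def render_pan_unreadable(pan: str) -> str:
    """Truncation (one of the Req 3.4 options): keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> tuple:
    """Return (record that may be stored, fields that must be protected at rest)."""
    stored = {}
    for field, value in record.items():
        permitted, _protect, req34 = STORAGE_RULES.get(field, (False, None, None))
        if not permitted:
            continue            # SAD and unknown fields are never written
        stored[field] = render_pan_unreadable(value) if req34 else value
    # Slide footnote: starred elements need protection when stored together
    # with the PAN; the PAN itself always does.
    pan_present = "pan" in stored
    needs_protection = [f for f in stored
                        if f == "pan" or (pan_present and STORAGE_RULES[f][1])]
    return stored, needs_protection


# Constructed sample record (industry test PAN, not a real card)
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiration_date": "1005",
    "cardholder_name": "DOE/JOHN",
    "cvv2": "123",
    "pin": "1234",
    "full_track": ";4111111111111111=1005101000000000?",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD))
```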
The Mandate: CEMEA Merchant Levels Defined
Level 1 - CEMEA Merchant Classification Criteria: any merchant regardless of acceptance channel that:
• Processes > 6 million transactions by most prevalent card-type
• Has suffered a hack or an attack that resulted in an account data compromise
• Any merchant the Card Brands determine should meet Level 1 merchant requirements
• Has been identified by any other payment card brand as Level 1
VALIDATION: (i) Annual Onsite Audit by QSA (ii) Quarterly Network scan by QSA or ASV
Deadline: 31 December 2007
Level 2 - Any merchant regardless of acceptance channel that processes < 6 million transactions by most prevalent card-type
VALIDATION: (i) Annual Self-Assessment Questionnaire (ii) Quarterly Network scan by QSA or ASV
Deadline: 31 December 2007
CEMEA Service Provider Levels
Level 1
  Criteria: VISA: All VisaNet processors (member and non-member) and all payment gateways. MC: Third Party Processors (TPP) & Data Storage Entities (DSE) that store account data on behalf of Level 1 or Level 2 merchants.
  Validation Actions (Validated By): Annual On-Site Audit (Qualified Security Assessor); Quarterly Network Scan (QSA or ASV)
  Deadline: 31/12/2008
Level 2
  Criteria: Visa: Any SP not in Level 1 that stores, processes, or transmits more than 600,000 transactions annually. MC: All DSEs that store account data on behalf of Level 3 merchants.
  Validation Actions (Validated By): Annual On-Site Audit (Qualified Security Assessor); Quarterly Network Scan (QSA or ASV)
  Deadline: 31/12/2008
Level 3
  Criteria: Visa: Any SP not in Level 1 that stores, processes, or transmits fewer than 600,000 transactions annually. MC: All other Data Storage Entities not included in Level 1 or Level 2.
  Validation Actions (Validated By): Annual PCI Self-Assessment Questionnaire (Service Provider); Quarterly Network Scan (Approved Scanning Vendor)
  Deadline: 31/12/2008
The Mandate: CEMEA Issuers
Level 1 - CEMEA Issuer Classification Criteria: issuers who meet the following criteria:
• VisaNet processors
• Has suffered a hack or an attack that resulted in an account data compromise
• Has been identified by any payment card brand as Level 1
VALIDATION: (i) Annual Onsite Audit by QSA (ii) Quarterly Network scan by QSA or ASV
Deadline: 31 December 2008
Level 2 - Any other Issuer
VALIDATION: Can self-validate
Deadline: 31 December 2008
PCI DSS Compliance Validation Programme
Compliance Programme Life Cycle
1. Education: Generate awareness of PCI DSS among key stakeholders inside the business such as risk, compliance, financial and legal.
2. Risk Analysis: Determine your risk or which merchants pose the greatest risk for loss.
3. Communication: Convey compliance messages internally and to all affected merchants through a robust communication program to drive the message.
4. Compliance: Execution and management through tools required to validate compliance with PCI DSS in the quickest, most efficient manner possible.
Centre of the cycle: Risk Mitigation
Compliance Validation Service - CVS
Action: External Vulnerability Scanning
• Scan of externally-visible IP addresses
  - Must pass an external scan quarterly (monthly scans recommended)
  - Report produced and analysed in TrustKeeper
Action: Self-Assessment Questionnaire (SAQ)
• Interactive questionnaire about card holder environment
• Updated for 2008 based on Merchant or Service Provider classification
• A successful SAQ means a positive answer to every question
Action: Onsite Audit (for Level 1s) / Gap Analysis
• Onsite visitation of 2-5 days by Qualified Consultant
  - Strict audit and review process
  - Major deliverable: Remediation Spreadsheet/Roadmap
Action: Remediation
• Network Penetration Test, Internal Vulnerability Scanning, SSL Cert
  - Develop Remediation Project Plan
  - Client or 3rd Party must Project Manage & Implement actions
Report on Compliance (ROC)
• THE MAJOR DELIVERABLE of a CVS
  - Achieved upon compliance
  - Written and submitted by QSA
  - A poorly written ROC will not pass through to compliance
Maintaining Compliance
• Continuation of monthly scanning
  - Regular Support Calls with QSA
  - Analysis of effect of changes to network and infrastructure
  - Annual Pen Tests, regular Internal Scans, etc.
Most Common PCI Requirements Not Met
[Chart: Percentage of Compromised Merchants That Failed To Meet Each PCI DSS Requirement*, Req. 1 through Req. 12, scale 0% to 100%]
Requirements called out on the chart:
• Requirement 1: Install and maintain a firewall to protect cardholder data
• Requirement 3: Protect stored data
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 10: Track and monitor access to network and card data
• Requirement 11: Regularly test security systems and processes
*Data gathered from more than 250 card compromise investigations conducted by Trustwave
PCI Pin Entry Device (PED)
PCI PED: comprehensive set of security requirements designed for POS devices to facilitate their customers’ PCI DSS compliance
• Members (or their Agents) have until 01 July 2010 to ensure that all of their installed attended POS PED models have been approved by Visa. PEDs must be on the current approved list at www.pcisecuritystandards.org/pin
VeriFone continues to be a leader in PED Security
Who is at Risk?
Case Analysis: Merchant Level
While larger merchants represent greater transaction volume, smaller merchants have greater risk due to many factors discussed in this presentation.
Trustwave’s analysis is derived from more than 350 cardholder data compromise investigations performed in over 14 different countries.
Case Analysis: Industry
The Food Service Industry represents the majority of the compromises.
The Retail Industry is the next largest industry seeing compromises.
Compromise Statistics: System Type
The majority of the cases involved a compromise of a Software POS system.
Not one of these systems was Visa PABP validated or PCI DSS compliant.
Case Analysis: Track Data Storage
Brick & Mortar Merchants running Non-Compliant software packages are storing Track Data and they do not know until it is too late!
Track Data storage is never permitted in any environment post authorization.
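The slide's point, that merchants find stored Track Data only after a compromise, is what a periodic scan of POS logs and dump files is meant to catch. As an added example that is not from the presentation, this Python scans log lines (constructed here) for Track 1 and Track 2 formatted data, applies a Luhn check to cut false positives on ordinary digit runs, and reports only truncated PANs so the report itself does not become stored cardholder data.

```python
# Added example (not from the slides): detect Track 1 / Track 2 data at rest.
import re

# Track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: a real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four so findings are safe to store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(lines):
    """Return one finding per Luhn-valid track record found in the lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_valid(pan):
                    findings.append({"line": lineno, "track": track, "pan": mask_pan(pan)})
    return findings


# Constructed sample log lines; 4111111111111111 is an industry test PAN that
# passes Luhn, 4111111111111112 does not and should be ignored.
SAMPLE_LOG = [
    "2008-05-21 10:02:11 auth ok merchant=12345 amount=19.99",
    "2008-05-21 10:02:12 debug raw=;4111111111111111=10051010000000000000?",
    "2008-05-21 10:02:13 debug raw=%B4111111111111111^DOE/JOHN^10051011000000000?",
    "2008-05-21 10:02:14 debug raw=;4111111111111112=10051010000000000000?",
]

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

Run the same function over real log directories to produce a Requirement 3 finding list; a single hit means the POS software is writing post-authorisation track data and needs remediation, not just log rotation.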
SUMMARY
• The biggest threat to growth of Plastic, Mobile, e-commerce payments is Fraud
• PCI DSS covers ALL organisations that STORE, TRANSMIT, or PROCESS credit card data
• Organisations should validate their own internal compliance AND insist on doing business with PCI DSS & PABP / PA-DSS compliant suppliers
• The validation is becoming easier, but the standard is becoming stricter – WAITING PUTS YOUR ORGANISATION AT RISK
Questions?