PCI Compliance - Aug 2009 - Commonwealth Business Travel
Brian Cloud
August 06, 2009
Overall Digital Security
What is Digital Security
Murphy’s Law
Since 2005, over 263M records breached (privacyreports.com)
○ Hacking, Internal Flaws, Stolen Equipment
Marketing is Profitability, Profiles are Productivity
Security Concerns
Databases
Communications and Transmissions
Media
Access Levels
Traveler Issues and Awareness
Types of Issues:
Data Breach
Intellectual Property Theft
DoS Attacks
Internal Issues and Employee Mindset
PCI Compliance Overview
What is it?
Payment Card Industry (PCI) Data Security Standard (DSS)
defines what cardholder data can be stored and how it may be
processed and managed to keep it secure.
Who must comply?
All members, merchants, and service providers that store, process, or
transmit cardholder data.
All system components which are defined as any network component,
server, or application that is included in or connected to the cardholder
data environment.
PCI Security Standard Council
Develop and manage the PCI Data Security Standard.
Establish and maintain industry-level approval processes for Qualified
Security Assessors (QSA) and Approved Scanning Vendors (ASV).
Publish and distribute the PCI Data Security Standard.
Provide an open forum for all key stakeholders
Cardholder Data
Any personally identifiable information associated
with the cardholder that is stored, processed, or
transmitted.
Account number, expiration date, name, address, social
security number, etc.
It is never acceptable to retain magnetic stripe data
subsequent to transaction authorization. However,
the following individual data elements may be
retained subsequent to transaction authorization:
Cardholder Account Number
Cardholder Name
Card Expiration Date
PCI DSS still applies even if cardholder data is not stored; processing or transmitting it is enough.
Compliance Review
Build and Maintain a Secure Network
Install and maintain a firewall configuration to protect data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Protect stored data.
Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
Use and regularly update antivirus software.
Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Restrict access to data by business need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain an Information Security Policy
Maintain a policy that addresses information security.
Getting Compliant
Compliance classification (Levels 1-4) is determined by the annual number
of transactions on the merchant account.
Point of Sale (POS) environment
Merchant location (e.g. travel agency, retail store, restaurant, hotel
property, gas station, supermarket, or other point of sale location).
Internet protocol (IP) -based POS environment is one in which
transactions are stored, processed, or transmitted on IP-based systems,
or systems communicating via TCP/IP.
Compensating Controls for encryption of stored data
Complex network segmentation
Internal firewalls that specifically protect the database
TCP wrappers or firewall on the database to specifically limit who can
connect to the database.
Separation of the corporate internal network on a different network
segment from production, with additional firewall separation from
database servers.
PCI Compliance Level Definitions

| Compliance Validation Level | Annual Transactions | Annual On-site Assessment | Quarterly Perimeter Scan | Self-Assessment Questionnaire |
|---|---|---|---|---|
| Level 1 | > 6M | Required | Required | N/A |
| Level 2 | 1M-6M | N/A | Required | Required |
| Level 3 | 20K-1M (e-commerce) | N/A | Required | Required |
| Level 4 | < 20K | N/A | Determined by acquirer | Determined by acquirer |

** Anyone suffering a breach may be escalated to a higher level.
Participating Card Associations
Cardholder Information Security Program (CISP) - Visa
PCI Compliance
Site Data Protection (SDP) - MasterCard
Penalties and Fees
When do I get penalized?
Not meeting PCI compliance by the specified date.
Cardholder data compromise while not PCI compliant.
What are the fines associated?
Dependent on the card brand and acquiring bank.
Non-compliance (Visa example) - $5,000 to $25,000 a month for each of its
Level 1 and 2 merchants (fines are higher where prohibited data such as CVV2 is stored).
Cardholder breach (Visa example) - fines up to $500,000 per incident for any
merchant or service provider that is compromised and not compliant at the time of
the incident. Safe harbor applies if PCI compliant at the time of the breach.
Restrictions imposed on noncompliant merchants:
All fraud losses incurred from the use of the compromised account numbers from
the date of compromise forward.
Cost of re-issuing cards associated with the compromise.
Cost of any additional fraud prevention/detection activities required by the card
associations (e.g. a forensic audit) or costs incurred by card issuers
associated with the compromise (e.g. additional monitoring of systems for fraudulent
activity).
Possible revocation of merchant status
Loss of Business Integrity with Customers
Credit Card Breaches
The Cost of Non-Compliance
20% of individuals who received a data breach notification during 2005
terminated their relationship with that company.
Stock price: A 2004 study found that companies that suffered data
breaches lost an average of just over 5% of their market valuation.
Breach Recovery: Average cost to recover from a data breach - $14
million ($140 per customer record).
Average loss was 2.6% of all customers.
Examples of breaches
TJX (TJ Maxx): at least 45.7 million credit/debit cards of shoppers stolen; the
largest breach reported at the time it was disclosed.
BJ’s Wholesale: Booked $16 million reserve to cover all costs related to
breach.
DSW Shoe Warehouse: Booked $6.5 million reserve to cover breach
costs.
ChoicePoint: $15 million fine.
Common Security Holes
Databases
Disk encryption
VPN Usage
Selective Access to Files
Secured wireless (PCI DSS 1.2 prohibits WEP: no new WEP deployments after 3/31/09, all existing WEP removed by 6/30/10)
Flash Drives, CDs
Networks
Firewalls
User security
DMZs
Workplace Mentality
Signed agreements
Limited accounts
Restrictive web and IM access
Enforce good passwords
DR and BCP
Verify!
SaaS usually better
Online Tools
Employee Controls
Media
Antivirus
Antispyware
Patches and Updates
Vendors
Laptops
PCs
Database activity monitoring
Set access levels
Make certain security is #1
Ensure data recovery is secure
Traveler Issues
Lock machines
Limit usage of private data
Use firewalls
Secure passports
Common Failure Points
Data Encryption
While at rest and during transit.
Proper encryption key management.
Network Monitoring and Logging
Inability to recreate users' activity (who did what, when, where, and how).
Lack of real-time monitoring of network events (e.g., IDS and firewall).
Data Archival and Disposal
Backup tapes not secured or encrypted.
Hard copies not secured or not disposed of properly.
Network Segmentation
Customer networks are typically flat.
Systems serve multiple purposes.
Web Application Security
Lack of a software development life cycle.
Poor QA process and testing.
Steps You Should be Taking
Get A Security Assessor
Re-Assess Until Compliant
Self-Audit (PCI Data Security Standards Compliance Questionnaire)
https://www.pcisecuritystandards.org/saq/index.shtml
Perform a System Perimeter Scan
Inform Employees, Change Environments and Mindsets
Key Questions
Only applicable to e-commerce merchants?
How do merchants determine the cost of compliance validation?
What if a merchant has outsourced the storage, processing, or
transmission of cardholder data to a service provider?
Do merchants need to include their service providers in the scope of their
PCI Data Security Standards Review?
Path to Compliance
Determine the locations of the card holder data.
Reduce scope by eliminating or segmenting the card holder
data.
Baseline your environment against the PCI DSS to identify gaps.
Online tools available for Vulnerability Reports
For all gaps determine recommendations with associated effort
(don't overlook "gotchas" such as logging track data on a Point
of Sale system). (Online Remediation Reports)
Develop a prioritized plan to address gaps.
Execute (…but with management support).
Continue to Scan
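Two points above deserve a concrete check: the Cardholder Data slide says full magnetic stripe data may never be retained after authorization while PAN, name and expiry may be, and the Path to Compliance warns about the "gotcha" of track data ending up in POS logs. The script below is an added example written for this page, not material from the presentation; it scans log lines for Luhn-valid PANs and for ISO/IEC 7813 track 1 and track 2 records, reports which findings are prohibited data, and masks PANs in the first-six/last-four form PCI DSS Requirement 3.3 permits for display. The log lines are constructed for the example; the card numbers are the usual published test numbers.

```python
"""Find cardholder data in log lines and flag what PCI DSS says may not be kept.

Added example, not from the original slides. Luhn (ISO/IEC 7812) and the
track 1/track 2 layouts (ISO/IEC 7813) are the standard formats; SAMPLE_LOG
is constructed for this example.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 format B: %BPAN^NAME^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")

SAMPLE_LOG = [  # constructed for this example
    "2009-08-06 10:21:03 auth ok pan=4111 1111 1111 1111 exp=1012 amt=412.50",
    "2009-08-06 10:21:04 swipe raw=;5500000000000004=1012101123456789?",
    "2009-08-06 10:21:05 swipe raw=%B378282246310005^DOE/JANE^1012101000000000?",
    "2009-08-06 10:21:06 txn id=20090806123456 status=declined",
    "2009-08-06 10:21:07 auth fail pan=4111111111111112 reason=luhn",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out timestamps and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits visible, as PCI DSS 3.3 allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str          # "pan", "track1" or "track2"
    pan_masked: str
    prohibited: bool   # True when full track data (service code, discretionary data) is present


def scan(lines):
    """Return one Finding per PAN or track record found; track data is always prohibited."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track1", mask_pan(m.group(1)), True))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track2", mask_pan(m.group(1)), True))
        # Remove track records before looking for bare PANs so one number is not reported twice.
        residual = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", line))
        for m in PAN_RE.finditer(residual):
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):
                findings.append(Finding(n, "pan", mask_pan(pan), False))
    return findings


def redact(line: str) -> str:
    """Drop track data entirely and mask bare PANs, leaving the rest of the line intact."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)

    def _mask(m):
        pan = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)

    return PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    for line in SAMPLE_LOG:
        print(redact(line))
```

Run against real POS or web server logs, the scan output tells you where cardholder data lives (the first step in the Path to Compliance) and which of those locations hold track data that must be eliminated rather than protected; `redact` is the shape of the fix to apply at the logging layer. The Luhn test is what keeps the transaction ID on line 4 and the bad PAN on line 5 out of the results.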