Transcript PCI Compliance - Aug 2009 - Commonwealth Business Travel

Brian Cloud
August 06, 2009
Overall Digital Security

What is Digital Security

Murphy’s Law
 Since 2005, over 263M records breeched
(privacyreports.com)
○ Hacking, Internal Flaws, Stolen Equipment

Marketing is Profitability, Profiles are
Productivity
Security Concerns





Databases
Communications and Transmissions
Media
Access Levels
Traveler Issues and Awareness

Types of Issues:




Data Breech
Intellectual Property Theft
DoS Attacks
Internal Issues and Employee Mindset
PCI Compliance Overview

What is it?
 Payment Card Industry (PCI) Data Security Standard (DSS)
 defines what cardholder data can be stored and how it may be
processed and managed to keep it secure.

Who must comply?
 All members, merchants, and service providers that store, process, OR
transmit cardholder data.
 All system components which are defined as any network component,
server, or application that is included in or connected to the cardholder
data environment.

PCI Security Standard Council
 Develop and manage the PCI Data Security Standard.
 Establish and maintain industry-level approval processes for Qualified
Security Assessors (QSA) and Approved Scanning Vendors (ASV).
 Publish and distribute the PCI Data Security Standard.
 Provide an open forum for all key stakeholders
Cardholder Data

Any personally identifiable information associated
with the cardholder that is stored, processed, or
transmitted.
 Account number, expiration date, name, address, social
security number, etc.

It is never acceptable to retain magnetic stripe data
subsequent to transaction authorization. However,
the following individual data elements may be
retained subsequent to transaction authorization:
 Cardholder Account Number
 Cardholder Name
 Card Expiration Date

Still applies even if cardholder data is not stored
Compliance Review

Build and Maintain a Secure
Network




Implement Strong Access Control
Measures

Install and maintain a firewall
configuration to protect data.
Do not use vendor-supplied defaults for
system passwords and other security
parameters.


Protect Cardholder Data



Protect stored data.
Encrypt transmission of cardholder data
and sensitive information across public
networks.
Regularly Monitor and Test
Networks



Restrict access to data by business
need-to-know.
Assign a unique ID to each person with
computer access.
Restrict physical access to cardholder
data
Maintain a Vulnerability
Management Program


Use and regularly update antivirus
software.
Develop and maintain secure systems
and applications.

Track and monitor all access to network
resources and cardholder data.
Regularly test security systems and
processes.
Maintain an Information Security
Policy

Maintain a policy that addresses
information security.
Getting Compliant

Compliance Classification (Levels I-IV) determined by number
of transactions in merchant account

Point of Sale (POS) environment
 Merchant location (i.e. travel agency, retail store, restaurant, hotel
property, gas station, supermarket, or other point of sale location).
 Internet protocol (IP) -based POS environment is one in which
transactions are stored, processed, or transmitted on IP-based systems,
or systems communicating via TCP/IP.

Compensating Controls for encryption of stored data
 Complex network segmentation
 Internal firewalls that specifically protect the database
 TCP wrappers or firewall on the database to specifically limit who can
connect to the database.
 Separation of the corporate internal network on a different network
segment from production, with additional firewall separation from
database servers.
PCI Compliance Level Definitions
Compliance
Validation Level
Annual
On-site
Assessment
Quarterly
Perimeter
Scan
SelfAssessment
Questionnaire
Level 1
> 6M Transactions
Required
Required
N/A
Level 2
1M-6M Transactions
N/A
Required
Required
Level 3
20K-6M Transactions
N/A
Required
Required
Level 4
< 20K Transactions
N/A
Determined
by Acquirer
Determined
by Acquirer
** Anyone suffering a breech may be escalated
Participating Card Associations
Cardholder Information
Security Program (CISP)
PCI Compliance
Site Data Protection (SDP)
Penalties and Fees

When do I get penalized?



Not meeting PCI Compliance by the specified date.
Card Holder data compromise when not PCI compliant.
What are the fines associated?









Dependent on the card brand and acquiring bank.
Non-compliance (Visa Example) – $5,000 and $25,000 a month for each of its
Level 1 and 2 merchants (CVV2 can be worse).
Card Holder Breach (Visa Example) –Fines up to $500,000 per incident, for any
merchant or service provider that is compromised and not compliant at the time of
the incident. Safe Harbor if PCI Compliant.
Impose restrictions on noncompliant merchants
All fraud losses incurred from the use of the compromised account numbers from
the date of compromise forward.
Cost of re-issuing cards associated with the compromise.
Cost of any additional fraud prevention/detection activities required by the card
associations (i.e. a forensic audit) or costs incurred by credit card issuers
associated with the compromise (i.e. additional monitoring of system for fraudulent
activity).
Possible revocation of merchant status
Loss of Business Integrity with Customers
Credit Card Breeches

The Cost of Non-Compliance
 20% of individuals who received a data breach notification during 2005
terminated their relationship with that company.
 Stock price: A 2004 study found that companies that suffered data
breaches lost an average of just over 5% of their market valuation.
 Breach Recovery: Average cost to recover from a data breach - $14
million ($140 per customer record).
 Average loss was 2.6% of all customers.

Examples of breaches
 TJMax: At least 45.7 million credit/debit cards of shoppers stolen. Largest
ever.
 BJ’s Wholesale: Booked $16 million reserve to cover all costs related to
breach.
 DSW Shoe Warehouse: Booked $6.5 million reserve to cover breach
costs.
 ChoicePoint: $15 million fine.
Common Security Holes

Databases




Disk encryption
VPN Usage
Selective Access to Files
Secured Wireless (no WEP 3/31/10)

Flash Drives, CDs
Networks



Firewalls
User security
DMZs
Workplace Mentality
Signed agreements
Limited accounts
Restrictive web and IM access
Enforce good passwords
DR and BCP



Verify!
SaaS usually better
Online Tools
Employee Controls





Media


Antivirus
Antispyware
Patches and Updates
Vendors



Laptops






PCs




Database activity monitoring
Set access levels
make certain security is #1
data recovery is secure
Traveler Issues




Lock machines
Limit usage of private data
Use firewalls
Secure passports
Common Failure Points

Data Encryption



Network Monitoring and Logging



Customer network’s typically flat.
Systems serve multiple purposes.
Data Archival and Disposal



Inability to recreate user’s activity (who did what, when, where, and how).
Lack of real time monitoring of network events (e.g., IDS and firewall).
Network Segmentation



While at rest and during transit.
Proper encryption key management.
Backup tapes not secured or encrypted.
Hard copies not secured or not disposed of properly.
Web Application Security


Lack of software development life cycle.
Poor QA process and testing.
Steps You Should be Taking
Get A Security Assessor
 Re-Assess Until Compliant
 Self-Audit (PCI Data Security Standards Compliance Questionnaire)

 https://www.pcisecuritystandards.org/saq/index.shtml
Perform a System Perimeter Scan
 Inform Employees, Change Environments and Mindsets


Key Questions
 Only applicable to e-commerce merchants?
 How do merchants determine the cost of compliance validation?
 What if a merchant has outsourced the storage, processing, or
transmission of cardholder data to a service provider?
 Do merchants need to include their service providers in the scope of their
PCI Data Security Standards Review?
Path to Compliance

Determine the locations of the card holder data.

Reduce scope by eliminating or segmenting the card holder
data.

Baseline your environment against the PCI DSS to identify gaps.
Online tools available for Vulnerability Reports

For all gaps determine recommendations with associated effort
(don’t overlook “gotcha’s” such as logging track data on a Point
of Sales system). (Online Mediation Reports)

Develop a prioritized plan to address gaps.

Execute (…but with management support).

Continue to Scan