Troy Leach May 6, 2009

Transcription

1 The PCI Security Standards Council Troy Leach May 6, 2009

2 About the Council Open, global forum Founded 2006 Responsible for PCI Security Standards Development Management Education Awareness * 2

3 PCI Standards * 3

4 Founders * 4

5 Organization * 5

6 Drivers Advisory Board Industry Best Practices Community Meeting Proactive feedback from POs and Assessor Community PCI Data Security Standard Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) ADC Forensics Results Security Scans On-Site Audits Self- Assessment Questionnaire * 6

7 New Highlights Global growth 500+ organizations Participated in 33 events worldwide Community meetings with 700+ global attendees * 7

8 New Highlights (cont.) Global help 164 QSAs (of these, 74 are ASVs) Total QSA people trained: 1,063 Regional assessors: Asia Pacific: 29 Canada: 16 CEMEA: 28 Latin America & Caribbean: 27 United States: 87 Europe: 57 * 8

9 New Highlights (cont.) Standards & Tools Released PCI DSS Version 1.2 Lifecycle process New devices for PED PA DSS listings on Web site Quick Reference Guide Pi Prioritized ii dapproach Standards Training * 9

10 PCI Standard Lifecycle * 10

11 Ground Rules PCI SSC. Is an Independent d Industry Standard Manages the technical and business requirements for how payment data should be stored and protected Maintains List of Qualified PCI Assessor Community QSAs, ASVs, PA-QSA and PED Labs PCI SSC Does Not Manage or Drive Compliance Each brand continues to maintain its own compliance programs Identifies stakeholders that need to validate compliance Definitions of Validation Levels Fines and Fees * 11

12 Council Resources Security standards and supporting documents Quick Reference Guide Searchable Frequently Asked Questions List of approved QSAs, ASVs, PA-QSAs, PED Labs Education and outreach - e.g., fact sheets, case studies Participating membership, meetings, collaboration A global voice for the industry * 12

13 PCI Quick Reference Guide 13

14 PCI DSS Prioritized Approach What is it? Guidance for organizations to prioritize their PCI DSS implementation efforts What are the benefits? Provides a roadmap that an organization can use to address risks in priority order Enables merchants, of any size, to demonstrate progress on PCI DSS compliance process to key stakeholders banks, acquirers, QSAs and others Promotes objective and measurable progress indicators

15 How was it created? PCI DSS Prioritized Approach Payment brands examination of account data compromise events Feedback from PCI SSC Board of Advisors, Council leadership and the Technical Working Group Feedback from several QSAs and forensics investigators f 1 C SS f Asked to identify the top 15 PCI DSS requirements for protecting cardholder data

16 PCI DSS Prioritized Approach Objectives of Prioritized Approach Prioritize efforts based on the risk associated with handling cardholder data Security efforts can first focus on certain PCI DSS requirements Reduce risk associated with account data compromise by: Not retaining magnetic stripe data Minimize and secure storage of PAN Using network segmentation to reduce scope

17 PCI DSS Prioritized Approach Six Security Milestones Milestone One - If you don t need it, don t store it. The intent t of Milestone One is to remove sensitive authentication ti ti data and limit data retention. This milestone targets a key area of risk for entities that have been compromised if sensitive authentication data and other cardholder data had not been stored, the effects of the compromise would have been greatly reduced. Milestone Two - Secure the perimeter. The intent of Milestone Two is to protect the perimeter, internal, and wireless networks. This milestone targets a key area that represents the point of access for most compromises: vulnerabilities in networks or at wireless access points. Milestone Three - Secure applications. The intent of Milestone Three is to secure applications. This milestone focuses on applications, as well as application processes and application servers, since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data.

18 PCI DSS Prioritized Approach Milestone Four - Control access to your systems. The intent of Milestone Four is to protect the cardholder data environment through monitoring and access control since this is the key method to detect the who, what, when and how about who is accessing your network. Milestone Five - Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data. Milestone Six - Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

19 PCI DSS Prioritized Approach Prioritized Approach Tools

20 Standards Training Update First PCI SSC Standards Training Merchant training endorsed by PCI SSC Objective: Arm merchants with everything they need to know to best prepare for an onsite PCI DSS inspection or to perform the assessment internally Focus: Four key modules PCI Program defining the payment card industry Scoping a PCI DSS Assessment PCI DSS v1.2 Requirements Compensating Controls Where: Atlanta & Sydney in June, 2009

21

22 Threat Landscape Implementing the Standard is a Journey Not a Destination Risky Behavior 81% store payment card numbers 73% store payment card expiration dates 53% store customer data from magnetic stripe on card 16% store other personal data Source: Forrester Consulting, September 2007 * 22

23 Value of Compliance Cost of Complying Upgrading payment systems and security Verifying compliance via assessment Sustaining i compliance May cost millions for complex or older systems Cost of a Breach Crisis upgrades Repeat assessments Notification Brand reputation loss Shareholder and consumer lawsuits May cost 20 times the price of compliance PCI Compliance Cost Analysis: A Justified Expense. A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. January 2008 [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 2,500 retail locations.] * 23

24 Top Violations Common Audit / Forensic Results Bad or no firewall Unprotected stored data Insecure systems and applications No unique user IDs No tracking or monitoring of access No regular tests of security No security policy * 24

25 The Five Stages of Grief Denial Anger Bargaining Depression 25 It doesn t apply to me PCI compliance is mandatory It isn t fair PCI applies to all parties in the payment process I ll do some of it Compliance is pass / fail I ll never get there Many merchants already have Acceptance It ll be OK PCI doesn t introduce any new, alien concepts * 25

26

27 PCI Data Security Standard * 27

28 SC1 The PCI Data Security Standard Six Goals Twelve Requirements Build and Maintain a Secure 1. Install and maintain a firewall configuration to protect cardholder data Network 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors * 28

29 Slide 28 SC1 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008

30 PCI Data Security Standard Principles Driving Version 1.2 More clarity on requirements More flexibility Manage evolving risks and threats Incorporate new best practices Clarify scoping and reporting Eliminate redundant sub-requirements Consolidate documentation * 29

31 PCI Data Security Standard Summary of Changes in Version 1.2 Consolidate PCI DSS and assessment procedures Consistent use of terms Enhance Report on Compliance Clarify compensating controls Add Attestation of Compliance forms Add flowchart for scoping and sampling * 30

32 PCI DSS 1.2 Changes Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Clarified requirements for routers and firewalls Added flexibility for review time * 31

33 PCI DSS 1.2 Changes Build and Maintain a Secure Network Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Clarified requirement for wireless Deleted references to WEP Removed requirement to disable SSID broadcast * 32

34 PCI DSS 1.2 Changes Protect Cardholder Data Requirement 3: Protect stored cardholder data Used consistent terms ( PAN and strong cryptography ) Clarified requirement for disk encryption * 33

35 PCI DSS 1.2 Changes Protect Cardholder Data Requirement 4: Encrypt transmission of cardholder data across open, public networks Wireless must use strong encryption New implementations of WEP not allowed after March 31, 2009 Current WEP must be discontinued after June 30, 2010 * 34

36 PCI DSS 1.2 Changes Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Required for all operating systems Must address all known types of malicious software * 35

37 PCI DSS 1.2 Changes Maintain a Vulnerability Management Program Requirement 6: Develop and maintain secure systems and applications May use risk-based approach to prioritize patching Mandatory yprotection for all public-facing Web applications * 36

38 PCI DSS 1.2 Changes Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need- to-know Clarified testing procedures Requirement 8: Assign a unique ID to each person with computer access Clarified password testing procedures Clarified user authentication ti ti * 37

39 PCI DSS 1.2 Changes Implement Strong Access Control Measures Requirement 9: Restrict physical access to cardholder data Visit off-site storage locations at least annually More flexibility for use of surveillance cameras Electronic and paper media with cardholder data must be protected Clarified media destruction * 38

40 PCI DSS 1.2 Changes Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Clarified processing of log files Clarified immediate availability of audit trail history * 39

41 PCI DSS 1.2 Changes Regularly Monitor and Test Networks Requirement 11: Regularly test security systems and processes New guidance on wireless security systems ASVs must be used for quarterly external vulnerability scans External and internal penetration tests required Not required to use QSA or ASV for penetration tests * 40

42 PCI DSS 1.2 Changes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for employees and contractors t More examples of critical employeefacing technologies New timeframe for employee acknowledgement of policy Clarified requirements for policies related to service providers * 41

43 Self-Assessment Questionnaire * 42

44 Self-Assessment Questionnaire SAQ Validation Type Description Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-toface merchants Imprint-only merchants with no cardholder data storage Stand alone dial-up terminal merchants, no cardholder data storage Merchants with payment application systems connected to the Internet, no cardholder data storage All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ SAQ A <11 Questions B 21 Questions B 21 Questions C 38 Questions D Full DSS * 4/27/

45 PCI DSS Applicability Information Data Element Storage Permitted Protection Required Rendered Unreadable Cardholder Data Sensitive Authentication Data [2] Primary Account Number (PAN) Yes Yes Yes Cardholder Name [1] Yes Yes 1 No Service Code 1 Yes Yes 1 No Expiration Date 1 Yes Yes 1 No Full Magnetic Stripe Data [3] No N/A N/A CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A [1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted. [2] Sensitive authentication data must not be stored after authorization (even if encrypted). [3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere. * 44

46 Payment Application DSS * 45

47 Payment Application DSS Fourteen Requirements Protecting Payment Application Transactions Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data Provide secure password features Protect stored cardholder data Log Application Activity Develop Secure Applications Protect wireless transmissions Test Applications to address vulnerabilities Facilitate secure network implementation Cardholder data must never be stored on a server connected to the Internet Facilitate secure remote software updates Facilitate secure remote access to application Encrypt sensitive traffic over public networks Encrypt all non-console administrative access Maintain instructional documentation and training programs for customers, resellers, and integrators * 46

48 PIN Entry Device * 47

49 PIN Entry Device PED Requirements Device Characteristics Physical security Logical security Device Management During manufacturing Between manufacturing and initial key loading Addresses lifecycle of how PED is produced, controlled, transported, stored and used * 48

50 Devices Covered by PED PIN Entry Device Standards In Place Point of sale used for secure PIN entry Attended by clerk Standards Under Consideration in 2009 Unattended payment terminals (UPTs such as fuel pumps, kiosks) Hardware / host security modules (HSMs as non-cardholder interfaces or embedded devices) * 49

51 Special Interest Groups Board of Advisors Chair Special Interest Groups Why participate on a SIG? Opportunity to leverage Participating Organizations expertise SIGs analyze and address specific industry challenges SIGs determine own deliverables Recommend changes, clarifications, improvements, best practices, etc. SIGs dissolve after deliverable is achieved New SIGs can be proposed at any time

52 Two Current SIGs Pre-Authorization Pending Deliverables: Definition of pre-authorization Define pre-authorization issues by industry Special Interest Groups Best practices for handling pre-authorization data Wireless Pending Deliverables DSS accommodation of wireless network methods Wireless network guidance

53

54 Organizational Structure * 53

55 Organizational Structure * 54

56 Executive Committee Seana Pitt, American Express Suzanne Smits, Discover Financial Services Lib de Veyra, JCB International (Chair) Bruce Rutherford, MasterCard Worldwide Lance Johnson, Visa Inc. * 55

57 Board of Advisors * 56

58 Board of Advisors Provide feedback Set strategy Emerging security issues Additional standards Evolving the current standard(s) Set agenda/programs for Community Meetings Time commitments Face-to-face meetings (as needed) Conference calls (regularly scheduled) SME, panelists, moderator (Community Meetings/Webinars) Regional and business category market feedback Ad hoc working groups * 57

59 Board of Advisors Representatives on Board of Advisors Financial Institutions Bank of America JP Morgan Chase and Co. Citibank N.A., Global Consumer Group Commonwealth Bank of Australia The Royal Bank of Scotland Merchants British Airways, plc Exxon Mobil Corporation McDonalds Corporation Microsoft Tesco Stores Ltd. Wal-Mart Stores, Inc. Processors Chase Paymentech Solutions First Data Corporation Interac Association Moneris Solutions Corporation SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V. TSYS Acquiring Solutions Associations & Vendors APACS EPC PayPal, Inc. VeriFone, Inc. * 58

60 Organizational Structure * 59

61 Management Committee Michael Mitchell, American Express Gina Gobeyn, Discover Financial Services (Chair) Lib de Veyra, JCB International John Verdeschi, MasterCard Worldwide Ross Snailer, Visa Inc. * 60

62 Organizational Structure * 61

63 Working Group Chairs PCI DSS and PA-DSS Michael Nott, American Express PED Leon Fell, Visa Inc. Marketing Jennifer Mack, MasterCard Worldwide * 62

64 Council Staff Bob Russo General Manager Troy Leach Technical Director Ella Nevill Marketing & Communications Director Paul Caloca QA Program Manager James Barrows QA Program Jeff Foresman Standards Trainer * 63

65

66 Community Meetings Acquirers Vendors Community Meeting * 65

67 Community Meetings Two Meetings in 2009 Responsive to Industry! Las Vegas, NV, September 22 24, 2009 European Meeting, Prague, October 26 28, 2009 We had very successful Community Meetings in 2008! Join us as a Participating Organization to get involved in setting global PCI standards! * 66

68

69 Global Growth More than 500 organizations have been accepted Europe: 78 North ot America: 411 Central Europe / Middle East / Africa: 14 Asia Pacific: 12 Latin America / Caribbean: 6 * 68

70 Participating Organizations A Seat at the Table Financial institutions Merchants Gateways Processors Service providers EFT networks Associations Vendors * 69

71 Participating Organizations Financial Associations Other POS Processors Merchants Vendors Institutions For a full list: For a full list: * 70

72 Growing Ecosystem 164 QSA companies (74 of these are ASVs) QSAs trained 147 ASVs 100+ PA-QSAs trained 8 PED labs * 71

73 Participating Organizations Privileges of Membership Vote and run for Advisory Board Comment on standards and documentation before public release Attend Community meetings Attend Webinars Recommend initiatives and standards Get early notice of new press releases Get monthly bulletin Soon: exclusive private Web site for PO and assessor community * 72

74 Need More Information? * 73

75 Compliance is a Journey Compliance/Security Requires Vigilance All The Time 74

76 Security is Only as Good as the Weakest Link 75

77 Thank You!