PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

Transcription

1 PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION Suresh Dadlani, ControlCase

2 About Vietnam Google search 2 Population 86 Mn Urban Population 25 Mn, approx 30% - Hanoi and Ho Chi Minh City -14 Mn Literacy Rate 94%, above age group of 15 Per Capita Income Approx 1200 USD 5/23/2012

3 About Vietnam source interaction at the Conference Mn Payment Card Holders- Debit/Credit Cards 4000 Bank branches approx persons/bank branch ATMs 6000 Persons/ATM POS Terminals Persons/POS terminal 5/23/2012

4 About Vietnam Preparedness towards Cashless Transactions Mn Payment Card Holders- Debit/Credit Cards Good news Internet Connectivity- Good Literacy rate - Favorable 4000 Bank branches approx Cashless transactions will not have excessive pressures ATMs Need enhancing of network POS Terminals- Need enhancement with more merchants to be included to minimise cash transactions 5/23/2012

5 About Vietnam Preparedness towards Cashless Transactions 5 Technology status in Banks Satisfactory but has to keep pace with advancements. Data Security status in Banks Needs attention Service Providers for Banks Need strengthening Compliance to PCI DSS Needs impetus Payment applications in Banks, Service Providers and ecommerce Merchants Require compliances to regulations ecommerce business Needs encouragement 5/23/2012

6 Background Why Cashless Transactions 6-24 X7 Operations - Flexibility in operations - Lower cost of transactions across geographies - No barriers or boundaries - Lower cost of funds - Customer Friendly - Safe and Secured - Ease of Managing accounts 5/23/2012

7 7 Cashless Transactions - Major Modus Operandi Internet Banking - Banking Payment Applications - Infrastructure - Data Security Payment Cards - Issuers and acquirers - ATMs - Merchants with POS terminals - Data Security 5/23/2012

8 8 Cashless Transactions Prerequisites Infrastructure spread ATMs, Branches, Merchants with POS etc. Technology Continuous improvements Connectivity Speed, Accuracy and security Data Security Physical Security Customer Education and Knowledge Customer Friendly operations 5/23/2012

9 Cashless Transactions Addressing Issues 9 Data Security protection Training to all stake holders involved with storing, processing and transmission of Sensitive data Timely and continuous up gradation of Infrastructure managing the transactions to minimise compromises and frauds Strengthening physical security including through strong HR and Legal processes. Customer Awareness and Knowledge sharing 5/23/2012

10 Cashless Transactions Addressing Issues 10 Service Providers must ensure Compliances to the applicable and relevant Data Security Standards Compliance to standards like PCI DSS and those from the Central Bank from time to time provides confidence to customers and also protects the Service Providers from major damages financial and business due to frauds and compromises that may happen due to non compliances Statistics show that the entities having experiences of frauds and compromises are generally found to be non compliant to such standards at the time of incidents and hence it is critical to attain compliances but equally critical is to maintain compliances. 5/23/2012

11 What is a data breach 11 A data breach is the intentional or unintentional release of secure information to an untrusted environment. A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. 5/23/2012

12 Cost of Data Breach An example 12 $204 per customer record The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in Cost includes : the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help including forensic audit; and remediation expenses such as technology and training. 5/23/2012 Source: Ponemon Institute

13 Data Breach Impact 13 Loss of customer confidence Penalties and Fines Negative Publicity Legal liabilities 5/23/2012

14 How Secure my DATA is..? 14 Customer has become wise and is concerned more about security Awareness programs in/via the IT/Banking Industry News Media coverage in detail for Hacking, Financial Frauds etc Customer wishes ease of operation, but SECURELY. Customer Query: Where shall I purchase/bank? Is my CARD Details are securely processed/stored? Is my Bank/Merchant Certified? 5/23/2012

15 ControlCase Corporate Overview/Profile More than 400 clients in 38 countries in the IT GRC space (60% of business is in PCI/PA DSS space) ControlCase is a Qualified Security Assessor Company, QSAC as certified by PCI Security Standards Council. ControlCase has 24 QSAs and over 30 Consultants/Testing Engineers and have the direct presence in 7 countries. ControlCase is a Approved Scanning Vendor, ASV as certified by PCI Security Standards Council ControlCase is a certified Application Assessor (PA-DSS) as certified by the PCI Security Standards Council ControlCase is accredited to RvA, Netherland and is a Certifying body for ISO ControlCase is certified as per CERT IN Empanelled Company ControlCase is a certified product licensee and assessor for the Shared Assessment Program, formerly Financial Institutions Shared Assessments Program (FISAP) by banking institution forum BITS.

16 Why PCI DSS?

17 PCI DSS Data

18 PCI Family of Standards Protection of Card holder payment data PCI PED: Vendors manufacturing Pin Entry Devices PCI DSS PA DSS PCI PA DSS: Software vendors who develop commercial secure payment applications PCI DSS: If a Primary Account Number (PAN) is stored, processed, or transmitted. PCI PED Payment Card Industry Security Standards

19 PCI DSS Requirements Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks Maintain an Information Security Policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors

20 General Overview of PCI DSS Assessment Metholology ControlCase methodology will assist your organosation to Attain, Maintain and Retain PCI DSS compliance certification business needs. This methodology is propriety to ControlCase that has been proven successful on all our PCI projects including Large Service Providers, Banks in a number of countries across regions.

21 Dimensions of Compliance Service Providers Banks VISA/ MasterCard Gateways AMEX/ Discover Vendors Merchants

22 Overall Approach Project Initiation Phase I Phase II Phase III Phase IV Setup of Project Management Office IT GRC Portal Creation ControlCase GRC Appliance PCI DSS Awareness Training Detailed Scoping Schedule of Activities Vulnerability Management Gap Analysis Onsite/ Offsite Gap Remediation Support Product Evaluation Policy/ Procedures Formulation Vulnerability Management Onsite Audit Certification Continual Compliance Recertification Audit

23 Ongoing Compliance Quarterly Compliance Review Meetings Quarterly Compliance tracking Quarterly ASV Scanning Quarterly Vulnerability Assessment Quarterly User Account Reviews Six-monthly firewall rule-set review Quarterly Data Discovery Annual Network Penetration Testing Annual Application Security Testing Annual PCI DSS Awareness Training Annual Recertification Project Initiation Phase I Phase II Phase III Phase IV

24 Well integrated Continual Compliance Methodology and Technology Certifications Managed Services Software 1. PCI Gap Assessment Services 1. Firewall Rule set Review 5. Application Security Test 1. Compliance Manager 6. Audit Manager Software 2. PCI Remediation Support Services 3. PCI DSS Certification 2. ASV External Scanning 3. Internal Vulnerability Scanning 6. Internal Network Penetration Test 7. Card Data Discovery 2. Risk Manager 3. Asset & Vulnerability Manager 7. Log/FIM Manager 8. Policy Manager 4. External Network Pent Test 8. Risk Assessment 4. Training Manager 9. Data Discovery 5. Vendor Manager 10. Compliance Scanner

25 PCI Compliance as a Service (CAAS)

26 PCI Compliance as a Service (CAAS)

27 Component Category PCI Requirement Met PCI Gap analysis Certification Overall PCI DSS PCI Remediation support Certification Overall PCI DSS PCI SAQ Assistance Advisory Services Overall PCI DSS Data discovery scanner for cardholder data Software Overall PCI DSS Centralized compliance management portal and Software 1 reminders Firewall rule-set analysis Managed Service 1 Configuration scanner Software 2 Configuration scanning of IT assets Managed Service 2 Data discovery scanner for cardholder data Software 3 Searching of cardholder data within environment Managed Service 3 Application security scanner Software 6 Application security scanning Managed Service 6 Logging platform Software 10 File integrity monitoring platform Software 10 24/7/365 monitoring with Alerts and Daily PCI log reviews Managed Service 10 Secure storage and archival of logs Software 10 Internal vulnerability scanner Software 11 External vulnerability scanner Software 11 Internal vulnerability scanning Managed Service 11 External vulnerability scanning (ASV approved scan) Managed Service 11 Internal penetration testing Managed Service 11 External penetration testing Managed Service 11 Policy manager Software 12 Customization and updating of policies to meet PCI requirements Managed Service 12 Annual PCI training portal Software 12 Distribution and Attestation of Annual Security Awareness Training Managed Service 12 Annual Risk Assessment Managed Service 12

28 Calendar of Compliance

29 Technical Challenges Do you know where your Confidential, PCI data is located? Do you know what your sensitive data is? What users and groups have access to sensitive data? What users and groups are accessing sensitive data? Where is sensitive data most at risk? Which of my sensitive data is not being used and can be archived or simply deleted? Network Segmentation and Isolation IT operations and maintenance of systems with cardholder data Documentation and demonstration of compliance (evidence) Training and user awareness

30 Business Challenges A challenge to change the attitude of the organization towards security and card data Time, Resource and Budget Prioritization of Remediation activities Keep PCI Certification as a goal for everyone to achieve

31 Business Challenges A challenge to change the attitude of the organization towards security and card data Time, Resource and Budget Prioritization of Remediation activities Keep PCI Certification as a goal for everyone to achieve