PCI Deadline Are you Complying? Mark Cuneo. CardConnect

Transcription

1 PCI Deadline Are you Complying? Mark Cuneo CardConnect

2 PCI Compliance is Very Important And Very Exciting

3 Agenda Why Do I Care? Key Changes Guidance Maintaining Inventory Penetration Testing Protect Card Reading Devices SafeNet Risks Beyond PCI

4 Why Do I Care? You Accept Credit Cards Today You have considered accepting Credit Cards It s helpful to understand a business process like this

5 Types of Changes

6 Key Changes to Consider Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013

7 The Addition of Guidance

8

9 Addition of Guidance Guidance answers the Why Now PCI Provides You With: The Requirements The Testing Procedures The Guidance Why this is being asked of you The Logic behind the requirement

10 Maintaining Inventory 2.4

11 2.4 Maintain Inventory

12

13 2.4 Maintaining Inventory Requirement Maintain an inventory of system components that are in scope for PCI DSS. Testing Procedure Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.

14 2.4 Maintaining Inventory What is included in this? All hardware Virtual Hosts Physical hosts Network devices Software components Custom Commercial (Oracle & Oracle Database) Off-the-shelf applications Complexity increases with Virtualization Environment in multiple geographic locations Distributed retail locations

15 Penetration Testing 11.3

16

17

18 11.3 Penetration Testing Requirement Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement Implement a methodology for penetration testing that includes the following: Is based on industry-accepted penetration testing approaches (for example, NIST SP ) Guidance A penetration test differs from a vulnerability scan, as a penetration test is an active process that may include exploiting identified vulnerabilities Penetration testing is generally a highly manual process. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. A tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment.

19 11.3 Penetration Testing Clearly the EBS and the Oracle database fall under this PCI requirement. You may not have the in-house resources to provide penetration testing Even if you do you must follow an industry accepted testing approach. If you do use outside resources (or if you now feel that you must use an outside resource) you must be confident that they are using industry accepted testing approach.

20 Protect Card Reading Devices 9.9

21

22 9.9 Protect Card Reading Devices Requirement Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement. 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Maintain an up-to-date list of devices. The list should include the following: Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification.

23 9.9 Protect Card Reading Devices Tip There are at least two serial numbers per terminal: Device ID Encryption Key ID If you are using a Point to Point Encryption solution with a HSM Ensure that the solution checks the device id per transaction by the terminal management database to determine it is an authorized device, and if not decline the transaction Ensure that the solution validates the encryption key id, and if it does not match the one expected for the device decline the transaction Ensure that the solution can automatically disable devices upon a preset number of errors as indication of tampering

24 9.9 Protect Card Reading Devices Requirement Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

25 Risks Beyond PCI A Look at SafeNet

26

27 Gemalto (Formerly SafeNet) Safenet Overview: Data Security Encryption Company ERP EBS $10 Million in Credit Card Sales Annually US Headquarters Belcamp MD

28 SafeNet Considerations 1. SafeNet determined that ultimately the Security of their business rest with them PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Payment Card Industry (PCI) Data Security Standard, v3.0 Page PCI Security Standards Council, LLC. All Rights Reserved. November 2013

29 SafeNet Considerations 1. SafeNet determined that ultimately the Security of their business rest with them 2. PCI Compliance is not enough 1. PCI 3.0 came into effect January Was originally drafted 3 years ago to provide sufficient time for customers to prepare for it 3. It became clear to SafeNet that they cannot base their Data Security on the PCI standard alone.

30 Building for Data Security Building for Data Security The Cornerstone PCI Standards Foundation: Point to Point Encryption Tokenization Data Security Tokenization Data At Rest PCI Standards P2PE Data In Transit

31 Building the Foundation Building The Foundation Point to Point Encryption Customer Service Token The P2PE and related PCI SSC standards define a common security assessment framework that is currently recognized by all Participating Payment Brands Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments PCI P2PE Program Guide, v1.1 February 2013 PCI Security Standards Council, LLC Page 6 Data Security PCI Standards Tokenization P2PE

32 Building The Foundation Tokenization With a rising demand for tokenization products, the PCI Security Standards Council (PCI SSC) believes it is imperative to build, test, and deploy products that provide strong support for compliance with the PCI Data Security Standard (PCI DSS) The security objective of a tokenization process is to ensure the resulting token has no value to an attacker PCI Security Standards Council, Tokenization Product Security Guidelines Version:1.0 April 2015 Page 4 PCI Standards Data Security Tokenization Data At Rest P2PE

33 SafeNet Impact Compliance with PCI 3.0 Adding P2PE o Customer Service Computers Moving Out of Scope o Network Moving Out of Scope Adding Tokenization o EBS Moving Out of Scope Cost Savings o Reducing Scope and Cost of PCI Risk Avoidance o Removed threat of credit card theft o Prevent damage to SafeNet brand

34 Who Is CardConnect?

35 Who Is CardConnect

36 Who is CardConnect Founded in 1997 Over $300 Million in Revenues Processing Over $15 Billion Patent for P2PE for Card-Not-Present

37 Validations & Patents Oracle Validated Integration PCI Validated P2PE Application PCI Validation P2PE Solution Patent for P2PE for Card-Not-Present

38 CardConnect Contact Information Mark Cuneo Office Cell