PCI DSS Compliance White Paper

Transcription

1 PCI DSS Compliance White Paper 2012 Edition Copyright 2012, NetClarity, Inc. All rights reserved worldwide. Patents issued and pending. PCI DSS Compliance White Paper NetClarity, Inc. Page 1

2 Welcome to the SMB Retailer Security Castle over 80% of successful exploitation happens from the inside, behind the firewall - SANS.org Most e-tail and traditional brick and mortar retailers are not secure. The Payment Card Industry (PCI) Data Security Standard (DSS) is designed to pressure retailers and merchant card service providers to maintain higher integrity in their IT security posture. With more consumers making purchases over the internet and telephone, security has become a key concern for the credit card processing industry. PCI DSS Compliance White Paper NetClarity, Inc. Page 2

3 Why Should Retailers Worry? Retail and E-tail Outlet Attacks have outpaced Attacks Targeting Banks: Banks are getting much more secure Banks are audited regularly by the FDIC (in the USA) Cybercriminals are finding it harder and harder to break into banks Retail and E-tail are easy targets: Wireless routers Wireless CVEs Spoof-able Barcode Scanners Spoof-able Cash Registers Real-time Connections to MONEY (Visa Payment Gateway, etc ) VISA will fine a retailer, increase their per transaction fees, or disable their ability to take credit cards if they do not comply with PCI DSS, no matter how small they are. PCI DSS Compliance White Paper NetClarity, Inc. Page 3

4 PCI Compliance: Is it Worth It for SMBs? The Cost of Complying Three Categories of Compliance Upgrading Payments Systems and Security Verifying Compliance (Assessment) Sustaining Compliance How much does this cost your organization? For merchants with complex or older systems, it may cost millions PCI Compliance Cost Analysis: A Justified Expense. A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. Jan [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 2,500 retail locations.] The Cost of Not Complying Same study estimated non-compliance costs significantly higher, including Crisis cost upgrades Repeat assessments Notification costs Brand reputation Shareholder and consumer lawsuits The cost of a breach can easily be 20 times the cost of PCI Compliance PCI DSS Compliance White Paper NetClarity, Inc. Page 4

5 You are the target Hackers shift attacks to SMBs One Breach Could Put You Out of Business! In this case, the smaller you are, the harder you fall. See: According to John Chambers, CEO of Cisco, July, 2012, the cost of a successful breach or downtime to a very large organization such as a Fortune 1000 is still significant approximately 3.9% of annual revenues, however, the smaller the business, the greater the cost. Take the small business Burger Me who may have had plans to become the next large hamburger franchise after a single breach, where hackers stole electronic credit card transaction information from the computerized cash register, over the internet, this single breach put Burger Me out of business. The owner of City Newsstand says he s still paying off the $22,000 he spent on the investigations and security improvements to his business after a similar credit card breach he is still digging his business out of the hole caused by this one, single PCI compliance breach. Top security experts believe that this is an explosive trend. PCI DSS Compliance White Paper NetClarity, Inc. Page 5

6 PCI Forensics Inside Jobs vs. Intrusions 17% Inside ~77% are partial insiders Incident Detection >75% via allegation of compromise Findings Percentages 92% Confirmed Security Breach >60% Confirmed Data Compromise > 60% Payment Cards vs. Others Consumer data: Payment card information -Credit / Debit -Card-present / CNP Personal Check information Identity-related data: Name, address, Social security, Social insurance IRS / tax return information Law Enforcement Involvement 87% of cases Incident Detection >75% via allegation of compromise Breach Sources ~13% Inside U.S. Vulnerability Scanning SQL Injection cases: 71% had commercial scanning 63% detected SQL vulnerability 15% in scan reports for 1 year + (source Verizon) Company-proprietary: Financial records HR / employee data Product strategy & roadmap Trade secrets & technology Case Commonalities 19% SQL injection 45% POS systems 10% Wireless infrastructure ~50% Via 3rd party connections PCI DSS Compliance White Paper NetClarity, Inc. Page 6

7 PCI Violations in SMBs who Were Hacked Requirement 1: Install and maintain a firewall to protect cardholder data Requirement 3: Protect stored data Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign a unique ID to each person with computer access Requirement 10: Track and monitor access to network and card data Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses information security Violations >50% Found During Forensic Investigations Violations <50% Found During Forensic Investigations Violations Found During Initial PCI DSS Audits PCI DSS Compliance White Paper NetClarity, Inc. Page 7

8 What is PCI DSS? Payment Card Industry (PCI) Data Security Standard Version 1.2 Release: October 2008 The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures This comprehensive standard is intended to help organizations proactively protect customer payment data PCI DSS Compliance White Paper NetClarity, Inc. Page 8

9 The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors NetClarity s NACwall appliances family is designed to help you handle most of the PCI DSS security requirements through self-assessment. With internal intrusion prevention, protection of wireless routers and devices plus the ISO27001 policy auditor and document tool, SYSLOG and PDF reporting you can produce what you need to show best practices to VISA. PCI DSS Compliance White Paper NetClarity, Inc. Page 9

10 Leverage the PCI DSS Self-Assessment Questionaire (SAQ) Self-Assessment Questionnaire (SAQ) Alignment with the PCI DSS v1.2 Based on industry feedback Flexibility for multiple merchant types Providing guidance for the intent and applicability of the underlying requirements SAQ Validation Type Description SAQ Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants Imprint-only merchants with no cardholder data storage Stand alone dial-up terminal merchants, no cardholder data storage Merchants with payment application systems connected to the Internet, no cardholder data storage A <11 Questions B 21 Questions B 21 Questions C 38 Questions 5 All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ D Full DSS PCI DSS Compliance White Paper NetClarity, Inc. Page 10

11 To comply with PCI DSS, use your NACwall appliance to: Build and maintain a secure network by protecting the internal network from rogue devices and malicious insiders. Protect cardholder data by using it to audit all payment gateway touchpoints, shopping cart software and database systems for their known CVEs and use the workflow engine to track your remediation and system hardening of these critical network assets. Maintain a vulnerability management program by using the built-in CVE differential auditing, reporting, and workflow engines. Implement effective access control measures by locking down your internal trust list of users and trusted assets. Regularly monitor and test networks by running SYSLOG server to obtain PCI compliant syslog traps from the appliance Maintain an information security policy by using the built-in ISO27001 policy tool PCI DSS Compliance White Paper NetClarity, Inc. Page 11

12 Could NACwalls Have Saved 100M Credit Cards? Ultimately, you can guard against data breaches and d ocument PCI compliance using NACwall NG appliances. For a real world example, read on to learn about the largest PCI breach in history and how it coul d have been prevented using NACwall NG appliances. The largest PCI breach in history was TJMAXX. It cost them $200M+ to remediate the personally identifiable information (PII) data loss on over 100M consumers credit cards/profiles. The breach was done by a hacker who sat in the parking lot, hacked the wireless router s (WIFI HACKING) common vulnerabilities and exposures (CVEs), spoofed a trusted asset (MAC SPOOFING), pretending to be a wiress barcode scanner that was a trusted device, and then found the database server that connected to the Visa payment gateway and installed eavesdropping software (PLANTING A BACKDOOR) to watch every credit card transaction that phoned home. So the PCI compliance breach was: 1. WIFI HACKING 2. MAC SPOOFING 3. EXPLOITING CVEs 4. PLANTING BACKDOOR 5. PHONING HOME The solution to this problem is: 1. NACwall EasyNAC blocking protection for WIFI agai nst HACKING 1. No untrusted asset gains access to wifi 2. Even a WEPcrack, KISMET or BACKTRACK 4.0 (WPA) exploit attack is blocked. 3. NACwall MAC spoof protection should be enabled. 4. NACwall should be auditing all devices for their CVEs 5. Backdoors can t be planted if there is no access allowed and there are no CVEs to exploit 6. NACwall s Malware Quarantine engine should be enabled to block callbacks ie phoning home. This should take about minutes to setup at a single location or using the command center to replicate these rules to all branch locations, automatically. Problem Solved. PCI Breach Avoided. Contact sales@netclarity.net to learn more. PCI DSS Compliance White Paper NetClarity, Inc. Page 12