Continuous compliance through good governance

Transcription

1 PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance

2 Who are the PCI SSC? The Payment Card Industry Security Standard Council is an independent body providing oversight of the payment card security standards on a global basis. It was founded by American Express, Discover, JCB International, MasterCard, and Visa. The Council s main standards are: PCI Data Security Standard (PCI DSS) PCI Pin Transaction Security Standard (PCI PTS) Payment Application Data Security Standard (PA DSS) Point-to-Point Encryption Standard (P2PE)

3 What is PCI DSS? PCI is not government legislation. It is an industry regulation. PCI DSS was developed to enhance cardholder security and to provide a baseline to protect cardholder data. PCI DSS applies to any entity that stores, processes, or transmits cardholder data. The cardholder data environment is comprised of people, processes and technologies. For Nets, PCI DSS is like our license to operate. Without it we cannot conduct businesses.

4 PCI DSS standards overview The PCI DSS is based on six primary goals. 1. Build and maintain a secure network and systems 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy Each goal contains a set of requirements across 12 domains with a total of 350+ requirements.

5 What is card holder data? PCI DSS applies wherever account data is stored, processed, or transmitted. Account Data consists of Cardholder Data and/or Sensitive Authentication Data, as depicted in the chart on this screen. Account data should be properly protected in compliance with PCI DSS or not stored at all. Sensitive authentication data must not be stored.

6 Actors across the payment ecosystem

7 Malicious actor

8 The Actors Defined Cardholder Customer purchasing goods/services as card present or card not present transactions Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard, Visa) Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB) Merchant Organization accepting the payment card during a purchase Acquirer Teller, subsidiary of Nets Group Entity the merchant uses to process the payment card transactions Receive authorization requests from merchant and forward to issuer for approval Provide authorization, clearing, and settlement services to merchants Also referred to as: merchant bank or Payment Brand (Amex, Discover, JCB) Payment processor / payment brank network Nets Group

9 Which entities are in PCI scope? Issuer Merchant Acquirer Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard, Visa) Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB) Organization accepting the payment card during a purchase Bank or entity the merchant uses to process the payment card transactions Receive authorization requests from merchant and forward to issuer for approval Provide authorization, clearing, and settlement services to merchants Also referred to as: merchant bank or Payment Brand (Amex, Discover, JCB) Payment processor / payment brank network Nets Group

10 PCI Governance at Nets

11 What to avoid

12 Governance structure This governance structure should be applicable to any kind of compliance management, but in this case PCI DSS compliance management is used as the example. Future scaling to multi-framework compliance management is more a matter of resourcing than anything else.

13 PCI Compliance Annual Timeline The audit is a snapshot in time. PCI compliance must be achieved 365 days a year. Example evidence deliverable dates Example audit deadlines ROC Signature Pre-Audit Final Audit Pre-Audit Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr Evidence Collection & Issue Remediation Evidence is collected prior to and during the audit, and previously identified issues remediated. Evidence Validation & Issue Closure The audit looks back 12 months to verify compliance in the previous year.

14 PCI Compliance Wheel for BAU ANNUALLY Change SEMI-ANNUALLY cryptographic keys for keys that have reached the end of their cryptoperiod (PCI 3.6.4). Review QUARTERLY firewall and router rule sets at least every six months (PCI 1.1.7). DAILY/WEEKLY/MONTHLY Review Identify public-facing and securely web delete applications stored cardholder via manual data or that automated exceeds application defined Review retention vulnerability the periods following security that assessment at are least required daily tools (PCI for or ): legal, methods, regulatory, least and/or annually business and after - requirements any All changes security events (PCI (PCI 6.6). 3.1). - Logs of all system components that store, process, or transmit CHD and/or SAD Perform Maintain periodic logs of all evaluations media and to conduct identify media and evaluate inventory evolving (PCI 9.7.1) malware threats - in Logs order of to all confirm critical system whether components systems continue to not require anti-virus - software Perform Logs internal all (PCI servers 5.1.2). and and external system penetration components testing that perform at least annually security functions and after (for any significant example, firewalls, infrastructure intrusion-detection or application systems/intrusion-prevention upgrade or modification (PCI systems Remove/disable & ). (IDS/IPS), inactive authentication user accounts servers, within e-commerce 90 days (PCI redirection 8.1.4). servers, etc.). Change Perform user penetration passwords/passphrases tests at least annually at least and once after every any 90 changes days (PCI to 8.2.4). Install segmentation applicable controls/methods critical vendor-supplied to verify security that the patches segmentation within methods one month are of release Test operational for (PCI the and presence 6.2.a). effective, of wireless and isolate access all points out-of-scope (802.11), systems and detect from and systems in identify the CDE all (PCI authorized ). and unauthorized wireless access points (PCI 11.1). Use intrusion-detection and/or intrusion-prevention techniques to detect and/or Perform Review prevent the quarterly security intrusions internal policy into and vulnerability the update network. the scans policy and when rescans the as environment needed, until all Monitor high-risk changes (PCI all vulnerabilities traffic ). at the perimeter (as identified of the in cardholder Requirement data 6.1) environment are resolved. as Scans well as must at critical be performed points in by the qualified cardholder personnel data environment, (PCI ). and alert personnel to suspected Perform risk compromises. assessments on the following situations (PCI 12.2): Keep Perform - at least all intrusion-detection quarterly annually and external upon vulnerability and significant prevention changes scans, engines, via to the an baselines, Approved environment and Scanning signatures (for up Vendor example, to date (ASV) acquisition, (PCI approved 11.4). merger, by the relocation, Payment Card etc.), Industry Security Standards Council - on identifies (PCI SSC). critical Perform assets, rescans threats, as and needed, vulnerabilities, until passing and scans are achieved Keep (PCI - create ). system a formal, configuration/settings documented analysis updated. of risk. Educate personnel on cardholder data security (PCI ).. Monitor service provider compliance (PCI ). Test incident response plan at least annually (PCI ). Review and update service documentation.

15 PCI Compliance Wheel for Infosec Compliance Management Final Assessment Pre-Assessment

16 BAU vs. Compliance Management Wheel BU/GU responsibility: Compliance requirement fullfillment for corresponding area of responsibility Finding remediation Evidence collection (from recurring tasks completion & finding remediation) InfoSec s responsibility: PCI assessment cycle PCI audit management PCI finding remediation follow-up

17 Key Takeaways PCI is NOT just an IT issue A well-defined governance structure with key roles & responsibilities must be in place to support compliance across the organization PCI Compliance validation is a review of the last 12 months thus cramming for the audit is not an option Requires continuous compliance 365 days a year with demonstrable evidence of compliant processes and procedures to achieve certification

18