PCI DSS 3.0 and You Are You Ready?

Transcription

1 PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs Ron King

2 AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes What Will Affect You the Most Best Practices and Conclusions Q&A

3 BURSAR OFFICE Historical keeper of rules and regulations May also have PCI responsibility Administrative and Physical Inventory roles RFP/purchase committee software w/ payment options

4 The Target Breach 40 million+ customers Insider? POS was the vector Lessons for all

5 PCI DSS Version /07/2013 Released 01/01/2014 Effective 12/31/2014 v2.0 Retired Let s talk about it

6 PCI DSS Life Cycle We are here 1/01/2014 Interim Period? 12/31/2014

7 PCI DSS: 12 Requirements No change Control Objective 1. Build and maintain a secure network Requirements 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 5. Regularly monitor and test networks 6. Maintain an information security policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

8 Merchant Levels No change Level 1 > 6 million Visa/MC txns/yr > 2.5 million transactions/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 3 20,000 to 1 million Visa/MC ecommerce txns/yr Most Colleges and Universities All other Amex Merchants 4 All other Visa/MC merchants N/A

9 Validation Requirements No change Level Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan (ASV) Annual penetration test (ASV) At discretion of acquirer Annual SAQ Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) N/A

10 SAQs No change* Card-Not Present, All Cardholder Data Functions Outsourced Imprint Only, No Cardholder Data Storage Standalone Dial Out Terminal, No Cardholder Data Storage Payment Application Systems Connected to the Internet All other methods SAQ A SAQ B SAQ B SAQ C / VT SAQ D (11 questions) (29 questions) (29 questions) (80/51 questions) (244 questions) Move as far to the left as possible!

11 Drivers for Changes Education and Awareness POS Physical Security v3.0 Malware Self-Detection Third-Party Challenges

12 Key Themes Education and Awareness Evolving Scope Increased Flexibility Security as a Shared Responsibility Encourage a focus on security, not just compliance

13 Compliance vs. Security Security Compliance

14 Compliance vs. Security "Every person operating a motorcycle shall wear a face shield, safety glasses or goggles, or have his motorcycle equipped with safety glass or a windshield at all times while operating the vehicle, and operators and any passengers thereon shall wear protective helmets...

15 Compliant Helmet Windshield

16 Secure!

17 3.0 Major Changes Requirement 3.0 Update Purpose 1 Current cardholder data flow diagram Clarify importance 2 Inventory of in-scope components Effective scoping practices 5 Evaluate ALL malware threats 6 Update list of common vulnerabilities 8 Security for authentication mechanisms Promote ongoing awareness and due diligence Keep current with emerging threats Authentication methods other than passwords 9 Protect POS terminals Physical security of terminals 11 Pen testing changes More details for pen tests and scoping verification 12 Stronger Service Provider management Stronger management

18 What Will Affect You The Most? Cardholder Data Flow Diagrams In-Scope Systems Physical Protection of POS Terminals and Systems Common Vulnerabilities Pen Testing Methodology Increased Audit Reporting and Methodology Managing Service Providers

19 Terminals and Software Physical Protection of POS Terminals and Systems Centralized control vs. Department control PCI compliant equipment vs. non-supported Random check of compliance vs self audit Managing Service Providers Procurement coordination on RFPs and approvals Centralized control vs. Department control Large vendors vs. Garage types

20 3 rd Parties and Merchant Responsibilities Organizations that outsource their CDE or payment operations are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements Must maintain documentation about which PCI DSS requirements are managed by service providers and which are managed by the customer Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements

21 Other Changes Clarification of the intent of segmentation Clarified that Sensitive Authentication Data (SAD) cannot be stored after processing even if PAN is not Recommendations for the limiting of wireless Destruction of CHD clarification Shred Vendors Web servers with Pay Now button Mobility is not addressed watch this space

22 MOBILE PAYMENTS? Mobile POS Terminals Few are certified compliant Check with your bank Card Readers: Smart Phone/Tablets Square and others None are certified compliant!

23 MOBILE PAYMENTS? Who Needs Mobile? Fundraising off campus events Student Groups Athletic Events What they will say. Other schools use it PCI Council addresses Mobile Don t tell, but do you ask? None are certified compliant!

24 Business as Usual Business as Usual (BAU) approach Daily log reviews Review changes to the environment Periodic communication Periodic reviews of systems, technologies and software To insure scope hasn t changed

25 Additional Requirements Evaluate evolving malware threats Flexibility for alternative passwords Service providers to use unique authentication credentials for each customer* 8.6- other authentication mechanisms must be linked to individuals. 9.3-control physical access to sensitive areas for onsite personnel. 9.9-protect POS devices from tampering and substitution* 11.3 and implement a methodology for penetration testing; Implement a process to alert on changes to systems Maintain information about what Service Providers responsibilities 12.9 (Service Providers) must maintain written acknowledgement about responsibilities and portions of PCI DSS covered.

26 Best Practices PCI DSS should be implemented into business-as-usual activities (BAU) Monitoring of security controls for effectiveness Ensure all failures are detected and responded to Review changes in the environment Organizational structure changes Periodic reviews and communication to confirm controls continue to be in place Review hardware and software technologies

27 Closing Thoughts V3.0 is an important improvement, but doesn t change what you should be doing to comply with PCI, nor how QSAs will conduct reviews Promotes understanding that PCI is a shared responsibility Aimed a making compliance a part of Business as Usual More definitive information about the intent of the requirements and how they should be applied Helps colleges and universities adopt a framework of continuous security, and move closer to the true intent of the Standard

28 PCI Workshop April 27-30, 2014 Chicago Palmer House

29 Questions? Ron King Linda Combs