PIN Security and Key Management to Prevent Data Breaches
white paper
PIN Security and Key Management to Prevent Data Breaches
January 2009

»»Summary

In 2008, it was shown that persistence can indeed pay off for the criminal element. Data breaches and compromises are plentiful and appear to be gaining momentum in frequency and scope. According to the Identity Theft Resource Center, as of November 13, 2008, an estimated 33,585,557 records had been exposed in 572 data breaches in 2008 alone. Other organizations, such as the Privacy Rights Clearinghouse, put the number of reported compromised records at over 245 million since January. This number may actually be larger because many organizations are not compelled by local laws to divulge this information or are unaware a breach has even taken place. The sheer amount of information that has been breached forces the industry to focus less on breach prevention and more on loss mitigation as the resulting fraud losses accumulate. The financial industry's task in recent months has been to focus on cleaning up from breach aftermaths and scripting customer service and media responses to consumers and reporters alike. Meanwhile, the criminal element focuses on identifying and exploiting additional weaknesses, which range from compromising PCI-compliant merchants to accessing authorization systems in order to increase the value of a payment card. This white paper will examine best practices in several areas of ATM processing and computer security that any financial institution or service provider can use as a starting point to secure its processing infrastructure against the latest internal and cyber attacks.

Make Every Decision Count™
»»Encryption to Authorization (and back again)

Financial institutions and service providers focus on providing their constituents with the most innovative services at competitive prices. Criminals, on the other hand, expend tremendous amounts of resources on attacking the soft spots in the financial services value chain. The financial services industry views fraud as a nuisance; criminals view fraud as a line of business. As criminals become more successful in their attacks, they reinvest in identifying new attacks. Each time the financial services community responds with a counter-measure, the criminals apply another twist to circumvent the change.

One of the most difficult positions to be in is the defender of a system. As defenders, we have difficulty identifying the actual threat scenarios criminals will mount. A common example of this is the Maginot Line problem. The French built a wall along the Maginot Line which blocked Germany's attack route to France in World War I. The well constructed bunkers made France feel safer, since "Germany won't be able to attack us there again." In World War II, when the Germans came back, they left a decoy force at the Maginot Line and attacked into Belgium and then down through a less fortified part of the French border. This situation is similar to the mindset that a firewall and an intrusion prevention system (IPS) are all one needs to stop marauding cyber criminals. That might have worked twenty years ago, but criminals have moved way beyond this point.

Keeping an open and flexible awareness will allow you to identify (and anticipate) new risks as they come up. Looking at your systems in a holistic fashion will minimize vulnerabilities and therefore move criminals elsewhere, to lower hanging fruit. If every organization is able to do this effectively, we might move the criminals into another line of business. Fraud demands a heightened awareness of the problem and a constant focus on hardening the soft spots.
This starts with a complete review of your payment processing infrastructure to understand where card and PIN data is touched, processed and stored. Once you get started, you will find many more soft spots than you expected. Security is a journey, not a destination. Every single step in a systematic process can have exploitable weaknesses. It is very important to know how your organization's systems operate, who has access to them and how they access them.

One of the requirements of the PCI Data Security Standard (PCI DSS) is that transaction acquirers (merchants, financial institutions or other ATM deployers) must not improperly store detailed card (Track 1 and 2) data after authorization. Distressingly, 95% of brick-and-mortar merchants surveyed in a recent study are running non-compliant software and are storing track data after authorization. Online merchants aren't doing much better: 60% of them are improperly storing the card validation codes printed on the back of a card, which are meant to provide one extra layer of security.[1]

[1] ATM Marketplace; Bickers, James; 09/16/08 (including the Top Ten Data Compromise sources used in Figure 1).

Fair Isaac Corporation. All rights reserved.
»»Top Ten Data Compromise Methods

Figure 1: Compromise sources & Fair Isaac recommended preventative measures

SQL Injection
- Use secure application coding practices.
- Implement application firewalls.
- Application testing should include security tests.
- Limit the number of allowable characters in a data entry field to the actual size of the field in the database table. All data entry fields should be tested and verified to only allow the maximum field length of characters in the database field.
- Prohibit any stored procedure that allows in-bound calls to the operating system.

Trojans/Backdoor Attacks
- Deploy anti-virus software on servers.
- White list executable files on servers and validate files with a hash.
- Monitor for unusual network activity and data transmissions to unknown hosts.

Remote Access
- Secure session tokens.
- Install secure internet access points.
- IP address profiling to prevent unauthorized access.
- Use multi-factor authentication for employees, business partners and customers.

Perimeter Security
- Monitor and maintain firewalls.
- Maintain redundant IPS and monitor their activity.
- Certify every IPS and firewall change after implementation, including regression testing to verify that prior rules are correct and functioning.
- Segment production networks with firewalls and router access control lists (ACL).
- Lock down IP addresses for internal and external hosts.
- Monitor for unusual file transmission patterns.

Weak Passwords
- Convert to longer passwords and require a variety of characters.
- Force password changes every 90 days.
- Change default User IDs and passwords.
- Audit/eliminate User IDs that are no longer required.

Remote Exploitation
- Monitor and segment Hardware Security Modules (HSM) with router access control lists (ACL).
- Segment HSM duties by application.
- Disable unnecessary HSM commands.
- Limit in-bound and out-bound IP addresses from production networks.

Internal Attacks
- Verify business reasons for each employee's system access and remove it when no longer necessary.
- Log and monitor employee use of applications to identify unusual system access.
- Use groups to give access to applications rather than granting specific access to an individual's User ID.
- Educate employees on data security and storage to reduce breaches from carelessness. Get employees involved as your first line of defense.
- Perform periodic criminal background and financial checks on employees during their employment.

Physical Security
- Combine responsibility for physical and computer security.

Wireless Intrusion
- Eliminate the WEP protocol from any wireless access points.
- Segment wireless networks from production networks.
- Monitor network activity on wireless networks.
»»PIN Security and Key Management for Acquirers

Use caution in selecting an Encryption and Service Organization (ESO) for any of the following services:

1. Loading software into an ATM or terminal that accepts cards
2. Loading or injecting encrypting keys into an ATM or terminal/PIN pads [2]
3. Providing help-desk support that includes re-programming of ATM/terminal software

- Don't use the same encryption key for both PIN and key encryption.
- Ensure that agreements with ESOs clearly state the required standards of operation.
- Utilize separate keys for test and production systems. This limits the magnitude of exposure in case any key is compromised.
- Require ESOs to be registered by the acquirer as agents with the payment network(s) that your organization participates in. Verify registration for any ESO before you engage in a contractual relationship.
- Securely manage all keys used for the protection of PIN data during all key life cycle stages, from creation of the key to its eventual destruction.
- ATM, point-of-sale (POS) PIN entry devices (PED), Encrypting PIN Pads (EPP) and Hardware Security Modules (HSM) must be securely loaded with encryption keys upon initialization. [3]
- Never store clear-text PINs or encrypted PINs (PIN blocks). Never store clear-text keys.
- Log every organization and all individuals who have a copy of your key encryption keys (KEK) to ensure that everyone is held accountable for the highest degree of security.
- Require ESOs to be PCI PIN and ANSI TG-3 certified upon initiation and then on a periodic basis, no less than every other year.
- Only TDES and unique keys should be generated and injected into an ATM environment.
- Insist on dual control and a separate key for each function loaded and maintained.

»»ATM Security Best Practices

- All PIN encryption activity should take place on an Encrypting PIN Pad (EPP) or PIN Encryption Device (PED) to prevent the compromise of a PIN in the clear at a terminal.
- ATM PIN encryption should be triple DES and PCI DSS compliant.
- PIN blocks should never be stored in ATM log files. Personal Account Numbers (PAN) should be truncated and protected in ATM logs.
- Secure remote access controls must be established for all ATMs.
- Anti-virus and malware detection systems should be installed, updated and tested frequently. Insist upon a vendor's written results of each test.
- Segment ATM network traffic from other network activity.
- ATM vendor-supplied default passwords must be re-set with unique passwords.
- Make sure that core ATM processing applications do not store exploitable information like magnetic stripe data, PANs or PIN blocks. Core processing applications should be PCI DSS and, in some cases, even PA-DSS compliant.

[2] Definition appears on ATMIA ESO Registration Clearinghouse page of
[3] VISA PIN Security and Key Management Best Practices for Debit Issuers with ATMs; web seminar; September
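The two log-hygiene rules above (no PIN blocks in ATM logs, PANs truncated) can be enforced mechanically before a journal file is written to disk or shipped to a log server. The following Python sanitizer is an added example, not code from the white paper or from Fair Isaac; it assumes a hypothetical key=value ATM journal format and uses a Luhn check so that sequence numbers are not mistaken for card numbers.

```python
import re

# Constructed sample ATM journal lines (made up for this example). The card
# numbers are well-known test PANs and the PIN blocks are arbitrary hex.
SAMPLE_LOG = """\
2009-01-12 09:14:03 SEQ=2009011200001234 TXN=WITHDRAWAL PAN=4539148803436467 PINBLOCK=0412AC7F3E9B2D11 AMT=200.00 RC=00
2009-01-12 09:15:41 SEQ=2009011200001235 TXN=BALANCE PAN=5555555555554444 PINBLOCK=9A1F0C3BD2E47780 RC=00
2009-01-12 09:16:02 SEQ=2009011200001236 TXN=WITHDRAWAL PAN=4111111111111111 AMT=50.00 RC=05
2009-01-12 09:17:10 HEALTH cassette=2 notes=1830 tcp_port=4100
"""

# Any run of 13 to 19 digits not embedded in a longer digit run is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# An encrypted PIN block is 8 bytes, i.e. 16 hex characters, in this journal format.
PINBLOCK_RE = re.compile(r"(PINBLOCK=)[0-9A-Fa-f]{16}")


def luhn_ok(digits):
    """Luhn (mod 10) check: real PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep the first six (BIN) and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_line(line):
    """Drop the PIN block entirely and truncate every Luhn-valid PAN."""
    line = PINBLOCK_RE.sub(r"\1[REDACTED]", line)

    def _mask(match):
        candidate = match.group(1)
        return truncate_pan(candidate) if luhn_ok(candidate) else candidate

    return PAN_RE.sub(_mask, line)


def sanitize_log(text):
    """Sanitize a whole journal; returns one cleaned string per non-empty line."""
    return [sanitize_line(l) for l in text.splitlines() if l.strip()]


def audit_log(text):
    """Count the clear PANs and PIN blocks still present, e.g. for a PCI review."""
    pans = sum(1 for m in PAN_RE.finditer(text) if luhn_ok(m.group(1)))
    blocks = len(PINBLOCK_RE.findall(text))
    return {"clear_pans": pans, "pin_blocks": blocks}


if __name__ == "__main__":
    print("before:", audit_log(SAMPLE_LOG))
    cleaned = sanitize_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("after:", audit_log("\n".join(cleaned)))
```

A stricter policy would mask every long digit run regardless of the Luhn result; the check here only reduces false positives on sequence numbers and timestamps.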
»»Issuer Security Best Practices

- Use the PCI PIN security requirements as a best practice for issuer key management.
- Validate the Card Verification Value (CVV) or Card Verification Code (CVC) and PIN Verification Key (PVK) for all ATM transactions, including debit cards that only initiate PIN transactions (ATM-only cards).
- Consult with your internal risk manager and then adjust daily limits if appropriate for POS purchases, cash withdrawals, cash-back and quasi-cash transactions.
- Monitor non-cash transactions (balance inquiries and denials) to detect phishing attempts.
- Review Hardware Security Module (HSM) activity for automated voice response systems (AVR) and branches to detect unusual activity such as brute-force decryption processes.
- Use a real-time neural net fraud monitoring system to ensure adequate fraud monitoring for all debit cards issued by your organization.
- Use account hotlists to monitor cards that have been reported as compromised. This enables the issuer to deny risky transactions at authorization.
- Review processes for securing and maintaining branch PIN pads.
- Review the process for cardholder PIN changes. It is important to know who has access to such changes.
- Manage PIN offset tables securely. Regularly review access records and monitoring practices.
- Double-length PIN verification keys (PVK) are recommended.
- The Payment Application Data Security Standard (PA-DSS) should be required for all vendor-supplied or internally developed payment applications. This includes card authorization and card management systems.
- All card issuers, acquirers and card processors must comply with the PCI DSS Standard. The method and frequency of the audit depends on the number of transactions processed by the organization on an annual basis. See the PCI Standard for details.

»»Hardware Security Modules Best Practices

A Hardware Security Module or HSM is installed and used to protect encrypted data like critical keys. Critical keys should always be stored using an HSM. These are also sometimes known as Tamper Resistant Hardware Security Modules (TRHSMs).

- Every HSM should only be accessed via an access control list (ACL) on a router to limit access. All inbound and outbound traffic should be logged and monitored. The router should accurately log and record every IP address and critical data that travelled through the HSM. All addresses should be blocked from contacting the HSM, except specific IP addresses authorized to communicate with the HSM.
- Each PIN, CVV, and CVV2 must be encrypted via HSM.
- Segregation of functionality is very important. Multiple HSMs should be used for critical functions like On-Us PIN validation and AVR/VRU PIN validation. These require two separate HSMs to be secure. An automated voice response system (AVR) should have its own separate HSM. PIN encryption via AVR must be secure.
- Disable HSM commands that are not used by your organization to avoid potential attacks and misuse.
- File integrity security monitoring is essential and required as part of PCI compliance. This includes database access, user access and third party vendor services.

Note: Check with your organization's vendor as to how your HSM is being used.
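The HSM controls in the issuer and HSM sections above (a router ACL that admits only authorized hosts and logs everything else, disabled commands, and review of HSM activity for brute-force PIN verification) are shown together in this added example. It is not code from the white paper or from Fair Isaac; the HSM address and port, the allow-list, the command names and the log format are all assumed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical environment for this example.
HSM_IP = "10.1.9.5"
HSM_PORT = 1500                                   # assumed HSM TCP port
ALLOWED_SOURCES = {"10.1.5.20": "atm-switch",     # only hosts allowed to reach the HSM
                   "10.1.7.8": "avr-gateway"}
ENABLED_COMMANDS = {"PIN_VERIFY", "PIN_TRANSLATE", "CVV_VERIFY"}  # everything else disabled
FAIL_THRESHOLD = 5                                # this many failed PIN verifications ...
WINDOW = timedelta(seconds=60)                    # ... within this window is brute force

# Constructed router/HSM command log (made up for this example).
SAMPLE_LOG = """\
2009-01-12T10:00:01 src=10.1.5.20 cmd=PIN_VERIFY result=OK
2009-01-12T10:00:02 src=10.1.5.20 cmd=PIN_TRANSLATE result=OK
2009-01-12T10:00:05 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:06 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:07 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:08 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:09 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:10 src=10.1.7.8 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:30 src=192.168.44.9 cmd=PIN_VERIFY result=FAIL
2009-01-12T10:00:31 src=10.1.5.20 cmd=KEY_EXPORT result=FAIL
2009-01-12T10:02:00 src=10.1.7.8 cmd=PIN_VERIFY result=OK
"""


def render_router_acl(acl_number=110):
    """Cisco-style extended ACL: permit only the allow-listed hosts to the HSM
    port, deny and log every other address, as the text above recommends."""
    lines = [f"access-list {acl_number} permit tcp host {src} host {HSM_IP} eq {HSM_PORT}"
             for src in sorted(ALLOWED_SOURCES)]
    lines.append(f"access-list {acl_number} deny ip any host {HSM_IP} log")
    return lines


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts_str, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return event


def analyze(text):
    """Return (kind, source, detail) alerts for ACL violations, use of disabled
    commands, and PIN-verification brute force within the sliding window."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of recent PIN_VERIFY failures
    already_flagged = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        src, cmd, ts = ev["src"], ev["cmd"], ev["ts"]
        if src not in ALLOWED_SOURCES:
            # The router ACL should have dropped this; seeing it means the ACL is wrong.
            alerts.append(("ACL_VIOLATION", src, cmd))
            continue
        if cmd not in ENABLED_COMMANDS:
            alerts.append(("DISABLED_COMMAND", src, cmd))
        if cmd == "PIN_VERIFY" and ev["result"] == "FAIL":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("PIN_BRUTE_FORCE", src,
                               f"{len(recent)} failures in {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    print("\n".join(render_router_acl()))
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```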
Figure 2: Example of stronger security measures for various access points (diagram: ATMs behind an IPS in a security zone, HSMs behind a router on a secure network, and the corporate zone with IPS, log monitoring, employees and the ATM processing server)

»»Intrusion Monitoring

Intrusion detection systems (IDS) detect potential security breaches within a system and send alerts. During an attack, the IDS will also log pertinent information and signal an alarm. An intrusion prevention system (IPS) is a network security device that monitors network traffic activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. An IPS is an evolution of an IDS and should be considered a replacement for an IDS, since an IPS not only detects unusual network activity, it can also prevent it.

Criminals are constantly pinging networks and hosts, waiting for moments of vulnerability to attack. The vulnerabilities come about during application and infrastructure upgrades and during merger or migration activities. It is critical to have redundant IPS hardware so that when an IPS fails, your network is not open to attack.
»»Intrusion Prevention Systems Best Practices

- Make sure that your organization maintains an intrusion prevention system (IPS) that monitors network traffic. An IPS is any device (hardware or software) that has the ability to detect AND take actions to automatically block various attacks based on a set of rules established by a network administrator.
- An IPS can be monitored and maintained by a third-party vendor. Select a third-party vendor very carefully by verifying all references.
- Contractually require your IPS vendor to create and implement a crisis incident procedure that is specific to your organization. It is important to do this as soon as your business relationship is formalized.
- Identify members of your team who will be responsible for handling escalation relating to the IDS/IPS.
- It is critical to re-set all system default passwords on all newly installed IPS. Third-party installed systems may still have default passwords. Frequently, one password is used over and over throughout one system, leaving the entire organization exposed to intrusion risk. Suggestion: vendor contracts should require the third-party vendor to re-set all passwords after installation of the IDS/IPS.
- Test the IDS/IPS to ensure that every facet is working. It is very important that intrusion notifications are always monitored and tested on a monthly basis to ensure that they are functional.
- An IPS should be installed on BOTH sides of a perimeter firewall.
- Implementing redundant IPS is critical: if one goes down, your network will still be protected.
- Intrusion alerts should be automatically sent to people on a contact list with an escalation procedure to ensure that someone is always available to react to any suspected intrusion. It is also important to decide the type of communication required based on the severity of an attack, such as e-mail or direct voice contact. Some severe events may require higher levels of escalation sooner in the process.
- IPS passwords should be changed every 90 days, and more often if third-party vendors have recently worked on any internal controls. Password security should include a minimum length of 8 varied characters: letters and numbers or symbols.
- Never disable an IPS. A disable action should trigger an immediate alert.
- Regularly perform independent intrusion testing, weekly, to ensure that all IPS are working properly. It is important to stress that these tests be random and unannounced, particularly if a third-party vendor is providing the IPS monitoring service.
- Network penetration testing should regularly be performed by targeting the IP addresses inside the organization from external IP addresses.

»»Firewall Security

Port 80: the port that the server listens on, or expects to receive requests from a web client on, can also be a vulnerable area that requires security monitoring to prevent unauthorized entry or export of data. Security monitoring reports should be collected on each port and IP address. The number of incidents by port should be monitored for an increase in inbound or outbound activity each day. Compare historical port activity to current activity to identify unusual patterns of activity. Study recently opened or closed ports to see if someone is trying to stealth or hide an intrusion or data transfer.
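The port-activity comparison above can be run over the daily per-port reports the text asks for. This Python script is an added example, not code from the white paper or from Fair Isaac; it assumes a constructed report format of date, direction, port and connection count, and flags newly opened ports, ports that went quiet, and volume spikes against the earlier days' baseline.

```python
import math
from collections import defaultdict

# Constructed daily port-activity report (made up for this example): one line
# per day, direction and port giving the number of accepted connections.
SAMPLE_REPORT = """\
2009-01-10 in 22 12
2009-01-10 in 80 203
2009-01-10 in 443 150
2009-01-10 out 443 40
2009-01-11 in 22 11
2009-01-11 in 80 198
2009-01-11 in 443 161
2009-01-11 out 443 44
2009-01-12 in 22 13
2009-01-12 in 80 210
2009-01-12 in 443 155
2009-01-12 out 443 38
2009-01-13 in 80 205
2009-01-13 in 443 149
2009-01-13 out 443 1200
2009-01-13 out 6667 57
"""


def parse_report(text):
    """Return {day: {(direction, port): count}}."""
    days = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, direction, port, count = line.split()
        days[day][(direction, int(port))] = int(count)
    return days


def compare_to_baseline(days, k=3.0):
    """Compare the most recent day against all earlier days.

    Flags a port never seen before (recently opened), a port that was active on
    every earlier day but is silent now (recently closed or hidden), and a port
    whose count exceeds the historical mean by k standard deviations and is also
    more than double the mean (the second guard avoids alerts on tiny baselines).
    """
    ordered = sorted(days)
    today, history = ordered[-1], ordered[:-1]
    hist_keys = set()
    for d in history:
        hist_keys.update(days[d])
    alerts = []
    for key in sorted(hist_keys | set(days[today])):
        todays = days[today].get(key, 0)
        if key not in hist_keys:
            alerts.append(("NEW_PORT", key, todays))
            continue
        samples = [days[d].get(key, 0) for d in history]
        if todays == 0 and all(samples):
            alerts.append(("PORT_WENT_QUIET", key, todays))
            continue
        mean = sum(samples) / len(samples)
        std = math.sqrt(sum((s - mean) ** 2 for s in samples) / len(samples))
        if todays > mean + k * std and todays > 2 * mean:
            alerts.append(("VOLUME_SPIKE", key, todays))
    return alerts


if __name__ == "__main__":
    for kind, (direction, port), count in compare_to_baseline(parse_report(SAMPLE_REPORT)):
        print(f"{kind:16} {direction:3} port {port:<5} today={count}")
```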
A regular scan of server logs for common hacker character usage can reveal an early warning of intrusions. Requests containing #, {}, ^, and [] may show up in logs if an attacker is echoing some source code into a C program file. Once a file is created and interpreted, the attacker could bind a shell to a port, providing easy access. [4]

Employees who need to browse the internet should be required to log into a secure internet access point like Citrix MetaFrame Secure Access Manager. This infrastructure software provides secure, single-point access over the Internet to virtually any internal and external information resources, including applications, data sources, documents, Web content and services.

Improperly configured systems: just who is to blame for those improperly configured systems? Sixty-three percent of the time it's a third party: a POS developer, an integrator or a local IT firm. An alarming finding is that many local IT integrators will use the same passwords for all of their clients that run a particular piece of software. So the attacker knows, "If I can get into one of them, I can get into all of them." It is entirely possible that old servers and applications are still using default passwords at your organization today. [5]

Keep in mind that if you are blocking foreign (non-US) IP addresses, US-based proxy servers could be used to disguise the originating address.

»»Crisis Management

- Create a data intrusion crisis plan. Take into consideration severity levels that will drive reaction and workforce requirements.
- A periodic intrusion procedure test, similar to a fire drill, should be carried out without warning several times a year to gauge the effectiveness of the plan.
- This plan should include an up-to-date Incident Response Plan from all of your PCI providers, kept online if possible. Contact names and numbers should be verified at least annually.
- Don't neglect the aspects of customer care. Every solid intrusion crisis plan will involve customer service representative scripts and media templates which can easily be customized to fit a particular event.
- Immediately disconnect all infected servers and PCs. Do not reboot, to prevent a loss of critical forensic evidence.
- Block all servers from outbound activities. Reintroduce safe IP addresses slowly, based upon the critical needs of your organization.
- Never remove malware, worms or any other evidence of an intrusion prior to a thorough forensic examination. It is acceptable to disable these to prevent additional damages.
- Forensic examinations should only be provided by vendors who are approved by the card associations and/or debit networks. In most cases, these vendors mirror the Qualified Security Assessors (QSAs) noted on the PCI Security Standards Council's website under QSAs.
- Always alert your partner payment companies in the wake of any data breach. Not-on-us (foreign) cards and any other miscellaneous information should be disseminated quickly to protect external organizations from as much loss as possible.
- Blocking the IP address attributed to malware is not enough to prevent its spread. The malware must be disabled by qualified professionals. Eventual removal of all malware should be performed as soon as a complete forensic examination has been completed.

[4] Reference appears
[5] ATM Marketplace; Bickers, James; 09/16/
A wise person once said, "The time to fix the roof is while the sun is shining." This simple phrase tells us that preparedness is simply the wise anticipation of future challenges. The tools and information provided within this publication echo the same sentiment. So prepare, plan and implement now to reduce your organization's exposure to data security weaknesses before a crisis develops. Please consider that there are two things that one cannot retrieve in the wake of a security breach: your data and your reputation.

»»Helpful Resources

- ATM Industry Association
- Fair Isaac's Card Alert Service Network
- Information Security & Technology News
- PCI Knowledge Base
- PCI Security Standards Council
- ThoughtKey, Inc
- Visa Cardholder Information Security Program

Special thanks to our key industry partners, including ThoughtKey, Inc, for providing guidance and content for this publication.

»»About Fair Isaac

Fair Isaac Corporation (NYSE:FIC) is the leader in Decision Management, transforming business by making every decision count. We use predictive analytics to help businesses automate, improve and connect decisions across organizational silos and customer lifecycles. Clients in 80 countries work with Fair Isaac to increase customer loyalty and profitability, cut fraud losses, manage credit risk, meet regulatory and competitive demands, and rapidly build market share. Most leading banks and credit card issuers rely on Fair Isaac solutions, as do insurers, retailers, healthcare organizations and other companies. Through the Web site, consumers use the company's FICO scores, the standard measure of credit risk, to manage their financial health. Fair Isaac provides leading fraud protection systems to the financial services industry, including the Fair Isaac Falcon Fraud Manager system used to protect 2 out of 3 cards and the Fair Isaac Card Alert network that protects 11,000 ATMs for thousands of US banks.

Fair Isaac, Falcon, FICO, myFICO, and Make every decision count are trademarks or registered trademarks of Fair Isaac Corporation. Other product and company names herein may be trademarks or registered trademarks of their respective owners.

For more information: info@fairisaac.com
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More information74% 96 Action Items. Compliance
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationA Rackspace White Paper Spring 2010
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationBendigo and Adelaide Bank Ltd Security Incident Response Procedure
Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationWhat To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures
What To Do if Compromised Visa USA Fraud Investigations and Incident Management Procedures Table of Contents Introduction......................................................... 1 Identifying and Detecting
More informationFor more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.
Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationNew PCI Standards Enhance Security of Cardholder Data
December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target
More informationPCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.
PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationREDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance
REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,
More informationRecent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2
Recent Developments in PCI DSS PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 1 2009 Breach Investigation Who did it? 74% external parties 20% insiders 32% implicated business partners
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationUsing Skybox Solutions to Achieve PCI Compliance
Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary
More informationAgenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007
Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =
More informationSymposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda
2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR
More informationONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS
$ ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS Boston Private Bank & Trust Company takes great care to safeguard the security of your Online Banking transactions. In addition to our robust security
More informationA MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationWHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI
WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationThe Comprehensive Guide to PCI Security Standards Compliance
The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationHow To Secure Your Store Data With Fortinet
Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More information8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationImplementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationwhitepaper 4 Best Practices for Building PCI DSS Compliant Networks
4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers
More informationPCI: It Never Ends. Why?
PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More information6-8065 Payment Card Industry Compliance
0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card
More informationTo ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.
About PSC With offices in the USA, Canada, UK and Australia, PSC is a leading PCI, PA DSS, and P2PE assessor, PCI Forensics Company and Approved Scanning Vendor. PSC is one of an elite few companies qualified
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More information