The PCI Security Standards Council. Bob Russo, General Manager January 30, 2009

Transcription

1 The PCI Security Standards Council Bob Russo, General Manager January 30, 2009

2 PCI SSC - The Standards 2

3 The PCI Security Standards Council Founders 3

4 Organizational Structure 4

5 PCI DSS Drivers Advisory Board Industry Best Practices Community Meeting Proactive feedback from POs and Assessor Community PCI Data Security Standard Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) ADC Forensics Results Security Scans On-Site Audits Self- Assessment Questionnaire 5

6 Notable Successes Assessor Servicing Markets per Region Asia Pacific: 29 Canada: 16 CEMEA: 28 Latin America & Caribbean: 27 United States: 87 Europe: 57 Over 500 Participating Organizations around the world Successful Community Meetings with over 700 attendees from around the world Board of Advisors driving special interest groups -Wireless - Pre-authorization 164 current QSA Companies, of these 74 are also ASV Companies Total QSAs (individuals) trained to date is 1,063 Additional devices added to PED Standard Implemented two-year lifecycle process for DSS & SAQ PCI SSC participated in 33 events worldwide 6

7 Roles and Responsibilities of the Council PCI SSC. Is an Independent Industry Standard Manages the technical and business requirements for how payment data should be stored and protected Maintains List of Qualified PCI Assessor Community QSAs, ASVs, PA-QSA and PED Labs PCI SSC Does Not Manage or Drive Compliance Each brand continues to maintain its own compliance programs Identifies stakeholders that need to validate compliance Definitions of Validation Levels Fines and Fees 7

8 Resources Provided by Council Security standards and supporting documents Frequently asked questions List of approved QSAs, ASVs, PA-QSAs, PED Labs Education and outreach programs - Webinars - Newsletters/bulletins Council appeared in almost 300 pieces of coverage globally since January Searchable FAQ tool for all standards-related questions Participating organization membership, community meetings, qualifications standards feedback One global voice for the industry 8

9 A Phased Approach to Standard Updates Revised PCI Standard Revisions for Consideration Community Meeting Input from Participating Organizations, QSAs and ASVs Phase 1 Phase 2 Phase 3 PHASED APPROACH 9

10 PCI SSC Standards

11 Threat Landscape Implementing the standard is a Journey Not a Destination Risky Behavior 81% store payment card numbers 73% store payment card expiration dates 53% store customer data from magnetic stripe on card 16% store other personal data Source: Forrester Consulting, Sept

12 The Cost of Complying Three Categories of Compliance Upgrading Payments Systems and Security Verifying Compliance (Assessment) Sustaining Compliance How much does this cost your organization? For merchants with complex or older systems, it may cost millions The Cost of Not Complying Same study estimated non-compliance costs significantly higher, including Crisis cost upgrades Repeat assessments Notification costs Brand reputation Shareholder and consumer lawsuits The cost of a breach can easily be 20 times the cost of PCI Compliance PCI Compliance Cost Analysis: A Justified Expense. A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. Jan [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 2,500 retail locations.] 12

13 Inside Jobs vs. Intrusions 17% Inside ~77% are partial insiders Incident Detection >75% via allegation of compromise Findings Percentages 92% Confirmed Security Breach >60% Confirmed Data Compromise Law Enforcement Involvement 87% of cases Incident Detection >75% via allegation of compromise > 60% Payment Cards vs. Others Consumer data: Payment card information -Credit / Debit -Card-present / CNP Personal Check information Identity-related data: Name, address, Social security, Social insurance IRS / tax return information Company-proprietary: Financial records HR / employee data Product strategy & roadmap Trade secrets & technology Forensics Statistics Breach Sources ~13% Inside U.S. Case Commonalities 19% SQL injection 45% POS systems 10% Wireless infrastructure ~50% Via 3rd party connections Vulnerability Scanning SQL Injection cases: 71% had commercial scanning 63% detected SQL vulnerability 15% in scan reports for 1 year + 13

14 Top PCI DSS Violations Requirement 1: Install and maintain a firewall to protect cardholder data Requirement 3: Protect stored data Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign a unique ID to each person with computer access Requirement 10: Track and monitor access to network and card data Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses information security Violations >50% Found During Forensic Investigations Violations <50% Found During Forensic Investigations Violations Found During Initial PCI DSS Audits 14

15 The Five Stages of Grief Denial Anger Bargaining Depression 15 It doesn t apply to me PCI compliance is mandatory It isn t fair PCI applies to all parties in the payment process I ll do some of it Compliance is pass / fail I ll never get there Many merchants already have Acceptance It ll be OK PCI doesn t introduce any new, alien concepts 15

16 The PCI Data Security Standard Payment Card Industry (PCI) Data Security Standard Version 1.2 Release: October 2008 The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures This comprehensive standard is intended to help organizations proactively protect customer payment data 16

17 The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-toknow 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors 18

18 Consolidate PCI DSS documents PCI DSS Security Assessment Procedures Consistent use of terms throughout System components, cardholder data environment, cardholder data Enhance required introductory content for Report on Compliance Clarify use and review of compensating controls in Appendices B and C Add Attestation of Compliance forms Replace current payment brand forms Add flowchart for scoping and sampling Summary of General Changes 18

19 Build and Maintain a Secure Network Summary of General Changes (cont.) Requirement 1: Install and maintain a firewall configuration to protect cardholder data Clarified requirement to illustrate that all sub-requirements apply to both routers and firewalls Combined requirements and sub-requirements to clarify requirement 1 Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization s risk management policies 19

20 Build and Maintain a Secure Network Summary of General Changes (cont.) Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Clarified that the requirement applies to wireless environments attached to cardholder environment or transmitting cardholder data Removed references to WEP in order to emphasize using strong encryption technologies for wireless networks, for both authentication and encryption Removed requirement to disable SSID broadcast since disabling SSID broadcast does not prevent a malicious user from determining the SSID, as the SSID is broadcast over numerous other messaging/communication channels 20

21 Summary of General Changes (cont.) Protect Cardholder Data Requirement 3: Protect stored cardholder data Emphasized use of consistent terms throughout, such as PAN and strong cryptography Clarified requirement for disk encryption to emphasize local user account databases Requirement 4: Encrypt transmission of cardholder data across open, public networks Wireless must now be implemented according to industry best practices (e.g., IEEE i) using strong encryption for authentication and transmission New implementations of WEP are not allowed after March 31, 2009 Current implementations must discontinue use of WEP after June 30,

22 Summary of General Changes (cont.) Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Clarified that requirement for use of anti-virus software applies to all operating system types Clarified that anti-virus software must address all known types of malicious software Requirement 6: Develop and maintain secure systems and applications Added flexibility to the patching requirement by specifying that a riskbased approach may be used to prioritize patch installation Requirement 6.6 is now mandatory. All public-facing Web applications are subject to either 1) reviews of applications via manual or automated vulnerability assessment tools or methods, or 2) installing an application-layer firewall in front of public-facing Web applications 22

23 Summary of General Changes (cont.) Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Clarified language around testing procedures Requirement 8: Assign a unique ID to each person with computer access Clarified that testing procedures must verify that passwords are unreadable in storage and transmission Clarified user authentication by allowing both passwords and passphrases, and by combining previous bullets under two-factor authentication and providing examples 23

24 Summary of General Changes (cont.) Implement Strong Access Control Measures Requirement 9: Restrict physical access to cardholder data Specified that offsite storage locations must be visited at least annually Provided flexibility in the requirement for cameras to allow organizations to select other appropriate access control mechanisms Clarified that the requirement to secure media applies to electronic and paper media that contains cardholder data Clarified destruction requirements for media containing cardholder data 24

25 Summary of General Changes (cont.) Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Clarified that logs for external facing technologies (for example, for wireless, firewalls, DNS and mail) must be copied to an internal log server Provided flexibility and clarified that three months of audit trail history must be immediately available for analysis or quickly accessible (online, archived or restorable from backup) 25

26 Summary of General Changes (cont.) Regularly Monitor and Test Networks Requirement 11: Regularly test security systems and processes Provided more guidance on use of wireless analyzers and/or wireless intrusion detection or prevention systems Outlined that ASVs must be used for quarterly external vulnerability scans Specified that both internal and external penetration tests are required and clarified that it is not required to use a QSA or ASV for penetration tests 26

27 Summary of General Changes (cont.) Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for employees and contractors Expanded list of examples of critical employee-facing technologies to include remote access technologies, wireless technologies, removable electronic media, usage, Internet usage, laptops, and Personal Data Assistants (PDAs) Updated timeframe that requires employees to acknowledge that they have read and understood the company s security policy and procedures to at least annually Updated former contract and connected entities language to clarify that organizations must have policies and processes implemented to manage and monitor service providers. 27

28 PCI DSS Lifecycle Process 28

29 SAQ Objectives Self Assessment Questionnaires Self-Assessment Questionnaire (SAQ) A Alignment with the PCI DSS v1.2 Based on industry feedback Flexibility for multiple merchant types Providing guidance for the intent and applicability of the underlying requirements 29

30 Self Assessment Questionnaire SAQ Validation Type 1 Description Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants SAQ A <11 Questions 2 Imprint-only merchants with no cardholder data storage B 21 Questions 3 Stand alone dial-up terminal merchants, no cardholder data storage B 21 Questions 4 Merchants with payment application systems connected to the Internet, no cardholder data storage C 38 Questions 5 All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ D Full DSS 30

31 The Payment Application Data Security Standard Payment Application (PA-DSS) Data Security Standard Distinct from but aligned with PCI DSS PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers PCI DSS compliance This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data 31

32 The Payment Application Data Security Standard Fourteen Requirements Protecting Payment Application Transactions Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data Provide secure password features Protect stored cardholder data Log Application Activity Develop Secure Applications Protect wireless transmissions Test Applications to address vulnerabilities Facilitate secure network implementation Cardholder data must never be stored on a server connected to the Internet Facilitate secure remote software updates Facilitate secure remote access to application Encrypt sensitive traffic over public networks Encrypt all non-console administrative access Maintain instructional documentation and training programs for customers, resellers, and integrators 32

33 PIN Entry Device Requirements Physical Attributes Attributes that deter physical Attacks ex penetration of device to determine key(s) Planting a PIN disclosing bug within Logical Attributes Logical security characteristics include functional capabilities that preclude: Allowing device to output clear text PIN encryption key The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and applies to devices (attended or unattended) that accept PIN entry for all PIN-based transactions as well as non-cardholder interface devices (hardware security modules) 33

34 PIN Entry Device Requirements Device Types Under PED Traditional Devices include Point-of-sale PED Designed for Secure PIN Entry Attended devices (e.g., sales clerk, cashier) New Devices scheduled for 2008 include Unattended Payment Terminals (UPTs) Fuel Pumps, Kiosks, Ticketing Machines Hardware (or Host) Security Modules (HSMs) Non-cardholder interface Embedded devices that are used for PIN translation, Card Personalization, Data Protection, Electronic Commerce 34

35 PCI DSS Applicability Information Data Element Storage Permitted Protection Required PCI DSS Req. 3.4 Primary Account Number (PAN) Yes Yes Yes Cardholder Data Sensitive Authentication Data [2] Cardholder Name [1] Yes Yes 1 No Service Code 1 Yes Yes 1 No Expiration Date 1 Yes Yes 1 No Full Magnetic Stripe Data [3] No N/A N/A CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A [1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted. [2] Sensitive authentication data must not be stored after authorization (even if encrypted). [3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.

36 PCI SSC Community Meetings

37 Community Meeting Merchants Acquirers Approved Scanning Vendors Qualified Security Assessors Community Meeting Service Providers Brands 37

38 Community Meeting Two Meetings. Responsive to industry. Orlando, Fla., Sept Offered vendor showcase opportunity Brussels, Belgium, Oct Program in conjunction with PCI Europe Your Opportunity to get involved in setting the global PCI standards Not yet a Participating Organization? Join us at 38

39 How To Get Involved

40 Global Participation & Representation More than 500 organizations have been accepted North America: 411 Asia Pacific: 12 Europe: 78 Latin America / Caribbean: 6 Central Europe / Middle East / Africa: 14 40

41 Board Representation & Special Interest Groups A Seat at the Table Financial institutions Merchants Gateways Processors Service providers EFT networks Associations Vendors 41

42 Participating Organization Privileges Vote and run for Participating Organization Board of Advisors Comment on DSS, SAQ, PED, PA-DSS and on other PCI SSC documentation, prior to public release Attend Community Meetings Attend Webinar meetings Recommend new initiatives and standards Early updates on upcoming press releases Monthly bulletin from SSC General Manager Coming soon: Exclusive private Web site for PO and assessor community Reserve Your Seat at the Table 42

43 Board of Advisors Financial Institutions Bank of America JP Morgan Chase and Co. Citibank N.A., Global Consumer Group Commonwealth Bank of Australia The Royal Bank of Scotland Processors Chase Paymentech Solutions First Data Corporation Interac Association Moneris Solutions Corporation SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V. TSYS Acquiring Solutions Merchants British Airways, plc Exxon Mobil Corporation McDonalds Corporation Microsoft Tesco Stores Ltd. Wal-Mart Stores, Inc. Associations & Vendors APACS EPC PayPal, Inc. VeriFone, Inc. 43

44 Roles and Responsibilities Provide feedback Set strategy Emerging security issues Additional standards Evolving the current standard(s) Set agenda/programs for Community Meetings Time commitments Face-to-face meetings (as needed) Conference calls (regularly scheduled) SME, panelists, moderator (Community Meetings/Webinars) Regional and business category market feedback Ad hoc working groups 44

45 Board of Advisors (Working Groups) PA DSS Task Force Develop Best Practices into to Industry Standards Evolution of testing criteria in the applications Driving Marketplace adoption Members Include: Paypal Verifone Moneris JP Morgan Chase Community Meeting Agenda Task Force Restructure Agenda Define clear business models to use going forward Members Include: Paypal TSYS Acquiring Solutions Microsoft RBS Outreach and Education Task Force Identify additional marketing and educational needs, based on industry size, region, etc. Members Include: Walmart Stores Inc. APACS British Airways First Data Corporation 45

46 Participating Organizations Financial Associations Other POS Processors Merchants Vendors Institutions For a full list: For a full list: 46

47 Need More Information? 47

48 Thank You!