PCI Security as a Lifecycle: How to Plan for PCI in 2012 and Beyond

Transcription

1 PCI Security as a Lifecycle: How to Plan for PCI in 2012 and Beyond Bob Russo PCI SECURITY STANDARDS COUNCIL Session ID: GRC-204 Session Classification: Intermediate

2 About the Council Open, global forum Founded 2006 Responsible for PCI Security Standards Development Management Education Awareness

3 PCI Security Standards Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users 3

4 PCI Update 4

5 2012: Feedback Year Submit feedback today Implementation Feedback Formal Feedback Draft Revisions Feedback

6 POI Security Requirements V3.1 Errata Standard months after initial publication P2P Support Leverage Existing POI Criteria Secure (Encrypting) Card Readers Select Core and SRED Requirements Non-PIN Entry Devices Mandatory SRED module Open Protocols (if applicable)

7 New Program P2PE Hardware/Hardware Point-to-Point Encryption (P2PE) The Council delivered Initial Framework on Point-to- Point Encryption guidance in October 2010 P2PE solutions may help merchants reduce scope of their CDE and their PCI DSS assessment The Council now has the first set of P2PE validation requirements for hardware-based encryption and decryption solutions Developed with the Encryption Task Force Supporting testing procedures, assessor training, and other resources available in 2012

8 New Guidance - Mobile PCI SSC Update June 2011 Mobile Update & FAQ on applicability of PA-DSS to mobile payment acceptance applications Category 1 and 2 applications are eligible for PA- DSS Category 3 applications are pending development of further guidance and/or standards Category 1 PTS Approved PED Devices Category 2 Purpose Built POS Devices Category 3 General Purpose Smart Device

9 Planning ahead for PCI by building a security lifecycle into your everyday business 9

10 PCI Bridge of Compliance Compliance

11 What is a PCI Lifecycle Approach Reduce the attack surface Continuous Awareness & Protection Prevent New Types of Exposure Measure success and identify opportunity

12 Lifecycle Principles Within PCI DSS & PA-DSS The lifecycle process approach to information security management presented in ISO encourages users to: Understand your information security requirements Implement controls to manage overall business risks Monitor and review the performance and effectiveness of the controls Continual improvement based on objective measurement Some examples from the PCI Standards Req Req 11.2 Req 12.1

13 Why PCI DSS Requires Ongoing Risk Assessment Technology innovation leads to new attack vectors Consider the amount of business changes as well as technical A keystroke-logging system that allegedly August Hackers 16, around 2011 the world CSO are Security gaining experts more allowed hackers to steal computer passwords is Symantec Mobile attention malware than warned usual developers that in the a new last are type few focusing of months. aggressive Now Chinese thought to authorities be at the heart have of not a failed yet agreed attempt to malware Android Google has devices is threatening added more another than network announcement any other world platform. as to they cooperate steal 229 million ($437m) from the London prey But pile mobile that upon hundreds social malware networks of remains Gmail and accounts a tiny mobile segment have phone been of branch of a Japanese bank. users. total There's hacked malware recently. an elephant output. in the room, when it comes to The internet attempted attacks, cyber-heist and that at elephant the Sumitomo is China. In Google's Now, its July Google Android 2011 affirms Symantec has that overtaken the Intelligence problem Java Micro doesn t Report, While Mitsui America Bank was once first was detected fearful by of the China's bank in Symantec Edition rest with as Gmail the said most that security attacked "polymorphic but rather mobile malware", this platform, scheme or communist October 2004, philosophies, and the police today were the informed. Asian giant But malware McAfee was a result said that of in is phishing its aggressive latest and quarterly and malware. rapidly threat changes, report. poses it only become a far greater public threat on Thursday in its economic after a man was seen in percent of s identified as Out success. Google was of arrested about spilled 1,200 in the Israel details mobile for allegedly on malware Wednesday preparing samples via that its a malicious. This figure is more than double seen McAfee official bank account blog: Labs collected to receive and nearly analyzed 14 million in the six China months is home agotosymantec some of the added world's "indicating most a

14 Easier Said Than Done Why we fail to maintain secure environments Lack of awareness by IT practitioners Incentive to keep security a primary focus Quickly evolving technology landscape Rapid development and distribution of new solutions Still unnecessary exposure of CHD

15 Eliminate the Simple 92% of compromises were simple 96% were avoidable through simple or intermediate controls 92% 96% Verizon Business 2011Data Breach Investigations Report

16 Results from a PCI Lifecycle PCI Lifecycle can prevent one mistake leading to mass data compromise PCI Lifecycle can minimize validation and improve security response

17 How to Implement a PCI Security Lifecycle 17

18 Reduce the Attack Surface Continually identify the environment Maintain a CHD Dataflow Diagram Meet regularly with those able to create cardholder data pathways DLP Methodology

19 Partner with Trusted Experts Consider Payment Security Alliances Trust but verify partners Verify all third-party access Verify claims of PCI DSS compliance Require agreements to maintain skillset Scope of Access: -Approval Process -Revocation Process -Periodic Review

20 You Can t Attack What Isn t There Confirm there is still need to retain Verify with your financial partners Evaluate opportunities to use surrogate values to replace PAN

21 Management Commitment for Success Don t let management think the finish line was a compliant ROC Strategy for management commitment

22 IT Commitment for PCI Success Strategy for having IT commit to PCI success Engage Engage IT in IT the in threat the threat modeling modeling process process Incentive to attend training Security as Business Goal annually Incentive to attend training Security part of goals annually If your engineers do not know what constitutes a security bug, they will find none when reviewing their work

23 Building a PCI Leadership Team Set objective metrics for success Each PCI security coach should be able to translate threats into relevant questions for their group Security should be a common skillset not confined only to PCI auditors Assigning security advisors within your organization

24 Education and Awareness of your PCI Lifecycle Strategy for on-going PCI training and how to keep it fresh Measuring retention of knowledge Introduction to PCI requirements Trustworthy computing Basic security design Threat modeling & Attack Surface Analysis Security Response

25 Practice Good Security Hygiene Common Secure Development Principles Keep it simple Fail-safe default Open design Separation of privilege Minimize shared resources Localize Security

26 Prevent New Types of Exposure Create a threat model for cardholder data Use real-case scenarios Identify dependencies (people, systems, services) What security assumptions have you made? Any updated information available externally? Using that threat model as a gap analysis before your QSA or PA-QSA assessment

27 Defining and Following Best Practices Have Clear Asset Identification of Payment Account Data Are you asking the right questions? How does the cardholder data flow? Where is there storage of data? Where is there available connectivity? Is all cardholder data classified as such? What are our dependencies? What features are installed by default?

28 New things should come with warnings Create Asset Identification for CHD - Flag new systems and payment dataflows - Flag when new privileged access is provided - More closely monitor the behavior of new applications

29 Utilizing Policy Creating and Executing Good Policy Importance of the Implementation Guide Creating tools to help Enterprise Application Store DLP Methodology Use Policy ASV Scanning

30 Testing the Policy Test the documentation Re-evaluate the policies Have environmental values changed?

31 Test the Strategy Proactively look for updates The Importance of Fuzzing Default Passwords

32 Measure Success and Identify Opportunities Examples of PCI Lifecycle metrics Req 1 Number of systems with direct connectivity Ratio of attacks per e-commerce sessions Req 2 Number of accounts with no owners Percentage of systems not patched within 30 days Req 3 Percentage of systems containing cardholder data Number of business units with access to cardholder data Req 5 Percentage of systems with up-to-date signature files Number of systems identified with malware Req 11 Percentage of systems undergoing vulnerability scan Percentage of external to internal servers with latent patches

33 How PCI Security Lifecycle can Simplify Compliance 33

34 May Discover Ways to Simplify the Process Any exposure of cardholder data beyond acceptance? Reduce number of departments and individuals with direct access

35 Simplify the Environment Remove unnecessary systems Use compliant service providers and partners

36 Simplify Payment Application Development Development team aware of need to protect data Lab Validated Applications

37 Simplify the Implementation Installation consistently aligns with policy Installed to specification by a qualified professional

38 Use of Trusted Devices Lab Accredited Devices Aware of skimming attacks

39 What the Council is Doing to Help Creating P2PE requirements Providing guidance on tokenization Improving the quality of installations Updating our training offerings Expanding the devices that can be lab tested

40 PCI Bridge of Compliance Compliance Point-of- Sale Device Payment Application Merchant Server Service Provider P2PE P2PE P2PE P2PE Return to Merchant

41 PCI Bridge of Compliance Compliance Eliminate by: Outsourcing Point-of- Sale Device Payment Application Merchant Server Service Provider Return to Merchant Outsource processing to PCI Compliant Entities

42 PCI Bridge of Compliance Compliance Eliminate by: Outsourcing Removing Point-of- Sale Device Payment Application Service Provider Return to Merchant Remove through means such as TOKENIZATION

43 PCI Bridge of Compliance Compliance Eliminate by: Outsourcing Removing Encrypting Point-of- Sale Device Payment Application Service Provider Render Cardholder Data Unreadable Such As P2PE

44 PCI Bridge of Compliance Compliance Eliminate by: Outsourcing Removing Encrypting 3 rd Party Validation Point-of- Sale Device Payment Application Use Validated Applications PA-DSS and qualified installation

45 PCI Bridge of Compliance Compliance Eliminate by: Outsourcing Removing Encrypting 3 rd Party Validation Point-of- Sale Device Validated Devices Such as PTS v3.1 and qualified installation

46 PCI Council Resources 46

47 New Guidance - Technologies in Payments Telephone-based Payment Card Data Virtualization Tokenization Wireless EMV

48 2012 Training Highlights PCI SSC Internal Security Assessor (ISA) Program Helps security professionals improve their organizations understanding or PCI DSS and validate and maintain ongoing compliance Check out our Training Webinar! PCI Awareness Training Offers general PCI training across your business to ensure a universal understanding of PCI compliance Training Schedule ISA: Las Vegas, NV, USA April, 2012 QSA: Denver, CO, USA 1-2 March, 2012 PA-QSA: Orlando, FL, USA February, 2012 PCI Awareness Training online anytime!

49 Special Interest Groups (SIGs) Guidance & Alignment on Risk Assessment Level 3 and Level 4 E- Commerce Merchants Cloud (Virtualization Phase 2) sigs@pcisecuritystandards.org today to join!

50 Community Meetings Orlando, Florida September 12-14, 2012 Dublin, Ireland October 22-24, 2012 Join us as a Participating Organization to get involved in setting global PCI Standards!

51 Get Involved Join the PCI Brain trust! Chief Security Officers Information Security Professionals Compliance Officers Join! Become a Participating Organization today Forensic Investigators Technologists IT Managers Risk Managers Chief Information Officers Legal Experts Data Security Experts

52 Questions?