PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

Transcription

1 PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz

2 The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card data. ALL merchants or merchant service providers that accept, transmit, or store any cardholder data must comply. This is a contractual standard. Payment processor contracts and merchant rules bind you to PCI-DSS compliance. The PCI-DSS acts as a floor, not a ceiling many PCI-compliant entities are breached. 2

3 Why is compliance important? It s the law in some states (i.e., Washington, Minnesota, Nevada and Massachusetts) Fines for non-compliance MasterCard: $25,000 $200,000 depending on # of past violations Visa: $5,000 $25,000/monthly depending on merchant s level American Express: 0.75% of each non-compliant transaction Discover: $20,000 $50,000 per violation plus up to $50,000 per month of non-compliance Fines for data breaches during non-compliance period MasterCard: $100,000 for each violation of a PCI requirement Visa: $500,000 per incident Chargebacks for fraudulent transactions Reputational harm Costs of investigating, remedying and litigating breaches 3

4 Lawsuits Abound Parties to litigation 4

5 PCI-DSS Myths A PA-DSS-compliant vendor will make us compliant. We outsource card processing, so PCI-DSS couldn t possibly apply. Outsourcing card processing makes us compliant. Becoming compliant with PCI-DSS is an IT project. PCI-DSS compliance makes us secure. We don t take enough cards to be subject to the PCI-DSS. 5

6 Be Aware of Other Payment Card Standards Payment Application Data Security Standard (PA DSS) Applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and are used by third parties. PCI Personal Identification Number (PIN) Security Requirements Complete set of requirements for secure management, processing, and transmission of PIN data. Applies to online and offline transactions at ATMs and point-of-sale terminals. Card Brand Merchant Rules 6

7 What Rules Apply? Payment card data can be sent directly to the processor through a dedicated telephone circuit or VPN tunnel to minimize the PCI-DSS compliance. The PIN security rules also apply here at the Pin pad. Merchant card rules apply to identification and authorization when a customer uses a payment card. When a card is swiped on a point of sale (POS) terminal, the card data may be transmitted, processed or cached by the merchant, and PCI-DSS rules apply. Careful! Malware attacks have exploited centralized processing systems. 7

8 What Rules Apply? When a website connects to a payment processor, the PCI-DSS applies to the website, and the PA-DSS may apply for any payment applications. 8

9 What Rules Apply? Both the PCI-DSS and the PA-DSS can apply to mobile transactions. 9

10 Mobile Payments Find the requirements here: documents/accepting_mobile_payments_ with_a_smartphone_or_tablet.pdf 10

11 What Rules Apply? For call centers, PCI-DSS call recordings and clean room rules apply to workers who receive 16-digit account numbers voiced over the phone. 11

12 The Different Levels of PCI Compliance 12

13 Six PCI-DSS Areas 1. Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 2. Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 13

14 Six PCI-DSS Areas 3. Maintain a Vulnerability Management Program Protect against malware and regularly update anti-virus software or programs Develop and maintain secure systems and applications 4. Implement Strong Access Control Measures Restrict access to cardholder data by business need-toknow Identify and authenticate access to system components Restrict physical access to cardholder data 14

15 Six PCI-DSS Areas 5. Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes 6. Maintain an Information Security Policy Maintain a policy that addresses information security for all personnel 15

16 How to Approach Compliance: An Overview Assemble the team and require ownership of the issue Interview personnel and conduct scans to locate cardholder data in your environment Emphasize security and risk, not just security Conduct data store analysis: decommissioning, encryption and tokenization Implement thoughtful network segmentation Implement policy and programmatic changes to your IT standards Conduct training and awareness activities 16

17 Prioritized Approach Tool 17

18 Data Store Analysis: Decommissioning Retire systems and databases with payment card information that are not needed or not actively in use Make sure data is securely erased if drives will be re-purposed or end-of-life drives are disposed 18

19 Data Store Analysis: Tokenization & Encryption Tokenization: Don t store PAN, if possible Encrypt Data in Motion: PCI-validated point-to-point encryption (P2PE) Encrypt Data at Rest: But encryption is not a magic bullet 19

20 Practice Point: Internal vs. External Vulnerability Scanning External: looks for holes in network firewalls where outsiders can get in (pen testing) Internal: operates inside business s firewalls to identify real and potential vulnerabilities inside the network Both are necessary! Pen testing is not enough! 20

21 Practice Point: Policy and Programmatic Changes to IT Standards Review your company s policies and procedures to ensure they are compliant with the PCI-DSS The technical requirements are considerable But there are many policy and programmatic requirements There are also technology requirements that must be documented Don t underestimate the time that policy, programmatic, and documentation requirements will take! We can provide attendees with a complimentary informal summary of these requirements 21

22 Incident Response Document and rehearse an IR plan before the breach. Central reporting point, monitored 24/7/365 Obligation to report a very broad range of events/conditions Universal awareness of reporting obligation Designated response team that preserves privilege Immediately contain the breach. Do not access compromised systems. Do not turn the compromised systems off or reboot. Preserve all evidence and logs. Document all actions taken, including dates and individuals involved. Block suspicious IPs from inbound and outbound traffic. Be on high alert and monitor all systems with cardholder data. 22

23 Incident Response: PCI Notice Issues Determine whether notice must or should be given: To your merchant bank card processors (review contract) To the payment card brands (rules vary) To others pursuant to law (e.g., regulators, individuals) Key questions include: What data was compromised, by whom, and how? Was the data encrypted, and was the encryption key breached? What is the risk of harm? Determine notice strategy, content and timing. Provide evidence of PCI-DSS, PA-DSS, or PIN Security compliance status to merchant bank card processor within 48 hours of the notification. Provide all compromised payment card accounts to your merchant bank card processor within 10 business days. 23

24 Post-Breach Card Brand Investigation Document the following: The facts of the breach and the method of its detection Remediation steps Chain of custody Card brands will notify you if hiring a PCI Forensic Investigator (PFI) is necessary. The payment card processor or any of the payment card brands may require validation of subsequent PCI compliance and incident remediation by a Qualified Security Assessor (QSA). 24

25 Amy Mushahwar Mason Weisz