PCI DSS Lessons from the Frontline. Loop Technology Lyal Collins

Transcription

1 PCI DSS Lessons from the Frontline Loop Technology Lyal Collins

2 Objectives Common PCI Challenges Strategies that have worked Solutions that have delivered compliant outcomes Why I m still seeking the silver bullet of compliance

3 Background 1. It Depends AKA the QSA s first answer The generic QSA response to generalised questions E.g. will this be compliant if Card Data is <insert process term> in <insert product name> on <insert OS name>? The specific compliance outcome may not translate to other situations 2. QSA s are not permitted to require use of products or services our employer sells Any product or company names I use today are examples only 3. I reserve the right to disagree if this presentation is used to convey to your management that A QSA Ok ed this solution. See #1 above!

4 PCI Eco-System follows the contracts Card Brands Acquirers, Issuers Aka Banks In Australia, at least Merchants Accept payments card transactions in exchange for goods and services One to many, typically Service Providers Facilitate use of payments card for legitimate business purposes

5 Compliance Strategy PCI DSS is fundamentally a business problem Business ownership, or significant Buy In usually means: Solutions are chosen on business outcome and TCO Significant risk reduction Other benefits process re-engineering, legacy frameworks decommissioned, and increased automation etc. IT or IT Security ownership of PCI usually leads to a longer, more complex path to compliance

6 Documentation Policies and Procedures Settings defined and approved in your environment Network Diagram(s) Card data flow diagram(s) the entire lifecycle Artifacts e.g. Patching Vulnerability scanning, Penetration testing Logging and Monitoring, AV/AM Change management, Code management Create lots of documentation Maintain heaps of documentation and artifacts You will need it for next year s assessment!

7 Scope PCI DSS applies to everything: That process stores, or transmits cardholder data In the same logical network i.e. If a compromise occurred on platform X, would it facilitate compromise of cardholder data on platform Y? Used to operate and maintain the Cardholder Data Environment Don t put , Dev and Test systems into scope Compliance becomes really hard for you and me

8 Network Security Network Segmentation it NOT mandatory Although, flat network?, and Hard Shell, gooey interior are not secure network architectures in 2015 Applied effectively, network segmentation can reduce compliance costs, overheads thru reducing the compliance footprint. One Cardholder Data Environment (CDE) or many? Your choice; you have to support the outcome

9 Secure Coding Document your own company guidelines Massive amount of published resources OWASP, Microsoft SDL, RedHat, Oracle/Java etc. Leverage them; they are as close as google.com Peer code reviews, for every development environment / language / methodology Agile, continuous release Waterfall, Prinz, PMBOK, sprints, scrums, cutting and pasting neat stuff I found on the internet Tracking and security testing all releases

10 Segregation of Duties In theory Developers should not have access to Production In practice, for most Australian organisations: Developers have access to Production, with separately defined and limited privileges, for defined periods etc. E.g. a separate login, with access to specific tools Not/Not Administrator/root Migrate code into production via non-developer roles

11 Security testing - 1 Penetration testing Internal, external by skilled person, independence Annually, after significant changes Vulnerability scanning Internal (skilled person, independence), external (via ASV) Quarterly, after significant changes Retest to confirm that fixes have been effective File Integrity Monitoring / System Integrity Its on the ASD Top 4

12 Security Testing - 2 Wireless access points in/connected to CDE Every physical site housing the CDE Detection Rogue, Unauthorised or Mis-configured WAPs Response process A trigger in the organisation s Security Incident Response Plan Quarterly, at minimum

13 Policies and Procedures The PCI requirements and Reporting Template states the language/terms required in the organisation s policies and procedures for compliance. Mangle Re-state these into a form suitable for your culture and business needs, and also address PCI.

14 Target US a case study Based on published reports Initial access thru a third party 77m customer details, PII compromised Around 7 steps needed by attacker to get this far No card data 47m payment card records compromised Another 4 steps needed to get these records Because they had been PCI compliant, the card data impact was ~40% less than the PII compromise

15 Summary Wherever you don t need card data, get rid of it Processing, storing or transmitting Document what you are going to do/ operate / achieve Go do it Keep evidence that you did it If nothing else, your assessor will love you for this! So will your boss

16 Any Questions? I ll attempt to avoid responding with It Depends