HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Transcription

1 HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1

2 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Kevin Villanueva, CISSP, CISA, CISM, PCI QSA Senior Manager, IT Security and Infrastructure Practice Leader SLIDE 2 MOSS ADAMS LLP 2

3 OBJECTIVES You will leave this session with an understanding of: The background, history, compliance, and audit requirements of Payment Card Industry (PCI) Data Security Standards (DSS) Highlights of the changes from 2010 (v1.2) to (v2.0) Key compliance tips Leveraging PCI DSS audit to achieve audit efficiencies with other compliance and/or regulatory audits SLIDE 3 MOSS ADAMS LLP 3

4 POLLING QUESTION Question #1 SLIDE 4 MOSS ADAMS LLP 4

5 Question #1 How would you classify yourself? 1. A level 1 service provider or merchant 2. A non-level 1 service provider or merchant 3. Other 4. I do not know SLIDE 5 MOSS ADAMS LLP 5

6 BACKGROUND & HISTORY MOSS ADAMS LLP 6

7 CARD BREACHES ARE ON THE RISE 2010 Security Breaches Food and Beverage 57% Retail 18% Hospitality 10% Financial 6% Government - 6% Education 1% Construction - 1% Entertainment - 1% Source: Trustwave s Global Security Report 2010 MOSS ADAMS LLP 7

8 NOTABLE CARD BREACHES TJX Companies 2007 Hackers compromised wireless network to steal information on approximately 94 million card transactions. Heartland Payment Systems 2008 Hackers attacked system used to process card transactions. Inserted malware. Up to 100+ million transactions compromised. Lush Cosmetics 2010 Ecommerce website hacked. 5,000 card transactions accessed. Led to shutdown of their ecommerce operations. Sony PS Network 2011 Hackers accessed an old database containing consumer info and credit card info. Millions of customers information stolen. MOSS ADAMS LLP 8

9 PCI OVERVIEW PCI Security Standards Council (PCI SSC or the Council) founded in 2006 is responsible for the development, management, education, and awareness of the PCI Security Standards. PCI Data Security Standard (PCI DSS) is a comprehensive set of international security requirements for protecting cardholder data. Payment Application Data Security Standard (PA-DSS) is a set of requirements for software vendors to develop secure payment applications. PCI PIN Transaction Security (PCI PTS) is a set of requirements for device vendors and manufacturers for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads, and unattended payment terminals. SLIDE 9 MOSS ADAMS LLP 9

10 PCI OVERVIEW Not a government regulation, but an industry regulation. Purpose is to help prevent credit card fraud and maintain public confidence in payment cards. Applies to all entities that process, store, or transmit payment card information need to comply (Primary Account Number PAN is the deciding factor.) Card transaction players: card brands, merchants, service providers, acquirers, and issuers. Effective compliance dates varies depending on merchant level or service provider level and card brand. All deadline enforcement will come from the acquiring bank. Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees. MOSS ADAMS LLP 10

11 THE PAYMENT CARD TRANSACTION Payment Brand Network Issuer (Consumer Bank) Service Provider Acquirer (Merchant Bank) Cardholder Merchant MOSS ADAMS LLP 11

12 THE ACQUIRER S ROLE Acquirers are responsible for: o Ensuring their merchants are PCI DSS compliant o Managing merchant communications o Working with their Level 1 merchants until full compliance has been validated: Merchants are NOT COMPLIANT UNTIL ALL REQUIREMENTS have been met and validated Acquirer is responsible for providing Visa their merchants compliance status o Any liability that may occur as a result of noncompliance MOSS ADAMS LLP 12

13 ROLES OF THE QSA AND ASV QSA Qualified Security Assessor o Certified to validate compliance with PCI-DSS o Qualified Security Assessor companies have been qualified to have their employees assess compliance to the PCI-DSS standard o Qualified Security Assessors are employees of these organizations who have been certified to validate an entity s adherence to the PCI-DSS ASV Approved Scanning Vendor o Approved Scanning Vendors are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. MOSS ADAMS LLP 13

14 PCI DSS REQUIREMENTS MOSS ADAMS LLP 14

15 MERCHANT LEVELS Merchant Level Description 1 Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa 2 region. Merchants processing 1 million to 6 million Visa transactions annually (all channels) 3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. 4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit, and prepaid) from a merchant Doing Business As (DBA). MOSS ADAMS LLP 15

16 SERVICE PROVIDERS Service Provider Level Description 1 VisaNet processors or any service provider that stores, processes, and/or transmits over 300,000 Visa transactions annually. 2* Any service provider that stores, processes, and/or transmits less than 300,000 Visa transactions annually. Posted on Visa s Global List of Validated Service Providers Yes No* * Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa s Global List of Validated Service Providers. MOSS ADAMS LLP 16

17 VALIDATION REQUIREMENTS Group Level Compliance Actions Comply with PCI-DSS On-Site Security Assessment Merchant 1 Required Required Annually Validation Actions Self- Assessment Questionnaire Network Scan* Required Quarterly 2 & 3 Required Required Annually Required Quarterly 4** Required Recommended Recommended Quarterly Service Provider 1 Required Required Annually 2 Required Required Annually Required Quarterly Required Quarterly *Network scanning is applicable to any internet facing system. ** Validation requirements are determined by the merchant s acquirer. MOSS ADAMS LLP 17

18 SELF-ASSESSMENT QUESTIONNAIRES (SAQS) SAQ A B C-VT C D Description Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. Merchants using only web-based virtual terminals, no electronic cardholder data storage. Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ. MOSS ADAMS LLP 18

19 POLLING QUESTION Question #2 SLIDE 19 MOSS ADAMS LLP 19

20 Question #2 The Payment Card Industry (PCI) Security Standards Council (SSC) is responsible for enforcing PCI-DSS compliance. 1. True 2. False SLIDE 20 MOSS ADAMS LLP 20

21 HIGHLIGHTS OF CHANGES V1.2 V2.0 MOSS ADAMS LLP 21

22 HIGHLIGHTS OF CHANGES V1.2 TO V2.0 v1.2.1, which had been in effect since July of 2009, was superseded by v2.0 on October 28, 2010 Aligned PCI-DSS better with PA DSS and other industry best practices No new requirements; only added guidance or clarifications Clarifications on intent and wording of requirements or test procedures with example(s) MOSS ADAMS LLP 22

23 HIGHLIGHTS OF CHANGES V1.2 TO V2.0 Added guidance on test procedures and new technologies, such as virtualization and private cloud adoption Recognition of small merchant environments be more flexible Eliminate redundant sub-requirements MOSS ADAMS LLP 23

24 HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES Virtualization req o In-scope and out-of-scope virtual machines can co-exist as long as there is only one primary function per virtual system component. Storage of Sensitive Authentication Data (SAD) - req 3.2 o V2.0 allows the storage of SAD if there is sufficient business justification and the data is stored securely. This is only for card issuers and companies that support issuing processing. MOSS ADAMS LLP 24

25 HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES Risk based approach for addressing vulnerabilities - req 6.2 & o Assign risk ranking to vulnerabilities o Also impact reg and 11.2 o Implementation date July 1, 2012 MOSS ADAMS LLP 25

26 HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES Expansion of definition of personnel req 9.2 o This requirement now applies to on-site personnel and not just employees Support centralized auditing req 10.5 o Audit data must be able to be moved to a centralized log server, such as syslog-ng, Windows Event Logs. o External-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media. MOSS ADAMS LLP 26

27 POLLING QUESTION Question #3 SLIDE 27 MOSS ADAMS LLP 27

28 Question #3 In PCI DSS v2.0, for req 9 Restrict Physical Access to Cardholder Data, it was changed such that it applies to: 1. Only card database administrators 2. Only employees 3. All on-site personnel 4. All personnel SLIDE 28 MOSS ADAMS LLP 28

29 KEY COMPLIANCE TIPS MOSS ADAMS LLP 29

30 KEY COMPLIANCE TIPS If the cardholder data is not needed, don t keep it! Know what is on your network (run discovery tools: Cornell Spider, PANbuster, Vericept) Maintain a central repository for security-related activities throughout the year (vulnerability scan results, system/device reviews, diagrams, etc.) Develop security configuration standards for all your server types and devices. (e.g., DCs, web, database, firewall, etc.) Maintain a data retention policy and stick to it! MOSS ADAMS LLP 30

31 KEY COMPLIANCE TIPS (CONT.) Encrypt databases/files prior to committing them to backup tape/removable media Install A/V on your database servers that store cardholder data (or document compensating controls) Segment ( cocoon ) your CDE and use two-factor authentication for remote access (internal pen testing is not necessary) Institute a verification step for non-face-to-face password resets (e.g., employee ID) MOSS ADAMS LLP 31

32 KEY COMPLIANCE TIPS (CONT.) In virtualized environments, limit the number of mixed mode servers (use separate partitions for each virtual host) Implement POS systems with point-to-point encryption (P2PE) functionality (reduces scope) Conduct quarterly vulnerability scans and address vulnerabilities immediately Look to information security best practice frameworks for guidance (ISO 27002, NIST 800, COBIT) MOSS ADAMS LLP 32

33 PREPARING FOR A PCI-DSS ASSESSMENT Gather Documentation: Security policies, change control records, operational procedures, network diagrams, PCI DSS letters, and notifications Schedule Resources: Obtain dedicated participation of a project manager and key people from IT, business operations, human resources, and legal Describe the Environment: Organize information about the cardholder data environment, including cardholder data flows and locations of cardholder data repositories MOSS ADAMS LLP 33

34 POLLING QUESTION Question #4 SLIDE 34 MOSS ADAMS LLP 34

35 Question #4 Which of the following are ways I can reduce the scope of a PCI- DSS compliance audit? 1. Use POS systems with point-to-point encryption functionality 2. Segment the cardholder data environment 3. Delete primary account numbers from systems 4. 1 and 2 only 5. All of the above SLIDE 35 MOSS ADAMS LLP 35

36 LEVERAGING PCI DSS AUDIT MOSS ADAMS LLP 36

37 LEVERAGING PCI DSS AUDIT Documentation collected for PCI-DSS requirements can be repurposed for other audits: o Test results completed for PCI requirements can be used or relied upon by SAS 70/SSAE16 auditors o Policies and templates developed for PCI compliance such as information security policies and user request forms can be used for systems without cardholder data o Security awareness training and acceptable use policies can fill possible gaps in existing Human Resources polices MOSS ADAMS LLP 37

38 LEVERAGING PCI DSS AUDIT Description of Good Practices PCI-DSS v2 ISO HIPAA Install and maintain a firewall configuration to protect data COBIT (SOX) (e) (1) DS5.11 Use and regularly update anti-virus software or programs Assign a unique ID to each person with computer access Regularly test security systems and processes (a) (5) DS (a) (1) DS (b) AI2.3 MOSS ADAMS LLP 38

39 LEVERAGING PCI DSS AUDIT PCI requirements can be used to drive existing internal projects: o In some areas, PCI requirements may be more stringent than existing practices and used to enforce stronger security. For example, two factor authentication required for remote access and prohibited weak wireless encryption such as WEP. o Communication of scheduled QSA assessment dates can force deadlines and uniform practices for unresponsive or isolated departments. MOSS ADAMS LLP 39

40 REFERENCE MATERIALS PCI Website: PCI DSS v2.0: SLIDE 40 MOSS ADAMS LLP 40

41 QUESTIONS Francis Tam CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, PCI Practice Leader (310) Kevin Villanueva CISSP, CISA, CISM, PCI QSA Senior Manager, IT Security Practice Leader (206) SLIDE 41 MOSS ADAMS LLP 41

42 THANK YOU FOR YOUR PARTICIPATION! Please complete your evaluation The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. MOSS ADAMS LLP 42 42

43 PRESENTER Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, PCI Practice Leader Francis has been consulting since 1993 and began his career in a Big 4 firm directing hundreds of projects ranging in size from small advisory-based projects to multi-year projects. Francis expertise in technology security consulting includes SAS 70/SSAE 16 audits, payment card industry (PCI) data security standards (DSS) security audits, network vulnerability assessment, IT governance, IT planning, risk management, systems selection and configuration, policy development, organizational analysis and development, and business process reengineering. SLIDE 43 MOSS ADAMS LLP 43

44 PRESENTER Kevin Villanueva, CISSP, CISA, CISM, PCI QSA Senior Manager, IT Security Practice Leader Kevin has over 14 years of experience providing IT security consulting services to a variety of clients. His areas of practice include information security audits, system security assessments, penetration testing, PCI-DSS compliance, disaster recovery risk assessment and planning, security policy and procedures development, and project management. In addition, he has designed and conducted technology assessments based on ISO 27002, NIST 800, CoBIT and SysTrust standards and has served as technical counsel on dozens of technology security projects. SLIDE 44 MOSS ADAMS LLP 44