Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Transcription

1 Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC

2 SecureState Founded in 2001, Based on Cleveland Specialized in Security Assessments Vendor Agnostic Background of Big X and Military Four Practice Areas Audit and Compliant Testing and Validation Risk Management E.Discovery and Forensics 2 About Us

3 Your Presenters Matthew T. Davis CISSP, CISA, ISO 27001, QSA, CTGA Principal and Practice Lead for Audit and Compliance Joined SecureState in April 2004 About Us Matt Franko Regional Manager for Business Development in Greater Columbus Area 3

4 Agenda Need for PCI About PCI Management Backing Centralizing the Data Encryption and Tokenization Virtualization Changes in 1.2 Questions Agenda 4

5 Need For PCI Sum of all card programs.

6 Number of Breaches Source: 6

7 Source: Breach Disclosure Laws

8 Cost Per Record Source: Forrester Research 8

9 About PCI What you should already know.

10 About PCI PCi 10

11 History Payment Card Industry Data Security Standard (PCI DSS) was created in Founders include MasterCard, Discover, Visa, JCB, and American Express. PCI Council was created in 2006 to take maintenance of the DSS. Section About PCI of Slide 11

12 Build and Maintain a Secure Network Protect Cardholder Data Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks About PCI Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Maintain an Information Security Policy Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security Six (6) main areas with twelve (12) sub requirements.

13 Roles and Responsibilities owned and maintained by the PCI Security Standards Council PCI Council Maintain the DSS Certify QSA s and ASV s Card Brands Enforce PCI Promote Adoption Sanctions Rewards About PCI promoted and enforced by the card brands administered by acquiring banks interpreted by Qualified Security Assessors (QSA s) QSA s and ASV s Verify compliance through onsite assessment & quarterly vulnerability scans Render opinions to merchant bank Aquiring Banks Communicate with and educate merchants Report merchant compliance to Card Brands observed by merchants assessed by merchants or QSA s and by Approved Scan Vendors (ASV s) Merchants Comply with PCI Secure cardholder data Use compliant service providers Service Providers Secure cardholder data Comply with PCI 13

14 Management Backing The most important factor.

15 Convincing Management Nothing gets accomplished with the proper executive buy in and voice. Need to have the proper backing at all levels to mandate changes throughout the organization. Management Backing Need for budget 15

16 Arguments Risk/cost of a breach. Relate to customer care. Mandates from the bank. Management Backing PCI ROI Just asks for a good security program 16

17 New Legal Development Third Party Beneficiary Liability Sovereign Bank v. B.J. Wholesale Inferred by Brand business operations and regulations contract Management Backing May lead to more lawsuits, but more direct 17

18 Centralizing The Data Worry about one area, not multiple.

19 Where s the credit card data? Centralizing The Data 19

20 Convincing the Owners Business process flow and reprocessing Do we really need the PCI data? Can we adjust the process to minimize or eliminate the needs for storage? Are we really just looking for uniqueness i.e. can we use techniques like hashing? Need for owners to then be involved and responsible both at a project and potentially at a budget level too Centralizing the Data 20

21 Zoning Centralizing The Data 21

22 Network Segmentation What is meant by adequate network segmentation in the PCI DSS?... implementing adequate network segmentation can reduce the scope of the PCI DSS assessment if it isolates systems that store, process, or transmit cardholder data from other systems... Centralizing The Data 22

23 Network Segmentation Council will not consult on what adequate means. Some examples of internal segmentation are: internal firewalls, VLANs, or two-factor authentication. Consult with a qualified QSA in helping to define adequate segmentation. Centralizing The Data 23

24 Outsourcing Snappy lead in.

25 Outsourcing the PCI Risk Why hold onto the compliance responsibilities when you can give it to someone else? Does not necessarily eliminate PCI responsibilities. Make sure they are on the CISP list. Outsourcing 25

26 26 Outsourcing

27 Outsourcing the PCI Risk 1. Your customer inputs credit card information on the online store. 2. The Payment Gateway encrypts data and securely sends it to your merchant account. 3. The transaction is reviewed for authorization. 4. The result is encrypted and sent back through the payment gateway. 5. The results are sent and left up to you to fulfill the order. Outsourcing 27

28 Non-Service Providers Need to have contractual language to adhere to the PCI DSS Need to maintain PCI liability chain or waterfall Think outside the box cleaning crews, maintenance, IT support Outsourcing Due diligence not required, but should be done. Consider PCI SAQ or SAS70 28

29 Encrypting and Tokenizing Snappy lead in.

30 Rendering Data Useless Truncation First 6, Last 4 Hashing Salting not required but should be done Encryption Enterprise Architecture Need Why stop at PCI? What about PII? Encrypting and Tokenizing Tokenization Encryption Plus 3 0

31 Encryption Needs Needed for data both stored and transmitted. Need to use strong encryption Need to have strong key management Need to address different Data Types (field, file, disk, imaging) System Types (OS, database, applications, development languages) Encrypting and Tokenizing 3 1

32 Tokenizing Create tokens that are unique, not sensitive, and can be used to ultimately get PCI data again Is often used where encrypted values are not acceptable inside a given application or process e.g. SAP Encrypting and Tokenizing Essentially a database of token related to encrypted data. Encryption is still a must. 3 2

33 Example Section of Slide 33

34 Tokenizing Using tokens does not eliminate PCI responsibilities. Idea is to transfer the risk of storage to someone else. Note: Many of breaches still happen without storage. Encrypting and Tokenizing 34

35 Reality of Virtualization Virtual Technologies and How They Affect Scope

36 Virtualization Challenges Virtualization is typically in scope and can often help reduce or increase it Does the PCI DSS address virtualization security? Does my virtual host have to be PCI compliant? Do VLANs separate my PCI segment correctly? Do I have to encrypt my MPLS traffic? Virtualization and PCI 36

37 Virtualization Machines Host Machines Access Control Stronger Security Reduce Sharing Hosted Machines Treat as a physical machine Examine connectivity PHYSICAL HOST HYPERVISOR HARDWARE Virtualization and PCI 37

38 Virtual LANs (VLANs) Segment network traffic at layer 2 Firms use to reduce scope of PCI Switch layer controls Access Control Lists INTERNAL PCI ZONE EXTERNAL Virtualization and PCI Stateful Firewall PCI DSS

39 Multiple Protocol Label Switching (MPLS) PCI DSS Requirement 4.1 Is MPLS Private or Public? Today it is classified as private by PCI SSC Today some MPLS providers send their traffic over the internet Ensure your MPLS is actually private Utilize encryption Virtualization and PCI 39

40 References Some sources to read at home.

41 Changes in 1.2 besides clarification Penetration Testing Both External AND Internal Cost increase! References Web App 6.6 is permanent WEP eliminated A/V is now for ALL operating systems Consider opensource Clam AV Firewall reviews 2/year, not 4/year First time they have eased up 4 1

42 Card Security Program American Express Data Security Operating Policy dswfrontservlet&request_type=dsw&pg_nm=merchinfo&ln =en&frm=us Discover Information Security and Compliance MasterCard Site Data Protection Visa Card Information Security Program ep=v_sym_cisp ( References 42

43 Blogs and Wikis Educause Connect Treasury Institute PCI Compliance Demystified Payment Card Security and IT Controls Explained References 43

44 Web Sites PCI Security Standards Council PCI Auditor Community Site References PCI Compliance Guide The PCI Forum 44

45 Q& A Q & A Thank you for your time!