Agenda: A PCI DSS Deep Dive

Transcription

1 Understanding and Managing PCI DSS Walt Conway, CPISM

2 Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI Council Recently joined 403 Labs, a QSA firm 2

3 Agenda: A PCI DSS Deep Dive 1:00 to 2:15 PCI DSS in Context PCI DSS basics Security Outsourcing 2:30 to 3:30 Surviving compliance Recent PCI developments Pretty good practices 3

4 PCI DSS in Context Some History The Digital Dozen Key Players Merchant Levels Validating Compliance Cardholder Data 4

5 First, Some PCI Basics PCI DSS: Payment Card Industry Data Security Standard Goal is to protect Cardholder Data (CHD) Primary Account Number (PAN) Also addresses track data, security codes, PINs If you take plastic, PCI applies to you Store, process, or transmit cardholder data P-cards, travel cards may be in scope PCI Compliance is by institution Most schools use Self-Assessment Questionnaire (SAQ) 5

6 PCI DSS: 6 Goals, 12 Requirements 6

7 PCI DSS Scope The cardholder data environment can include: Network components (firewall, switches, routers ) Servers (web, database, mail ) Applications (purchased, custom, internal, external) Policies, procedures Anything that stores, transmits, or processes cardholder data is in scope If you don t need it, don t keep it 7

8 Key Players Global forum to enhance global payment security PCI DSS, PA DSS, PIN PED Approve assessors (QSAs) and scan vendors (ASVs) Develop Self-Assessment Questionnaires i (SAQ) Develop and publish PCI documentation Participating Organizations include NACUBO 8

9 Key Players Five Payment brands Track compliance and enforce standards (fines, sanctions) Determine event response (forensics) Define merchant levels Acquirers (Merchant Banks) Set merchant level Certify compliance Approve compensating controls 9

10 Merchant Levels Level Visa and MasterCard Amex 1 > 6 million Visa/MC trans/year Compromise in last year Assigned by Visa/MC > 2.5 million Amex trans/year Assigned by Amex 2 1 to 6 million Visa/MC trans/year 50,000 to 2 million Amex trans/year 3 20,000 to 1 million Visa/MC e-commerce trans/year All other Amex merchants 4 All other Visa/MasterCard merchants 10

11 Quiz: What s My Merchant Level? 5 million Visa, 3 million M/C, 1 million Amex (9 million total) transactions/year Level 2: levels are set by volume per brand 800,000 card-present trans/year, all Visa Level 4 50,000 e-commerce trans/year, all M/C Level 3 5,000 trans/year transmitted for another merchant Trick question - you may be a Service Provider 11

12 Cardholder Data 12

13 Cardholder Data Source: PCI SSC 13

14 Why Are You Keeping Those Data!?! Policy: Store no PANs on campus anywhere But what about? Recurring payments acquirer has alternatives Chargebacks, refunds let acquirer store PAN data Legal requirements these apply to banks, not you Paper receipts reprogram terminals or upgrade to truncate t both copies POS software stores PANs reconfigure or replace Limiting PCI scope makes your life easier 14

15 Compliance Validation Level Visa and MasterCard Amex 1 Annual on-site assessment (QSA or Internal Audit) Quarterly network scan (ASV) Report on Compliance (ROC) based on Security Audit Guidelines Annual on-site Security Audit (QSA or Internal Audit) Quarterly network scans (ASV) Security Audit to Trustwave 2 Annual Self-Assessment Quarterly network scan (ASV) Questionnaire (SAQ) Quarterly network scan (ASV) 3 Annual SAQ Quarterly network scan (ASV) 4 As set by acquirer: Annual SAQ Quarterly network scan (ASV) Recommend quarterly network scan (ASV) 15

16 Merchant Compliance 16

17 Validating Compliance Validation is by institution Don t confuse Merchant Level and Merchant ID Level is for compliance validation ID is for accounting Acquirer may combine IDs for PCI validation Simplified SAQs Four versions: depends on card environment Limiting PCI scope simplifies validation No electronic CHD stored 17

18 Self-Assessment Questionnaires (SAQ) For merchants who don t need an on-site security assessment (L2-4) Two parts Attestation of Compliance Requirements Simplified SAQs: you do not keep electronic cardholder data 18 Walter Conway Associates LLC 2009

19 Which is Right for You? SAQ Validation Type Description SAQ 1 Card-not-present merchants, all cardholder A data functions outsourced 2 Imprint-only merchants, no cardholder data storage 3 Stand-alone terminal merchants, no cardholder data storage 4 Merchants with POS systems connected to the C Internet, no cardholder data storage 5 All other merchants and service providers D B B 19 Walter Conway Associates LLC 2009

20 Simplified SAQs Your life may have gotten easier SAQ A and B bonus: no scans More incentive not to keep cardholder data Retaining cardholder data means SAQ D Time answering lots of questions If you don t need it, don t keep it 20 Walter Conway Associates LLC 2009

21 Compliance OMG But we outsourced our e-commerce Staff use PCs to enter MOTO transactions ti P-cards and travel cards don t count If you store the PANs, they can be in scope We didn t know we stored the data Non-compliant POS devices, PCs, servers, 21

22 Staying Compliant PCI is backward looking Compliance today says s nothing about tomorrow You are one change from being non-compliant Establish and follow policies Educate, train, communicate Get trained and/or get help 22 Walter Conway Associates LLC 2009

23 Implications of PCI Your costs will go up Cost to get and remain PCI compliant Non-compliance costs more You will change the way you do business Do you want to be in the payment business? Maybe fewer campus merchants take plastic Limiting access to cardholder data Conclusion: PCI is a business issue 23

24 Security The Bad Guys Dangerous Places: Pwned! Higher Ed top 10 Threats The Insider Threat 24

25 Security: It s About the Data Five emerging g threats Malware Botnets Cyber warfare VoIP and mobile devices Evolving cyber crime economy Data will continue to be the primary motive behind future cyber crime. 25

26 PCI DSS Role The purpose of PCI DSS: To protect t cardholder dhld dt data To keep you and your institution out of the headlines PCI is a data protection standard Not a fraud prevention measure PCI does not make you secure 26

27 Gone Phishing 27

28 Some Links are Good 28

29 30 Seconds PWNED! 29

30 I m Im OK, I have a Mac 30

31 Are Users Listening? Is Anybody Listening? Source: Psychology Department, North Carolina State University 31

32 Higher Ed Top 10 Security Threats 1. Malware, botnets 6. Outsource partners 2. Thieves 3. Staff members 4. Professors 7. Social networks 8. Phishing 9. Cell Phones 5. Students 10. Spammers 32

33 The Insider Threat Well-intentioned staff Just trying to do their jobs Self-interested or malicious staff Intentionally download apps or visit prohibited sites Economy is affecting this group Trusted partners Third-parties with insider privileges 33

34 The Insider Threat 20% of users changed security settings to access unauthorized websites Over 80% of enterprises show Google application activity, and nearly all evidence peer-to-peer applications 35% of users consciously violate internal security policies (to expedite their work) Over 50% of employees who left their job in 2008 took some company confidential information with them 34

35 Your Staff and Laptops Managers: 52% have employer-supplied data encryption 56% disengage their laptop encryption 57% write down - and 61% share their passwords IT Security pros: 92% report their organization had lost/stolen laptops 71% resulted in a data breach Question: Would you let a stranger use your laptop to check their ? Source: Ponemon Institute and Absolute Software Corp.,

36 Your Staff and USB Drives Personal thumb drives pose risks Found devices a new attack vector Stick phishing, thumb sucking Honey Stick Project Train users or as mom said: Don t put that in your mouth! Question: Do you let staff copy data and work on their home computer? 36

37 Your Staff and the Web People under the age of 28 are engaging in online behavior that could expose their organizations to data leakage and theft. 60% of young staff "are either unaware of their companies' IT policies or are not inclined to follow them. 37

38 Security: Why Care? Expense: lawsuits, financial liability, fixing systems Lost productivity Reputation (brand) State laws requiring notification and and often more The number of Higher Ed breaches is too high 38

39 Security: Why Care? 39

40 Outsourcing Service Providers vs. Applications PA DSS A Strategy, Not a Panacea 40

41 Outsourcing Strategic question: Do you want to be in the payments business? Outsourcing some or all processing can simplify your path to PCI compliance Service Providers You use their systems, services Software Application Vendors You buy a software package to run on your system 41

42 Service Providers They store, transmit, or process cardholder data on your behalf You are still responsible Ensure service providers are PCI compliant Validate, and include PCI compliance in contract Control third-party connections Visa website lists PCI-compliant service providers 42

43 Software Applications Payment Application Data Security Standard (PA DSS) Compliant third-party applications for merchants, processors Includes payment modules of larger package systems (ERP) PA DSS is for third-party payment application software used in authorization or settlement Not for internally-developed or customized applications Not for back-office or database applications PA DSS does not address functionality Got an RFP coming? Use the list! 43

44 PA DSS is Mandated 44

45 Outsourcing To Do List Check all payment vendors for PCI/PA DSS compliance POS, ERP, e-commerce, payment application Confirm your versions are compliant Update contracts to reflect PCI Appendix A Check for vendor training opportunities Compare implementation with vendor implementation guide Schedule upgrades to minimize costs 45

46 Outsourcing and the Law of Unintended Consequences PCI scope creep You outsource e-commerce payments But mail, phone, fax orders persist (e.g., donations, other MOTO transactions) School staff enter transactions using outsourced system Result: staff PCs may now be in scope for PCI 46

47 Recent Developments in PCI DSS PCI DSS Version 1.2 The PCI Council s Quality Assurance Program Special Interest Groups 47

48 PCI DSS v1.2 PCI Version 1.2 effective October 1, 2008 Update lifecycle: 2 years Clarification more than changes Language, terms Eliminate redundancies in previous version Consolidate documentation 48

49 Build and Maintain a Secure Network Req 1: Firewalls Configuration requirements apply both to firewalls and routers Timing flexibility in reviewing firewall rules, from quarterly to every 6 months Req 2 No vendor default passwords Applies to wireless OK to broadcast SSIDs Replaced WEP references to emphasize strong encryption 49

50 Protect Cardholder Data Req 3: Protect CHD Terminology (PAN, strong cryptography ) Disk encryption emphasizes local user databases Req 4: Encrypt CHD over open networks No new WEP after March 31, 2009 No WEP at all after June 30,

51 Vulnerability Management Program Req 5: AV software Applies to all system types AV must address all known types of malware Req 6: Develop secure systems Flexibility to use a risk-based approach when installing gpatches 6.6 mandated (public-facing web apps) 51

52 Strong Access Control Req 7: Restrict access to CHD Clarified language g for testing Req 8: Unique ID to each person Verify passwords are unreadable in storage and communication Req 9: Restrict physical access Visit offsite storage sites at least annually Flexibility in access control mechanisms (e.g., cameras) Requirement to secure media includes paper Clarify media destruction requirements 52

53 Monitor and Test Networks Req 10: Track all access to CHD Logs must be copied to an internal server Audit trail history must be quickly accessible Req 11: Test systems and processes Guidance on wireless analyzers and wireless IDS/IPS Must use ASV for quarterly vulnerability scans Require internal and external penetration tests, but do not need to use a QSA or ASV for these 53

54 Security Policies Req 12: Information security policies More examples of technologies covered including remote access, wireless, removable electronic media, use, internet use, laptops, PDAs Employees acknowledge internal policies i at least annually Require policies to manage and monitor service providers 54

55 PCI Council Initiatives PA DSS Applies to third-party software Includes payment modules of larger systems Quality Assurance Program Need for consistency: Hashing with Excel, 20 Fence, change encryption algorithm annually List assessors In Remediation Revocation is an option Rely on Merchant feedback 55

56 Other PCI Council Efforts Unattended Payment Terminals Increasingly used for vending, ticketing Council adopting standards (like PED) Special Interest Group (SIG) efforts Two SIGs today (Pre-authorization Data; Wireless) More coming? (Virtualization, Scope, ) 56

57 Some PCI-DSS Pretty Good Practices 57

58 How Schools Address PCI Treasury Institute for Higher Education PCI workshop attendees, May responses, Higher Ed institutions nationwide 76% public institutions From <10 to 200+ campus merchants 58 Walter Conway Associates LLC 2009

59 How Schools Address PCI 50% said Finance leads PCI, rest shared with IT 68% fund PCI compliance centrally (changing?) Between 1 and 1.5 FTE dedicated to PCI 50% or less had key policies in place Schools somewhat satisfied with acquirer support Over 50% experienced a data breach (some fined) 59 Walter Conway Associates LLC 2009

60 From PCI Workshops Secure top management commitment Develop your pitch: PCI is a business not a security issue Budget adequately: PCI is a program not a project Build a dedicated, multidisciplinary team Inventory data, processes, vendors Ask, interpret, verify, explore where stuff is, where it goes Engage stakeholders, communicate Hold users accountable for behavior (consequences) 60

61 Have a Strategy Map transaction and data flow Payments Analysis Manage scope: don t retain cardholder data Find and eliminate i prohibited data IPOS, logs, databases, spreadsheets, Search for rogue databases Search for sensitive numbers Easiest path: don t keep cardholder data! 61

62 Some Pretty Good Practices Think before you act, or PCI Requirement 0 Understand d cardholder data and cardholder data environment Understand PCI before implementing solutions Eliminate storing cardholder data Then tell people about it! 62

63 Some Pretty Good Practices Get trained Visa has 2-day deep dive Treasury Institute PCI Workshops SPSP training for CPISM/A certification MasterCard website has on-line training Use the PCI SSC resources Audit Guidelines Technical FAQ 63

64 Some Pretty Good Practices Monitor card alerts and bulletins Monitor PCI and security blogs and forums Keep up to date Ask questions, get expert help Collaborate: share experiences, good and bad 64

65 Some Pretty Good Practices Raise security awareness on campus Identify repeat offenders who lose (stolen) devices, download malware, etc. Publicize names Consequences 65

66 Some Pretty Good Practices Develop and promote payment policies Train POS staff (then re-train!) Develop a user manual New merchants Guidelines Responsibilities Costs Merchant agreement 66

67 Some Pretty Good Practices Find and eliminate track data Reduce potential liability 90% Vendors may not be much help Sensitive number finder can locate rogue databases Upgrade POS terminals to truncate PANs on both paper copies Find rogue payment sites on your campus(es) Google news alert 67

68 Some Pretty Good Practices Make your acquirer your partner Sets merchant level, l validates compliance Approves compensating controls Some offer PCI training, newsletters, support Advice: Get the name of a Compliance Officer 68

69 Some Pretty Good Practices Use PA DSS list for all third-party applications Use Visa CISP list for all third-party service providers New service provider levels in 2009 Only Level 1 will be listed on Visa website 69

70 Some Pretty Good Practices Prepare an Incident Response Plan See PCI Blog (treasuryinstitute.com/blog) tit t March 25 for list of resources and sample plans SANS, NIST, Educause, Test the plan before you have to use it 70

71 Compliance Action Plan Start with a Payments Analysis Every merchant, application, departmental database, service provider, terminal, website, Expect surprises Adopt a risk-based approach Identify campus merchants posing greatest risk Address them first Plan to visit it each merchant, observe, question Document findings Train, communicate, empower 71

72 Staying Compliant PCI is backward looking Compliance today says s nothing about tomorrow You are one change from being non-compliant Establish and follow policies Educate, train, communicate ( rinse, lather, repeat ) Get trained and/or get help 72

73 PCI and Beyond PCI does not make you secure Map your payment data flow Monitor service providers and vendors Use strong passwords for technical support Log tech support and third-party access Upgrade POS equipment and payment apps Beware of rogue wireless networks Perform vulnerability scans monthly Go beyond: apply PCI to all your PII 73

74 50 Questions Every CFO Should Ask "The guide is revolutionary in its approach and extremely practical in its application. It will assist organizations in taking the necessary multi-dimensional approach to managing their cyber infrastructure by shifting the locus of control to the Chief Financial Officer. Larry Clinton, President, Internet Security Alliance Let the process, and the preparation, wait no longer. Gather the stakeholders. Let the questions begin. 74

75 Conclusions Take control You can t outsource responsibility PCI training has a very high ROI! Senior management commitment and multidisciplinary team are critical Outsourcing can help with compliance Network with other institutions If you don t need it, don t keep it 75

76 Higher Education Community Resources The Treasury Institute for Higher Education: PCI blog: NACUBO: 76

77 Additional PCI Resources Society of Payment Security Professionals: Blogs, PCI forum PCI SSC: pcisecuritystandards.org Standards, FAQ, PA DSS Visa: visa.com/cisp PCI-compliant service providers MasterCard: mastercard.com/us/sd 77

78 Understanding and Managing PCI DSS YOUR thoughts? Comments? Questions? 78