Josiah Wilkinson Internal Security Assessor. Nationwide

Transcription

1 Josiah Wilkinson Internal Security Assessor Nationwide

2 Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges Nationwide 2

3 Overview The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security requirements for companies who accept credit cards, as defined by VISA and MasterCard and endorsed by other major credit cards. The PCI DSS applies to all merchants and service providers who store, transmit, or process the primary account number (PAN) of credit card transactions. The level of auditing and control required depends upon the annual number of transactions processed. Nationwide 3

4 Merchant Level Level Description Validation Action Validated By 1 *Any merchant-regardless of acceptance channelprocessing over 6,000,000 payment card transactions of a single card brand per year. *Any merchant that has suffered a hack or an attack that resulted in an account data compromise. *Any merchant that the payment card company, at its sole discretion, determines should meet the Level 1 merchant requirements. *Any merchant identified by any other payment card brand as Level 1. 2 *Any merchant-regardless of acceptance channelprocessing 1,000,000 to 6,000,000 payment card transactions of a single card brand per year. Annual on-site PCI data security assessment Pass Quarterly Network Scans Annual on-site PCI data security assessment Qualified Security Assessor or Internal Audit if certified as qualified by the PCI Council and signed by Officer of the company Approved Scanning Vendor Qualified Security Assessor or Internal Audit if certified as qualified by the PCI Council and signed by Officer of the company 3 *Any merchant processing 20,000 to 1,000,000 payment card e-commerce transactions per year. 4 *Any merchant processing fewer than 20,000 payment card e-commerce transactions per year, and all other merchants-regardless of acceptance channelprocessing up to 1,000,000 payment card transactions per year. Pass Quarterly Network Scans Annual PCI Self Assessment Questionnaire Pass Quarterly Network Scans Annual PCI Self Assessment Questionnaire Pass Quarterly Network Scans Approved Scanning Vendor Merchant Approved Scanning Vendor Merchant Approved Scanning Vendor Nationwide 4

5 Governance/Enforcement PCI Security Standards Council Credit Card Brands - Enforce Card Processors VISA Mastercard Provide Standards Credit Card Payment Processors Enforce Merchants Provide Standards Merchants Includes Nationwide and Affiliates JCB (Diner s Club) PCI DSS PCI DSS Discover AMEX Nationwide 5

6 Data Security Standard (DSS) The PCI DSS is a set of granular security requirements based on the following control objectives and subcategories: Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect Stored Cardholder Data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Methods 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security Nationwide 6

7 Scope Requirements apply to all System Components (network component, server, or application) connected to cardholder data environment: v v v Network firewall, switch, router, wireless access points, etc. Server web, database, authentication, mail, proxy, domain name Application all purchased and custom applications Version 2.0 is the current standard released in October of 2010 PCI DSS v 2.0 includes approximately 240 control requirements Nationwide 7

8 Example Requirements Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) Protect any keys used to secure cardholder data against disclosure and misuse Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties Track and monitor all access to network resources and cardholder data Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Nationwide 8

9 Network Segmentation Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. Nationwide 9

10 Penalties for Non-Compliance VISA fines reported as $5,000/month MasterCard fines reported as $25,000 for non-compliance for the first quarter followed by fines of $50,000, $100,000 and $200,000 for each successive quarter In the event that credit card data is breached, $500,000 fine from VISA and $350,000 fine from MasterCard (other fines have not been published/shared) Any breach will instantly move Merchant into Level 1 status and require on-site review by PCI forensic investigators, which must be paid for by the merchant Nationwide 10

11 Keys to Compliance Do not store, transmit or process cardholder data if there is not a valid business need If storage is required, hash or encrypt the credit card as soon as possible in the system Limit your scope through segmenting your cardholder data environment (CDE) /08 Expiration /08 Expiration CARDHOLDER DATA ENVIRONMENT Storage of the magnetic stripe, CVV or PIN data is prohibited Magnetic Stripe XX XXXX /08 Expiration Nationwide 11

12 Nationwide s Approach Established Strong Leadership Support: v PCI Governance and Leadership Team v Legal and Information Risk Management co-sponsors Established Strong External Relationships v Qualified Security Assessor (QSA) v Processor/Acquirer Established Multiple Methods to Detect Credit Card Processes v Quarterly executive certifications v Security Reviews v Firewall Requests v Data Loss Prevention Technology v Business and IT partners Established Method to Reduce Scope Nationwide 12

13 Network Segmentation and Tokenization 13

14 Challenges Non-XML/Web data v Call Recording v IVR Cleanup v Mitigation v New processes Physical security v Badges v QSA visit Nationwide 14

15 Payment Card Industry Overview PCI Governance/Enforcement Recap PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges Nationwide 15

16 Questions? Nationwide 16