PCI Compliance. How to Meet Payment Card Industry Compliance Standards. June 5, CliftonLarsonAllen LLP

Transcription

1 PCI Compliance How to Meet Payment Card Industry Compliance Standards June 5, Today s Topic Trends and Industry Security Reports Payment Card Industry (PCI) Data Security Standard(DSS) Lessons Learned and Sound Practices 2 1

2 Our perspective CliftonLarsonAllen Started in 1953with a goal of total client service January 2012 merger Today, industry and service specializedcpa and Advisory firm ranked in the top 10 in the U.S. 3 CliftonLarsonAllen Randy Romes Randy Romes Professional Student Pizza Guy High School Science Teacher Hacker Dad 4 2

3 Cub Scouts, IT Professionals, & Hackers Cub Scouts Be Prepared Camping Trip Preparation SATURDAY Road Trip!!! 5 Cub Scouts, IT Professionals, & Hackers Cub Scouts Camp Tomahawk Daily Routine Sunday Business as Usual 6 3

4 Cub Scouts, IT Professionals, & Hackers Cub Scouts Monday Morning NOT Business as usual Parking X Ecology Camp Sites Main Lodge 7 Secure System Defined: A secure system is one we can depend on to behave as we expect. Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford People Rules Confidentiality Integrity Availability ` Tools 8 4

5 Trends 2009 SANS Report SANS study: Client Side Attacks End user workstation (vulnerabilities) Unpatched Applications: Adobe Java Apple Etc Phishing Attacks Website - application vulnerabilities External web sites Organization s web sites Password Attacks: FTP, SSH, Remote Access Application Vulnerabilities: SQL injection PHP issues 9 TrustWave Intrusion Analysis Report Top Methods of Entry Included: Remote Access Applications [45%] Default vendor supplied or weak passwords [90%] 3 rd Party Connections [42%] MPLS, ATM, frame relay SQL Injection [6%] Web application compromises [90%] Exposed Services [4%] Remote File Inclusion [2%] Trojan [<1%] 2 recent Adobe vulnerability cases Physical Access [<1%] SANS Report 10 5

6 TrustWave Intrusion Analysis Report Top Methods of Entry Included: 11 TrustWave Intrusion Analysis Report Most of the compromised systems were managed by a third party Vendor Management 12 6

7 TrustWave Intrusion Analysis Report Incident Response Investigative Conclusions Window of Data Exposure Once inside, attackers have very little reason to think they will be detected The bad guys are inside for 1 ½ YEARSbefore anyone knows! 13 Verizon Report is analysis of intrusions investigated by Verizon and US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks for > 60%. Log files contained evidence of the intrusion attempt, success, and removal of data. Most successful intrusions were not considered highly difficult. 14 7

8 Verizon 2010 and Hackers, Fraudsters, and Victims Opportunistic Attacks 16 8

9 Verizon 2011 Anatomy of a data breach -Opportunities 17 Overview PCI DSS Payment Card Industry (PCI) Data Security Standard (DSS) Industry regulation Major card companies merged various requirements to establish standard for all Each card brand has some differences 18 9

10 Exercise Normally a 5 Minute exercise Describe how your organization stores, process, or transmits credit card information Think in terms of the steps/stages followed Examples: Take orders and payment information over the phone Clients/customers/patients/members make payments online Receive payment information in the mail End Goal is to understand where the card data lives 19 Exercise - QUESTIONS Do you accept CC payment in-person? Yes/No Do you accept CC payment over the phone? Yes/No Do you accept CC payment via a website? Yes/No Do you rely on a 3 rd party/vendor to host or manage any of your data systems? Yes/No 20 10

11 Overview PCI DSS Digital Dozen PCI DSS version Trustwave Report 3 4 PrivacyRights.org 5 6 Trustwave Report Verizon Report 21 PCI DSS - Definitions Lots of Acronyms: ASV: Approved Scanning Vendor Vendor certified by PCI Standards Council to have vulnerability scanning tool/engine that meets DSS requirements CDE: Cardholder Data Environment Possesses cardholder data or sensitive authentication data QSA: Qualified Security Assessor Vendor certified by PCI Standards Council to perform PCI annual audit ROC: Report on Compliance Document to be submitted for annual compliance requirement SAQ: Self Assessment Questionnaire 5 Versions: A, B, C, C-VT, and D 22 11

12 PCI DSS Definitions - ADDITION Lots of Acronyms: PAN: Primary Account Number Cardholder Data PAN Cardholder name Expiration date Service Code Sensitive Authentication Data Full magnetic strip or chip data, CAV2/CVC2/CVV2/CID, PINs PA-DSS DSS for Payment Applications 23 PCI Merchant Levels Merchant Level Merchant Definition Compliance Level 1 Level 2 Level 3 Level 4 More than 6 million V/MC transactions annually across all channels, including e-commerce 1,000,000 5,999,999 V/MC transactions annually 20,000 1,000,000 V/MC e-commerce transactions annually Less than 20,000 e-commerce V/MC transactions annually, and all merchants across channel up to 1,000,000 VISA transactions annually Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing 24 12

13 PCI Service Provider Levels Service Provider Level Level 1 Service Provider Definition VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year. Compliance Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing* Level 2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year. Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing* 25 PCI Self Assessment Questionnaires (SAQs) SAQ INSTRUCTIONS & GUIDELINES Which SAQ do I complete? SAQ A Outsourced all CHD SAQ B Imprint or standalone dial-out terminate only SAQ C-VT Virtual terminals only SAQ C Internet-connected payment application SAQ D All other merchants and service providers Card-not-present, all cardholder data (CHD) functions outsourced Imprint or standalone, dial-out terminals only, no electronic CHD storage Web-based virtual terminals only, no electronic CHD storage POS or payment system connected to Internet, no electronic CHD storage All other merchants and all service providers eligible to complete an SAQ Card-not-present only No CHD on any systems or premises, all outsourced Third parties are PCI DSS compliant No CHD over Internet Only paper is retained No electronic storage of CHD Imprint machine or standalone dial-out terminals only Dial-out terminals not connected to any other systems Dial-out terminals not connected to the Internet, connected via phone line to your processor or acquirer No CHD over Internet Only paper is retained No electronic storage of CHD Third party hosted virtual terminal only, accessed by an Internetconnected web browser Merchant computer not connected to any other systems within environment Isolated in a single location, not connected to other locations or systems within environment (can be achieved with network segmentation) Virtual terminal solution provided and hosted by PCI DSS validated service provider No software installed or hardware attached to merchant computer that captures or stores CHD POS or payment system and Internet on same device and/or same local area network (LAN) Payment application system/internet device not connected to any other systems Single store location Only paper is retained No electronic storage of CHD POS vendor provides secure support No other electronic transmission of CHD Only paper is retained No electronic storage of CHD NO NO NO NO NO Is this my Is this my Is this my Is this my merchant type? merchant type? merchant type? merchant type? YES YES YES YES SAQ A (13 questions) and Attestation SAQ B (29 questions) and Attestation SAQ C-VT (51 questions) and Attestation SAQ C (40 questions) and Attestation SAQ D (288 questions) and Attestation 26 NAVIGATING PCI DSS Understanding the Intent of 2012 CliftonLarsonAllen the Requirements LLP 13

14 PCI DSS Build & Maintain a Secure Network 1 Default password lists: default password 27 PCI DSS Protect Cardholder Data 2 Minimize storage Implement data retention and disposal policies Do NOT store sensitive authentication data Mask displayed PAN Render PAN unreadable where stored Protect cryptographic keys ADDITION: NEVER send unprotected PAN by end user messaging ( , chat, IM, etc ) 28 14

15 PCI DSS Maintain Vulnerability Mgmt Program 3 29 Use anti-virus REALLY??? Secure software development and change control Secure build checklists: CIS offers vendor-neutral hardening resources Microsoft Security Checklists PA-DSS certified applications will have an Implementation Guide PCI DSS Implement Strong Access Controls 4 Principle of minimum access and least privilege Unique IDs ( NO shared IDs) Long/strong passwords, password controls, strong authentication Password protected screen saver time outs (15 min) Limit and monitor physical access Secure storage and tracking of media 30 15

16 PCI DSS Regularly Monitor and Test Networks 5 Process, system, and application logging Secure the audit logs Review and retain audit logs Regular testing: Quarterly*: Wireless testing & Vulnerability scanning Annual*: Penetration testing IDS/IPS and File integrity monitoring 31 PCI DSS Maintain Information Security Policy

17 PCI Prioritized Approach 33 PCI Compliance Requirements Merchants and Service Providers must comply with the entire DSS, regardless of level. Only verification processes and reporting vary ROC: Annual Audit Annual* External and Internal Penetration Testing Quarterly Wireless Scanning Quarterly (ASV) Scanning External and Internal 34 17

18 PCI Compliance Dates PCI Compliance Deadlines are not standard. They change per country, card, brand and acquirer. Visa USA has set: March 31, 2007 The deadline by which level 1 and 2 merchants should demonstrate that they are not storing full track data, CVV2 or PIN data. September 30, 2007 The date by which all level 1 merchants are expected to be fully PCI DSS compliant. December 31, 2007 The date by which all level 2 merchants are expected to be fully PCI DSS compliant. December 21, U.S. Level 4 Merchant Compliance Plan Status Report 35 PCI Scope The PCI DDS security requirements apply to all system components. 'System components' are defined as: any network component, server, or application that is included inor connected tothe cardholder data environment. The cardholder data environmentis that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications

19 Exercise - Segment Your Network What is inscope here? NOTHING Firewalls Servers PCs Everything Why? 37 Segment Your Network What is inscope here? NOTHING Firewalls Servers PCs Everything Why? 38 19

20 The Tale of the Backup Tape Asked to evaluate the security of backup solution Is password protection enough? What can someone do with media if it falls off the truck, or vendor staff can access files? Ah ha! moment Understand How backup software/system works Who has access How staff are using data 39 Stolen Laptops Auditors Laptop stolen from car Documents and data related to audit on the laptop Data files in attachments Laptop does not have full disk encryption Entitiy and the auditor are at the point where they will have to notify those affected by breach of confidentiality 40 20

21 Laptops and Backup Tapes Think about this Sensitive files may be hidden in temporary directories and caught on backup tapes No directories showing here. Only files. 41 Laptops and Backup Tapes Navigate to \..\Temporary Internet Files At command prompt type > dir /a This shows hidden directories 42 21

22 Our CDE Is Segmented Had internal Firewalls, but Also had common Windows Active Directory Domain Common Admin accounts Remote access 43 What can you do today towards PCI Compliance? - Implement strong Information Security Policies and Procedures - Enforce Segregation of Duties Controls - Prevent Security loopholes; enable firewalls; configure IDS/IPS devices properly; minimize and isolate cardholder data storage - Ensure safe web browsing and usage policies - Completion of a Self Assessment Questionnaire as gap assessment - Test systems and processes to validate they behave as expected - Scrutinize your vendor management policies, procedures, and current state Proper Remote Access for staff & Vendors User Awareness Training is CRITICAL Strong Software Change & Patch Management Controls Re-evaluate Payment Processes 44 22

23 Recommended preventative measures for PCI DSS Compliance The following control industry best practices measures should be implemented: Restrict and monitor privileged Users Watch for minor policy violations Implement measures to thwart stolen credentials Monitor and filter egress network traffic Change approach to event monitoring and log analysis Trust but verify; Use pre-screening to eliminate problems before they start; Use segregation of duties controlsand least privilegesrules. Actively monitor illegal content and in-appropriate behavior on user systems; address policy violationsin a timelymanner. Consider 2 factor authentication; implement time-of-use rules; IP blacklisting and restrict administrativeconnections. Segment internal network and isolate cardmember data; filter incoming internet traffic; monitor, understandand controloutbound traffic. Because breaches take a while to discover, be proactive in monitoring logs; ensure adequate tools, staff & processes are in place; a simple script to count log lines/length and send an alert if out of tolerancecan be effective. Share Incident Information Collect, analyze and share incident information with industry groups in order to strengthen your securityprograms. 45 Reminder - PCI Compliance Is An Ongoing Process Four(4)ongoingstepsforadheringtothePCIDSS: Assess identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate fixing vulnerabilities and not storing cardholder data unless you need it. Report compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with. Governance- Implement industry best practices 46 23

24 Understand Where Your Data Lives Develop data flow diagrams Payment/data flow Where static data resides Who is mining data and for what purposes Understand how the back up system works 47 Laptops and Backup Tapes Understand who has access to card data, what is needed, and how it is used Understand how staff uses Outlook Understand how Outlook works Understand how PCs are configured 48 24

25 PCI DSS Req. 11 -VALIDATION Regularly test security systems and processes Annual Tests Onsite vs. Self-Assessment Internal and External Penetration Tests (not QSA) Network and Application level testing AND after any significant infrastructure or application modification or upgrade Quarterly Network Scans External must be ASV* Internal does not need to be ASV AND after any significant network change (not ASV) Quarterly Wireless Scans 49 Validation 50 25

26 Cost of Non-Compliance The cost of non-compliance Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner If you suffer a breach, you automatically become Level 1 with all of it s more stringent compliance requirements More than $200/ compromised record 51 Closing Case Studies Higher Education Institution Completed SAQ in 2009 all the checkboxes were yes Restaurant They sky wasfalling Higher Education Institution Document imaging application platform Defaults Access to vendor data center, and other Institutions 52 26

27 Summary Store, Process, or Transmit Determine Level and SAQ type Prioritized Approach Leverage other compliance activities Understand where your data is 53 Open Discussion and Questions 54 27

28 Thank You Randy Romes CISSP, CRISC, MCP, PCI-QSA Principal CliftonLarsonAllen, LLP Overview PCI Security Useful link to supporting documents: This has the following: Glossary of terms PCI DSS Self-Assessment Questionnaire PCI DSS Security Audit Procedures PCI DSS Security Scanning Procedures PCI DSS Summary of Changes Validation requirements for QSAs and ASVs Feedback Forms 56 28

29 PCI DSS Supplements 57 Example of Action Plan for Non-Compliant Status PCI DSS REQUIREMENT REQUIREMENT DESCRIPTION 1 Install and maintain a firewall configuration to protect cardholder data 2 Do not use vendor supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data X 4 Encrypt transmission of cardholder data across open, public networks 5 Use and regularly update anti-virus software X 6 Develop and maintain secure systems and applications X COMPLIANCE STATUS YES NO X X X REMEDIATION DATE AND ACTIONS IF NON- COMPLIANT 7 Restrict access to cardholder data by business need to know 8 Assign a unique ID to each person with computer access X 9 Restrict physical access to cardholder data X 10 Track and monitor all access to network resources and cardholder data 11 Regularly test security systems and processes X X X Maintain a policy that addresses information security for all personnel X 29

30 PCI Security Standards Council sets the PCI security standards Each payment card brand has its own program for compliance, validation levels and enforcement. More information can be found at each brand s website: Visa Inc: Visa Europe: American Express: Discover Financial Services: JCB International: MasterCard Worldwide: