The State of Security and Compliance for E- Commerce and Retail

Transcription

1

2 The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against a breach Implementing a framework for security $100 gift card drawing Presented by : Trent Hein: Co-founder and Co-CEO at AppliedTrust Bhu Virdi: Sr Solution Engineer at ViaWest

3 Centered Around You Who Are We Your Trusted Business Partner Headquartered in Colorado Hybrid IT provider Offer comprehensive suite of worldclass data centers & an IaaS portfolio of colocation, cloud, managed services, and security and compliance, all wrapped with a customer centered support experience Expanding footprint with 178,000 square feet of data center capacity in ,000 Oregon 40,000 Calgary, Alberta 29 data centers in 8 regions Industry Leading PUE 760,000+ sf. of raised floor 120 MW power capacity 29 unique telecommunication carriers 18 geographically diverse mirrored operations centers 100% uptime commitment on power and network 100% SLA and satisfaction guarantee 3

4 About AppliedTrust Founded in 2001 by Ned McClain and Trent R. Hein Headquartered in Boulder, Colorado Leader in Secure DevOps, specializing in the areas of IT infrastructure, security, opensource, performance, and high availability Authors of best selling Unix Administration Handbook, Linux Administration Handbook series (translated into more than 20 languages) Certified expertise, including CCIE, CISA, CISSP, CSSLP, GCFA, ITIL, MCITP, MCP, MCSE, PCI QSA, SCADA, RHCT Vendor and technology neutral Serves large and small clients in a variety of industries, including hospitality, healthcare, financial services, recreation, and government 4

5 Point of Sale Attacks - More Than Just Retails Problems In 2014, the most frequently reported type of data breach was Point of Sale (POS) system attacks, representing 28.5% of all breaches. * POS attacks accounted for: 91% of accommodation industry breaches 73% of entertainment industry breaches 70% of retail industry breaches 12% of healthcare industry breaches * Verizon Data Breach Investigation Report, 2015

6 Who is Targeting the Industry and How? VS Malware vs. physical security

7 Where are you Keeping Sensitive Data? Sensitive cardholder data can be stolen from: Compromised card readers Paper stored in a filing cabinet Data in a payment system database Hidden camera recording entry of authentication data Secret tap into your store s wireless or wired network

8 Points of Sensitivity Everything at the end of a red arrow is sensitive cardholder data. Anything on the back side and CID must never be stored. Everything else you store must be for a good business reason, and that data must be protected.

9 Insiders are still a threat. The number of incidents involving insiders remain quite stable over time; 10.6% of all reported incidents in 2014 were related to insiders.* * Verizon Data Breach Investigation Report, 2015

10 A Company s Responsibility The company must protect cardholder data through the entire payment process which includes: Card readers & point of sale systems Networks & wireless access routers Payment card data storage and transmission Payment card data stored in paperbased records Services provided by a third-party contracted by the company

11 What Would a Breach Costs You? Cost of: Fines & Penalties (Fines for breaches resulting from noncompliance range from $5,000 to $125,000 per month until all compliance issues are addressed; even if fully compliant, companies can be fined $50-$90 per cardholder data compromised) Business interruptions Investigations Legal settlements Stricter compliance Customer notifications Loss of: Privilege to accept payment cards Customer and public confidence Revenues Services

12 PCI DSS To reduce crime, credit card companies have created the Payment Card Industry Data Security Standards (PCI DSS). All credit cards enforce PCI DSS All merchants, including the company, must meet PCI DSS Company policies written and reviewed to be compliant with PCI DSS

13 PCI Requirements PCI touches all aspects of how a credit card is Handled Processed Transmitted Stored Staff impacted Front desk Point of Sale Business Managers Financial Administrators IT support Temp or contract staff Vendors/Service Providers Job duties impacted Business practices & procedures Accessing & managing software Setting up and managing and computer networks Document storage and shredding procedures Policies and annual training and awareness program Vendor support and contracts Annual assessments, quarterly audits and ongoing monitoring

14 PCI DSS Goals

15 Now It s Your Job To 1. Protect Card Information Handle, process, transmit, and store card information securely & confidentially 2. Comply with Security Policies Review policies upon hire & annually thereafter Confirm in writing that you received training Perform your job responsibilities as per policy and office procedure

16 PCI DSS v2.0 vs. PCI DSS v.3.0 V3.0 primarily added many new points of additional guidance and clarification within existing requirements. V3.0 also added 19 new requirements, most notably: Requirement (11.3.4) to verify methods used to segment the cardholder data environment (CDE) from other areas. Requirement (2.4) to maintain an inventory of system components in scope for PCI DSS. Requirements (12.8.5, 12.9) for explicit documentation about which PCI DSS requirements are managed by vendors vs. which are managed by the organization itself

17 More Requirement Changes Requirement (5.1.2) to "identify and evaluate evolving malware threats" for "systems considered to be not commonly affected by malicious software." Requirements(9.3, 9.9) that merchants control physical access for on-site personnel; that access be authorized and based on individual job function; that access be revoked immediately upon termination; and that merchants "protect devices that capture payment card data from tampering and substitution." For a detailed summary of all changes: of_changes.pdf

18 VISA Merchant Tiers & Requirements for Audit Level/Tier Merchant Criteria Validation Requirements 1 Merchants processing > 6M Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region 2 Merchants processing 1M to 6M Visa transactions annually (all channels) Annual Report on Compliance ( ROC ) by Qualified Security Assessor ( QSA ) or Internal Auditor if signed by officer of the company (The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor ( ISA ) certification) Quarterly network scan by Approved Scan Vendor ( ASV ) Attestation of Compliance Form Annual Self-Assessment Questionnaire ( SAQ ) Quarterly network scan by ASV Attestation of Compliance Form 3 Merchants processing 20K to 1M Visa e-commerce transactions annually 4 Merchants processing < 20K Visa e- commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Annual SAQ Quarterly network scan by ASV Attestation of Compliance Form Annual SAQ recommended Quarterly network scan by ASV if applicable Compliance validation requirements set by merchant bank

19 Cardholder Data Storage Rules Data element Storage rules Cardholder Data Sensitive Authentication Data Primary Account Number (PAN) Cardholder Name Service code Expiration date Full Magnetic Strip CVC2/Cvv2/CID PIN/PIN Block The full 16-digits can Never be stored electronically, per company policy The last 4-digits may be stored electronically The full 16-digits may be stored on paper, but only as absolutely necessary and it must be protected as per PCI Yes, it may be stored on paper or electronically Must be protected as per PCI if stored in conjunction with PAN Yes, it may be stored on paper or electronically Must be protected as per PCI if stored in conjunction with PAN Yes, it may be stored on paper or electronically Must be protected as per PCI if stored in conjunction with PAN Never Never Never

20 Tips to Avoiding Storage Rules The best step you can take is to not store any cardholder data. Just use the last 4-digits Just use the authorization number for voids and refunds Use tokens for recurring credit card payments

21 How We Can Help We help mitigate customer s risk across the entire cyber security risk program lifecycle. We accomplish this by providing technology, products, solutions, managed services and advisory services within a secure infrastructure. With 28 data centers in seven states we have the ability to secure your operation from almost anywhere in the US.

22 PCI DSS Gap Assessment / Penetration Testing / Report on Compliance / Compliance Assistance PCI DSS gap analysis includes collecting and evaluating evidence of control design effectiveness in meeting the PCI DSS and documenting any compliance gaps. This includes: Reviewing the cardholder environment to validate test samples, including all systems that collect, store, process, and transmit cardholder data. Reviewing each PCI-DSS requirement for relevance through interviews and observations. Penetration testing includes network- and application-layer penetrating tests designed to meet PCI DSS Requirement Report on compliance (ROC) includes reviewing the current state of the client environment for PCI DSS compliance per the controls delineated in the standard, and providing a ROC as outlined by the PCI DSS Security Council. Compliance assistance includes assisting with mitigating any areas of non-compliance at level of involvement desired by the client.

23 Take Away Start with a 3 rd Party risk assessment on the whole organization Segment your credit card data Tokenize and encrypt Secure wireless data Patch and update anti-virus Strict access by role and necessity Training across your company on security policies

24 If today s webinar brought up questions on your network s security we are here to help! Contact: And the gift card winner is. 24