Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

Transcription

1 Customer PCI 3.0 Changes = New Opportunity For You Giles Witherspoon-Boyd SecurityMetrics

2 Who is this guy? Giles Witherspoon-Boyd, PCIP 15 years in technology, 4 years at SecurityMetrics SecurityMetrics Help companies comply with regulatory compliance requirements (PCI, HIPAA, GLBA)

3 Merchant to do s Update 3 rd party contracts* Use PCI DSS validated 3 rd parties* Self assessment (up to 250 questions) Vulnerability scan Unencrypted card data scanning Employee training, implementation Policies and procedures Network/system updates Send compliance report to acquirer Avoid processor fees ($25 - $200/mo)

4 The problem with PCI Businesses feel PCI is too complicated They aren t trained in security They don t have time It changes (PCI 3.0) Too technical Little/no resources from PCI Council Little/no education about new tech Still neglect key areas of security

5 Top vulnerabilities Insecure remote access Lack of industry-standard malware scanning Unencrypted stored payment card data Nonexistent or improperly configured firewall rules Lack of POS environment segmentation Insecure web protocols/lack of dedicated servers Irregular/inadequate vulnerability scanning Lack of new technologies (software patches, hardware)

6 How can you help them through it?

7 Start with baby steps Reduce scope Reduce frustration Educate customer and staff How to protect themselves financially Simplify their network Give them tools

8 Changes and clarifications Table 2: Summary of Changes DSS_v3_Summary_of_Changes.pdf

9 Compliance vs. validation All SAQs state, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant. Validation based on risk Merchants may only have to validate a few PCI requirements, but need to still be compliant in full Risk based on card processing volume and card data handling methods

10 An SAQ A merchant s statement of compliance Acquiring bank asks merchant for completed SAQ Bank s responsibility to track merchant PCI compliance Merchant s responsibility to accurately complete SAQ

11 Learn about the SAQ SAQ A SAQ A EP ved_companies_providers/index.php SAQ B SAQ B IP SAQ C SAQ C VT SAQ D For Merchants SAQ D For Service Providers SAQ P2PE-HW

12 Offer a more complete solution

13 SAQ A & A-EP Ensure redirect to the third party is secure Ensure third party provider is PCI compliant Clearly define roles

14 SAQ B & B-IP Receipts may contain card numbers POS terminal software not kept updated Ensure policies are in place to protect card data

15 SAQ C & C-VT Ensure data is not stored Payment system isolated within its own network environment PA DSS compliant payment software

16 SAQ P2PE-HW

17 SAQ D Anti-malware Detect, clean malware, spyware, adware Only allow access to network and payment systems to those who really need it

18 SAQ D External/internal vulnerability scanning PCI authorized scan vendor for external scanning Work until scans are clean

19 SAQ D Penetration testing Annually or after significant upgrade or modification Documentation of security policies Review regularly Employees sign annually

20 SAQ D Secure encryption for stored data Do you really need to store PAN data? If so, strong encryption and proper key management is needed

21 SAQ D Design network correctly Segment network Set up firewalls correctly Logging Active logging of all systems in the card environment, review daily

22 SAQ D Physical security Restrict access to network jacks, wireless access points, network hardware ID badges, visitors must be authorized, sign log, given physical token of visitor status

23 SAQ D Regular operating system and software updates Install critical security patches within 30 days for OS, POS, and supporting software Track system and software configuration changes

24 SAQ D Remove system defaults Change defaults before adding to cardholder network (passwords, SNMP, wireless safety)

25 Healthcare mandates Security policies Employee training Firewall Etc.

26 Recap Be a trusted advisor Partner with company with core competency of data security Add additional revenue streams

27 Questions?