How to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development

Transcription

1 How to Sell PCI 3.1 to Your Merchants Matt Brown, Director of Business Development

2 MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs, Card Associations and others related to the risk management side of the industry. MAC s mission is to strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies.

3 Matt Brown Matt Brown has worked in data security for five years, and is a Director of Business Development at SecurityMetrics. He assists financial institutions in the customized creation of PCI DSS programs that have led to millions in partner revenue and lowered merchant risk. Brown is a graduate of Brigham Young University and enjoys golf, skiing, and SCUBA diving.

4 About SecurityMetrics Help organizations comply with mandates, avoid security breaches, and prevent data theft since 2000.

5 PCI 3.0 Background

6 The PCI 3.0 update In effect Jan 1, 2014 Merchants had until Jan 1, 2015 to transition Don t need to revalidate until compliance expires Many clarifications, some changes, some new requirements

7 Big changes Additional penetration testing guidance Role-based control to systems Documentation Maintain list of service providers and what PCI req they meet Cardholder data flow diagram

8 PCI 3.1 Background

9 PCI 3.1 update SSL [and early TLS] has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control after June 30, 2016.

10 PCI 3.1 requirements directly affected Req 2.2.3: Implement additional security features for any required services, protocols, or daemons considered insecure Req 2.3: Encrypt all non-console administrative access using strong cryptography Req 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks

11 Special rules for POS devices POS devices that aren t susceptible to all known exploits of SSL and TLS may be used, even after June 30, 2016

12 FAQ

13 Why is there a new standard?

14 We want to try to get people out of the habit of thinking of PCI DSS as a once a year event and then not thinking about it, because that s where we see the breaches happen. -Bob Russo, Former PCI Council General Manager SecurityMetrics

15 New PCI versions Increased clarification Additional guidance New hacks happen every day! We must adapt. Technology goes out of date (SSL)

16 How will PCI 3.1 affect me?

17 How to comply with PCI 3.1 If you re using SSL/TLS and you don t have to: STOP If you have to use it: Make a plan to migrate before June 30, 2016 This is called a Risk Mitigation and Migration Plan, and it s required as per PCI 3.1

18 If you can t comply Upgrade to a current, secure version of TLS Encrypt data before sending over SSL (use fieldlevel or application-level encryption) Send data over SSL within secure tunnel

19 How do I know if I m using SSL? Does the POS system you provide them use SSL? Find out from IT Tell merchants to contact all other service providers (gateways, vendors, etc.) and ask them about their software

20 Questions for merchants Can your firewall block SSL? Are your apps and patches up to date? Are you monitoring your systems for suspicious activity?

21 What do new 3.0 penetration test requirements mean for me?

22 New 3.0 pen testing req. (11.3)

23 Use industry-accepted practices NIST Special Publication Open Source Security Testing Methodology Manual OWASP Testing Guide, etc. Conducted by qualified person OSCP, CEH, GIAC, etc.

24 New 3.0 pen testing req. (11.3)

25 What is a critical system? Additional systems outside CDE boundaries that could affect CDE security Security systems Firewalls, intrusion-detection systems/intrusionprevention systems (IDS/IPS), etc. Authentication servers (Active Directory, LDAP, etc.) Assets utilized by privileged users to support and manage the card data environment

26 The old way SecurityMetrics

27 New PCI 3.0 req. SecurityMetrics

28 New 3.0 pen testing req. (11.3)

29 Internal/external penetration testing Internal: Test from perspective internal to your corporate network, but outside of the CDE External: Test from perspective of an open public network (Internet) outside of the CDE

30 Internal pen test SecurityMetrics

31 External pen test SecurityMetrics

32 New 3.0 pen testing req. (11.3)

33 Segmentation pen testing Validation of scope reducing segmentation controls Can tester see CDE from out-of-scope network segment?

34 The segmentation problem

35 Segmentation scope reduction testing

36 SAQ pen test requirement summary SAQ A SAQ A-EP SAQ B SAQ B-IP n/a n/a n/a SAQ C SAQ CVT SAQ D SAQ P2PE n/a n/a External Pen Test Internal Pen Test Segmentation Check

37 Pen testing informational supplement For more answers, see the PCI Council s Informational Supplement

38 Why does SAQ A-EP exist?

39 Background: payment redirection Ecommerce web servers often redirect payment collection to other service providers PCI DSS 2.0 classified this as low risk = SAQ A Then redirection methods got sophisticated (client side redirection, client side encryption, etc.)

40 Simple redirection (low risk) All payment data collected by 3 rd party Customer Web page with 3 rd party link or IFrame 3 rd Party Payment Provider Now merchant can use SAQ A Merchant Website

41 Client side redirection (higher risk) Payment data collected on merchants web page then redirected to a 3 rd party Customer Web page with client side payment collection logic/code 3 rd party payment Provider SAQ A does not protect payment collection logic here, but SAQ A-EP does Merchant website

42 New SAQ A-EP introduced Addresses complex ecommerce redirection Almost an SAQ D External/internal vulnerability scanning, pen testing, etc. SAQ A now only for simple redirect Link button or IFrame Payment data collected by 3 rd party

43 I m supposed to inventory my devices?

44 Req 2.4 Must be more granular in your inventory list of in scope devices and their function POS systems, computers, etc. Document software/firmware versions Don t know how to start? Interview department heads

45 Req 9.9 If you have POS systems, PIN pads, mobile devices, you must: Maintain up-to-date list of all devices (including physical location, serial number, make/model)

46 Req 9.9 Inspect devices to make sure it hasn t been tampered with, making sure serial numbers match, no broken seals Gas station skimmers

47 Req 9.9 Staff awareness training for staff that interact with card devices on a daily basis If staff sees suspicious activity, do they know what to do?

48 Why is PCI valuable? aka Do I really have to do this?

49 PCI is irrelevant. Look at all the breaches happening today!

50 Actually it s not. PCI isn t the ceiling. It s the floor. Fundamental basics of security! Many breaches occur because organizations don t fulfill their PCI compliance requirements. Even if they re certified that doesn t mean they re compliant

51 If I get breached it doesn t really matter Credit card data Merchant processor compromise fine: $5,000 $50,000 Forensic investigation: $12,000 $100,000 Onsite QSA assessments following the breach: $20,000 $100,000 Free credit monitoring for affected individuals: $10-$30/card Card re-issuance penalties: $3 $10 per card Lawyer fees: $5,000+ Breach notification costs: $1,000+ Technology repairs: $2,000+ An increase in monthly card processing fees: + Federal/municipal fines: + Legal fines: + Healthcare data HHS fines: up to $1.5 million/violation/year Federal Trade Commission fines: $16,000/violation Class action lawsuits: $1,000/record State attorney generals: $150,000 $6.8 million Customer loss: 40%

52 Better prepared for other regulations Like HIPAA, SOX, etc. 70 of 254 HIPAA Security Rule validation points covered in PCI

53 Summary

54 Who knows PCI changed? Only 50% of merchants knew about the PCI 3.0 before taking their SAQ. Who knows how many know about PCI 3.1? You can change this!

55 Better communication Better education about PCI in general Explain its necessity Demo why PCI valuable Highlight what s valuable about PCI 3.0 and PCI 3.1 changes (hacking webinar)

56 Use PCI partner PCI partner/program adjustments If your partner isn t communicating about PCI 3.0, ask them to start! Use them as a value-add Make sure merchants understand the value so they take seriously

57 Questions? Matt Brown blog.securitymetrics.com

58 MAC Mission Statement Strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies. Who we serve: Acquiring Bank Acquiring Savings & Loan Acquiring Credit Union Gateway Provider Internet Service Provider ISO/MSP Merchant Acquirer Processor Risk Management Professional Your membership in MAC is an investment that should not be overlooked. If you are not a member of MAC JOIN TODAY!