HOW SECURE IS YOUR PAYMENT CARD DATA?
October 27, 2011
MOSS ADAMS LLP

TODAY'S PRESENTERS
Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA
Managing Director, PCI Practice Leader
Kevin Villanueva, CISSP, CISA, CISM, PCI QSA
Senior Manager, IT Security Practice Leader
OBJECTIVES
You will leave this session with an understanding of:
The background, history, compliance, and audit requirements of the Payment Card Industry (PCI) Data Security Standard (DSS)
Highlights of the changes from 2010 (v1.2) to 2011 (v2.0)
Key compliance tips
Leveraging a PCI DSS audit to achieve audit efficiencies with other compliance and/or regulatory audits

BACKGROUND & HISTORY
CARD BREACHES ARE ON THE RISE
2010 Security Breaches (by industry):
Food and Beverage 57%
Retail 18%
Hospitality 10%
Financial 6%
Government 6%
Education 1%
Construction 1%
Entertainment 1%
Source: Trustwave's Global Security Report 2010

NOTABLE CARD BREACHES
TJX Companies, 2007: Hackers compromised the wireless network to steal information on approximately 94 million card transactions.
Heartland Payment Systems, 2008: Hackers attacked the system used to process card transactions and inserted malware. Up to 100+ million transactions compromised.
Lush Cosmetics, 2010: Ecommerce website hacked. 5,000 card transactions accessed. Led to the shutdown of their ecommerce operations.
Sony PS Network, 2011: Hackers accessed an old database containing consumer info and credit card info. Millions of customers' information stolen.
PCI OVERVIEW
PCI Security Standards Council (PCI SSC or the Council), founded in 2006, is responsible for the development, management, education, and awareness of the PCI Security Standards.
PCI Data Security Standard (PCI DSS) is a comprehensive set of international security requirements for protecting cardholder data.
Payment Application Data Security Standard (PA DSS) is a set of requirements for software vendors to develop secure payment applications.
PCI PIN Transaction Security (PCI PTS) is a set of requirements for device vendors and manufacturers for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads, and unattended payment terminals.

PCI OVERVIEW
Not a government regulation, but an industry regulation.
Purpose is to help prevent credit card fraud and maintain public confidence in payment cards.
Applies to all entities that process, store, or transmit payment card information; all of them need to comply. (The Primary Account Number, PAN, is the deciding factor.)
Card transaction players: card brands, merchants, service providers, acquirers, and issuers.
Effective compliance dates vary depending on merchant level or service provider level and card brand.
All deadline enforcement will come from the acquiring bank.
Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees.
THE PAYMENT CARD TRANSACTION
[Diagram of the transaction flow; participants: Cardholder, Merchant, Service Provider, Acquirer (Merchant Bank), Payment Brand Network, Issuer (Consumer Bank)]

THE ACQUIRER'S ROLE
Acquirers are responsible for:
o Ensuring their merchants are PCI DSS compliant
o Managing merchant communications
o Working with their Level 1 merchants until full compliance has been validated: Merchants are NOT COMPLIANT UNTIL ALL REQUIREMENTS have been met and validated. The acquirer is responsible for providing Visa with their merchants' compliance status.
o Any liability that may occur as a result of noncompliance
ROLES OF THE QSA AND ASV
QSA: Qualified Security Assessor
o Certified to validate compliance with PCI DSS
o Qualified Security Assessor companies have been qualified to have their employees assess compliance with the PCI DSS standard
o Qualified Security Assessors are employees of these organizations who have been certified to validate an entity's adherence to the PCI DSS
ASV: Approved Scanning Vendor
o Approved Scanning Vendors are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.

PCI DSS REQUIREMENTS
MERCHANT LEVELS
[Merchant level table not reproduced in this extraction]
Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit, and prepaid) from a merchant Doing Business As (DBA).

SERVICE PROVIDERS
[Service provider level table not reproduced in this extraction]
* Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa's Global List of Validated Service Providers.
VALIDATION REQUIREMENTS
[Validation requirements table not reproduced in this extraction]
* Network scanning is applicable to any Internet-facing system.
** Validation requirements are determined by the merchant's acquirer.

SELF-ASSESSMENT QUESTIONNAIRES (SAQS)
HIGHLIGHTS OF CHANGES V1.2 TO V2.0

HIGHLIGHTS OF CHANGES V1.2 TO V2.0
v1.2.1, which had been in effect since July of 2009, was superseded by v2.0 on October 28, 2010
Aligned PCI DSS better with PA DSS and other industry best practices
No new requirements; only added guidance or clarifications
Clarifications on intent and wording of requirements or test procedures with example(s)
HIGHLIGHTS OF CHANGES V1.2 TO V2.0
Added guidance on test procedures and new technologies, such as virtualization and private cloud adoption
Recognition of small merchant environments, to be more flexible
Eliminated redundant sub-requirements

HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES
Virtualization (req 2.2.1)
o In-scope and out-of-scope virtual machines can co-exist as long as there is only one primary function per virtual system component.
Storage of Sensitive Authentication Data (SAD) (req 3.2)
o v2.0 allows the storage of SAD if there is sufficient business justification and the data is stored securely. This is only for card issuers and companies that support issuing processing.
HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES
Risk-based approach for addressing vulnerabilities (req 6.2 & 12.1.2)
o Assign a risk ranking to vulnerabilities
o Also impacts req 6.5.6 and 11.2
o Implementation date: July 1, 2012

HIGHLIGHTS OF CHANGES V1.2 TO V2.0 - EXAMPLES
Expansion of the definition of personnel (req 9.2)
o This requirement now applies to on-site personnel and not just employees
Support centralized auditing (req 10.5)
o Audit data must be able to be moved to a centralized log server, such as syslog-ng or Windows Event Logs.
o Logs from external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure, centralized internal log server or media.
KEY COMPLIANCE TIPS

KEY COMPLIANCE TIPS
If the cardholder data is not needed, don't keep it!
Know what is on your network (run discovery tools: Cornell Spider, PANbuster, Vericept)
Maintain a central repository for security-related activities throughout the year (vulnerability scan results, system/device reviews, diagrams, etc.)
Develop security configuration standards for all your server types and devices (e.g., DCs, web, database, firewall, etc.)
Maintain a data retention policy and stick to it!
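The "know what is on your network" tip is, at its core, PAN discovery: find Luhn-valid 13-19 digit numbers in places they should not be. The following is an added example illustrating that check, not code from the slides and not any of the tools named above; the sample text is constructed, and the hits are reported masked (first six and last four digits) so the discovery report itself does not become a new store of cardholder data.

```python
import re

# Constructed sample standing in for a file found during discovery.
# The 16- and 15-digit numbers are well-known brand test numbers; the
# 1234-5678-... value is shaped like a PAN but fails the Luhn check.
SAMPLE = """order 1042 paid with 4111 1111 1111 1111 exp 12/13
support ticket ref 1234-5678-9012-3456 (not a card)
legacy export: 5555555555554444, 378282246310005
contact phone 206-302-6542
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which all major card brands' PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS req 3.3 style masking: show at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PAN candidates found in text, in order."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    for masked in find_pans(SAMPLE):
        print("possible PAN:", masked)
```

In a real sweep the same function would be run over file contents, database exports and log files, and every hit is a location that is either in scope for PCI DSS or a candidate for the "don't keep it" rule.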
KEY COMPLIANCE TIPS (CONT.)
Encrypt databases/files prior to committing them to backup tape/removable media
Install A/V on your database servers that store cardholder data (or document compensating controls)
Segment ("cocoon") your CDE and use two-factor authentication for remote access (internal pen testing is not necessary)
Institute a verification step for non-face-to-face password resets (e.g., employee ID)

KEY COMPLIANCE TIPS (CONT.)
In virtualized environments, limit the number of mixed-mode servers (use separate partitions for each virtual host)
Implement POS systems with point-to-point encryption (P2PE) functionality (reduces scope)
Conduct quarterly vulnerability scans and address vulnerabilities immediately
Look to information security best practice frameworks for guidance (ISO 27002, NIST 800, COBIT)
PREPARING FOR A PCI-DSS ASSESSMENT
Gather Documentation: Security policies, change control records, operational procedures, network diagrams, PCI DSS letters, and notifications
Schedule Resources: Obtain dedicated participation of a project manager and key people from IT, business operations, human resources, and legal
Describe the Environment: Organize information about the cardholder data environment, including cardholder data flows and locations of cardholder data repositories

LEVERAGING PCI DSS AUDIT
LEVERAGING PCI DSS AUDIT
Documentation collected for PCI DSS requirements can be repurposed for other audits:
o Test results completed for PCI requirements can be used or relied upon by SAS 70/SSAE 16 auditors
o Policies and templates developed for PCI compliance, such as information security policies and user request forms, can be used for systems without cardholder data
o Security awareness training and acceptable use policies can fill possible gaps in existing Human Resources policies

LEVERAGING PCI DSS AUDIT
Description of Good Practices                                    | PCI DSS v2 | ISO 27002 | HIPAA            | COBIT (SOX)
Install and maintain a firewall configuration to protect data    | 1          | 11.4.5    | 164.312(e)(1)    | DS5.11
Use and regularly update anti-virus software or programs         | 5          | 10.4      | 164.308(a)(5)    | DS5.9
Assign a unique ID to each person with computer access           | 8          | 11.2.1    | 164.312(a)(1)    | DS5.4
Regularly test security systems and processes                    | 11         | 10.10.1   | 164.312(b)       | AI2.3
LEVERAGING PCI DSS AUDIT
PCI requirements can be used to drive existing internal projects:
o In some areas, PCI requirements may be more stringent than existing practices and can be used to enforce stronger security. For example, two-factor authentication is required for remote access, and weak wireless encryption such as WEP is prohibited.
o Communication of scheduled QSA assessment dates can force deadlines and uniform practices for unresponsive or isolated departments.

REFERENCE MATERIALS
PCI Website: www.pcisecuritystandards.org
PCI DSS v2.0: www.pcisecuritystandards.org/documents/pa dss_v2.pdf
QUESTIONS?
Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA
Managing Director, PCI Practice Leader
(310) 295 3852
francis.tam@mossadams.com
Kevin Villanueva, CISSP, CISA, CISM, PCI QSA
Senior Manager, IT Security Practice Leader
(206) 302 6542
kevin.villanueva@mossadams.com

PRESENTER
Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA
Managing Director, PCI Practice Leader
Francis has been consulting since 1993 and began his career in a Big 4 firm directing hundreds of projects ranging in size from small advisory-based projects to multi-year projects. Francis' expertise in technology security consulting includes SAS 70/SSAE 16 audits, payment card industry (PCI) data security standard (DSS) security audits, network vulnerability assessment, IT governance, IT planning, risk management, systems selection and configuration, policy development, organizational analysis and development, and business process reengineering.
PRESENTER
Kevin Villanueva, CISSP, CISA, CISM, PCI QSA
Senior Manager, IT Security Practice Leader
Kevin has over 14 years of experience providing IT security consulting services to a variety of clients. His areas of practice include information security audits, system security assessments, penetration testing, PCI DSS compliance, disaster recovery risk assessment and planning, security policy and procedures development, and project management. In addition, he has designed and conducted technology assessments based on ISO 27002, NIST 800, COBIT and SysTrust standards and has served as technical counsel on dozens of technology security projects.