Achieving Certified PCI Compliance? Tuesday, May 6, 2008, 9:45 am to 10:45 am
COPYRIGHT NOTICE: The copyright law of the United States (Title 17, United States Code) governs the making of photocopies or other reproduction of copyrighted material. Under certain conditions specified in the law, libraries and archives are authorized to furnish a photocopy or other reproduction. One of these specified conditions is that the photocopy or reproduction is not to be "used for other purpose than private study, scholarship or research." If a user makes a request for, or later uses, a photocopy or reproduction for purposes in excess of "fair use," that person may be liable for copyright infringement.
DISCLAIMER: The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of Convenience Stores. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, shall not constitute or imply an endorsement, recommendation, or support by the National Association of Convenience Stores. The National Association of Convenience Stores makes no warranty, express or implied, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process described in these materials.
Delivering fully managed, PCI compliant networks to C-Store/Petroleum, Retail, Restaurant, Healthcare and Financial customers by integrating secure, nationwide broadband access to a pure MPLS+ core without public Internet infrastructure for transport.
DAN GLENNON, SVP, Marketing and Strategy, 615.445.8442, dan.glennon@cybera.net, 1.866.4CYBERA, WWW.CYBERA.NET
Barrie VanBrackle, Partner, Manatt, Phelps & Phillips, LLP
PCI'S IMPACT: MERCHANT AGREEMENT. 1) From the legal perspective: as a merchant accepting credit/debit cards, you are required to be in compliance with the payment card industry data security standards, as set forth in your merchant agreement. RAMIFICATIONS OF NON-COMPLIANCE: a) termination of agreement (MATCH list) b) fines/penalties
MERCHANT AGREEMENT, cont. 2) If you are not in compliance with PCI, and a data breach occurs, in addition to obligations under your merchant agreement, what obligations do you have under state law? RAMIFICATIONS OF NON-COMPLIANCE: a) fines/penalties under state law (which may track PCI requirements; for example, the Texas Identity Theft and Enforcement and Protection Act, which requires businesses to (1) implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any sensitive personal information that it collected or maintained in the regular course of business and (2) destroy or arrange for the destruction of its customer records containing sensitive personal information within its control that were not retained by it). b) potential for fines/penalties under federal (FTC) law
MERCHANT AGREEMENT, cont. 3) Occurrences of being considered certified compliant and still having a data breach/PCI violations: a) potential for mitigating factors b) ability to negotiate with acquiring bank/service provider/state/FTC
George Medairy, Director, Corporate IT, Sheetz, Inc.
The Keys to Achieving PCI Compliance: Knowledge, Prioritization, Communication, Security is an Ongoing Process. I will be at the Conference; I would be glad to discuss in more detail any questions you have.
Knowledge is a Key: Know your Systems, Know the Regulations, Know your Challenges. From card swipe to authorization, YOU are responsible for protecting the card data. There are 12 main sections, 207 subsections and 250 testing procedures for the 2007 version of PCI. There is more than 1 way to solve every problem. Challenge your team and auditors to achieve compliance.
Put First Things First: Encryption/Storage, Protection, Documentation. When in doubt, encrypt it ALL. If you do not need it, DO NOT STORE IT. If you store it, keep it encrypted. Firewall and SEGMENT whenever and wherever possible. Document every process.
Communicate: Executives, Staff Members, A Compelling Event for CHANGE. Compliance is a BIG DEAL. The fines can be very large. The CEO and other Management should be kept in the loop of ALL remediation efforts. Your entire team will most likely be involved. Get them engaged early and make it a priority. Most of us can use a compelling event to make change happen. USE this event to make positive change in your environment. Blame VISA for the upheaval!
Security is an Ongoing Process: Create a Security Team, Work on it Every Day, Maintain Momentum. Remediation efforts can be extensive. 1 or more dedicated individuals are required. This is NOT a part-time position. Remediation efforts can be expensive. You can NOT afford to fall out of compliance after spending time and money to get there. Once started, these efforts can make your IT shop much better at other initiatives.
Achieving PCI Compliance: Partner with the Right VENDORS. A partial list of the various vendors we have used to assist us with PCI-related tasks:
ISS (Internet Security Systems / IBM): auditors
Secure State: consulting services
RS2: access control / badging
Cisco Systems: networking
Tipping Point: intrusion prevention systems
Checkpoint/Nokia: firewalls
Solutionary: intrusion detection systems
TripWire: change control
TruComply: knowledge database, documentation repository
BitArmor: file-level encryption
CA Spectrum: network analysis, documentation
Kaspersky: anti-virus
E-DMZ: access control, authentication
Patch Link: patching applications
Security Metrics: penetration testing
Lynn Call, Vice President, CIO, Maverik, Inc.
Simplify the Process: Reasons for Maverik's Success. Narrow the scope. Get educated. Purge all prohibited credit card data from your network. If the data is not present, it's not in scope!
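"Purge all prohibited credit card data" and "if you store it, keep it encrypted" both presuppose that you can find where card data is sitting in clear text. The scanner below is an added example, not part of this deck or any speaker's material: it walks stored text such as POS transaction logs (TLog files) and reports where full track 1/track 2 data or bare PANs are present, so they can be purged or encrypted and taken out of scope. It assumes text input, uses the standard ISO 7813 track layouts for its patterns, and the sample log and card numbers are constructed (industry test numbers); findings carry only the first-six/last-four of each PAN.

```python
"""Constructed example: locate prohibited card data (track 1/2, bare PANs)
in stored text so it can be purged. Not from the NACS deck; assumes text input."""
import re

# Track 1 (format B) as read from the mag stripe: %B<PAN>^<NAME>^<YYMM><SVC><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><SVC><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which filters out long reference numbers)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str, source: str = "<input>") -> list:
    """Scan text line by line; return findings that carry masked PANs only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []  # character spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    covered.append(m.span())
                    findings.append({"source": source, "line": lineno,
                                     "kind": kind, "pan": mask_pan(pan)})
        for m in PAN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue  # this PAN sits inside a track we already reported
            pan = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(pan):  # drops most timestamps, reference and invoice numbers
                findings.append({"source": source, "line": lineno,
                                 "kind": "pan", "pan": mask_pan(pan)})
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for a single file on disk."""
    with open(path, "r", errors="replace") as fh:
        return scan_text(fh.read(), source=path)


# Constructed sample transaction log; the card numbers are public test numbers.
SAMPLE_TLOG = """\
2008-05-06 09:45:12 TXN 1210066500000 SALE 42.17 APPROVED
2008-05-06 09:45:12 SWIPE %B4111111111111111^DOE/JANE^1012101000000000?;4111111111111111=10121010000000000?
2008-05-06 09:47:03 TXN 1210066600000 SALE 12.50 APPROVED acct 5500-0000-0000-0004
2008-05-06 09:48:40 TXN 1210066800000 SALE 9.99 DECLINED ref 1234567890123456
2008-05-06 09:50:01 SWIPE masked 411111******1111
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TLOG, "sample.tlog"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['pan']}")
```

Run against the sample, the scanner flags the raw swipe on line 2 (full track 1 and track 2, which may never be stored post-authorization) and the bare account number on line 3, while the 13-digit timestamps, the non-Luhn reference number and the already masked PAN on line 5 produce nothing. The Luhn check removes most numeric noise but not all of it, so treat output as a worklist to review before purging, and extend the regexes if your logs use other separators.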
Simplify the Process: Reasons for Maverik's Success. Secure the right partners. Identify weaknesses inside of your organization (SWAT Analysis) and secure 3rd party experts in those areas. Maverik's Weaknesses: Policy management (TruComply), Centralized Logging and IDS (Trigeo), File Integrity (Tripwire), Firewall and VPN (Cisco), Ability to self-scan (Nessus)
Simplify the Process: Reasons for Maverik's Success. Get Executive Team Buy-In: help them understand the consequences of non-compliance. Assign a project manager and assemble your team. Have a representative from all areas of your company. Create a partnership with your audit firm. Schedule weekly meetings and lean on them for support. They can be a huge asset if used properly (TrustWave).
Simplify the Process: Be Prepared for a Few Large-Scale Implementations that will take Time: POS System Upgrade (Radiant Systems), Back Office System (Radiant Systems), Credit Appliance (Radiant EPC II & III), Centralized Credit Switch (ISD), IDS, Version Control, etc. at each site. Summary: Simplify the process by doing the following. Narrow your scope. Purge all unnecessary data. Understand your weaknesses and secure 3rd party experts in those areas. Assemble your team and rely heavily on your audit partner.
Payment Card Security in the Convenience Store Industry. Jeff Wakefield, Vice President of Marketing, Integrated Systems
[Chart: Degree of Security (0% to 100%) for Retail, Restaurants and Gas Stations, against Organized Crime Focus]
"Using a credit card at a gas station could pose more of a risk for data theft than shopping online, as point of sale (POS) terminals at the pump have emerged as a weak link in the security chain." (Gartner Group)
Fuel Island Vulnerability: Are You Protected? "Organized crime rings are increasingly targeting merchants to obtain magnetic stripe data ('track data') and Personal Identification Numbers ('PINs'). Recently, these attacks have focused on Automated Fuel Dispensers ('AFDs') typically found at gasoline stations." (Visa Business Review)
Cardholder Security's Biggest Problem: The Payment System Requires Sensitive Data. We Are Building Higher Walls & Wider Moats. As Long As The Gold Is There, Criminals Will Target Retail Locations. An Industry-wide Initiative Is Required to Eliminate Data That Has Criminal Value.
Payment System Vulnerabilities [diagram]. Components: Automated Fuel Dispensers, Wireless Terminals, Web Site Host Servers, Merchant Acquirers, Card Issuers, Payment Terminals, POS Terminals, Store Servers. Attack points: PIN Pad Tampering, Skimmers, Overhead Cameras, Rogue Applications, Wireless Access To Corporate Network, Network Access, SQL Injection, Unencrypted Data, Chargeback Files, Network Intrusion, Unsecured Ports, Unauthorized Network Access. Data at risk: Credit Card Data, MSR Track Data, TLog Files, Reports Data, Passwords.
End-to-End Encryption is Required [diagram: Automated Fuel Dispensers, Wireless Terminals, Web Site Host Servers, Merchant Acquirers, Card Issuers, Payment Terminals, Store Servers, POS Terminals]. All PAN and Track Data is encrypted throughout your system = Increased Security = No Compromises = Safe Consumer Info = Reduced PCI Costs
TDES Required at the Fuel Dispenser [diagram]. C-Store side: POS, Site Controller, Pump Interface Module, Debit Security Module (contains the Debit Encryption Key; becomes obsolete when TDES is implemented at the AFD), D-Box (centralizes all communications to and from the fuel dispenser DCRs), and the link to the Network or Processor. Fuel Island side: TDES DCRs at each dispenser, above the Underground Fuel Storage Tanks. Legend: TDES = method of encryption required.
PIN Pad Security Best Practices: 1. Weekly Visual Terminal Inspections 2. Serial Number Validation 3. Monitor PIN Pad Problems 4. Secure Terminal Storage 5. Terminal Asset Tracking 6. Repair Technician Verification & Log 7. Mount PIN Pads Securely to Counter 8. Electronic Serial Number Validation 9. Change Default PIN Pad Password 10. Purchase From Authorized Sources 11. Use Authorized Repair Centers 12. Develop a Response Plan!
Protect Your Customers, Protect Your Business: Assume You Have Been Targeted. Implement a Layered Approach To Security. Install PCI PED & TDES Payment Terminals and Fuel Payment Systems. Encrypt Card Data As Soon As It Enters Your System, at the Mag Stripe Reader.
Thank you
Barrie VanBrackle, Manatt, Phelps & Phillips, LLP, bvanbrackle@manatt.com
Lynn Call, Maverik, Inc., lcall@maverik.com
George Medairy, Sheetz, Inc., gmedairy@sheetz.com
Jeff Wakefield, VeriFone, Inc., jeff_w7@verifone.com