Understanding and Managing PCI DSS Walt Conway, CPISM
Walt Conway
- PCI consultant, blogger, trainer, speaker, author
- Former Visa VP
- Help schools become PCI compliant
- Represent Higher Education at PCI Council
- Recently joined 403 Labs, a QSA firm

Agenda: A PCI DSS Deep Dive
1:00 to 2:15
- PCI DSS in Context
- PCI DSS basics
- Security
- Outsourcing
2:30 to 3:30
- Surviving compliance
- Recent PCI developments
- Pretty good practices

PCI DSS in Context
- Some History
- The Digital Dozen
- Key Players
- Merchant Levels
- Validating Compliance
- Cardholder Data

First, Some PCI Basics
- PCI DSS: Payment Card Industry Data Security Standard
- Goal is to protect Cardholder Data (CHD): the Primary Account Number (PAN); also addresses track data, security codes, PINs
- If you take plastic, PCI applies to you: store, process, or transmit cardholder data
- P-cards, travel cards may be in scope
- PCI compliance is by institution
- Most schools use the Self-Assessment Questionnaire (SAQ)
PCI DSS: 6 Goals, 12 Requirements

PCI DSS Scope
- The cardholder data environment can include:
  - Network components (firewall, switches, routers, ...)
  - Servers (web, database, mail, ...)
  - Applications (purchased, custom, internal, external)
  - Policies, procedures
- Anything that stores, transmits, or processes cardholder data is in scope
- If you don't need it, don't keep it

Key Players
- PCI Council
  - Global forum to enhance global payment security
  - PCI DSS, PA DSS, PIN PED
  - Approve assessors (QSAs) and scan vendors (ASVs)
  - Develop Self-Assessment Questionnaires (SAQ)
  - Develop and publish PCI documentation
  - Participating Organizations include NACUBO

Key Players
- Five Payment brands
  - Track compliance and enforce standards (fines, sanctions)
  - Determine event response (forensics)
  - Define merchant levels
- Acquirers (Merchant Banks)
  - Set merchant level
  - Certify compliance
  - Approve compensating controls

Merchant Levels
- Level 1: Visa/MasterCard: more than 6 million Visa/MC transactions/year, a compromise in the last year, or assigned by Visa/MC. Amex: more than 2.5 million Amex transactions/year, or assigned by Amex.
- Level 2: Visa/MasterCard: 1 to 6 million Visa/MC transactions/year. Amex: 50,000 to 2 million Amex transactions/year.
- Level 3: Visa/MasterCard: 20,000 to 1 million Visa/MC e-commerce transactions/year. Amex: all other Amex merchants.
- Level 4: Visa/MasterCard: all other Visa/MasterCard merchants.

Quiz: What's My Merchant Level?
- 5 million Visa, 3 million M/C, 1 million Amex (9 million total) transactions/year: Level 2; levels are set by volume per brand
- 800,000 card-present transactions/year, all Visa: Level 4
- 50,000 e-commerce transactions/year, all M/C: Level 3
- 5,000 transactions/year transmitted for another merchant: trick question; you may be a Service Provider
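The quiz worked through in code, as an added example that is not part of the deck: the thresholds are the ones in the Merchant Levels table, levels are computed per brand, and the strictest level governs. The brand-assignment and compromise overrides are inputs rather than computed, and service-provider status is only flagged, since volume alone cannot decide it (the trick question).

```python
# Added example (not from the deck): per-brand merchant level calculator
# built from the thresholds in the Merchant Levels table. A lower level
# number means more validation obligations.

def visa_mc_level(total_tx, ecommerce_tx=0, compromised=False, assigned_l1=False):
    """Visa or MasterCard level for one brand's annual transaction volume."""
    if compromised or assigned_l1 or total_tx > 6_000_000:
        return 1
    if total_tx >= 1_000_000:
        return 2
    # Level 3 is an e-commerce band; card-present volume below Level 2 is Level 4.
    if 20_000 <= ecommerce_tx <= 1_000_000:
        return 3
    return 4


def amex_level(total_tx, assigned_l1=False):
    """American Express has three levels with its own thresholds."""
    if assigned_l1 or total_tx > 2_500_000:
        return 1
    if 50_000 <= total_tx <= 2_000_000:
        return 2
    return 3


def merchant_levels(volumes, ecommerce=None, compromised=False,
                    processed_for_others=0):
    """volumes / ecommerce: {"visa": n, "mastercard": n, "amex": n} per year.

    Returns (level per brand, strictest level, possible_service_provider).
    Validation is per brand, so the strictest (lowest-numbered) level is
    the one that governs the institution.
    """
    ecommerce = ecommerce or {}
    levels = {}
    for brand, volume in volumes.items():
        if brand == "amex":
            levels[brand] = amex_level(volume)
        else:
            levels[brand] = visa_mc_level(volume, ecommerce.get(brand, 0), compromised)
    # Transmitting or processing card data for another merchant makes you a
    # service provider regardless of your own volume (the deck's trick question).
    return levels, min(levels.values()), processed_for_others > 0


if __name__ == "__main__":
    print(merchant_levels({"visa": 5_000_000, "mastercard": 3_000_000,
                           "amex": 1_000_000}))
```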
Cardholder Data

Cardholder Data
Source: PCI SSC

Why Are You Keeping Those Data!?!
- Policy: Store no PANs on campus anywhere
- But what about?
  - Recurring payments: acquirer has alternatives
  - Chargebacks, refunds: let acquirer store PAN data
  - Legal requirements: these apply to banks, not you
  - Paper receipts: reprogram terminals or upgrade to truncate both copies
  - POS software stores PANs: reconfigure or replace
- Limiting PCI scope makes your life easier

Compliance Validation
- Level 1: Visa/MasterCard: annual on-site assessment (QSA or Internal Audit), quarterly network scan (ASV), Report on Compliance (ROC) based on Security Audit Guidelines. Amex: annual on-site Security Audit (QSA or Internal Audit), quarterly network scans (ASV), Security Audit to Trustwave.
- Level 2: Visa/MasterCard: annual Self-Assessment Questionnaire (SAQ), quarterly network scan (ASV). Amex: quarterly network scan (ASV).
- Level 3: Visa/MasterCard: annual SAQ, quarterly network scan (ASV). Amex: recommend quarterly network scan (ASV).
- Level 4: Visa/MasterCard: as set by acquirer: annual SAQ, quarterly network scan (ASV).

Merchant Compliance

Validating Compliance
- Validation is by institution
- Don't confuse Merchant Level and Merchant ID
  - Level is for compliance validation
  - ID is for accounting
  - Acquirer may combine IDs for PCI validation
- Simplified SAQs
  - Four versions: depends on card environment
  - Limiting PCI scope simplifies validation
  - No electronic CHD stored

Self-Assessment Questionnaires (SAQ)
- For merchants who don't need an on-site security assessment (L2-4)
- Two parts
  - Attestation of Compliance
  - Requirements
- Simplified SAQs: you do not keep electronic cardholder data
Walter Conway Associates LLC 2009

Which is Right for You?
- SAQ A: validation type 1, card-not-present merchants, all cardholder data functions outsourced
- SAQ B: validation type 2, imprint-only merchants, no cardholder data storage; validation type 3, stand-alone terminal merchants, no cardholder data storage
- SAQ C: validation type 4, merchants with POS systems connected to the Internet, no cardholder data storage
- SAQ D: validation type 5, all other merchants and service providers

Simplified SAQs
- Your life may have gotten easier
- SAQ A and B bonus: no scans
- More incentive not to keep cardholder data
- Retaining cardholder data means SAQ D: time answering lots of questions
- If you don't need it, don't keep it

Compliance OMG
- "But we outsourced our e-commerce": staff use PCs to enter MOTO transactions
- "P-cards and travel cards don't count": if you store the PANs, they can be in scope
- "We didn't know we stored the data": non-compliant POS devices, PCs, servers, ...

Staying Compliant
- PCI is backward looking
  - Compliance today says nothing about tomorrow
  - You are one change from being non-compliant
- Establish and follow policies
- Educate, train, communicate
- Get trained and/or get help

Implications of PCI
- Your costs will go up
  - Cost to get and remain PCI compliant
  - Non-compliance costs more
- You will change the way you do business
  - Do you want to be in the payment business?
  - Maybe fewer campus merchants take plastic
  - Limiting access to cardholder data
- Conclusion: PCI is a business issue
Security
- The Bad Guys
- Dangerous Places: Pwned!
- Higher Ed top 10 Threats
- The Insider Threat

Security: It's About the Data
- Five emerging threats
  - Malware
  - Botnets
  - Cyber warfare
  - VoIP and mobile devices
  - Evolving cyber crime economy
- "Data will continue to be the primary motive behind future cyber crime."

PCI DSS Role
- The purpose of PCI DSS:
  - To protect cardholder data
  - To keep you and your institution out of the headlines
- PCI is a data protection standard
  - Not a fraud prevention measure
- PCI does not make you secure

Gone Phishing

Some Links are Good

30 Seconds PWNED!

I'm OK, I have a Mac

Are Users Listening? Is Anybody Listening?
Source: Psychology Department, North Carolina State University

Higher Ed Top 10 Security Threats
1. Malware, botnets
2. Thieves
3. Staff members
4. Professors
5. Students
6. Outsource partners
7. Social networks
8. Phishing
9. Cell Phones
10. Spammers

The Insider Threat
- Well-intentioned staff: just trying to do their jobs
- Self-interested or malicious staff: intentionally download apps or visit prohibited sites; the economy is affecting this group
- Trusted partners: third parties with insider privileges

The Insider Threat
- 20% of users changed security settings to access unauthorized websites
- Over 80% of enterprises show Google application activity, and nearly all evidence peer-to-peer applications
- 35% of users consciously violate internal security policies (to expedite their work)
- Over 50% of employees who left their job in 2008 took some company confidential information with them

Your Staff and Laptops
- Managers:
  - 52% have employer-supplied data encryption
  - 56% disengage their laptop encryption
  - 57% write down, and 61% share, their passwords
- IT Security pros:
  - 92% report their organization had lost/stolen laptops
  - 71% resulted in a data breach
- Question: Would you let a stranger use your laptop to check their email?
Source: Ponemon Institute and Absolute Software Corp., 2009

Your Staff and USB Drives
- Personal thumb drives pose risks
- Found devices: a new attack vector
  - Stick phishing, thumb sucking
  - Honey Stick Project
- Train users, or as mom said: "Don't put that in your mouth!"
- Question: Do you let staff copy data and work on their home computer?

Your Staff and the Web
- People under the age of 28 are engaging in online behavior that could expose their organizations to data leakage and theft.
- 60% of young staff "are either unaware of their companies' IT policies or are not inclined to follow them."

Security: Why Care?
- Expense: lawsuits, financial liability, fixing systems
- Lost productivity
- Reputation (brand)
- State laws requiring notification, and often more
- The number of Higher Ed breaches is too high

Security: Why Care?
Outsourcing
- Service Providers vs. Applications
- PA DSS
- A Strategy, Not a Panacea

Outsourcing
- Strategic question: Do you want to be in the payments business?
- Outsourcing some or all processing can simplify your path to PCI compliance
- Service Providers: you use their systems and services
- Software Application Vendors: you buy a software package to run on your system

Service Providers
- They store, transmit, or process cardholder data on your behalf
- You are still responsible
  - Ensure service providers are PCI compliant
  - Validate, and include PCI compliance in the contract
  - Control third-party connections
- Visa website lists PCI-compliant service providers

Software Applications
- Payment Application Data Security Standard (PA DSS)
  - Compliant third-party applications for merchants, processors
  - Includes payment modules of larger package systems (ERP)
- PA DSS is for third-party payment application software used in authorization or settlement
  - Not for internally-developed or customized applications
  - Not for back-office or database applications
- PA DSS does not address functionality
- Got an RFP coming? Use the list!

PA DSS is Mandated

Outsourcing To Do List
- Check all payment vendors for PCI/PA DSS compliance: POS, ERP, e-commerce, payment application
- Confirm your versions are compliant
- Update contracts to reflect PCI Appendix A
- Check for vendor training opportunities
- Compare implementation with vendor implementation guide
- Schedule upgrades to minimize costs

Outsourcing and the Law of Unintended Consequences
- PCI scope creep
- You outsource e-commerce payments
- But mail, phone, fax orders persist (e.g., donations, other MOTO transactions)
- School staff enter transactions using the outsourced system
- Result: staff PCs may now be in scope for PCI
Recent Developments in PCI DSS
- PCI DSS Version 1.2
- The PCI Council's Quality Assurance Program
- Special Interest Groups

PCI DSS v1.2
- PCI Version 1.2 effective October 1, 2008
- Update lifecycle: 2 years
- Clarification more than changes
  - Language, terms
  - Eliminate redundancies in previous version
  - Consolidate documentation

Build and Maintain a Secure Network
- Req 1: Firewalls
  - Configuration requirements apply both to firewalls and routers
  - Timing flexibility in reviewing firewall rules, from quarterly to every 6 months
- Req 2: No vendor default passwords
  - Applies to wireless
  - OK to broadcast SSIDs
  - Replaced WEP references to emphasize strong encryption

Protect Cardholder Data
- Req 3: Protect CHD
  - Terminology (PAN, strong cryptography, ...)
  - Disk encryption emphasizes local user databases
- Req 4: Encrypt CHD over open networks
  - No new WEP after March 31, 2009
  - No WEP at all after June 30, 2010

Vulnerability Management Program
- Req 5: AV software
  - Applies to all system types
  - AV must address all known types of malware
- Req 6: Develop secure systems
  - Flexibility to use a risk-based approach when installing patches
  - 6.6 mandated (public-facing web apps)

Strong Access Control
- Req 7: Restrict access to CHD
  - Clarified language for testing
- Req 8: Unique ID to each person
  - Verify passwords are unreadable in storage and communication
- Req 9: Restrict physical access
  - Visit offsite storage sites at least annually
  - Flexibility in access control mechanisms (e.g., cameras)
  - Requirement to secure media includes paper
  - Clarify media destruction requirements

Monitor and Test Networks
- Req 10: Track all access to CHD
  - Logs must be copied to an internal server
  - Audit trail history must be quickly accessible
- Req 11: Test systems and processes
  - Guidance on wireless analyzers and wireless IDS/IPS
  - Must use an ASV for quarterly vulnerability scans
  - Require internal and external penetration tests, but do not need to use a QSA or ASV for these

Security Policies
- Req 12: Information security policies
  - More examples of technologies covered, including remote access, wireless, removable electronic media, email use, internet use, laptops, PDAs
  - Employees acknowledge internal policies at least annually
  - Require policies to manage and monitor service providers

PCI Council Initiatives
- PA DSS
  - Applies to third-party software
  - Includes payment modules of larger systems
- Quality Assurance Program
  - Need for consistency: "Hashing with Excel", "20 Fence", "change encryption algorithm annually"
  - List assessors "In Remediation"
  - Revocation is an option
  - Rely on Merchant feedback

Other PCI Council Efforts
- Unattended Payment Terminals
  - Increasingly used for vending, ticketing
  - Council adopting standards (like PED)
- Special Interest Group (SIG) efforts
  - Two SIGs today (Pre-authorization Data; Wireless)
  - More coming? (Virtualization, Scope, ...)
Some PCI-DSS Pretty Good Practices

How Schools Address PCI
- Treasury Institute for Higher Education PCI workshop attendees, May 08
- 74 responses, Higher Ed institutions nationwide
- 76% public institutions
- From <10 to 200+ campus merchants

How Schools Address PCI
- 50% said Finance leads PCI, rest shared with IT
- 68% fund PCI compliance centrally (changing?)
- Between 1 and 1.5 FTE dedicated to PCI
- 50% or less had key policies in place
- Schools somewhat satisfied with acquirer support
- Over 50% experienced a data breach (some fined)

From PCI Workshops
- Secure top management commitment
  - Develop your pitch: PCI is a business issue, not a security issue
  - Budget adequately: PCI is a program, not a project
- Build a dedicated, multidisciplinary team
- Inventory data, processes, vendors
  - Ask, interpret, verify, explore where stuff is and where it goes
- Engage stakeholders, communicate
- Hold users accountable for behavior (consequences)

Have a Strategy
- Map transaction and data flow: Payments Analysis
- Manage scope: don't retain cardholder data
- Find and eliminate prohibited data
  - POS, logs, databases, spreadsheets, ...
  - Search for rogue databases
  - Search for sensitive numbers
- Easiest path: don't keep cardholder data!

Some Pretty Good Practices
- Think before you act, or PCI Requirement 0
- Understand cardholder data and the cardholder data environment
- Understand PCI before implementing solutions
- Eliminate storing cardholder data
- Then tell people about it!

Some Pretty Good Practices
- Get trained
  - Visa has a 2-day deep dive
  - Treasury Institute PCI Workshops
  - SPSP training for CPISM/A certification
  - MasterCard website has on-line training
- Use the PCI SSC resources
  - Audit Guidelines
  - Technical FAQ

Some Pretty Good Practices
- Monitor card alerts and bulletins
- Monitor PCI and security blogs and forums
- Keep up to date
- Ask questions, get expert help
- Collaborate: share experiences, good and bad

Some Pretty Good Practices
- Raise security awareness on campus
- Identify repeat offenders who lose (stolen) devices, download malware, etc.
  - Publicize names
  - Consequences

Some Pretty Good Practices
- Develop and promote payment policies
- Train POS staff (then re-train!)
- Develop a user manual
- New merchants
  - Guidelines
  - Responsibilities
  - Costs
  - Merchant agreement

Some Pretty Good Practices
- Find and eliminate track data
  - Reduce potential liability 90%
  - Vendors may not be much help
- A sensitive number finder can locate rogue databases
- Upgrade POS terminals to truncate PANs on both paper copies
- Find rogue payment sites on your campus(es)
  - Google news alert
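As an added example (not code from the deck or its author), here is a small "sensitive number finder" of the kind the "Search for sensitive numbers" and "Find and eliminate track data" slides call for: it pulls card-number-shaped digit runs out of text, keeps only those that pass the Luhn check, and reports them PCI-truncated (first six and last four digits) so the finding itself does not become stored cardholder data. The sample lines are constructed and use well-known test card numbers.

```python
import re

# Constructed sample input (not real data): lines of the kind a campus
# sensitive-number sweep might pull from a spreadsheet export or POS log.
# The two card numbers are well-known test PANs, not live accounts.
SAMPLE = """\
donor,amount,card
J. Smith,250.00,4111 1111 1111 1111
A. Jones,75.00,5500-0000-0000-0004
order 7731 ref 1234567890123456
phone ext 4111111111111112
"""

# 13 to 19 digits, optionally separated by spaces or dashes, and not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: every PAN passes it, so it weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits):
    """Display form permitted by PCI DSS: at most the first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (line number, truncated PAN) for each Luhn-valid candidate.

    The report never contains a full PAN, so the scan output does not
    create new cardholder data that would itself be in scope.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append((lineno, truncate_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Point the same function at dumps of POS logs, departmental databases or spreadsheet exports; any hit is data the "don't keep it" policy says must be eliminated, not merely protected.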
Some Pretty Good Practices
- Make your acquirer your partner
  - Sets merchant level, validates compliance
  - Approves compensating controls
  - Some offer PCI training, newsletters, support
- Advice: Get the name of a Compliance Officer

Some Pretty Good Practices
- Use the PA DSS list for all third-party applications
- Use the Visa CISP list for all third-party service providers
  - New service provider levels in 2009
  - Only Level 1 will be listed on the Visa website

Some Pretty Good Practices
- Prepare an Incident Response Plan
  - See PCI Blog (treasuryinstitute.com/blog), March 25, for a list of resources and sample plans: SANS, NIST, Educause, ...
- Test the plan before you have to use it

Compliance Action Plan
- Start with a Payments Analysis
  - Every merchant, application, departmental database, service provider, terminal, website, ...
  - Expect surprises
- Adopt a risk-based approach
  - Identify campus merchants posing the greatest risk
  - Address them first
- Plan to visit each merchant, observe, question
- Document findings
- Train, communicate, empower

Staying Compliant
- PCI is backward looking
  - Compliance today says nothing about tomorrow
  - You are one change from being non-compliant
- Establish and follow policies
- Educate, train, communicate ("rinse, lather, repeat")
- Get trained and/or get help

PCI and Beyond
- PCI does not make you secure
- Map your payment data flow
- Monitor service providers and vendors
- Use strong passwords for technical support
- Log tech support and third-party access
- Upgrade POS equipment and payment apps
- Beware of rogue wireless networks
- Perform vulnerability scans monthly
- Go beyond: apply PCI to all your PII

50 Questions Every CFO Should Ask
"The guide is revolutionary in its approach and extremely practical in its application. It will assist organizations in taking the necessary multi-dimensional approach to managing their cyber infrastructure by shifting the locus of control to the Chief Financial Officer."
Larry Clinton, President, Internet Security Alliance
Let the process, and the preparation, wait no longer. Gather the stakeholders. Let the questions begin.

Conclusions
- Take control
  - You can't outsource responsibility
- PCI training has a very high ROI!
- Senior management commitment and a multidisciplinary team are critical
- Outsourcing can help with compliance
- Network with other institutions
- If you don't need it, don't keep it

Higher Education Community Resources
- The Treasury Institute for Higher Education: www.treasuryinstitute.org
- PCI blog: www.treasuryinstitute.org/blog
- NACUBO: www.nacubo.org

Additional PCI Resources
- Society of Payment Security Professionals: www.paymentsecuritypros.com (blogs, PCI forum)
- PCI SSC: pcisecuritystandards.org (standards, FAQ, PA DSS)
- Visa: visa.com/cisp (PCI-compliant service providers)
- MasterCard: mastercard.com/us/sd

Understanding and Managing PCI DSS
YOUR thoughts? Comments? Questions?
walt@walterconway.com
www.walterconway.com