PCI Data Security Standard: Overview and observations from the field
Andrea Del Miglio, Practice Manager
28 March 2007
Agenda
1. PCI background information
2. PCI Data Security Standard 1.1
3. Top reasons for non-compliance
4. Strategies for achieving compliance
5. Symantec PCI services
Andrea Del Miglio, Symantec Corporation, PCI Data Security Standard
PCI Background Information
Payment Card Security Programs: Why?
- Credit card fraud occurrences have been increasing over the years and the problem is not going away
- Cardholders need assurances that their purchases will be secure
- Credit card companies do not control credit card payment transactions from end to end
- Credit card companies need to protect their brands
- Credit card companies need some mechanism to share the liability for cardholder data security
Prior Payment Card Security Programs
- Individual programs existed prior to the PCI standard
  - Visa: Cardholder Information Security Program (CISP)
  - MasterCard: Site Data Protection Program (SDP)
  - American Express
- What's wrong with this picture?
  - Companies have to follow more than one process to achieve the same end goal
  - Redundancies between programs
  - Different lists of qualified assessors may require companies to contract with more than one independent assessor to complete all the audits
  - Discrepancies between the different security standards
The PCI Data Security Standard
- PCI Data Security Standard (DSS) was created in December 2004 to create a single security standard
  - Visa managed the DSS and auditing procedures/process
  - MasterCard ran the scanning procedures/process
- September 2006: the PCI Security Standards Council was created
  - Founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International
  - Took ownership of the PCI DSS and scanning procedures
  - Took ownership of the Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) programs
    - Certifying companies to perform audits
    - Certifying companies to perform security scanning
  - Released new PCI DSS v1.1, impacting all future compliance
The Intent of the PCI DSS
- Protect cardholder data
  - Primary Account Number (PAN)
  - Expiration date
  - Storage, transmission, and display of this data
- Strictly control payment card track data
  - Raw data extracted from the magnetic strip
  - Track data can be used to duplicate payment cards
  - Track data should never really need to be stored
- Keep payment card authentication data secure
  - CVV2: Card Verification Value 2 (Visa)
  - CVC2: Card Verification Code (MasterCard)
- Reduce the overall risk of potential cardholder data compromise
[Card diagram callouts: 1 = PAN, 2 = expiration date, 3 = magnetic strip, 4 = CVV2/CVC2]
Payment Card Transaction Example: Typical Visa Transaction
[Diagram] Participants: Cardholder, Merchant, Processor, Acquirer (Merchant Bank), VisaNet, Processor, Issuer. The authorization request flows from the merchant through the acquirer's processor and VisaNet to the issuer's processor and the issuer; the authorization response returns along the same path.
Payment Card Transaction Example: Typical Visa E-commerce Transaction
[Diagram] Participants: Cardholder, Internet, E-Commerce Merchant, Payment Gateway, Processor, Acquirer (Merchant Bank), VisaNet, Processor, Issuer. The authorization request travels from the e-commerce merchant over the Internet to the payment gateway, then through the processor, the acquirer and VisaNet to the issuer; the authorization response returns along the same path.
Who needs to be compliant?
- All organizations that handle credit card transactions must be PCI compliant
- Affects:
  - Merchants: typically accept credit cards directly from customers as a form of payment
  - Service Providers: typically process credit card transactions on behalf of merchants
  - Payment card issuers and transaction acquirers with a direct connection to Visa's or MasterCard's processing network
- Sliding scale for compliance requirements
  - Based on volume of credit cards processed annually
  - Merchants: Levels 1-4
  - Service Providers: Levels 1-3
  - The higher the transaction volume, or the riskier the transactions, the more rigorous the compliance requirements become
Merchant Requirements (Level: qualifications; requirements; completed by)
- Level 1: more than 6 million transactions annually regardless of channel; has suffered an attack resulting in cardholder data compromise; others at Visa/MC discretion
  - Annual On-Site Audit: QSA, or internal auditor if signed by an officer of the company
  - Quarterly Network Scan: Qualified Independent Scan Vendor
- Level 2: 1 million to 6 million Visa transactions annually
  - Annual Self-Assessment: merchant, annually
  - Quarterly Network Scan: Qualified Independent Scan Vendor
- Level 3: 20,000 to 1 million e-commerce transactions annually
  - Annual Self-Assessment: merchant
  - Quarterly Network Scan: Qualified Independent Scan Vendor
- Level 4: fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year
  - Annual Self-Assessment: merchant
  - Quarterly Network Scan: Qualified Independent Scan Vendor
Service Provider Requirements (Level: qualifications, applies to either card; requirements; validated by)
- Level 1: all VisaNet processors (member and non-member); all payment gateways
  - Annual On-Site Audit: QSA
  - Quarterly Network Scan: Qualified Independent Scan Vendor
- Level 2: any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually
  - Annual On-Site Audit: Service Provider
  - Quarterly Network Scan: Qualified Independent Scan Vendor
- Level 3: any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually
  - Annual Self-Assessment: Service Provider
  - Quarterly Network Scan: Qualified Independent Scan Vendor
Annual PCI Self-Assessment Questionnaire
- Required for Level 2 and 3 merchants
- Required for Level 3 service providers
- Captures:
  - Organization information
  - Business description
  - All third-party providers
  - POS hardware/software used
- Consists of 6 sections, 75 individual questions
- Must answer all questions
  - Yes: compliant with requirement
  - No: non-compliant with requirement
  - N/A: brief written explanation is required
PCI Assessment Process: Level 1 Merchants
- QDSC completes an onsite PCI assessment
- QDSC creates Report on Compliance (ROC)
  - Includes results of quarterly scanning
  - Includes in-place/not in-place results for all 204 individual requirements
- QDSC provides ROC to merchant
- Merchant provides ROC to upstream service provider or acquirer
[Process diagram] Merchant contracts QDSC -> QDSC performs onsite audit (with quarterly scanning results as input) -> compliance decision -> QDSC generates ROC -> QDSC provides ROC to merchant -> merchant provides ROC to service provider
PCI Assessment Process: Level 1 and 2 Service Providers
- QDSC completes an onsite PCI assessment
- QDSC creates Report on Compliance (ROC)
  - Includes results of quarterly scanning
  - Includes in-place/not in-place results for all 204 individual requirements
- QDSC is required to complete a service provider compliance status form
- QDSC provides both directly to Visa USA
[Process diagram] Service provider contracts QDSC -> QDSC performs onsite audit (with quarterly scanning results as input) -> compliance decision -> QDSC generates ROC and completes compliance status form -> QDSC provides the Report on Compliance and the Service Provider Compliance Status Form directly to Visa
What Can Be Expected During an Onsite Assessment
- Qualified assessors are 100% dependent on the merchant or service provider
- PCI DSS is comprehensive, therefore it takes time to complete
- PCI DSS testing procedures are focused on validation of practices, not on blindly accepting statements from customers
- Requires considerable participation from the merchant or service provider
- Access to customer resources is a key success factor
PCI Penalty Structure
- Reactive penalties
  - Penalties are levied after a compromise of cardholder data
  - Penalties affect acquirers and issuers directly, due to their contractual relationship and network connections to the payment card firms
  - Non-compliant merchants and service providers may receive penalties indirectly from their upstream acquirer
- Penalties
  - Fines: egregious violations up to $500k
  - Forensics investigation costs
  - Issuer/Acquirer losses
  - Dispute resolution costs
  - Operating restrictions on merchants
  - Operating restrictions on service providers
- Visa's Compliance Acceleration Program (CAP)
  - Fines for acquirers who have not validated that full track data is not being retained by their Level 1 merchants by September 30, 2006
  - Acquirers will be fined between $5,000 and $25,000 a month for each of their Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively
  - Acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant
PCI DSS 1.1
PCI Data Security Standard v1.1
- Build and Maintain a Secure Network
  1) Install and maintain a firewall configuration to protect cardholder data
  2) Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  3) Protect stored cardholder data
  4) Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  5) Use and regularly update anti-virus software
  6) Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  7) Restrict access to cardholder data by business need-to-know
  8) Assign a unique ID to each person with computer access
  9) Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  10) Track and monitor all access to network resources and cardholder data
  11) Regularly test security systems and processes
- Maintain an Information Security Policy
  12) Maintain a policy that addresses information security
Requirement 1.1: Firewall Configuration Standards
Establish configuration standards that include:
- Configuration standards for all routers and firewalls
- Approval process for all external connections and firewall changes
- Up-to-date network diagram (including WLANs)
- Firewalls separating network segments (Internet from DMZs from internal network, and so on)
- Description of groups, roles and responsibilities for logical management of network components
- Documented list of services/ports necessary for business, with specific justification for protocols other than HTTP, SSL, SSH and VPN
- Quarterly review of firewall/router rule sets
Requirement 1.2: Firewall Configuration Settings
- Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment
- The audit must verify that only documented protocols are allowed in the running configuration (see req. 1.1)
- Checks must be done for both inbound and outbound traffic
- Check a sample of:
  - devices between the Internet and the DMZ
  - devices between the DMZ and the internal network
Requirements 1.3-1.5: Network Segmentation and Firewall Rules
Restrict connections between publicly accessible servers and any system storing cardholder data:
- Use a deny-all default policy
- Restrict inbound IP traffic to servers in the DMZ
- Restrict egress traffic to necessary protocols
- Do not allow internal addresses to pass from the Internet into the DMZ
- Use stateful inspection
- Secure and synchronize router configuration files
- Place DB servers in the internal network
- Segregate WLANs from the cardholder data environment
- Use personal firewalls on employees' PCs
- Prohibit direct public access between external networks and any system component that stores cardholder data
- Use RFC 1918 addresses
Requirements 1.3-1.5: Audit Procedures
- Network architecture: examine the updated network diagram (see req. 1.1) for consistent segregation
- Firewall review: include ALL firewalls
  - Review configuration files for ingress and egress rules, for consistency with firewall policies
  - Verify the default policy, which needs to be deny-all
  - Evaluate protocols to determine necessity
- Personal firewall on laptops: audit the configuration of a sample population
Changes in PCI DSS v1.1
- Terminology changes
  - More consistent use of terms
  - Attempted to remove vague terms (regularly, periodically, etc.)
- Provided more guidance
  - Applicability guide for data elements
  - PCI audit scoping
  - Applicability for hosting providers
  - Compensating controls
- Modified twenty-six (26) existing requirements
- Added four (4) new requirements
New PCI Requirements
- Requirement 2.4: Hosting provider applicability
  - Focused on shared hosting providers, not merchants who outsource
  - Focus on proper segmentation of hosted entities
- Requirement 5.1.1: Spyware and adware
  - Current anti-virus deployment must detect, remove, and protect against other malicious software, including spyware and adware
- Requirement 6.6: Web application security
  - Source code reviews are performed and/or an application-layer firewall is placed in front of the application(s)
  - Becomes a requirement June 30, 2008
- Requirement 12.10: Management of connected entities
  - Focus on service providers and credit card processors
  - Program in place: policies, procedures, documentation
Top reasons for non-compliance
Where is this data coming from?
Telecommunications; global retailers (brick and mortar, e-commerce); credit card issuers; Internet service providers; financial services; cable and content providers; manufacturing; airlines; insurance; entertainment; fulfillment; education; state and local government
Top 10 Reasons for Non-compliance
1. Inconsistent host hardening
2. Deficient logging practices
3. Deficient network management
4. Unencrypted cardholder data
5. Deficient security policies
6. Lack of identity management program
7. Deficient data retention practices
8. Poor vendor management (contracts)
9. Deficient encryption management practices
10. Patch management
NOTE: ranked by volume of occurrences, not by security risk or compliance impact
The Top 5, A Closer Look: #1 Inconsistent host hardening
- PCI DSS maintains focus on infrastructure
- Decentralized silo-style management
- Lack of secure build and management process
- No compliance monitoring program
Solution
- Standardize build policies and process
- Centralized compliance management solution
- Centralized access control and logging
The Top 5, A Closer Look: #2 Deficient logging practices
- Need to be able to identify, quantify, and react to security breaches
- Servers and applications are not configured to log enough data
- Logs aren't being centrally or securely stored
- Inadequate log data retention
- Missing logs due to configuration errors
Solution
- Configure logging properly
- Centralized logging and monitoring
- Log file retention program
- Outsource security monitoring
The Top 5, A Closer Look: #3 Deficient network management
- PCI DSS focuses on perimeter network security for the cardholder data environment
  - Network access controls
  - Segmentation
  - Configuration management
- Organizations lack configuration management procedures for firewall ACLs
- Organizations don't document firewall configuration and operational procedures
- Cardholder data isn't treated differently
Solution
- Create detailed firewall configuration and management procedures
- Isolate cardholder datastores from systems and users that don't require direct access
The Top 5, A Closer Look: #4 Unencrypted cardholder data
- Encryption is expensive and difficult
- Legacy systems don't support encryption
- Organizations don't know where all the data resides
Solution
- Never store data you don't need
- Application-level encryption, database package encryption, or encryption appliances
- Destroy sensitive data once it is no longer needed
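Finding out where cardholder data actually resides (this slide) and confirming that track data and CVV2 are not being stored (the "Intent of the PCI DSS" and CAP slides) is a data-discovery exercise. The block below is an added example, not code from the deck or from Symantec: it scans text for Luhn-valid PANs, magnetic-stripe track data and CVV2 fields and reports only masked values. The sample log and export lines are constructed test data using standard test card numbers.

```python
"""Added example: discover cardholder data at rest in text files or logs.
Reports masked PANs only, so the scan output itself does not become
another store of cardholder data. Sample input is constructed."""
import re

# Constructed sample: an application log and a CSV export that should
# never have captured this data. Both card numbers are standard test PANs.
SAMPLE_TEXT = """\
2007-03-28 10:15:02 order=8812 pan=4111111111111111 exp=0908 cvv2=123
2007-03-28 10:15:03 order=8813 cust=12345678 status=ok
;4111111111111111=09081011234567890000?
%B4111111111111111^DOE/JOHN^09081011000000000000?
invoice,4532015112830366,2007-03-28
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (which would be an order or reference number).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")            # ;PAN=YYMM...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}")   # %BPAN^NAME^YYMM...
CVV_RE = re.compile(r"\bcvv2?=\d{3,4}", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the last four digits, which PCI DSS allows to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_cardholder_data(text):
    """Return (line_no, kind, masked_value) for every hit, in line order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            m = rx.search(line)
            if m:
                findings.append((n, kind, mask(m.group(1))))
        if CVV_RE.search(line):
            findings.append((n, "cvv2", "present"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((n, "pan", mask(digits)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in find_cardholder_data(SAMPLE_TEXT):
        print(f"line {line_no}: {kind} {value}")
```

Track data hits are the ones to act on first: the slides note that track data should never need to be stored at all, whereas a PAN may be legitimately stored if it is protected under Requirement 3.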
The Top 5, A Closer Look: #5 Deficient security policies
- PCI validates the existence and scope of policies
- Organizations haven't created all the required policies
- Policies don't meet PCI requirements
Solution
- Collect all regulatory and industry requirements that impact you
- Identify commonality
- Create policies
  - Policy management tools
  - Manually
- Educate staff
Root Causes for Non-compliance
- Organizations often unknowingly collect sensitive data
- Organizations don't understand the extent of their cardholder environment
- Organizations don't understand who this sensitive data is being shared with
- Reactive rather than proactive approach to PCI compliance
- Bottom-up approach to PCI compliance instead of top-down
- Immature information security programs
Strategies for achieving compliance
Achieve Compliance by Reducing Scope
- PCI Data Security Standard (DSS) is two years old
- Organizations' cardholder environments pre-date the PCI DSS
- The more systems that collect, process, and store cardholder data, the larger the scope
- Large scopes typically result in compliance failure
  - Heterogeneous networks and systems
  - Decentralized business process management
  - Infrastructure management by silo
  - More chance to just make a dumb mistake
- Cardholder data is different from other corporate data and should be managed differently
Reduced Scope = Fewer Moving Parts = Path to PCI Compliance
How to Reduce Scope
- Physical and logical segmentation
  - Isolate credit card systems from all other internal network segments
  - Implement strong network access controls to enforce a least-privilege access control model
  - Defense in depth
- Centralization
  - Consolidate cardholder datastores (databases, local file storage)
  - Minimize the cardholder data footprint to only the systems that have a business need
  - Stop the propagation of cardholder data to non-payment-card-related systems
- Standardization
  - Standard method of communicating with business partners
  - Standard encryption services
  - Standard transport services
  - Standard application platforms (operating systems, database applications, application servers)
Example Success Stories
- Data-sensitivity-driven network architecture and access control model
  - Evolution to a services-based application architecture
  - Eliminated silo business process architectures
  - Eliminated integration points and unnecessary datastores
  - Scalable
- Complete centralization on mainframe
  - Single access model
  - Single database model
  - Minimal external communication
- Outsource model
  - Risk and liability managed through contracts
  - Nearly zero cardholder data footprint
- Specialized encrypted storage solution for all non-database storage
- Focus on culture and behavior change
Symantec PCI Consulting Services
Symantec Payment Card Industry Services
Providing organizations with industry-leading security expertise and proven methodologies to effectively plan, assess and execute PCI data security programs
- PCI Security Audit Service
- PCI Security Scanning Service
- PCI Compliance Readiness Review
- PCI Payment Application Best Practices Assessment
- Strategic and Tactical PCI Consulting
Symantec Differentiators
- People
  - Security experts, not checklist auditors
  - Average PCI consultant has 10 years of security experience
  - Comprehensive subject matter expertise: infrastructure security, application security, security program development
- Management approach
  - Act as trusted advisor for all security needs
  - Focus on customer needs
  - Dedicated management team
- Results
  - Clear and concise feedback
  - Tailored, ACTIONABLE recommendations
- Methodologies
  - Designed to provide real value and increased ROI
  - Designed to assist customers in meeting their short-term and long-term security goals
- Company
  - Depth and breadth of security expertise at the customer's disposal
  - Executive support
  - Products and services to meet any IT security need
Symantec products and services can help you achieve compliance for all PCI requirements
PCI Resources
- Symantec PCI Services: http://www.symantec.com/pci
- Symantec Compliance Solutions: http://www.symantec.com/compliance
- Symantec PCI contacts for Italy: andrea_delmiglio@symantec.com, antonio_forzieri@symantec.com
- PCI Security Standards Council: http://www.pcisecuritystandards.org
Thank You!
2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.