Trends in Data Security and The PCI SSC's Prioritized Approach
John Verdeschi, Vice President, Payment Systems Integrity
March 31, 2009
Agenda
- Trends in Data Security
- The PCI SSC Prioritized Approach
- MasterCard PCI Merchant Education Program

Trends in Data Security
Data Security Legislation
- 44 states have data security legislation
- The Minnesota Plastic Card Security Act establishes the PCI Data Security Standard as law
- Many states are focused on financial liability and customer notification
- A Washington state bill was passed establishing financial liability for data breaches, but it exempts businesses that comply with industry standards
Data Security Indicators
- U.S. Government proposed budget for 2009: $71 B IT budget for over 30 agencies, of which $7.3 B (10%) is for cyber security
- False sense of security?
  - 69% of companies are either very confident or extremely confident about their security situation*
  - 46% of the same companies had no formal information security strategy*
* Source: The 2007 Technology, Media and Telecommunications (TMT) Survey
Data Security Gone Mainstream
Let's focus on what's important!
Know your data!

Component                        Storage Permitted   Protection Required   Encryption Required**
Cardholder Data
  PAN                            YES                 YES                   YES
  Expiration Date*               YES                 YES                   NO
  Service Code*                  YES                 YES                   NO
  Cardholder Name*               YES                 YES                   NO
Sensitive Authentication Data
  Full Magnetic Stripe           NO                  N/A                   N/A
  CVC2/CVV/CID                   NO                  N/A                   N/A
  PIN                            NO                  N/A                   N/A
Fundamentals of a Data Storage Strategy
Policy
- Sensitive authentication data: never store it!
- PAN: only store it if absolutely necessary
- Payment applications: ensure they are PA-DSS compliant
Governance
- The decision to store PAN is not a data security department responsibility; it is usually made by business owners
Tactics
- Consolidate and segment data stores to minimize impact and data security costs
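As an added illustration of the storage rules above (example code, not a MasterCard or PCI SSC tool), the following Python audit scans stored records or log lines for sensitive authentication data (full track data, CVC2/CVV/CID, PIN), which must never be stored, and for cleartext PANs, which may be stored only with the required protection. The field names, record formats, regular expressions and sample records are assumptions constructed for this example; the PANs are public test numbers.

```python
import re

# Patterns for the data classes in the "Know your data" table. Field names and
# formats are assumptions made for this example, not a MasterCard/PCI SSC tool.
TRACK1 = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}")  # full track 1 data
TRACK2 = re.compile(r";\d{13,19}=\d{4}")                  # full track 2 data
CVC2 = re.compile(r"(?i)\b(?:cvc2?|cvv2?|cid)\b\W{0,3}\d{3,4}\b")
PIN = re.compile(r"(?i)\bpin(?:block)?\b\W{0,3}[0-9A-F]{4,16}\b")
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate PANs

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: separates real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_line(line: str) -> list:
    """Storage-policy findings for one stored record (sorted list).

    SAD:* = sensitive authentication data stored (never permitted).
    PAN:cleartext = a Luhn-valid PAN stored without protection; masked,
    truncated or tokenised values contain no such run and are not flagged.
    """
    findings = set()
    if TRACK1.search(line) or TRACK2.search(line):
        findings.add("SAD:track")
    if CVC2.search(line):
        findings.add("SAD:cvc2")
    if PIN.search(line):
        findings.add("SAD:pin")
    if any(luhn_valid(run) for run in DIGIT_RUN.findall(line)):
        findings.add("PAN:cleartext")
    return sorted(findings)

def audit_store(lines) -> dict:
    """Map the index of each offending record to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := audit_line(line))}

SAMPLE_RECORDS = [  # constructed test data; PANs are public test numbers
    "order=1001 pan=4111111111111111 exp=1112 name=TEST CARDHOLDER cvc2=123",
    "order=1002 pan=411111******1111 exp=1112 name=TEST CARDHOLDER",
    "swipe=%B5555555555554444^TEST/CARDHOLDER^1112101?;5555555555554444=1112101?",
    "order=1003 token=tok_8f3a2c exp=1112 name=TEST CARDHOLDER",
    "terminal=07 pin=1234 pan=4111111111111111",
]
```

Records 1 and 4 (masked PAN, tokenised PAN with expiry and name only) produce no findings; the other three show how stored SAD and an unprotected PAN surface as separate findings.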
PCI Data Security Standard
- Designed to prevent account data compromises when properly implemented
- PCI DSS helps to prevent, detect and react to intrusions and data compromise situations
- Intrusions are inevitable, since environments and threats are dynamic
- Early detection and reaction limit the scope of a breach and can prevent account compromise
- Good data storage policies are critical to limiting risk
What it means to be PCI DSS compliant
- PCI DSS compliance is a snapshot in time
  - Quarterly network scans
  - Annual onsite assessments for Level 1 merchants, TPPs and large DSEs
  - Annual self-assessments for Level 2 and 3 merchants and smaller DSEs
- How are allegedly PCI DSS compliant entities breached? Some possibilities:
  - The entity did not maintain compliance after the assessment
  - The scope of assessment established by the QSA and the merchant/service provider was not comprehensive enough
  - Errors on the part of either the assessor or the merchant
- PCI SSC is focused on driving quality in assessments
Staying PCI Compliant
Maintaining compliance requires:
- Governance: organizational commitment is required for continued funding and resources, and to enforce policy
- Accountability: assigning ownership and responsibility for compliance maintenance
- Communication: ensuring top-to-bottom awareness that promotes organizational vigilance
The PCI SSC Prioritized Approach
The Prioritized Approach for PCI DSS
What is it?
- Guidance for organizations to prioritize their PCI DSS implementation efforts
- Introduced by the PCI SSC on March 3, 2009
What are the benefits?
- Enables entities to prioritize resources and funding in the implementation of PCI DSS
- Helps to systematically reduce risk
- Promotes objective and measurable progress indicators
- Provides the ability for merchants and service providers to demonstrate compliance progress to key stakeholders
Prioritized Approach for PCI DSS 1.2
How was it created?
- Based on findings from forensic examinations in account data compromise cases
- Feedback from the PCI SSC Board of Advisors, Council leadership and the Technical Working Group
- Feedback from several QSAs who were asked to identify the 15 most important PCI DSS requirements
Prioritized Approach Tools for PCI DSS 1.2
- Reference Guide
- Worksheet
- Reporting Tool
Prioritized Approach for PCI DSS 1.2: Six Security Milestones

Milestone One - If you don't need it, don't store it.
The intent of Milestone One is to remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised: if sensitive authentication data and other cardholder data had not been stored, the effects of the compromise would have been greatly reduced.

Milestone Two - Secure the perimeter.
The intent of Milestone Two is to protect the perimeter, internal, and wireless networks. This milestone targets a key area that represents the point of access for most compromises: vulnerabilities in networks or at wireless access points.

Milestone Three - Secure applications.
The intent of Milestone Three is to secure applications. This milestone focuses on applications, as well as application processes and application servers, since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data.

Milestone Four - Control access to your systems.
The intent of Milestone Four is to protect the cardholder data environment through monitoring and access control, since this is the key method to detect the who, what, when and how of access to your network.

Milestone Five - Protect stored cardholder data.
For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

Milestone Six - Finalize remaining compliance efforts, and ensure all controls are in place.
The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
Prioritized Approach for PCI DSS 1.2: Important Note and Disclaimer
In order to achieve PCI DSS compliance, ALL PCI DSS requirements must be successfully implemented, regardless of the order in which they are satisfied or whether the organization seeking compliance follows the PCI DSS Prioritized Approach. The Prioritized Approach does not, and is not intended in any manner to, modify or abridge the PCI DSS or any of its requirements. All information published by PCI SSC for the Prioritized Approach is subject to change without notice. PCI SSC is not responsible for errors or damages of any kind resulting from the use of the information contained therein. PCI SSC makes no warranty, guarantee, or representation as to the accuracy or sufficiency of the information provided as part of the Prioritized Approach, and PCI SSC assumes no responsibility or liability regarding the use or misuse of such information.
Reporting using the Prioritized Approach
- As of Q2 2009, MasterCard will be revising the Acquirer Submission and Compliance Status Form (V3.1)
- The new fields represent the six milestones within the Prioritized Approach
- Available on the www.mastercard.com/sdp website
- Required by Q4 2009
PCI 360 Merchant Education Program
PCI Education Delivery Options & Timeframes
The PCI Merchant Education Program (PCI 360) offers several training options to acquirers:
- On-Site: in-person training for acquiring banks and merchants
- Live Web Meetings: real-time online interface and teleconference
- On-Demand Webinar Series: pre-recorded content available through an online interface; over 5000 webinars viewed to date (www.webcasts.com/mastercardpci)
Content Library (www.webcasts.com/mastercardpci)
- An Introduction to the PCI Security Standards Council - Presented by Bob Russo, PCI Security Standards Council
- A Detailed Look at PCI DSS Requirements - Presented by Andrew Henwood, One-Sec/Trustwave
- A Merchant's Journey Towards Compliance - Presented by Alexander Grant, British Airways
- Understanding Account Data Compromise - Presented by Bryan Sartin, Cybertrust/Verizon Business
- Preparing for a Successful PCI Assessment, Lessons from the Field - Presented by Michael Walter, Arsenal Security Group
- Security and the Payments System - Presented by Jeremy King & John Verdeschi, MasterCard
- A Look into the New Self Assessment Questionnaire - Presented by Jennifer Mack, MasterCard Worldwide
- Reducing Your Risk: A Look into PCI Vulnerability Scanning - Presented by John Bartholomew, SecurityMetrics
- Compliance Validation and Beyond - Presented by Sally Ramadan, MasterCard Worldwide
- Encryption - Presented by Gerard Onorato, Verizon Business
- Network Segmentation - Presented by Mark Lippman, Arsenal Security Group
- Maximizing Internal Preparation for PCI (Now Available!) - Presented by Mathieu Gorge, Vigitrust
- Data Storage - Presented by Mark Lippman, Arsenal Security Group
- PCI DSS Requirements Version 1.2 - Presented by Trustwave
More Information and Additional Resources
- The PCI SSC: www.pcisecuritystandards.org
- PCI 360: pci_education@mastercard.com
- The SDP website: www.mastercard.com/sdp
  - SDP Program information
  - Level definitions and compliance requirements
  - SDP Submission Form
  - sdp@mastercard.com with questions
- Global Security Bulletins: available via MOL
- Site Data Reflection articles: available upon request
- Academy of Risk Management classes