PCI: The Dark Side. May 2012 Roanoke, VA

Similar documents
Property of CampusGuard. Compliance With The PCI DSS

PCI DSS Presentation University of Cincinnati

PCI DSS 3.0 and You Are You Ready?

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

Frequently Asked Questions

How To Protect Your Business From A Hacker Attack

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

PCI Compliance: How to ensure customer cardholder data is handled with care

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

How To Protect Visa Account Information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Payment Card Industry Data Security Standards.

Project Title slide Project: PCI. Are You At Risk?

PCI Compliance Top 10 Questions and Answers

PCI Compliance. Top 10 Questions & Answers

PCI Data Security Standards

PCI Compliance Overview

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

Two Approaches to PCI-DSS Compliance

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI Standards: A Banking Perspective

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Josiah Wilkinson Internal Security Assessor. Nationwide

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

AISA Sydney 15 th April 2009

Customer Card Data Security and You

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Payment Card Industry Data Security Standard

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

SecurityMetrics Introduction to PCI Compliance

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

PCI Security Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

PCI DSS Gap Analysis Briefing

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Adyen PCI DSS 3.0 Compliance Guide

Becoming PCI Compliant

How To Protect Your Data From Being Stolen

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Complying with PCI is a necessary step in safely accepting Payment Cards.

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

SecurityMetrics. PCI Starter Kit

How To Protect Your Credit Card Information From Being Stolen

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

PAI Secure Program Guide

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

An article on PCI Compliance for the Not-For-Profit Sector

PCI Compliance : What does this mean for the Australian Market Place? Nov 2007

Payment Card Industry Data Security Standards Compliance

Payment Card Industry Data Security Standard

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI DSS Compliance Information Pack for Merchants

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

PCI DSS. CollectorSolutions, Incorporated

P R O G R E S S I V E S O L U T I O N S

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Network Security & Privacy Landscape

Important Info for Youth Sports Associations

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP

PC-DSS Compliance Strategies NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PCI Compliance: Protection Against Data Breaches

PCI DSS Overview and Solutions. Anwar McEntee

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E

Technical breakout session

Introduction to PCI DSS

ICCCFO Conference, Fall Payment Fraud Mitigation: Securing Your Future

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

Merchant guide to PCI DSS

PCI Compliance for Healthcare

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

La règlementation VisaCard, MasterCard PCI-DSS

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Industry (PCI) Data Security Standard

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

PCI Compliance for Cloud Applications

Transcription:

PCI: The Dark Side May 2012 Roanoke, VA

Agenda The problem Who are they? Why? What do they steal? How do they do it? What can they do with it? How can you stop it?

Ron King, Ed Ko, CampusGuard CampusGuard is an information security firm Working exclusively with colleges and universities All things PCI: PCI DSS, PA-DSS, QSA, ASV Also Red Flags, GLB, HIPAA Help schools become PCI compliant

A short story

PCI 101 PCI DSS: Payment Card Industry Data Security Standard Goal is to protect Cardholder Data And to keep you out of the headlines PCI does not make you secure If you take plastic, PCI applies to you Under contract law, not a state or federal regulation PCI scope includes Store, process, or transmit cardholder data Paper, too PCI is a program, not a project Two things you need to accept about PCI: Your costs have gone up You will change the way you do business

PCI Relationships Responsible for managing the PCI DSS and certifying QSAs and ASVs Bank Communicates and educates merchants on PCI DSS and reports compliance status to Card Associations CREDIT CARD SECURITY Responsible for enforcing and monitoring merchant compliance with the PCI DSS Merchant Responsible for safeguarding credit card data and complying with the PCI DSS

PCI DSS: 6 Goals, 12 Requirements Control Objective 1. Build and maintain a secure network Requirements 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 5. Regularly monitor and test networks 6. Maintain an information security policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

Merchant Levels Level 1 > 6 million Visa/MC txns/yr > 2.5 million transactions/yr 2 1 to 6 million Visa/MC txns/yr 50,000 to 2.5 million txns/yr 3 20,000 to 1 million Visa/MC ecommerce txns/yr All other Amex Merchants 4 All other Visa/MC merchants N/A

Validation Requirements Level 1 2 3 4 Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Annual Self-Assessment Questionnaire (SAQ) Quarterly network scan (ASV) Annual penetration test (ASV) At discretion of acquirer Annual SAQ Quarterly network scan (ASV) Annual penetration test (ASV) Annual on-site assessment (QSA) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) Quarterly network scan (ASV) Annual penetration test (ASV) N/A

Higher Ed Is Vulnerable Past 3 Years Higher Education 33% Government Healthcare 6% 8% Financial Services 14% Other 17% 22% Retailers Source: Privacy Rights Clearinghouse

Colleges and Universities are like Cities

Looking something like this Athletics Student Accounts Parking Services Library Theatre Events Foundation Continuing Ed CampusGuard 2009 12 Radio Station Hotel Residential Life Book Store Student Life Reprographics More

Compared with

Higher Education Challenges Many groups, organizations and departments want to offer credit card payments, but they all have: Different needs Resource limitations Lack of payment processing knowledge This poses challenges for IT: Open networks and systems Little or no monitoring of traffic Overloaded IT staff Fiscal constraints CampusGuard 2009 14

Some Data Breach Stats Who is Behind Data Breaches? 92% from external sources 17% caused by insiders <1% implicated business partners 9% involved multiple parties How Do Breaches Occur? 11% aided by significant errors 50% resulted from hacking 49% utilized malware 17% involved privilege misuse 29% occurred via physical attacks What Commonalities Exist? 86% discovered by a third party 89% of victims were not PCI compliant 96% considered avoidable through simple or intermediate controls 83% of victims were targets of opportunity 92% of attacks were not highly difficult Source: Verizon 2011 Data Breach Investigations Report

Penalties can be Huge In the event of a breach the bank can make the merchant responsible for: Fines from card associations Up to $500,000 Cost to notify victims Cost to replace cards Cost for any fraudulent transactions Forensics Level 1 certification Bad Publicity Priceless!

Who are they? 1970 s Phone Phreakers Blue Box Stages Curiosity, bragging rights Control Criminal intent Now Organized Crime (e.g. RBN) Terrorist Groups (to fund their operations)

What do they Steal?

How do they do it? Yourschool.edu intitle:index of apache

How do they do it? Yourschool.edu intitle:index of apache

How do they do it? Internet SQL injection Cross-site scripting Payment Server Cell Phones Dept PCs Printers Laptops

What can they do with it?

What can they do with it?

What can they do with it?

What can they do with it?

What can they do with it?

What can they do with it? Next Step: Manufacturing

What can they do with it?

What can they do with it?

What can they do with it?

What can they do with it? + + = + = $$ ( )

Skimming

Phishing

How can you prevent it? PCI DSS: 6 Objectives and 12 Requirements Control Objective 1. Build and maintain a secure network Requirements 1. Install and maintain a firewall configuration to protect data 2. Change vendor-supplied defaults for system passwords and other security parameters 2. Protect cardholder data 3. Maintain a vulnerability management program 4. Implement strong access control measures 3. Protect stored data 4. Encrypt transmission of cardholder magnetic-stripe data and sensitive information across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data to a need-to-know basis 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 5. Regularly monitor and test networks 6. Maintain an information security policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security

Self-Assessment Questionnaires Card-Not Present, All Cardholder Data Functions Outsourced Imprint Only, No Cardholder Data Storage Standalone Dial Out Terminal, No Cardholder Data Storage Payment Application Systems Connected to the Internet All other methods SAQ A SAQ B SAQ B SAQ C / VT SAQ D (11 questions) (29 questions) (29 questions) (80/51 questions) (286 questions) 11 286 Move as far to the left as possible!

How can you prevent it? Internet Strategic Scope Only payment systems are in scope Better all around Cell Phones Payment Server Dept PCs Printers Laptops

PCI Compliance Discovery and Assessment Remediation Validation Payments Analysis Merchant Discovery Documentation Preliminary Scanning Gap Analysis Correct Problems Compensating Controls ROC or SAQ Submission Quarterly Scanning Penetration Testing Re-Validate every 12 mos

Test Your Institution Use these questions to test the PCI readiness for your institution: Are we PCI Compliant? What level merchant is our institution? Can I see the SAQ? Did we have any NO answers? N/A? Which credit cards do we accept? Can I see copies of our policies/procedures?

Summary The problem is real You are probably doing a lot of things right today Your bank will soon be requiring proof Prevention is key Not a one-time project Help is available

Resources

Ron King, CPISM CampusGuard rking@campusguard.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information