GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com

Table of Contents
Governance and Security to Ensure Operational Integrity
Processor Compliance with Laws, Regulations, and Operating Rules
Enterprise Risk
Defense-in-Depth Security Best Practice
Data Integrity and Availability
Access Management
Event and Activity Monitoring
Incident Response and Reporting
Physical and Environmental Controls
Disaster Recovery and Business Continuity
Data Disposal
Software Development and Change Management Controls
Separation of Duties and Environments
Integrity of Personnel

Governance and Security to Ensure Operational Integrity

Payment Processors should be dedicated to implementing all measures necessary to safeguard their information systems and infrastructure. These measures in turn should be subject to a system of governance that includes the policies, procedures, planning activities, responsibilities, practices and resources for implementing and maintaining a secure system and network operating environment. In particular, the Payment Processor's Management needs to establish an organizational structure that enables it to oversee governance and security, including the planning, design and implementation of internal/external network security and logical access controls, the assignment of responsibilities and resources, and policy/procedural documentation. Equally important is careful oversight of 3rd party relationships, to ensure your partners pay as much attention to security, compliance and governance as you do.

Good governance calls for establishing Internal Audit, Compliance, and Information Security groups within the organization that have separate reporting channels to upper Management and/or a Board-level Audit Committee. This organizational structure ensures that all security and operational risks are appropriately addressed and that all internal processes and practices remain in compliance with the organization's defined policies and procedures, which in turn should align with applicable external security standards, regulatory laws and payment systems Operating Rules. Internal audits should be performed by an independent Internal Audit group at least quarterly. Issues of non-compliance revealed by these reviews need to be documented and shared with Management and the Audit Committee. Any deviations noted should be addressed promptly, and identified gaps followed up until closed.

Payment Processors need to dedicate adequate resources to understanding and complying with all applicable government, industry and association Operating Rules and legal/regulatory requirements relevant to each of their operating regions. Such requirements need to be carefully identified, documented, applied, and updated on a regular basis. Policies and procedures should be developed and put into practice that keep the Payment Processor in compliance with these various requirements. Good governance also calls for establishing proper training and awareness programs to communicate important information on security and compliance within the organization. The program should include regular updates that reflect changing policies, rules and regulatory environments.

Processor Compliance with Laws, Regulations, and Operating Rules

Payment Processors' compliance activities need to cover not only the government, industry and association Operating Rules and legal/regulatory requirements pertaining to their own operations, but also the rules and regulatory requirements pertaining to their client partners. For example, if you process customer data on behalf of a partner whose data is governed by a given regulatory rule, then you as their 3rd party provider must also apply that rule when handling their data. Processors thus need to work closely with their partners to identify all such applicable laws and regulations, and establish internal policies and procedures to ensure compliance with them.

Enterprise Risk

Risk management should be incorporated into every Payment Processor's system of governance. It provides a framework for identifying and addressing risks within the organization and a process for regular operational review and improvement. An effective risk management program should adopt an appropriate methodology to identify, evaluate, mitigate and monitor risks to critical business assets and operations.

Defense-in-Depth Security Best Practice

Processors need to implement security and access controls and safeguards to ensure their networks, systems, and data are adequately protected against internal and external threats and vulnerabilities. Security best practice calls for a defense-in-depth strategy to protect information assets and reduce overall risk. A defense-in-depth approach ensures that the failure of any one control does not by itself lead to a successful penetration. By providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data. This strategy also requires knowing and understanding the threat landscape and continually adjusting the security control environment to mitigate the specific risks identified.

Public-facing applications and user interfaces need to be thoroughly tested for vulnerabilities by trained security personnel. Various vulnerability scanning and penetration testing tools are available and recommended. Such scanning and testing should be performed whenever there is a change to the system or application, or at least semi-annually. OWASP (Open Web Application Security Project) and other security industry resources should always be used to check web applications prior to release to production. These resources and tools help prevent common exploits such as SQL injection, buffer overflow, cross-site scripting, and session hijacking. Impact analysis should be performed to identify the potential impact of such exploits, and appropriate plans developed to mitigate the risks identified. Corrective and preventive actions should be implemented accordingly. Systems and network teams should regularly apply patch updates (network, systems, devices, and applications), which should always be tested in a test environment before being scheduled for release to production.

Data Integrity and Availability

To ensure the integrity and high availability of customer data, Processors should maintain full system and data redundancy across multiple, geographically dispersed data centers. Such a redundant design can eliminate single points of failure and provide transparent fail-over within each data center as well as across data centers. Transaction data replicated in near real time across data centers allows transaction load to be transferred at a moment's notice to an alternate data center, in a monitored and controlled manner, should an outage occur. Because near-real-time replication is asynchronous, a fail-over may lose transactions still in flight; the acceptable loss window (recovery point objective) should be defined alongside the recovery time objective and confirmed during fail-over testing. Additional protection can be provided through regular disk image backups that are electronically replicated to the alternate data center locations. A fully redundant design within each data center should include multiple connections to the Internet and to the Payment Networks, each passing through separate carrier trunks that terminate on redundant high-availability routing equipment at the network edge. Should a telecommunications outage occur on one circuit, switching between carriers should take place immediately and automatically, without manual intervention. If one network edge device goes down, its secondary counterpart should take over seamlessly. Each data center should have redundant power service from separate power grids terminating in dual Uninterruptible Power Supplies (UPS), dual power conditioners, and dual Power Distribution Units (PDU). These systems should in turn be backed up by dual on-site generators.

Access Management

Access to production networks, systems, and cardholder data should be controlled, restricted and governed by well-documented policies and procedures. Any access to the cardholder environment should have controls in place to prevent unauthorized access and data leakage. Such controls may include firewalls; network (VLAN) segmentation; token-based multi-factor authentication; controlled terminal access that limits the user's ability to transfer data to removable media; and clear-desk, clear-screen policies.
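The SQL injection defect that the Defense-in-Depth section above expects pre-release application checks to catch, shown as an added example (not code from the i2c white paper or its platform): a string-built login query beside its parameterized fix, run against an in-memory SQLite database. The users table, its columns and rows are constructed sample data; plain-text passwords are a simplification for the demo, real systems compare salted hashes.

```python
"""Added example, not code from the i2c white paper: SQL injection in a
string-built query beside the parameterized version that prevents it.
Schema and rows are constructed sample data (assumed, not from the paper)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "operator"), ("bob", "battery-staple", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: user input is spliced into the SQL text, so quotes and
    operators inside the input are parsed as part of the statement."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Fixed: placeholders bind the input as data; the statement's structure
    is fixed before any user-supplied value is seen by the parser."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both versions with a valid login and with a tautology payload."""
    conn = build_db()
    # In the vulnerable query the WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so every row matches.
    payload = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "x", payload),
        "parameterized_legit": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_injected": login_parameterized(conn, "x", payload),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:24s} {row}")
```

The injected call against the vulnerable function returns the first row in the table without a valid password, while the parameterized function returns no row. Parameters cover values only; table or column names chosen by the user cannot be bound and must be checked against an allow-list instead.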

Event and Activity Monitoring

Continual system and network event and activity monitoring is an important safeguard that helps ensure the integrity and availability of processing services and detects potential unauthorized access attempts in real time. Properly installed and monitored network- and host-based intrusion detection and prevention systems (IDS/IPS), together with tools that collect and intelligently analyze security and event logs such as a Security Information and Event Management (SIEM) solution, provide meaningful data on a continual basis for staff to monitor and respond to alert notifications. Access to system and device logs should be restricted; only independently designated monitoring staff members should be allowed access to these data. File integrity mechanisms should be installed that prevent the erasure of log activity and event data and that detect and report unauthorized access or tampering. Regular activity status reports should be submitted to management by the monitoring teams.

Incident Response and Reporting

Appropriate monitoring and incident response and reporting procedures should be in place, including periodic training and testing, to ensure that any security event or outage is properly handled should one occur. To ensure a prompt and orderly response, incident response and reporting procedures should define potential incident scenarios, alert mechanisms, incident management team members and roles, steps for identification and assessment of the incident, stabilization, chain of custody and evidence preservation, notification of internal Management and external stakeholders, and continued follow-up reporting and notification. For large Processors in particular, monitoring and detection should run continually on a 24x7x365 basis using effective tracking, analysis, and automated alerting tools.
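One way to implement the file integrity mechanism for log data that the Event and Activity Monitoring section calls for, and to give the evidence-preservation step above something to verify against, is a tamper-evident audit log. This is an added example, not code from the i2c white paper: every record carries an HMAC over its own content and the previous record's tag, so an edited, deleted or inserted record breaks the chain, and a head tag held by the monitoring team (assumed here to be shipped to the SIEM) catches truncation of the tail, which a chain alone cannot detect. The key, field names and events are constructed for the demo.

```python
"""Added example, not code from the i2c white paper: a hash-chained,
HMAC-tagged audit log whose verification detects edits, deletions and,
given an externally held head tag, truncation.  Key and events are
constructed for the demo."""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key.  In practice the monitoring team holds it (e.g. in
# the SIEM's secret store) so a host that writes logs cannot re-sign them.
KEY = b"demo-log-integrity-key"
GENESIS = "0" * 64  # tag assumed to precede the first record


def _tag(prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over (previous tag || canonical JSON of the record)."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def append(log: list, record: dict) -> str:
    """Append a record chained to the current head; return the new head tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(prev, record)})
    return log[-1]["tag"]


def verify(log: list, expected_head: Optional[str] = None):
    """Return (True, None) if intact, else (False, index of first bad entry).
    An index equal to len(log) means the chain is internally consistent but
    does not end at the head the monitoring team last received: the tail
    was truncated or the log rolled back."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_tag(prev, entry["record"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    """Three constructed events from a notional operator session."""
    log = []
    for rec in (
        {"ts": "2015-06-01T09:00:00Z", "user": "ops1", "event": "login", "src": "10.0.5.20"},
        {"ts": "2015-06-01T09:02:11Z", "user": "ops1", "event": "export", "rows": 1200},
        {"ts": "2015-06-01T09:05:40Z", "user": "ops1", "event": "logout"},
    ):
        append(log, rec)
    return log


def tamper_checks(log: list) -> dict:
    """Verification results for the clean log and three tampered copies."""
    head = log[-1]["tag"]                      # what the SIEM last received
    edited = copy.deepcopy(log)
    edited[1]["record"]["rows"] = 12           # shrink the export count
    deleted = copy.deepcopy(log)
    del deleted[1]                             # drop the export entirely
    truncated = copy.deepcopy(log)[:2]         # cut off the tail
    return {
        "clean": verify(log, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_checks(build_sample_log()).items():
        print(f"{name:22s} {result}")
```

The unanchored check on the truncated copy passes, which is the point of shipping the head tag off-host on a schedule: without it, an attacker who can write the log file can silently discard the most recent entries. Append-only storage or write-once media on the collector side complements the chain by making erasure itself hard, which the chain only makes visible.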
Post-incident root cause analysis should be performed and recorded in a knowledge base to help avoid similar events in future.

Physical and Environmental Controls

Payment Processors should establish and maintain appropriate physical and environmental safeguards at their data centers, including restricting physical access to authorized individuals. These controls should include automated access control mechanisms (proximity sensors, multi-factor keypad and biometric readers, etc.) monitored on a 24x7x365 basis by on-premise security staff. All visitors should be logged. Entry areas and internal spaces within the data centers should be monitored by surveillance cameras, and security personnel should patrol the inner and outer building areas on a regular basis. Real-time monitoring of network operations and infrastructure should be in place to ensure high availability and alignment with expected service levels. The data center facilities should be protected against physical and environmental events through adequate and effective equipment and facilities such as fire extinguishers, fire detection and suppression, climate controls, and power management and protection (backup diesel generators, UPS, power conditioners, PDUs, etc.).

Disaster Recovery and Business Continuity

Payment Processors should establish a well-documented business continuity and disaster recovery plan with defined recovery time objectives (RTO) and scenario-based strategies designed to address any type of disruption. Disaster recovery and business continuity teams should be selected and trained on executing the plan. The DR/BCP plan should be tested at least annually, and more often whenever significant changes are made to the operating environment. A business impact analysis should be performed against identified risks with the potential to affect mission-critical operations and core business functions. The disaster recovery and business continuity documentation should be reviewed and updated regularly.

Data Disposal

Payment Processors should adopt and follow proper data retention and disposal procedures. Decommissioned media used to store sensitive information should be cleared of all data using secure data erasure tools and then physically destroyed, with a certificate of destruction retained. Paper and CDs should be shredded.

Software Development and Change Management Controls

For Payment Processors that develop software and technologies as a service to customers, change management controls should be established to minimize potential disruption to normal operations and to preserve system and data integrity. Best practice calls for adopting a System Development Life-Cycle (SDLC) methodology that maintains a structured approach to internal software development and updates. Such a controlled process ensures that all changes are reviewed and approved prior to implementation. Post-implementation monitoring is also good practice for application and infrastructure changes. The change management process should also include a log and audit trail tracking the details of each change, including what was changed, when, and by whom.

Separation of Duties and Environments

Internal controls should be established that ensure proper segregation of duties among staff responsible for handling sensitive client data. Production should be maintained in an environment separate from development and testing through network (VLAN) segmentation. A dedicated resource with a separate reporting structure is recommended as the software promotion gatekeeper, in effect controlling all changes released to the production environment. This group would ideally oversee all production environment changes, including IT device configuration changes (and may also operate version control). They would be responsible for holding all changes until successful testing and proper sign-off and approvals have been verified.

Integrity of Personnel

To increase staff quality and reduce the potential for a rogue employee to abuse their access or authority, background verification checks should be performed on all employees upon hire. Employees should also be required to sign confidentiality agreements. In addition, each employee should be required to sign off and acknowledge their understanding of all company policies, including the aforementioned security awareness training.

i2c, Inc. provides the cloud-based infrastructure financial institutions, corporations, brands and governments need to launch and profitably manage payment and next-generation commerce products. Its global-ready platform encompasses card-based, virtual and mobile payments, loyalty and back office solutions. Headquartered in Silicon Valley, California, i2c supports clients on five continents from six sales and support offices worldwide. www.i2cinc.com