PCI DSS Scope Misconceptions: Focusing Compliance Efforts Where it Matters Most
M. Yousuf Faisal, Principal Consultant, GRC & PCI Practice Lead (PCI-QSA, PCIP, CISSP, CISM, CISA)
26 September 2014
Agenda
> Introduction
> Definition of PCI Scope & Scoping Process
> Options for Reducing Scope
> Common Misconceptions for Avoiding Compliance
> Overlooked Scope
> Q&A
Yousuf Faisal-Public-FINAL-v0.1 26 September 2014 2
NTT Com Security: Global Information Security & Risk Management Provider
NTT Com Security Services Pillars: Consulting & Managed Services
Technology Services: Security Architecture Design, Product Selection, Global Procurement, Global Deployment, Global Staging, Deployment Project Management
Consulting Services: Vulnerability Assessment, Penetration Testing, Code Review, Secure Coding, Data Loss Prevention, SIEM Advisory, Regulatory Standards Advisory, Compliance, Risk Assessment & Audits, Security Strategy & Policy Development, Security Awareness
Managed Security Services: Technical security phone support, Remote Monitoring Service, Remote Management Service (MSaaS)
NTT's Global Threat Intelligence Report
During 2013
* NTT researched the threats and published the Global Threat Intelligence Report 2014 (GTIR)
* We analyzed more than 3 billion attacks on our customers over the course of 2013 (that's 97 separate attacks per second)
Findings
* 95% of losses could be reduced by focused investment
* 43% of incident response engagements were the result of malware
* 34% of events were the result of botnet activity
* The report also details specific case studies: malware, Zero node, SQL injection
RESULTS: On average a typical organization is targeted once every minute of every day, including weekends, evenings, and holidays. During this presentation, your internet-connected device will be attacked probably half a dozen times and your organization will be attacked between 20-30 times.
Importance of PCI DSS Scoping
> Most important step in the PCI journey = a defined scope for PCI DSS applicability
> Overly broad scope = can lead to extra cost, and it would be difficult to achieve compliance with PCI DSS
> Too narrow scope = non-compliance / breach: non-compliance is inevitable, with higher chances of compromise
PCI DSS Scope Discovery Objectives
> Introduce the PCI-DSS process and requirements and the scoping approach
> Determine all systems and processes that handle cardholder data
> Determine transaction volumes (aggregate and per card brand) per year
> Determine individuals or job roles with access to cardholder data
> Determine the locations where cardholder data is stored
> Map the physical and electronic data flow of cardholder information
> Determine in-house or third-party applications storing, processing, or transmitting cardholder data
> Determine third parties with whom cardholder data is shared
> Determine the current extent of the PCI-DSS scope
> Determine appropriate sampling methods for a PCI Gap Analysis or PCI QSA Assessment
> Make recommendations for reducing the applicable PCI-DSS scope
PCI DSS Scoping Defined
Cardholder Data Environment (CDE): the people, processes and technologies that process, transmit or store cardholder data and sensitive authentication data.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.
Identifying PCI DSS Scope Applicability
> Electronic: E-commerce, Backend processing, Account records, Unstructured data
> Physical: Datacenters, Offices/Shops, POS Terminals, Printouts, Hardcopy forms
> Phone: Recorded conversations, Processes
> Personnel: IT staff, Customer service, Accounting, Payment teams
Cardholder Data Flow Diagram (New Req.)
Show the flow of cardholder data (Req. 1.1.3)
> Logical flow, not a network diagram (although a network diagram is likely a good place to start)
[Example flow diagram: Processor --SFTP--> Call Center (no storage) --HTTPS over PCI LAN--> Main Firewall --> Application Server (no storage) --ODBC--> PCI DB (3-year storage)]
Other Flow Diagrams (Examples only)
[Example flow diagrams, nodes only: Cardholders (phone, fax, e-mail, in person); Sales Dept; Credit Dept; Order Entry Dept (data entry); Bluth Company application; Order packets; Forms; E-mail server; E-mails; Scanned forms; File room (mid-term storage); Warehouse (long-term storage); Retail store; POS terminal; Retail workstation; Imprints; Treasury Dept; Omni Merchant Services; Yoyodyne; Studio; pull binders; send sale forms; Clientele books]
PCI DSS Requirements
Build and Maintain a Secure Network
> Requirement 1: Install and maintain a firewall configuration to protect cardholder data
> Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
> Requirement 3: Protect stored cardholder data
> Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
> Requirement 5: Use and regularly update anti-virus software or programs
> Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
> Requirement 7: Restrict access to cardholder data by business need to know
> Requirement 8: Assign a unique ID to each person with computer access
> Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
> Requirement 10: Track and monitor all access to network resources and cardholder data
> Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
> Requirement 12: Maintain a policy that addresses information security for all personnel
PCI DSS Process (Levels)
> Validation / compliance levels and their requirements are determined by the card brands
> All levels must have 3rd-party ASV scans
> Depending on level, either self-assessment or 3rd-party QSA assessment is required
> Applies to any organization that stores, processes, or transmits cardholder data
> Levels don't change the compliance requirements
> Some requirements may not be applicable
CDE and Beyond (e.g. Flat Network)
[Network diagram: Web, Email, DMZ, PCI DMZ, Online Shop DB, LAN DB, Active Directory, Wi-Fi, PCI LAN, Call Center, IT, Users]
CDE and Beyond (e.g. Wireless Intrusion)
[Same network diagram, showing an intrusion via Wi-Fi]
CDE and Beyond (e.g. Infected PC)
[Same network diagram, showing an infected user PC]
CDE and Beyond (e.g. Data Exfiltration)
[Same network diagram, showing data exfiltration]
CDE and Beyond (e.g. Network Segmentation)
[Same network diagram with the Cardholder Data Environment segmented: PCI DMZ, Online Shop DB, PCI LAN, Call Center; "No Direct Public Access" to the CDE]
CDE and Beyond (Connected-To Systems)
[Same segmented diagram: Active Directory and IT (via 2-factor) are "In Scope" as systems connected to the Cardholder Data Environment]
Reducing Scope and Cost
> Get rid of unnecessary cardholder data: if you don't have it, nobody can steal it
> Outsource it to a PCI-compliant 3rd party: make it somebody else's problem
> P2PE: make sure you can't even decrypt the data
> Tokenize data: if it's not a credit card number, PCI doesn't care anymore
> Mask displayed cardholder data: the fewer people who see it, the better
> Segment networks: it's easier to put your valuables in a safe than to protect the whole building
Data Retention Misconceptions
"We need to keep records of credit card transactions for [arbitrary long time]"
> Chargebacks: 18 months
> Lawsuits: 2 years
> Taxes: 7 years (but you probably don't need the full PANs)
> Don't guess: ask processors, accountants, and legal
"We need to keep card numbers on file for recurring transactions or refunds"
> Cards can be authorized for multiple transactions
> Tokens can be used for refunds
Outsourcing Misconceptions
"I don't have any cardholder data, so I don't have to worry about PCI"
"A 3rd party handles cardholder data for me, so it's out of scope"
> There are still a number of requirements that apply, for example tracking 3rd-party PCI compliance
> You are still responsible for assessing 3rd parties
> Using 3rd parties who are already PCI compliant can make this much easier
Service Providers (Req. 12.8)
Third-party service providers that may have an impact on the security of the cardholder data environment:
> Store, process, or transmit cardholder data on their behalf
> Manage components such as routers, firewalls, databases, hosting/physical security, or server management
Parties should clearly identify responsibilities (Req. 12.8.5):
> The services and system components which are included in the scope of the service provider's PCI DSS assessment (an inventory helps!)
> The specific PCI DSS requirements covered by the service provider
> If everybody assumes somebody else is doing it, then nobody is doing it!
Stuart Moen-Public-Draft-v01 27 Jun 2014 23
3rd Party Management
Vulnerability Management
> Who is responsible for reviewing the risk of vulnerabilities, and who is responsible for remediating residual ones?
Service providers need to provide written acknowledgement of responsibility (Req. 12.9)
> Effective July 2015
> Written acknowledgement to customers about applicable responsibilities
> Mirrors requirement 12.8.2
> Good idea to start new contracts now
3rd Party Access
The 2-factor authentication requirement applies to 3rd parties (Req. 8.3)
> Specifically includes vendor access for support or maintenance
> Applies to remote network access
Service providers: use unique credentials for each customer (Req. 8.5.1)
> Effective July 2015
> Two-factor authentication helps here!
Service Providers (Clarifications)
Third-party service providers that may have an impact on the security of the cardholder data environment:
> Store, process, or transmit cardholder data on their behalf
> Manage components such as routers, firewalls, databases, physical security, and/or servers
Parties should clearly identify responsibilities:
> The services and system components which are included in the scope of the service provider's PCI DSS assessment
> The specific PCI DSS requirements covered by the service provider
> Any requirements which are the responsibility of the service provider's customers to include in their own PCI DSS reviews
3rd Party Checkout
[Diagram: Users --Internet--> Processor; Workstation, Webserver and Database shown outside the payment path]
Point to Point Encryption (P2PE)
[Diagram: P2PE-certified terminal --> Processor; Workstation, Web / Application server and Database shown outside the encrypted path]
Encryption Misconceptions
P2PE (or E2EE)
> Use certified terminals and implement them properly
> If non-validated terminals or home-grown solutions based on the same P2PE principles are used, the QSA/ISA would have to assess and validate that they are correctly implemented
Backups
> Backups containing CHD are in scope: they need to be rendered unreadable as per PCI Req. 3.4
> If transferred to another location / 3rd party without the decryption keys, they may be considered out of scope
Tokenization (Tokenizing the PAN)
[Diagram: Workstation, Web / Application server and Database exchange tokens; only the Processor handles the PAN]
Scope Clarification on Use of Tokenization
Ground rules: systems that are always in scope
> Token server
> PAN data storage / vault and key manager (encrypting the tokens)
> Tokenization & de-tokenization application
In addition, determine systems in scope with:
> Capability to make requests to the token server: if yes, in scope
> Suitable use of random tokens (generation methods, e.g. random token number generators, one-time pads, and unique code books)
> Systems containing tokenized data placed within the CDE: if yes, in scope. The recommended approach is to place such systems (tokenized data) outside the CDE using network segmentation.
[Yousuf Faisal-Confidential-FINAL-v0.2] 25-09-2014 31
Network Segmentation
Segmentation Misconceptions
"Users won't be able to access anything in the CDE"
> You can open nearly any port, you just need to document your justification
> Certain insecure ports are banned
> It doesn't have to be PCI related
> Just remember, anything with access is back in scope
"I need VPNs and tokens to access everything in the CDE"
> Network-level access needs 2-factor authentication
> Non-network-level access does not
> 2 passwords is not 2-factor authentication
> Certificates are a 2nd factor
NTTCS 3-Tiered Model for Scoping
Tier 1: System components that directly store, process, or transmit cardholder data
> PCI DSS requirements are applicable
> Restrict access to these system components as much as possible to limit the scope
Tier 2: System components that are allowed to connect with anything in Tier 1 (both inbound & outbound traffic) but do not store, process, or transmit cardholder data
> PCI DSS requirements are applicable to the extent that they are relevant; ensure that there is only the minimum required connectivity with Tier 1 systems
> No need to restrict access to these system components beyond what is already required by PCI DSS
Tier 3: System components that are incapable of connecting to any system component in Tier 1
> Out of scope for PCI DSS compliance
> Should be moved to Tier 2 if it is discovered that there is any way to connect to Tier 1 components
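The three tiers above, as an added worked example that is not part of the original deck: given a constructed system inventory (which systems store, process or transmit CHD) and the permitted flows from a constructed firewall rule set, the code derives the tiers, flags direct public access to Tier 1, and finds Tier 3 systems that can still reach Tier 1 through intermediate hops, which the last bullet says must be re-tiered. All names, flows and the "public" zone label are assumptions for the example.

```python
"""Added example, not from the original deck: derive the NTTCS tiers from a
system inventory and the permitted flows of a firewall rule set.
Constructed assumptions: Tier 1 = systems flagged as storing, processing or
transmitting CHD; a flow is (src, dst, port); direction is ignored for Tier 2
because the deck counts inbound AND outbound connectivity to Tier 1; "public"
names the Internet zone and is never tiered itself."""
from collections import defaultdict

# Constructed inventory: system name -> does it store/process/transmit CHD?
INVENTORY = {
    "pci-db": True, "pci-app": True, "call-center-ws": True,
    "active-directory": False, "ntp": False, "jump-host": False,
    "hr-fileserver": False, "guest-wifi-ap": False, "web-dmz": False,
}

# Constructed permitted flows (src, dst, port) as read from firewall/ACL rules.
FLOWS = [
    ("public", "web-dmz", 443),
    ("call-center-ws", "pci-app", 443),
    ("pci-app", "pci-db", 1433),
    ("pci-app", "active-directory", 389),  # supporting infra used by the CDE
    ("pci-db", "ntp", 123),                 # supporting infra used by the CDE
    ("jump-host", "pci-app", 22),           # admin access: 2-factor required
    ("hr-fileserver", "jump-host", 22),
    ("hr-fileserver", "active-directory", 389),
    ("public", "pci-app", 443),             # misconfiguration to be flagged
]


def classify(inventory, flows):
    """Return {"tier1", "tier2", "tier3"} sets per the deck's definitions."""
    tier1 = {name for name, chd in inventory.items() if chd}
    peers = defaultdict(set)  # undirected adjacency: in- and outbound both count
    for src, dst, _port in flows:
        peers[src].add(dst)
        peers[dst].add(src)
    tier2 = set().union(*(peers[s] for s in tier1)) - tier1
    tier2.discard("public")
    tier3 = set(inventory) - tier1 - tier2
    return {"tier1": tier1, "tier2": tier2, "tier3": tier3}


def public_access_to_cde(inventory, flows):
    """Flows that give the Internet zone direct access to Tier 1 (must be none)."""
    tier1 = classify(inventory, flows)["tier1"]
    return [f for f in flows if f[0] == "public" and f[1] in tier1]


def indirect_reach(inventory, flows):
    """Tier 3 systems with a directed multi-hop path into Tier 1; the deck says
    these belong in Tier 2 if 'any way to connect' exists. Returns {system: path}."""
    tiers = classify(inventory, flows)
    out = defaultdict(set)  # directed adjacency, following the rule direction
    for src, dst, _port in flows:
        out[src].add(dst)
    found = {}
    for start in sorted(tiers["tier3"]):
        parent, queue = {start: None}, [start]  # breadth-first search
        while queue:
            node = queue.pop(0)
            if node in tiers["tier1"]:
                path = []
                while node is not None:  # walk parents back to the start
                    path.append(node)
                    node = parent[node]
                found[start] = path[::-1]
                break
            for nxt in sorted(out[node]):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
    return found


if __name__ == "__main__":
    print(classify(INVENTORY, FLOWS))
    print("public -> CDE:", public_access_to_cde(INVENTORY, FLOWS))
    print("indirect paths:", indirect_reach(INVENTORY, FLOWS))
```

In the sample, Active Directory and NTP land in Tier 2 purely because CDE systems use them (the "Supporting Infrastructure" point later in the deck), and the HR file server is Tier 3 by the direct-connectivity rule yet reaches the CDE through the jump host.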
Other Options: Open PCI Scoping Toolkit
> http://itrevolution.com/pci-scoping-toolkit/ (registration required)
> http://www.isaca.org/groups/professional-english/pci-compliance/groupdocuments/openpciscopingtoolkit.pdf (direct download)
Other Impacts of Incorrect Scoping
Other requirements affected:
> Annual Risk Assessment
> ASV external quarterly scans
> Internal quarterly vulnerability scans
> Annual penetration testing (or after any significant change)
> & more
Results: higher cost / spending; wasted time, effort & resources; non-compliance
Case Study: Reducing Scope (Insurance Company)
> Conducted a scope reduction pre-assessment
> A few applications processing credit cards in-house required many new controls
> Many departments had outsourced credit card processing
> Recommended outsourcing all processing
> Avoided a major network redesign
> Over 100 compliance requirements no longer applicable
> Achieved compliance in weeks instead of months
Common Misconceptions for Avoiding Compliance
"We only handle cardholder data for someone else"
> The PCI definition applies: an organization that handles cardholder data on behalf of another organization is known as a service provider.
> Service providers have 2 options when confronted with customers with PCI requirements
"We don't store cardholder data" (only transmit or process CHD)
> PCI DSS applies to organizations that process or transmit cardholder data in addition to those storing cardholder data.
> Layer 2 network providers (such as ISPs or telecoms providing frame relay, ATM, and MPLS links) are exempt
Common Misconceptions for Avoiding Compliance
"We use PA-DSS compliant applications and/or P2PE compliant terminals"
> These can help reduce the scope of PCI, but they do not eliminate it completely.
> PA-DSS and P2PE validated solutions are in scope and need to be implemented in a PCI-compliant manner.
"We only accept EMV Chip-and-PIN cards"
> Systems that only use Chip-and-PIN cards are still in scope
> EMV offers security advantages over cards with a magnetic stripe for card-present transactions
> EMV cards still have magnetic stripes that can be copied, and they work the same as other cards in card-not-present transactions
Overlooked Scope
System components that transmit CHD but do not store cardholder data (CHD)
> PCI DSS applies to system components that process and transmit cardholder data in addition to those that store cardholder data.
> Examples such as web servers, application servers, workstations, thin clients, and mobile devices that transmit cardholder data without storing it are in scope.
Network infrastructure transmitting cardholder data (CHD)
> Infrastructure within the CDE is likely transmitting cardholder data and should be considered in scope as part of the CDE itself.
> A VLAN is a valid method to create logical segments, but actual separation between the CDE and other networks would still require a firewall or another form of access control list to satisfy PCI DSS.
Supporting infrastructure
> Other supporting infrastructure, such as password management systems (e.g. Active Directory or RADIUS), DNS services, patching systems, and network time synchronization protocols, will often be on a separate network segment from the systems that directly handle cardholder data, but would be considered in scope for PCI DSS compliance if they are used by system components in the cardholder data environment.
Overlooked Scope (Contd.)
Development: in-house built applications
> Organizations that develop internal applications handling CHD will have to consider the impact of compliance on their development teams.
> PCI Requirement 6 deals with techniques for developing and deploying secure software.
> Many sub-requirements apply to development staff, including how they write and test their code as well as how the system administration staff deploy that code to the production environment.
Individuals who access the CDE without regularly accessing cardholder data
> System administrators, network administrators, database administrators, and developers will access the cardholder data environment
> They may have access to data, decryption keys, security settings, etc.
> Even if the employee is not malicious, their workstation could be compromised by malware and their access leveraged to effect a breach. As a result, these individuals and the workstations they use for access to the CDE fall in scope for PCI DSS compliance.
Overlooked Scope (Contd.)
Legacy data: often forgotten
> Many organizations will migrate to newer processing systems without completely retiring legacy systems, instead allowing them to continue running for archival or reference purposes. Although these systems may no longer be in active use, they are still in scope if they contain cardholder data: an attacker who successfully breached them would be able to retrieve cardholder data just the same as if he compromised the new replacement system.
Unstructured data: cardholder data in unknown locations
> Often employees will create their own work process, such as retrieving data from a database into an Excel file and then emailing that Excel file to another employee for reporting purposes. This represents unstructured data, as it is no longer within the structured environment of a database and application. If this unstructured data contains cardholder data, then it is in scope for PCI DSS compliance.
Overlooked Scope (Contd.)
Paper records
> Physical documents containing cardholder data are in scope for PCI DSS compliance.
> There are a number of requirements of note that would apply to paper records, e.g.:
> Physical security (Requirement 9), including the destruction of hard copies (Requirement 9.8.1), would be applicable.
> Any documents would also have to be stored and destroyed in accordance with the organization's data retention and disposal policy as defined in Requirement 3.1.
Phone calls: often forgotten cardholder data being stored as part of call recordings
> Personnel and IT infrastructure involved in handling cardholder data via phone are in scope for PCI DSS compliance. Typical IT concerns would include Voice over IP (VoIP) infrastructure, call recording, and screen recording for quality assurance purposes.
> Adequate segmentation between VoIP and data is needed, or, if they are mixed, VoIP encryption is required.
> Recorded account numbers would have to be rendered unreadable (usually encrypted) as per Requirement 3.4, while Sensitive Authentication Data would have to be purged, as its storage after authorization is prohibited under Requirement 3.2.
Case Study 2: Level 1 Merchant
Background
> First PCI audit in 2012
> Successfully passed to date
> Business relies on payment service providers
> Betting and gaming compliance requirements
> Using PCI-compliant service providers
Key challenges and how they were mitigated
> Expanding client base and ongoing agility requirements
> Limited size of security team
> Business has to meet peak demands (such as during major sporting events)
> Established flexibility in their compliance programmes to work around key business events
> Initiated monthly governance meetings involving key stakeholders
> Conducted pre-audit assessments
KEY TAKEAWAYS
> Hire qualified & experienced consultants or staff
> Scope your environment appropriately
> Validate the scope on a yearly basis / after any change
> Plan ahead for changes
> Self-assess or 3rd-party gap analysis
> Security is a shared responsibility: document roles & responsibilities
> Monitor emerging threats
> Increase staff awareness regularly
> Create governance frameworks for more efficient audits and sustainable compliance
> Keep your focus on security & not on compliance
NTT Com Security Proposed Approach
> Scope Reduction Assessment: accurately determine the scope and applicability of PCI-DSS, and therefore the cost of remediation and assessment
> Data Discovery: look for unexpected cardholder data outside the bounds of PCI-DSS applicability and make recommendations for reducing the scope
> Scope Remediation: take steps to reduce the scope of PCI-DSS applicability
> Gap Analysis: find areas of non-compliance and recommend realistic remediation activities to prepare for a PCI assessment
> Control Remediation: begin work with IT, management, and staff to remediate areas of non-compliance
> PCI QSA Assessment or Self-Assessment Assistance: perform an assessment of current PCI-DSS compliance and complete a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) suitable for submission to processors or card brands
> PCI Support Services (Year 2+): maintain regularly scheduled support activities such as PCI ASV scans, penetration tests, application assessment tests, and wireless scans, to prevent last-minute surprises
PCI Support Services
PCI Req. | Task | NTT Com Security Service
1.1.1 | Approval and testing of firewall configurations | Managed Security Services / Firewall Compliance Management
10 | Track and monitor all access to network resources and cardholder data | Managed Security Services
1, 6, 11, 12 | Various | Managed Security Services
3.4 | Render PAN unreadable in storage | Encryption and Key Management
3.5, 3.6 | Key management | Encryption and Key Management
5.1, 5.2 | Deploy anti-virus | Anti-Virus / Data Protection / Mobile Device Management
6.3, 6.5, 6.6 | Develop secure software applications | Code Review / WAF / App Sec
PCI Support Services
PCI Req. | Task | NTT Com Security Service
7, 8 | Restrict access to cardholder data by business need to know; assign a unique ID to each person with computer access | Authentication / Identity Management
10 | Track and monitor all access to network resources and cardholder data | Security Information and Event Management (SIEM)
11.5 | File-integrity monitoring | Security Information and Event Management (SIEM)
11.1 | Wireless IDS/IPS | Intrusion Detection / Prevention
11.4 | IDS/IPS | Intrusion Detection / Prevention
11.5 | File-integrity monitoring | Intrusion Detection / Prevention
PCI Support Services
PCI Req. | Task | NTT Com Security Service
11.2 | Internal and external network vulnerability scans | Vulnerability Scanning (* NTT Com Security is an Approved Scanning Vendor (ASV))
11.3, 6.6 | Network penetration testing; application penetration testing | Penetration Testing
12 | Policies and procedures | Policy & Procedure Development
1, 2.2 | Firewall, router, and system configuration standards | Policy & Procedure Development
12.6 | Security awareness training | Training
12.2 | Annual Risk Assessment | GRC Risk Insights
12.9 | Incident Response | GRC
http://www.nttcomsecurity.com/us/services/consulting-services/pcidss/pci-landing-page/
Q&A
Thank you
M. Yousuf Faisal, Principal Consultant - GRC & PCI Practice Lead (PCI-QSA, PCIP, CISSP, CISM, CISA)
26 September 2014