Security of Payment Card Data on Cloud-Based Mobile Payment Platforms


Security of Payment Card Data on Cloud-Based Mobile Payment Platforms. Randy Gainer, ACI Forum on Emerging Payment Systems, San Francisco, March 22, 2013.

Topics to be covered: cloud-based mobile payment solutions; what is the cloud? some benefits of moving to the cloud; cloud security concerns; what are the threats to payment data? how cloud-based solutions address the threats; PCI DSS compliance for cloud-based solutions.

Cloud-based mobile payment solutions. Source: Uzma Mahkdumi, Visa, Nov. 15, 2012.

What is the cloud?

What is the cloud? (cont'd)

What is the cloud? (cont'd) "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." Special Publication 800-145, The NIST Definition of Cloud Computing, 2 (Sept. 2011).

What is the cloud? (cont'd) "This cloud model is composed of five essential characteristics, three service models, and four deployment models." Id. The essential characteristics are: on-demand self-service; broad network access; resource pooling; rapid elasticity; measured service.

What is the cloud? (cont'd) Three service models: Software as a Service (SaaS): the consumer uses the provider's applications running on the provider's cloud infrastructure (servers, storage, and network components). Platform as a Service (PaaS): the consumer deploys consumer-created or acquired applications onto the provider's cloud infrastructure using the provider's programming languages and tools. Infrastructure as a Service (IaaS): the consumer deploys and controls its own software on the provider's cloud infrastructure.

What is the cloud? (cont'd) Four deployment models: Private cloud: the cloud infrastructure is provisioned for exclusive use by a single organization. Community cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers. Public cloud: the cloud infrastructure is provisioned for open use by the general public. Hybrid cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public).

Some benefits of moving to the cloud. On-demand self-service: http://aws.amazon.com/ecomomics

Some cloud benefits (cont'd) Vivek Kundra, White House CIO, 2009-2011: "We quickly discovered vast inefficiencies in the $80 billion federal I.T. budget. We also saw an opportunity to increase productivity and save costs by embracing the cloud computing revolution.... [W]e instituted a Cloud First policy." Vivek Kundra, Tight Budget? Look to the Cloud, The New York Times, Op-Ed (Aug. 30, 2011).

Cloud security concerns "Storing payment credentials in the cloud for a digital wallet is new and relatively untested with scale. There are still many unknowns to be addressed.... [P]ayment data can be compromised in the cloud...." Marianne Crowe and Elisa Tavila, Mobile Phone Technology: Smarter Than We Thought. How Technology Platforms are Securing Mobile Payments in the U.S., 16-17, Federal Reserve Bank of Boston (Nov. 16, 2012) ("Crowe & Tavila"), available at http://www.bostonfed.org/bankinfo/payment-strategies/index.htm.

Cloud security concerns (cont'd) Steve Wozniak, co-founder of Apple: "I really worry about everything going to the Cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years." Stephanie Mlot, Wozniak Slams the Cloud as 'Horrendous', PC Magazine (Aug. 6, 2012), available at http://www.pcmag.com/article2/0,2817,2408125,00.asp.

Cloud security concerns (cont'd) Infographic: http://blog.cloudpassage.com/2012/11/30/infographic-security-and-the-cloud-2012/

Threats to payment card data. Verizon, 2012 Data Breach Investigations Report ("2012 Verizon DBIR"), 16 (855 incidents investigated; 174 million records).

Threats to payment card data (cont'd) Figure 17: Threat action categories over time by percent of breaches and percent of records. 2012 Verizon DBIR, 24. "[A]n impressive 61% of all breaches featured a combination of hacking techniques and malware." Id., 23.

Threats to payment card data (cont'd) 2012 Verizon DBIR, 42.

Threats to payment card data (cont'd) Trustwave 2013 Global Security Report, 8.

Threats to payment card data (cont'd) "[I]t is more difficult for anti-virus software to detect targeted malware as malicious. While anti-virus products detected at least 60% of all malware samples in our database, when we focused only on samples found during our compromise investigations, anti-virus detected less than 12% as malicious." Trustwave 2012 Global Security Report, 17 (300+ breaches investigated). "Targeted malware has become the norm in Trustwave's forensic investigations, especially in credit card breaches. In 2012, almost all POS breach investigations involved targeted malware." Trustwave 2013 Global Security Report, 20 (450+ breaches investigated).

Threats to payment card data (cont'd) Targeted malware: customized to avoid detection; allows the attacker to persistently communicate with, and exercise command and control of, the malware inside the target network; used to find assets on the network to steal; permits an attack to adapt and react to defensive efforts (e.g., installs multiple backdoors to maintain the attacker's access).

Threats to payment card data (cont'd) Targeted malware can be delivered by spear phishing through email, IM, Twitter, or P2P networks with a link to a drive-by web site; by finding a port used by a remote access tool with weak authentication credentials; and by tunneling over an encrypted connection, such as SSL, where security tools can't spot the malware package.

Threats to payment card data (cont'd) Trustwave 2013 Global Security Report, 15.

Threats to payment card data (cont'd) Remotely delivered malware targets POS systems. From a DWT animation, available at http://vimeo.com/41021947.

Threats to payment card data (cont'd) Card information can be copied and stored before it's encrypted.

Threats to payment card data (cont'd) Another card data vulnerability: http://www.paymentsjournal.com/strategy/pci_compliance/6659/12983/

Threats to payment card data (cont'd) "Look at the recent breach at Global. I am sure the data was encrypted at many points, but the fact remains the data is in the clear on the card itself and must be presented to the brands in the clear." Annmarie Hart, With Swipe Readers, Encryption Is Not Enough, available at http://www.pymnts.com/briefing-room/security-and-risk/mobile-security/magteks-hart-with-swipe-readers-encryption-is-not-enough-transcript-/.

Threats to payment card data (cont'd) Alleged Global Payments hacker: "They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threat." The alleged hacker claimed he and his colleagues had been in Global Payments' system for 13 months, collecting data monthly. Brian Krebs, Global Payments: Rumor and Innuendo (April 2, 2012), available at http://krebsonsecurity.com/2012/04/global-payments-rumor-and-innuendo/.
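The slides above make the practical point that card data exists in the clear before encryption, on the card itself and, in a long-running intrusion, inside a processor's systems. A standing defensive check is therefore to discover where clear-text PANs and track data turn up in logs and storage (PCI DSS Requirement 3 scoping). The following is an added example, not code from the presentation: a small discovery routine that finds Luhn-valid card numbers and track 2 data in text. The log lines are constructed, and 4111 1111 1111 1111 is a published test PAN, not a real account number.

```python
"""Discover clear-text card numbers (PANs) in text such as application logs.

Added example, not from the presentation. The log lines below are constructed;
4111 1111 1111 1111 is a well-known test PAN, not a real account number.
"""
from __future__ import annotations
import re

# A PAN is 13-19 digits; logs and receipts often group them with spaces or
# dashes. The lookarounds stop a match from starting or ending inside a longer
# digit run (an order id, a timestamp).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic-stripe track 2 as read from the card: ';' start sentinel, PAN,
# '=' separator, expiry YYMM, service code, discretionary data, '?' end.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Luhn-valid PANs in text, separators removed, de-duplicated in order."""
    found: list[str] = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def find_track2(text: str) -> list[tuple[str, str]]:
    """(PAN, expiry YYMM) pairs from clear-text track 2 data in text."""
    return [(pan, exp) for pan, exp in TRACK2.findall(text) if luhn_valid(pan)]


def mask(pan: str) -> str:
    """Render a PAN the way PCI DSS allows it to be displayed:
    at most the first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed POS log: an authorization line, a debug line that leaked the raw
# swipe, and a line whose long numbers are not card data.
SAMPLE_LOG = """\
2013-03-22 10:14:01 pos01 auth ok amt=42.17 card=4111 1111 1111 1111 exp=1509
2013-03-22 10:14:02 pos01 debug swipe=;4111111111111111=15091011000012345?
2013-03-22 10:15:00 pos01 order id=123456789012 ref=4111111111111112
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("clear-text PAN found:", mask(pan))
    for pan, exp in find_track2(SAMPLE_LOG):
        print("track 2 data found:", mask(pan), "expiry", exp)
```

The Luhn filter is what keeps order ids and timestamps out of the results; the last line of the sample log contains a 16-digit number that fails the check and is not reported. Any hit on the debug line is the more serious finding, since full track data may never be stored after authorization.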

Threats to payment card data (cont'd) Data theft costs: Global Payments, Inc., payment card processor, 2012 intrusion. Card data for 1.5 million cards stolen. $35.9 mil. estimated fraud losses, fines, other charges; $60 mil. investigations, remediation, legal; ($2 mil.) insurance recovery; $93.9 mil. total (not including potential litigation costs*). Nov. 30, 2012 Global Payments, Inc. Form 10-Q. *A magistrate judge recommended on Feb. 5, 2013 that all claims against Global should be dismissed.

Threats to payment card data (cont'd) Customers' claims are usually dismissed unless their information is misused or they incur other damages. If information is misused, some customers' claims have been settled: e.g., In re TJX ($12.6 million including fees). Banks, card associations, and state AGs have succeeded in recovering damages from merchants: e.g., in In re TJX, banks and Visa settled for a reported $40.9 million; banks and MasterCard settled for a reported $24 million; and state AGs settled for $9.75 million. Total of the TJX settlements: $87.25 million.

Cloud-based solutions. Payment card data is not transferred at the POS. Instead, identifying information from the customer is connected to her card data in the cloud. Card data can be encrypted when it's stored or processed on cloud platforms.

Cloud-based solutions (cont'd) Crowe & Tavila, 22.

Cloud-based solutions (cont'd) Crowe & Tavila, 23.

Cloud-based solutions (cont'd) The Cloud Security Alliance maintains the Cloud Controls Matrix to assist providers in meeting audit requirements, including the PCI DSS. See https://cloudsecurityalliance.org/research/ccm/.

Cloud-based solutions (cont'd) Auditors have confirmed that some cloud providers meet key security requirements. See, e.g., AWS: Risk and Compliance, 6-9 (Jan. 2013), http://media.amazonwebservices.com/aws_risk_and_compliance_whitepaper.pdf, describing AWS's SSAE 16 SOC 1 and SOC 2 certifications, FISMA Moderate authorization, PCI DSS Service Provider Level 1 validation, and other certifications. See also Peak 10's blog posting about its PCI DSS Level 1 validation (Jan. 2013), http://www.peak10.com/blog/post/peak-10-cloudvalidated-for-payment-card-industry-pci-compliance.

Cloud-based solutions (cont'd) In other words, auditors have confirmed that AWS and Peak 10 securely operate, manage, and control "the components from the host operating system and virtualization layer down to the physical security of the facilities." See, e.g., AWS, Overview of Security Processes, 3 (May 2011), available at http://media.amazonwebservices.com/pdf/aws_security_whitepaper.pdf ("AWS Security Whitepaper").

Cloud-based solutions (cont'd) AWS and Peak 10 have obtained PCI DSS Service Provider Level 1 validation for their IaaS services. Figure 1 from Wayne Jansen and Timothy Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Pub. No. 800-144, 5 (Dec. 2011) ("NIST Public Cloud Guidelines").

Cloud-based solutions (cont'd) "Security responsibility across the cloud service models generally migrates toward the client as the client moves from a SaaS model (least responsibility) to an IaaS model (most responsibility)." PCI DSS Cloud Computing Guidelines, 4 (Feb. 2013).

Cloud-based solutions (cont'd) Shared responsibility. AWS Security Whitepaper, 12.

Cloud-based solutions (cont'd) Instance isolation (figure; the lower layers are marked "AWS responsibility"). AWS Security Whitepaper, 13.

Cloud-based solutions (cont'd) Meeting PCI DSS Requirements with AWS and CloudPassage (Jan. 24, 2013), available at http://vimeo.com/58163237.

Cloud-based solutions (cont'd) Responsibility for each PCI DSS requirement: 1. Shared; 2. Shared; 3. Shared; 4. Customer; 5. Customer; 6. Shared; 7. Shared; 8. Shared; 9. CSP; 10. Shared; 11. Shared; 12. Shared.* *See PCI DSS Cloud Computing Guidelines 2.0, Appendix A. PCI DSS v2, 5 (Oct. 2010).

Cloud-based solutions (cont'd) PCI DSS Cloud Computing Guidelines, Appendix A.

Cloud-based solutions (cont'd) Id.

Cloud-based solutions (cont'd) Id.

Cloud-based solutions (cont'd) Id.

Cloud-based solutions (cont'd) Id.

Cloud-based solutions (cont'd) Instance isolation (figure; the lower layers are marked "AWS responsibility"). AWS Security Whitepaper, 13.

Cloud-based solutions (cont'd) Cloud customers can confirm that their providers comply with those PCI DSS requirements for which the providers take responsibility by obtaining the providers' Attestations of Compliance and audit reports.

Cloud-based solutions (cont'd) Customers can use guidelines and vendor assistance to help meet the PCI DSS requirements for which customers remain responsible, e.g., PCI SSC, PCI DSS Cloud Computing Guidelines (Feb. 2013); PCI SSC, PCI DSS Virtualization Guidelines (June 2011); NIST Public Cloud Guidelines; Lawrence C. Miller, CISSP, Network Security in Virtualized Data Centers for Dummies (2012) ("Miller"); and Meeting PCI DSS Requirements with AWS and CloudPassage (Jan. 24, 2013), available at http://vimeo.com/58163237 ("CloudPassage").

Cloud-based solutions (cont'd) Trustwave 2013 Global Security Report: "Cloud-based application deployments introduce no fundamentally new application challenges. Rather, the security difficulties are policy- and procedure-driven, not technical. [M]any organizations fail to document those responsibilities when transitioning to a cloud environment." p. 50. PCI DSS Cloud Computing Guidelines: "The responsibility for security controls needs to be clearly understood by both the client and CSP. If these security responsibilities are not properly understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed." p. 6.
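The responsibility split on the earlier slide (requirements 1-3, 6-8 and 10-12 shared; 4-5 customer; 9 CSP) and the warning just above that organizations fail to document those responsibilities go together: the failure mode is a shared requirement where one party assumes the other is covering it. The following is an added example, not from the presentation or the PCI SSC, of a check that a customer's written responsibility matrix covers every requirement, agrees with the expected split, and records both parties' duties for every shared requirement. The matrix document, its line format and the duties it lists are constructed for illustration.

```python
"""Check a documented PCI DSS responsibility matrix against the split the
slide gives for requirements 1-12, and flag shared requirements whose
division of duties is undocumented.

Added example, not from the presentation or the PCI SSC. The matrix document
below and its line format are constructed; the duties are illustrative only.
"""
from __future__ import annotations

# Assignment from the slide: 1-3, 6-8, 10-12 shared; 4-5 customer; 9 CSP.
SLIDE_ASSIGNMENT = {
    1: "Shared", 2: "Shared", 3: "Shared", 4: "Customer", 5: "Customer",
    6: "Shared", 7: "Shared", 8: "Shared", 9: "CSP", 10: "Shared",
    11: "Shared", 12: "Shared",
}


def parse_matrix(doc: str) -> dict[int, dict[str, str]]:
    """Parse lines of the form 'Req N: Owner | CSP: duties | Customer: duties'.

    Returns {N: {"owner": ..., "CSP": ..., "Customer": ...}}; a party with no
    duties on the line is absent from its dict.
    """
    matrix: dict[int, dict[str, str]] = {}
    for raw in doc.splitlines():
        line = raw.strip()
        if not line.startswith("Req "):
            continue                      # headings, blank lines, comments
        head, *parts = [p.strip() for p in line.split("|")]
        number, owner = head[len("Req "):].split(":", 1)
        entry = {"owner": owner.strip()}
        for part in parts:
            party, _, duty = part.partition(":")
            if duty.strip():              # 'Customer:' with nothing after it is undocumented
                entry[party.strip()] = duty.strip()
        matrix[int(number)] = entry
    return matrix


def find_gaps(matrix: dict[int, dict[str, str]],
              expected: dict[int, str] = SLIDE_ASSIGNMENT) -> list[str]:
    """Gaps an assessor would raise: missing rows, an owner that disagrees with
    the expected split, and shared requirements with one party's duties missing."""
    gaps: list[str] = []
    for req, owner in expected.items():
        entry = matrix.get(req)
        if entry is None:
            gaps.append(f"Req {req}: not in matrix")
            continue
        if entry["owner"] != owner:
            gaps.append(f"Req {req}: documented as {entry['owner']}, expected {owner}")
        if owner == "Shared":
            for party in ("CSP", "Customer"):
                if party not in entry:
                    gaps.append(f"Req {req}: shared, but {party} duties undocumented")
    return gaps


# Constructed customer matrix with two typical defects (Req 6 and Req 10).
SAMPLE_MATRIX = """\
# Responsibility matrix, IaaS deployment (constructed)
Req 1: Shared | CSP: perimeter network controls | Customer: instance firewall rules
Req 2: Shared | CSP: hypervisor hardening | Customer: hardened images, no vendor defaults
Req 3: Shared | CSP: media disposal | Customer: PAN encryption and key management
Req 4: Customer | Customer: TLS on every PAN transmission
Req 5: Customer | Customer: anti-malware on every instance
Req 6: Shared | CSP: hypervisor patching
Req 7: Shared | CSP: data centre access | Customer: least-privilege access to cardholder data
Req 8: Shared | CSP: provider staff credentials | Customer: unique IDs and two-factor admin access
Req 9: CSP | CSP: physical security of facilities
Req 10: Customer | Customer: OS and application audit logs
Req 11: Shared | CSP: infrastructure vulnerability scans | Customer: ASV scans and IDS
Req 12: Shared | CSP: provider security policy | Customer: policy and incident response plan
"""

if __name__ == "__main__":
    for gap in find_gaps(parse_matrix(SAMPLE_MATRIX)):
        print(gap)
```

Requirement 6 in the sample is the classic gap: the provider patches the hypervisor, and nobody has written down that patching the guest operating system and the application is the customer's job. Requirement 10 shows the other direction, a customer claiming sole ownership of a requirement the expected split treats as shared, so the provider's part (logging at the infrastructure layer) goes unstated.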

Cloud-based solutions (cont'd) PCI Virtualization Guidelines: "Appropriate security controls should be identified and implemented in a virtualized environment that provide the same level and depth of security as can be achieved in a physical environment." p. 16. "It's also critical that all individual virtual machines are installed and configured securely and according to industry best practices and security guidelines." Disable or remove all unnecessary interfaces, ports, devices and services; securely configure all virtual network interfaces and storage areas; establish limits on VM resource usage; ensure all operating systems and applications running inside the virtual machine are also hardened. p. 18.
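The first item on that hardening list, disabling unnecessary ports and services, is one a customer can verify on its own IaaS instances, since the guest operating system is the customer's responsibility. The following is an added example, not from the presentation or the PCI SSC: it compares the listening sockets reported by `ss -tlnp` on a Linux guest against the short list of services the instance is supposed to expose. The `ss` output and the expected-services list are constructed for illustration.

```python
"""Flag listening services on a VM that are not on its expected-services list,
one check from the hardening list quoted above (disable or remove unnecessary
ports and services). Added example, not from the presentation or the PCI SSC.
The `ss -tlnp` style output and the expected-services list are constructed.
"""
from __future__ import annotations
import re

# What a hardened payment-application instance is expected to expose
# (constructed policy): HTTPS to the world, SSH only on the private address.
EXPECTED = {
    ("0.0.0.0", 443): "nginx",
    ("10.0.1.5", 22): "sshd",
}

# One LISTEN row of `ss -tlnp`: state, queues, local addr:port, peer, process.
ROW = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """(address, port, process name) for every LISTEN row; other lines ignored."""
    listeners: list[tuple[str, int, str]] = []
    for line in ss_output.splitlines():
        m = ROW.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"]))
    return listeners


def audit_listeners(ss_output: str, expected=EXPECTED) -> list[str]:
    """Findings: sockets not in the expected list, or served by the wrong process."""
    findings: list[str] = []
    for addr, port, proc in parse_listeners(ss_output):
        want = expected.get((addr, port))
        if want is None:
            findings.append(f"unexpected listener: {proc} on {addr}:{port}")
        elif want != proc:
            findings.append(f"{addr}:{port} served by {proc}, expected {want}")
    return findings


# Constructed output: telnet and VNC left enabled, and sshd also bound to
# every IPv6 address rather than only the management address.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    10.0.1.5:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1204,fd=6))
LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=1410,fd=5))
LISTEN 0      50     0.0.0.0:5900       0.0.0.0:*         users:(("Xvnc",pid=1502,fd=4))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(finding)
```

The check is deliberately keyed on address and port together: an expected service bound to an unexpected interface (sshd on every IPv6 address here) is reported just like a service that should not be running at all. Run on a schedule and diffed against the previous result, it also serves as a change-detection control for Requirement 11.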

Cloud-based solutions (cont'd) NIST Public Cloud Guidelines, 15: "Audit mechanisms and tools should be in place to determine how data is stored, protected, and used, to validate services, and to verify policy enforcement. A risk management program should also be in place that is flexible enough to deal with the continuously evolving and shifting risk landscape."

Cloud-based solutions (cont'd) Miller, 42: "Today's threat landscape renders traditional port-based firewalls and other security solutions largely ineffective. Next-generation firewalls provide key differentiating features to uniquely address the traditional trade-offs between security and other critical requirements, such as performance, flexible integration, and visibility of traffic. A next-generation firewall performs a true classification of data center traffic, based not simply on port and protocol but on an ongoing process of application analysis, decryption, decoding, and heuristics as well."
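The classification Miller describes, deciding what an application is from the traffic itself rather than from the port number, is the control that catches the earlier slide's "tunneling over an encrypted connection" delivery path: a port-based rule sees only that TCP 443 is allowed. The following is an added example, not from the presentation or from Miller, showing the idea in its simplest form: identify the protocol from the first bytes a client sends and report flows where that protocol is not the one the port is permitted for. The flows and the per-port policy are constructed, and only three protocols are recognized.

```python
"""Identify the application protocol from the first bytes of a TCP payload
instead of trusting the destination port, the classification idea behind
next-generation firewalls. Added example, not from the presentation or from
Miller; the flows and the per-port policy below are constructed.
"""
from __future__ import annotations

HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/")


def classify(payload: bytes) -> str:
    """Return 'tls', 'ssh', 'http' or 'unknown' for the first client bytes."""
    # TLS record header: content type 0x16 (handshake), version 0x03.0x00-0x04.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-"):        # SSH identification string (RFC 4253)
        return "ssh"
    if payload.startswith(HTTP_STARTS):    # clear-text HTTP request line
        return "http"
    return "unknown"


# Application permitted on each outbound port (constructed policy).
EXPECTED_ON_PORT = {80: "http", 443: "tls", 22: "ssh"}


def port_mismatches(flows):
    """flows: iterable of (source, destination port, first payload bytes).
    Returns (source, port, seen application) for every flow whose payload does
    not carry the application the policy permits on that port."""
    out = []
    for src, port, payload in flows:
        app = classify(payload)
        expected = EXPECTED_ON_PORT.get(port)
        if expected is not None and app != expected:
            out.append((src, port, app))
    return out


# Constructed flows: two normal, three that a port-based rule would pass but
# that carry a different application than the port implies.
SAMPLE_FLOWS = [
    ("10.0.1.20", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.1.21", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.1.22", 443, b"POST /upload HTTP/1.1\r\nHost: 198.51.100.7\r\n"),
    ("10.0.1.23", 80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.1.24", 443, b"SSH-2.0-OpenSSH_6.2\r\n"),
]

if __name__ == "__main__":
    for src, port, app in port_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> port {port}: expected {EXPECTED_ON_PORT[port]}, saw {app}")
```

Each of the three reported flows is something a port-only firewall would allow: clear-text HTTP on 443, a TLS handshake on 80, and SSH on 443. A production classifier goes much further (decrypting TLS where policy allows, parsing the ClientHello's server name, tracking state across the connection), but every such product starts from the same decision to look at the bytes and not the port.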

Cloud-based solutions (cont'd) CloudPassage:

Questions? Randy Gainer, (206) 757-8047, randygainer@dwt.com