Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007



Similar documents
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS Reporting WHITEPAPER

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI Compliance. Top 10 Questions & Answers

PCI Compliance Top 10 Questions and Answers

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI DSS Top 10 Reports March 2011

Becoming PCI Compliant

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PAI Secure Program Guide

PCI Compliance: How to ensure customer cardholder data is handled with care

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

PCI Data Security Standards

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

Josiah Wilkinson Internal Security Assessor. Nationwide

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Using Skybox Solutions to Achieve PCI Compliance

Two Approaches to PCI-DSS Compliance

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Did you know your security solution can help with PCI compliance too?

GFI White Paper PCI-DSS compliance and GFI Software products

Project Title slide Project: PCI. Are You At Risk?

PCI DSS Requirements - Security Controls and Processes

PCI Security Compliance

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

PCI Data Security Standards (DSS)

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Thoughts on PCI DSS 3.0. September, 2014

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

See page 16. Thomas A. Vallas

PCI DSS. Payment Card Industry Data Security Standard.

PCI Compliance: Protection Against Data Breaches

Achieving Compliance with the PCI Data Security Standard

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

How To Protect Visa Account Information

Presented By: Bryan Miller CCIE, CISSP

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI Requirements Coverage Summary Table

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) v1.2

How To Protect Your Business From A Hacker Attack

New PCI Standards Enhance Security of Cardholder Data

Passing PCI Compliance How to Address the Application Security Mandates

Continuous compliance through good governance

Overcoming PCI Compliance Challenges

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

March

Franchise Data Compromise Trends and Cardholder. December, 2010

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

An article on PCI Compliance for the Not-For-Profit Sector

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Frequently Asked Questions

How To Protect Your Data From Being Stolen

Introduction. PCI DSS Overview

ASDI Full Audit Guideline Federal Aviation Administration

PCI Requirements Coverage Summary Table

Need to be PCI DSS compliant and reduce the risk of fraud?

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

How To Protect Your Credit Card Information From Being Stolen

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

University of Sunderland Business Assurance PCI Security Policy

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Your Compliance Classification Level and What it Means

Data Security for the Hospitality

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Property of CampusGuard. Compliance With The PCI DSS

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

HOW SECURE IS YOUR PAYMENT CARD DATA?

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

Enforcing PCI Data Security Standard Compliance

PCI DSS. CollectorSolutions, Incorporated

Payment Card Industry Data Security Standard

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Technology Innovation Programme

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

AlienVault for Regulatory Compliance

PCI Data Security Standard 3.0

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

Transcription:

Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation = PCI Certification PCI Requirements for Security Testing CORE IMPACT How It Helps with PCI Certification Customer Case Study PCI Deadlines and Clarifications Why You Should Care Now Next Steps & Questions 1

About the Speaker About Tom Kellermann VP, Security Awareness Represents Core in government and industry security working groups Certified Information Security Manager (CISM) Previously Senior Data Risk Management Specialist for the Treasury of the World Bank Co-author of E-safety and Soundness: Securing Finance in a New Age, E-security: Risk Mitigation in Financial Transactions and Mobile Risk Management Security Basics and Compliance Challenges PCI Standard Recap: It s Basic Security Keep customer records secure as merchants and processors store, transmit and manage credit and debit card data. Mandates basic security best practices that include implementing and ensuring the effectiveness of: Firewalls Passwords and other security parameters Encryption and other data protection measures Anti-virus applications Security patches Data access control and tracking measures Security testing applications, including scanning and pen testing IPS, IDS and other defensive applications End-user awareness and incidentresponse programs A diligent company that makes proper use of security defenses and implements basic security policies can meet most of the requirements prior to even reviewing itself for PCI compliance. 2

Security Basics and Compliance Challenges Easier said than done? There s a lot to do Some guidelines are phrased in a confusing fashion Interpretation is often up for debate, particularly among audit firms Multiple levels of merchants and service provides Confusion about who is responsible for doing what Where s the low-hanging fruit? Testing security defenses and end-user security awareness is one of the easiest things you can do to comply with and validate a broad swath of PCI requirements. Compliance + Validation = PCI Certification Compliance vs. Validation Merchant Level II? Service Provider Level 1? There is no difference in compliance requirements. The confusion is between compliance and validation. Compliance» Implementing the security measures and policies outlined in the Standard Validation» Proving that you are compliant You must do BOTH to achieve PCI certification 3

Compliance + Validation = PCI Certification Visa PCI Validation Requirements Merchant Level Service Provider Level Annual On-Site PCI Assessment by a QSA (or internal if signed by officer) Validation Requirements Annual PCI Self- Assessment Questionnaire Quarterly Network Scan by an ASV 1 1 & 2 2, 3 & 4* 3 Notes for Merchants: Any merchant that has an account data compromise may be escalated to Level 1. Compliance validation is required for Level 1, 2 and 3 merchants, and may be required for Level 4 merchants. *Specific validation requirements for Level 4 vendors are set by the acquiring banks. Compliance + Validation = PCI Certification Self Assessment or Third-Party Assessment Either way, you need to confirm that your defensive infrastructure and security policies are in-place and working. In both cases, performing your own security testing and specifically penetration testing helps with compliance and validation. 4

PCI Requirements for Security Testing Security assurance (aka testing and proving) permeates the PCI Standard over 40 occurrences of test, ensure and assure. Requirement 1: Firewalls 1.1.1 Test network connections and firewall changes. Requirement 2: System passwords and security parameters 2.2 Assure that system configuration standards address vulnerabilities. Requirement 5: Anti-virus software 5.1.1 Ensure that anti-virus programs can detect, remove, and protect against malware. 5.2 Ensure that anti-virus mechanisms are current, running, and generating audit logs. Requirement 6: Secure systems and applications 6.1 Ensure that system components and software have the latest security patches. 6.3.1 Test all security patches and system and software configuration changes. PCI Requirements for Security Testing Requirement 11: Regularly test security systems and processes 11.1 Test security controls, limitations, network connections, and restrictions to assure the ability identify and stop unauthorized access attempts. 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. 11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-todate. Requirement 12: Maintain an end-user information security policy 12.9.2 Implement an incident response plan and test it annually. 5

CORE IMPACT CORE IMPACT: Automated Penetration Testing Safely test your systems, end users and end-user applications against real-world data breach attempts see your security from an attacker s point of view. identify real vulnerabilities in operating systems and OS services measure end-user response to social engineering attacks test and tune information security defensive infrastructure validate the security of system upgrades, modifications and patches establish an audit trail of your vulnerability management practices Evaluate security defenses and policies on an ongoing basis with Rapid Penetration Tests (RPT) that integrate pen testing best practices into a wizard-driven interface. Full reporting and audit trails provide info required by PCI auditors. CORE IMPACT IMPACT allows you to test, ensure and assure the effectiveness of all the security defenses and policies in the requirements we mentioned previously 6

CORE IMPACT Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1.1 Establish firewall configuration standards that include a formal process for approving and testing all external network connections and changes to the firewall configuration. (IMPACT assists with Reqs 1.2 and 1.3 as well) CORE IMPACT Requirement 2: Do not use vendorsupplied defaults for system passwords and other security parameters 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industryaccepted system hardening standards 7

CORE IMPACT Requirement 5: Use and regularly update anti-virus software or programs 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. CORE IMPACT Requirement 6: Develop and maintain secure systems and applications 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. 6.3.1 Test all security patches and system and software configuration changes before deployment (IMPACT also assists with Req 6.2) 8

CORE IMPACT Requirement 11: Regularly test security systems and processes 11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). CORE IMPACT Requirement 11: Regularly test security systems and processes 11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 9

CORE IMPACT Requirement 11: Regularly test security systems and processes 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date. CORE IMPACT Requirement 12: Maintain a policy that addresses information security for employees and contractors 12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security. 12.9.2 Implement an incident response plan and test it annually. 10

CORE IMPACT It also tests a number of other things that the Standard implicitly assumes should be tested and effective, such as: the cardholder data access restriction (section 7) tracking and monitoring mandates (section 10) Customer Case Study Case Study: Level 2 Merchant Seeking Security Testing Solution for PCI Processes millions of card transactions per year IT Security Manager wanted a way to verify his company s security posture and determine where vulnerabilities were and how they could be compromised - and to help determine how to fix weaknesses. Specifically, he wanted to: validate and confirm the vulnerabilities identified in GFI LANGuard network scans verify that the company s anti-virus solutions are working confirm that the latest OS patches are in-place get metrics on end-user security awareness test the functionality of their intrusion prevention system 11

Customer Case Study Other pen testing options He considered bringing in third-party consultants, but he wanted to keep test results in the family IT people are often apprehensive about revealing security weaknesses outside the organization test regularly to stay on top of infrastructure changes and ahead of new threats He considered manual testing using publicly available exploits, but Downloading exploits off the Internet isn t exactly the most responsible thing to do. he needed a commercial solution Customer Case Study Justification He saw PCI as an easy way to justify the purchase of something that he needed to do anyway, (in his words) since pen testing directly fulfills requirement 11.3 and supports compliance with many other requirements By helping him prevent data breaches, the product would also help his company maintain the company s level 2 merchant status. If the company suffered a breach, they would likely be moved to Level 1 and have to undergo annual on-site PCI assessments (in addition to incurring financial penalties). 12

Customer Case Study Business Case Fulfillment of PCI requirements / Help prevent data breaches Commercial-grade product that s developed by professionals All exploits are thoroughly tested, guaranteed to be safe, and regularly updated Used by hundreds of major organizations and government agencies Recommended by people at conferences he attended For auditors: a clear, complete record of his testing practices and proof that security measures are working Rapid Penetration Tests would allow self-sufficient testing without extra staff It was a no-brainer Why You Need to Care Now Upcoming deadlines and fines Acquiring banks that fail to ensure compliance by Sept. 30, 2007 will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31, 2007. Who is responsible for what Acquiring banks (financial institutions that grant retailers and other entities the approval they need to accept credit cards) are responsible for ensuring that merchants comply with the standard and that the merchants use service providers that comply. Acquiring banks are bound by the compliance validation dates and face penalties for missed deadlines and non-compliant merchants. If you are a merchant, your acquiring bank will most likely pass these penalties on to you. 13

Why You Need to Care Now The Interchange Rate Penalty Oct. 1, 2007: non-compliant merchants will no longer qualify for the best available tiered interchange rates from Visa. Interchange rates apply to each transaction and is paid to card issuers by acquirers, which ordinarily pass the fees to merchants with a markup. Visa and Interlink transactions submitted by noncompliant merchants will be downgraded one interchange tier starting October 1. Why You Need to Care Now The Interchange Rate Penalty: Effect on Profits of a Billion-Dollar Company Reduction in profits from debit card transactions Current Tier 1 interchange rate:.62% New rate for non-compliant merchants:.81% Profit reduction for a billion-dollar company (33% of transactions being debit card-based): $627,000 per year Reduction in profits from credit card transactions Current Tier 1 interchange rate: 1.43% New rate for non-compliant merchants: 1.47% Profit reduction for a billion-dollar company (33% of transactions being credit card-based): $132,000 per year Total Profit Reduction: $759,000 per year Would reduce a 6% overall profit to 4.735% (doesn t incl. other fines) 14

Recognition We have reviewed, tested, and played with many products and applications over the years, but none of them compare to CORE IMPACT. - informit.com, May 4, 2007 CORE IMPACT was a blast to test and a product I am certain would benefit organizations that choose to engage it. - ISSA, May 4, 2007 CORE IMPACT 6.0 is an amazing tool to validate your security posture. - Information Security Magazine, January 16, 2007 "We rate CORE IMPACT as Lab Approved and we will be adding it to our test bench for the coming year." - SC Magazine, January 7, 2007 Wall Street Journal Technology and Innovation Award: Runner-Up, IT Security and Privacy September 2006 eweek Excellence Awards: Vulnerability Assessment and Remediation May 2006 "After using IMPACT it seems obvious to us that manual penetration is obsolete." By Earl Geer "Organizations concerned with maintaining a tight security profile will appreciate Core Security Technologies' CORE IMPACT 6..." By Cameron Sturdevant Info Security Hot Company February 2006 Sample IMPACT Customers Banking and Financial Services Retail Media / Entertainment / Travel Manufacturing 15

Sample IMPACT Customers Federal / State / Local Government Energy and Utilities Professional Services Telecommunications Sample IMPACT Customers Technology Healthcare Education 16

Next Steps See a CORE IMPACT demonstration Enter your name, company, email and phone in the Webex question window if you d like to see a product demo. Get more information about Security Testing and PCI All attendees will receive links to a Security Testing for PCI resources kit and a recorded version of this webcast. Questions Any questions? Contact us: Tom Kellermann, VP of Security Awareness tom.kellermann@coresecurity.com Mike Yaffe, Director of Product Marketing mike.yaffe@coresecurity.com Phone: +1 (617) 399-6980 www.coresecurity.com 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information