Auditing PCI Compliance
Tim Marley CPA, CIA, CISA, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director, University of Oklahoma
September 30, 2015

Introductions

Me
  Harold's MIS, October 2005 (PCI DSS 1.0)
  OU IT Security, January 2009 (PCI DSS 1.2)
  CPISM/CPISA, August 2009
  PCI ISA, September 2011 (PCI DSS 2.0)
  OU Internal Audit, November 2011

You
  Certified/trained in PCI compliance?
  Currently auditing PCI compliance?
  Familiar with PCI compliance?
  Pondering what the PCI stands for?
Quick overview

Conceptually / Chronologically
  Visa CISP 10/1999
  PCI DSS 1.0 12/2004
  PCI DSS 1.1; PCI SSC founded 9/2006
  TJX 45M 12/2006
  PCI DSS 1.2 10/2008
  Heartland 130M 1/2009
  PCI DSS 1.2.1 7/2009
  PCI DSS 2.0 10/2010
  PCI DSS 3.0 11/2013
  Target 42M 12/2013
  Home Depot 56M 9/2014
  PCI DSS 3.1 4/2015
What's special about higher ed?
  E-commerce (hosted)
  Small shop
  Point of Sale
  Complex Enterprise
  Campus
  Multiple Campuses
  Internal Cloud Services
  Athletics Concessions
  Multiple Processors

Approach
  Determine your validation requirements
  Audit by merchant or by campus/university?
  Who owns the compliance responsibility?
  How many owners do you have?
  How many merchants do you have?
  How complex is your environment?
  How mature is your compliance effort?

By process
  1. Operational audit: compliance owner
     CFO, CIO, Bursar, treasurer, cashier, registrar, IT, etc.
     Appropriate signature on the validation submission to the processor/acquiring bank
     Policy and procedures
     Efficiencies
     Effectiveness*
  2. *Compliance audit: merchants and compliance owner
     Split into logical populations (SAQ A, B, C, etc.) for sampling purposes
     Perform a risk analysis/assessment similar to the annual audit plan?
     Achieve economies of scale

Merchant audit process
  Verify:
    the scope for the cardholder data environment;
    the correctness of the validation form/media, etc. (i.e. did they use the proper SAQ, if applicable);
    the accuracy and completeness of the merchant's submission;
    compliance with applicable organizational policies.
Validation

SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.
SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.
SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
SAQ P2PE: Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.
SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.
Validation
  https://www.pcisecuritystandards.org/documents/saq_instrguidelines_v3-1.pdf

PCI DSS 3.1: 12 high-level requirements
  1. Install and maintain a firewall configuration to protect cardholder data (23 reqs)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (12 reqs)
  3. Protect stored cardholder data (22 reqs)
  4. Encrypt transmission of cardholder data across open, public networks (4 reqs)
  5. Protect all systems against malware and regularly update anti-virus software or programs (6 reqs)
  6. Develop and maintain secure systems and applications (28 reqs)
  7. Restrict access to cardholder data by business need to know (10 reqs)
  8. Identify and authenticate access to system components (23 reqs)
  9. Restrict physical access to cardholder data (27 reqs)
  10. Track and monitor all access to network resources and cardholder data (32 reqs)
  11. Regularly test security systems and processes (16 reqs)
  12. Maintain a policy that addresses information security for all personnel (39 reqs)
Each requirement may have multiple tests

SAQ    Description                                                          # Tests w/ responses
A      Card not present                                                     ~14
A-EP   E-commerce                                                           ~143
B      Imprint machines, and/or standalone, dial-out terminals              ~41
B-IP   Standalone, PTS-approved payment terminals                           ~87
C-VT   Virtual payment terminal solution                                    ~78
C      Payment application systems, no electronic cardholder data storage  ~144
P2PE   PCI SSC-listed P2PE                                                  ~35
D      SAQ D for Merchants: all other merchants not included above          ~332
SAQ D Testing

Organizational Policy
  By campus standards
  Assign responsibilities
    Business Units
    Bursar
    Human Resources
    IT Support
    IT Security/Compliance
    CSIRT
Organizational Policy: Education

PCI SSC Internal Security Assessor (ISA)
  Improve your understanding of PCI DSS and how it can help protect your customer data and your business
  Help your organization build internal expertise
  Facilitate interaction with a QSA for your organization
  Enhance payment card data security and manage compliance costs
  Earn CPE credits
  https://www.pcisecuritystandards.org/training/isa_training.php
PCI SSC Internal Security Assessor (ISA)

ISA Eligibility Requirements
  The ISA candidate must be a full-time employee of a Sponsor Company that is in Good Standing at the time when the application for the employee's ISA qualification is considered by PCI SSC (the "Application Time");
  PCI SSC must have on file an executed and effective Sponsor Attestation from the ISA's Initiating Sponsor Company; and
  https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Initial ISA Qualification Requirements
  All applicable ISA Eligibility Requirements must continue to be satisfied, the ISA candidate must continue to be a full-time employee of its Initiating Sponsor Company, and the Initiating Sponsor Company must continue to be in Good Standing;
  The ISA candidate must successfully complete all required initial ISA Program training and legitimately pass, of his or her own accord, each examination conducted as part of that training;
  The ISA candidate must read and agree to adhere to the PCI SSC Code of Professional Responsibility; and
  The ISA candidate must accept the ISA Attestation as part of the training and exam process.
  https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Recommended ISA Experience
  ISA training is intended for individuals who already possess significant relevant technical and security audit and assessment experience. Candidates will ideally possess the following or equivalent experience:
  Sufficient information security knowledge and experience to conduct technically complex security assessments;
  Emphasis on internal information systems and security audit work as a Sponsor Company employee;
  Strong understanding of payment processes, related systems, and PCI DSS;
  Annual information systems audit training to support applicable continuing professional education requirements (for example, 20 hours of such training annually and 120 hours of such training over the immediately preceding rolling three-year period); and
  The following additional qualifications:
    University or undergraduate degree;
    Five years applicable work experience;
    One year of experience performing information security audits similar to QSA Assessments, or three separate such audits, or other equivalent as determined by the Sponsor Company;
    Demonstrated expertise in at least three relevant areas including network security, application security and consultancy, system integration; and
    One or more of the following industry-recognized professional certifications (possessing one certification from each list is recommended, but not required):
      List A, Information Security: Certified Information System Security Professional (CISSP); Certified Information Security Manager (CISM)
      List B, Audit: Certified Information Systems Auditor (CISA); GIAC Systems and Network Auditor (GSNA); Certified ISO 27001 Lead Auditor, Internal Auditor; International Register of Certificated Auditors (IRCA) Information Security Management System (ISMS) Auditor
  https://www.pcisecuritystandards.org/documents/isa_qualification_requirements_v2.0.pdf

Pre-requisite course curriculum
  Online training that concludes with a 50-question multiple-choice exam
    Understanding the PCI SSC and its role
    Defining the processes involved in card processing
    PCI roles and responsibilities
    Understanding cardholder data
    Defining network segmentation
    PCI DSS assessments
  CANDIDATES MUST PASS THIS EXAM BEFORE SCHEDULING 2-DAY ISA TRAINING
  https://www.pcisecuritystandards.org/training/isa_training_course_highlights.php

ISA course contents
  PCI DSS requirements and testing procedures
  Report on Compliance (ROC) documentation
  QA-ROC review
  Compensating controls

ISA course options
  Instructor-led
  eLearning
  https://www.pcisecuritystandards.org/training/isa_training_course_highlights.php
Recent changes: 3.0 and 3.1

3.0 (98 changes)
  74 clarifications
  5 additional guidance
  19 evolving requirements

3.1 (36 changes)
  30 clarifications
  4 additional guidance
  4 evolving requirements

Key changes in 3.0
  1.1.2/1.1.3: Clarified what the network diagram must include and added a new requirement at 1.1.3 for a current diagram that shows cardholder data flows.
  2.4: New requirement to maintain an inventory of system components in scope for PCI DSS, to support development of configuration standards.
  5.3: New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2) and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis.
  11.3: New requirement to implement a methodology for penetration testing.
  11.3.4: New requirement, if segmentation is used to isolate the CDE from other networks, to perform penetration tests to verify that the segmentation methods are operational and effective.
  12.8.5: New requirement to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
  12.9: New requirement for service providers to provide the written agreement/acknowledgment to their customers as specified at requirement 12.8.
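The merchant audit step "verify the scope for the cardholder data environment" and the 3.0 requirements just listed (2.4 inventory, 1.1.3 data-flow diagram, 11.3.4 segmentation testing) all turn on the same question: which components can reach cardholder data? The following is an added example, not code from the presentation or from PCI SSC; the inventory, the permitted segment-to-segment rules, the diagram/inventory lists and the "observed" segmentation-test results are all constructed, and the conservative choice to treat anything with a transitive network path to the CDE as in scope is this example's assumption, not a PCI SSC ruling.

```python
"""Added example: check a constructed system inventory against the PCI DSS
scoping points above (CDE scope, 3.0 req 2.4 inventory, 1.1.3 data-flow
diagram, 11.3.4 segmentation). All data below is constructed."""
from collections import deque

# Constructed inventory. 'chd' marks components that store, process or
# transmit cardholder data; 'segment' is the network zone they sit in.
INVENTORY = {
    "pos-terminal-01": {"segment": "cde", "chd": True},
    "payment-gw":      {"segment": "cde", "chd": True},
    "cde-jumphost":    {"segment": "mgmt", "chd": False},
    "bursar-pc-07":    {"segment": "office", "chd": False},
    "student-wifi-ap": {"segment": "guest", "chd": False},
}

# Constructed segmentation rules: (src_segment, dst_segment) pairs the
# firewall permits. Anything not listed is documented as blocked.
ALLOWED = {("mgmt", "cde"), ("office", "mgmt")}

# Constructed lists of what the data-flow diagram (1.1.3) and the system
# inventory (2.4) actually document.
DIAGRAMMED = {"pos-terminal-01"}
INVENTORIED = {"pos-terminal-01", "payment-gw", "cde-jumphost"}

# Constructed result of a segmentation test (11.3.4): every (src, dst)
# pair the tester could actually reach.
OBSERVED = {("mgmt", "cde"), ("office", "mgmt"), ("guest", "cde")}


def segments_reaching(target_segments, allowed):
    """All segments that can reach a target segment, directly or through
    other segments, found by walking the permitted pairs backwards."""
    reach = set(target_segments)
    queue = deque(target_segments)
    while queue:
        dst = queue.popleft()
        for src, d in allowed:
            if d == dst and src not in reach:
                reach.add(src)
                queue.append(src)
    return reach


def compute_scope(inventory, allowed):
    """Classify each component as 'cde' (handles CHD or shares a segment
    with something that does), 'connected' (has a path to a CDE segment,
    so still in PCI DSS scope under this example's conservative rule), or
    'out' (no permitted path to the CDE)."""
    cde_segments = {c["segment"] for c in inventory.values() if c["chd"]}
    connected = segments_reaching(cde_segments, allowed) - cde_segments
    scope = {}
    for name, comp in inventory.items():
        if comp["segment"] in cde_segments:
            scope[name] = "cde"
        elif comp["segment"] in connected:
            scope[name] = "connected"
        else:
            scope[name] = "out"
    return scope


def audit_findings(inventory, allowed, diagrammed, inventoried):
    """Findings an auditor would raise: in-scope components missing from
    the data-flow diagram or from the system component inventory."""
    findings = []
    for name, cls in compute_scope(inventory, allowed).items():
        if cls == "out":
            continue
        if cls == "cde" and name not in diagrammed:
            findings.append(f"{name}: in CDE but absent from data-flow diagram (1.1.3)")
        if name not in inventoried:
            findings.append(f"{name}: in scope ({cls}) but absent from system inventory (2.4)")
    return findings


def segmentation_gaps(allowed, observed):
    """Paths the segmentation test reached that the documented rules do not
    permit; each one means the segmentation control is not effective (11.3.4)."""
    return sorted(observed - allowed)


if __name__ == "__main__":
    for name, cls in compute_scope(INVENTORY, ALLOWED).items():
        print(f"{name:16s} {cls}")
    for finding in audit_findings(INVENTORY, ALLOWED, DIAGRAMMED, INVENTORIED):
        print("FINDING:", finding)
    for src, dst in segmentation_gaps(ALLOWED, OBSERVED):
        print(f"SEGMENTATION GAP: {src} -> {dst} reachable but not permitted")
```

With the constructed data, the guest segment is out of scope on paper, but the segmentation test shows guest reaching the CDE, which is exactly the condition 11.3.4 exists to catch; the office PC is pulled into scope only because of the transitive office -> mgmt -> cde path, which is the kind of result that should prompt a conversation about whether that rule is needed.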
Key changes in 3.1
  2.2.3, 2.3, and 4.1: Removed SSL as an example of a secure technology. Added a note that SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016.

Tools/resources

Official resources and references
  pcisecuritystandards.org
    Documents Library
    Training
    News and Events
      PCI NA Community Meeting
    Get Involved
      Participating Organization
      Special Interest Groups (SIGs)
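Returning to the 3.1 change above: an auditor testing requirement 4.1 after June 30, 2016 needs evidence that SSL and early TLS are not actually negotiated, not just a policy statement. One piece of such evidence is the protocol version carried in captured handshakes. The following is an added example, not code from the presentation or from PCI SSC: it parses the version fields of a TLS ClientHello or ServerHello record (record version, legacy version field, and the supported_versions extension) and reports any SSLv3/TLS 1.0/TLS 1.1 that the hello would offer or select. The sample records are constructed by the helper in the block rather than captured, and the treatment of TLS 1.1 as "early TLS" alongside 1.0 is this example's choice (the slide names only SSL and early TLS).

```python
"""Added example (not from the presentation): report the protocol versions a
TLS ClientHello/ServerHello offers or selects, for checking captured
handshakes against the 3.1 note on SSL and early TLS. Records are constructed."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
STRONG = {0x0303, 0x0304}   # this example treats anything below TLS 1.2 as early TLS/SSL
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_extensions(data):
    """Split a TLS extensions block into {type: payload}."""
    exts, pos = {}, 0
    while pos + 4 <= len(data):
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        exts[etype] = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def handshake_versions(record):
    """Return (record_version, legacy_version, versions) for a ClientHello
    (type 1) or ServerHello (type 2) carried in one TLS record. 'versions' is
    the supported_versions list (ClientHello) or the selected version
    (ServerHello), empty if the extension is absent."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    msg_type = body[0]
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_ver = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                                  # skip legacy_version + random
    pos += 1 + hs[pos]                            # skip session_id
    if msg_type == 1:                             # ClientHello
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                     # compression_methods
    elif msg_type == 2:                           # ServerHello
        pos += 2 + 1                              # cipher_suite + compression_method
    else:
        raise ValueError("unsupported handshake type")
    versions = []
    if pos + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        sv = parse_extensions(hs[pos + 2:pos + 2 + ext_len]).get(SUPPORTED_VERSIONS_EXT)
        if sv is not None:
            if msg_type == 1:                     # 1-byte length, then 2-byte versions
                versions = [struct.unpack("!H", sv[1 + i:3 + i])[0] for i in range(0, sv[0], 2)]
            else:                                 # single selected version
                versions = [struct.unpack("!H", sv[:2])[0]]
    return rec_ver, legacy_ver, versions


def weak_versions(record):
    """Names of SSL/early TLS versions this hello would offer (ClientHello) or
    has selected (ServerHello). A ClientHello without supported_versions only
    reveals the highest version it offers, so a strong result there does not
    prove the client would refuse a downgrade."""
    _, legacy, versions = handshake_versions(record)
    candidates = set(versions) if versions else {legacy}
    return sorted(VERSION_NAMES.get(v, hex(v)) for v in candidates if v not in STRONG)


def build_hello(msg_type, legacy_version, supported=None, record_version=0x0301):
    """Constructed minimal ClientHello/ServerHello wrapped in one TLS record
    (sample input for this example, not a capture)."""
    hs = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    if msg_type == 1:
        hs += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"          # one suite, null compression
    else:
        hs += b"\x00\x2f" + b"\x00"
    exts = b""
    if supported:
        if msg_type == 1:
            payload = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        else:
            payload = struct.pack("!H", supported[0])
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(payload)) + payload
    hs += struct.pack("!H", len(exts)) + exts
    body = bytes([msg_type]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, record_version, len(body)) + body


CLIENT_HELLO_TLS10 = build_hello(1, 0x0301)
CLIENT_HELLO_MIXED = build_hello(1, 0x0303, [0x0303, 0x0302, 0x0301])
CLIENT_HELLO_MODERN = build_hello(1, 0x0303, [0x0304, 0x0303])
SERVER_HELLO_SSL3 = build_hello(2, 0x0300, record_version=0x0300)
SERVER_HELLO_TLS13 = build_hello(2, 0x0303, [0x0304])

if __name__ == "__main__":
    for label, rec in [("client TLS1.0", CLIENT_HELLO_TLS10), ("client mixed", CLIENT_HELLO_MIXED),
                       ("client modern", CLIENT_HELLO_MODERN), ("server SSLv3", SERVER_HELLO_SSL3),
                       ("server TLS1.3", SERVER_HELLO_TLS13)]:
        print(f"{label:14s} weak: {weak_versions(rec) or 'none'}")
```

The ServerHello is the authoritative evidence, since it states the version actually selected; a ClientHello only shows what was offered. Running the inspector over a sample of handshakes from the cardholder data environment, alongside the server configuration review, gives the auditor two independent sources for the same control.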
Less official resources and references
  treasuryinstitute.org/pci-dssworkshop-2016
    Continuing education
    Higher education only
    Focus on implementations, case studies and shared experiences
  Vendors
    Caveat emptor
    Look for higher ed experience

QUESTIONS
Tim Marley CPA, CIA, CISA, GSNA, CISSP, CIPP, CISM, PCI ISA, PCIP
IT Audit Director, University of Oklahoma
tim.marley@ou.edu
www.ou.edu/audit
twitter: @timmarley
desk 405.325.5418
cell 405.613.8500