Retour d'expérience PCI DSS

Similar documents
Becoming PCI Compliant

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Josiah Wilkinson Internal Security Assessor. Nationwide

Presented By: Bryan Miller CCIE, CISSP

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Frequently Asked Questions

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

PCI Data Security Standards

PCI DSS Requirements - Security Controls and Processes

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS. Payment Card Industry Data Security Standard.

PCI DSS v2.0. Compliance Guide

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI Requirements Coverage Summary Table

How To Protect Your Business From A Hacker Attack

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Project Title slide Project: PCI. Are You At Risk?

PCI Compliance. Top 10 Questions & Answers

Your Compliance Classification Level and What it Means

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI Compliance Top 10 Questions and Answers

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

PCI DSS. CollectorSolutions, Incorporated

Payment Card Industry Data Security Standards.

PCI Requirements Coverage Summary Table

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

University of Sunderland Business Assurance PCI Security Policy

PCI Compliance: How to ensure customer cardholder data is handled with care

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PCI Security Compliance

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Technical breakout session

PCI Compliance Overview

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

PCI DSS Compliance Guide

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

PCI COMPLIANCE GUIDE For Merchants and Service Members

PCI Data Security and Classification Standards Summary

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Two Approaches to PCI-DSS Compliance

Qualified Integrators and Resellers (QIR) Implementation Statement

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Accepting Payment Cards and ecommerce Payments

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Payment Card Industry (PCI) Data Security Standard

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Payment Card Industry (PCI) Data Security Standard

Enforcing PCI Data Security Standard Compliance

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Why Is Compliance with PCI DSS Important?

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures

Passing PCI Compliance How to Address the Application Security Mandates

A Rackspace White Paper Spring 2010

How To Protect Your Credit Card Information From Being Stolen

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

How To Ensure Account Information Security

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry Data Security Standard

How To Protect Visa Account Information

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Achieving PCI-Compliance through Cyberoam

It is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Achieving Compliance with the PCI Data Security Standard

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

HOW SECURE IS YOUR PAYMENT CARD DATA?

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

74% 96 Action Items. Compliance

Registry of Service Providers

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI DSS v3.0. Compliance Guide

How to complete the Secure Internet Site Declaration (SISD) form

Transcription:

Retour d'expérience PCI DSS Frédéric Charpentier OSSIR : Retour d'expérience PCI DSS - 1

XMCO PARTNERS : Who are we? Xmco Partners is a consulting company specialized in IT security and advisory Xmco Partners is independent : the company is owned by its founders Our customers are Banks, Telecoms operators, Insurances and Governmental institutions The company is composed of 10 consultants working in a "project mode". OSSIR : Retour d'expérience PCI DSS - 2

XMCO PARTNERS : Consulting and Advisory services Penetration tests Ethical hacking In-depth penetration tests performed by true security experts Network and Application level Security audits ISO 27002 and PCI DSS Technical and organizational assessment. Remediation, follow-up and certification process Vulnerability watch Dedicated vulnerability alerts, support and solutions. Intrusion response and Forensics Specialists of Intrusion Detection, logs correlation and forensics analysis OSSIR : Retour d'expérience PCI DSS - 3

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 4

Being PCI compliant means that your acquirer bank agrees that your e-business platform handles customer credit cards with maximum care. To prove that to your bank, an organism named PCI Council have write 224 mandatory controls, organized into 12 main requirements. The e-business company must comply with theses requirements, perform a certification assessment and sent a Report on Compliance to the acquirer bank. If the bank accept the Report on Compliance, depending of the accuracy of the delivered documentation, the platform PCI compliant for one year, until the next assessment. OSSIR : Retour d'expérience PCI DSS - 5

Visa gateway The merchant OSSIR : Retour d'expérience PCI DSS - 6

Visa gateway The merchant PCI platform The merchant OSSIR : Retour d'expérience PCI DSS - 7

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 8

An IT system with prepaid card for vehicle renting, refillable with a Visa from Internet. For a private company / a city services provider A B2C/B2B website selling "pay-n-go" insurance contracts over Internet For a insurance company A website is used to sell tickets while physical card reader devices are used to identify the customer regarding its visa's card number. For a train company OSSIR : Retour d'expérience PCI DSS - 9

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 10

A CDH device is any system or network equipment which receive/transmit/process/store credit data of your customers, like the Primary Account Number (PAN) An Acquirer is bankcard association member most often your credit card processing partner bank, that initiates and maintains relationships with merchants that accept payment cards A Merchant is defined as a location or store where purchases are made. The merchant is responsible for the security of the credit card information regardless of who they pass off the information to, such as a service provider. PCI Level 1 : Merchants processing over 6 million Visa transactions annually. Certification : Clean ASV scan, filled RoC by a QSA PCI Level 2 : Merchants processing between 1 to 6 Visa transactions annually. Certification : Clean ASV scan, filled SAQ A Service Provider is defined as an entity that handles credit card information on behalf of a merchant, acquirer, issuer, processor, or other service provider. PCI Level 1: VisaNet processors or any service provider that stores, processes and / or transmits over 300,000 transactions per year Certification : Attestation of Compliance Form, filled by a QSA PCI Level 2 : Any service provider that stores, processes and / or transmits less than 300,000 transactions per year Certification : Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ),, filled by a QSA OSSIR : Retour d'expérience PCI DSS - 11

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 12

Step 1 : Read the PCI 1.2 document to understand the controls Step 2 : Scope of Assessment for Compliance Step 3 : Get in touch with the PCI representafve of your acquirer and define your auditor Step 4 : Inventory all CDH devices, sonwares, accounts, IP, URLs of the PCI scope Step 5 : Perform an in depth penetrafon tests and remediate all flaws Step 6 : Perform a Gap Analysis PCI assessment with and remediate Remediate Asssess Step 7 : Compliance audit : submit ROC or SAQ to your acquirer Remediate Asssess Step 8 : Stay compliant with quaterly clean vulnerability scans and annual assessment OSSIR : Retour d'expérience PCI DSS - 13

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 14

Do not store CDH or have a legitimate business reason to store CDH Apply firewall Best Practices Implement SSL everywhere credit card are transmitted over the public network Apply security fixes Apply OS security Best Practices no default password, nominative account (no root access), strong passwords and authentication, session timeout Perform regular "human" penetration tests and follow OWASP Secure Coding Get a quarterly clean Automated Vulnerability Scans Get accurate logs, Intrusion Detection, WebApp firewall Write a security policy and a security awareness program signed by all impacted people OSSIR : Retour d'expérience PCI DSS - 15

12 main requirements, detailled into 224 controls Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Requirement 12: Maintain a policy that addresses information security for employees and contractors. OSSIR : Retour d'expérience PCI DSS - 16

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 17

A excessively large PCI scope The vendors pressure and their disinformation Misinterpretation of one or multiple requirements Starting a compliancy audit to soon without any self-assessment The PCI project is drive by the CSO instead of the board OSSIR : Retour d'expérience PCI DSS - 18

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 19

The following rules must be strictly applied on the PCI platform and its software: The storage of the PIN code, CVV2, the Magnetic stripe data is prohibited. Never stored the PAN without a legitimate business reason The CDH data must never appear clear text in temporary files, logs files, SQL databases Use strong cryptography if storage is needed, prefers one-way hashing if possible Erase CDH data from system memory as soon as possible Programs must use free() functions and memory garbage collector as soon as the CDH are sent to the payment gateway. Mask PAN when displayed Except when the user fills the payment form. The PAN must never be redisplayed by the application to the user even when the payment is refused for errors or technical problems. Never send unencrypted PAN by e-mail even for debugging OSSIR : Retour d'expérience PCI DSS - 20

If your business is bound to store CDH data, PCI Requirement n 3 must be applied : Limit retention time Do not store the CVV2 or the PIN Mask the PAN when re-displayed through back-office application Render PAN, at minimum, unreadable anywhere it is stored (backup, logs...) Use encryption column-level database encryption disk encryption : the encryption key must not be linked to the native operating system access control mechanism Protect cryptographic keys OSSIR : Retour d'expérience PCI DSS - 21

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 22

PCI 11.2 : Quarterly ASV scans : stupid false-positives For instance : "Web Server Predictable Session ID Vulnerability (QID:86310)" Sample : #1: Set-Cookie: F5-POOL=1208658112.20480.0000 #2: Set-Cookie: F5-POOL=1208658112.20480.0000 #3: Set-Cookie: F5-POOL=1208658112.20480.0000 PCI 11.4 : Network IDS : efficiency with HTTPS? OSSIR : Retour d'expérience PCI DSS - 23

PCI 6.6 : Web Application Firewall : is a new appliance mandatory? PCI 6.6 : For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: 1 - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. 2 - Installing a web-application firewall in front of public-facing web applications PCI 8.3 : Two-factor authentication : is SecurID are mandatory? PCI 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. OSSIR : Retour d'expérience PCI DSS - 24

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 25

The mandatory Insurance covers : CRIME/FIDELITY BOND including employee dishonesty, robbery, fraud, theft, forgery, alteration, mysterious disappearance and destruction. The minimum limit shall be $1,000,000 each loss and annual aggregate. TECHNOLOGY ERRORS & OMISSIONS, CYBER-RISK and PRIVACY LIABILITY INSURANCE covering liabilities for financial loss resulting or arising from acts, errors or omissions in rendering computer or information technology Services, or from data damage/destruction/corruption, including without limitation, failure to protect privacy, unauthorized access, unauthorized use, virus transmission, denial of service and loss of income from network security failures in connection with the Services provided under this Agreement with a minimum limit of two million dollars ($2,000,000) each claim and annual aggregate Security Assessor shall maintain such insurance for five (5) years after the termination of this agreement PCI SSC shall be named as an additional insured under the Commercial General Liability for any claims and losses arising out of, allegedly arising out of or in any way connected to the Security Assessor s performance of the Services under this agreement Security Assessor agrees that it shall ensure that the Workers Compensation/Employer s Liability insurers agree to waive subrogation rights, in favor of PCI SSC, for any claims arising out of or in any way connected to Security Assessor s performance of the Services under this Agreement OSSIR : Retour d'expérience PCI DSS - 26

PCI DSS in a nutshell My experiences Vocabulary Roadmap to the compliancy Key points Common difficulties or mistakes Credit card numbers retention Complex points Liability issues Conflict of interests OSSIR : Retour d'expérience PCI DSS - 27

I want to be ethical I want to be compliant and I pay for it I want to win more project with this customer I have a liability Merchant Auditor QSA OSSIR : Retour d'expérience PCI DSS - 28

I am a customer If you don't accept my RoC I can use another provider I am responsible of the control I want to keep my customer who made more than 6 millions transacfons Merchant Acquirer (Bank) OSSIR : Retour d'expérience PCI DSS - 29

I want to be compliant I want to have customers for my hosfng services My company is also QSA Merchant Hosting Provider also QSA OSSIR : Retour d'expérience PCI DSS - 30

Documents The PCI DSS version 1.2 https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html PCI Data Storage Do s and Don ts https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf Ten Common Myths of PCI DSS https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf fcharpenfer@xmcopartners.com OSSIR : Retour d'expérience PCI DSS - 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information