
The Payment Card Industry: (PCI) Compliance 101


Presentation Transcript


  1. The Payment Card Industry: (PCI) Compliance 101
  Name: John Cebulski
  Title: Security Engineer
  Contact: jcebulski@us.checkpoint.com

  2. Today’s Agenda
  • Modern history of PCI
  • PCI Data Security Standard v1.1
  • Version 1.1 updates
  • Compensating controls
  • General roles and responsibilities
  • PCI compliance validation process
  • Network scanning
  • Company audit
  • Report of compliance
  • Why worry about PCI DSS?
  • The challenges of PCI compliance
  • Customer challenges of PCI compliance
  • Devices affected
  • Results of PCI challenges
  • Companies in the PCI spotlight
  • Tips for facing the compliance challenge

  3. Modern History of the Payment Card Industry
  • Mid-1980s
    • Rapid growth in payment card industry, fraud increases
    • Individual companies begin early fraud detection and prevention efforts
  • 1990s
    • Sophistication of networks increases
    • Fraud and detection technologies grow
    • Fraud continues to increase
    • 1999: Gramm-Leach-Bliley Act
  • 2000s
    • 2000: Visa Cardholder Information Security and Account Information Security programs
    • 2000: MasterCard: Site Data Protection program
    • Early 2000s: Major fraud disclosures*
    • 2002: Sarbanes–Oxley Act
    • 2005: MasterCard and Visa jointly release PCI Data Security Standard 1.0
    • 2006: PCI Security Standards Council, PCI 1.1 released

  4. Drivers for PCI Data Security Standardization
  Date | Organization | Offense
  June 2004 | Ukrainian Roman Vega aka ‘BOA’ | Caught with more than 80,000 credit card accounts
  September 2004 | Carderplanet.com | Credit card hacking site
  October 2004 | Shadowcrew | Sales of stolen and counterfeit IDs
  As of May 2007, still running | Cardersmarket.com | Buys and sells payment card data
  • Increased fraud
    • Fraud is big business!!
    • 2005*: 9.3 million US victims; $54.4 billion total fraud costs in one year
  • Regulatory requirements
    • Increased pressure
  • Vague implementation guides
    • Confusing payment card efforts
    • Overlapping requirements and duplicated activities
    • Increased confusion on part of merchants and providers
  *Source: Javelin Strategy & Research, January 2006

  5. PCI Data Security Standard v1.1 Today
  • PCI Compliance for VISA
    • PCI DSS
    • Visa’s Cardholder Information Security Program (CISP)
    • http://usa.visa.com/merchants/risk_management/cisp.html
  • PCI Compliance for MasterCard
    • PCI DSS
    • MasterCard’s Site Data Protection Program (SDP)
    • http://www.mastercard.com/us/sdp/index.html
  If a Primary Account Number (PAN) is stored, processed, or transmitted, the PCI DSS requirements APPLY.
  • Six Categories
  • 12 Sections
  • Many subsections
  • PCI DSS is only part of compliance
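The scoping rule on this slide (PCI DSS applies wherever a PAN is stored, processed, or transmitted) is only actionable if you can tell which systems actually hold PANs. The following is an added example, not part of the original deck: a small Python checker that finds Luhn-valid 13 to 19 digit candidates in text such as application logs and reports them masked (first six, last four) so the finding itself does not copy the PAN. The sample log lines and the use of the well-known test number 4111 1111 1111 1111 are constructed; space- or dash-separated numbers are handled as well.

```python
import re

# Constructed sample log lines (not from the deck). Line 1 carries the standard
# test PAN 4111 1111 1111 1111 (Luhn-valid); line 2 carries a 16-digit reference
# number that fails the Luhn check and must NOT be flagged; line 3 is clean.
SAMPLE_LOG = """\
2007-05-01 12:00:01 order=1001 pan=4111111111111111 amount=19.99
2007-05-01 12:00:02 order=1002 ref=1234567890123456 amount=5.00
2007-05-01 12:00:03 order=1003 status=ok
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit identifier does not yield a partial match).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so a report never carries a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}; this data source is in PCI DSS scope")
```

A digit string that passes Luhn is only a candidate; a hit still needs a human to confirm it is cardholder data before the system is declared in scope.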

  6. What’s New to the PCI Landscape?
  COMPLIANCE TIMEFRAME
  • Level 1 Merchant/Service Provider deadline: September 30, 2007
  • Level 2 Merchant/Service Provider deadline: December 31, 2007
  • Level 3 Merchant/Service Provider deadline: Contact acquirer or card vendor
  • Level 4 Merchant deadline: Summary of PCI compliance plan, via acquirer, by July 30, 2007
  New to PCI 1.1 (Sept. 2006)
  • Clarification of vague language
  • Application firewalls required by June 30, 2008 (6.6)
  • Malicious software, like spyware and adware, is included in antivirus capabilities (5.1.1)
  • New “compensating controls” section (Appendix B)
  • Penetration testing to include application and network layers (11.3)
  VISA and MasterCard Compliance
  • “Leading the Charge” for PCI compliance
  • Emphasis on Level 1, 2, and 3 Merchants
  • Acquirers should have submitted a summary of their L4 Merchants’ PCI compliance plan by July 30, 2007

  7. Example: Compensating Control (Source: Appendix C, Compensating Controls WS)

  8. PCI Today—Roles
  DEFINE
  • PCI Security Standards Council
    • Independent body
    • Eliminates competing and overlapping brand-specific requirements
    • Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Int’l
    • Defines security and process requirements and other general security guidelines
    • Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains certification lists
  IMPLEMENT
  • Participating Organizations (accept credit/debit card payments)
    • Merchants, Service Providers
    • Any organization that stores, processes, or transmits cardholder data
  • Merchant or Service Provider Categorization
    • Levels: 1–4 for Merchants, 1–3 for Service Providers
    • Varying levels of audits, scans, and assessments based on level status
  ENFORCE
  • Acquirers (banks that process transactions)
    • Enforcement arm
    • Can levy stiff fines
    • Prohibit processing of credit card transactions
    • Manage Merchant’s compliance programs
    • MasterCard's SDP program
  • Payment Card Brands
    • Enforcement arm (and acquirers)
    • Can levy stiff fines
    • Prohibit processing of credit card transactions
    • To what degree must they be compliant?
  AUDIT
  • QSAs and ASVs
    • Assess and validate compliance
    • Reports given to customers
    • Listed on the council Web site
  www.pcisecuritystandards.org

  9. PCI Compliance Validation
  • Audits and Self-Assessments
  • Network Scans
  • Report on Compliance

  10. PCI Compliance Validation

  11. PCI Compliance Validation: What can I expect from an audit?
  • Company XYZ is audited by QSA
  • QSA completes audit based on PCI Audit Procedures
  • Company passes audit: Company XYZ keeps audit and submits to Card Vendor or Acquirer
  • Otherwise: Company receives report from QSA with “Open Items” and “Target Resolution Dates”, and QSA reassesses

  12. PCI Compliance Validation: Network Scanning as explained in PCI DSS v1.1
  • Performed by a certified auditor
  • Externally facing IP addresses
  • Scan of ALL 65,535 ports
  • Severity Levels 3–5 must be remedied
  • Technical report with vulnerabilities and steps for resolution
  • PCI-approved compliance statement to Vendor or Acquirer

  13. PCI Report on Compliance and Visa: Level 1–3 Merchants
  • Level 1 Merchants (via Acquirer)
    • On-site PCI data security assessment completed by QSA
    • Letter signed by a merchant officer
    • Confirmation of report accuracy form completed by QSA
    • Acquirer accepts ROC and submits confirmation ROC form and acceptance letter to Visa
  • Level 1, 2, and 3 Merchants
    • Acquirers responsible for ensuring quarterly network security scans for Level 1, 2, and 3 Merchants
    • Quarterly network security scans may be required of Level 4 Merchants as specified by their acquirers
  • Level 2 and Level 3 Merchants
    • Must complete the annual PCI self-assessment questionnaire
    • Level 4 Merchants may be required by their acquirers to complete the PCI self-assessment questionnaire

  14. PCI Report on Compliance and Visa: Service Providers
  • Level 1 and Level 2 Service Providers
    • Annual self-assessment questionnaire
    • Annual on-site PCI data security assessment
    • Supply to the acquirer, serving as a template for the ROC
    • Employ a QSA to complete the Report on Compliance
  • Level 1, 2, and 3 Service Providers
    • ASV performs a quarterly network scan on the Internet-facing network perimeter systems
  • Level 3 Service Providers
    • Complete the annual PCI self-assessment questionnaire

  15. Why Worry About PCI DSS?
  • Reduce the risk of incidents
  • Prevent a “CNN moment”
    • Negative publicity
    • Loss of revenue
  • Placed in higher Level, requiring more frequent compliance measures
  • Fines and penalties levied
    • From acquirer to acceptor
  • Barred from processing credit card transactions
  • Higher processing fees

  16. The PCI Challenge for Merchants and Service Providers
  • All or Nothing: 99 percent compliance is still failing. PCI DSS v1.1 begins to address this issue (Compensating Controls) and is the new standard as of January 1, 2007.
  • Cost Effective and Unified: Purchasing and integrating point solutions takes time and effort. Many companies do not have the in-house staff to address this challenge. TCO must be addressed.
  • Performance Becomes a Concern
  • Multiple Standard Requirements

  17. The PCI Challenge: One of Many
  Growing lists of regulations can deplete resources
  • Gramm-Leach-Bliley
  • Sarbanes-Oxley Act of 2002
  • U.K. Public Records Office
  • DOD 5015.2
  • E.U. Data Protection Directive
  • CA SB 1386, 1950
  • FDA 21 CFR 11
  • Homeland Security Act
  • U.S. Patriot Act
  • HIPAA
  • Basel II
  • Computer Security Act
  • Foreign Corrupt Practices Act
  • SEC Rules 17a-3 and 17a-4
  • EPA
  • Computer Fraud and Abuse Act
  • FISMA
  • Fair and Accurate Credit Transactions Act (FACT)
  • Customs C-TPAT
  • NASD 3110
  • TREAD Act
  • IASB/FASB
  • Canada’s PIPEDA
  (Slide graphic: word cloud of related obligations and risks: EU data protection, COSO/COBIT, HIPAA, Basel II, terrorism, business partners, physical security, BS7799, privacy, PCI DSS, Sarbanes-Oxley, audits, business continuity, ISO17799, investment, SB1386, liability, GLBA, industry regulation, information security, operational risk, data storage, data retention, credit risk, compliance, intellectual property, reputation)

  18. The PCI Challenge: Devices affected
  The PCI DSS v1.1 requirements apply to ALL “system components,” defined as any network component, server, or application included in, or connected to, the cardholder data environment.
  • “Network component” refers to firewalls, network appliances, routers, switches, wireless access points, and other network and security components.
  • Servers include, but are not limited to, authentication, database, domain name service (DNS), email, network time protocol (NTP), proxy, and Web servers.
  • Applications include all purchased and custom applications, including internal and external (Web) applications.

  19. The PCI Challenge - Result
  A Very Complicated, Sprawling Network to Manage
  • Firewalls, OS servers, routers, switches, IPS, antivirus, Web servers, policies, and rules
  • Gigabytes to terabytes of data in different formats

  20. Companies in the PCI Spotlight
  • Bank of America
  • BJ’s Wholesale Club
  • Cardsystems Solutions
  • ChoicePoint (NOT CHECK POINT)
  • CitiGroup
  • DSW Shoe Warehouse
  • Hotels.com
  • LexisNexis
  • Wachovia
  • Polo–Ralph Lauren
  • Source: Qualys http://www.qualys.com/forms/wp/pci/?lsid=6880
  Fines
  • 2005: Visa levied fines of $3.4 million
  • 2006: Visa levied fines of $4.6 million
  Source: Visa (USA), SAN FRANCISCO, December 12, 2006

  21. Tips for Facing the PCI Challenge
  • Build/leverage relationships with VARs and other resellers
  • Attend seminars and guest speaking engagements
    • Nuggets of information
    • Network with peers
  • Use existing regulatory compliance programs
    • ISO 27001 certifications and Sarbanes-Oxley audits look at many of the same requirements as PCI DSS v1.1
    • PCI DSS offers areas of cross compliance with HIPAA and SOX
  • Books and periodicals (the ol’ Amazon.com search)
  • Take the “plunge,” register for vendor white papers
    • Valuable nuggets contained within vendor
  • Utilize PCI security standards resources
    • www.pcisecuritystandards.org
    • Self-assessments
    • Review scanning and audit procedures

  22. Resources and Research
  • PCI Security Council Web site: www.pcisecuritystandards.org
    • PCI DSS v1.1, What’s new in v1.1, Scanning and Auditor validation requirements
  • Qualys: White paper: Winning the PCI Compliance Battle, www.qualys.com/forms/wp/pci/?lsid=6880
  • Check Point: www.checkpoint.com/securitycafe/readingroom/general/pci_compliance.html
  • Still Secure: www.stillsecure.com/pci/index.php?rf=pcihp
    • PCI Compliance: A Technology Overview (management best practices)
  • www.pcicomplianceguide.org
    • A 5-step guide for PCI compliance
  • SANS: www.sans.org
    • Using SIM systems for PCI compliance

  23. THANK YOU!! Questions?

  24. Appendix and Links • See below

  25. Regulatory Cross Compliance
  • HIPAA 164.308 Administrative Safeguards
    • Security and access management
    • Secure incident handling
  • HIPAA 164.312 Technical Safeguards
    • Access and audit control, integrity
  • Sarbanes-Oxley sections 404, 409, 302
    • Effective controls on data privacy
    • Real-time disclosure
    • CEO and CFO responsibilities for secure certification
  • PCI Data Security Standard Section 10
    • Tracking and monitoring all access to cardholder data
    • Implement audit trails
    • Record, secure, and review various audit trails for system components
  • PCI Data Security Standard Section 11
    • Use NIDS, NIPS, HIDS, HIPS to monitor and alert to compromises
    • Require SIEM solutions that can effectively tie in point product data back
