1 / 28

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards. ISACA January 8, 2013. Cheryl Becker. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual re-certification

denton-rush
Download Presentation

Payment Card Industry Data Security Standards

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Payment Card IndustryData Security Standards ISACA January 8, 2013

  2. Cheryl Becker • IT Auditor at Cintas Corporation • Internal Audit Department • Internal Security Assessor (ISA) Certification September 2010 • Annual re-certification • Currently responsible for SOX IT and PCI testing as well various Corporate audits • Board of Governors, IIA Cincinnati Chapter

  3. What is PCI DSS? • The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. • The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. • Applies to any entity that stores, processes and/or transmits CHD.

  4. History Lesson • PCI is not government legislation.  It is an industry regulation. • The major Card Brands (Visa, MC, Discover, Amex) decided to create regulations which were initially agreed upon by the Card Brands in 2004. • PCI DSS version 1 is dated December 2004. • On June 30, 2005, the regulations took effect. • The PCI Security Standards Council came into existence in 2006. 

  5. PCI Security Standards Council • The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards. • Each of the Card Brands (Visa, MC, Discover, Amex, JCB) have their own compliance programs in accordance with their own security risk management policies as well as their own definitions of the “levels” and their own penalizing/fining procedures for companies who have a breach.

  6. Merchant Levels Overview • 4 • Little credit card business • Some Card Brands do not have this level • Annual Compliance Validation • 3 • Less than a million credit card transactions • Some Card Brands do not have this level • Annual Self-Assessment

  7. Merchant Levels Overview • 2 • Millions (1+ to <6) credit card transactions • All Card Brands have this level • Must internally audit with a PCI certified Internal Security Assessor (ISA) using PCI DSS • 1 • Many millions (2.5+ to 6+) credit card transactions • All Card Brands have this level • Must audit either using a PCI certified external Qualified Security Assessor (QSA) OR Internal Audit with ISA certification using PCI DSS

  8. PCI ISA Training Program • The PCI SSC Sponsor Company Internal Security Assessor Program is a PCI DSS training and qualification program for eligible internal audit security professionals. The course helps participants improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance through: • Enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments • Supporting the consistent and proper application of PCI DSS measures and controls • Effectively facilitating interactions with QSAs • https://www.pcisecuritystandards.org/index.php

  9. PCI DSS Versioning • Version 2.0 as of October 2010 • Version will be on a three year basis • The PCI documentation (end result) has changed every year

  10. PCI DSS Six Goals • Build and Maintain a Secure Network • Protect Card Holder Data • Maintain a Vulnerability Management Program • Implement Strong Access Control Measures • Regularly Monitor and Test Networks • Maintain an Information Security Policy

  11. 12 Requirements • 1) Install and Maintain a firewall configuration to protect Card Holder Data (CHD) • Firewall and Router configuration standards • Review Network Diagram • Firewall and Router connections are restricted (inbound/outbound traffic) • No direct internet connection to CHD (DMZ) • 2) Do not use vendor supplied defaults • Attempt to sign on with defaults • Hardening standards and system configuration • Non-console admin access is encrypted

  12. 12 Requirements • 3) Protect stored CHD • Retention Policy and Procedures • Quarterly process for deleting stored CHD • Sample incoming transactions, logs, history files, trace files, database schemas and content • Do not store full track, CVV or PIN • Render PAN unreadable (mask/truncate) • Encryption and key management • 4) Encrypt transmission of CHD • Verify encryption and encryption strength • Verify wireless is industry best practice (no WEP)

  13. 12 Requirements • 5) Use and regularly update Antivirus software • All system have AV • AV is current, actively running and logging • 6) Develop and maintain secure systems and applications • Patch management – current within one month • ID new security vulnerabilities with risk rating • Custom code is reviewed prior to release • Change management process • Developers are trained in secure coding techniques

  14. 12 Requirements • 7) Restrict access to CHD by need-to-know • Review access policies • Confirm access rights for privileged users • Confirm access controls are in place • Confirm access controls default with “deny-all” • 8) Assign a unique ID to each user • Verify all users have a unique ID • Verify authentication with ID/PW combination • Verify two-factor authentication for remote access • Verify terminated users are deleted • Inspect configurations for PW controls

  15. 12 Requirements • 9) Restrict physical access to CHD • Access to computer rooms and data centers • Video cameras are in place and video is secure • Network jacks are secure – not in visitor area • Process for assigning badges • Storage locations are secure (offsite media) • 10) Track and monitor all access to network resources • Review audit trails – actions, time, date, user, etc. • Time server updates and distribution • Process to review security logs

  16. 12 Requirements • 11) Regularly test security systems • Test for wireless access points • Internal and external network vulnerability scans • Internal and external penetration testing annually • File integrity monitoring tools are used • 12) Maintain security policies • Policies are reviewed at least annually • Explicit approval is required for access • Auto disconnect for inactivity-internal and remote • Security awareness program is in place • Incident Response Plan

  17. PCI DSS Tests • ~260 tests • PCI DSS gives both the requirement and the test • Every test has to have an answer • Every bullet within each test must have an answer • If the requirement is not in place, a target date and comments must be made • If there are compensating controls, a Compensating Control Worksheet must be completed

  18. PCI Documentation • Attestation of Compliance • Executive Summary Score Report on Compliance • Test Procedures Score Sheet Report on Compliance

  19. Attestation of Compliance • This is the document that is submitted to the appropriate companies • Scanning vendor • Merchant (i.e. Bank) • Card Brand Company (i.e. Amex) • Signed by ISA/QSA and Officers of the Company • Brief overview of Company and Cardholder Data Environment • Not a website copy/paste • My summation of the company (business, DC, locs)

  20. Attestation of Compliance • Brief overview of how the company stores, processes and/or transmits cardholder data • Terminals • Applications • Third parties • State if we are compliant • All 12 Requirements are listed stating “in place” or “not in place” and “special” like N/A • At the bottom explain special – N/A may be ‘not a service provider’

  21. Compensating Control Worksheet • Within the Attestation of Compliance • The “special” column is where to state if it is a compensating control • “NOTE: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance” • Ex: cannot do 7 character pw on mainframe

  22. Executive Summary Score Report on Compliance • Detailed overview of CHDE – explain the flow from ‘swipe’ • Phone orders • Online orders • Monthly charges • Any other way CHD is processed • Network diagram prepared by ISA/QSA • Validate and explain scope – flat vs. segment • Validate myself

  23. Executive Summary Score Report on Compliance • Explain the environment • Personnel • Payment channels • IT Environment • Locations • Explain sampling method • Exclusions and why they were excluded • Wholly-owned Entities • International locations • Wireless Environment

  24. Executive Summary Score Report on Compliance • Service providers • Third-party applications • Individuals interviewed with titles • List of documentation reviewed • My contact information • Quarterly scan information • Findings and observations

  25. Test Procedures Score Sheet Report on Compliance • How each control was tested • Observation – configuration or process • Sampling • Interview with whom • Document reviews

  26. Lessons Learned • Give yourself enough time to complete the final reports • Answer all of the points in each test • Know your scope • Inventory the environment • Use a firewall to segment • If you are getting your QSA/ISA, complete the training and study • Users/coworkers/employees do not understand IT security (i.e. email)

  27. Cheryl Becker • IT Auditor • Cintas Corporation • beckerc@cintas.com

More Related