
The Pain of PCI Lessons Learned and How to Ease the Pain Thomas Lewis, QSA


Presentation Transcript


  1. The Pain of PCI: Lessons Learned and How to Ease the Pain
  Thomas Lewis, QSA

  2. Welcome and Agenda
  Agenda
  • Why should you care about security or PCI
  • What happens if I don’t care or comply
  • How do I prove compliance
  • Recent breach studies and lessons learned

  3. 90% of organizations have experienced a computer security incident in the last 12 months. Cybercrime statistics from the 12th Annual Computer Crime and Security Survey

  4. 71% of organizations have no external insurance coverage for losses from computer security incidents. Cybercrime statistics from the 12th Annual Computer Crime and Security Survey

  5. $1B: cybercrime profits in a year, which have surpassed those of drug smuggling. Cybercrime statistics from the 12th Annual Computer Crime and Security Survey

  6. $234,244: annual average loss due to security incidents per respondent. Cybercrime statistics from the 2009 CSI Computer Crime and Security Survey

  7. 64.3% suffered a significant malware infection. Cybercrime statistics from the 2009 CSI Computer Crime and Security Survey

  8. Incidents Increase in a Down Economy. Conventional wisdom would state that security is more important in a down economy, when issues are more prevalent. Cybercrime statistics from the 12th Annual Computer Crime and Security Survey

  9. 80% of cyber attacks are preventable, according to the National Security Agency (NSA), by performing configuration management and good network monitoring. Senate Panel, Nov 2009

  10. Why should I care?
  • What is PCI?
  • Who has to comply?
  • When does this impact me?
  • How much does this cost?
  • What happens if I don’t care or comply?

  11. What is Protected?
  What is the Protected Cardholder Data?
  • The Full Contents of the Magnetic Stripe
  • The Credit Card Account Number
    • Also known as the PAN or Primary Account Number
    • What is and what is not a PAN (first 6 and up to last 4 digits is not a PAN)
  • Cardholder Name
  • The Card Security Code (aka CVV2, CVC2 or CID)
  • The Expiration Date

  12. How do I prove compliance (shown from least painful to most painful)
  • Self Assessment Questionnaire (SAQ)
  • Results from an Approved Scanning Vendor (ASV)
  • Qualified Security Assessor (QSA) Report on Compliance (RoC)

  13. Okay, PCI has been around for a while; what have we learned?

  14. Lessons Learned (Same stuff, different day)
  PCI Compliance is simply about Risk Management
  • If there is a breach, all parties suffer (Merchant, QSA, Processor, Merchant Bank, Card Brand)
  • Tackle the big risks first and then work your way down to the lower risk items
  • Follow the Prioritized Approach to Compliance
  • Learn from past breaches what is working for the bad guys and stop it (Verizon Report)

  15. Lessons Learned
  IF YOU DON’T NEED IT, DON’T KEEP IT!!!
  • Most organizations do not need full “protected cardholder data”
  • Masking (first 6 and last 4 digits = no PAN)
  • Tokenization
  • Outsource that part of the process (some of the processors have end-to-end security options)
  • You will be Sad if you keep SAD (Sensitive Authentication Data)
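An added example (not from the deck or from LBMC) of the masking rule slides 11 and 15 describe, in Python: it reduces a PAN to its first 6 and last 4 digits and scans log lines for PANs that were stored unmasked, using the Luhn check digit to tell card numbers from other digit strings. The log format, order numbers and card numbers below are constructed for this example.

```python
import re

# Constructed sample log for this example (not from the deck). Line 1 already
# follows the deck's masking rule, line 2 stores a full PAN, and line 3 holds
# a 13-digit reference number that is not a card number.
SAMPLE_LOG = """2009-11-05 10:01:02 order=1001 pan=411111******1111 status=ok
2009-11-05 10:01:09 order=1002 pan=4012 8888 8888 1881 status=ok
2009-11-05 10:02:11 order=1003 ref=1234567890123 status=declined
"""

# A PAN is 13 to 19 digits, possibly separated by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits; per the deck, that is no longer a PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid, card-length digit string found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_log(text: str) -> str:
    """Replace each unmasked PAN in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(_sub, text)
```

Running `find_unmasked_pans` over application and web-server logs is one way to check that the "don't keep it" rule is actually being followed before an assessor does.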

  16. Lessons Learned
  • If you do have to have Cardholder Data, limit it aggressively and protect it aggressively
  • Isolate your Cardholder Data Environment as much as humanly possible to reduce your Risks and the Costs of compliance
  • The Blocking and Tackling of Information Security will go tremendously far in reducing your risks (more to follow)

  17. Lessons Learned
  The Verizon Report shows several issues leading to successful breaches, including:
  • Use of outdated and non-compliant payment applications and devices
  • Improperly segmented networks (flat networks)
  • Insecure remote access (vendor and employee access)
  • Unprotected web applications vulnerable to SQL injection attacks
  • Failure to update or change default passwords
  • No implementation or monitoring of intrusion detection or anti-virus
  • Malware installed to capture passwords and cardholder data

  18. Lessons Learned
  Additional information from the Verizon Report shows:
  • Large (Level 1) merchant and processor breaches account for the majority of compromised accounts, yet small (Level 4) merchants account for over 85% of compromise events
  • Attack methods include intercepting cardholder data in transit through the use of packet sniffers, memory parsers and other malware
  • Once intruders gain entry to steal cardholder data, the incident is difficult to detect
  • Effective monitoring controls are not being used, which makes detection nearly impossible

  19. PCI SSC’s Prioritized Approach
  1. Remove Sensitive Data
    • Key area of risk for compromised data
  2. Protect the perimeter, internal, and wireless networks
    • Controls points of access for most compromises
  3. Secure payment applications
    • Weaknesses in these areas are “easy prey”
  4. Monitor and control access to systems
    • Who is accessing the network
  5. Protect stored cardholder data
    • If you must store it, implement the key controls
  6. Finalize remaining compliance efforts, and ensure all controls are in place
    • Policies, process and procedures

  20. Recent Positive Observations
  PCI SSC Quality Assurance Program
  • Crack down on “easy graders”
  • 2009 training emphasizes testing and documentation procedures
  • Better consistency between QSAs with guidance to merchants
  Compensating Controls better understood and permitted
  • Must be thoroughly documented and tested by a QSA

  21. LBMC’s Approach
  • LBMC and Client Planning Meeting
  • Off-Site Documentation Review
  • Readiness Results Review Cycle
  • Remediation (if needed)
  • PCI Full Scope Audit
  • PCI Report on Compliance (ROC)

  22. Useful Resources
  • Better Business Bureau (BBB)
    • http://www.bbb.org/us/corporate-engagement/security/
    • Download a copy of: Security & Privacy - Made Simpler™, a document “targeting Small Business Owners with ‘digestible’ information about securing their customer and employee data. Seven (7) major corporations partnered with the BBB on this initiative.”

  23. Useful Resources
  • PCI Security Standards Council
    • Main: http://www.pcisecuritystandards.org
    • FAQs: https://www.pcisecuritystandards.org/about/faqs.htm#q1
    • Site Map: https://www.pcisecuritystandards.org/map/index.htm

  24. Useful Resources
  • Visa
    • Main CISP Page: http://usa.visa.com/merchants/risk_management/cisp.html
    • Merchant Information: http://usa.visa.com/merchants/risk_management/cisp_overview.html
  • MasterCard
    • Main Security Page: http://www.mastercard.com/us/merchant/security/index.html

  25. Questions?

  26. LBMC Contacts
  Contact names for more information:
  • Marcie Angle; mangle@lbmc.com; 615.690.1993
  • Thomas Lewis; tlewis@lbmc.com; 615.309.2296
  Contact us for a no obligation free consultation
