1 / 37

Payment Card Industry (PCI) Data Security Standards (DSS)

Payment Card Industry (PCI) Data Security Standards (DSS). Updates and Trends for 2009. Agenda. What is PCI? What’s New with PCI v1.2? Deadlines! VISA’s CAP VISA – What to do if compromised… Recent Breaches PCI Compliance Trends and Tips. What is PCI?.

Download Presentation

Payment Card Industry (PCI) Data Security Standards (DSS)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Payment Card Industry (PCI)Data Security Standards (DSS) Updates and Trends for 2009

  2. Agenda • What is PCI? • What’s New with PCI v1.2? • Deadlines! • VISA’s CAP • VISA – What to do if compromised… • Recent Breaches • PCI Compliance Trends and Tips

  3. What is PCI? • The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express. • PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. • Adherence to the PCI DSS aides in securing cardholder payment data that is stored, processed or transmitted by merchants and processors. • PCI DSS specifies requirements entailing many security technologies and business processes, and reflects most of the best practices for securing sensitive information. • PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states. • (Source: PCI Security Standards Council)

  4. What Is Cardholder Data? Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder • Card Holder Data • Primary Account Number (PAN) with: • Expiration date or • Card holder name • Sensitive Authentication Data • CVV or CVC (Card Verification Values) • Track 1 and Track 2 Data (magnetic stripe)

  5. Who Must Comply? • PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards. • However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements. • Information regarding service provider levels and validation requirements can be obtained from each individual credit card company’s Web site. • The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.

  6. PCI DSS Version 1.1 The Payment Card Industry Data Security Council released PCI DSS version 1.1 in September 2006. The standard is broken into six segments: • Building and maintaining a secure network; • Protecting cardholder data; • Maintaining a vulnerability management program; • Implementing strong access control measures; • Regularly monitor and test networks; and • Maintain an information security policy.

  7. What’s New? Requirement 6.6(as of June 30, 2008) • Web application firewall or code review? • It’s your choice, but should they both be required?

  8. What’s New? PCI DSS v1.2 (as of October, 2008) • Requirement 1: Clarified configuration requirements for routers too. Changed frequency of review to 6 months. • Requirements 2 & 4: • No new WEP implementations after March 31 2009 • No WEP in environment after June 30 2010

  9. What’s New? PCI DSS v1.2 (as of October, 2008) • Requirement 6.6: Web App Firewall/code review • Requirement 9: Video cameras and off-site secure storage reviews

  10. What’s New? PCI DSS v1.2(con’t) • Requirement 11: Wireless analyzer or wireless IDS/IPS • Requirement 12: Annual employee acknowledgement of security policies • Requirement 12.8: Changed to focus on policies and procedures to manage service provider, rather than contractual requirements.

  11. Lifecycle Process for Changes to PCI DSS https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf

  12. Prioritized Approach • Remove Sensitive Data • Key area of risk for compromised data • If you don’t need it, don’t store it • Protect the perimeter, internal, and wireless networks • a. Controls points of access for most compromises • Secure payment applications • a. Weakness in these areas are “easy prey” https://www.pcisecuritystandards.org/education/prioritized.shtml

  13. Prioritized Approach • 4. Monitor and control access to systems • a. Who is accessing the network • 5. Protect stored cardholder data • a. If you must store it, implement the key controls • 6. Finalize remaining compliance efforts, and ensure all controls are in place • a. Policies, process and procedures https://www.pcisecuritystandards.org/education/prioritized.shtml

  14. What’s New? PA-DSS*(October 2008) • Transition from VISA’s PABP • For software vendors • Aligns with PCI DSS • Use of PA-DSS compliant app not required for PCI DSS compliance • Use of a PA-DSS compliant app does not guarantee PCI DSS compliance *PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.

  15. What’s New? PCI SSC Quality Assurance Program • Crack down on “easy graders” • 2009 training emphasizes testing and documentation procedures. • No PA-QSA has been able to successfully certify for PA-DSS(As of December 2008)

  16. What’s New? Self Assessment Program • February 2008, PCI SSC released updated SAQ • Four separate SAQ focused on complexity and risk of the processing environments https://www.pcisecuritystandards.org/saq/index.shtml

  17. Deadlines! All deadlines come from the payment brands and the acquiring banks: • PCI DSS Compliance – All deadlines are past. • Level 4 – Requirements/dates now set by acquirer and scans “may” be required

  18. Deadlines! PA-DSS (VISA) • 1/1/08 – VNPs must not use known vulnerable applications • 7/1/08 – VNPs must only certify validated apps to their platforms • 10/1/08 – Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use validated applications • 10/1/09 – VNPs must decertify vulnerable payment applications • 7/1/10 – Acquirers must certify that merchants and VNPs only use validated applications

  19. VISA’s Compliance Acceleration Program • As of September 2008, only 57% of Level 3 merchants were complianthttp://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf) • Compliance acceleration “provide financial incentives and enforcement provisions” • Additionally, acquirers must certify that Level 1 and 2 merchants do not store prohibited data

  20. VISA – What to do if compromised… December 2008 • Immediately report to VISA suspected or confirmed loss • Provide proof of PCI compliance within 48 hrs • Provide written incident report to VISA with three days • VISA will decide if you need to hire a QIRA. The person needs to be contracted and on-site within 5 days.

  21. VISA – What to do if compromised… “In addition to the general instructions provided here, Visa may also require an investigation that includes, but is not limited to, access to premises and all pertinent records including copies of analysis.” (http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html)

  22. Breaches – PCI certified entities Hannaford Bros Grocery • Detected February 27, 2008 • 4.2 million credit and debit card numbers

  23. Breaches – PCI certified entities Hannaford Bros Grocery • Malware on servers – >270 • Captured data in transit • Inside job? • Class action suit – within 1 week

  24. Breaches – PCI certified entities Heartland Payment Systems • Breach occurred in 2008 – Reported January 2009 • Alerted by Visa and Mastercard • March 18, 2009 – Visa announced enterprises can do business with Heartland http://2008breach.com/Information.asp

  25. Breaches – PCI certified entities Heartland Payment Systems • Sniffer on the network • Social engineering? • Root kit? • Class action suit filed in just days

  26. Heartland – What went wrong? • Failed to prevent bad code from being installed • Inadequate cryptographic architecture • Didn’t monitor outbound traffic

  27. Beyond penalties and fines “Forty percent of consumers change their relationship with a business affected by a security breach.” Linda Tucci, “PCI Standard Still Packs Little Punch,” SearchCIO.com

  28. Beyond penalties and fines Data breaches cost companies $202 per compromised customer record in 2008. Since 2005, this number has increased by $64 – a 40% increase. (Ponemon Institute, February 2009)

  29. Beyond penalties and fines “More than 88% of all cases in this year’s study involved insider negligence.” (The Ponemon Institute, February 2009)

  30. PCI Compliance – Trends and Tips • Follow industry best practices for network and IT security • Use tools and services geared toward PCI Compliance • Align with a larger partner for credit card processing Joel Dubbin, CISSP. SearchCIO.com

  31. PCI Compliance – Trends and Tips PCI is not about securing sensitive data, it’s about eliminating data altogether. John Kindervag, Forrester Analyst and former QSA

  32. PCI Compliance – Trends and Tips Virtualization • Servers - Req 2.2.1 – One primary function per server • Entire box in-scope? • PCI DSS is technology neutral • No guidance for QSAs

  33. PCI Compliance – Trends and Tips • Segmentation • Reduce the cardholder data landscape • Reduces cost of remediation • Reduces exposure

  34. PCI Compliance – Trends and Tips Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services) • Must third party be PCI certified? • Who owns the liability? • What entities does a PCI assessment cover?

  35. PCI Compliance – Trends and Tips “PCI SWALLOWS ITS OWN TAIL” • “I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.” • http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail

  36. Useful Links • PCI Security Standards Council- www.pcisecuritystandards.org • The SANS Institute- www.sans.org • The National Institute of Standards and Technology- www.nist.gov • The Center for Internet Security- www.cisecurity.org • Approved QSA Listing- https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm • Approved ASV Listing- https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

  37. Questions Eric.Hannagan@jeffersonwells.com

More Related