The Compromised Magstripe

Transcript

Slide 1: The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful
Fred Hopper, CISSP
TASK - 27 March 2007

Slide 2: My Background and Perspective
IT Infrastructure Support, Network Management, Info Security and Corporate Security
Previous roles at Davis + Henderson and Canadian Standards Association
Head of Corporate Security for Metaca Corporation - one of Canada’s leading manufacturers and personalizers of Financial, Loyalty, ID, Satellite TV, Telco, Health, and Insurance cards.

Slide 3: Payment Card Security – History
Companies who manufacture and personalize cards for other organizations (e.g. banks) are called Card Vendors.
Card Vendor security has historically focused on the physical security of the product rather than data security.

Slide 4: The First Credit Card
The First Supper - Frank X. McNamara (1950) [image slide]

Slide 5: Later Diners Club Cards [image slide]

Slide 6: American Express [image slide]

Slide 7: Today’s Risks
The most significant risk these days is the compromise and misuse of the data rather than the physical card itself.
Card Vendors have had to meet detailed Logical (i.e. Information) Security requirements in recent years, with detailed standards and annual audits.
Current weak points in the system – some merchants and third party data processors.

Slide 8: Today’s Risks [image slide]

Slide 9: Card Skimming and Background for PCI DSS
Until the 1990s, magstripe reading and encoding hardware and the knowledge to use it were hard to come by. Personal computers and inexpensive hardware changed everything.
Improvements and miniaturization in electronics in recent years have also been reflected in skimming equipment.
Features of current equipment include flash memory, internal clocks, firmware supporting timestamps, databases, Bluetooth.
Password protected access to memory and features to protect data from law enforcement and rival skimming gangs.

Slides 10-16: Skimming Hardware [image slides]

Slide 17: Skimming Software [image slide]

Slide 18: Counterfeiting Supplies [image slide]

Slide 19: Important Card Data
Financial card dimensions, location of the magnetic stripe, and data encoding and layout are all covered in ISO standards.
www.magtek.com

Slide 20: Important Card Data [image slide]

Slide 21: Important Card Data
For processing transactions it is necessary for the merchant to present multiple fields to acquiring financial institutions – e.g. PAN, expiry date, CVV/CVC, PVV or PIN Offset.

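Added example, not part of the presentation: a Python parser for an ISO 7813 Track 2 string that pulls out the fields named above (PAN, expiry, service code, discretionary data where the CVV/PVV live) and then keeps only what PCI DSS Requirement 3 permits a merchant to retain after authorization. The sample track string, its PAN and the field names are constructed test values, not real card data.

```python
import re

# ISO 7813 Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# (the trailing LRC is consumed by the reader and normally not exposed to software).
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<yymm>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check digit used on payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; reject malformed or bad-PAN input."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed ISO 7813 Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {"pan": m["pan"], "expiry": m["yymm"],
            "service_code": m["service"], "discretionary": m["disc"]}


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(track: str) -> dict:
    """Fields a merchant may keep after authorization (PCI DSS Req. 3).

    The full track and the discretionary data (CVV/PVV) are sensitive
    authentication data and are dropped. Expiry and service code may be kept.
    The PAN is stored masked here; a full PAN would need truncation, hashing
    or strong encryption to satisfy Req. 3.4.
    """
    f = parse_track2(track)
    return {"pan_masked": mask_pan(f["pan"]),
            "expiry": f["expiry"], "service_code": f["service_code"]}


# Constructed sample using a well-known test PAN; not a real card.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789012?"
```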
Slide 22: Payment Card Data
Skimming is still a lot of work and risk, so why not just try to get card track data in bulk?
Carding sites exist to trade in stolen card numbers – e.g. Carderplanet, Mazafuka, Shadowcrew, Darkprofits.
Where do these numbers come from? A lot of them are stolen from Merchants and Data Processors who store more data than they need, do so insecurely, and are subsequently compromised.
The payment card industry has been aware of this problem for years and has been responding in various ways, one of which is the Payment Card Industry Data Security Standard (PCI DSS).

Slide 23: Payment Card Security Standards Prior to 2004
Each card association had different rules:
Visa: Account Information Security (AIS) and Cardholder Information Security Program (CISP)
MasterCard: Site Data Protection (SDP)
American Express: Data Security Standard (DSS)
Discover: Discover Information Security Compliance Program (DISC)

Slide 24: Formation of the PCI Security Standards Council
Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors – the PCI Data Security Standard (PCI DSS).
The PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS.
Version 1.0 of the PCI DSS was published in January 2005.
Version 1.1 was published in September 2006.
www.pcisecuritystandards.org

Slide 25: Scope of PCI DSS
If your shop handles financial card data:
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted.
PCI DSS security requirements apply to all “system components” – defined as “any network component, server or application that is included in or connected to the cardholder data environment”.
Failure to comply will eventually result in surcharges, fines and substantially increased liability in the event of a data breach.
If a PAN is not stored, processed or transmitted then PCI DSS requirements do not apply.

Slide 26: Scope of PCI DSS
If your shop does not handle financial card data:
Strictly speaking, PCI DSS requirements do not apply to your organization.
You may still want to utilize PCI DSS in order to protect personal information (NPPI), commercially sensitive information, trade secrets, etc.
Q: Why use PCI DSS instead of other InfoSec standards (e.g. ISO 17799)?
A: It’s concise (16 pages), easy to interpret and was developed through consensus by organizations who knew it would be a challenge to obtain compliance from its target audience. In other words, it is well thought out, well documented and attainable.

Slide 27: PCI DSS Requirements
The PCI Data Security Standard consists of 12 general requirements designed to:
Build and maintain a secure network
Protect cardholder data
Ensure the maintenance of vulnerability management programs
Implement strong access control measures
Regularly monitor and test networks
Ensure the maintenance of information security policies
Does this sound familiar?...

Slide 28: PCI DSS vs. CISSP CBK
PCI DSS Control Objective | CISSP CBK Domains
Build and Maintain a Secure Network | Telecommunications and Network Security
Protect Cardholder Data | Cryptography
Maintain a Vulnerability Management Program | Applications and System Development Security
Implement Strong Access Control Measures | Access Control Systems and Methodology + Physical Security
Regularly Monitor and Test Networks | Operations Security
Maintain an Information Security Policy | Security Management Practices

Slide 29: Control Objectives (1 of 6)
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Slide 30: Sample of Format Used [image slide]

Slide 31: Control Objectives (2 of 6)
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Slide 32: Control Objectives (3 of 6)
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Slide 33: Control Objectives (4 of 6)
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Slide 34: Control Objectives (5 of 6)
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources
Requirement 11: Regularly test security systems and processes

Slide 35: Control Objectives (6 of 6)
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Slide 36: Conclusion
PCI DSS is out there, and if your systems process payment card numbers, you must be compliant.
Even if you do not process payment card numbers, the PCI DSS provides an excellent information security framework for your organization’s Information Security Management System.

Questions and Answers
Fred Hopper
Director, Corporate Security, IT and Quality
Metaca Corporation