Transcript Document
Payment Card Industry (PCI)
Data Security Standards (DSS)
Updates and Trends for 2009
Agenda
What is PCI?
What’s New with PCI v1.2?
Deadlines!
VISA’s CAP
VISA – What to do if compromised…
Recent Breaches
PCI Compliance Trends and Tips
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) was
created jointly in 2004 by four major credit-card companies: Visa,
MasterCard, Discover and American Express.
PCI DSS is a widely accepted set of policies and procedures intended to
optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information.
Adherence to the PCI DSS aids in securing cardholder payment data
that is stored, processed or transmitted by merchants and processors.
PCI DSS specifies requirements entailing many security technologies
and business processes, and reflects most of the best practices for
securing sensitive information.
PCI DSS is rapidly becoming the recognized standard for securing all
organizational data, not just credit card information, and is currently
being considered as the basis of legislation by several states.
(Source: PCI Security Standards Council)
What Is Cardholder Data?
Cardholder data is the personally identifiable information (PII) tied to a
payment card and its holder. PCI DSS splits it into two classes with
different handling rules:
Cardholder Data (may be stored when there is a business need, but must be
protected under Requirement 3):
Primary Account Number (PAN) with:
Expiration date or
Cardholder name
Sensitive Authentication Data (must never be stored after authorization,
Requirement 3.2):
CVV or CVC (card verification values, including the printed CVV2/CVC2 codes)
Track 1 and Track 2 data (full magnetic stripe contents)
PINs and PIN blocks
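The two classes differ in what may be stored, so the first practical task is finding the data at all. The following is an example added to these notes (not from the original slides or from the PCI SSC): a small Python scanner that finds Luhn-valid PANs and magnetic-stripe track data in text, drops the track data (which Requirement 3.2 forbids storing after authorization) and masks the surviving PANs to the first six and last four digits that Requirement 3.3 allows for display. It also covers step 1 of the Prioritized Approach later in these notes ("if you don't need it, don't store it"). The regular expressions, the log lines and the choice of published test card numbers are my assumptions and constructions, not anything from the deck.

```python
"""Find, classify and scrub card data in text.

Example added to these notes, not code from the original slides or the PCI SSC.
Assumptions (mine): log text is plain ASCII, PANs are 13-19 digits optionally
separated by single spaces or dashes, and track data follows the ISO/IEC 7813
layout (Track 1 starts with %B, Track 2 with ;PAN=). The card numbers in the
sample are the widely published test numbers, not real accounts.
"""
import re

# Candidate PAN: 13-19 digits, optional single space/dash between digits,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Full magnetic-stripe contents: sensitive authentication data (Requirement 3.2).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; real PANs pass it, which filters out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: a displayed PAN shows at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in the text, in order of appearance."""
    return [_digits(m.group()) for m in PAN_RE.finditer(text)
            if luhn_ok(_digits(m.group()))]


def find_track_data(text: str) -> dict:
    """Count track 1/track 2 records; any non-zero count after authorization is a 3.2 finding."""
    return {"track1": len(TRACK1_RE.findall(text)),
            "track2": len(TRACK2_RE.findall(text))}


def scrub(text: str) -> str:
    """Drop sensitive authentication data outright, then mask surviving PANs."""
    text = TRACK1_RE.sub("[TRACK1 REMOVED]", text)
    text = TRACK2_RE.sub("[TRACK2 REMOVED]", text)

    def _mask(m):
        d = _digits(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()

    return PAN_RE.sub(_mask, text)


# Constructed sample of what a chatty POS debug log might contain (not a real capture).
SAMPLE_LOG = """\
2009-03-02 10:14:07 POS1 auth ok pan=4111 1111 1111 1111 exp=0513 amount=42.10
2009-03-02 10:14:09 POS1 debug track2=;5555555555554444=13051011234?
2009-03-02 10:15:30 POS2 order=1234567890123 pan=378282246310005
2009-03-02 10:16:01 POS2 auth fail pan=4111111111111112 reason=luhn
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print("Track data:", find_track_data(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Run it over exported logs, database dumps and file shares to learn where cardholder data actually lives before deciding what to delete; a PAN in a debug log is a storage location the assessor will count, and a track 2 record anywhere after authorization is a finding regardless of how it got there.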
Who Must Comply?
PCI data security requirements apply to all merchants and service
providers that store, process or transmit any cardholder data. All
organizations with access to cardholder information must meet the data
security standards.
However, the way in which organizations validate their compliance differs
based on whether they are merchants or service providers and on specific
validation requirements defined by each credit card brand. Each of the
five major credit card companies has its own set of validation
requirements.
Information regarding service provider levels and validation requirements
can be obtained from each individual credit card company’s Web site.
The security requirements apply to all system components, network
components, servers or applications included in, or connected to, the
processing of cardholder data.
PCI DSS Version 1.1
The PCI Security Standards Council released PCI DSS version 1.1 in
September 2006.
The standard is organized into six control objectives:
Building and maintaining a secure network;
Protecting cardholder data;
Maintaining a vulnerability management program;
Implementing strong access control measures;
Regularly monitoring and testing networks; and
Maintaining an information security policy.
What’s New?
Requirement 6.6
(mandatory as of June 30, 2008)
Web application firewall or code review?
It’s your choice, but should they both be required?
What’s New?
PCI DSS v1.2
(as of October 2008)
Requirement 1: Configuration standards now explicitly cover routers
as well as firewalls. Firewall and router rule sets must be reviewed at
least every six months.
Requirements 2 & 4 (wireless):
No new WEP implementations after March 31, 2009
No WEP in the cardholder data environment after June 30, 2010
What’s New?
PCI DSS v1.2
(as of October 2008)
Requirement 6.6: Web application firewall or code review
Requirement 9: Video camera recordings and off-site secure storage reviews
What’s New?
PCI DSS v1.2
(con’t)
Requirement 11: Wireless analyzer or wireless IDS/IPS
Requirement 12: Annual employee acknowledgement of security policies
Requirement 12.8: Changed to focus on policies and procedures to
manage service providers, rather than on contractual requirements.
Lifecycle Process for Changes to PCI DSS
https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
Prioritized Approach
1. Remove sensitive data
a. Key area of risk for compromised data
b. If you don’t need it, don’t store it
2. Protect the perimeter, internal, and wireless networks
a. Controls the points of access used in most compromises
3. Secure payment applications
a. Weaknesses in these areas are “easy prey”
https://www.pcisecuritystandards.org/education/prioritized.shtml
Prioritized Approach
4. Monitor and control access to systems
a. Who is accessing the network
5. Protect stored cardholder data
a. If you must store it, implement the key controls
6. Finalize remaining compliance efforts, and ensure
all controls are in place
a. Policies, process and procedures
https://www.pcisecuritystandards.org/education/prioritized.shtml
What’s New?
PA-DSS*
(October 2008)
Transition from VISA’s PABP
For software vendors
Aligns with PCI DSS
Use of PA-DSS compliant app not required
for PCI DSS compliance
Use of a PA-DSS compliant app does not
guarantee PCI DSS compliance
*PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc.
program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is
to help software vendors and others develop secure payment applications that do not
store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their
payment applications support compliance with the PCI DSS. Payment applications that
are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.
In-house payment applications developed by merchants or service providers that are not
sold to a third party are not subject to the PA-DSS requirements, but must still be
secured in accordance with the PCI DSS.
What’s New?
PCI SSC Quality Assurance Program
Crackdown on “easy graders”
2009 training emphasizes testing and documentation procedures.
No PA-QSA had successfully certified for PA-DSS (as of December 2008).
What’s New?
Self-Assessment Program
In February 2008 the PCI SSC released an updated Self-Assessment
Questionnaire (SAQ).
Four separate SAQs (A, B, C and D), matched to the complexity and risk
of the processing environment.
Deadlines!
All deadlines come from the payment brands and the acquiring banks:
PCI DSS compliance: all deadlines are past.
Level 4: requirements and dates are now set by the acquirer, and
scans “may” be required.
Deadlines!
PA-DSS (Visa mandates; VNP = VisaNet Processor)
1/1/08: VNPs must not use known vulnerable applications
7/1/08: VNPs must only certify validated applications to their platforms
10/1/08: Newly boarded Level 3 and 4 merchants must be PCI DSS
compliant or use validated applications
10/1/09: VNPs must decertify vulnerable payment applications
7/1/10: Acquirers must certify that merchants and VNPs only use
validated applications
VISA’s Compliance Acceleration Program
As of September 2008, only 57% of Level 3 merchants were compliant.
(http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf)
Compliance acceleration “provide[s] financial incentives and
enforcement provisions”.
Additionally, acquirers must certify that Level 1 and 2 merchants do
not store prohibited data.
VISA – What to do if compromised…
December 2008
Immediately report suspected or confirmed loss to Visa.
Provide proof of PCI compliance within 48 hours.
Provide a written incident report to Visa within three days.
Visa will decide whether you need to hire a QIRA (Qualified Incident
Response Assessor). The assessor must be contracted and on-site within
5 days.
VISA – What to do if compromised…
“In addition to the general instructions provided here, Visa may also
require an investigation that includes, but is not limited to, access to
premises and all pertinent records including copies of analysis.”
(http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html)
Breaches – PCI certified entities
Hannaford Bros Grocery
Detected February 27, 2008
4.2 million credit and debit card numbers
Malware on more than 270 servers
Captured data in transit (during authorization, not from storage)
Inside job?
Class action suit filed within 1 week
Breaches – PCI certified entities
Heartland Payment Systems
Breach occurred in 2008; reported January 2009
Alerted by Visa and MasterCard
March 18, 2009: Visa announced that enterprises can do business with
Heartland
http://2008breach.com/Information.asp
Sniffer on the network
Social engineering?
Rootkit?
Class action suit filed in just days
Heartland – What went wrong?
Failed to prevent malicious code from being installed
Inadequate cryptographic architecture
Didn’t monitor outbound traffic
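The third point, outbound monitoring, is the one most shops can act on directly. As an example added to these notes (not from the original slides and not from Heartland's own investigation), the Python below audits a firewall flow export for a segmented cardholder data environment: it aggregates outbound connections per CDE host and destination, flags any destination that is not on the allow-list of acquirer/processor endpoints, and flags unusual outbound volume, which is what a sniffer shipping captured card data looks like from the outside. The subnet, the allow-list, the log format and the log lines are my assumptions and constructions.

```python
"""Egress audit for a cardholder data environment (CDE).

Example added to these notes, not code from the original slides or from
Heartland. Assumptions (mine): the CDE is one segmented subnet, the only
legitimate outbound destinations are the processor endpoints listed below,
and the firewall exports one 'timestamp key=value ...' line per flow as in
SAMPLE_LOG. All addresses are documentation ranges, not real hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CDE_NET = ip_network("10.20.0.0/24")        # assumed segmented cardholder data environment
ALLOWED_EGRESS = {                           # assumed acquirer/processor endpoints (dst, port)
    ("203.0.113.10", 443),
    ("203.0.113.11", 443),
}
BYTES_ALERT = 5_000_000                      # assumed per-peer outbound volume worth a look


def parse_line(line: str):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec


def audit(lines):
    """Aggregate outbound flows per (src, dst, dport) and report what a CDE host should not be doing."""
    flows = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or ip_address(rec["src"]) not in CDE_NET:
            continue                          # only hosts inside the CDE are in scope here
        agg = flows[(rec["src"], rec["dst"], rec["dport"])]
        agg["flows"] += 1
        agg["bytes"] += rec["bytes_out"]

    findings = []
    for (src, dst, dport), agg in sorted(flows.items()):
        reasons = []
        if (dst, dport) not in ALLOWED_EGRESS:
            reasons.append("destination not on CDE egress allow-list")
        if agg["bytes"] >= BYTES_ALERT:
            reasons.append("outbound volume exceeds threshold")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "flows": agg["flows"], "bytes": agg["bytes"],
                             "reasons": reasons})
    return findings


# Constructed sample firewall export (not a real capture). The last line is a
# non-CDE host and is ignored; 10.20.0.22 is pushing data to an unknown peer.
SAMPLE_LOG = """\
2009-01-12T03:14:07 src=10.20.0.15 dst=203.0.113.10 dport=443 proto=tcp bytes_out=1320
2009-01-12T03:14:09 src=10.20.0.15 dst=203.0.113.11 dport=443 proto=tcp bytes_out=2210
2009-01-12T03:15:41 src=10.20.0.22 dst=198.51.100.77 dport=443 proto=tcp bytes_out=4800000
2009-01-12T03:16:02 src=10.20.0.22 dst=198.51.100.77 dport=443 proto=tcp bytes_out=3900000
2009-01-12T03:16:30 src=10.20.0.15 dst=192.0.2.5 dport=21 proto=tcp bytes_out=600
2009-01-12T03:17:00 src=10.30.0.8 dst=198.51.100.9 dport=80 proto=tcp bytes_out=900
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} {f['flows']} flows, "
              f"{f['bytes']} bytes: {'; '.join(f['reasons'])}")
```

Deny-by-default egress rules at the CDE boundary (Requirement 1 already calls for restricting outbound traffic from the cardholder data environment to what is necessary) remove most of the noise here; the audit then only has to explain the flows the rule set allowed, and a port-443 connection to an address nobody can account for is exactly the kind of flow the slide says went unwatched.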
Beyond penalties and fines
“Forty percent of consumers change their relationship
with a business affected by a security breach.”
Linda Tucci, “PCI Standard Still Packs Little Punch,” SearchCIO.com
Beyond penalties and fines
Data breaches cost companies $202 per compromised
customer record in 2008.
Since 2005, this number has increased by $64 – a
40% increase.
(Ponemon Institute, February 2009)
Beyond penalties and fines
“More than 88% of all cases in this year’s
study involved insider negligence.”
(The Ponemon Institute, February 2009)
PCI Compliance – Trends and Tips
Follow industry best practices for network and
IT security
Use tools and services geared toward PCI
Compliance
Align with a larger partner for credit card
processing
Joel Dubbin, CISSP. SearchCIO.com
PCI Compliance – Trends and Tips
PCI is not about securing sensitive data, it’s
about eliminating data altogether.
John Kindervag, Forrester Analyst and former QSA
PCI Compliance – Trends and Tips
Virtualization
Servers
- Req 2.2.1: one primary function per server
- Is the entire box in scope?
- PCI DSS is technology neutral
- No guidance for QSAs
PCI Compliance – Trends and Tips
Segmentation
Reduces the cardholder data environment (the scope of the assessment)
Reduces the cost of remediation
Reduces exposure
PCI Compliance – Trends and Tips
Outsourcing
(Card data, service providers, shared hosting, managed services)
Must the third party be PCI certified?
Who owns the liability?
Which entities does a PCI assessment cover?
PCI Compliance – Trends and Tips
“PCI SWALLOWS ITS OWN TAIL”
“I’m concerned that as long as the payment card
industry is writing the standards, we’ll never see a
more secure system,” (Rep. Bennie) Thompson
said. “We in Congress must consider whether we
can continue to rely on industry-created standards,
particularly if they’re inadequate to address the
ongoing threat.”
http://information-security-resources.com/2009/04/01/payment-cardindustry-swallows-its-own-tail
Useful Links
PCI Security Standards Council: www.pcisecuritystandards.org
The SANS Institute: www.sans.org
The National Institute of Standards and Technology: www.nist.gov
The Center for Internet Security: www.cisecurity.org
Approved QSA Listing:
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
Approved ASV Listing:
https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm
Questions