Transcript Document
Payment Card Industry (PCI) Data Security Standards (DSS) Updates and Trends for 2009 Agenda What is PCI? What’s New with PCI v1.2? Deadlines! VISA’s CAP VISA – What to do if compromised… Recent Breaches PCI Compliance Trends and Tips What is PCI? The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express. PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. Adherence to the PCI DSS aides in securing cardholder payment data that is stored, processed or transmitted by merchants and processors. PCI DSS specifies requirements entailing many security technologies and business processes, and reflects most of the best practices for securing sensitive information. PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states. (Source: PCI Security Standards Council) 3 What Is Cardholder Data? Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder Card Holder Data Primary Account Number (PAN) with: Expiration date or Card holder name Sensitive Authentication Data CVV or CVC (Card Verification Values) Track 1 and Track 2 Data (magnetic stripe) 4 Who Must Comply? PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards. However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements. Information regarding service provider levels and validation requirements can be obtained from each individual credit card company’s Web site. The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data. 5 PCI DSS Version 1.1 The Payment Card Industry Data Security Council released PCI DSS version 1.1 in September 2006. The standard is broken into six segments: Building and maintaining a secure network; Protecting cardholder data; Maintaining a vulnerability management program; Implementing strong access control measures; Regularly monitor and test networks; and Maintain an information security policy. 6 What’s New? Requirement 6.6 (as of June 30, 2008) Web application firewall or code review? It’s your choice, but should they both be required? What’s New? PCI DSS v1.2 (as of October, 2008) Requirement 1: Clarified configuration requirements for routers too. Changed frequency of review to 6 months. Requirements 2 & 4: No new WEP implementations after March 31 2009 No WEP in environment after June 30 2010 What’s New? PCI DSS v1.2 (as of October, 2008) Requirement 6.6: Web App Firewall/code review Requirement 9: Video cameras and off-site secure storage reviews What’s New? PCI DSS v1.2 (con’t) Requirement 11: Wireless analyzer or wireless IDS/IPS Requirement 12: Annual employee acknowledgement of security policies Requirement 12.8: Changed to focus on policies and procedures to manage service provider, rather than contractual requirements. Lifecycle Process for Changes to PCI DSS https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf 11 Prioritized Approach 1. Remove Sensitive Data a. Key area of risk for compromised data b. If you don’t need it, don’t store it 2. Protect the perimeter, internal, and wireless networks a. Controls points of access for most compromises 3. Secure payment applications a. Weakness in these areas are “easy prey” https://www.pcisecuritystandards.org/education/prioritized.shtml 12 Prioritized Approach 4. Monitor and control access to systems a. Who is accessing the network 5. Protect stored cardholder data a. If you must store it, implement the key controls 6. Finalize remaining compliance efforts, and ensure all controls are in place a. Policies, process and procedures https://www.pcisecuritystandards.org/education/prioritized.shtml 13 What’s New? PA-DSS* (October 2008) Transition from VISA’s PABP For software vendors Aligns with PCI DSS Use of PA-DSS compliant app not required for PCI DSS compliance Use of a PA-DSS compliant app does not guarantee PCI DSS compliance *PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. What’s New? PCI SSC Quality Assurance Program Crack down on “easy graders” 2009 training emphasizes testing and documentation procedures. No PA-QSA has been able to successfully certify for PA-DSS (As of December 2008) What’s New? Self Assessment Program February 2008, PCI SSC released updated SAQ Four separate SAQ focused on complexity and risk of the processing environments Deadlines! All deadlines come from the payment brands and the acquiring banks: PCI DSS Compliance – All deadlines are past. Level 4 – Requirements/dates now set by acquirer and scans “may” be required Deadlines! PA-DSS (VISA) 1/1/08 – VNPs must not use known vulnerable applications 7/1/08 – VNPs must only certify validated apps to their platforms 10/1/08 – Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use validated applications 10/1/09 – VNPs must decertify vulnerable payment applications 7/1/10 – Acquirers must certify that merchants and VNPs only use validated applications VISA’s Compliance Acceleration Program As of September 2008, only 57% of Level 3 merchants were compliant http://usa.visa.com/download/merchants/cisp_pcidss_ compliancestats.pdf) Compliance acceleration “provide financial incentives and enforcement provisions” Additionally, acquirers must certify that Level 1 and 2 merchants do not store prohibited data VISA – What to do if compromised… December 2008 Immediately report to VISA suspected or confirmed loss Provide proof of PCI compliance within 48 hrs Provide written incident report to VISA with three days VISA will decide if you need to hire a QIRA. The person needs to be contracted and on-site within 5 days. VISA – What to do if compromised… “In addition to the general instructions provided here, Visa may also require an investigation that includes, but is not limited to, access to premises and all pertinent records including copies of analysis.” (http://usa.visa.com/merchants/risk_management/cisp_if_compromised.ht ml) Breaches – PCI certified entities Hannaford Bros Grocery Detected February 27, 2008 4.2 million credit and debit card numbers Breaches – PCI certified entities Hannaford Bros Grocery Malware on servers – >270 Captured data in transit Inside job? Class action suit – within 1 week Breaches – PCI certified entities Heartland Payment Systems Breach occurred in 2008 – Reported January 2009 Alerted by Visa and Mastercard March 18, 2009 – Visa announced enterprises can do business with Heartland http://2008breach.com/Information.asp Breaches – PCI certified entities Heartland Payment Systems Sniffer on the network Social engineering? Root kit? Class action suit filed in just days Heartland – What went wrong? Failed to prevent bad code from being installed Inadequate cryptographic architecture Didn’t monitor outbound traffic Beyond penalties and fines “Forty percent of consumers change their relationship with a business affected by a security breach.” Linda Tucci, “PCI Standard Still Packs Little Punch,” SearchCIO.com Beyond penalties and fines Data breaches cost companies $202 per compromised customer record in 2008. Since 2005, this number has increased by $64 – a 40% increase. (Ponemon Institute, February 2009) Beyond penalties and fines “More than 88% of all cases in this year’s study involved insider negligence.” (The Ponemon Institute, February 2009) PCI Compliance – Trends and Tips Follow industry best practices for network and IT security Use tools and services geared toward PCI Compliance Align with a larger partner for credit card processing Joel Dubbin, CISSP. SearchCIO.com PCI Compliance – Trends and Tips PCI is not about securing sensitive data, it’s about eliminating data altogether. John Kindervag, Forrester Analyst and former QSA PCI Compliance – Trends and Tips Virtualization Servers - Req 2.2.1 – One primary function per server Entire box in-scope? PCI DSS is technology neutral No guidance for QSAs PCI Compliance – Trends and Tips Segmentation Reduce the cardholder data landscape Reduces cost of remediation Reduces exposure PCI Compliance – Trends and Tips Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services) Must third party be PCI certified? Who owns the liability? What entities does a PCI assessment cover? PCI Compliance – Trends and Tips “PCI SWALLOWS ITS OWN TAIL” “I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.” http://information-security-resources.com/2009/04/01/payment-cardindustry-swallows-its-own-tail Useful Links PCI Security Standards Council- www.pcisecuritystandards.org The SANS Institute- www.sans.org The National Institute of Standards and Technology- www.nist.gov The Center for Internet Security- www.cisecurity.org Approved QSA Listing- https://www.pcisecuritystandards.org/resources/qualified_security_a ssessors.htm Approved ASV Listinghttps://www.pcisecuritystandards.org/resources/approved_scanning _vendors.htm 36 Questions [email protected]