Transcript PCI-DSS

PCI-DSS
Erin Benedictson
Information Security Analyst
AAA Oregon/Idaho
What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standard
This is commonly called “PCI”
PCI is a council created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International

Who Must Comply with PCI?

All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.
History of PCI
PCI was formed in order to make compliance simpler
Up until 2004 there were 4 different standards to follow:
– CISP (Visa)
– SDS (MasterCard)
– DISC (Discover)
– DSS (American Express)
Each credit card company had their own standard and they all contained different requirements (encryption strength, etc.)
In 2004 the PCI Security Standards Council was formed to bring all of these requirements under one umbrella
Level 1 merchants were required to be compliant by Dec. 31, 2007
Level 2-4 merchants were required to be compliant by June 30, 2007
Different Levels of PCI
Level 1 - Any merchant who processes over 6,000,000 transactions annually or has suffered a breach
Level 2 - Any merchant who processes between 1,000,000 and 6,000,000 transactions annually
Level 3 - Any merchant who processes between 20,000 and 1,000,000 transactions annually
Level 4 - Any merchant who processes under 20,000 transactions annually
Different Merchant Level Requirements
Level 1 – Requires a third-party, PCI-approved Qualified Security Assessor (QSA) to perform a yearly onsite assessment, yearly penetration tests and quarterly security scans by an approved PCI scanning vendor
Level 2 and 3 – Requires merchants to complete a yearly self-assessment questionnaire (SAQ) and quarterly security scans by an approved PCI scanning vendor
Level 4 - Recommended to perform the level 2 and 3 requirements, but not enforced
All levels are required to be PCI compliant
Non-Compliant Risk and Consequences

Visa – Regardless of level requirements
– 1st Violation: Up to $50,000 USD for rolling 12-month period
– 2nd Violation: Up to $100,000 USD for rolling 12-month period
– 3rd Violation: Visa’s discretion to refuse future transactions until compliant

MasterCard
– Level 1: Up to $25,000 USD annual fee per Merchant
– Level 2: Up to $5,000 USD annual fee per Merchant
– Level 3: Up to $5,000 USD annual fee per Merchant
12 Main Parts of PCI
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Breach Risk and Consequences

Reputation Risk
– What will the impact be on your company’s brand?
– Mandatory involvement of federal law enforcement in investigation

Financial Risk
– Merchant banks may pass on substantial fines
– Up to $500,000 per incident from Visa alone
– $20 - $90 fine per credit card number that COULD have been exposed or compromised
– Civil liability and cost of providing ID theft protection
– Average cost of a security breach is $5,000,000

Compliance Risk
– Exposure to Level 1 validation requirements

Operational Risk
– Visa-imposed operational restrictions
– Potential loss of card processing privileges
AAA Oregon/Idaho
Reached level 1 PCI-DSS compliance in January 2008
The compliance process took about 9 months of planning to reach level 1 status
AAA Oregon/Idaho’s PCI requirement is level 3.
In June 2007 AAA Oregon/Idaho was level 3 compliant.
Interpretation of compliance requirements differed between AAA Oregon/Idaho and our PCI QSA
The cost to become level 1 was under $30,000. This includes contractors and equipment purchases
The cost to remain PCI compliant on a yearly basis is roughly $15,000; this includes the yearly audit, Report on Compliance (ROC) and monthly scans
The Storage of Unencrypted Credit Card Numbers

PCI Section 3
– PCI section 3 requires the storage of unencrypted credit card numbers to have 2 factors of authentication
– This information needs to be stored in a DMZ (separate network segment)
– Must be masked within databases
– Responsibility falls on the merchant to keep information safe, even if it is given to you in an unsecured fashion
– Section 3 is the main reason companies fail their PCI-DSS assessment
Data Flow
Data is sent from the merchant through Apollo in an encrypted file (128-bit SSL)
A MIR file is sent to a Galileo Print Manager that resides at the merchant; this file arrives encrypted and is then decrypted
The MIR file then arrives in a repository unencrypted as a plain text file (this file contains full credit card numbers) for processing into the merchant’s GlobalWare database
Credit card numbers are then masked once processed into GlobalWare
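Section 3 says card numbers must be masked within databases, and the data flow above leaves full card numbers in plain text in the MIR repository between decryption and processing. The Python below is an added example, not AAA Oregon/Idaho’s, Galileo’s or GlobalWare’s code: it scans MIR-like text for 13-19 digit runs, keeps only those that pass the Luhn check, and masks them to first six / last four (the mask format assumed here). The record layout is constructed to look MIR-like and the card numbers are industry test PANs, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample of MIR-like text (not a real MIR record layout). The card
# numbers are the well-known industry test PANs, not real accounts.
SAMPLE_MIR = """\
MIR HEADER 20080115 AGENCY=EXAMPLE
PAX SMITH/JOHN FARE 412.50
FOP CC VI4111111111111111 EXP 0110
FOP CC AX378282246310005 EXP 1209
CONF 1234567890123456Z
TOTAL 825.00
"""

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out confirmation numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (assumed mask format); X the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate PAN found in the text, in order."""
    return [c for c in PAN_RE.findall(text) if luhn_ok(c)]

def mask_text(text: str) -> Tuple[str, int]:
    """Replace each Luhn-valid PAN with its masked form; return text and count."""
    count = 0

    def repl(m):
        nonlocal count
        pan = m.group(1)
        if not luhn_ok(pan):
            return pan  # not a card number (e.g. a confirmation code); leave it
        count += 1
        return mask_pan(pan)

    return PAN_RE.sub(repl, text), count
```

Calling mask_text(SAMPLE_MIR) masks the two test PANs on the FOP lines and leaves the Luhn-invalid number on the CONF line untouched; the count returned is what a repository scan would report as unmasked card numbers found.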
What We Did…
We placed our GlobalWare server in a DMZ
We configured the Galileo Print Manager to place the MIR repository destination in the DMZ on the GlobalWare server
1- We limited access to the GlobalWare server inside the DMZ to specific computers
2- We limited access to the GlobalWare server to specific users within Windows Active Directory
3- We use PGP (encryption software) to create a Virtual Encrypted Disk. This requires an AES 256-bit key, but the key cannot be stored locally on the server
4- This encrypted disk shows up as a shared drive and is left open for MIRs to be added and removed during processing to the database
The PGP Virtual Encrypted Disk would be unreadable to anyone without the encryption key, even if someone stole the physical server

Other Options…

There are other options to achieve the PCI section 3 requirements; this is just one of the options we could have used:
– The use of Full Disk Encryption is an option (meaning the entire server is encrypted) in order to keep MIR files safe. Many companies, such as IBM, build this into their new servers, so it does not require the use of PGP.
Verizon Business 2008 Data Breach Report

Breaches by company size –
– 2% 1-10 Employees
– 30% 11-100 Employees
– 22% 101-1,000 Employees
– 26% 1,001-10,000 Employees
– 14% 10,001-100,000 Employees
– 6% 100,001+
84% of all data breaches were targeted at credit card data
70% of all breaches are found by a 3rd party company (i.e. the cardholder’s bank)
82% of all breaches are from online data

Some Common PCI Myths
One vendor and product will make us compliant
Outsourcing card processing makes us compliant
PCI compliance is an IT project
PCI will make us secure
PCI requires us to hire a QSA
PCI is unreasonable and it requires too much
We don’t take enough credit cards to be compliant
We completed a SAQ so we’re compliant
PCI makes us store cardholder data
PCI is too hard

QUESTIONS?