Transcript

Slide 1: PCI 101

Trustwave Corporate Profile

• Trustwave is an established company serving a global client base with industry-leading solutions
  – Founded in 1995
  – Approximately 600 employees in 21 locations on six continents
  – Thousands of customers throughout the world, including 6 of the Fortune Top 10
  – Chicago is global HQ; London, Sydney and São Paulo are regional HQs
  – Secure Operation Centers in Chicago and Warsaw
• Award-winning, patented security technology
  – 2009 SC Magazine “Recommended” Managed Security Services
  – 2009 Frost & Sullivan NAC Best Practices
  – 2010 SC Magazine “Finalist” Encryption
  – Forrester 9 out of 10 rating NAC solution
• The leader in compliance and data security
  – MSSP with more than 1,400 devices under management
  – Monitor more than 18 million events per day
  – Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
  – Performed more than 2,000 network and application penetration tests
  – Conducted more than 740 forensic investigations
  – Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
  – PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40 percent of Payment Apps
  – Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

Copyright Trustwave 2008 Confidential

Global Presence

• Global Headquarters: Chicago, IL
• EMEA Headquarters: London, UK
• APAC Headquarters: Sydney, Australia
• LAC Headquarters: São Paulo, Brazil
• Other offices: Toronto, Canada; Pittsburgh, PA; Frankfurt, Germany; Dallas, TX; Stockholm, Sweden; Annapolis, MD; Austin, TX; Budapest, Hungary; Boston, MA; Denver, CO; Rennes, France; Beijing, China; Warsaw, Poland; Shanghai, China; Kiev, Ukraine; Bogotá, Colombia; Tokyo, Japan; Belo Horizonte, Brazil; Mumbai, India; Mexico City, Mexico; Dubai, United Arab Emirates; Pretoria, South Africa; Santiago, Chile

Payment Card Acceptance

The Payment Card Industry’s Data Security Standard states: “PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.”

The Mandate: Visa Merchant Levels Defined

Merchant classification criteria (as of July 18, 2006):

• Level 1: Any merchant, regardless of acceptance channel, that:
  – Processes over 6 million Visa transactions per year
  – In some cases, merchants who suffered a hack or an attack that resulted in an account data compromise
  – Has been identified by any other payment card brand as Level 1
• Level 2: Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel
• Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions
• Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions or fewer than 1 million Visa transactions, regardless of acceptance channel

Validation Actions Depend on Level

Columns: Merchant Level | Validation Actions | Validated By | Deadline

• Level 1
  – Annual On-site PCI DSS Data Security Assessment | Qualified Security Assessor
  – Quarterly Network Scan | Approved Scanning Vendor
  – Deadline: 9/30/04 (Visa’s new Level 1 merchants have up to one year from identification to validate)
• Level 2
  – Annual PCI DSS Self-Assessment Questionnaire / Annual On-site PCI DSS Data Security Assessment | Merchant / Qualified Security Assessor
  – Quarterly Network Scan | Approved Scanning Vendor
  – Deadline: 6/30/05 (Visa’s new Level 2 merchants have until 9/30/07)

Validation Actions Depend on Level (cont.)

• Level 3
  – Annual PCI DSS Self-Assessment Questionnaire | Merchant
  – Quarterly Network Scan | Approved Scanning Vendor
  – Deadline: 6/30/05
• Level 4
  – Annual PCI DSS Self-Assessment Questionnaire | Merchant
  – Quarterly Network Scan | Approved Scanning Vendor
  – Deadline: Validation requirements and dates are determined by the merchant’s acquirer

PCI DSS Standard Overview: Six Goals, Twelve Requirements

• Build and Maintain a Secure Network
  – 1. Install and maintain a firewall configuration to protect cardholder data
  – 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – 3. Protect stored cardholder data
  – 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – 5. Use and regularly update antivirus software or programs
  – 6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  – 7. Restrict access to cardholder data by business need-to-know
  – 8. Assign a unique ID to each person with computer access
  – 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  – 10. Track and monitor all access to network resources and cardholder data
  – 11. Regularly test security systems and processes
• Maintain an Information Security Policy
  – 12. Maintain a policy that addresses information security for employees and contractors

Top PCI DSS Violations

Chart: Percentage of PCI DSS violations by requirement (Req. 1 through Req. 12), from violations found in incident response investigations in 2009. Requirements called out on the chart:

• Requirement 1: Install and maintain a firewall to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults
• Requirement 3: Protect stored data
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 10: Track and monitor access to network and card data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security

Self Assessment Questionnaire (SAQ) 1.2

Columns: SAQ Version | Validation Type | Description of Subject Merchant

• SAQ 1.2 A (13 questions) | Validation Type 1 | Card-not-present merchants only that outsource all parts of the credit card transaction. Data is only kept in paper reports.
• SAQ 1.2 B (27 questions) | Validation Type 2 | This merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.
• SAQ 1.2 B (27 questions) | Validation Type 3 | Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically.
• SAQ 1.2 C (41 questions) | Validation Type 4 | The payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with Security Best Practices.
• SAQ 1.2 D (222 questions) | Validation Type 5 | Any merchant that does not fit any of the above categories, and any eligible service provider.

Resources

• PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml
• Visa CISP: http://www.visa.com/cisp
• MasterCard SDP: http://www.mastercard.com/sdp

Program Features and Value Proposition

• PCI Assistant
• External Vulnerability Scans
• PCI Wizard
• Robust Educational Tools
• Security Policy Advisor
• Security Awareness Training
• 24/7/365 Help Desk
• Customer Webinars
• Merchant Reporting

TrustKeeper

• TrustKeeper is Trustwave's compliance portal that merchants will use to manage, track and validate their compliance status.
• TrustKeeper is the leading portal used by acquiring banks to monitor PCI DSS compliance status among merchants.
• TrustKeeper offers easy-to-use vulnerability assessment and management services to help merchants meet all their PCI DSS compliance requirements.

TrustKeeper Agent

• TrustKeeper Agent is an optional component of TrustKeeper that installs on Windows PCs or PC-based payment terminals.
• TrustKeeper Agent:
  – Assists with setting up and managing vulnerability scans
  – Collects information needed to answer technical system questions and reports back to TrustKeeper
  – Monitors systems to ensure the security and data storage settings meet the requirements of the PCI DSS
  – Provides information for summarized and detailed reports in TrustKeeper

Welcome Splash Page (screenshot slide; title only)

PCI Wizard Choice (screenshot slide; title only)

PCI Wizard for a Dial-up Merchant (screenshot slide; title only)

Questions and Help Text: How Do I Choose? (screenshot slide; title only)

Resolve Issues with Remediation Advice (screenshot slide; title only)

Pre-Filled SAQ for Merchant Review (screenshot slide; title only)

Certificate of Compliance (screenshot slide; title only)

Security Policy Advisor: TrustKeeper’s Security Policy Advisor (screenshot slide; title only)

Security Awareness Training (screenshot slide; title only)

TrustKeeper Agent (screenshot slide; title only)