issuer data security 07272011.pdf.rb
Post on 06-Apr-2018
8/2/2019 Issuer Data Security 07272011.PDF.rb
Visa Public
Issuer Data SecurityTrends and Best Practices
July 27, 2011
Issuer Data Security Trends and Best Practices
Issuer Security Environment
PCI DSS Compliance for Issuers
PCI DSS Compliance for ATM Environment
ATM Cash Out Preventive Measures
ATM Malware and Best Practices for PIN Security
PCI PIN and PCI EPP Security Requirements
Resources
Top 7 PCI DSS and PCI PIN Violations
Based on compromises of PIN and cardholder data, Visa
has found the following common issues:
1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attacks
6. Poor cryptographic key management used for PIN encryption
7. Weak controls over the production HSM environment
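Violation 5 above, as an added example that is not part of the Visa deck: a cardholder lookup that splices the caller's input into the SQL string, beside the parameterized version, both run against a constructed in-memory SQLite table. The table, its rows, the assumed account-id format and the tautology payload are all made up for the demo.

```python
"""SQL injection (violation 5): string-built query vs parameterized query.
Added example; the cardholder table and rows are constructed for the demo."""
import re
import sqlite3


def build_db():
    # Constructed sample data: in-memory SQLite stands in for the application's DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (account_id TEXT, name TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", [
        ("A100", "Alice", "1111"),
        ("A200", "Bob", "2222"),
        ("A300", "Carol", "3333"),
    ])
    return conn


def lookup_vulnerable(conn, account_id):
    # The violation: input is spliced into the statement, so a quote in the
    # input closes the literal and the remainder is parsed as SQL.
    query = "SELECT account_id, name FROM cardholders WHERE account_id = '%s'" % account_id
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, account_id):
    # The fix: the value travels separately from the statement text and is only
    # ever compared as data, whatever characters it contains.
    query = "SELECT account_id, name FROM cardholders WHERE account_id = ?"
    return conn.execute(query, (account_id,)).fetchall()


# Assumed account-id format for the demo: one upper-case letter and three digits.
ACCOUNT_ID_RE = re.compile(r"[A-Z][0-9]{3}")


def lookup_validated(conn, account_id):
    # Defence in depth: input validation rejects anything not shaped like an
    # account id before it reaches the database; parameterization still applies.
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("malformed account id")
    return lookup_parameterized(conn, account_id)


PAYLOAD = "' OR '1'='1"   # classic tautology payload

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))     # every row
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))  # no rows
```

With the payload, the vulnerable query becomes `WHERE account_id = '' OR '1'='1'` and returns the whole table; the parameterized query compares the payload as a literal string and returns nothing.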
PCI DSS Compliance for Issuers
Issuers are required to be PCI DSS compliant
Issuers that are directly connected to VisaNet and/or process on behalf of other Visa clients must validate PCI DSS annually with Visa
Third Party Processors must use a QSA for validation
Individual issuer validation may be performed by a QSA or an internal auditor
PCI SSC has clarified that issuers may store sensitive authentication data:
There must be a legitimate business need to store such data
It must be protected in accordance with the PCI DSS
PCI DSS Compliance for ATM Environment
An Issuer's ATM network and physical environment must be PCI DSS compliant
As a best practice, ATM core processing applications should adhere to the PA-DSS
PCI SSC has clarified that ATMs may store sensitive authentication data:
There must be a legitimate business need to store such data
It must be protected in accordance with the PCI DSS
Preventive Measures
Review all external-facing applications and systems (production, development, test)
Harden all servers and databases
Remove risky protocols and services such as Terminal Services, NetBIOS, etc.
Disable direct queries, command shell execution and unnecessary stored procedures on databases
Implement a deny-by-default (deny/deny) firewall configuration and block compressed files (e.g., .RAR, .TAR, .ZIP) on outbound traffic
Limit administrative access to critical systems
Review high-privileged accounts and implement group policies (e.g., SA, database operators, domain users)
Segregate payment processing systems from other, non-payment networks
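The outbound block on compressed files above is only as good as the way the file type is identified: a filter keyed on the extension is defeated by renaming `export.zip` to `notes.txt`. As an added example (not from the Visa deck), the block below classifies outbound files by their leading byte signatures and by the `ustar` marker a tar header carries at offset 257, and keeps the extension test as a fallback. The sample files are constructed in memory for the demo.

```python
"""Outbound archive blocking by content (magic bytes), not just extension.
Added example; the sample files are constructed in memory."""
import gzip
import io
import tarfile
import zipfile

# Leading byte signatures of common archive formats.
MAGIC = {
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "gzip": b"\x1f\x8b",
    "7z": b"7z\xbc\xaf\x27\x1c",
}
BLOCKED_EXT = (".zip", ".rar", ".tar", ".gz", ".tgz", ".7z")


def archive_type(data):
    """Return the archive format of `data`, or None if it is not a known archive."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    # POSIX tar has no leading magic; "ustar" sits at offset 257 of the first header.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def should_block(filename, data):
    """Outbound deny rule. Content wins: a renamed archive is still an archive.
    The extension check is kept so a truncated or unknown archive still trips it."""
    by_content = archive_type(data)
    by_ext = filename.lower().endswith(BLOCKED_EXT)
    return (by_content is not None) or by_ext, by_content


def make_samples():
    """Constructed outbound files: a zip, the same zip renamed, a gzip, a tar, plain text."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("export.csv", "acct,name\nA100,Alice\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        body = b"acct,name\nA200,Bob\n"
        info = tarfile.TarInfo("dump.csv")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return {
        "report.zip": zbuf.getvalue(),
        "notes.txt": zbuf.getvalue(),      # the same archive renamed to dodge an extension filter
        "export.gz": gzip.compress(b"cardholder export"),
        "dump.tar": tbuf.getvalue(),
        "readme.txt": b"plain text, not an archive",
    }


def scan_outbound(files):
    """Return {filename: (blocked, detected_type)} for a batch of outbound files."""
    return {name: should_block(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, (blocked, kind) in scan_outbound(make_samples()).items():
        print(f"{name:12} blocked={blocked!s:5} type={kind}")
```

Signature matching is cheap but not exhaustive (encrypted or custom containers carry no fixed magic), which is why the slide pairs the outbound block with egress segregation and DLP rather than relying on any one control.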
Preventive Measures
Transaction monitoring:
Velocity controls
Transaction limits
Real-time fraud checking and alerts
Deploy a third-party tool to identify malicious/unauthorized software
Review IVR and HSM interfaces and consider disabling clear-text HTTP GET requests
Deploy Security Information and Event Management (SIEM)
Implement and review security event logs
Centralize tracking and review of logs and network traffic
Deploy Data Loss Prevention (DLP)
Segregate Internet-facing networks from internal networks
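The velocity controls, transaction limits and real-time alerts listed under transaction monitoring, as an added example that is not part of the Visa deck: a per-card sliding-window monitor run over a constructed stream of ATM withdrawals in which one card shows a cash-out pattern. The thresholds (four withdrawals or 1,000 per hour, 500 per transaction, one country per window), the HMAC key used to tokenize the PAN and the test PANs are assumptions for the demo, not Visa's rules.

```python
"""Velocity and limit checks over a withdrawal stream. Added example;
thresholds, key and transactions are constructed for the demo."""
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int         # seconds since epoch
    card: str       # keyed hash of the PAN, never the clear PAN (see pan_token)
    amount: float
    atm_id: str
    country: str


def pan_token(pan, key):
    """Stable per-card identifier for monitoring without storing the PAN itself."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class VelocityMonitor:
    """Sliding-window velocity and limit checks per card. Thresholds are illustrative."""

    def __init__(self, window_s=3600, max_count=4, max_amount=1000.0,
                 txn_limit=500.0, max_countries=1):
        self.window_s = window_s
        self.max_count = max_count
        self.max_amount = max_amount
        self.txn_limit = txn_limit
        self.max_countries = max_countries
        self.history = defaultdict(deque)   # card -> recent Txns, oldest first

    def check(self, txn):
        """Return the names of the rules this transaction trips (empty list if none)."""
        q = self.history[txn.card]
        while q and txn.ts - q[0].ts > self.window_s:   # expire events outside the window
            q.popleft()
        q.append(txn)
        alerts = []
        if txn.amount > self.txn_limit:                  # single-transaction limit
            alerts.append("over_limit")
        if len(q) > self.max_count:                      # count velocity
            alerts.append("velocity_count")
        if sum(t.amount for t in q) > self.max_amount:   # amount velocity
            alerts.append("velocity_amount")
        if len({t.country for t in q}) > self.max_countries:   # impossible travel
            alerts.append("multi_country")
        return alerts


KEY = b"demo-only-key"                       # assumption: a per-deployment secret
H1 = pan_token("4111111111111111", KEY)      # constructed test PAN, normal use
H2 = pan_token("4222222222222222", KEY)      # constructed test PAN, cash-out pattern

# Constructed withdrawal stream (ts in seconds).
SAMPLE_STREAM = [
    Txn(0,    H1, 100.0, "ATM-01", "US"),
    Txn(60,   H2, 300.0, "ATM-07", "MX"),
    Txn(120,  H2, 300.0, "ATM-07", "MX"),
    Txn(180,  H2, 300.0, "ATM-08", "MX"),
    Txn(240,  H2, 300.0, "ATM-21", "UA"),   # second country within minutes
    Txn(300,  H2, 300.0, "ATM-21", "UA"),
    Txn(400,  H1, 800.0, "ATM-02", "US"),   # single withdrawal over the limit
    Txn(7200, H1, 100.0, "ATM-01", "US"),   # two hours later: H1's window has expired
]


def run_monitor(stream, monitor=None):
    """Feed a stream through the monitor; returns (ts, card prefix, alerts) per transaction."""
    monitor = monitor or VelocityMonitor()
    return [(t.ts, t.card[:8], monitor.check(t)) for t in stream]


if __name__ == "__main__":
    for ts, card, alerts in run_monitor(SAMPLE_STREAM):
        print(f"t={ts:5d} card={card} alerts={alerts}")
```

In a real deployment the monitor would sit in the authorization path (so a tripped rule can decline in real time, not just alert) and the window state would live in shared storage rather than process memory.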
Recent ATM Malware Attacks
Confirmed cases in Russia, Ukraine and Mexico
Modes of attack:
Direct USB injection of malware into the ATM by a trusted ESO (Encryption Support Organization)
Manipulation of ATM patches loaded remotely (Ukraine)
Insecure key loading from the back of the ATM exposed the Key Exchange Key
Non-compliance with PCI PIN Security Requirements
Known cases involved access to a non-hardened operating system (Windows XP)
Weak administrative user access controls and passwords
Modified chip cards used at ATMs to:
Write data to the chip or print data to paper
Dispense all ATM cash
April 2011 Visa Business News describes the latest attack
Recommendations to Protect ATMs Against Malware Attack
Visa has published a list of known malware hash values
Clients should use this information to work with ATM vendors, processors and security teams to identify the presence of ATM malware
Ensure the integrity of all software maintenance fixes via the use of checksums, digital signatures, etc.
Equip ATMs with sensors that detect external intrusion
Operating system user management controls must be compliant with the PCI DSS requirements
Configure operating systems in accordance with the PCI DSS requirements, including patch management, password management and the overall security configuration
Recommendations to Protect ATMs Against Malware Attack
Implement enhanced access controls, such as one-time passwords, challenge-response mechanisms, etc.
Implement the least privilege necessary for system, service and software accounts
Utilize hard drive encryption
Implement a trusted environment: validate software integrity and authenticity upon start-up and at least once per day to help determine whether the ATM is in a compromised state
Patch and secure necessary systems, services and software
Completely disable or remove unused and unnecessary services and software (e.g., RMS)
Vet and register with Visa only trusted Plus ESO agents
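The recommendations on these two slides ask for three related checks: verifying the integrity of maintenance fixes, comparing deployed files against published malware hashes, and validating software integrity at start-up and at least daily. As an added example that is not part of the Visa deck and does not use Visa's hash list, the block below builds a SHA-256 manifest of a constructed software tree, re-checks the tree against that baseline and against a constructed "known bad" hash set, and accepts a patch only if its hash matches the value the vendor supplied. Directory layout, file contents and every hash are made up for the demo.

```python
"""Start-up/daily integrity check, known-hash matching and patch verification.
Added example; the software tree, baseline and 'known bad' set are constructed."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256; ATM binaries should not be read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root: the trusted baseline."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, baseline, known_bad):
    """Diff the current tree against the baseline and a known-malware hash set."""
    current = build_manifest(root)
    findings = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "known_bad": sorted(p for p, h in current.items() if h in known_bad),
    }
    findings["compromised"] = any(findings[k] for k in ("modified", "added", "missing", "known_bad"))
    return findings


def verify_patch(path, expected_sha256):
    """Accept a maintenance fix only if its hash matches the vendor-supplied value."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    # Constructed ATM software tree (not a real vendor layout).
    root = tempfile.mkdtemp()
    _write(root, "bin/xfs_host.exe", b"XFS host application v1.0")
    _write(root, "bin/dispenser.dll", b"cash dispenser driver v2.3")
    _write(root, "config/atm.ini", b"[dispenser]\nmax_notes=40\n")
    baseline = build_manifest(root)

    # Constructed 'known bad' set: the hash of a fake malware body, not a real indicator.
    malware_body = b"fake ATM malware sample for the demo"
    known_bad = {hashlib.sha256(malware_body).hexdigest()}
    clean = verify_tree(root, baseline, known_bad)

    # A vendor hotfix arrives with its published hash; approved maintenance is folded
    # into the baseline after it verifies.
    patch = b"dispenser driver v2.4 hotfix"
    _write(root, "patches/hotfix.bin", patch)
    vendor_hash = hashlib.sha256(patch).hexdigest()
    patch_ok = verify_patch(os.path.join(root, "patches/hotfix.bin"), vendor_hash)
    baseline = build_manifest(root)

    # Then the tree is tampered with: a driver is modified, malware dropped, the patch altered.
    _write(root, "bin/dispenser.dll", b"cash dispenser driver v2.3 + dispense-all hook")
    _write(root, "bin/svchost_.exe", malware_body)
    _write(root, "patches/hotfix.bin", patch + b"\x90")
    tampered = verify_tree(root, baseline, known_bad)
    patch_ok_after = verify_patch(os.path.join(root, "patches/hotfix.bin"), vendor_hash)
    return clean, tampered, patch_ok, patch_ok_after


if __name__ == "__main__":
    clean, tampered, before, after = demo()
    print("clean tree:", clean)
    print("tampered tree:", tampered)
    print("patch verified before/after tampering:", before, after)
```

The baseline and the known-bad list have to live somewhere the attacker cannot rewrite (signed, or off the ATM), otherwise a "dispense-all hook" can be baselined along with the rest; the slides' whitelisting and kernel-level lockdown are the enforcement side of the same idea.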
Recommendations to Protect ATMs Against Malware Attack
Use anti-malware solutions that can detect and prevent unwanted changes
Whitelist executables (enforced at the kernel level) and lock down the OS
Check vendor manuals and Internet resources for default, blank and weak settings; change these settings immediately upon installation
This includes changing all passwords and disabling users that are not needed
Activate necessary security and logging functions
Keep anti-virus and anti-spyware software up to date
Ensure ATM software has been validated as compliant with the PCI PA-DSS
Contact ATM vendors and processors to:
Determine potential exposures of the deployed ATM base
Implement prevention and detection tools
Receive specific security alerts and best practices
Securing the Visa/Plus Payment System
PCI Data Security Standard (PCI DSS) Compliance
Drive PCI DSS compliance to ensure entities protect cardholder data from compromise
PCI PIN Security Requirements
Advance compliance to prevent PIN compromises
PCI PIN Transaction Security Testing program
Ensure the use of secure cryptographic hardware: PCI EPP, PCI POS, PCI UPT, PCI HSM, PCI ATM (pending)
PCI Payment Application Data Security Standard (PA-DSS)
Promote development and use of secure payment applications and eliminate vulnerable applications
Visa's Data and PIN security compliance programs help secure the overall payment system
PCI PIN and PCI EPP Security Requirements
PCI PIN Security Requirements transitioned to the PCI Security Standards Council (SSC) in early 2011
Visa / Plus clients and their agents must be compliant with the:
PCI PIN Security Requirements (key management)
PCI Encrypting PIN Pad (EPP) Security Requirements (secure hardware)
Level 1 PIN Security Program entities must validate annually with Visa
ATM owners / sponsors must ensure ATMs comply with the applicable:
PCI DSS and PA-DSS requirements
PCI PIN and PCI EPP requirements
regardless of whether ATM driving, processing and maintenance is performed by a third-party processor or agent
ATM owners and their agents should confirm their devices are listed on the PCI SSC's list of Approved PIN Transaction Security Devices* (www.pcisecuritystandards.org)
* Dependent on when the ATM was deployed / moved
Compliant Equipment
Purchase only PCI-approved devices
Install only the compliant EPP firmware version listed with the approved EPP
This is a major area of non-compliance
Require suppliers to sell only PCI-approved / compliant products
Verify EPP serial numbers and firmware against the manufacturer's documents and the PCI EPP list
Bind only compliant, PCI-approved EPPs into purchase contracts
PCI Approved EPPs (as of July 2011):
60 V1 approvals, expiring April 2014
21 V2 approvals, expiring April 2017
1 V3 approval, expiring April 2020
Compliant Equipment (slide 15 is a figure; no text was extracted)
8/2/2019 Issuer Data Security 07272011.PDF.rb
16/19
Visa Public July 2011 1616
Compliant Equipment: EPP Mandate
Effective 1 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and be approved by Visa for new deployments
Required EPP approval status by ATM deployment date:
ATMs deployed prior to October 1, 2005 and never moved: Vendor Attested
ATMs deployed on or after October 1, 2005: Pre-PCI Approved (Pre-PCI EPP list on www.visa.com/cisp)
ATMs deployed after September 2008: PCI Approved (PCI PTS list on www.pcisecuritystandards.org)
For Visa mandates for use of PCI-approved devices see www.visa.com/cisp, Visa General PIN Entry Device FAQ
Resources
Visa websites: www.visa.com/cisp
Visa documents:
Issuers PCI DSS Frequently Asked Questions
Issuer PIN Security Guidelines
PIN-Entry Device Frequently Asked Questions
Personal Identification Number (PIN) Attacks Alert
What To Do If Compromised Guide
Reminder: Registration and Compliance Requirements for Encryption Support Organizations
Joint USSS/FBI Advisory, Feb. 2009
Communications and training:
Visa Key Management and PIN Security trainings
Data Security Alerts, Bulletins, Best Practices and Webinars (www.visaonline.com)
Update: Compromise of ATM PIN Transactions, May 2011 Visa Business News
Resources
Visa client tools:
Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems (advancedauth@visa.com)
Register for and use Visa's Compromised Account Management System (CAMS) alerts (cams@visa.com)
PCI Security Standards Council: www.pcisecuritystandards.org
PCI PIN Transaction Security (PTS): Approved PTS Devices
Questions?