issuer data security 07272011.pdf.rb

Upload: jabezberit

Post on 06-Apr-2018


  • 8/2/2019 Issuer Data Security 07272011.PDF.rb

    1/19

    Visa Public

    Issuer Data Security Trends and Best Practices

    July 27, 2011

  • 2/19

    Visa Public July 2011 2

    Issuer Data Security Trends and Best Practices

    Issuer Security Environment

    PCI DSS Compliance for Issuers

    PCI DSS Compliance for ATM Environment

    ATM Cash Out Preventive Measures

    ATM Malware and Best Practices for PIN Security

    PCI PIN and PCI EPP Security Requirements

    Resources

  • 3/19

    Top 7 PCI DSS and PCI PIN Violations

    Based on compromises of PIN and cardholder data, Visa has found the following common issues:

    1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data, insecure remote access)
    2. Inadequate perimeter security (e.g., improperly managed firewall)
    3. Out-of-date system security patches
    4. Vendor default settings and passwords (e.g., unsecured wireless)
    5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attack
    6. Poor cryptographic key management used for PIN encryption
    7. Weak controls over production HSM environment
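Item 5 names the failure mode without showing it. The following is an added example, not taken from the Visa deck: a card-account lookup whose query text is built by string formatting, beside the same lookup with a bound parameter, plus the allow-list check the web tier should apply before the query ever runs. The `accounts` table, its rows and the function names are constructed for this illustration.

```python
# Added example (not from the Visa deck): the "no input validation ->
# SQL injection" failure named in item 5, as a vulnerable lookup beside
# its parameterised form. Table, rows and names are constructed.
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Create an in-memory table of constructed card-account records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (card_last4 TEXT, holder TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1111", "Alice"), ("2222", "Bob"), ("3333", "Carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last4: str) -> List[str]:
    """Query text built by formatting: whatever the caller sends becomes SQL."""
    sql = f"SELECT holder FROM accounts WHERE card_last4 = '{last4}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, last4: str) -> List[str]:
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT holder FROM accounts WHERE card_last4 = ?"
    return [row[0] for row in conn.execute(sql, (last4,))]


def validate_last4(last4: str) -> str:
    """Allow-list check at the web tier: exactly four ASCII digits, nothing else."""
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("card_last4 must be exactly four digits")
    return last4


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, "1111"))            # one row, as intended
    print(lookup_vulnerable(conn, "' OR '1'='1"))     # tautology: every row
    print(lookup_parameterised(conn, "' OR '1'='1"))  # same input: no rows
```

The parameterised form closes the injection; the allow-list check is the "input validation" the slide refers to and belongs in addition, because it also rejects oversized or malformed input before it reaches the database tier.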

  • 4/19

    PCI DSS Compliance for Issuers

    Issuers are required to be PCI DSS compliant

    Issuers that are directly connected to VisaNet and/or process on behalf of other Visa clients must validate PCI DSS annually with Visa

    Third Party Processors must use a QSA for validation

    Individual issuers' validation may be performed by a QSA or internal auditor

    PCI SSC has clarified issuers may store sensitive authentication data

    There must be a legitimate business need to store such data

    Must be protected in accordance with the PCI DSS

  • 5/19

    PCI DSS Compliance for ATM Environment

    An Issuer's ATM network and physical environment must be PCI DSS compliant

    As a best practice, ATM core processing applications should adhere to the PA-DSS

    PCI SSC has clarified ATMs may store sensitive authentication data

    There must be a legitimate business need to store such data

    Must be protected in accordance with the PCI DSS

  • 6/19

    Preventive Measures

    Review all external facing applications and systems (production, development, test)

    Harden all servers and databases

    Remove risky protocols such as Terminal services, NetBios, etc.

    Disable direct queries/command shell/stored procedures on databases

    Implement deny/deny on firewall configuration and block compressed files (i.e., .RAR, .TAR, .ZIP, etc.) on outbound traffic

    Limit administrative access to critical systems

    Review high-privileged accounts and implement group policies (e.g., SA, database operators, domain users)

    Segregate payment processing systems from other non-payment networks
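The slide says to block compressed files on outbound traffic, and a rule keyed on file extension alone misses an archive that has been renamed to .txt. The classifier below is an added example, not part of the Visa deck: it identifies ZIP, RAR, gzip, 7z and tar payloads by their leading bytes, so the block decision follows content, with the extension rule kept as a second layer. The sample archives are constructed in memory with the standard library; the RAR sample is a bare header, since the stdlib cannot write that format; the function names and thresholds are my own.

```python
# Added example (not from the Visa deck): content-based detection of the
# compressed formats the slide names, for an outbound-traffic block rule.
import gzip
import io
import tarfile
import zipfile
from typing import Dict, Optional, Tuple

# (offset, signature bytes, label). The tar magic sits at byte 257 of the
# first header block; RAR 4.x and 5.x carry different signatures.
ARCHIVE_MAGIC = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07\x00", "rar4"),
    (0, b"Rar!\x1a\x07\x01\x00", "rar5"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (257, b"ustar", "tar"),
]

BLOCKED_EXTENSIONS = (".rar", ".tar", ".zip", ".gz", ".7z")


def classify_archive(payload: bytes) -> Optional[str]:
    """Return the archive type identified by magic bytes, or None."""
    for offset, sig, label in ARCHIVE_MAGIC:
        if payload[offset:offset + len(sig)] == sig:
            return label
    return None


def outbound_decision(filename: str, payload: bytes) -> Tuple[str, str]:
    """Decide 'block' or 'allow' for an outbound file and state the reason.

    Content wins over name: a renamed archive is still blocked, and the
    extension rule remains as a second layer for non-archive payloads."""
    kind = classify_archive(payload)
    if kind:
        return "block", f"content is a {kind} archive"
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return "block", "blocked extension"
    return "allow", "no archive content or extension"


def constructed_samples() -> Dict[str, bytes]:
    """Build sample payloads in memory (constructed, not captured traffic)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("export.csv", "tok-1111,Alice\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        data = b"constructed dump"
        info = tarfile.TarInfo("dump.bin")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return {
        "export.zip": zbuf.getvalue(),
        "report.txt": zbuf.getvalue(),                   # ZIP renamed to .txt
        "backup.tar": tbuf.getvalue(),
        "log.gz": gzip.compress(b"syslog lines"),
        "x.bin": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,  # RAR5 header only
        "notes.txt": b"plain text, nothing to see",
    }


if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(name, outbound_decision(name, payload))
```

A DLP or proxy rule of this kind only inspects the first few hundred bytes of each file, so it is cheap to run inline; it does not see inside encrypted or nested containers, which is why the slide pairs it with a default-deny egress policy rather than relying on it alone.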

  • 7/19

    Preventive Measures

    Transaction monitoring

    Velocity controls

    Transaction limits

    Real-time fraud checking and alerts

    Deploy third-party tool to identify malicious/unauthorized software

    Review IVR and HSM and consider disabling clear-text HTTP_Get request

    Deploy Security Information and Event Management (SIEM)

    Implement and review security event logs

    Centralize tracking and review of logs and network traffic

    Deploy Data Loss Prevention (DLP)

    Segregate Internet-facing networks from internal networks
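The three transaction-monitoring items (velocity controls, transaction limits, real-time fraud checking and alerts) can be combined in a single evaluator. The code below is an added example, not from the deck: it applies a per-withdrawal amount limit, a sliding-window count per card, and a rolling 24-hour total to a stream of constructed ATM withdrawals, emitting an alert string for each threshold crossed. The thresholds, card tokens and ATM ids are made up; card values are tokens rather than PANs, and events are assumed to arrive in time order.

```python
# Added example (not from the Visa deck): velocity controls, transaction
# limits and real-time alerts over a constructed withdrawal stream.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Withdrawal:
    card: str        # tokenised card reference (constructed), never a PAN
    atm_id: str
    amount: int      # whole currency units
    at: datetime


class VelocityMonitor:
    """Real-time checks over a per-card rolling history of withdrawals."""

    def __init__(self, max_txn_amount: int = 500,
                 window: timedelta = timedelta(minutes=10),
                 max_txns_in_window: int = 3,
                 daily_cap: int = 1000) -> None:
        self.max_txn_amount = max_txn_amount      # transaction limit
        self.window = window                      # velocity window
        self.max_txns_in_window = max_txns_in_window
        self.daily_cap = daily_cap                # rolling 24h cap
        self.history: Dict[str, Deque[Withdrawal]] = defaultdict(deque)

    def evaluate(self, w: Withdrawal) -> List[str]:
        """Record the withdrawal and return the alerts it raises (maybe none).
        Assumes events arrive in non-decreasing time order."""
        alerts: List[str] = []
        if w.amount > self.max_txn_amount:
            alerts.append(f"limit:{w.card}:amount {w.amount} exceeds {self.max_txn_amount}")
        hist = self.history[w.card]
        while hist and w.at - hist[0].at > timedelta(hours=24):
            hist.popleft()                        # keep only the last 24h
        hist.append(w)
        recent = sum(1 for t in hist if w.at - t.at <= self.window)
        if recent > self.max_txns_in_window:
            alerts.append(f"velocity:{w.card}:{recent} withdrawals within {self.window}")
        day_total = sum(t.amount for t in hist)
        if day_total > self.daily_cap:
            alerts.append(f"daily:{w.card}:24h total {day_total} exceeds {self.daily_cap}")
        return alerts


def run_stream(events: List[Withdrawal],
               monitor: Optional[VelocityMonitor] = None) -> Dict[str, List[str]]:
    """Feed events in time order; return every alert per card (empty list if clean)."""
    monitor = monitor or VelocityMonitor()
    report: Dict[str, List[str]] = {}
    for w in sorted(events, key=lambda e: e.at):
        report.setdefault(w.card, []).extend(monitor.evaluate(w))
    return report


T0 = datetime(2011, 7, 27, 2, 0)   # constructed timestamps
SAMPLE_STREAM = [
    # ordinary pattern: three modest withdrawals hours apart
    Withdrawal("tok-A", "ATM-01", 200, T0),
    Withdrawal("tok-A", "ATM-01", 200, T0 + timedelta(hours=4)),
    Withdrawal("tok-A", "ATM-02", 200, T0 + timedelta(hours=8)),
] + [
    # cash-out pattern: large withdrawals a minute apart across ATMs
    Withdrawal("tok-B", f"ATM-{10 + i}", 400, T0 + timedelta(minutes=i))
    for i in range(6)
]


if __name__ == "__main__":
    for card, alerts in run_stream(SAMPLE_STREAM).items():
        print(card, alerts or "clean")
```

In production the alert list would feed the SIEM named two items further down and, for the velocity and daily-cap cases, an authorization decline; the point the example makes is that each threshold is checked as the transaction arrives, not in a nightly batch.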

  • 8/19

    Recent ATM Malware Attacks

    Confirmed cases in Russia, Ukraine and Mexico

    Modes of Attack

    Direct USB injection of malware into ATM by Trusted ESO

    Manipulation of ATM patches remotely loaded (Ukraine)

    Insecure key loading from back of ATM exposed Key Exchange Key

    Non-compliance with PCI PIN Security Requirements

    Known cases involved access to a non-hardened Operating System (Windows XP)

    Weak administrative user access controls and passwords

    Modified chip cards used at ATMs to:

    Write data to chip or print data to paper

    Dispense all ATM cash

    April 2011 Visa Business News describing latest attack

  • 9/19

    Recommendations to Protect ATMs Against Malware Attack

    Visa published a list of known malware hash values

    Clients should use this information to work with ATM Vendors, processors and security teams to identify the existence of ATM malware

    Ensure the integrity of all software maintenance fixes via the use of checksums, digital signatures, etc.

    Equip ATMs with sensors detecting external intrusion

    Operating System user management controls must be compliant with the PCI DSS requirements

    Configure Operating Systems in accordance with the PCI DSS requirements, including patch management, password management and the overall security configuration

  • 10/19

    Recommendations to Protect ATMs Against Malware Attack

    Implement enhanced access controls, such as one time passwords, challenge response mechanisms, etc.

    Implement the least privilege necessary for system, services and software accounts

    Utilize hard drive encryption

    Implement a trusted environment: validate software integrity and authenticity testing upon start-up and at least once per day to help determine whether the ATM is in a compromised state

    Patch and secure necessary systems, services and software

    Completely disable or remove unused and unnecessary services and software, e.g. RMS

    Vet and register with Visa only trusted Plus ESO Agents
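Slide 9 asks for a known-malware hash list and for checksums or signatures on maintenance fixes; slide 10 asks for an integrity and authenticity check at start-up and at least daily. One routine serves both. The following is an added example and is not Visa's or any ATM vendor's code: it hashes every file under an ATM software directory, verifies the authenticity of a release manifest before trusting it, and flags modified, missing or unexpected files as well as any file whose SHA-256 appears in the known-bad list. HMAC-SHA256 with a shared key stands in for the vendor's digital signature; the directory tree, key, manifest and known-bad entry are all constructed for the example, and Visa's real hash list is not reproduced here.

```python
# Added example (not from the Visa deck): daily integrity/authenticity
# check of an ATM software tree against a signed manifest and a known-bad
# hash list. All inputs are constructed; HMAC stands in for a signature.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Constructed entry: the digest of a made-up sample, labelled as such.
# A deployment would load the published list rather than hard-code it.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed malware sample").hexdigest(): "constructed-sample",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> Tuple[bytes, str]:
    """Serialise the manifest canonically and attach an HMAC-SHA256 tag
    (stand-in for the vendor's signature over the release manifest)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_manifest(body: bytes, tag: str, key: bytes) -> Dict[str, str]:
    """Refuse a manifest whose tag does not verify before trusting its hashes."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest authenticity check failed; do not apply")
    return json.loads(body)


def check_software(root: Path, expected: Dict[str, str],
                   known_bad: Dict[str, str]) -> dict:
    """Compare the on-disk tree with the manifest and the known-bad list."""
    actual = {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*") if p.is_file()
    }
    report: dict = {"modified": [], "missing": [], "unexpected": [], "known_bad": []}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
    for rel, digest in actual.items():
        if rel not in expected:
            report["unexpected"].append(rel)      # a binary nobody shipped
        if digest in known_bad:
            report["known_bad"].append((rel, known_bad[digest]))
    report["clean"] = not any(report[k] for k in ("modified", "missing", "unexpected", "known_bad"))
    return report


def build_sample_image() -> Tuple[Path, bytes, str, bytes]:
    """Create a constructed ATM software tree plus its signed manifest."""
    root = Path(tempfile.mkdtemp(prefix="atm-image-"))
    (root / "bin").mkdir()
    (root / "bin" / "dispenser.exe").write_bytes(b"constructed dispenser binary v1")
    (root / "bin" / "xfs.dll").write_bytes(b"constructed xfs library v1")
    manifest = {rel: sha256_file(root / rel) for rel in ("bin/dispenser.exe", "bin/xfs.dll")}
    key = b"constructed-vendor-key"   # assumption: shared with the vendor out of band
    body, tag = sign_manifest(manifest, key)
    return root, body, tag, key


if __name__ == "__main__":
    root, body, tag, key = build_sample_image()
    print(check_software(root, load_manifest(body, tag, key), KNOWN_BAD_SHA256))
```

Run at boot and on a daily schedule, a non-clean report is the signal that the ATM "is in a compromised state" in the slide's words and should be taken out of service; verifying the manifest before using it is what makes a tampered patch (the Ukraine case on slide 8) fail the check rather than redefine what "clean" means.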

  • 11/19

    Recommendations to Protect ATMs Against Malware Attack

    Use Anti-Malware solutions that can detect and prevent unwanted changes

    White list of executables / executable at the kernel level / lockdown of OS

    Check vendor manuals and Internet resources for default, blank, and weak settings - immediately change settings upon installation

    Includes changing all passwords, disabling users not needed

    Activate necessary security and logging functions

    Keep anti-virus and anti-spyware software programs up-to-date

    Ensure ATM software has been validated as compliant with the PCI PA-DSS

    Contact ATM vendors and processors to:

    Determine potential exposures of deployed ATM base

    Implement prevention and detection tools

    Receive specific security alerts and best practices

  • 12/19

    Securing the Visa/Plus Payment System

    PCI Data Security Standard (PCI DSS) Compliance

    Drive PCI DSS compliance to ensure entities protect cardholder data from compromise

    PCI PIN Security Requirements

    Advance compliance to prevent PIN compromises

    PCI PIN Transaction Security Testing program

    Ensuring use of secure cryptographic hardware

    Visa's Data and PIN security compliance programs help secure the overall payment system

    - PCI EPP
    - PCI POS
    - PCI UPT
    - PCI HSM
    - PCI ATM (pending)

    PCI Payment Application Security Standard (PA-DSS)

    Promote development and use of secure payment applications and eliminate vulnerable applications

  • 13/19

    PCI PIN and PCI EPP Security Requirements

    PCI PIN Security Requirements transitioned to PCI Security Standards Council (SSC) in early 2011

    Visa / Plus clients and their agents must be compliant with the:

    PCI PIN Security Requirements (Key Management)

    PCI Encrypting PIN PAD (EPP) security requirements (Secure Hardware)

    Level 1 PIN Security Program entities must validate annually with Visa

    ATM owners / sponsors must ensure ATMs comply with applicable:

    PCI DSS & PA-DSS Requirements

    PCI PIN & PCI EPP Requirements

    Regardless if ATM driving, processing, and maintenance is performed by a third party processor or agent

    ATM owners and their agents should confirm their devices are listed on the PCI SSC's list of Approved PIN Transaction Security Devices*

    www.pcisecuritystandards.org

    *Dependent on when ATM was deployed / moved

  • 14/19

    Compliant Equipment

    Purchase only PCI approved Devices

    Install only the compliant EPP firmware version listed with the approved EPP

    Major area of non-compliance

    Require suppliers to sell only PCI approved / compliant products

    Verify EPP serial numbers and firmware against manufacturer's documents and PCI EPP list

    Bind only compliant PCI approved EPPs into purchase contracts

    PCI Approved EPPs (count, version, approval expiry):

    60  V1  Expire April 2014
    21  V2  Expire April 2017
     1  V3  Expire April 2020

  • 15/19

    Compliant Equipment

  • 16/19

    Compliant Equipment: EPP Mandate

    Effective 1 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and be approved by Visa for new deployments

    ATMs never moved prior to October 1, 2005: Vendor Attested

    ATMs deployed on or after October 1, 2005: Pre-PCI Approved (Pre-PCI EPP list on www.visa.com/cisp)

    ATMs deployed after September 2008: PCI Approved (PCI PTS list on www.pcisecuritystandards.org)

    For Visa mandates for use of PCI Approved devices see www.visa.com/cisp - Visa General PIN Entry Device FAQ

  • 17/19

    Resources

    Visa Websites: www.visa.com/cisp

    Visa Documents:

    Issuers PCI DSS Frequently Asked Questions

    Issuer PIN Security Guidelines

    PIN-Entry Device Frequently Asked Questions

    Personal Identification Number (PIN) Attacks Alert

    What To Do If Compromised Guide

    Reminder: Registration and Compliance Requirements for Encryption Support Organizations

    Joint USSS/FBI Advisory, Feb. 2009

    Communications and Training

    Visa Key Management and PIN Security trainings

    Data Security Alerts, Bulletins, Best Practices and Webinars: www.visaonline.com

    Update: Compromise of ATM PIN Transactions, May 2011 Visa Business News
  • 18/19

    Resources

    Visa Client Tools

    Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management: [email protected]

    Register and use Visa's Compromised Account Management System (CAMS) alerts: [email protected]

    PCI Security Standards Council: www.pcisecuritystandards.org

    PCI PIN Transaction Security (PTS) Approved PTS Devices
  • 19/19

    Questions?