payment card industry (pci) data security standards (dss) updates and trends for 2009
TRANSCRIPT
Payment Card Industry (PCI)Data Security Standards (DSS)
Updates and Trends for 2009
Agenda
What is PCI? What’s New with PCI v1.2? Deadlines! VISA’s CAP VISA – What to do if compromised… Recent Breaches PCI Compliance Trends and Tips
3
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Adherence to the PCI DSS aides in securing cardholder payment data that is stored, processed or transmitted by merchants and processors.
PCI DSS specifies requirements entailing many security technologies and business processes, and reflects most of the best practices for securing sensitive information.
PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states.
(Source: PCI Security Standards Council)
4
What Is Cardholder Data?
Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder
Card Holder Data Primary Account Number (PAN) with: Expiration date or Card holder name
Sensitive Authentication Data CVV or CVC (Card Verification Values) Track 1 and Track 2 Data (magnetic stripe)
5
Who Must Comply?
PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards.
However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements.
Information regarding service provider levels and validation requirements can be obtained from each individual credit card company’s Web site.
The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.
6
The Payment Card Industry Data Security Council released PCI DSS version 1.1 in September 2006.
The standard is broken into six segments: Building and maintaining a secure network; Protecting cardholder data; Maintaining a vulnerability management program; Implementing strong access control measures; Regularly monitor and test networks; and Maintain an information security policy.
PCI DSS Version 1.1
What’s New?
Requirement 6.6 (as of June 30, 2008)
Web application firewall or code review?
It’s your choice, but should they both be required?
What’s New?
PCI DSS v1.2 (as of October, 2008)
Requirement 1: Clarified configuration requirements for routers too. Changed frequency of review to 6 months.
Requirements 2 & 4: No new WEP implementations after March 31
2009 No WEP in environment after June 30 2010
What’s New?
PCI DSS v1.2 (as of October, 2008)
Requirement 6.6: Web App Firewall/code review
Requirement 9: Video cameras and off-site secure storage reviews
What’s New?
PCI DSS v1.2 (con’t)
Requirement 11: Wireless analyzer or wireless IDS/IPS
Requirement 12: Annual employee acknowledgement of security policies
Requirement 12.8: Changed to focus on policies and procedures to manage service provider, rather than contractual requirements.
11
Lifecycle Process for Changes to PCI DSS
https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
12
Prioritized Approach
https://www.pcisecuritystandards.org/education/prioritized.shtml
1. Remove Sensitive Dataa. Key area of risk for compromised datab. If you don’t need it, don’t store it
2. Protect the perimeter, internal, and wireless networksa. Controls points of access for most compromises
3. Secure payment applicationsa. Weakness in these areas are “easy prey”
13
Prioritized Approach
https://www.pcisecuritystandards.org/education/prioritized.shtml
4. Monitor and control access to systemsa. Who is accessing the network
5. Protect stored cardholder dataa. If you must store it, implement the key controls
6. Finalize remaining compliance efforts, and ensure all controls are in placea. Policies, process and procedures
What’s New?
PA-DSS* (October 2008)
Transition from VISA’s PABP For software vendors Aligns with PCI DSS Use of PA-DSS compliant app not required
for PCI DSS compliance Use of a PA-DSS compliant app does not
guarantee PCI DSS compliance
*PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
What’s New?
PCI SSC Quality Assurance Program
Crack down on “easy graders”
2009 training emphasizes testing and documentation procedures.
No PA-QSA has been able to successfully certify for PA-DSS (As of December 2008)
What’s New?
Self Assessment Program
February 2008, PCI SSC released updated SAQ
Four separate SAQ focused on complexity and risk of the processing environments
https://www.pcisecuritystandards.org/saq/index.shtml
Deadlines!
All deadlines come from the payment brands and the acquiring banks:
PCI DSS Compliance – All deadlines are past.
Level 4 – Requirements/dates now set by acquirer and scans “may” be required
Deadlines!
PA-DSS (VISA) 1/1/08 – VNPs must not use known vulnerable
applications
7/1/08 – VNPs must only certify validated apps to their platforms
10/1/08 – Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use validated applications
10/1/09 – VNPs must decertify vulnerable payment applications
7/1/10 – Acquirers must certify that merchants and VNPs only use validated applications
VISA’s Compliance Acceleration Program
As of September 2008, only 57% of Level 3 merchants were compliant http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf)
Compliance acceleration “provide financial incentives and enforcement provisions”
Additionally, acquirers must certify that Level 1 and 2 merchants do not store prohibited data
VISA – What to do if compromised…
December 2008
Immediately report to VISA suspected or confirmed loss
Provide proof of PCI compliance within 48 hrs
Provide written incident report to VISA with three days
VISA will decide if you need to hire a QIRA. The person needs to be contracted and on-site within 5 days.
VISA – What to do if compromised…
“In addition to the general instructions provided here, Visa may also require an investigation that
includes, but is not limited to, access to premises and all pertinent records including
copies of analysis.”
(http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html)
Breaches – PCI certified entities
Hannaford Bros Grocery
Detected February 27, 2008
4.2 million credit and debit card numbers
Breaches – PCI certified entities
Hannaford Bros Grocery
Malware on servers – >270
Captured data in transit
Inside job?
Class action suit – within 1 week
Breaches – PCI certified entities
Heartland Payment Systems
Breach occurred in 2008 – Reported January 2009
Alerted by Visa and Mastercard
March 18, 2009 – Visa announced enterprises can do business with Heartland
http://2008breach.com/Information.asp
Breaches – PCI certified entities
Heartland Payment Systems
Sniffer on the network
Social engineering?
Root kit?
Class action suit filed in just days
Heartland – What went wrong?
Failed to prevent bad code from being installed
Inadequate cryptographic architecture
Didn’t monitor outbound traffic
Beyond penalties and fines
“Forty percent of consumers change their relationship with a business affected by a security breach.”
Linda Tucci, “PCI Standard Still Packs Little Punch,” SearchCIO.com
Beyond penalties and fines
Data breaches cost companies $202 per compromised customer record in 2008.
Since 2005, this number has increased by $64 – a 40% increase.
(Ponemon Institute, February 2009)
Beyond penalties and fines
“More than 88% of all cases in this year’s study involved insider negligence.”
(The Ponemon Institute, February 2009)
PCI Compliance – Trends and Tips
Follow industry best practices for network and IT security
Use tools and services geared toward PCI Compliance
Align with a larger partner for credit card processing
Joel Dubbin, CISSP. SearchCIO.com
PCI Compliance – Trends and Tips
PCI is not about securing sensitive data, it’s about eliminating data altogether.
John Kindervag, Forrester Analyst and former QSA
PCI Compliance – Trends and Tips
Virtualization
Servers- Req 2.2.1 – One primary function per server
Entire box in-scope?
PCI DSS is technology neutral
No guidance for QSAs
PCI Compliance – Trends and Tips
Segmentation
Reduce the cardholder data landscape
Reduces cost of remediation
Reduces exposure
PCI Compliance – Trends and Tips
Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services)
Must third party be PCI certified?
Who owns the liability?
What entities does a PCI assessment cover?
PCI Compliance – Trends and Tips
“PCI SWALLOWS ITS OWN TAIL”
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail
36
Useful Links
PCI Security Standards Council- www.pcisecuritystandards.org
The SANS Institute- www.sans.org
The National Institute of Standards and Technology- www.nist.gov
The Center for Internet Security- www.cisecurity.org
Approved QSA Listing-
https://www.pcisecuritystandards.org/resources/qualified_security_ass
essors.htm
Approved ASV Listing-
https://www.pcisecuritystandards.org/resources/approved_scanning_v
endors.htm
Questions