Payment Card Industry (PCI) Data Security Standards (DSS) Updates and Trends for 2009

Upload: curran-horn

Post on 31-Dec-2015


Page 1: Payment  Card Industry (PCI) Data Security Standards (DSS)

Payment Card Industry (PCI) Data Security Standards (DSS)

Updates and Trends for 2009

Page 2: Payment  Card Industry (PCI) Data Security Standards (DSS)

Agenda

What is PCI?

What’s New with PCI v1.2?

Deadlines!

VISA’s CAP

VISA – What to do if compromised…

Recent Breaches

PCI Compliance Trends and Tips

Page 3: Payment  Card Industry (PCI) Data Security Standards (DSS)


What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

Adherence to the PCI DSS aids in securing cardholder payment data that is stored, processed or transmitted by merchants and processors.

PCI DSS specifies requirements that span many security technologies and business processes, and reflects most of the best practices for securing sensitive information.

PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states.

(Source: PCI Security Standards Council)

Page 4: Payment  Card Industry (PCI) Data Security Standards (DSS)


What Is Cardholder Data?

Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder.

Cardholder Data: Primary Account Number (PAN) together with the expiration date or the cardholder name.

Sensitive Authentication Data: CVV or CVC (Card Verification Values); Track 1 and Track 2 data (magnetic stripe).

Page 5: Payment  Card Industry (PCI) Data Security Standards (DSS)


Who Must Comply?

PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards.

However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements.

Information regarding service provider levels and validation requirements can be obtained from each individual credit card company’s Web site.

The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.

Page 6: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI DSS Version 1.1

The Payment Card Industry Data Security Council released PCI DSS version 1.1 in September 2006.

The standard is broken into six segments:

Building and maintaining a secure network

Protecting cardholder data

Maintaining a vulnerability management program

Implementing strong access control measures

Regularly monitoring and testing networks

Maintaining an information security policy

Page 7: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

Requirement 6.6 (as of June 30, 2008)

Web application firewall or code review?

It’s your choice, but should they both be required?

Page 8: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

PCI DSS v1.2 (as of October, 2008)

Requirement 1: Clarified configuration requirements for routers too. Changed frequency of review to 6 months.

Requirements 2 & 4: No new WEP implementations after March 31, 2009. No WEP in the environment after June 30, 2010.

Page 9: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

PCI DSS v1.2 (as of October, 2008)

Requirement 6.6: Web App Firewall/code review

Requirement 9: Video cameras and off-site secure storage reviews

Page 10: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

PCI DSS v1.2 (con’t)

Requirement 11: Wireless analyzer or wireless IDS/IPS

Requirement 12: Annual employee acknowledgement of security policies

Requirement 12.8: Changed to focus on policies and procedures to manage service provider, rather than contractual requirements.

Page 11: Payment  Card Industry (PCI) Data Security Standards (DSS)


Lifecycle Process for Changes to PCI DSS

https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf

Page 12: Payment  Card Industry (PCI) Data Security Standards (DSS)


Prioritized Approach

https://www.pcisecuritystandards.org/education/prioritized.shtml

1. Remove Sensitive Data
   a. Key area of risk for compromised data
   b. If you don’t need it, don’t store it

2. Protect the perimeter, internal, and wireless networks
   a. Controls points of access for most compromises

3. Secure payment applications
   a. Weaknesses in these areas are “easy prey”

Page 13: Payment  Card Industry (PCI) Data Security Standards (DSS)


Prioritized Approach

https://www.pcisecuritystandards.org/education/prioritized.shtml

4. Monitor and control access to systems
   a. Who is accessing the network

5. Protect stored cardholder data
   a. If you must store it, implement the key controls

6. Finalize remaining compliance efforts, and ensure all controls are in place
   a. Policies, process and procedures

Page 14: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

PA-DSS* (October 2008)

Transition from VISA’s PABP

For software vendors

Aligns with PCI DSS

Use of a PA-DSS compliant app is not required for PCI DSS compliance

Use of a PA-DSS compliant app does not guarantee PCI DSS compliance

*PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
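As an added example (not from the presentation), a small scanner for the prohibited data these slides describe: the PAN from slide 4 (validated with the Luhn check), the Track 1 and Track 2 magnetic-stripe layouts, and labelled CVV/PIN fields, reported in masked form so that the findings report does not itself become stored cardholder data. The sample log, field names and regular expressions are constructed for this example; the track layouts follow the ISO 7813 format (an assumption of the example, not stated on the page).

```python
import re

# Constructed sample in the shape of an application log that, per PCI DSS,
# must never contain this data. The card numbers are the standard Visa and
# MasterCard test numbers; every other value is made up.
SAMPLE = """\
2009-03-18 12:01:03 auth ok pan=4111111111111111 exp=1012
2009-03-18 12:01:04 order id=77 total=42.00
2009-03-18 12:01:05 swipe %B5555555555554444^DOE/JOHN^10121011234?
2009-03-18 12:01:06 swipe ;4111111111111111=1012101?
2009-03-18 12:01:07 verify cvv=123 result=ok
2009-03-18 12:01:08 serial 1234567890123 status ok"""

# Track 1: %B<PAN>^<name>^<YYMM>... ; Track 2: ;<PAN>=<YYMM>... (ISO 7813 layout, assumed).
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
# Labelled CVV/CVC/PIN fields; bare 3-4 digit values cannot be matched reliably.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|pin)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
# Candidate PAN: a 13-19 digit run that is not embedded in a longer digit run.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Never write the full value into a report; keep at most the last `keep` digits."""
    return "*" * (len(value) - keep) + value[-keep:] if keep else "*" * len(value)


def scan(text):
    """Return (line_no, kind, masked_value) for each prohibited item found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        seen = set()  # PANs already reported as part of track data
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append((n, kind, mask(m.group(1))))
                seen.add(m.group(1))
        for m in CVV.finditer(line):
            findings.append((n, "cvv", mask(m.group(1), keep=0)))
        for m in PAN.finditer(line):
            pan = m.group(1)
            if pan not in seen and luhn_ok(pan):
                findings.append((n, "pan", mask(pan)))
    return findings


if __name__ == "__main__":
    for line_no, kind, masked in scan(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

The 13-digit serial on the last sample line fails the Luhn check and is not reported, which is the filter that keeps such a scan usable on real log volumes.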

Page 15: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

PCI SSC Quality Assurance Program

Crack down on “easy graders”

2009 training emphasizes testing and documentation procedures.

No PA-QSA has been able to successfully certify for PA-DSS (As of December 2008)

Page 16: Payment  Card Industry (PCI) Data Security Standards (DSS)

What’s New?

Self Assessment Program

In February 2008, PCI SSC released updated SAQs.

Four separate SAQs, focused on the complexity and risk of the processing environments.

https://www.pcisecuritystandards.org/saq/index.shtml

Page 17: Payment  Card Industry (PCI) Data Security Standards (DSS)

Deadlines!

All deadlines come from the payment brands and the acquiring banks:

PCI DSS Compliance – All deadlines are past.

Level 4 – Requirements/dates now set by acquirer and scans “may” be required

Page 18: Payment  Card Industry (PCI) Data Security Standards (DSS)

Deadlines!

PA-DSS (VISA)

1/1/08 – VNPs (VisaNet Processors) must not use known vulnerable applications

7/1/08 – VNPs must only certify validated apps to their platforms

10/1/08 – Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use validated applications

10/1/09 – VNPs must decertify vulnerable payment applications

7/1/10 – Acquirers must certify that merchants and VNPs only use validated applications

Page 19: Payment  Card Industry (PCI) Data Security Standards (DSS)

VISA’s Compliance Acceleration Program

As of September 2008, only 57% of Level 3 merchants were compliant (http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf)

Compliance acceleration “provide financial incentives and enforcement provisions”

Additionally, acquirers must certify that Level 1 and 2 merchants do not store prohibited data

Page 20: Payment  Card Industry (PCI) Data Security Standards (DSS)

VISA – What to do if compromised…

December 2008

Immediately report to VISA suspected or confirmed loss

Provide proof of PCI compliance within 48 hours

Provide a written incident report to VISA within three days

VISA will decide if you need to hire a QIRA (Qualified Incident Response Assessor). The person needs to be contracted and on-site within 5 days.

Page 21: Payment  Card Industry (PCI) Data Security Standards (DSS)

VISA – What to do if compromised…

“In addition to the general instructions provided here, Visa may also require an investigation that includes, but is not limited to, access to premises and all pertinent records including copies of analysis.”

(http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html)

Page 22: Payment  Card Industry (PCI) Data Security Standards (DSS)

Breaches – PCI certified entities

Hannaford Bros Grocery

Detected February 27, 2008

4.2 million credit and debit card numbers

Page 23: Payment  Card Industry (PCI) Data Security Standards (DSS)

Breaches – PCI certified entities

Hannaford Bros Grocery

Malware on more than 270 servers

Captured data in transit

Inside job?

Class action suit – within 1 week

Page 24: Payment  Card Industry (PCI) Data Security Standards (DSS)

Breaches – PCI certified entities

Heartland Payment Systems

Breach occurred in 2008 – Reported January 2009

Alerted by Visa and Mastercard

March 18, 2009 – Visa announced enterprises can do business with Heartland

http://2008breach.com/Information.asp

Page 25: Payment  Card Industry (PCI) Data Security Standards (DSS)

Breaches – PCI certified entities

Heartland Payment Systems

Sniffer on the network

Social engineering?

Root kit?

Class action suit filed in just days

Page 26: Payment  Card Industry (PCI) Data Security Standards (DSS)

Heartland – What went wrong?

Failed to prevent bad code from being installed

Inadequate cryptographic architecture

Didn’t monitor outbound traffic

Page 27: Payment  Card Industry (PCI) Data Security Standards (DSS)

Beyond penalties and fines

“Forty percent of consumers change their relationship with a business affected by a security breach.”

Linda Tucci, “PCI Standard Still Packs Little Punch,” SearchCIO.com

Page 28: Payment  Card Industry (PCI) Data Security Standards (DSS)

Beyond penalties and fines

Data breaches cost companies $202 per compromised customer record in 2008.

Since 2005, this number has increased by $64 – a 40% increase.

(Ponemon Institute, February 2009)

Page 29: Payment  Card Industry (PCI) Data Security Standards (DSS)

Beyond penalties and fines

“More than 88% of all cases in this year’s study involved insider negligence.”

(The Ponemon Institute, February 2009)

Page 30: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

Follow industry best practices for network and IT security

Use tools and services geared toward PCI Compliance

Align with a larger partner for credit card processing

Joel Dubbin, CISSP. SearchCIO.com

Page 31: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

PCI is not about securing sensitive data, it’s about eliminating data altogether.

John Kindervag, Forrester Analyst and former QSA

Page 32: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

Virtualization

Servers – Req 2.2.1 – One primary function per server

Entire box in-scope?

PCI DSS is technology neutral

No guidance for QSAs

Page 33: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

Segmentation

Reduce the cardholder data landscape

Reduces cost of remediation

Reduces exposure

Page 34: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services)

Must third party be PCI certified?

Who owns the liability?

What entities does a PCI assessment cover?

Page 35: Payment  Card Industry (PCI) Data Security Standards (DSS)

PCI Compliance – Trends and Tips

“PCI SWALLOWS ITS OWN TAIL”

“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail

Page 36: Payment  Card Industry (PCI) Data Security Standards (DSS)


Useful Links

PCI Security Standards Council – www.pcisecuritystandards.org

The SANS Institute – www.sans.org

The National Institute of Standards and Technology – www.nist.gov

The Center for Internet Security – www.cisecurity.org

Approved QSA Listing – https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm

Approved ASV Listing – https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

Page 37: Payment  Card Industry (PCI) Data Security Standards (DSS)

Questions

[email protected]