Академический Документы
Профессиональный Документы
Культура Документы
AGENDA
What is the PCI SSC? Why does payment security matter?
Open, global forum Founded 2006 Responsible for PCI Security Standards
Development Management Education Awareness
PCI Standards
Founders
Organization
Board of Advisors
Financial Institutions
Bank of America Banrisul S.A Barclaycard National Australia Bank Royal Bank of Scotland JPMorgan Chase & Co
Merchants
Exxon Mobil Corporation McDonalds Corporation Lufthansa Systems Passenger Services Tesco Stores Ltd Wal-Mart Stores, Inc.
Processors
Chase Paymentech Solutions First Data Corporation Global Payments Inc TSYS Acquiring Solutions
Advisory Board
Community Meeting
Security Scans
On-Site Audits
SelfAssessment Questionnaire
Ground Rules
PCI SSC.
Is an Independent Industry Standard Manages the technical and business requirements for how payment data should be stored and protected Maintains List of Qualified PCI Assessor Community
QSAs, ASVs, PA-QSA and PED Labs
Council Resources Security standards and supporting documents Quick Reference Guide Searchable Frequently Asked Questions List of approved QSAs, ASVs, PA-QSAs, PED Labs Education and outreach - e.g., fact sheets, case studies Participating membership, meetings, collaboration A global voice for the industry
Changing a mindset
Risky Behavior
81% store payment card numbers 73% store payment card expiration dates 53% store customer data from magnetic stripe on card 16% store other personal data
Source: Forrester Consulting, September 2007
Value of Compliance
Cost of Complying
Upgrading payment systems and security Verifying compliance via assessment
Cost of a Breach
Crisis upgrades Repeat assessments Notification Brand reputation loss
Sustaining compliance
May cost millions for complex or older systems
PCI Compliance Cost Analysis: A Justified Expense. A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. January 2008 [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 2,500 retail locations.]
Top Violations Common Audit / Forensic Results Bad or no firewall Unprotected stored data Insecure systems and applications
Forensics Statistics
> 80% Payment Cards vs. Others
Consumer data:
Incident Detection 70% via third party detection or notification 13% employee detection 11 % unusual system behavior 6% log monitoring 2% routine internal audit Payment card information -Credit / Debit -Card-present / CNP Personal Check information
Inside Jobs vs. Intrusions 20% Inside ~74% were external sources
Attack vector (by records) 79% Web Application (SQL injection) 27% Remote Access 26% End User Systems 11% Network Devices
Identity-related data:
Name, address, email Social security, Social insurance IRS / tax return information
2008 saw only a single instance in which a wireless network was exploited
Time span of Breach Compromise to Discovery 8% - hours 16% - days 25% - weeks 49% - months
Company-proprietary:
Financial records HR / employee data Product strategy & roadmap Trade secrets & technology
The typical breached organization had met less than a third of the requirements of the PCI DSS
According to Verizons 2009 Data Breach Investigations Report (DBIR) 75% of compromises were discovered at least weeks after the compromise. Post-breach reviews resulted in the discovery that:
Breached organizations only had 11% compliance level for Req 3 (Protect card holder data). only 5% compliance level for Req 10 (track & monitor all access to network resources and cardholder data)
Data security is not all about prevention; it also requires detection and monitoring!
Denial
Anger
20
It doesnt apply to me
PCI compliance is mandatory
It isnt fair
PCI applies to all parties in the payment process Compliance is pass / fail
Bargaining
Depression Acceptance
Ill do some of it
Itll be OK
Twelve Requirements
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors
Self-Assessment Questionnaire
Self-Assessment Questionnaire
SAQ Validation Type Description SAQ
Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants Imprint-only merchants with no cardholder data storage Stand alone dial-up terminal merchants, no cardholder data storage Merchants with payment application systems connected to the Internet, no cardholder data storage
A
<11 Questions
2 3
B
21 Questions
B
21 Questions
C
38 Questions
5
3/31/2010
All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ
D
Full DSS
Data Element Primary Account Number (PAN) Cardholder Data Cardholder Name [1] Service Code 1 Expiration Date 1 Sensitive Authentication Data [2] Full Magnetic Stripe Data [3] CAV2/CVC2/CVV2/CID PIN/PIN Block
[1]These
data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted. [2]Sensitive authentication data must not be stored after authorization (even if encrypted). [3]Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
Payment Application-DSS
Payment Application Data Security Standard
PTS Requirements
Device Characteristics Device Management
Physical security
Logical security
During manufacturing
Between manufacturing and initial key loading Addresses lifecycle of how PED is produced, controlled, transported, stored and used
Spring 2010
PTS standard currently out with Participating Organizations for final review Due to release to market on April 30 2010
Point of Interaction
(tbd)
Fuel
Other?
POI Device
PIN Pad
Display
Card Reader
Cabinet
O/S
Secure controller
Additional Displays
Additional keypads
Crypto Module
Resources
Council Resources Security standards and supporting documents Quick Reference Guide Searchable Frequently Asked Questions List of approved QSAs, ASVs, PA-QSAs, PED Labs Education and outreach - e.g., fact sheets, webinars Participating membership, meetings, collaboration A global voice for the industry
Standards Training First PCI SSC Standards Training Merchant training endorsed by PCI SSC
Objective: Arm merchants with everything they need to know to best prepare for an onsite PCI DSS inspection or to perform the assessment internally
Training
Expanded Communications
More opportunity for interaction with PCI SSC - 3347 webinar registrants in 2009 - 359 open mic questions - PST, ET, GMT, CET timed opportunities - Replays and questions posted online
Whats Next?
April 2010
May 2010
June 2010
July 2010
Aug. 2010
Sept. 2010
Oct. 2010
May 2010 Draft DSS provided to Board of Advisors for review and feedback
Standards Lifecycle
Feedback Hundreds of pieces of feedback through: Online FAQ submissions Regular inquiries Lifecycle feedback form Speaking engagements Open Mics SIGs Initial Feedback Considerations: Clarifications within the Standard More Detailed Guidance Evolving Requirements
Feedback Demographics
Australia Canada Finland France Germany Global Great Britain India Ireland Italy Latvia Mexico New Zealand South Africa Spain Sweden Switzerland The Netherlands United States
Feedback Demographics
ASV
Financial Institution Merchant
Other
POS Vendor Processor QSA
Feedback Examples
Should cardholder data discovery tools/methods be used to find "unknown" cardholder data? What is acceptable "strong cryptography? What about attack trends targeting cardholder data in volatile memory?
Feedback Examples
Which SAQ is applicable to me? What constitutes a payment application and when is PADSS applicable? Access controls for cashiers
There are a variety of competing interests among stakeholders vendors, merchants, acquirers, assessors
Sounds simple? Some people like things just the way they are
The 90 day rule for password changes works
Feedback falls into 3 main categories and the SSC is considering numerous points for the next iteration of the standard Guidance, clarification, and evolution Feedback analysis period closes April 30, 2010
April 2010
May 2010
June 2010
July 2010
Aug. 2010
Sept. 2010
Oct. 2010
May 2010 Draft DSS provided to Board of Advisors for review and feedback
Community Meetings
Merchants
Acquirers
Community Meeting
Service Providers
Brands
Orlando, Florida
September 21 23, 2010
Summary Focus on security, not compliance Understand the process of PCI standards development Join us as a Participating Organization Play an active role in shaping standards through a Special Interest Group Share the PCI SSC roadmap with internal stakeholders
Thank You!