You Can Checkout Anytime You Like


(1)

PCI Compliance & The Hospitality Industry

You Can Checkout Anytime You Like

(2)

Orthus are a certified Qualified Security Assessor Company (QSAC) specialising in providing Payment Card Industry (PCI) Data Security Standard (DSS) compliance solutions to the hospitality sector.

(3)

You knew that

"Hotel California" is the title song from the Eagles' album of the same name and was released in February 1977. Writing credits for the song are shared by Don Felder, Don Henley and Glenn Frey.

Went Gold (sold over 1m) within 3 months after its release. It won the 1978 Grammy Award for Record of the Year.

Rolling Stone magazine ranks it as the 49th greatest song of all time.

The Rock and Roll Hall of Fame names it as one of the 500 Songs that shaped rock and roll.

(4)

So

(5)

Did you know?

"The song was actually an angry response to the band having their credit cards ripped off at all of the hotels we stayed at on the road. We were sick of all the fraud, man, and thought someone ought to say something."

(6)

Lyrics

On a dark desert highway, cool wind in my hair
Warm smell of colitas rising up through the air
Up ahead in the distance I saw a shimmering light
My head grew heavy and my sight grew dim
I had to stop for the night
There she stood in the doorway, I heard the mission bell
And I was thinking to myself, this could be heaven or this could be hell

Translation

• Dark + Desert Highway + Convertible + Colitas = ?
• Paranoia = Security
• Stop for the night = Hospitality industry
• She = Acquirer
• Mission bell = Compliance deadline tolling
• Heaven or hell = Implementation of a risk management framework can be difficult or easy

(7)

Lyrics

Then she lit up a candle and she showed me the way
There were voices down the corridor, I thought I heard them say
Welcome to the Hotel California
Such a lovely place, such a lovely face
Plenty of room at the Hotel California
Any time of year, you can find it here
Her mind is Tiffany-twisted, she got the Mercedes Benz
She got a lot of pretty, pretty boys that she calls friends
How they dance in the courtyard, sweet summer sweat
Some dance to remember, some dance to forget

Translation

• Candle = Milestones approach
• The way = PCI DSS: 6 goals, 12 requirements
• Hotel California = Secure processing, transmittal & storage of credit card data
• Plenty of room = Scoping
• Any time of year = Validation and annual revalidation
• Tiffany-twisted = Acquirer fines
• Pretty, pretty boys = Card brands
• Dancing = Acquirer relationship

(8)

Lyrics

So I called up the captain, please bring me my wine
He said, we haven't had that spirit here since nineteen sixty-nine
And still those voices are calling from far away
Wake you up in the middle of the night just to hear them say
Welcome to the Hotel California
Such a lovely place, such a lovely face
They're living it up at the Hotel California
What a nice surprise, bring your alibis

Translation

• Captain = IT Director
• Wine = Logs & records
• Since 1969 = Log retention
• Voices calling = VoIP in scope
• Wake you up = Incident response program requirement
• Lovely face = Stevie Nicks
• Bring your alibis = Controls require accountability and evidence

(9)

Lyrics

Mirrors on the ceiling, pink champagne on ice
And she said, we are all just prisoners here of our own device
And in the master's chambers they gathered for the feast
They stab it with their steely knives but they just can't kill the beast
Last thing I remember, I was running for the door
I had to find the passage back to the place I was before
Relax, said the night man, we are programmed to receive

Translation

• Mirrors on the ceiling = CCTV
• Pink champagne on ice = Glenn Frey room service requirement
• Prisoners of our own device = Physical & technical controls, or 3rd party supplier relationships
• Master's chambers = Board room
• The beast = Regulation
• Passage back to the place I was before = BC/DR plans
• Night man = QSA
• Programmed to receive = Compensating controls

(10)

Lyrics

You can checkout any time you like, but you can never leave

Translation

• Summary of the industry problem = Business requirement for the retention of card data
• Reminder that once you become compliant you have to remain compliant = Not a

(11)
(12)

The Standard

First published in December 2004 (v1.0), with v1.1 released September 7, 2006 and v2.0 released October 2010, the PCI DSS is a set of comprehensive requirements for securing payment data.

A multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

(13)

6 Goals, 12 Requirements

(14)

264 Controls

(15)

Evidence

• Types:
  • Observation (configuration or process)
  • Documentation
  • Verbal confirmation (interviews)
  • Technical (monitoring of network traffic)
• Required for each and every control!

(16)

Milestone Approach

Risk-based prioritisation of implementation of the controls:

• Milestone 1 – identify what you have, where you have it and write policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
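An added illustration of what Milestone 1 ("identify what you have, where you have it") looks like in practice; this is not code from the Orthus deck. It is a minimal cardholder-data discovery pass: it scans text for 13 to 19 digit runs (optionally separated by spaces or hyphens), discards candidates that fail the Luhn mod-10 check, and records only a truncated PAN (first six and last four digits, the most PCI DSS permits to be displayed) so that the scan's own findings do not become full PANs stored outside the documented card environment. The regex, the Hit record type and the folio export lines are my assumptions; the sample is constructed and uses widely published test card numbers, not real cardholder data.

```python
"""Minimal cardholder-data (PAN) discovery pass for Milestone 1:
find what you have and where you have it. Added example, not Orthus code."""
import re
from typing import List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run. (Assumed pattern.)
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed, fictitious folio export using widely published test PANs.
# Lines 3 and 4 are deliberate false positives that the Luhn check rejects.
SAMPLE_EXPORT = """\
guest=J. Doe   room=214 card=4111 1111 1111 1111 exp=01/13
guest=A. Smith room=305 card=5555-5555-5555-4444 exp=06/12
booking ref 1234567890123 phone 020 3170 8955
folio note: 4111111111111112 (mistyped, fails mod 10)
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: first six and last four digits are the most
    PCI DSS allows to be shown, so findings never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Hit(NamedTuple):
    line_no: int
    masked_pan: str


def find_pans(text: str) -> List[Hit]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append(Hit(line_no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EXPORT):
        print(f"line {hit.line_no}: {hit.masked_pan}")
```

Run against a real file share or database export, the same pass turns "we don't store card data" into a list of locations to either bring into scope, encrypt, or purge; the Luhn filter is what keeps booking references and phone numbers out of that list.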

(17)

Applicable

• All systems that process, store or transmit cardholder data (both credit and debit)
• All systems that connect to them

(18)

Scoping


(19)

Compensating Controls

• Alternatives to controls
• Used when a specific control cannot be implemented due to a business process
• Implement risk-based supplementary control(s)
• Designed for the business
• Accepted by the business
• Must be accompanied by supporting evidence
• Accompanied by supporting processes
• Must meet the intent and rigour of the original requirement and be documented on the PCI DSS Compensating Controls Worksheet for assessor review

(20)

Deadlines

• Milestones 1-4: September 30, 2009
• Full compliance: September 30, 2010
• Annual revalidation

(21)

Essence

• PCI DSS is a data risk management framework.
• The framework only serves to identify, minimise and manage the risk of compromise.
• Frameworks do not guarantee security.
• You still own the risk.

(22)

Intent

Give PCI a Chance!

(23)

10 Rules of Data Security

1. If Dr. Evil can run his programs on your network, it's not your network anymore.
2. If Dr. Evil can access data on your network, it's not your data any more.
3. If Dr. Evil can access data entering or exiting your network, it's not your network any more.
4. If Dr. Evil can upload programs to your website, it's not your website anymore.
5. If Dr. Evil uses your network to launch an attack on another

(24)

10 Rules

6. If Dr. Evil can use your network to access your partner's network, it's your problem.
7. If Dr. Evil can physically access devices on your network, it's not your data anymore.
8. More often than not, Mini-Me works for you.
9. Dr. Evil knows where you hide your spare keys.
10.

(25)

Process Not Checklist

(26)

Business Messages

• Risk management framework
• Regulatory requirement
• Losses impact our clients
• Lost client confidence = Lost £
• System down time = Lost £
• Repair costs = Lost £
• Data theft & fraud = Lost £
• Reputation losses = Lost £
• Fines = Lost £

(27)

Employee Messages

• Security of our customer credit card data is critical to our business.
• We have implemented a detailed security program to protect this data.
• Security is your responsibility. Security is everyone's responsibility.
• Failure to meet this responsibility will result in disciplinary action.

(28)

Partner Messages

• Protection of our customers' credit card data is mission critical to us.
• We have implemented a PCI DSS compliance program and are pending formal certification.
• Regulatory compliance is a shared responsibility.
• Connectivity to our systems requires compliance with PCI DSS controls as a condition of contract.
• If you cannot provide this service, we will find a partner who will.

(29)

Customer Messages

• Protection of your personal and credit card data is paramount to our business.
• We implement a strict security program to protect this data, including rigorous testing of our systems.
• We are currently pending formal certification of our security practices.
• If you have any questions regarding our policies, do

(30)

Top 10 Audit Findings

1. Card environment not documented
2. Card data not located or marked
3. No card data security policies
4. No card data security awareness program
5. No 3rd party supplier agreements
6. No data access accountability
7. No security testing conducted
8. No intrusion detection system (IDS)
9. Not encrypting data in storage

(31)

Top 10 Challenges

1. Missed deadlines
2. No budget
3. No "buy in"
4. Never implemented a risk management program
5. Lack of risk management expertise
6. Processing hard copy card data (faxes, emails)
7. No card data access accountability
8. No network security posture (IDS, logs & records)
9. No existing security testing framework

(32)

7 Stages of Your Grief

Denial – "This can't be happening, not to me."
Anger – "Why me? It's not fair!"; "Who is to blame?"
Bargaining – "What if we just do Milestone 1 this year?"
Depression – "We'll never do it. What's the point?"
Hope – "It's going to be okay, I think we can do it."
Panic – "Where in the name of all that's holy do I begin?"
Acceptance – "OK. Bring it on!"

(33)

Road Map

25.01.2011 CONFIDENTIAL – © Orthus 2010 33

Gap Analysis → Remediation → Self or QSA Validation → AoC / RoC → Pass Scan & Penetration Testing → Monthly Acquirer Reporting

(34)

Final Note

You can checkout anytime you like,
but you can never leave…

(35)

1 Lyric Square, London, W6 0NB, United Kingdom
Phone: +44 (0)203 170 8955
Fax: +44 (0)203 008 6161
www.orthus.com
info@orthus.com
