PCI Compliance
PCI Compliance
& The Hospitality
& The Hospitality
Industry
Industry
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
You Can Checkout Anytime You Like
Orthus are a certified Qualified Security Assessor Orthus are a certified Qualified Security Assessor Company (QSAC) specialising in providing Payment Company (QSAC) specialising in providing Payment Card Industry (PCI) Data Security Standards (DSS) Card Industry (PCI) Data Security Standards (DSS)
compliance solutions to the hospitality sector. compliance solutions to the hospitality sector.
You knew that
You knew that
"Hotel California" is the title song from the Eagles' album of the same name and was released in February 1977. Writing credits for the song are shared by Don Felder, Don Henley and Glenn Frey.
Went Gold (sold over 1m) within 3 months after its release. It won the 1978 Grammy Award for Record of the Year.
Rolling Stone magazine, ranks it as the 49th greatest song of all time.
The Rock and Roll Hall of Fame names it as one of the 500 Songs that shaped rock and roll.
So
So
Did you know?
Did you know?
"The song was actually an angry response to the band having their credit cards ripped off at all of the hotels we stayed at on the off at all of the hotels we stayed at on the road. We were sick of all the fraud man
and thought someone ought to say something."
Lyrics
Lyrics
On a dark desert highway cool wind in my hair
warm smell of colitas rising up through the air. Up ahead in the distance I saw a shimmering light
Translation
Translation
• Dark + Desert Highway + Convertible + Colitas = ? • Paranoia = Security
I saw a shimmering light My head grew heavy and my sight grew dim I had to stop for the night
There she stood in the doorway I heard the mission bell
And I was thinking to myself this could be heaven
or this could be hell
• Stop for the night = Hospitality industry
• She = Acquirer
• Mission bell = Compliance deadline tolling
• Heaven or hell = Implementation of a risk management framework can be difficult or easy
Lyrics
Lyrics
Then she lit up a candle and she showed me the way
There were voices down the corridor I thought I heard them say
Welcome to the Hotel California
Such a lovely place, Such a lovely face Plenty of room at the Hotel California
Translation
Translation
• Candle = Milestones approach • The way = PCI DSS
• 6 goals 12 requirements • Hotel California = Secure
processing, transmittal & storage
Plenty of room at the Hotel California Any time of year, you can find it here Her mind is tiffany-twisted
she got the Mercedes Benz
She got a lot of pretty, pretty boys that she calls friends
How they dance in the courtyard sweet summer sweat
Some dance to remember some dance to forget
processing, transmittal & storage of credit card data
• Plenty of room = scoping
• Any time of year = Validation and annual revalidation
• Tiffany twisted = Acquirer fines • Pretty, pretty boys = Card brands • Dancing = Acquirer relationship
Lyrics
Lyrics
So I called up the captain please bring me my wine
He said we haven't had that spirit here since nineteen sixty nine
And still those voices are calling
Translation
Translation
• Captain = IT Director • Wine = logs & records • Since 1969 = log retention
from far away
Wake you up in the middle of the night Just to hear them say
Welcome to the Hotel California
Such a lovely place Such a lovely face They're living it up at the Hotel California What a nice surprise, bring your alibis
• Since 1969 = log retention • Voices calling = VoIP in scope • Wake you up = incident response
program requirement
• Lovely face = Stevie Nicks
• Bring your alibis = Controls require accountability and evidence
Mirrors on the ceiling Pink champagne on ice
And she said we are all just prisoners here of our own device
And in the master's chambers They gathered for the feast
Translation
Translation
• Mirrors on the ceiling = CCTV
• Pink champagne on ice = Glen Fry room service requirement
• Prisoners of our own devices =
Lyrics
Lyrics
They gathered for the feast
They stab it with their steely knives But they just can't kill the beast Last thing I remember
I was running for the door
I had to find the passage back To the place I was before
Relax said the night man
We are programmed to receive
• Prisoners of our own devices = physical & technical controls or 3rd Party supplier relationships • Master's chambers = board room • The beast = regulation
• Passage back to the place I was before = BC/DR Plans
• Night man = QSA
• Programmed to receive = compensating controls
Lyrics
Lyrics
You can checkout any time you like, But you can never leave
Translation
Translation
• Summary of the industry problem = business
requirement for the retention of
But you can never leave requirement for the retention of
card data
• Reminder that once you
become compliant you have to remain compliant = not a
The Standard
The Standard
First published January 2005, V.1
released September 7, 2006, the PCI DSS is a set of comprehensive
requirements for securing payment data. V2 released November 2010. data. V2 released November 2010.
A multifaceted standard that includes requirements for security management, policies, procedures, network
architecture, software design and other critical protective measures.
6 Goals, 12 Requirements
6 Goals, 12 Requirements
264 Controls
264 Controls
Evidence
Evidence
•• TypesTypes
•• Observation (configuration or process)Observation (configuration or process) •• DocumentationDocumentation
•• Verbal confirmation (interviews)Verbal confirmation (interviews)
•• Technical (monitoring of network traffic)Technical (monitoring of network traffic) •• Technical (monitoring of network traffic)Technical (monitoring of network traffic) •• Required for each and every control !Required for each and every control !
Milestone Approach
Milestone Approach
Risk based prioritisation of implementation of the controls • Milestone 1 – identify what you
have, where you have it and write policies to protect it.
• Milestone 2 – Network integrity • Milestone 3 – Code integrity • Milestone 4 – Logs & records • Milestone 5 – Incidents
Applicable
Applicable
• All systems that process, store or transmit
cardholder data (both credit and debit)
• All systems that connect to them
Scoping
Scoping
X
X
X
X
X
X
Compensating Controls
Compensating Controls
• Alternatives to controls
• Used when a specific control cannot be
implemented due to a business process
• Implement risk-based supplementary control(s)
• Implement risk-based supplementary control(s)
• Designed for the business
• Accepted by the business
• Must be accompanied by supporting evidence
• Accompanied by supporting processes
Deadlines
Deadlines
• Milestones 1-4: – September 31, 2009 • Full compliance: • Full compliance: – September 31, 2010 • Annual revalidationEssence
Essence
• PCI DSS is a data risk management framework. • Framework only serves to identify, minimise and
manage the risk of compromise. manage the risk of compromise.
• Frameworks do not guarantee security. • You still own the risk.
Intent
Intent
Give Give Give Give Give Give Give Give PCI PCI PCI PCI a a a a Chance! Chance! Chance! Chance!10 Rules Data Security
10 Rules Data Security
1.
1. If If Dr. Evil can Dr. Evil can run run his programs his programs on on your network its your network its not
not your your network network anymore.anymore. 2.
2. If Dr. Evil can If Dr. Evil can access data on access data on your network its your network its not not your data any more.
your data any more. 3.
3. If Dr. Evil can access data entering or exiting your If Dr. Evil can access data entering or exiting your network
network its not its not your your network any morenetwork any more.. 3.
3. If Dr. Evil can access data entering or exiting your If Dr. Evil can access data entering or exiting your network
network its not its not your your network any morenetwork any more.. 4.
4. If Dr. Evil can upload programs to your website its If Dr. Evil can upload programs to your website its not your website anymore.
not your website anymore. 5.
5. If Dr. Evil uses your If Dr. Evil uses your network to launch an network to launch an attack attack on on another
10 Rules
10 Rules
6.
6. If If Dr. Evil can Dr. Evil can use use your your network to access your network to access your partners
partners network network its its yyourour problemproblem.. 7.
7. If If Dr. Evil can physically access devices on your Dr. Evil can physically access devices on your network its
network its not not your data anymore.your data anymore. 8.
8. More often than not, More often than not, MiniMini--Me works Me works for for you.you. 8.
8. More often than not, More often than not, MiniMini--Me works Me works for for you.you. 9.
9. Dr. Evil knows Dr. Evil knows where you hide where you hide your your spare keys. spare keys. 10.
Process Not Checklist
Process Not Checklist
Business Messages
Business Messages
• Risk management framework • Regulatory requirement
• Losses impact our clients
• Lost client confidence = Lost £ • Lost client confidence = Lost £ • System down time = Lost £
• Repair costs = Lost £
• Data theft & fraud = Lost £ • Reputation losses = Lost £ • Fines = Lost £
Employee Messages
Employee Messages
• Security of our customer credit card data is critical to our business.
• We have implemented a detailed security program to
protect this data.
• Security is your responsibility.
• Security is your responsibility.
• Security is everyone's responsibility.
• Failure to meet this responsibility will result in disciplinary action.
Partner Messages
Partner Messages
• Protection of our customer's credit card data is
mission critical to us.
• We have implemented a PCI DSS compliance
program and are pending formal certification.
• Regulatory compliance is a shared responsibility.
• Regulatory compliance is a shared responsibility.
• Connectivity to our systems require compliance to
PCI DSS controls as a condition of contract.
• If you cannot provide this service, we will find a partner who will.
Customer Messages
Customer Messages
• Protection of your personal and credit card data is
paramount to our business.
• We implement a strict security program to protect
this data to include rigorous testing of our systems.
• We are currently pending formal certification of our
security practices.
• If you have any question regarding our policies, do
Top 10 Audit Findings
Top 10 Audit Findings
1. Card environment not documented 2. Card data not located or marked 3. No card data security policies
4. No card data security awareness program 5. No 3rd party supplier agreements
5. No 3rd party supplier agreements 6. No data access accountability
7. No security testing conducted
8. No intrusion detection system (IDS) 9. Not encrypting data in storage
Top 10 Challenges
Top 10 Challenges
1. Missed deadlines
2. No budget
3. No "buy in"
4. Never implemented a risk management program
5. Lack of risk management expertise
5. Lack of risk management expertise
6. Processing hard copy card data (faxes, emails)
7. No card data access accountability
8. No network security posture (IDS, logs & records)
9. No existing security testing framework
7 Stages of Your Grief
7 Stages of Your Grief
Denial — “This can't be happening, not to me.”
Anger — "Why me? It's not fair!"; "Who is to blame?“ Bargaining — “What if we just do Milestone 1 this year?" Depression — “We’ll never do it. What's the point?” Depression — “We’ll never do it. What's the point?” Hope — "It's going to be okay I think we can do it“
Panic – “Where in the name of all that’s holy do I begin?” Acceptance – "OK. Bring it on!"
Road Map
Road Map
25.01.2011 CONFIDENTIAL – © Orthus 2010 33
Gap Analysis Remediation
Self or QSA Validation AoC / RoC Pass Scan &
Penetration Testing Monthly
Acquirer Reporting
Final Note
Final Note
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
You can checkout anytime you like,
but you can never leave…
but you can never leave…
but you can never leave…
but you can never leave…
but you can never leave…
but you can never leave…
but you can never leave…
but you can never leave…
1 Lyric Square, 1 Lyric Square, London London,, W6 0NB, W6 0NB, United Kingdom United Kingdom Phone: +44 (0)203 170 8955 Phone: +44 (0)203 170 8955 Fax: +44 (0)203 008 6161 Fax: +44 (0)203 008 6161 25.01.2011 CONFIDENTIAL – © Orthus 2010 35 www.orthus.com www.orthus.com [email protected] [email protected]