
The PCI Security Standards Council

Troy Leach, May 6, 2009

About the Council

• Open, global forum
• Founded 2006
• Responsible for PCI Security Standards
– Development
– Management
– Education
– Awareness

PCI Standards

Founders

Organization

(Diagram.) Drivers: industry best practices, the Community Meeting, the Advisory Board, and proactive feedback from Participating Organizations and the assessor community. Standard: the PCI Data Security Standard. Assessor community: Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs). Results: security scans, Self-Assessment Questionnaire, on-site audits, ADC forensics.

New Highlights

• Global growth
– 500+ organizations
– Participated in 33 events worldwide
– Community Meetings with 700+ global attendees

New Highlights (cont.)

• Global help
– 164 QSAs (of these, 74 are ASVs)
– Total QSA people trained: 1,063
– Regional assessors: Asia Pacific: 29; Canada: 16; CEMEA: 28; Latin America & Caribbean: 27; United States: 87; Europe: 57

New Highlights (cont.)

• Standards & Tools
– Released PCI DSS Version 1.2
– Lifecycle process
– New devices for PED
– PA-DSS listings on Web site
– Quick Reference Guide
– Prioritized Approach
– Standards Training

PCI Standard Lifecycle

Ground Rules

PCI SSC…
• Is an independent industry standard
• Manages the technical and business requirements for how payment data should be stored and protected
• Identifies stakeholders that need to validate compliance
• Maintains list of qualified PCI assessor community
– QSAs, ASVs, PA-QSAs and PED Labs

PCI SSC Does Not…
• Manage or drive compliance
– Each brand continues to maintain its own compliance programs
• Definitions of validation levels
• Fines and fees

Council Resources

• Security standards and supporting documents
• Quick Reference Guide
• Searchable Frequently Asked Questions
• List of approved QSAs, ASVs, PA-QSAs, PED Labs
• Education and outreach, e.g., fact sheets, case studies
• Participating membership, meetings, collaboration
• A global voice for the industry

PCI Quick Reference Guide

PCI DSS Prioritized Approach

What is it?
• Guidance for organizations to prioritize their PCI DSS implementation efforts

What are the benefits?
• Provides a roadmap that an organization can use to address risks in priority order
• Enables merchants, of any size, to demonstrate progress on the PCI DSS compliance process to key stakeholders: banks, acquirers, QSAs and others

PCI DSS Prioritized Approach

How was it created?
• Payment brands' examination of account data compromise events
• Feedback from PCI SSC Board of Advisors, Council leadership and the Technical Working Group
• Feedback from several QSAs and forensics investigators
– Asked to identify the top 15 PCI DSS requirements for protecting cardholder data

PCI DSS Prioritized Approach

Objectives of Prioritized Approach
• Prioritize efforts based on the risk associated with handling cardholder data
– Security efforts can first focus on certain PCI DSS requirements
• Reduce risk associated with account data compromise by:
– Not retaining magnetic stripe data
– Minimizing and securing storage of PAN

PCI DSS Prioritized Approach

Six Security Milestones

Milestone One - If you don't need it, don't store it.
The intent of Milestone One is to remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised: if sensitive authentication data and other cardholder data had not been stored, the effects of the compromise would have been greatly reduced.

Milestone Two - Secure the perimeter.
The intent of Milestone Two is to protect the perimeter, internal, and wireless networks. This milestone targets a key area that represents the point of access for most compromises: vulnerabilities in networks or at wireless access points.

Milestone Three - Secure applications.
The intent of Milestone Three is to secure applications. This milestone focuses on applications, as well as application processes and application servers, since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data.

PCI DSS Prioritized Approach

Milestone Four - Control access to your systems.
The intent of Milestone Four is to protect the cardholder data environment through monitoring and access control, since this is the key method to detect the who, what, when and how of who is accessing your network.

Milestone Five - Protect stored cardholder data.
For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

Milestone Six - Finalize remaining compliance efforts, and ensure all controls are in place.
The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

PCI DSS Prioritized Approach

Standards Training Update

First PCI SSC Standards Training: merchant training endorsed by PCI SSC

Objective: Arm merchants with everything they need to know to best prepare for an onsite PCI DSS inspection or to perform the assessment internally

Focus: Four key modules
– PCI Program: defining the payment card industry
– Scoping a PCI DSS Assessment
– PCI DSS v1.2 Requirements
– Compensating Controls

Threat Landscape

Implementing the Standard is a Journey… Not a Destination

Risky Behavior
• 81% store payment card numbers
• 73% store payment card expiration dates
• 53% store customer data from magnetic stripe on card
• 16% store other personal data

Source: Forrester Consulting, September 2007

Value of Compliance

Cost of Complying
• Upgrading payment systems and security
• Verifying compliance via assessment
• Sustaining compliance
• May cost millions for complex or older systems

Cost of a Breach
• "Crisis" upgrades
• Repeat assessments
• Notification
• Brand reputation loss
• Shareholder and consumer lawsuits
• May cost 20 times the price of compliance

Source: "PCI Compliance Cost Analysis: A Justified Expense." A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, January 2008. [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 to 2,500 retail locations.]

Top Violations

Common Audit / Forensic Results
• Bad or no firewall
• Unprotected stored data
• Insecure systems and applications
• No unique user IDs
• No tracking or monitoring of access
• No regular tests of security
• No security policy

The Five Stages of Grief

• Denial: "It doesn't apply to me." In fact, PCI compliance is mandatory.
• Anger: "It isn't fair." In fact, PCI applies to all parties in the payment process.
• Bargaining: "I'll do some of it." In fact, compliance is "pass / fail".
• Depression: "I'll never get there." In fact, many merchants already have.
• Acceptance: "It'll be OK." PCI doesn't introduce any new, alien concepts.

PCI Data Security Standard

The PCI Data Security Standard: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors


PCI Data Security Standard

Principles Driving Version 1.2
• More clarity on requirements
• More flexibility
• Manage evolving risks and threats
• Incorporate new best practices
• Clarify scoping and reporting
• Eliminate redundant sub-requirements
• Consolidate documentation

PCI Data Security Standard

Summary of Changes in Version 1.2
• Consolidate PCI DSS and assessment procedures
• Consistent use of terms
• Enhance Report on Compliance
• Clarify compensating controls
• Add Attestation of Compliance forms
• Add flowchart for scoping and sampling

PCI DSS 1.2 Changes

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Clarified requirements for routers and firewalls
• Added flexibility for review time

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Clarified requirement for wireless
• Deleted references to WEP
• Removed requirement to disable SSID broadcast

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
• Used consistent terms ("PAN" and "strong cryptography")
• Clarified requirement for disk encryption

Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Wireless must use strong encryption
• New implementations of WEP not allowed after March 31, 2009
• Current WEP must be discontinued after June 30, 2010

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
• Required for all operating systems
• Must address all known types of malicious software

Requirement 6: Develop and maintain secure systems and applications
• May use risk-based approach to prioritize patching
• Mandatory protection for all public-facing Web applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
• Clarified testing procedures

Requirement 8: Assign a unique ID to each person with computer access
• Clarified password testing procedures
• Clarified user authentication

Requirement 9: Restrict physical access to cardholder data
• Visit off-site storage locations at least annually
• More flexibility for use of surveillance cameras
• Electronic and paper media with cardholder data must be protected
• Clarified media destruction

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
• Clarified processing of log files
• Clarified immediate availability of audit trail history

Requirement 11: Regularly test security systems and processes
• New guidance on wireless security systems
• ASVs must be used for quarterly external vulnerability scans
• External and internal penetration tests required
• Not required to use QSA or ASV for penetration tests

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors
• More examples of critical employee-facing technologies
• New timeframe for employee acknowledgement of policy
• Clarified requirements for policies related to service providers

Self-Assessment Questionnaire

SAQ validation types (type, description, SAQ, length):

• Type 1, SAQ A (fewer than 11 questions): Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
• Type 2, SAQ B (21 questions): Imprint-only merchants with no cardholder data storage.
• Type 3, SAQ B (21 questions): Stand-alone dial-up terminal merchants, no cardholder data storage.
• Type 4, SAQ C (38 questions): Merchants with payment application systems connected to the Internet, no cardholder data storage.
• Type 5, SAQ D (full DSS): All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ.

PCI DSS Applicability Information

For each data element: storage permitted / protection required / must be rendered unreadable.

Cardholder Data
• Primary Account Number (PAN): Yes / Yes / Yes
• Cardholder Name [1]: Yes / Yes [1] / No
• Service Code [1]: Yes / Yes [1] / No
• Expiration Date [1]: Yes / Yes [1] / No

Sensitive Authentication Data [2]
• Full Magnetic Stripe Data [3]: No / N/A / N/A
• CAV2/CVC2/CVV2/CID: No / N/A / N/A
• PIN/PIN Block: No / N/A / N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

[2] Sensitive authentication data must not be stored after authorization (even if encrypted).

[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
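One way to put the applicability table above and Milestone One ("if you don't need it, don't store it") into practice, as an added example in Python that is not code from the deck or from the PCI SSC: scan stored records for Luhn-valid PANs and for sensitive authentication data (track 1 and track 2, CAV2/CVC2/CVV2/CID, PIN blocks), strip the sensitive authentication data outright, and render any PAN that must be kept unreadable by truncation plus a keyed one-way hash. The function names, regular expressions, HMAC key and sample log lines are all constructed for this illustration; the regexes cover the common field layouts a forensic investigator looks for in logs and databases, not every format a payment application might emit.

```python
"""Retention check for stored account data (PCI DSS Requirement 3 / Milestone One).

Added example; not code from the PCI SSC deck. Function names, regexes, the
HMAC key and the sample log lines are constructed for this illustration.
The card number used is a published test number, not a real account.
"""
import hashlib
import hmac
import re

# A PAN is 13 to 19 digits; space or dash separators are allowed here.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 as read from a magnetic stripe: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Card verification values and PIN blocks, as they appear in labelled log fields.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.I)
PIN_RE = re.compile(r"\b(?:pin_block|pinblock|pin)\s*[=:]\s*[0-9a-f]{4,16}\b", re.I)

# Sensitive authentication data: never storable after authorization, even encrypted.
SAD_PATTERNS = [("track1", TRACK1_RE), ("track2", TRACK2_RE),
                ("cvv", CVV_RE), ("pin", PIN_RE)]


def luhn_ok(digits):
    """Mod-10 check that separates real PANs from other long digit runs (order ids, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid PANs found in text (separators stripped, in order, deduplicated)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def find_sensitive_auth_data(text):
    """Return (kind, matched text) for every track, CVV and PIN field found in text."""
    hits = []
    for kind, rx in SAD_PATTERNS:
        hits.extend((kind, m.group(0)) for m in rx.finditer(text))
    return hits


def render_unreadable(pan, key):
    """Two of the Requirement 3.4 methods: truncation (keep only the last four digits) and a
    keyed one-way hash. The key matters: an unkeyed SHA-256 of a PAN is brute-forceable,
    since only about a billion Luhn-valid numbers share a given six-digit BIN."""
    return {
        "last4": pan[-4:],
        "token": hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest(),
    }


def sanitize_line(line):
    """Strip sensitive authentication data outright, then truncate every Luhn-valid PAN."""
    for kind, rx in SAD_PATTERNS:
        line = rx.sub("[%s REMOVED]" % kind.upper(), line)

    def truncate(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(truncate, line)


# Constructed sample lines: an authorization log entry and a raw swipe capture.
AUTH_LOG = ("2009-05-06 12:01:07 auth approved pan=4111 1111 1111 1111 exp=1012 "
            "cvv2=123 amt=19.99 order=1234567890123456")
SWIPE_LOG = ("raw swipe: %B4111111111111111^DOE/JOHN^10121011234?"
             ";4111111111111111=10121011234? pin_block=0123456789abcdef")
HYPOTHETICAL_KEY = b"replace-with-a-managed-secret-key"  # assumption: held in a key manager

if __name__ == "__main__":
    for line in (AUTH_LOG, SWIPE_LOG):
        print("PANs:", find_pans(line))
        print("SAD :", find_sensitive_auth_data(line))
        print("safe:", sanitize_line(line))
    print(render_unreadable("4111111111111111", HYPOTHETICAL_KEY))
```

Running the scanner over an export of logs, databases and backups is the quickest way to learn whether Milestone One actually holds; the order id in the sample line shows why the Luhn check is needed, since a plain 16-digit regex would flag it as a PAN. Note that the sanitized authorization line keeps the order id and the expiry date, which the table permits, but loses the CVV2, which it does not.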

Payment Application DSS

Fourteen Requirements… Protecting Payment Application Transactions
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers, and integrators

PIN Entry Device

PED Requirements

Device Characteristics
• Physical security
• Logical security

Device Management
• During manufacturing
• Between manufacturing and initial key loading
• Addresses lifecycle of how PED is produced, controlled, transported, stored and used

Devices Covered by PED Standards In Place
• Point of sale used for secure PIN entry
• Attended by clerk

Standards Under Consideration in 2009
• Unattended payment terminals (UPTs such as fuel pumps, kiosks)
• Hardware / host security modules (HSMs as non-cardholder interfaces or embedded devices)

Special Interest Groups

• Board of Advisors chair Special Interest Groups
– Why participate on a SIG?
• Opportunity to leverage Participating Organizations' expertise
• SIGs analyze and address specific industry challenges
• SIGs determine own deliverables
• Recommend changes, clarifications, improvements, best practices, etc.
– SIGs dissolve after deliverable is achieved
– New SIGs can be proposed at any time

• Two Current SIGs
– Pre-Authorization
• Pending Deliverables:
– Definition of pre-authorization
– Define pre-authorization issues by industry
– Best practices for handling pre-authorization data
– Wireless
• Pending Deliverables:
– DSS' accommodation of wireless network methods
– Wireless network guidance

Organizational Structure

Executive Committee
• Seana Pitt, American Express
• Suzanne Smits, Discover Financial Services
• Lib de Veyra, JCB International (Chair)
• Bruce Rutherford, MasterCard Worldwide
• Lance Johnson, Visa Inc.

Board of Advisors

• Provide feedback
– Set strategy
– Emerging security issues
– Additional standards
– Evolving the current standard(s)
– Set agenda/programs for Community Meetings
• Time commitments
– Face-to-face meetings (as needed)
– Conference calls (regularly scheduled)
• SME, panelists, moderator (Community Meetings/Webinars)
• Regional and business category market feedback
• Ad hoc working groups

Representatives on Board of Advisors

Financial Institutions
• Bank of America
• JP Morgan Chase and Co.
• Citibank N.A., Global Consumer Group
• Commonwealth Bank of Australia
• The Royal Bank of Scotland

Merchants
• British Airways, plc
• Exxon Mobil Corporation
• McDonalds Corporation
• Microsoft
• Tesco Stores Ltd.
• Wal-Mart Stores, Inc.

Processors
• Chase Paymentech Solutions
• First Data Corporation
• Interac Association
• Moneris Solutions Corporation
• SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V.
• TSYS Acquiring Solutions

Associations & Vendors
• APACS
• EPC
• PayPal, Inc.
• VeriFone, Inc.

Organizational Structure

Management Committee
• Michael Mitchell, American Express
• Gina Gobeyn, Discover Financial Services (Chair)
• Lib de Veyra, JCB International
• John Verdeschi, MasterCard Worldwide
• Ross Snailer, Visa Inc.

Working Group Chairs
PCI DSS and PA-DSS
• Michael Nott, American Express
PED
• Leon Fell, Visa Inc.
Marketing
• Jennifer Mack, MasterCard Worldwide

Council Staff
• Bob Russo, General Manager
• Troy Leach, Technical Director
• Ella Nevill, Marketing & Communications Director
• Paul Caloca, QA Program Manager
• James Barrows, QA Program
• Jeff Foresman, Standards Trainer

Community Meetings

(Diagram: acquirers, vendors and the wider community come together at the Community Meeting.)

Two Meetings in 2009: Responsive to Industry!
• Las Vegas, NV, September 22 to 24, 2009
• European Meeting, Prague, October 26 to 28, 2009

We had very successful Community Meetings in 2008!

Join us as a Participating Organization to get involved in setting global PCI standards!

Global Growth

More than 500 organizations have been accepted
• North America: 411
• Europe: 78
• Asia Pacific: 12
• Central Europe / Middle East / Africa: 14
• Latin America / Caribbean: 6

Participating Organizations

A Seat at the Table…
• Financial institutions
• Merchants
• Gateways
• Processors
• Service providers
• EFT networks
• Associations
• Vendors

Participating Organizations

(Logo slide: associations, financial institutions, processors, merchants, POS vendors and others.)

For a full list: www.pcisecuritystandards.org/join/participating_organizations.htm

Growing Ecosystem

• 164 QSA companies (74 of these are ASVs)
• 1000+ QSAs trained
• 147 ASVs
• 100+ PA-QSAs trained
• 8 PED labs

Participating Organizations

Privileges of Membership
• Vote and run for Advisory Board
• Comment on standards and documentation before public release
• Attend Community Meetings
• Attend Webinars
• Recommend initiatives and standards
• Get early notice of new press releases
• Get monthly bulletin
• Soon: exclusive private Web site for PO and assessor community

Need More Information?

Compliance is a Journey

Compliance/Security Requires Vigilance "All The Time"

Security is Only as Good as the Weakest Link

Thank You!
