Jonathan Care
Senior Consulting Manager
PCI QSA PA-QSA CFE CISSP
PCI Overview
+ Started in 2001 as then-separate programs:
  Cardholder Information Security Program (CISP) (VISA)
  Site Data Protection (SDP) Program (MasterCard)
Merchant Level 1
(over 6M Visa transactions; any merchant that has suffered a hack; any merchant that any card association determines should meet Level 1 requirements; any merchant identified by any payment card brand as Level 1)
Merchant Level 2
(1M to 6M Visa transactions, regardless of channel)
Merchant Level 3
(20K-1M Visa e-commerce transactions)
Merchant Level 4
(<20K Visa e-commerce transactions and/or <6M all other transactions)
the DMZ
+ Lack of log monitoring and intrusion detection system (IDS) data; poor logging tools.
Implications of Trends
What Can You Do?
+ Store less data
+ Understand the flow of data
+ Encrypt data
+ Address application and network vulnerabilities
+ Improve security awareness and training
+ Monitor systems for intrusions and anomalies
Future Considerations
+ More application security
+ Mobile payments on the rise
The Standards
PCI-PED
PCI PED addresses the device characteristics that affect the security of a PIN Entry Device (PED) during financial transactions.
PCI PA-DSS
PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorisation or settlement, where those applications are sold, distributed or licensed to third parties.
PCI DSS
PCI DSS applies to any entity that stores, processes and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment.
Cardholder Data
Sensitive authentication data, storage permitted after authorization:
CVC2/CVV2/CID/CAV2: NO
PIN/PIN Block: NO
Top reasons for PCI failure (requirements most often failed):
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 12: Maintain a policy that addresses information security.
Requirement 9: Restrict physical access to cardholder data.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.
Failure rates shown for these requirements: 62%, 60%, 59%, 56%, 45%.
Source: VeriSign whitepaper on Top Reasons for PCI Failure, based on a sample of over 100 assessments, https://www.verisign.com/cgi-bin/go.cgi?a=w63130157259894009
**Gartner Toolkit Presentation: PCI Compliance Is Hard to Achieve but Worthwhile - 4 May 2007
Confidential and Proprietary
PCI Terminology
+ PCI - Payment Card Industry
+ PAN - Primary Account Number: the payment card number (credit or debit) that identifies the issuer and the particular cardholder account
+ Acquirer - Bankcard association member that initiates and maintains relationships with merchants that accept payment cards
+ Cardholder Data - Full magnetic stripe, or the PAN plus any of the following: cardholder name, expiration date, service code
+ Track Data - Data encoded in the magnetic stripe used for authorization during transactions when the card is presented. Entities must not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data, Card Validation Value / Code, and proprietary reserved values must be purged; however, account number, expiration date, name, and service code may be extracted and retained, if needed for business.
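The terminology above (PAN, track data, what may be retained after authorization) and the "store less data / understand the flow of data" advice earlier in the deck meet in practice as cardholder-data discovery: finding where PANs and full track data have leaked into logs and files, and keeping only what the glossary permits. The following Python is an added example written for this page, not code from the deck or from VeriSign. It assumes the ISO/IEC 7813 track 2 layout, uses constructed sample log lines, and uses 4111 1111 1111 1111, a well-known non-live test card number.

```python
"""Cardholder-data discovery and post-authorization retention helpers.

Constructed example for this page; not code from the VeriSign deck.
Assumes ISO/IEC 7813 track 2 layout: ;PAN=YYMM SSS <discretionary>?
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 2: start sentinel ';', PAN, '=', expiry YYMM, 3-digit service code,
# issuer discretionary data (this is where the CVV lives), end sentinel '?'.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Candidate PAN in free text: 13-19 digits, optionally space- or dash-separated,
# and not embedded in a longer run of digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check: weeds out order numbers and timestamps that look like PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str           # YYMM
    service_code: str
    discretionary: str    # must be purged after authorization


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse the first track 2 string in raw; None if absent or the PAN fails Luhn."""
    m = TRACK2_RE.search(raw)
    if m is None or not luhn_valid(m["pan"]):
        return None
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def retain_after_authorization(t: Track2) -> dict:
    """Post-authorization record per the PCI DSS glossary quoted above:
    PAN, expiry and service code may be kept; discretionary data
    (CVV/CVC and proprietary values) may not, so it is dropped here."""
    return {"pan": t.pan, "expiry": t.expiry, "service_code": t.service_code}


def mask_pan(pan: str) -> str:
    """Display masking (PCI DSS 3.3): at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, with separators stripped."""
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(text: str) -> dict:
    """Summarise cardholder data in a log: hit count, distinct accounts at risk,
    masked values for the report, and which lines hold full track 2 data."""
    pans = find_pans(text)
    track2_lines = [n for n, line in enumerate(text.splitlines(), 1)
                    if parse_track2(line) is not None]
    unique = sorted(set(pans))
    return {
        "hits": len(pans),
        "unique_pans": unique,
        "masked": [mask_pan(p) for p in unique],
        "track2_lines": track2_lines,
    }


# Constructed sample log: a POS that logs the PAN on one line and, worse, full
# track 2 data on a debug line. The 16-digit order number on line 3 is not a PAN.
SAMPLE_LOG = """\
2007-05-04 10:12:01 POS-3 auth ok card=4111 1111 1111 1111 amt=42.00
2007-05-04 10:12:05 POS-3 debug track2=;4111111111111111=2512101123456789?
2007-05-04 10:12:09 POS-3 order=1234567890123456 status=settled
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(retain_after_authorization(parse_track2(SAMPLE_LOG)))
```

The Luhn filter matters in practice: a bare "16 digits" regex over a settlement log flags every order number and most timestamps, and the resulting noise is why such scans get abandoned. The track 2 detection is the higher-severity finding, since a line like the debug entry above means sensitive authentication data is being stored after authorization, which no compensating control can cover.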
A compensating control must:
+ meet the intent and rigor of the original stated PCI DSS requirement;
+ repel a compromise attempt with similar force;
+ be above and beyond other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
+ be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Compensating controls can be used for any requirement except 3.2 (storage of sensitive authentication data after authorization).
If you are using a compensating control for 3.4, you must use the compensating controls worksheet located in Appendix C.
The PCI DSS security requirements apply to all system components.
A system component is any network component, server or application that is included in or connected to the cardholder data environment.
The cardholder data environment is that part of the network that stores, processes, or transmits cardholder data or sensitive authentication data.
5. Return the token to the POS controller and complete the transaction.
Scoping
+ What data is available to you?
+ What are the business and legal needs?
+ Where do you need to store this?
+ What is the risk associated?
+ Why do you need this?
+ What would you do without it?
+ All external connectivity points and network topology, including firewalls, routing schema, VLANs, etc., between compromised systems and surrounding networks
+ A review of the entire debit and/or credit processing network to identify all compromised or affected systems
+ Establish how the compromise occurred
+ Identify the type of data stored, sniffed, and transferred out of the network (Visa/Plus/Interlink/Pre-Paid accounts)
+ Recover data deleted by the intruder
+ Number of accounts at risk (stored, sniffed, and transferred)
+ Determine the timeframe of the compromise
+ Determine transaction dates of compromised cardholder data
+ Compromised Entity Investigations (Incident Response and Forensics)
+ Rapid Compliance Remediation
Assistance with failed PCI assessments: GSC has teamed with several large merchants and service providers to help them overcome audit deficiencies and become PCI compliant.
Additional Services
+ Vulnerability Management Services
VeriSign References
+ White Papers
Top Reasons for PCI Audit Failure
Eliminating Card Numbers to Minimize PCI Exposure
http://www.verisign.com/products-services/security-services/securityconsulting/resources/index.html
+ Solutions Links
Compliance Solutions - http://www.verisign.com/verisign-businesssolutions/compliance-solutions/index.html
PCI Compliance - http://www.verisign.com/verisign-businesssolutions/compliance-solutions/business-partner-solutions/paymentcard-industry/index.html
PCI Compliance Solutions Data Sheet - http://www.verisign.com/static/036131.pdf
PCI References
+ Payment Card Industry Data Security Standards:
Payment Application Best Practice Standards: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_payment_applications.html
PCI Approved Applications: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Validated_Payment_Applications.pdf
Compromised Entity Program: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html
Thank You
VeriSign Security Services