PCI DSS

(Payment Card Industry

Data Security Standard)
Kelly Handerhan, Instructor
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS) AGENDA

• PCI DSS: Why, What, How, and Who?

• Why do we need the PCI DSS?
• What is PCI DSS and what does it do?
• How does PCI-DSS protect financial and personal
information?
• Who is affected by PCI DSS and to whom does it apply?
• A word on Social Engineering
• Wrap-Up
WHY WE NEED THE PCI DSS?
• Why do we need a standard to protect payment card information?
To Prevent:
• Fraud losses estimated to be in the BILLIONS
• Identity Theft
• Legal costs, settlements and judgments
• Higher subsequent costs of compliance
• Lost customer confidence
• Lost sales
• Cost of reissuing new payment cards
• Loss of ability to process payment cards
WHERE IS DATA VULNERABLE?
• Data in a payment system database
• Compromised card readers and PoS Systems
• Paper records improperly stored
• Hidden camera recording entry of authentication data
• Secret tap into your store’s wireless or wired network
• ATMs modified to contain software or hardware shims
• Residual Information in RAM of systems that accept payment
card information (RAM Scraping)
• EVERYWHERE!!! Where there’s a will there’s a way!
 WELL-KNOWN ATTACKS
• In 2012, about 40 million sets of PCI were compromised by a hack of Adobe
Systems.
• In July 2013, press reports indicated four Russians and a Ukrainian were indicted in
New Jersey for what was called “the largest hacking and data breach scheme ever
prosecuted in the United States.”
• Between 27 November 2013 and 15 December 2013 a breach of systems at Target
Corporation exposed data from about 40 million credit cards. The information stolen
included names, account number, expiry date and Card security code
• From 16 July to 30 October 2013, a hacking attack compromised about a million sets
of payment card data stored on computers at Neiman-Marcus.
• On September 8, 2014, The Home Depot confirmed that their payment systems were
compromised and released a statement saying a total of 56 million credit card
numbers were disclosed as a result.
SOURCES AND TYPES OF ATTACKS
INFORMATION TO PROTECT

https://www.pcisecuritystandards.org/smb/why_secure.html
 SOURCES OF RISK

Risky Behavior A survey of businesses in the U.S. and Europe

reveals activities that may put cardholder data at risk.
81% store payment card numbers 73% store payment card
expiration dates
71% store payment card verification codes
57% store customer data from the payment card magnetic
stripe
16% store other personal data
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC
TOOLS TO ENSURE PROPER PROTECTION OF PCI

• PCI SSC: The PCI Security Standards Council offers robust and
comprehensive standards and supporting materials to enhance
payment card data security
• PCI Data Security Standard (PCI DSS), which provides an
actionable framework for developing a robust payment card data
security process -- including prevention, detection and appropriate
reaction to security incidents.
• Qualified Security Assessors: QSAs are approved by the Council to
assess compliance with the PCI DSS
• Self-Assessment Questionnaire: The “SAQ” is a validation tool for
organizations that are not required to undergo an on-site assessment
for PCI DSS compliance
WHAT IS PCI DSS?
• Payment Card Industry Data Security Standard
• The goal of the PCI Data Security Standard (PCI DSS) is to
protect cardholder data that is processed, stored or
transmitted by merchants.
• The security controls and processes required by PCI DSS
are vital for protecting cardholder account data, including
the PAN – the primary account number printed on the front
of a payment card.
WHAT ARE THE GOALS AND REQUIREMENTS?

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
BUILD AND MAINTAIN A SECURE NETWORK
Historically, thieves had to have physical access to a building to steal
financial records. Now information is stored on networks, and often
transmitted across the internet. Protection of networks transmitting
cardholder data is a prime concern.
1. Install and maintain a firewall and router configuration to protect
cardholder data
• Standards for configuration and testing
• “Deny all” from untrusted networks
• Prohibit direct public access between the Internet and any
system component in the cardholder data environment
• Personal firewall software must be installed on mobile devices
and/or employee owned computers used to access the
organization’s network
BUILD AND MAINTAIN A SECURE NETWORK
CONTINUED
2. Do not use vendor-supplied defaults for system passwords
and other security parameters
• Most vendor defaults are simple and easy to guess
• Frequently designed for ease-of-use
• Passwords and other default settings should be
changed before connected installing on network.
• Define and apply system base-lines and standard
configurations addressing known vulnerabilities
• Encrypt all non-console administrative access
 PROTECT CARDHOLDER DATA
In general, no cardholder data should ever be stored unless it is necessary to meet
the needs of the business, and then it should be rendered unreadable if possible.
3. Protect stored cardholder data
• Limit storage and retention
• Don’t store sensitive authentication information after authorization
• Mask the PAN (Primary Account Number) when displayed (1 st six or
Last 4)
• If stored, the PAN should always be unreadable
• Protect keys used for encryption
• Document and manage all key management processes and procedures
PROTECT CARDHOLDER DATA CONTINUED
4. Encrypt Transmission of Cardholder Data
• Use strong cryptography and transport protocols like
SSL/TLS or IPSEC for transmission over open, public
networks (Internet, wireless, etc)
• Never send PANs unencrypted by end-user messaging
technologies
MAINTAIN A VULNERABILITY MANAGEMENT
PROGRAM
Vulnerability Management is the process of systematically and
continuously finding weaknesses in an organization’s payment
card infrastructure. Security procedures, system design
implementation, and internal controls are included.
5. Use and regularly update anti-virus software or programs
• Deploy anti-virus software on all systems affected by
malicious software
• Ensure that all anti-virus software is current, actively
running and capable of generating audit logs
MAINTAIN A VULNERABILITY MANAGEMENT
PROGRAM CONTINUED
6. Develop and maintain secure systems and applications
• Ensure all system components and software have the latest vendor-
supplied patches (critical patches installed within a month)
• Establish a process to identify new vulnerabilities (Alert services,
vulnerability scans/services)
• Develop software applications in accordance with PCI DSS based on
industry best practices and incorporate information security
throughout the software development life cycle
• Follow Change Control procedures for all changes to system
components
• Develop web-based applications based on secure coding guidelines
• Ensure all public web-facing applications are protected
IMPLEMENT STRONG ACCESS CONTROL
MEASURES
Access control allows merchants to allow or restrict the use of
cardholder data. Should include physical and technical
controls
7. Restrict access to cardholder data by business need-to-
know
• Allow access only as job requires access
• Establish access control system for components with
multiple users. Default to “deny all” unless
specifically allowed
IMPLEMENT STRONG ACCESS CONTROL
MEASURES
8. Assign a unique ID to each person with computer access
• Assign all users a unique user name before allowing them
access
• Require authentication by password, passphrase, or two-factor
authentication
• Implement two-factor authentication for remote access to the
network by employees administrators and third parties.
• Render all passwords unreadable for storage and transmission
• Ensure proper user authentication and password management
for non-consumer users and administrators on all system
components
 IMPLEMENT STRONG ACCESS CONTROL
MEASURES
9. Restrict Physical Access to Cardholder data.
• Use facility controls to limit and monitor physical access in the data environment
• Develop procedures to help personnel easily distinguish between employees and
visitors
• Ensure all visitors are authorized before allowing entry to sensitive areas
• Use a visitor log to maintain a physical audit trail
• Store media back-ups in a secure location
• Physically secure all paper and electronic media containing cardholder data
• Control internal/external distribution of any kind of media containing cardholder
data
• Ensure that management approves moving secured media
• Maintain strict control over storage and accessibility of media
• Destroy media containing cardholder data when no longer needed
REGULARLY MONITOR AND TEST NETWORKS
Physical and wireless networks connect all endpoints and servers in the payment
infrastructure. Vulnerabilities in these devices must be tested and monitored to
prevent exploitation
10. Track and monitor all access to network resources and cardholder data
• Link all access to an individual user
• Implement audit trails
• Record audit trail entries for each event including user id, type of event,
date and time, success/failure, identity or name of affected date
Synchronize all critical system clocks and times
• Secure audit trails to prevent alteration
• Review logs for security functions (at least) daily
• Retain audit trail history for at least one year with 3 months being
immediately available for analysis
REGULARLY MONITOR AND TEST NETWORKS
11. Regularly test security systems and processes
• Test for unauthorized wireless access points at least
quarterly
• Run internal and external network vulnerability scans
• Perform internal and external penetration testing
• Use Network IDS/IPS to monitor all traffic in cardholder
data environment
• Deploy file integrity checkers to alert personnel to
unauthorized modification of critical system files,
configuration files or content files
MAINTAIN AN INFORMATION SECURITY
POLICY
A strong security policy sets expectation for an organization’s employees
and informs them security-related duties.
12. Maintain a policy that addresses information security for employees
and contractors
• Establish, publish, maintain, and distribute a security policy
that addresses all PCI DSS requirements
• Develop daily operational security procedures that are
consistent with requirements of PCI DSS
• Develop usage policies for critical employee-facing
technologies to define proper usage including remote access,
wireless, removable media, laptops, handheld devices, etc
• Ensure the policy and procedures clearly define information
security responsibilities for all employees and contractors
MAINTAIN AN INFORMATION SECURITY
POLICY CONTINUED
• Assign to an individual or team information security
responsibilities
• Implement a formal security awareness program to make all
employees aware of the importance of cardholder data
security
• Screen employees prior to hiring
• If cardholder data is shared with service providers, then
require them to implement PCI DSS policies and procedures
• Implement an Incident Response Plan
AND FINALLY…A WORD ON SOCIAL ENGINEERS
• Don’t forget to consider social engineering. Don’t be
tricked!
• Leads to Identity Theft, Fraud, and Compromise
• According to a 2012 report from Verizon’s Data Breach
Investigation report, 7 percent of all breaches now involve
social engineering, but the number grows to 22 for larger
organizations.
• Compromises companies’ sensitive information’
• Often allows an attacker access to a sensitive system
TYPES OF SOCIAL ENGINEERING
• According to Tripwire.com there are five types of social
engineering attacks that are on the rise.
• Phishing
• Pretexting
• Baiting
• Quid Pro Quo
• Tailgating
PHISHING
• Based on the idea that if you cast a large enough net, you are
bound to catch some phish.
• Frequently attacks come through emails asking a user to respond
with information, click on an infected link, or visit a compromised
website.
• Be suspicious of unsolicited emails
• Don’t click on links. Go to the website through it’s known URL
• Don’t download attachments that aren’t digitally signed
• Report suspected phishing attempts to your security team
• If it sounds too good to be true, it probably is.
PRETEXTING
• An attacker uses the pretext that they have a legitimate need for the information.
For example, a credit card company calls and tells you that there has been a
problem with your card. They then ask for your card number and other information
• A “service rep” calls and needs to reset your password because your system has
been compromised
• An urgent need to gain access to a sensitive room due to a “gas leak” or some
other environmental issue
• These attacks often use urgency as a tool to add pressure to the victim.
• Follow company policy. When in doubt refer to a supervisor to make the decision.
• Be skeptical.
• Don’t allow intimidation to work. No legitimate individual should force you to
violate the company security policy
• Never disclose password information
BAITING
• Promising something good in exchange for an action or
information
• A USB stick found in the parking lot might have
interesting information on it.
• Download this gaming app, when it actually contains
malware
• Scan all downloaded items
• Avoid downloads from untrusted sources
• Avoid downloads that haven’t been digitally signed.
QUID PRO QUO
• Similar to Baiting, but offers a service rather than a good in
exchange for information or an action
• I will help you with a bug in your system if you’ll just turn
off your anti-virus program
• Allow me remote access to your system so I can show you
how to install this file
• When in doubt follow policy and check with your IT Security
department.
PIGGYBACKING/TAILGATING
• Entering a building directly behind someone who has used
their credentials for access.
• Often facilitated by users holding door open for someone
behind them.
• Takes advantage of the fact that many people strive to be
courteous
• Ask to see credentials, and if credentials can’t be provided,
escort to security
MITIGATE SOCIAL ENGINEERING
• Require multifactor authentication
• Trust no one!
• Follow company policy
• When in doubt, call your security team
• If you make a mistake and divulge more information
than intended, notify your security team
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS) WRAP-UP

• PCI DSS: Why, What, How, and Who?

• Why do we need the PCI DSS?
• What is PCI DSS and what does it do?
• How does PCI-DSS protect financial and personal
information?
• Who is affected by PCI DSS and to whom does it apply?
• A word on Social Engineering
• Wrap-Up
SOURCES AND DISCLAIMERS
• The majority of material for this presentation was provided courtesy of
the Payment Card Industry Security Standards Council via
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
• NOTE: This presentation is not and shall not be considered legal
advice. Cybrary is providing you with general information about the
rules and general information regarding the Payment Card Industry
Data Security Standard. Please make sure that for legal questions
specific to your company, ensure you are working with your own legal
counsel who can best represent your organization.