Visa Public
July 2011
1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attacks
6. Poor cryptographic key management used for PIN encryption
7. Weak controls over the production HSM environment
PCI SSC has clarified that issuers may store sensitive authentication data:
- There must be a legitimate business need to store such data
- The data must be protected in accordance with the PCI DSS
Preventive Measures
- Review all external-facing applications and systems (production, development, test)
- Harden all servers and databases
- Remove risky protocols such as Terminal Services, NetBIOS, etc.
- Disable direct queries, command shells and stored procedures on databases
- Implement a default deny/deny (inbound and outbound) firewall configuration and block compressed files (i.e., .RAR, .TAR, .ZIP, etc.) on outbound traffic
- Limit administrative access to critical systems
- Review high-privileged accounts and implement group policies (e.g., SA, database operators, domain users)
- Segregate payment processing systems from other, non-payment networks
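The outbound archive rule in the list above is only useful if someone checks that it actually fires. The following added example (not code from the Visa deck) reviews constructed outbound proxy log lines and flags archive transfers by extension or declared content type, reporting whether each was blocked (HTTP 403 from the proxy, an assumption about the log format) or allowed through. The extension and MIME sets extend the deck's ".RAR, .TAR, .ZIP, etc." and are assumptions.

```python
"""Egress check for compressed-file transfers (added example, not from the
Visa deck). It scans constructed outbound proxy log lines and flags transfers
of archive formats that a deny/deny egress policy should block, so a log
review can confirm the rule works."""
from urllib.parse import urlsplit

# Archive extensions and MIME types to flag; an assumption that extends the
# deck's ".RAR, .TAR, .ZIP, etc."
ARCHIVE_EXTENSIONS = {".rar", ".tar", ".zip", ".7z", ".gz", ".tgz"}
ARCHIVE_MIME_TYPES = {
    "application/zip",
    "application/x-rar-compressed",
    "application/x-tar",
    "application/gzip",
    "application/x-7z-compressed",
}

# Constructed sample log: timestamp src_ip method url status content-type bytes
SAMPLE_LOG = """\
2011-07-01T10:00:01Z 10.1.2.3 POST http://upload.example.invalid/drop/batch.rar 200 application/x-rar-compressed 5242880
2011-07-01T10:00:05Z 10.1.2.3 GET http://www.example.invalid/index.html 200 text/html 4120
2011-07-01T10:01:10Z 10.1.2.9 PUT http://files.example.invalid/export/cards.bin 201 application/zip 1048576
2011-07-01T10:02:00Z 10.1.2.3 POST http://upload.example.invalid/drop/notes.txt 200 text/plain 2048
2011-07-01T10:03:30Z 10.1.2.7 GET http://cdn.example.invalid/pkg/tool.tar 403 application/x-tar 0
"""


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, method, url, status, ctype, size = parts
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "ctype": ctype.lower(), "bytes": int(size)}


def is_archive_transfer(rec):
    """Flag by URL path extension or by declared content type, so a renamed
    archive (e.g. cards.bin sent as application/zip) is still caught."""
    path = urlsplit(rec["url"]).path.lower()
    last_segment = path.rsplit("/", 1)[-1]
    ext = path[path.rfind("."):] if "." in last_segment else ""
    return ext in ARCHIVE_EXTENSIONS or rec["ctype"] in ARCHIVE_MIME_TYPES


def flag_outbound_archives(log_text):
    """Return (src, url, verdict) for each archive transfer. A 403 means the
    egress rule already blocked it (assumed proxy behaviour); a 2xx means
    the rule has a gap that needs fixing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_archive_transfer(rec):
            continue
        verdict = "blocked" if rec["status"] == 403 else "ALLOWED"
        findings.append((rec["src"], rec["url"], verdict))
    return findings


if __name__ == "__main__":
    for src, url, verdict in flag_outbound_archives(SAMPLE_LOG):
        print(f"{verdict:8} {src} -> {url}")
```

Matching on the declared content type as well as the file extension matters because renaming an archive to `.bin` defeats an extension-only rule; in the sample, the `cards.bin` upload is caught only through its `application/zip` type.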
Preventive Measures
- Transaction monitoring:
  - Velocity controls
  - Transaction limits
  - Real-time fraud checking and alerts
- Deploy a third-party tool to identify malicious/unauthorized software
- Review IVR and HSM and consider disabling clear-text HTTP GET requests
- Deploy Security Information and Event Management (SIEM):
  - Implement and review security event logs
  - Centralize tracking and review of logs and network traffic
- Deploy Data Loss Prevention (DLP)
- Segregate Internet-facing networks from internal networks
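The transaction monitoring bullets above name three controls without saying how they combine. The following added example (not from the Visa deck) implements all three against a constructed stream of ATM withdrawals: a sliding-window velocity count per card token, a per-transaction amount limit, and a per-card daily total, each raising an alert code in real time. The thresholds, card tokens and transactions are constructed.

```python
"""Transaction monitoring: velocity controls, per-transaction limits and
daily totals with real-time alerts (added example, not from the Visa deck).
Thresholds and the sample transactions are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    pan_token: str    # tokenised PAN; the real PAN never enters this store
    ts: datetime
    amount: float
    atm_id: str


class VelocityMonitor:
    """Keeps a sliding window of recent transactions per card token and a
    running total per card per day; check() returns alert codes for a txn."""

    def __init__(self, max_txns_in_window, window, max_amount_per_txn, max_daily_total):
        self.max_txns_in_window = max_txns_in_window
        self.window = window
        self.max_amount_per_txn = max_amount_per_txn
        self.max_daily_total = max_daily_total
        self._recent = defaultdict(deque)   # pan_token -> deque of Txn
        self._daily = defaultdict(float)    # (pan_token, date) -> total amount

    def check(self, txn):
        """Evaluate one transaction; must be fed in time order. Returns the
        sorted alert codes, or an empty list when nothing fired."""
        alerts = set()
        if txn.amount > self.max_amount_per_txn:
            alerts.add("AMOUNT_LIMIT")
        recent = self._recent[txn.pan_token]
        # Drop transactions that have fallen out of the sliding window.
        while recent and txn.ts - recent[0].ts > self.window:
            recent.popleft()
        recent.append(txn)
        if len(recent) > self.max_txns_in_window:
            alerts.add("VELOCITY")
        key = (txn.pan_token, txn.ts.date())
        self._daily[key] += txn.amount
        if self._daily[key] > self.max_daily_total:
            alerts.add("DAILY_TOTAL")
        return sorted(alerts)


def run_sample():
    """Replay constructed transactions; returns (token, HH:MM, alerts) tuples."""
    monitor = VelocityMonitor(max_txns_in_window=3, window=timedelta(minutes=15),
                              max_amount_per_txn=500.0, max_daily_total=1000.0)
    base = datetime(2011, 7, 1, 10, 0)
    # Constructed: one card cashing out rapidly, one large single withdrawal.
    sample = [
        Txn("tok-1111", base, 200.0, "ATM-01"),
        Txn("tok-1111", base + timedelta(minutes=3), 200.0, "ATM-01"),
        Txn("tok-2222", base + timedelta(minutes=5), 900.0, "ATM-02"),
        Txn("tok-1111", base + timedelta(minutes=6), 200.0, "ATM-01"),
        Txn("tok-1111", base + timedelta(minutes=9), 200.0, "ATM-03"),
        Txn("tok-1111", base + timedelta(minutes=12), 300.0, "ATM-03"),
    ]
    return [(t.pan_token, t.ts.strftime("%H:%M"), monitor.check(t))
            for t in sorted(sample, key=lambda t: t.ts)]


if __name__ == "__main__":
    for token, when, alerts in run_sample():
        print(when, token, ", ".join(alerts) or "ok")
```

The fourth withdrawal on `tok-1111` trips the velocity limit, the fifth also pushes the daily total over its cap, and the single 900 withdrawal on `tok-2222` trips only the per-transaction limit; the three controls are independent so that a cash-out pattern is caught even when every individual amount looks normal.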
- Check vendor manuals and Internet resources for default, blank, and weak settings, and change those settings immediately upon installation; this includes changing all passwords and disabling user accounts that are not needed
- Activate the necessary security and logging functions
- Keep anti-virus and anti-spyware software up to date
- Ensure ATM software has been validated as compliant with the PCI PA-DSS
- Contact ATM vendors and processors to:
  - Determine potential exposures of the deployed ATM base
  - Implement prevention and detection tools
  - Receive specific security alerts and best practices
- Level 1 PIN Security Program entities must validate annually with Visa
- ATM owners / sponsors must ensure ATMs comply with the applicable:
  - PCI DSS and PA-DSS requirements
  - PCI PIN and PCI EPP requirements
- ATM owners and their agents should confirm their devices are listed on the PCI SSC's list of Approved PIN Transaction Security Devices* (www.pcisecuritystandards.org)
Compliant Equipment
- Purchase only PCI approved devices
- Install only the compliant EPP firmware version listed with the approved EPP (a major area of non-compliance)
- Require suppliers to sell only PCI approved / compliant products
- Verify EPP serial numbers and firmware against the manufacturer's documents and the PCI EPP list
- Bind only compliant, PCI approved EPPs into purchase contracts
[Chart: PCI Approved EPPs: 60 V1 Expire, 21 V2 Expire, 1 V3 Expire]
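The verification step above (serial numbers and firmware against the manufacturer's documents and the PCI EPP list) is the one the deck flags as the major area of non-compliance, so it is worth automating over the whole estate. The following added example (not from the Visa deck or PCI SSC) audits a constructed EPP inventory against a constructed stand-in for the approved list and the vendor's shipment records. Every vendor name, model, serial, firmware version and expiry date is a placeholder, not a real PCI listing.

```python
"""EPP compliance audit (added example, not from the Visa deck): checks a
deployed EPP inventory against a PCI approved-device list and against the
manufacturer's shipment records. All vendor names, models, serials, firmware
versions and dates are constructed placeholders, not real PCI listings."""
from datetime import date

# Constructed stand-in for the PCI EPP approval list: (vendor, model) -> the
# firmware versions listed with the approval and the approval's expiry date.
APPROVED_EPPS = {
    ("VendorA", "EPP-100"): {"firmware": {"2.1.0", "2.1.1"}, "expires": date(2014, 4, 30)},
    ("VendorA", "EPP-50"):  {"firmware": {"1.0.3"},          "expires": date(2011, 4, 30)},
}

# Constructed manufacturer shipment record: serials the vendor actually shipped.
MANUFACTURER_SERIALS = {"A100-0001", "A100-0002", "A050-0001"}

# Constructed inventory collected from the ATM estate.
INVENTORY = [
    {"serial": "A100-0001", "vendor": "VendorA", "model": "EPP-100", "firmware": "2.1.1"},
    {"serial": "A100-0002", "vendor": "VendorA", "model": "EPP-100", "firmware": "2.0.9"},
    {"serial": "A050-0001", "vendor": "VendorA", "model": "EPP-50",  "firmware": "1.0.3"},
    {"serial": "X999-0001", "vendor": "VendorB", "model": "EPP-Z",   "firmware": "9.9"},
]

AUDIT_DATE = date(2011, 7, 1)   # constructed audit date


def audit_epp(device, approved, manufacturer_serials, as_of):
    """Return sorted finding codes for one device (empty list = compliant)."""
    findings = set()
    if device["serial"] not in manufacturer_serials:
        # Not in the vendor's records: possible substituted or counterfeit unit.
        findings.add("SERIAL_UNKNOWN")
    entry = approved.get((device["vendor"], device["model"]))
    if entry is None:
        findings.add("NOT_APPROVED")
        return sorted(findings)
    if device["firmware"] not in entry["firmware"]:
        # Approved model running firmware other than the listed version.
        findings.add("FIRMWARE_NOT_LISTED")
    if entry["expires"] < as_of:
        findings.add("APPROVAL_EXPIRED")
    return sorted(findings)


def audit_inventory(inventory, approved, manufacturer_serials, as_of):
    """Map each serial to its findings; an empty list means compliant."""
    return {d["serial"]: audit_epp(d, approved, manufacturer_serials, as_of)
            for d in inventory}


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, APPROVED_EPPS, MANUFACTURER_SERIALS, AUDIT_DATE)
    for serial, findings in report.items():
        print(serial, ", ".join(findings) or "compliant")
```

Checking the serial against the manufacturer's own records, in addition to the model against the approved list, is what catches a device that looks like an approved model but was never shipped by that vendor.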
* For Visa mandates on the use of PCI approved devices, see www.visa.com/cisp (Visa General PIN Entry Device FAQ)
Resources
Visa Websites
- www.visa.com/cisp
Visa Documents
- Issuers PCI DSS Frequently Asked Questions
- Issuer PIN Security Guidelines
- PIN-Entry Device Frequently Asked Questions
- Personal Identification Number (PIN) Attacks Alert
- What To Do If Compromised Guide
- Reminder: Registration and Compliance Requirements for Encryption Support Organizations
- Joint USSS/FBI Advisory, Feb. 2009
www.visaonline.com
- Update: Compromise of ATM PIN Transactions, May 2011 (Visa Business News)
Resources
Visa Client Tools
- Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems (advancedauth@visa.com)
- Register for and use Visa's Compromised Account Management System (CAMS) alerts (cams@visa.com)
Questions?