Post on 19-Apr-2018
transcript
PCI Compliance: Tips to Avoid Fraud, Fines and Litigation
Jim Fish, Coalfire Systems; Saskia Ipema, Active Network
Coalfire Systems, Inc.
o Clients include Fortune 100, retail, government, education, financial, healthcare, and manufacturing
o Offices in Denver, CO; Seattle, WA; San Diego, CA; New York, NY and Vancouver, BC with over 40 IT Auditors
o Security, Governance, Compliance Mgmt, Audit – GLBA, CIP, SOX, PCI, HIPAA, SAS70 & Government
o Application Security: PA-DSS Certification, Code Audits, Penetration Testing, SDL Development
o Forensics: E-discovery, Forensic Analysis and Litigation Support
o Assessments: IT Risk Assessments, Vulnerability Assessments and Compliance Audits
o IT Governance and Compliance Management
Agenda
o Definitions
o Regulatory Landscape
o Scary Bedtime Stories … What went wrong?
o PCI Compliance Process
  – What are we protecting
  – PCI compliance requirements
  – Compliance strategies
  – Issues
o Active’s Hosted Solutions and PCI Compliance
o Questions
Definitions
o PCI DSS – Payment Card Industry Data Security Standard
o PCI SSC – Payment Card Industry Security Standards Council
o PA-DSS – Payment Application Data Security Standard
o QSA – Qualified Security Assessor
o ASV – Approved Scan Vendor
o CVV2 – Card Validation Value (3 Digit Number on Visa)
o CVC2 – Card Validation Code (3 Digit Number on MasterCard)
o CID – Card Identification Data (4 Digit Number on Amex/Discover)
o PAN – Primary Account Number
o CVC/CVV – Field stored on the magnetic stripe
o Track Data – Data stored on the magnetic stripe
The Perfect Storm
o Financial Liability
o PCI Security Standards
o Escalating Cyber Breaches
o Low tolerance for service disruptions
o State Privacy Laws
o Customer Expectation of Privacy
Regulation Timeline
Regulatory Environment is following major data breach scenarios
o 1970-1980: Captain Crunch
  – Changed technology to more than dial tone for long distance calls
o 1980-1999: Computer Security Act of 1987
o 2000 - 2004: Data Processors Inc
  – 1st Major Card Data Breach
  – Started Enforcement of VISA CISP
  – Focus on Processors
  – Almost caused CC regulation
  – VISA launches CAMS
o 2005 - 2006: TJ Maxx (May 2006), DSW Shoe Warehouse
  – Converted to PCI
  – Required Certification of No stored Security Values
  – Serious enforcement on Level 1 and 2 merchants
  – VISA launches ADCR = charge back for fraud on compromised accounts
  – Focus of PCI turns to brick and mortar merchants
o 2008 to Present: Card Processor Int’l, Hannaford, Heartland
  – Hold onto your hats!! PCI AUDIT THE AUDITORS
  – Payment Application audits
  – Compliance enforced at all levels
  – Likely federal regulation
  – State Privacy Laws
  – State Data Breach Laws for CC
State Privacy Laws
o Organizations must establish basic information security programs
o Organizations must proactively manage their confidential consumer information
o Organizations must take steps to know when their defenses have been breached
o In the event of an actual or suspected data privacy breach, organizations have a legal obligation to notify impacted consumers
Compromise Statistics
o Over 80% of compromised systems were “card present” or in person transactions
o 90% of all compromised merchants are PCI level 4 merchants (less than 1 million transactions per year)
o No fully compliant merchant has ever been compromised
o 50% of the merchants do not survive the breach … or no longer operate with the same independence
Impact of Organized Crime
o There is a multi-tiered market for stolen personal information.
o The thieves are generally not the ones who use it to commit fraud.
Popular Myths
o We are the government. There are liability limits that protect us.
o Who would want to attack us? There must be better places to target.
o PCI is Hard.
o PCI will make us Secure.
VA Breach Example
(5/22/06) VA employee violated VA policy and brought data home on a VA laptop, which was stolen.
o The database contained the names, social security numbers and dates of birth of as many as 26.5 million veterans and their families
o Laptop was stolen from the employee’s home
o The employee notified his superiors immediately, but the VA took nearly three weeks to warn vets that their information was at risk.
(6/29/06): Laptop turned in to the FBI by an unidentified person seeking the $50,000 reward. 2 teens were charged in the theft, charges pending on another suspect.
(7/14/06): FBI and VA Inspector General conducted a forensic examination on the laptop and reported that no data had been removed. But experts say there are ways to thwart detection.
VA Breach Example – Consequences:
o 02/06/09 VA agrees to pay $20M
o VA had a documented history of poor security practices:
  – 2004: VA was cited as failing to comply with the Federal Information Security Management Act
  – 2004: Received failing grades from the House Government Reform Committee on its information and computer security programs
  – VA’s delay in notifying vets was likely the key fault in the case.
  – VA did not have a data breach plan in place
  – Did not provide staff with adequate (if any) training on handling a data breach.
Recent Breaches
NYPD Pension Fund
o A civilian official of the NYPD’s pension fund has been charged with stealing the identities of 80,000 current and retired cops, sources said. Anthony Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security numbers, direct-deposit information for bank accounts, and other sensitive material. Bonelli was the fund's director of communications.
City of Beaumont, TX
o Personal information of about 500 current and former Beaumont city workers accidentally was posted online. The info contained birth dates and SSNs and was posted on the city's website on Jan 14.
City of Muskogee, OK
o City discovered a “possible breach of utility billing information” on about 4,500 utility accounts that were closed prior to August 2000. “The disk obviously made it into some surplus property; into a computer box with other things by accident,” City Clerk Pam Bush said.
Economics of a Breach
A hypothetical Department compromises 1,000 accounts
• Notify Clients: $30 x 1,000 = $30,000
• Fines and Penalties: $50,000+
• Increased audit needs: $25,000 x 3 years = $75,000 (minimum)
• Fraud liability: 1,000 accounts x $500 = $50,000
• Total Financial Impact: $200,000 or more
• Reputation Loss: PRICELESS!
The cost of a breach can easily be 20 times the cost of PCI Compliance. (Ponemon Study 2008)
What are We Protecting?
1. Cardholder Verification Number (CVN) – Visa/Discover's Card Verification Value (CVV), MasterCard's Card Validation Code (CVC)
2. Primary Account Number (PAN)
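Finding where the two items above (and track data) actually sit in logs, exports and backups is the practical core of the "If You Don't Need it, Don't Store It" advice later in this deck. The following is an added example, not from the presentation or from Coalfire or Active: a small Python discovery scanner, run over a constructed log sample, that Luhn-validates PAN candidates, recognises Track 1 and Track 2 layouts, flags CVV/CVC/CID values logged under their field name, and reports PANs only in the masked first-six/last-four form. The log format and field names are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic stripe track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\??")
# Magnetic stripe track 1: %B<PAN>^<NAME>^YYMM<discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\??")
# Card verification numbers logged under their field name (CVV2/CVC2/CID).
CVN_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cvn)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(digits):
    # Luhn check digit test filters out ticket/phone numbers of similar length.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    # Display form allowed by PCI DSS: at most first six and last four digits.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text):
    # Returns [(line_no, kind, masked PAN or field name), ...]; never the raw PAN.
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported as track data
        for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            for m in rx.finditer(line):
                results.append((n, kind, mask_pan(m.group(1))))
                covered.append(m.span())
        for m in PAN_RE.finditer(line):
            if any(a <= m.start() < b for a, b in covered):
                continue  # this PAN is part of track data reported above
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                results.append((n, "PAN", mask_pan(digits)))
        for m in CVN_RE.finditer(line):
            results.append((n, "CVN", m.group(1).lower()))
    return results

# Constructed sample log (not from the presentation); card numbers are test values.
SAMPLE_LOG = """\
2009-03-02 10:14:01 auth ok order=1001 pan=4111111111111111 exp=1203
2009-03-02 10:14:02 debug swipe=;4111111111111111=12031011234567890?
2009-03-02 10:14:03 debug swipe=%B5500000000000004^DOE/JOHN^12031011234567?
2009-03-02 10:14:04 info ticket=1234567890123 customer=555-0100
2009-03-02 10:14:05 auth ok order=1002 pan=4111-1111-1111-1111 cvv=123
"""
```

Calling scan_text(SAMPLE_LOG) reports the two debug lines as stored track data and the last line as a PAN plus a logged CVV, while the 13-digit ticket number is dropped by the Luhn check; because only masked values are returned, the scanner's own report does not become one more place cardholder data is stored.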
The Payment Process (diagram)
Parties shown: Cardholder, Payment Server, Merchant’s Acquiring Bank, Cardholder’s Issuing Bank, PCI Security Standards Council
1. Authorization Request
2. Authorization Processed
3. Authorization Request
4. Account Processing
5. Settlement (next day)
6. Cardholder Statement
PCI Security Standards Council
PCI SSC Is…
o An Independent Industry Standard
o Manages the technical and business requirements for how payment data should be stored and protected
o Maintains List of Qualified Assessors
  – QSAs, ASVs, PA-QSA and PED Labs
PCI SSC Does Not…
o Manage or enforce compliance
o Replace the card brands’ compliance programs (Visa CISP, MasterCard SDP, AMEX DSOP, etc.)
o Define validation levels
o Levy fines
Binding Contract
CISP is based on the Payment Card Industry Data Security Standard, with which all members, merchants and service providers must comply according to contracts.
Compliance vs. Validation
Compliance
o All merchants must adhere to the PCI standard, regardless of size or number of transactions processed
o Requires a Cyber security program
Validation
o Compliance must be tested and reported to Acquiring Banks based upon transaction volumes or risk levels (Audit of the cyber security program)
Merchant Compliance Levels
o Merchant Level 1: Any merchant processing over 6 million VISA or MasterCard transactions per year OR identified by any card brand as a Level 1 merchant.
o Merchant Level 2: Any merchant processing 1 to 6 million VISA or MasterCard transactions per year.
o Merchant Level 3: Any merchant processing 20,000 to 1 million VISA or MasterCard e-commerce transactions per year.
o Merchant Level 4: Any merchant processing less than 20,000 VISA or MasterCard e-commerce transactions per year, and all other merchants with less than 1 million transactions.
Merchant Validation
Merchant Level 1
  Validation Action: • Annual, On-site PCI Data Security Assessment • Quarterly Network Scan
  Validated By: • Qualified Security Assessor • Approved Scan Vendor • Attestation of Compliance Form
Merchant Level 2
  Validation Action: • Annual Self-Assessment Questionnaire (SAQ) • Quarterly Network Scan
  Validated By: • Merchant Executive • Approved Scan Vendor • Attestation of Compliance Form
Merchant Level 3
  Validation Action: • Annual Self-Assessment Questionnaire (SAQ) • Quarterly Network Scan
  Validated By: • Merchant Executive • Approved Scan Vendor • Attestation of Compliance Form
Merchant Level 4
  Validation Action: • Self-Assessment Questionnaire recommended • Quarterly Network Scan
  Validated By: • Merchant Executive • Approved Scan Vendor • Compliance validation requirements set by acquirer
Careful What You Sign
Part 3a. Confirmation of Compliant Status
Merchant confirms:
o PCI DSS Self-Assessment Questionnaire D, Version 1.2, was completed according to the instructions therein.
o All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
o I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
o I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.
o No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.
Part 3b. Merchant Acknowledgement
Signature of Merchant Executive Officer / Date
Merchant Executive Officer Name / Title
Merchant Company Represented
Service Providers
o Service Provider Level 1: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
o Service Provider Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Service Provider Validation
Service Provider Level 1
  Validation Action: • Annual On-site PCI Data Security Assessment • Quarterly Network Scan
  Validated By: • Qualified Security Assessor • Approved Scanning Vendor
Service Provider Level 2
  Validation Action: • Annual PCI Self-Assessment Questionnaire • Quarterly Network Scan
  Validated By: • Service Provider Executive • Approved Scanning Vendor
Deadlines
PCI Data Security Standard
o No Actual Deadline - merchants have always been required to comply with card brand rules
Payment Application Data Security Standard
o Oct. 1, 2009 - All merchants will be required to start terminating the use of any noncompliant payment applications that they might still have in their environments.
o July 1, 2010 - Mandates the use of only those payment applications that support the new standards.
Pin Entry Devices
o July 1, 2010 - Mandates that all deployed POS PEDs must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.
PCI’s 5 Stages to Acceptance
o Denial: It doesn’t apply to me • PCI compliance is mandatory
o Anger: It isn’t fair • PCI applies to all parties
o Bargaining: I’ll do some of it • Compliance is “pass / fail”
o Depression: I’ll never get there • Many merchants already have
o Acceptance: It’ll be OK • It’s an ongoing business process
Compliance Program
Project Charter
• Align team • Assign Responsibility • Scope Environment
Assess
• Conduct Testing to PCI DSS • Identify Gaps • Establish a Remediation Roadmap
Remediate
• Align to a Project Plan (Time, $) • Policies, Plans and Procedure • Infrastructure changes • Training
Validate Compliance
• Final Testing (independent?) • Report to Acquiring Banks • Report to Internal Oversight
Where is Your Cardholder Data? (diagram)
Components shown:
o Customer channels: Phone / Fax; Web Server (card not present); POS Terminals (card present in stores and parking facilities); Document Vaults (paper records)
o Production Environment: Transaction Servers or Payment Gateway; Authorization; Transaction Record & Archive; Data Warehouse (Payment Gateway and Transaction Database); Batch Settlement; Application Servers
o Admin Environment: Portal Access to Reconciliation Data (Charge Back / Sales Audit)
o Back Office & Customer Svc: • Marketing • Customer Service • Ecommerce • Phone / Fax • Gift Cards • Fraud • ACCT. / Admin
o Acquiring Bank: Wells Fargo, BoA, Chase, etc.
SAQ 1 – Card not present
• No face-to-face transactions
• Process e-commerce or mail order/telephone orders
• Outsource all cardholder data storage, processing or transmission to a third party service provider
• Only retain paper reports or receipts with cardholder data on your premises
• No electronic storage of cardholder data on your premises
13 Questions to Complete
SAQ 2 – Imprint Only
• Imprint only machine used for transactions
• Do not transmit cardholder data over phone line or the Internet
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises
26 Questions to Complete
SAQ 3 – Standalone Hardware Terminal with Dial-up Connectivity
• Transactions processed via phone line connection to processor
• Can be face-to-face, ecommerce, or mail order/telephone order transactions
• Standalone hardware terminal not connected to any other systems or the Internet
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises
26 Questions to Complete
SAQ 4 – Standalone Hardware Terminal or Software System with Internet Connectivity
• Transactions processed via internet connection to processor
• Also includes merchants where the payment application used to process transactions is on a personal computer connected to the internet for reasons such as email, etc.
• Can be face-to-face, ecommerce, or mail order/telephone order transactions
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises
41 Questions to Complete
SAQ 5 – All Other Merchants Defined as Self-Assessment Questionnaire Eligible
• Electronic cardholder data storage on premises.
• Examples would include merchants processing recurring billing transactions that are not outsourced to a third party Servicer or those with their own network connectivity to the card brand companies.
225 Questions to Complete
Sample Scanning Report – Overall Compliance Status: FAIL
Live IP Address Scanned Security Risk Rating Compliance Status
11.22.33.44 1.0 Pass
11.22.33.45 1.0 Pass
11.22.33.46 2.0 Pass
11.22.33.47 1.0 Pass
11.22.33.48 1.0 Pass
11.22.33.49 1.0 Pass
11.22.33.50 1.0 Pass
11.22.33.51 4.0 FAIL
11.22.33.52 1.0 Pass
PCI Compliance Strategies
o Insist on Executive Visibility
o Confirm you are running a Validated Payment Application
o Read and Follow Your POS Implementation Guide
o If You Don’t Need it, Don’t Store It
o Segment your Network
o Implement Quarterly Scanning
o Complete Your PCI SAQ
o Update Your Policies and Procedures
o Implement Logging and Monitoring
o Manage Security like your Business Depends on It
Self-assessment tool features
o Questions in plain English (does not mimic the PCI SAQ)
o Evidence Library for Controls
o Schedule automated scanning (monthly or quarterly)
o Comparison to Like Organizations
o Based on responses:
  – Automatically determines the appropriate validation type (A, B, C or D)
  – Presents only those follow-on questions that are appropriate
o Centrally manage and monitor complex reporting requirements
o Ability to save, review and go back
o Contextual help
o Opportunity to select live Qualified Security Assessor (QSA) assistance
References
o PCI Security Standards Council – https://www.pcisecuritystandards.org/
o PCI Blog – PCI Answers – http://pcianswers.com/
o GAO – Report on Continuing Security Weakness
o State Notice of Data Breach Laws – http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
o Rapid SAQ Resources – https://navis.coalfiresystems.com
o Identity Theft Resource Center – www.idtheftcenter.org
Summary
PCI Compliance is an Ongoing PROCESS - NOT A PROJECT
o This means a new ongoing operating expense
Roles – everyone has a stake in the program’s success
Key Activities
o Map all cardholder processes
o Validate with vendors that no unencrypted cardholder data or security values are stored
o Identify all critical locations where cardholder data is processed, stored or transmitted
o Remediate compliance gaps and train all key stakeholders
o Provide well documented (i.e. justified with evidence) reports to senior management and Acquiring Banks
o Schedule vulnerability scans
Manage Risk and not just a check in the box
Active and PCI Compliance
o Active is committed to ensuring the highest security and privacy standards
o We have successfully completed a PA-DSS certification with Coalfire Systems, Inc.
o Customers can contact your account manager for more information.
o http://support.theactivenetwork.com
How Active Hosted Solutions Can Help
Hosted Payment Server, Hosted Internet Registration, Hosted POS, Web ActiveNet
With Active, as both the applications provider and merchant, most of the burden is on us:
o Mitigate your risks
o Save money, time and resources
o Reduce reporting requirements
Questions?
Jim Fish, Vice President
Jim.Fish@CoalfireSystems.com, 206.352.6028 ext. 7501
Saskia Ipema, Director, Account Management Services
Saskia.Ipema@ActiveNetwork.com