Posted: 20-Aug-2015 | Category: Technology | Uploaded by: joseph-fung
April 29, 2008 Lewis Media Website Producer Learning Series
PCI DSS: The Cost of Non-Compliance
Joseph Fung, April 29, 2008
Today’s Menu
• PCI Who and When
• Impact and Risk
• Mitigating the Risk
Part I: Who and When
The Payment Card Industry
PCI SSC - https://www.pcisecuritystandards.org
• Payment Card Industry (PCI) Security Standards Council – Founded in Dec 2004
• Develop and Maintain the PCI Data Security Standard (DSS)
Relationships
• Payment Card Industry
• Banks
• Processors
• Merchant (Website Owner)
The Timeline
• Sep 2006 PCI DSS Introduced
• Jul 2007 Contracts Updated
• Dec 2007 PCI DSS Compliance Required
• Feb 2008 New Tools Launched
https://www.pcisecuritystandards.org/tech/saq.htm
• ~2010 Additional Requirements Enforced
Who is responsible?
Everyone assumes someone else is taking responsibility for education
Why are we here?
We want to give our clients the best advice possible.
Part II: Impact and Risk
Who needs to be compliant?
All Merchants.
Includes brick & mortar, mail order / telephone order (MOTO), and e-commerce.
Will this impact end consumers?
No, not really.
Consumers are protected by many systems and vehicles – the end consumer is almost always right.
What is the value of compliance?
• Demonstrate due diligence
• Enhance confidentiality, integrity and authenticity of data
• Competitive edge: positive image and enhanced trustworthiness
• Safe harbor from fees
What are the consequences?
• Class action lawsuits
• Insurance claims
• Cancelled merchant accounts
• Card provider fines ($50K - $500K)
• Government fines ($5M - $20M)
• Damaged client relationships
Two Example (Fictional) Stories
• Jim: Online store using osCommerce
• Kate: Consultant using MOTO
The Hitch:
Compliance is not easy: there are MANY bases to cover, and most companies do not have the resources for full compliance.
Next: reviewing those bases.
*These data elements must be protected if stored in conjunction with the PAN.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
PCI DSS Overview
• 12 Requirements in 6 Groups
• 3 particularly relevant to e-commerce
• 8 must be addressed by the business owner
https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Special Note on Hosting Providers
• Per Requirement 12: All service providers with access to cardholder data must adhere to the PCI DSS
• Hosting providers must pay special attention to their role in this. They must form traceable silos.
Making sense of it…
Although we are not responsible for our clients' PCI DSS compliance, there are things we can do to help.
Part III: Mitigating the Risk
PCI Requirement 3
• Use autocomplete="off"
• Star out all but the last 4 digits
• Never display the security code
• Don't store the CVV number
• Encrypt using the MySQL AES encryption functions
• Use a TTL for displayed information
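Added example (not from the slides): a small Python sketch of the Requirement 3 points above. It assumes a MySQL table named card_vault and an encryption key supplied at runtime; it stars out the PAN to the last four digits, drops the CVV before anything is persisted, builds the parameterized AES_ENCRYPT insert for the MySQL layer, and gives displayed data a TTL.

```python
import re
import time

# Constructed sample of what a checkout form posts; the CVV must never be stored.
SAMPLE_FORM = {"name": "J. Doe", "pan": "4111 1111 1111 1111", "exp": "12/09", "cvv": "123"}

# Sensitive authentication data: never persisted after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "track1", "track2"}

# Parameterized MySQL statement (assumed table card_vault) using the MySQL AES
# functions the slide mentions. The key is a runtime parameter, never stored in the table.
INSERT_SQL = ("INSERT INTO card_vault (pan_enc, last4) "
              "VALUES (AES_ENCRYPT(%s, %s), %s)")


def mask_pan(pan):
    """Star out everything except the last four digits of a PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def prepare_storage(form, key):
    """Return ((sql, params), kept): the encrypted insert for the DB layer and the
    record the application may keep. CVV/other sensitive auth data and the full
    PAN are dropped from the kept record; only the masked PAN remains."""
    if "pan" not in form:
        raise ValueError("missing PAN")
    digits = re.sub(r"\D", "", form["pan"])
    masked = mask_pan(digits)
    kept = {k: v for k, v in form.items()
            if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    kept["pan_masked"] = masked
    return (INSERT_SQL, (digits, key, digits[-4:])), kept


class DisplayedPan:
    """Masked PAN shown to a user that expires after ttl seconds (the slide's TTL)."""

    def __init__(self, masked, ttl, now=None):
        self.masked = masked
        self.expires_at = (time.time() if now is None else now) + ttl

    def render(self, now=None):
        now = time.time() if now is None else now
        return self.masked if now < self.expires_at else None
```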
PCI Requirement 4
1. Always pass credit card information via SSL (that includes any information sent to the browser in the Admin side of things)
2. Have a qualified IT consultant secure any wireless networks (using VPNs over public wireless networks)
PCI Requirement 6
1. Enable automatic updates for software
2. Include scheduled maintenance as part of the project
3. Use 3rd-party monitoring systems
PCI Requirement 7
1. Use software that allows you to restrict access to credit card information (or better yet, don’t store data).
PCI Requirement 10
1. Test the level of logging you can collect from your host (look for access logs and SSL access logs)
Best Practices
1. Review the PCI DSS Requirements with your clients that accept payment cards
2. Visit the PCI SSC website quarterly, or subscribe to the RSS feed: https://www.pcisecuritystandards.org/pcissc_news.xml
3. Require service providers and third parties to demonstrate PCI compliance
4. Store less, better access control, understand the data flow
Best Practices (cont'd)
5. Perform a thorough scoping project to determine all credit card data flows from transaction to billing
6. Update frequently: compliance is for a specific software version/product and valid for one year
Best Practices (cont'd)
7. Implement waiver/sign off on understanding PCI Compliance
8. Update processes frequently: compliance is for a specific business/feature and valid for one year
Best Practices (cont'd)
9. Automate log rotations and saving (some hosting providers delete automatically)
10. Maintain separate development, test, and production environments
11. Don't rely on WEP protection (use WPA or WPA2)
Best Practices (cont'd)
12. Never send PANs over email
13. Never send PANs over email
14. Never send PANs over email
Bonus Best Practice…
15. Use the Self Assessment Questionnaire as the gap analysis, and talk to the client about the ideals of PCI compliance before the logistics. Aim to pass the belief, not just the checklist.
Get the questionnaire at https://www.pcisecuritystandards.org/tech/saq.htm
Conclusion
Review PCI Standards with your clients and let them know the risks.
They are obliged to comply, and we would all like to help them get there.
Questions/Comments?
Feel free to ask now or email me: [email protected]