Solutions for PCI Compliance
John Bedrick, AccuCode
Agenda
• About AccuCode
• PCI DSS Requirements – revisited
• Common Areas of Failure for PCI Compliance
• Some Solutions for Addressing PCI DSS Requirements
• Summary
• Next Steps
• Question and Answer Session
AccuCode the Company
• Founded 1995
• VAR, Professional & Managed Services, Commercial Software Products
• National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
• Fastest Growing Privately Held Company in the U.S.
• Trusted Advisor Delivering Guaranteed Outcomes
AccuCode Customers & Partners
AccuCode has hundreds of customers & thousands of end-users!
[Customer and partner logos, grouped as: Partners, Manufacturing, Retail, Transportation]
PCI DSS Requirements - Revisited
PCI DSS Requirements - Summary
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Common Areas of Failure For PCI Compliance
[Chart: PCI DSS Requirement Failures – percentage of assessed organizations failing each of the 12 requirements. Source: Trustwave – 2011 Global Security Report]
Some Solutions For Addressing PCI DSS Compliance
Firewalls and Routers
Install firewalls between the network and the Internet
• Use stateful inspection
• Use Network Address Translation (NAT)
• Install “personal” (host-based) firewall software on all computer systems
Segmentation – NO “flat” networks
• Isolate POS & processing systems from the rest of the network
• VLANs (create separate “zones”)
• Create a DMZ for further segmentation
• A VLAN only reduces scope when traffic between zones is filtered by a firewall or ACL and the isolation is verified by testing
Eliminate non-required ports and protocols
Use the firewalls’ and routers’ IPsec and/or VPN support to protect network traffic
Document the network
• Create network diagrams showing data flows – especially for cardholder data (CHD)
Remove From PCI Scope
Cardholder Data
• Encrypt CHD if locally stored -- or better yet -- don’t store it at all
• End-to-End Encryption: from “swipe” all the way to the payment processor
• Verify with your POS/PIN pad vendors:
  • End-to-end encryption?
  • PA-DSS validated? Check online at: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
• Don’t forget simple fixes like:
  • Hardware/software storage encryption (including backups)
  • Communication encryption (e.g., TLS rather than legacy SSL, SSH, SFTP, HTTPS, IPsec, and VPNs)
Remove From PCI Scope – Cont.
Cardholder Data - Continued
• Use “tokenization”: systems that only ever hold the token (and cannot detokenize) drop out of scope; the token vault itself stays in scope
Hardcopies
• Keep locked up when needed
• Shred when no longer needed
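To make the “don’t store it, tokenize it” point concrete, here is an added example (not code from AccuCode or this presentation) in Python. It pairs a toy token vault with a scanner that finds PANs left behind in logs or exports, using a Luhn check to filter out invoice numbers and other digit runs. The token format, the sample log lines and the test card numbers are assumptions constructed for the example.

```python
"""Added example, not AccuCode's code: a toy tokenization vault plus a scanner
that finds PANs left in files or logs.  The token format, the sample log and the
test card numbers are assumptions made for this example."""
import re
import secrets

# Loose candidate pattern (13-19 digits, optional space/dash separators);
# the Luhn check below removes most false positives such as invoice numbers.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed outside the vault: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Report (masked) PANs found in free text such as logs, exports or backups."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


class TokenVault:
    """Stand-in for the one hardened, in-scope system that keeps real PANs.
    A production vault would encrypt its store and sit in its own network zone."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:          # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random, not derived from the PAN; last four kept for receipt matching.
            token = "tok_%s_%s" % (secrets.token_hex(8), pan[-4:])
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


# Constructed sample log: two real (test-number) PANs, one Luhn-invalid number
# and an invoice number that looks like a card number but is not one.
SAMPLE_LOG = """\
2011-03-02 10:14:07 POS-3 sale approved card=4111111111111111 amt=42.10
2011-03-02 10:15:22 POS-3 sale declined card=4111111111111112 amt=9.99
2011-03-02 10:16:01 ERP   invoice=1234567890123 customer=ACME
2011-03-02 10:17:45 POS-1 sale approved card=3782 822463 10005 amt=120.00
"""

if __name__ == "__main__":
    print("PANs found in log:", find_pans(SAMPLE_LOG))
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")
    print("token handed to POS/CRM:", token)
    print("vault only:", vault.detokenize(token))
```

Note that the scanner reports masked values only, so running it does not itself create a new copy of cardholder data.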
Outside Hosting
3rd Party Processing (PCI DSS compliant?):
• Payment Gateways
• Aggregators
• “Managed” Processing
Managed Technology Can Help
Anti-Virus Software
• Monitored and Actionable
• Automatically Updated
• Always up-to-date
• Available at both Network & Computer System level
Firewalls
• Can combine multiple functions (e.g., UTM)
• Monitored and Actionable
• Automatically Updated
• Always up-to-date
• Available at both Network & Computer System level
Managed Technology Can Help – Cont.
Security Information and Event Management (SIEM)
• Alerts and Logs are Monitored and Actionable
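“Monitored and actionable” only means something if the SIEM carries rules that turn raw logs into alerts an analyst can act on. The following is an added example (not AccuCode’s code or any product’s rule syntax) in Python: two simple detections run over constructed sshd log lines, one for a password-guessing burst and one for a single user ID being used from several machines at once. The thresholds (6 failures in 30 minutes, 2 source addresses within 10 minutes), the host name and the addresses are assumptions for the example, not figures from PCI DSS.

```python
"""Added example, not code from AccuCode or the presentation: two simple
SIEM-style detections run over constructed sshd log lines.  The thresholds
(6 failures in 30 minutes, 2 source addresses within 10 minutes) and the
hostnames/addresses are assumptions for the example, not PCI DSS figures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst against "admin" that finally
# succeeds, and "jsmith" logging in from two different machines minutes apart.
SAMPLE_EVENTS = """\
Mar 12 10:14:07 pos-srv sshd[2201]: Failed password for admin from 203.0.113.9 port 51234 ssh2
Mar 12 10:14:09 pos-srv sshd[2202]: Failed password for admin from 203.0.113.9 port 51235 ssh2
Mar 12 10:14:12 pos-srv sshd[2203]: Failed password for admin from 203.0.113.9 port 51236 ssh2
Mar 12 10:14:15 pos-srv sshd[2204]: Failed password for admin from 203.0.113.9 port 51237 ssh2
Mar 12 10:14:18 pos-srv sshd[2205]: Failed password for admin from 203.0.113.9 port 51238 ssh2
Mar 12 10:14:21 pos-srv sshd[2206]: Failed password for admin from 203.0.113.9 port 51239 ssh2
Mar 12 10:14:25 pos-srv sshd[2207]: Accepted password for admin from 203.0.113.9 port 51240 ssh2
Mar 12 10:30:02 pos-srv sshd[2310]: Failed password for jsmith from 192.0.2.20 port 40001 ssh2
Mar 12 10:30:40 pos-srv sshd[2311]: Accepted password for jsmith from 192.0.2.20 port 40002 ssh2
Mar 12 10:31:05 pos-srv sshd[2312]: Accepted password for jsmith from 192.0.2.77 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(text, year=2011):
    """Turn raw syslog lines into (timestamp, result, user, src) tuples.
    syslog carries no year, so one is supplied (assumption for the sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # lines from other daemons are ignored here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"].lower(), m["user"], m["src"]))
    return sorted(events)


def detect(events, fail_threshold=6, fail_window=timedelta(minutes=30),
           share_window=timedelta(minutes=10)):
    """Return a list of alert tuples an analyst can act on."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    bursting = set()                # users that crossed fail_threshold
    accepts = defaultdict(list)     # user -> [(timestamp, src)] of successes

    for ts, result, user, src in events:
        if result == "failed":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > fail_window:      # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold and user not in bursting:
                bursting.add(user)
                alerts.append(("BRUTE_FORCE", user, src, len(q)))
        else:
            if user in bursting:   # the guess that worked: treat as a compromise
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", user, src))
            accepts[user].append((ts, src))
            recent = {s for t, s in accepts[user] if ts - t <= share_window}
            if len(recent) > 1:    # one ID, several machines: shared credential?
                alerts.append(("SHARED_ACCOUNT", user, tuple(sorted(recent))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_EVENTS)):
        print(*alert)
```

The shared-account rule is the one that backs the “NO sharing!” point later in the deck: a unique ID per person is only verifiable if someone watches for the same ID being used from more than one place.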
File Integrity Monitoring (FIM)
• Alerts and Logs are Monitored and Actionable
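What a FIM agent actually does is small enough to show in full. This is an added example (not AccuCode’s code or any commercial FIM product) in Python: it baselines a directory tree with SHA-256, seals the baseline with an HMAC so that an attacker who edits the baseline to hide a change is caught, and reports added, removed and modified files. The sample tree, file names and key are constructed for the example.

```python
"""Added example, not AccuCode's code: a minimal file integrity monitor.
It baselines a directory tree with SHA-256, seals the baseline with an HMAC so
a tampered baseline is detected, and reports added/removed/modified files.
The sample tree, file names and key are constructed for this example."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Added/removed/modified paths; an in-scope host should alert on all three."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def seal_baseline(snap: dict, key: bytes) -> bytes:
    """Serialize the baseline with an HMAC tag; keep the key off the monitored host."""
    body = json.dumps(snap, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"snapshot": snap, "hmac": tag}).encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting a stored baseline."""
    doc = json.loads(blob)
    body = json.dumps(doc["snapshot"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed")
    return doc["snapshot"]


def demo() -> dict:
    """Build a sample tree, baseline it, simulate a compromise, and compare."""
    key = b"example-key-stored-on-the-FIM-server"   # assumption for the example
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "pos" / "pos.exe").write_bytes(b"MZ original binary")
        (root / "pos" / "config.ini").write_text("store=42\n")
        (root / "readme.txt").write_text("hello\n")
        blob = seal_baseline(snapshot(root), key)

        # Simulated compromise: trojaned binary, dropped DLL, deleted file.
        (root / "pos" / "pos.exe").write_bytes(b"MZ trojaned binary")
        (root / "pos" / "skimmer.dll").write_bytes(b"MZ memory scraper")
        (root / "readme.txt").unlink()
        changes = diff_snapshots(open_baseline(blob, key), snapshot(root))

    # An attacker who edits the stored baseline to hide a change is caught by the HMAC.
    doc = json.loads(blob)
    doc["snapshot"]["pos/pos.exe"] = "0" * 64
    try:
        open_baseline(json.dumps(doc).encode(), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"changes": changes, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the HMAC is the same one made for logs elsewhere in the deck: the record you compare against must be held somewhere the monitored system cannot quietly rewrite.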
Computer Systems Patch Management
• Monitored and Actionable
• Automatically Updated
• Always up-to-date
Vulnerability Scanning
• Can be automatically scheduled to occur
• External, Internal and Wireless
• Monitored, with reports generated and sent automatically
Access Control
Limiting CHD access to a “Need-to-Know” basis
Monitor areas where CHD might be
• POS areas
• Server room / Data Center
Provide UNIQUE user IDs / credentials
• NO sharing!
• Use multi-factor authentication
• Enforce STRONG passwords
Access Control – Cont.
Secure the Environment where CHD resides
• Lock doors/windows to secure areas
• Use safes
• Block unused network ports
• Lock down wireless network access
Hire right – Train often
• Background checks
• Reference checks
• Security training – alertness training
• Avoid social engineering
Monitor and Test, Test, Test
Security is only a deterrent – NOT an absolute!
• Locks keep honest people honest
• Make it as difficult as possible
Early warnings can reduce your risks and the damages
• The earlier you find out, the quicker you can respond
• Ignorance is NOT bliss
How do you know if things are working correctly?
• Would you get into your motor vehicle without knowing the brakes and engine are working correctly?
• Regular inspections and testing provide comfort
Policies and Procedures
Yes, you need them
Yes, they are required
• You can hire someone to write them for you
• You can get “templates” to help you get started
• Or you can write them yourself from scratch
Once created, you must train your staff
After your staff is trained, you must enforce them
No exceptions, and no free passes
Summary
There’s no “silver bullet” for PCI Compliance and Security
• But there are many solutions available to help
There’s no “magic wand” to turn you into an instant PCI Compliance and Security expert
• But there’s no reason you shouldn’t try
The “bad guys” are always looking for opportunities to steal from you and your customers
• You need to try to keep at least one step ahead of them
• At least make it so hard that they go for easier targets
You must do the best you can – and don’t forget that you are not alone
• Hire experts to assist you
• That’s what we are here for
AO:Compliance™ and Next Steps
AO:Compliance Makes PCI Compliance as Easy as:
1. Assess & Analyze
2. Close Gaps
3. Stay Compliant
Next Steps, If You Need Help
AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.
• Go to the AO:Compliance website to find out more information about our compliance and security offerings www.aocompliance.com
• Contact Us: [email protected]
If you need help with other technology issues, AccuCode can assist you with those as well.
• Visit the AccuCode website for more information about our other products and services www.accucode.com
PCI Standards: https://www.pcisecuritystandards.org/
Questions and Answers