SlideShare a Scribd company logo

SFISSA - PCI DSS 3.0 - A QSA Perspective

Download as PPTX, PDF
M
Mark Akins

This document provides an overview of PCI compliance from the perspective of a Qualified Security Assessor (QSA). It discusses the history and organizations involved in establishing the PCI Data Security Standard (DSS). It outlines the 12 requirements of the DSS, including changes in version 3.0. It also summarizes the PCI compliance process and roles of various entities like merchants, banks, and QSAs.

1 of 51
Downloaded 128 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
A QSA Perspective By Mark Akins, PCI QSA, CISSP, CISA
Introduction • 1st Secure IT, LLC is a Qualified Security Assessor Company (QSAC) headquartered in Coral Springs, with offices in Boston and Mexico City. • Qualified Security Assessors are the authority on the PCI Data Security Standard.
Agenda PCI Program Overview PCI DSS Introduction What’s New in Version 3.0 PCI DSS Compliance & Validation • Merchant / Service Provider Levels • Self-Assessment Questionnaires • Validation by Assessment (ROC) Scoping Gap Analysis Remediation Emerging Technologies Questions
Before 2004, each of the major card brands had their own security program. • Visa US - Cardholder Information Security Program ( CISP ) • MasterCard - Site Data Protection ( SDP ) • Amex - Data Security Operating Policy ( DSOP ) • Discover - Information Security & Compliance ( DISC ) • JCB - Data Security Program ( DSP ) As you can imagine, these disparate programs made compliance difficult for merchants and service providers. PCI Program Overview
• PCI DSS version 1 is dated December 2004. • On June 30, 2005, the regulations took effect. • The PCI Security Standards Council came into existence in 2006. • The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards. Current Version of the PCI DSS is 3.0 soon to be 3.1 PCI Program Overview
• Although PCI DSS Compliance is universally agreed to and accepted, each of the Card Brands (Visa, MC, Discover, Amex, JCB) still maintain their own compliance programs in accordance with their own security risk management policies for compliance, validation levels and enforcement. • Additionally, each Card Brand has their own penalizing/fining procedures for companies who experience a data breach. PCI Program Overview
What are the various PCI programs and how do they relate? PCI Program Overview SOFTWARE DEVELOPERS PCI PA-DSS Payment Application Standard MANUFACTURERS PCI PTS PIN Transaction Security Ecosystem of payment devices, applications, infrastructure and users MERCHANTS & SERVICE PROVIDERS PCI DSS Data Security Standard PCI Security & Compliance
PCI Program Overview Acquiring Banks Communicates and educates merchants on PCI DSS and reports merchant levels and compliance status to Card Brands Merchants & Service Providers Responsible for safeguarding credit card data and complying with the PCI DSS PCI Security & Compliance Responsible for enforcing and monitoring merchant compliance with the PCI DSS Responsible for managing the various PCI programs and certifying QSAs Who is responsible for PCI Compliance?
PCI DSS Introduction What is PCI DSS? • PCI DSS stands for Payment Card Industry Data Security Standard. This standard is a set of controls used to protect Cardholder Data when stored processed or transmitted. • Defined and evolved by the Payment Card Industry Security Standards Council (PCI SSC) with input from the Card Brands and participating organizations. • The current version is 3.0 but expecting emergency revision to 3.1 due to flaws in SSLv3 (Poodle).
PCI DSS Introduction What is PCI DSS? • All entities (merchants, processors, acquirers, issuers, or service providers) that store, process or transmit cardholder data are required to comply with the PCI DSS. • Standards are on a 3 year Lifecycle. • Version 3.0 was published in November 2013. • 2014 was a Transition year and 2016 is the final year for PCI 3.0 • 2016 is also a Transition year and the new 4.0 standard should be published in November of this year.
PCI DSS Introduction What is Cardholder Data (CHD)? Primary Account Number (PAN) Expiration Date Chip / Magnetic Strip Data CAV2/CVC2/CVV2 Security Code Cardholder Name
PCI DSS Introduction Can I store Cardholder Data (CHD)? Data Element Storage Permitted Protection Required Cardholder Data Primary Account Number (PAN) Yes Yes Cardholder Name Yes *Yes Service Code Yes *Yes Expiration Date Yes *Yes Sensitive Authentication Data Full Magnetic Stripe or Equivalent Chip Data No N/A CAV2/CVC2/CVV2/CID No N/A PIN/PIN Block No N/A * These data elements must be protected if stored in conjunction with the PAN.
PCI DSS Introduction Is PCI Compliance a Law?  In 2007 Minnesota established the “Plastic Card Security Act” which states that any company that is breached and is found to have been storing “prohibited” PCI Sensitive Authentication Data (e.g., magnetic stripe , CVV codes, track data etc.) are required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits.  Massachusetts introduced a law, 201 CMR 17.00, which pulls some important concepts from the PCI DSS. For example, the law has requirements around limiting data collected, requiring written security policies and data encryption. This law applies to any company who has customer data (or handles it) from customers based in Massachusetts.
PCI DSS Introduction Is PCI Compliance a Law?  In 2010 Washington State established “Wash. H.B. 1149” which amended the Washington’s breach notice law. Similar to the Minnesota Plastic Card Security Act as it provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach. • In 2009 Nevada amended its data privacy law and passed Senate Bill 227 (SB 227). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts.
PCI DSS Introduction PCI DSS 3.0 Pyramid
PCI DSS Introduction PCI DSS has Control Objectives 1) Build and Maintain a Secure Network 2) Protect Card Holder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy
PCI DSS Introduction PCI DSS has 12 Requirements 1) Install and Maintain a firewall configuration to protect CHD  Firewall and Router configuration standards  Review Network Diagram  Firewall and Router connections are restricted (inbound/outbound traffic)  No direct internet connection to CHD (DMZ) 2) Do not use vendor-supplied defaults for system passwords and other security parameters  Attempt to sign on with defaults  Hardening standards and system configuration  Non-console admin access is encrypted
PCI DSS Introduction PCI DSS has 12 Requirements 3) Protect stored CHD  Retention Policy and Procedures  Quarterly process for deleting stored CHD  Sample incoming transactions, logs, history & trace files, database schemas and content  Do not store full track, CVV or PIN  Render PAN unreadable (mask/truncate)  Encryption and key management 4) Encrypt transmission of CHD across open, public networks  Verify encryption and encryption strength (No SSL3)  Verify wireless is industry best practice (no WEP)
PCI DSS Introduction PCI DSS has 12 Requirements 5) Protect all systems against malware and regularly update anti-virus software or programs  All system have AV (Linux Malware Review)  AV is current, actively running and logging 6) Develop and maintain secure systems and applications  Configuration change management  Patch management – current within one month  ID new security vulnerabilities with risk rating  Custom code is reviewed prior to release  Change management process  Developers are trained in secure coding techniques
PCI DSS Introduction PCI DSS has 12 Requirements 7) Restrict access to CHD by need-to-know  Review access policies  Confirm access rights and controls for privileged users  Confirm access controls default with “deny-all” 8) Identify and authenticate access to system components  Verify all users have a unique ID  Verify authentication with ID/PW combination  Verify two-factor (MFA) authentication for remote access  Verify terminated users are deleted  Inspect configurations for PW controls
PCI DSS Introduction PCI DSS has 12 Requirements 9) Restrict physical access to CHD  Access to computer rooms and data centers  Video cameras are in place and video is secure  Network jacks are secure – not in visitor area  Process for assigning badges  Storage locations are secure (offsite media) 10) Track and monitor all access to network resources  Review audit trails – actions, time, date, user, etc.  Time server updates and distribution  Process to review security logs
PCI DSS Introduction PCI DSS has 12 Requirements 11) Regularly test security systems and processes  Test for wireless access points  Internal and external network vulnerability scans  Internal and external penetration testing annually  File integrity monitoring tools are used 12) Maintain a policy that addresses information security  Policies are reviewed at least annually  Explicit approval is required for access  Auto disconnect for inactivity-internal and remote  Security awareness program is in place  Risk Assessment and Incident Response Plan
Organization of Changes Additional Guidance Clarifications Evolving Requirements What’s New in Ver. 3.0
Additional Guidance: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. Only 1 update fell into this category (ASV Scanning) Allows multiple scan reports to be merged together to obtain a compliant scan What’s New in Ver. 3.0
Clarifications: 116 of the changes to the PCI DSS fell into this category. There were 25 requirements that were re-ordered. 1 requirement was collapsed and combined with another. There were 63 language changes and 9 Testing procedure changes. Additionally there were 6 New Sub- Requirements added to clarify the intent of 4 upper level requirements: What’s New in Ver. 3.0
Evolving Requirements: These changes are designed to keep the Standards fresh to emerging threats or changes in Technology. There were 24 total changes with 18 new requirements in this category. What’s New in Ver. 3.0
Evolving Requirements: Policies, Procedures & Training for protecting Card swipe devices (4 New Requirements) (6/30/2015) Protect card swipe devices from tampering or substitution Maintain an up-to-date list of card swipe devices Periodically inspect devices to detect tampering or substitution Train personnel to be aware of tampering scenarios What’s New in Ver. 3.0
Evolving Requirements: Enhancement of Penetration Testing to include a methodology and testing of Network Segmentation (2 New Requirements) (6/30/2015) Must have a defined methodology that is based on an industry best practice, covers the entire cardholder data environment, includes testing from inside, outside, network and application perspectives, performed at least annually and takes into account new vulnerabilities and threats since the last test If Network segmentation is used to reduce scope the penetration test must validate that the segmentation methods are operational and effective What’s New in Ver. 3.0
Evolving Requirements: Enhancement of Service Provider management (6/30/2015) (2 New Requirements) Must acknowledge in writing to their customers that they are responsible for the security of cardholder data that they transmit, process or store on behalf of the customer or to the extent that they could impact the security of the customers cardholder data environments identify which requirements the Service Provider is managing and which the Entity is managing (Requirements Matrix) What’s New in Ver. 3.0
The Compliance road map is determined based on the merchant or service providers “Level” The merchant or service providers “Level” is based on the cardholder transaction volume within a 12-month period All merchants will fall into one of four merchant levels All service providers will fall into one of two service provider levels Merchant / Service Provider Levels
Merchant Levels According to Visa and MasterCard Merchant Levels Merchant Level Merchant Criteria 1 • Any merchant that has suffered a hack or an attack that resulted in an account data compromise • Any merchant having more than six million total combined Visa, MasterCard and Maestro transactions annually • Any merchant that Visa or MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system 2 • Any merchant with more than one million but less than or equal to six million total combined Visa, MasterCard and Maestro transactions annually 3 • Any merchant with more than 20,000 combined Visa, MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually 4 • All other merchants
Validation Requirements According to Visa and MasterCard Merchant Levels Merchant Level Validation Validated By 1 • Annual Onsite Assessment • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) 2 • Annual Self-Assessment • Onsite Assessment at Merchant Discretion • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) • Internal Auditor (ISA) 3 • Annual Self-Assessment • Quarterly Network Scan conducted by an ASV • Merchant or QSA • Approved Scanning Vendor (ASV) 4 • Annual Self-Assessment • Quarterly Network Scan conducted by an ASV • Merchant or QSA • Approved Scanning Vendor (ASV)
Service Provider Levels According to Visa and MasterCard Service Provider Levels Service Provider Level Merchant Criteria 1 • All MasterCard Third Party Processors(TPPs) • All VisaNet Processors • Any service provider that stores, processes and/or transmits over 300,000 Visa or MasterCard transactions per year 2 • Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions per year
Validation Requirements According to Visa and MasterCard Service Provider Levels Service Provider Level Validation Validated By 1 • Annual Onsite Assessment • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) 2 • Annual Self-Assessment • Onsite Assessment at Service Provider Discretion • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV)
PCI DSS 3.0 SAQs *Ecommerce Payment Application not outsourced and must be PA-DSS compliant Self-Assessment Questionnaire SAQ Description ASV Scan A Ecommerce Card Not Present – Entire site or payment page is fully outsourced No A-EP Ecommerce Card Not Present – Payment page is partially outsourced or payment page direct post Yes B Face to Face / MOTO with Payment Terminal not connected to Internet No B-IP Face to Face / MOTO with Payment Terminal connected to Internet Yes C-VT Face to Face / MOTO with Internet Virtual Terminal – Segmented and manually keyed (not swiped) No C Face to Face / MOTO / Ecommerce connected to Internet – No CHD Storage* Yes D Face to Face / MOTO / Ecommerce connected to Internet – CHD Storage* Yes HW-P2PE Point of Sale managed with Point to Point Encryption – No CHD Storage No D - SP Level 2 Service Providers - Face to Face / MOTO / Ecommerce Yes
Report on Compliance (ROC) Methodology Annual Scoping Engagement Validation by Assessment Gap Assessment Implement / Remediate PCI DSS Validation and ROC Maintain PCI DSS Compliance INCLUDES FOUR QUARTERLY PASSING ASV SCANS Four Steps to Compliance
PCI DSS 3.0 (Page 10) Annual Scoping Engagement
Annual Scoping Engagement Identify and document the existence of all cardholder Data Accurately Defined & Documented CDE Clear Guidance on how to reduce risk and scope Segmentation Scope Reduction Data Purging
Free Credit card scanning software ccsrch: http://sourceforge.net/projects/ccsrch/ Sensitive Number Finder (SENF): http://www.utexas.edu/its/products/senf/ Spider from Cornell: http://www2.cit.cornell.edu/security/tools/ Scoping
Gap Assessment Offsite Scope Review Delivery of GAP report Pre Visit Document Request & Review Onsite Gap Assessment The PCI DSS GAP Assessment is also an important part of a PCI DSS Report On Compliance Assessment and is actually about 80% of the work necessary to complete the ROC
Implement / Remediate Implement New Technologies Security and Functionality Testing Adjustment of Working Practices Define Policies and Procedures Having identified the PCI DSS gaps in your CDE, create the appropriate remediation plan and implement the technical "compliant" solutions to close those gaps.
The PCI DSS ROC remediation plan should take into account that most QSAs mandate a 60 day window for remediation. Otherwise the merchant would have to re- perform the GAP audit. Additionally the remediation phase should also include any necessary remediation for the annual penetration test, external Approved Scanning Vendor (ASV) scans, and internal vulnerability scans. Implement / Remediate
Compensating Control Litmus Test (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Implement / Remediate
Implement / Remediate
PCI DSS Validation and ROC Review of GAPs and Remediation ROC and AOC Delivery Final Audit with Evaluation of Compensating Controls Generation of Report on Compliance (ROC) With Remediation complete the QSA will now revalidate your CDE and issue a Report on Compliance (ROC).
Chip & PIN– or EMV (Europay, MasterCard, Visa)  Contact and Contactless - Near Field Communication  Required vs. Encouraged  Liability Shift in the U.S. effective October 1, 2015 • Merchants not using EMV will take the financial hit on fraudulent, card- present transactions.  Benefit - Physical Cards are less likely to be used fraudulently.  Benefit – Works well with Mobile Wallets  Compliance Reduction • As of October 2012, if more than 75% of merchant transactions originate from EMV-compliant POS terminals that support both contact and contactless transactions, the merchant may apply for relief from the audit requirement for PCI compliance. Emerging Technologies
Point to Point Encryption  P2PE is not the same as E2EE • P2PE is a subset of E2EE. This is because the major difference between P2PE and E2EE is that P2PE does not allow the merchant to be a manager of the encryption keys.  Benefit • Major PCI DSS Scope Reduction.  Downside • Once you decide on a given P2PE solution, you are pretty much stuck with it and the processor providing it. That is because most processors offering P2PE are only offering one P2PE solution. To change processors you will likely have to replace your terminals and possibly other equipment to switch to the new processor. • Unless a validated solution, it requires Acquiring Bank & QSA approval. Emerging Technologies
Mobile Payments Mobile Payment Applications • 3 categories of Mobile Payment Applications • Only Category 1 (PTS-approved) and 2 (purpose-built and bundled) devices will be considered for PA-DSS. • Category 3 devices (smartphones/iPod touch) are becoming more prominent. Does not mean Category 3 applications cannot be used, but need to be custom built for merchants or delivered as part of a service. The solution provider is responsible for PCI DSS Compliance. PCI SSC published and FAQ for mobile applications • This guide educates merchants on the risk factors that need to be addressed in order to protect card data when using mobile devices to accept payments. Emerging Technologies
Cloud Computing  PCI Compliance is possible, but know what you are getting into  Identify a couple options for Cloud Service Providers (CSP)  Make sure the CSP is PCI validated (Ask for their current AOC)  Insist on getting a responsibility document from the CSP Emerging Technologies
Tokenization A Token is surrogate value which is substituted for the actual data (ex: credit card number) while the actual data is encrypted and stored elsewhere. (Typically with the service provider) Benefits • Reduces Scope of PCI DSS by not storing CHD (Data Devaluation) • Tokens have no value since the original data values cannot be mathematically derived from tokens. Downside • Using payment processor specific tokenization, for instance, locks organizations into a particular payment processor. Emerging Technologies
Thank You! Questions? Mark Akins 1st Secure IT, LLC PCI QSA, CISA, CISSP makins@1stsecureit.com

More Related Content

PPTX
PCI DSS Business as Usual
Kimberly Simon MBA
 
PPTX
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
PCI DSS and PA DSS
Kimberly Simon MBA
 
PDF
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Olivia Grey
 
PPTX
PCI DSS 3.2
Kimberly Simon MBA
 
PDF
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
PDF
1. PCI Compliance Overview
okrantz
 
PPTX
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
PCI DSS Business as Usual
Kimberly Simon MBA
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Anton Chuvakin
 
PCI DSS and PA DSS
Kimberly Simon MBA
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Olivia Grey
 
PCI DSS 3.2
Kimberly Simon MBA
 
Pci ssc quick reference guide
Mohammad Makchudul Alam (Arif)
 
1. PCI Compliance Overview
okrantz
 
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 

What's hot (20)

PDF
PCI-DSS_Overview
sameh Abulfotooh
 
PPTX
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
PDF
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
PDF
Pci standards, from participation to implementation and review
isc2-hellenic
 
PDF
Pci dss v2
LeviKnight
 
PPTX
PCI DSSand PA DSS
Kimberly Simon MBA
 
PPTX
PCI DSS Simplified: What You Need to Know
AlienVault
 
PPTX
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
PDF
PCI DSS Essential Guide
Kim Jensen
 
PPTX
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
PPTX
PCI DSS and PA DSS
Kimberly Simon MBA
 
PPTX
PCI DSS Compliance
Saumya Vishnoi
 
PPT
Experience for implement PCI DSS
Nhat Phan Canh
 
PPTX
An Introduction to PCI Compliance on IBM Power Systems
HelpSystems
 
PDF
Pci dss v3-2-1
leon bonilla
 
PPTX
PCI DSS v3 - Protecting Cardholder data
InMobi Technology
 
PPTX
Introduction to PCI DSS
Saumya Vishnoi
 
DOCX
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
PPTX
Continual Compliance Monitoring
Kimberly Simon MBA
 
PPTX
PCI DSS Business as Usual (BAU)
Kimberly Simon MBA
 
PCI-DSS_Overview
sameh Abulfotooh
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
Pci standards, from participation to implementation and review
isc2-hellenic
 
Pci dss v2
LeviKnight
 
PCI DSSand PA DSS
Kimberly Simon MBA
 
PCI DSS Simplified: What You Need to Know
AlienVault
 
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
PCI DSS Essential Guide
Kim Jensen
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
PCI DSS and PA DSS
Kimberly Simon MBA
 
PCI DSS Compliance
Saumya Vishnoi
 
Experience for implement PCI DSS
Nhat Phan Canh
 
An Introduction to PCI Compliance on IBM Power Systems
HelpSystems
 
Pci dss v3-2-1
leon bonilla
 
PCI DSS v3 - Protecting Cardholder data
InMobi Technology
 
Introduction to PCI DSS
Saumya Vishnoi
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
himalya sharma
 
Continual Compliance Monitoring
Kimberly Simon MBA
 
PCI DSS Business as Usual (BAU)
Kimberly Simon MBA
 
Ad

Similar to SFISSA - PCI DSS 3.0 - A QSA Perspective (20)

PPTX
PCI DSS & PA DSS Version 3.0
ControlCase
 
PDF
PCI DSS and PA DSS Version 3.0 Changes
ControlCase
 
PPTX
PCI DSS & PA DSS Version 3.0 Changes Webinar
ControlCase
 
PDF
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
PPTX
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
PPTX
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
PPTX
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PDF
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
PPTX
Making Compliance Business as Usual
ControlCase
 
PDF
a Guide for quick pci dss and payment security
suridhalder
 
PDF
Credit Card Processing for Small Business
Mark Ginnebaugh
 
PDF
PCI Certification and remediation services
Tariq Juneja
 
PPTX
PCI DSS 4.0 Webinar Final.pptx
ControlCase
 
PPTX
PruebaJLF.pptx
JoseLuna802663
 
PDF
Adventures in PCI Wonderland
Michele Chubirka
 
PPT
Verderber Rothke What’s New With PCI
Ben Rothke
 
PPTX
Payment Card Industry Compliance for Local Governments CSMFO 2009
Donald E. Hester
 
PPTX
Payment Card Acceptance PCI Compliance for Local Governments 2012
Donald E. Hester
 
PPTX
Chapter 15: PCI Compliance for Merchants
Nada G.Youssef
 
PPTX
Securing Your Customers' Credit Card Information
Skoda Minotti
 
PCI DSS & PA DSS Version 3.0
ControlCase
 
PCI DSS and PA DSS Version 3.0 Changes
ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
ControlCase
 
PCI DSS: What it is, and why you should care
Sean D. Goodwin
 
PCI Compliance for Community Colleges @One CISOA 2011
Donald E. Hester
 
Payment Card Industry Introduction CMTA APR 2010
Donald E. Hester
 
Payment Card Industry CMTA NOV 2010
Donald E. Hester
 
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
Making Compliance Business as Usual
ControlCase
 
a Guide for quick pci dss and payment security
suridhalder
 
Credit Card Processing for Small Business
Mark Ginnebaugh
 
PCI Certification and remediation services
Tariq Juneja
 
PCI DSS 4.0 Webinar Final.pptx
ControlCase
 
PruebaJLF.pptx
JoseLuna802663
 
Adventures in PCI Wonderland
Michele Chubirka
 
Verderber Rothke What’s New With PCI
Ben Rothke
 
Payment Card Industry Compliance for Local Governments CSMFO 2009
Donald E. Hester
 
Payment Card Acceptance PCI Compliance for Local Governments 2012
Donald E. Hester
 
Chapter 15: PCI Compliance for Merchants
Nada G.Youssef
 
Securing Your Customers' Credit Card Information
Skoda Minotti
 
Ad

SFISSA - PCI DSS 3.0 - A QSA Perspective

  • 1. A QSA Perspective By Mark Akins, PCI QSA, CISSP, CISA
  • 2. Introduction • 1st Secure IT, LLC is a Qualified Security Assessor Company (QSAC) headquartered in Coral Springs, with offices in Boston and Mexico City. • Qualified Security Assessors are the authority on the PCI Data Security Standard.
  • 3. Agenda PCI Program Overview PCI DSS Introduction What’s New in Version 3.0 PCI DSS Compliance & Validation • Merchant / Service Provider Levels • Self-Assessment Questionnaires • Validation by Assessment (ROC) Scoping Gap Analysis Remediation Emerging Technologies Questions
  • 4. Before 2004, each of the major card brands had their own security program. • Visa US - Cardholder Information Security Program ( CISP ) • MasterCard - Site Data Protection ( SDP ) • Amex - Data Security Operating Policy ( DSOP ) • Discover - Information Security & Compliance ( DISC ) • JCB - Data Security Program ( DSP ) As you can imagine, these disparate programs made compliance difficult for merchants and service providers. PCI Program Overview
  • 5. • PCI DSS version 1 is dated December 2004. • On June 30, 2005, the regulations took effect. • The PCI Security Standards Council came into existence in 2006. • The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards. Current Version of the PCI DSS is 3.0 soon to be 3.1 PCI Program Overview
  • 6. • Although PCI DSS Compliance is universally agreed to and accepted, each of the Card Brands (Visa, MC, Discover, Amex, JCB) still maintain their own compliance programs in accordance with their own security risk management policies for compliance, validation levels and enforcement. • Additionally, each Card Brand has their own penalizing/fining procedures for companies who experience a data breach. PCI Program Overview
  • 7. What are the various PCI programs and how do they relate? PCI Program Overview SOFTWARE DEVELOPERS PCI PA-DSS Payment Application Standard MANUFACTURERS PCI PTS PIN Transaction Security Ecosystem of payment devices, applications, infrastructure and users MERCHANTS & SERVICE PROVIDERS PCI DSS Data Security Standard PCI Security & Compliance
  • 8. PCI Program Overview Acquiring Banks Communicates and educates merchants on PCI DSS and reports merchant levels and compliance status to Card Brands Merchants & Service Providers Responsible for safeguarding credit card data and complying with the PCI DSS PCI Security & Compliance Responsible for enforcing and monitoring merchant compliance with the PCI DSS Responsible for managing the various PCI programs and certifying QSAs Who is responsible for PCI Compliance?
  • 9. PCI DSS Introduction What is PCI DSS? • PCI DSS stands for Payment Card Industry Data Security Standard. This standard is a set of controls used to protect Cardholder Data when stored processed or transmitted. • Defined and evolved by the Payment Card Industry Security Standards Council (PCI SSC) with input from the Card Brands and participating organizations. • The current version is 3.0 but expecting emergency revision to 3.1 due to flaws in SSLv3 (Poodle).
  • 10. PCI DSS Introduction What is PCI DSS? • All entities (merchants, processors, acquirers, issuers, or service providers) that store, process or transmit cardholder data are required to comply with the PCI DSS. • Standards are on a 3 year Lifecycle. • Version 3.0 was published in November 2013. • 2014 was a Transition year and 2016 is the final year for PCI 3.0 • 2016 is also a Transition year and the new 4.0 standard should be published in November of this year.
  • 11. PCI DSS Introduction What is Cardholder Data (CHD)? Primary Account Number (PAN) Expiration Date Chip / Magnetic Strip Data CAV2/CVC2/CVV2 Security Code Cardholder Name
  • 12. PCI DSS Introduction Can I store Cardholder Data (CHD)? Data Element Storage Permitted Protection Required Cardholder Data Primary Account Number (PAN) Yes Yes Cardholder Name Yes *Yes Service Code Yes *Yes Expiration Date Yes *Yes Sensitive Authentication Data Full Magnetic Stripe or Equivalent Chip Data No N/A CAV2/CVC2/CVV2/CID No N/A PIN/PIN Block No N/A * These data elements must be protected if stored in conjunction with the PAN.
  • 13. PCI DSS Introduction Is PCI Compliance a Law?  In 2007 Minnesota established the “Plastic Card Security Act” which states that any company that is breached and is found to have been storing “prohibited” PCI Sensitive Authentication Data (e.g., magnetic stripe , CVV codes, track data etc.) are required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits.  Massachusetts introduced a law, 201 CMR 17.00, which pulls some important concepts from the PCI DSS. For example, the law has requirements around limiting data collected, requiring written security policies and data encryption. This law applies to any company who has customer data (or handles it) from customers based in Massachusetts.
  • 14. PCI DSS Introduction Is PCI Compliance a Law?  In 2010 Washington State established “Wash. H.B. 1149” which amended the Washington’s breach notice law. Similar to the Minnesota Plastic Card Security Act as it provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach. • In 2009 Nevada amended its data privacy law and passed Senate Bill 227 (SB 227). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts.
  • 15. PCI DSS Introduction PCI DSS 3.0 Pyramid
  • 16. PCI DSS Introduction PCI DSS has Control Objectives 1) Build and Maintain a Secure Network 2) Protect Card Holder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy
  • 17. PCI DSS Introduction PCI DSS has 12 Requirements 1) Install and Maintain a firewall configuration to protect CHD  Firewall and Router configuration standards  Review Network Diagram  Firewall and Router connections are restricted (inbound/outbound traffic)  No direct internet connection to CHD (DMZ) 2) Do not use vendor-supplied defaults for system passwords and other security parameters  Attempt to sign on with defaults  Hardening standards and system configuration  Non-console admin access is encrypted
  • 18. PCI DSS Introduction PCI DSS has 12 Requirements 3) Protect stored CHD  Retention Policy and Procedures  Quarterly process for deleting stored CHD  Sample incoming transactions, logs, history & trace files, database schemas and content  Do not store full track, CVV or PIN  Render PAN unreadable (mask/truncate)  Encryption and key management 4) Encrypt transmission of CHD across open, public networks  Verify encryption and encryption strength (No SSL3)  Verify wireless is industry best practice (no WEP)
  • 19. PCI DSS Introduction PCI DSS has 12 Requirements 5) Protect all systems against malware and regularly update anti-virus software or programs  All system have AV (Linux Malware Review)  AV is current, actively running and logging 6) Develop and maintain secure systems and applications  Configuration change management  Patch management – current within one month  ID new security vulnerabilities with risk rating  Custom code is reviewed prior to release  Change management process  Developers are trained in secure coding techniques
  • 20. PCI DSS Introduction PCI DSS has 12 Requirements 7) Restrict access to CHD by need-to-know  Review access policies  Confirm access rights and controls for privileged users  Confirm access controls default with “deny-all” 8) Identify and authenticate access to system components  Verify all users have a unique ID  Verify authentication with ID/PW combination  Verify two-factor (MFA) authentication for remote access  Verify terminated users are deleted  Inspect configurations for PW controls
  • 21. PCI DSS Introduction PCI DSS has 12 Requirements 9) Restrict physical access to CHD  Access to computer rooms and data centers  Video cameras are in place and video is secure  Network jacks are secure – not in visitor area  Process for assigning badges  Storage locations are secure (offsite media) 10) Track and monitor all access to network resources  Review audit trails – actions, time, date, user, etc.  Time server updates and distribution  Process to review security logs
  • 22. PCI DSS Introduction PCI DSS has 12 Requirements 11) Regularly test security systems and processes  Test for wireless access points  Internal and external network vulnerability scans  Internal and external penetration testing annually  File integrity monitoring tools are used 12) Maintain a policy that addresses information security  Policies are reviewed at least annually  Explicit approval is required for access  Auto disconnect for inactivity-internal and remote  Security awareness program is in place  Risk Assessment and Incident Response Plan
  • 23. Organization of Changes Additional Guidance Clarifications Evolving Requirements What’s New in Ver. 3.0
  • 24. Additional Guidance: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. Only 1 update fell into this category (ASV Scanning) Allows multiple scan reports to be merged together to obtain a compliant scan What’s New in Ver. 3.0
  • 25. Clarifications: 116 of the changes to the PCI DSS fell into this category. There were 25 requirements that were re-ordered. 1 requirement was collapsed and combined with another. There were 63 language changes and 9 Testing procedure changes. Additionally there were 6 New Sub- Requirements added to clarify the intent of 4 upper level requirements: What’s New in Ver. 3.0
  • 26. Evolving Requirements: These changes are designed to keep the Standards fresh to emerging threats or changes in Technology. There were 24 total changes with 18 new requirements in this category. What’s New in Ver. 3.0
  • 27. Evolving Requirements: Policies, Procedures & Training for protecting Card swipe devices (4 New Requirements) (6/30/2015) Protect card swipe devices from tampering or substitution Maintain an up-to-date list of card swipe devices Periodically inspect devices to detect tampering or substitution Train personnel to be aware of tampering scenarios What’s New in Ver. 3.0
  • 28. Evolving Requirements: Enhancement of Penetration Testing to include a methodology and testing of Network Segmentation (2 New Requirements) (6/30/2015) Must have a defined methodology that is based on an industry best practice, covers the entire cardholder data environment, includes testing from inside, outside, network and application perspectives, performed at least annually and takes into account new vulnerabilities and threats since the last test If Network segmentation is used to reduce scope the penetration test must validate that the segmentation methods are operational and effective What’s New in Ver. 3.0
  • 29. Evolving Requirements: Enhancement of Service Provider management (6/30/2015) (2 New Requirements) Must acknowledge in writing to their customers that they are responsible for the security of cardholder data that they transmit, process or store on behalf of the customer or to the extent that they could impact the security of the customers cardholder data environments identify which requirements the Service Provider is managing and which the Entity is managing (Requirements Matrix) What’s New in Ver. 3.0
  • 30. The Compliance road map is determined based on the merchant or service providers “Level” The merchant or service providers “Level” is based on the cardholder transaction volume within a 12-month period All merchants will fall into one of four merchant levels All service providers will fall into one of two service provider levels Merchant / Service Provider Levels
  • 31. Merchant Levels According to Visa and MasterCard Merchant Levels Merchant Level Merchant Criteria 1 • Any merchant that has suffered a hack or an attack that resulted in an account data compromise • Any merchant having more than six million total combined Visa, MasterCard and Maestro transactions annually • Any merchant that Visa or MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system 2 • Any merchant with more than one million but less than or equal to six million total combined Visa, MasterCard and Maestro transactions annually 3 • Any merchant with more than 20,000 combined Visa, MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually 4 • All other merchants
  • 32. Validation Requirements According to Visa and MasterCard Merchant Levels Merchant Level Validation Validated By 1 • Annual Onsite Assessment • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) 2 • Annual Self-Assessment • Onsite Assessment at Merchant Discretion • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) • Internal Auditor (ISA) 3 • Annual Self-Assessment • Quarterly Network Scan conducted by an ASV • Merchant or QSA • Approved Scanning Vendor (ASV) 4 • Annual Self-Assessment • Quarterly Network Scan conducted by an ASV • Merchant or QSA • Approved Scanning Vendor (ASV)
  • 33. Service Provider Levels According to Visa and MasterCard Service Provider Levels Service Provider Level Merchant Criteria 1 • All MasterCard Third Party Processors(TPPs) • All VisaNet Processors • Any service provider that stores, processes and/or transmits over 300,000 Visa or MasterCard transactions per year 2 • Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions per year
  • 34. Validation Requirements According to Visa and MasterCard Service Provider Levels Service Provider Level Validation Validated By 1 • Annual Onsite Assessment • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) 2 • Annual Self-Assessment • Onsite Assessment at Service Provider Discretion • Quarterly Network Scan conducted by an ASV • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV)
  • 35. PCI DSS 3.0 SAQs *Ecommerce Payment Application not outsourced and must be PA-DSS compliant Self-Assessment Questionnaire SAQ Description ASV Scan A Ecommerce Card Not Present – Entire site or payment page is fully outsourced No A-EP Ecommerce Card Not Present – Payment page is partially outsourced or payment page direct post Yes B Face to Face / MOTO with Payment Terminal not connected to Internet No B-IP Face to Face / MOTO with Payment Terminal connected to Internet Yes C-VT Face to Face / MOTO with Internet Virtual Terminal – Segmented and manually keyed (not swiped) No C Face to Face / MOTO / Ecommerce connected to Internet – No CHD Storage* Yes D Face to Face / MOTO / Ecommerce connected to Internet – CHD Storage* Yes HW-P2PE Point of Sale managed with Point to Point Encryption – No CHD Storage No D - SP Level 2 Service Providers - Face to Face / MOTO / Ecommerce Yes
  • 36. Report on Compliance (ROC) Methodology Annual Scoping Engagement Validation by Assessment Gap Assessment Implement / Remediate PCI DSS Validation and ROC Maintain PCI DSS Compliance INCLUDES FOUR QUARTERLY PASSING ASV SCANS Four Steps to Compliance
  • 37. PCI DSS 3.0 (Page 10) Annual Scoping Engagement
  • 38. Annual Scoping Engagement Identify and document the existence of all cardholder Data Accurately Defined & Documented CDE Clear Guidance on how to reduce risk and scope Segmentation Scope Reduction Data Purging
  • 39. Free Credit card scanning software ccsrch: http://sourceforge.net/projects/ccsrch/ Sensitive Number Finder (SENF): http://www.utexas.edu/its/products/senf/ Spider from Cornell: http://www2.cit.cornell.edu/security/tools/ Scoping
  • 40. Gap Assessment Offsite Scope Review Delivery of GAP report Pre Visit Document Request & Review Onsite Gap Assessment The PCI DSS GAP Assessment is also an important part of a PCI DSS Report On Compliance Assessment and is actually about 80% of the work necessary to complete the ROC
  • 41. Implement / Remediate Implement New Technologies Security and Functionality Testing Adjustment of Working Practices Define Policies and Procedures Having identified the PCI DSS gaps in your CDE, create the appropriate remediation plan and implement the technical "compliant" solutions to close those gaps.
  • 42. The PCI DSS ROC remediation plan should take into account that most QSAs mandate a 60 day window for remediation. Otherwise the merchant would have to re- perform the GAP audit. Additionally the remediation phase should also include any necessary remediation for the annual penetration test, external Approved Scanning Vendor (ASV) scans, and internal vulnerability scans. Implement / Remediate
  • 43. Compensating Control Litmus Test (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Implement / Remediate
  • 45. PCI DSS Validation and ROC Review of GAPs and Remediation ROC and AOC Delivery Final Audit with Evaluation of Compensating Controls Generation of Report on Compliance (ROC) With Remediation complete the QSA will now revalidate your CDE and issue a Report on Compliance (ROC).
  • 46. Chip & PIN– or EMV (Europay, MasterCard, Visa)  Contact and Contactless - Near Field Communication  Required vs. Encouraged  Liability Shift in the U.S. effective October 1, 2015 • Merchants not using EMV will take the financial hit on fraudulent, card- present transactions.  Benefit - Physical Cards are less likely to be used fraudulently.  Benefit – Works well with Mobile Wallets  Compliance Reduction • As of October 2012, if more than 75% of merchant transactions originate from EMV-compliant POS terminals that support both contact and contactless transactions, the merchant may apply for relief from the audit requirement for PCI compliance. Emerging Technologies
  • 47. Point to Point Encryption  P2PE is not the same as E2EE • P2PE is a subset of E2EE. This is because the major difference between P2PE and E2EE is that P2PE does not allow the merchant to be a manager of the encryption keys.  Benefit • Major PCI DSS Scope Reduction.  Downside • Once you decide on a given P2PE solution, you are pretty much stuck with it and the processor providing it. That is because most processors offering P2PE are only offering one P2PE solution. To change processors you will likely have to replace your terminals and possibly other equipment to switch to the new processor. • Unless a validated solution, it requires Acquiring Bank & QSA approval. Emerging Technologies
  • 48. Mobile Payments Mobile Payment Applications • 3 categories of Mobile Payment Applications • Only Category 1 (PTS-approved) and 2 (purpose-built and bundled) devices will be considered for PA-DSS. • Category 3 devices (smartphones/iPod touch) are becoming more prominent. Does not mean Category 3 applications cannot be used, but need to be custom built for merchants or delivered as part of a service. The solution provider is responsible for PCI DSS Compliance. PCI SSC published and FAQ for mobile applications • This guide educates merchants on the risk factors that need to be addressed in order to protect card data when using mobile devices to accept payments. Emerging Technologies
  • 49. Cloud Computing  PCI Compliance is possible, but know what you are getting into  Identify a couple options for Cloud Service Providers (CSP)  Make sure the CSP is PCI validated (Ask for their current AOC)  Insist on getting a responsibility document from the CSP Emerging Technologies
  • 50. Tokenization A Token is surrogate value which is substituted for the actual data (ex: credit card number) while the actual data is encrypted and stored elsewhere. (Typically with the service provider) Benefits • Reduces Scope of PCI DSS by not storing CHD (Data Devaluation) • Tokens have no value since the original data values cannot be mathematically derived from tokens. Downside • Using payment processor specific tokenization, for instance, locks organizations into a particular payment processor. Emerging Technologies
  • 51. Thank You! Questions? Mark Akins 1st Secure IT, LLC PCI QSA, CISA, CISSP makins@1stsecureit.com