Issuer's Story - PCI Congress London, 23 Jan 2014
TRANSCRIPT
AN ISSUER'S STORY: KEEPING A HOLISTIC PCI COMPLIANCE APPROACH ALIVE
Patrick Wheeler, P.E. - Architecture, Consultancy & Risk Assessment
23 Jan 2014, v1.1
Background - BIO
• Patrick Wheeler has been involved in IT consulting, business, engineering and security for over 20 years. He has a Bachelor's (BSEE) and an MBA and is a registered professional engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, Operations Director and VP of Operations.
• His business, IT and best-practices focus is on audit, risk and compliance, including PCI and security program management as well as internal and external financial and technology audits and security reviews. With a legal support background he has served as an expert witness to courts on various aspects of best practices and industry standards.
• He has been involved in many industries, from government agencies, financial services and banking through fashion and retail and technology startups. Prior to moving to Europe, where he consults in the security field, he served in California's Silicon Valley specializing in security, compliance and operational efficiency topics.
• Personal interests include driving old cars too fast while taking photographs (in a well controlled secure environment). Oh, and waterwheels …
Andre Van Bever ©
Quantum Inserts:
kpatrickwheeler@yahoo.com
Agenda – PCI from an Issuer’s Perspective
DISCLAIMER - Doing the Necessary
• This is an effort to share one person's experience in this field in the hopes it helps us all…
• These are largely my opinions (except where they are not)…
• These are not the opinions of my employer (except where they are)…
• I may make mistakes and be factually incorrect (except where I ain't & don't)…
• If I appropriated your images, my thanks (and apologies if I misuse, offend or fail to attribute)…
• Patience please:
  • I will attempt to speak quickly…
  • I use a lot of analogies and esoteric references…
  • I apologize in advance if I stutter or stumble a little bit…
Please let me know afterwards if I can clarify anything… you can usually find me wherever someone is serving food.

• PCI as a Framework
  - Setting ourselves in context
  - Setting ourselves up for success
  - Selling / Framing / Evolving
• Off-Book Benefits
• Some of the Opportunities
  - Getting plenty of 'C level' support
  - With friends like these
… an 'enterprise' that offers a comprehensive package of financial services to private and professional clients, wealthy individuals, corporate clients, public entities and financial institutions through a multi-channel network.
Key Figures
• 34,000 employees
• More than 15,000 corporate customers
• 1,286 branches
• 1.2 million active users of internet banking
• 3,950 ATMs
Source: http://www.bnpparibas.com/en/about-us/core-businesses/retail-banking/retail-banking-belgium
Issuer's Security Architect's Simplification (diagram of the parties in the card payment ecosystem; labels recovered from the slide):
• Issuing Banks
• Acquiring Banks
• Brick and Mortar Merchants (Card Present); Unattended Payment (Card Present)
• Internet: Card Not Present / E-Commerce
• Processors / Service Providers
• PCI Council / Payment Brands
• Regulators / Commission / EU
• 3D Secure ACS Clients / Customers
• ATMs
• A Belgian Historical Footnote
Cards - A letter of credit by 'me'
• ~1888 or 1890, J. C. Fargo took a trip to Europe and returned frustrated and infuriated. … As president of American Express he carried traditional letters of credit, but it was difficult to obtain cash anywhere except in major cities … He introduced the American Express Traveler's Cheque, which was launched in 1891 in denominations of $10, $20, $50, and $100. (according to popular myth, press and Wikipedia)
• 1958 BankAmericard introduced in California, which is to become VISA
• 1958 American Express Credit Card introduced in New York
• 1961 Japan Credit Bureau established
• 1966 Interbank Card Association founded, which is to become MasterCard
• 2003 California enacts notification rule for private data breaches, SB1386
• 2004-6 Credit card companies merged their individual security programs to create the Payment Card Industry Security Standards Council (PCI)
It is the fault of the Americans (and Japanese)
Setting it up … Based on Verbal Interviews …
GAP Analysis Results - Summary Statistics

Gap counts by domain; columns 1-6 are the six milestones of the PCI DSS Prioritized Approach, and the cells sum to the 319 gaps identified:

Domain                     1    2    3    4    5    6
Acquiring (ATM)            7   11   15   34    8   16
Issuing (Prod/CMS)         6    6   13   24    4   15
Card not Present (3DS)     3    3   13   24    2   11
Transversal (I&O+ISRM)     2   25    6   29   13   29

319 Gaps Identified; 28% Estimated Compliant *
* per discussion Colin Whitaker: major UK retail bank with mature PCI program reports 33% compliancy to date

Control areas assessed: Data Flow, Cryptography, Network Segmentation, Virus Software, Data Storage, Secure Software Development, Intrusion Detection, Access Controls, Audit Trails, Configuration Hardening, Standards, Policies & Frameworks, Scanning

Remediation Tracks (12 Remediation Tracks over 30 Months):
• Possible PCI Violation Finding / Reporting Deadline Set / Potential Data Breach
• Gap Remediation Planning / PIN Self Assessment / 3DS Audit
• VISA Year End Letter / PCI 'Program'
• BNPP Group 3rd Parties
• Threat Portfolio
• ADM leads 2 Highest Priority & 1 Average Priority projects; I&O leads 3 High & 4 Average Priority projects; ISRM leads 2 Average Priority projects

Overall Status (Gap Analysis tracks shown at 100%; Prioritized Approach % Complete; Status Overall 3x%)
Framing - An approach
Card Standards - Payment Card Industry: Security Standards
In 2004/6 credit card brands merged individual security programs to create the Payment Card Industry Security Standards Council (PCI), which created the various Security Standards.
Initially targeted at Merchants and Payment Processors.
• http://xkcd.com/927/
• https://www.pcisecuritystandards.org/
Compliance is Not a Security Strategy (but it is d**n important)
• Good Security leads to compliance, not vice versa…
• Good Security Management along industry-standard principles is a strong basis for compliance
• Easy to map ISO/COBIT/ITIL/PCI
• PCI is a very specific low-level list of requirements
Frameworks on the slide: ISO / NIST, ITIL, COBIT, ISO:27000, CMMI, PCI … have we any more CAPITAL letters to add?
Layers on the slide: Architectural Principles, Op'l Policies, Infra & AppDev Procedures, ROC/SAQ (? ? ? ? ?)
D**n = d a r n
Principles - Taking advantage of our unique position:
• No FIXED 'certification' date
• Adopt controls more broadly where it brings security benefit (expand, not reduce, scope)
• Prioritised / Risk Based approach
• Enterprise approach - no wasted effort / re-use existing solutions (adopt/adapt/build)
Organisational Matters
• Everyone engaged and accountable
• Different Métiers accountable for specific deliverables, with everyone primarily responsible for something
• Business led and directed
• A little bit subversive
Notable 'off-book' successes
• Cryptography - Setting up a Services Framework
• Secure Software Development - Revamping a framework
• Data Centricity - Tangible example of data as a valuable asset
• Emerging EU Data Privacy Directive / Belgian Privacy Commission (ahead of the curve)
• New Cross-Departmental Ways of Working (silo-busting)
• Making Enterprise Security Tangible for a wide spectrum of business (and IT)
Opportunities
'C' Level Extremely Supportive -
• Pace of change expectations
• Scope 'management' and band-wagonning
• Budgets and haircuts
• Quality of deliverables and mid-management reviews
Staff Turnover
• Has been beneficial for some careers
Legal / Compliance & Audit
• Learning to share a language with legal
• Permanent controls
• Getting ahead of audits where possible
My lessons learned
"… 'X' is a BaFin regulated and monitored payment institute; there is no need for any auditing at 'X' premises and 'X' is not authorized to allow such audits (e.g. PCI-DSS) …"
http://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2013/fa_bj_2013_11_it_sicherheit_en.html
(Not) Sun Tzu: Keep your friends close, but your enemies closer …
Comments? Thoughts? Questions? - InfoSec Bingo …
'Buzzword Bingo'… How did I do?
• personal plug
• corporate plug
• confused slides
• unrelated images
• xkcd
• cryptography
• lolcat(s)
• Sun Tzu
• small snippet of useful information