PCI Compliance: Delving Deeper in the Standard
DESCRIPTION
Presentation on the PCI DSS in greater depth.
TRANSCRIPT
PCI Compliance: Delving Deeper in the Standard
John Bedrick, AccuCode
Agenda
• About AccuCode
• Payment Card Industry Data Security Standard (PCI DSS) Schedules
• Merchant Levels and Validation Requirements
• PCI DSS Requirements
• Where To Start
• PCI DSS Self-Assessment Questionnaires (SAQ)
• Continuous Compliance
• PCI DSS: Validation Actions
• Overcoming the Top PCI DSS Challenges
• PCI DSS: The Top Violations and Basic Remediation Strategies
• AO:Compliance™ and Next steps on the road to becoming PCI Compliant
• Questions and Answers
AccuCode the Company
• Founded 1995
• VAR, Professional & Managed Services, Commercial Software Products
• National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
• Fastest Growing Privately Held Company in the U.S.
• Trusted Advisor Delivering Guaranteed Outcomes
AccuCode Customers & Partners
AccuCode has hundreds of customers & thousands of end-users!
(Customer and partner logos by sector: Partners, Manufacturing, Retail, Transportation)
PCI DSS Schedules
Schedule - Version 2.0 PCI DSS & PA-DSS
October 28, 2010 – 2.0 Released
January 1, 2011 – 2.0 Effective
December 31, 2011 – 1.2.1 Retired
July 1, 2012 – Risk Ranking (6.2) sunrise
Merchant Levels and Validation Requirements
The Mandate: Merchant Levels Defined (Visa, MasterCard, Discover & JCB)
Level 1: Merchants processing over 6 million transactions annually on one or more card brands individually.*
  Requirements: annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance (AOC) form.
Level 2: Merchants processing between 1 million and 6 million transactions annually on one or more card brands individually.*
  Requirements: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; AOC form.
Level 3: Merchants processing between 20,000 and 1 million transactions annually on one or more card brands individually.*
  Requirements: annual SAQ; quarterly network scan by an ASV; AOC form.
Level 4: Merchants processing fewer than 20,000 transactions annually on one or more card brands individually.*
  Requirements: annual SAQ; quarterly network scan by an ASV; any further requirements are set by the acquirer.
*Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.
The Mandate: Merchant Levels Defined (American Express)
Level 1: Merchants processing over 2.5 million transactions annually.*
  Requirements: annual Report on Compliance by a QSA; quarterly network scan by an ASV; AOC form.
Level 2: Merchants processing between 50,000 and 2.5 million transactions annually.*
  Requirements: annual SAQ; quarterly network scan by an ASV; AOC form.
Level 3**: Merchants processing fewer than 50,000 transactions annually.*
  Requirements: annual SAQ; quarterly network scan by an ASV; AOC form.
*Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX.
**Compliance at this level is strongly suggested, but not mandated.
PCI DSS Requirements
Six Goals, Twelve Requirements
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for employees and contractors
PCI DSS Requirements - Summary
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Where to Start
Steps to Validate PCI Compliance
1. Identify your validation type
   • This determines which Self-Assessment Questionnaire (SAQ) you complete
2. Complete the appropriate SAQ
3. Complete and provide evidence of a passing vulnerability scan
   • This scan must be completed by a PCI SSC Approved Scanning Vendor (ASV)
   • Scanning applies to any merchant electronically storing cardholder data or with processing systems that have Internet connectivity
4. Complete the relevant Attestation of Compliance (AOC)
   • Located in the SAQ
5. Submit the SAQ, AOC and any other requested documents to your bank/acquirer
PCI DSS Self-Assessment Questionnaires (SAQ)
SAQ 1.2
SAQ version (number of questions) / validation type / description of subject merchant
SAQ 1.2 A (13 questions), validation type 1: Card-not-present merchants only, who outsource all parts of the card transaction. Data is only kept in paper reports.
SAQ 1.2 B (27 questions), validation type 2: The merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.
SAQ 1.2 B (27 questions), validation type 3: Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO Internet connection and no data is stored electronically.
SAQ 1.2 C (41 questions), validation type 4: The payment application is connected to the Internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application comply with security best practices.
SAQ 1.2 D (222 questions), validation type 5: Any merchant that does not fit any of the above categories, and any eligible service provider.
Continuous Compliance
Challenges
• The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure
• Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit
• PCI DSS is a baseline for security, not the pinnacle
• Many merchants make a last-minute "rush to compliance" in order to satisfy audit criteria
• This last-minute rush may produce a perfect compliance snapshot, but not ongoing security
Continuous Compliance
The PCI DSS helps businesses address security and risk. Merchants should:
• Know their risk profile and level of compliance daily
• Be ready to adapt to any requirement changes
• Ensure employees are following security policies at all times
Assessment → Compliance → Maintaining Compliance
Creating Continuous Compliance
The process of compliance is ongoing:
1. Assess
   • Identify gaps
   • Inventory IT assets and business processes for payment cards
2. Remediate
   • Fix vulnerabilities
3. Report
   • Submission of paperwork/records to the proper groups, such as acquiring banks
   • Paperwork includes audit results, such as the Report on Compliance (ROC) or SAQ
   • Submit the appropriate AOC form
Assess → Remediate → Report (and back to Assess)
How to Assess
• Study the PCI DSS standard
• Inventory IT assets and processes
  • Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data
• Identify vulnerabilities
  • Your SAQ guides the assessment
• Validate with third-party experts
  • Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment
How to Remediate
Remediation is the process of fixing vulnerabilities and may include:
• Network scans to analyze infrastructure and identify known vulnerabilities
• Review and remediation of vulnerabilities uncovered by an on-site assessment or the SAQ process
• Prioritizing remediation from the most serious finding to the least serious
• Patches, fixes and any changes to processes and workflow
• Re-scanning to confirm remediation
How to Report
• Conduct regular vulnerability scanning
  • Merchants in scope for scanning need to submit quarterly scan reports completed by an approved ASV
• Some businesses may need to enlist a QSA to conduct an annual on-site assessment
• Each payment brand has its own reporting guidelines
PCI DSS: Validation Actions
Merchant & Service Provider Levels & Validation Actions
Validation actions per row: QSA on-site security audit | Network scans | Self-Assessment Questionnaire | Validate 3rd-party payment application

Merchants
Level 1: Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any merchant that suffered a security breach resulting in an account compromise.
  QSA on-site audit: Required annually | Network scans: Required quarterly | SAQ: not required | 3rd-party payment application: Required *
Level 2: Any merchant processing between 1 million and 6 million transactions per year.
  QSA on-site audit: Required annually after June 30, 2011 ** | Network scans: Required quarterly | SAQ: Required annually ** | 3rd-party payment application: Required *
Level 3: Any merchant processing between 20,000 and 1 million transactions per year.
  QSA on-site audit: not required | Network scans: Required quarterly | SAQ: Required annually | 3rd-party payment application: Required *
Level 4: All other merchants not in Levels 1 to 3, regardless of acceptance channel.
  QSA on-site audit: not required | Network scans: Required quarterly | SAQ: Required annually | 3rd-party payment application: Required *

Service Providers
Level 1: All 3rd-party processors and all data storage entities that store, transmit or process more than 300,000 transactions per year.
  QSA on-site audit: Required annually | Network scans: Required quarterly | SAQ: not required | 3rd-party payment application: Required *
Level 2: All data storage entities that store, transmit or process fewer than 300,000 transactions per year.
  QSA on-site audit: not required | Network scans: Required quarterly | SAQ: Required annually | 3rd-party payment application: Required *

* = Any merchant or service provider using 3rd-party payment applications is required to validate compliance or use an approved PCI DSS payment application.
** = Required annually after June 30, 2011
Checklist for Continuous Compliance
Don't just "get" compliant, stay compliant:
• Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies
• Establish a cycle of risk management analysis and response
• Continue to reduce scope where possible
• Work towards making the process of staying compliant easier
• Compliance is the baseline for your information security program
Overcoming the Top PCI DSS Challenges
Requirement 1: Install and maintain a firewall to protect cardholder data
• Firewalls are the locks on doors
• Firewall configurations must prohibit unauthorized access to system components in the cardholder data environment
• Deny all connections in and out not specifically required for business functionality
• Install personal firewall software on each mobile and/or employee-owned computer that has direct connectivity to the public Internet and is used to access the cardholder data environment
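The deck's "deny all connections in and out not specifically required" bullet, together with the rule-set review PCI DSS 1.1.6 asks for every six months, is something a script can check rather than a person eyeballing a rule dump. The following is an added example and is not code from the AccuCode deck or the AO:Compliance product: a review of a constructed iptables-save dump for a CDE host. The subnets, ports and the business-justification table are assumptions made for the example.

```python
"""Added example (not from the AccuCode deck): review an iptables rule set
against Requirement 1's 'deny all traffic not specifically required'.

Input is a constructed iptables-save dump for a CDE host. Findings:
  DEFAULT_NOT_DENY   a built-in chain whose policy is not DROP
  ANY_SOURCE         an ACCEPT rule with no -s restriction (or 0.0.0.0/0)
  UNJUSTIFIED_PORT   an ACCEPT rule for a port with no documented business need
Subnets, ports and the justification table are constructed for the example.
"""
import re

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.20.2.5/32 -p tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

# Constructed business-justification list (Req 1.1.5): (proto, port) -> reason
JUSTIFIED = {
    ("tcp", 22): "admin SSH from the jump-host subnet only",
    ("tcp", 5432): "POS application server to the card database",
}

POLICY_RE = re.compile(r"^:(\w+) (\w+) ")
RULE_RE = re.compile(r"^-A (\w+) (.*) -j (\w+)$")


def _opt(opts, flag):
    """Return the value following an iptables flag in a rule, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r" (\S+)", opts)
    return m.group(1) if m else None


def parse_rules(dump):
    """Split an iptables-save dump into chain policies and per-rule dicts."""
    policies, rules = {}, []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            chain, opts, target = m.groups()
            rules.append({"chain": chain, "opts": opts, "target": target,
                          "src": _opt(opts, "-s"), "proto": _opt(opts, "-p"),
                          "dport": _opt(opts, "--dport")})
    return policies, rules


def audit(dump, justified=JUSTIFIED):
    """Return a list of (finding, detail, rule) tuples for the dump."""
    policies, rules = parse_rules(dump)
    findings = []
    # Default-deny "in and out": INPUT, FORWARD and OUTPUT all need DROP.
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(("DEFAULT_NOT_DENY", chain, policies.get(chain)))
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        # Loopback and replies to established sessions are expected exceptions.
        if "-i lo" in r["opts"] or "--ctstate" in r["opts"]:
            continue
        if r["src"] in (None, "0.0.0.0/0"):
            findings.append(("ANY_SOURCE", r["dport"], r["opts"]))
        if r["dport"] and (r["proto"], int(r["dport"])) not in justified:
            findings.append(("UNJUSTIFIED_PORT", r["dport"], r["opts"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the constructed dump the review reports the FORWARD and OUTPUT chains for not defaulting to DROP, and the RDP (3389) and 8080 rules twice each: once because they accept from any source and once because nobody has written down why they exist. The justified-port table is the artifact an assessor will ask for; keeping it beside the rule set is what turns this from a one-off script into the six-monthly review.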
Overcoming the Top PCI DSS Challenges
Requirement 2: Do not use vendor-supplied defaults
• In 2010, 88% of our cases found third-party vendors introduced security vulnerabilities, likely due to vendor-supplied passwords
• Choose a vendor with a solid security history
• Monitor all vendors to ensure they follow best security practices
• Make sure contracts with vendors also include security control requirements and acceptance of responsibility for loss of CHD in their custody
Overcoming the Top PCI DSS Challenges
Requirement 3: Protect stored data
• The PAN (primary account number) must be unreadable anywhere it is stored, including:
  • On backup media
  • In logs
  • On portable digital devices
  • And, under Requirement 4, while it crosses wireless and public networks
• To render the PAN unreadable, use:
  • Truncation (keep no more than the first six and last four digits)
  • Strong one-way hash functions computed over the entire PAN (an unsalted hash of a PAN whose first six and last four digits are also stored is brute-forceable, so hashed and truncated copies of the same PAN must not be correlatable)
  • Strong cryptography, with the keys managed separately from the data
• Better yet, get rid of it; you probably don't need it!
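The three options above, and the reason the hash-next-to-truncation caveat matters, are easier to see in code than in a bullet. The following is an added example, not code from the AccuCode deck or the AO:Compliance product. It uses the well-known industry test card numbers (4111... and 3782...), not real accounts, and the log lines, key and field names are constructed for the example.

```python
"""Added example (not from the AccuCode deck): rendering the PAN unreadable.

Implements the deck's options for Requirement 3 on constructed test card
numbers (the well-known 4111... and 3782... test values, not real accounts):
truncation to first six / last four, a keyed one-way hash, scrubbing of PANs
that leaked into constructed log lines, and a brute force showing why an
unsalted hash must not sit next to a truncated copy of the same PAN.
"""
import hashlib
import hmac
import re


def luhn_ok(digits):
    """Luhn checksum used by the card brands; filters false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Truncation: keep no more than the first six (BIN) and last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash over the entire PAN. The key (assumption: held in a
    key vault or HSM, never beside the data) is what defeats the enumeration
    in crack_unsalted()."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unsalted_sha256(pan):
    """The weak form: a plain, unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in
# a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_line(line):
    """Replace every Luhn-valid PAN in a log line with its truncated form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, line)


def crack_unsalted(truncated, digest):
    """Recover a PAN from its truncated form plus an unsalted SHA-256 of the
    full PAN: only the hidden middle digits are unknown (10**6 candidates for
    a 16-digit PAN, about a tenth of them Luhn-valid), so this finishes in
    seconds on a laptop. Returns the PAN, or None if nothing matches."""
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for n in range(10 ** hidden):
        cand = "%s%0*d%s" % (first6, hidden, n, last4)
        if luhn_ok(cand) and unsalted_sha256(cand) == digest:
            return cand
    return None


# Constructed log lines: a PAN leaked by a POS debug log, one written with
# spaces, and an order number that is not Luhn-valid and must be left alone.
SAMPLE_LOG = [
    "2011-03-02 10:41:07 POS-07 sale approved card=4111111111111111 amt=42.10",
    "2011-03-02 10:41:09 POS-07 swipe raw='4111 1111 1111 1111' exp=12/13",
    "2011-03-02 10:41:12 POS-07 order 1234567890123 shipped",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line))
    pan = "4111111111111111"
    print("recovered:", crack_unsalted(truncate_pan(pan), unsalted_sha256(pan)))
```

The scrubber is the piece to put in front of any log pipeline that touches POS or payment-application output; the Luhn filter keeps order numbers and timestamps intact while the card number in the debug line becomes 411111XXXXXX1111. The brute force is the argument for hash_pan over unsalted_sha256: once the first six and last four are known, a plain hash protects nothing.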
Overcoming the Top PCI DSS Challenges
Requirement 6: Develop and maintain secure systems and applications
• New vulnerabilities pop up every day, along with new ways for hackers to compromise your systems
• Merchants should:
  • Use payment applications and devices approved by the PCI Security Standards Council
  • Identify and install security patches in a timely manner (critical patches within one month of release)
  • Follow industry best practices if developing their own payment apps
• Regularly test the application’s security
Overcoming the Top PCI DSS Challenges
Requirement 8: Assign a unique ID to each person with computer access
• Following this requirement allows actions to be traced to a specific person, vital when a forensic analysis needs to take place
• Each user needs their own ID and password; no shared or group accounts
• For remote network access originating from outside the network, two-factor authentication is required
• Passwords must be unreadable, in storage and during transmission
• Enforce role-based access control (RBAC): you should only have access to the systems and information necessary to perform your function
Overcoming the Top PCI DSS Challenges
Requirement 10: Track and monitor access to network and card data
• System logs are the audit trail when something goes wrong
• Logs must be captured for every system component in the cardholder data environment
• Logs must be reviewed at least once daily (automate this: compare exception events against a "known good" baseline rather than reading every line)
• Logs must be stored securely for at least a year, with the most recent three months immediately available for analysis (preferably centrally)
• Good log management can be the difference between an annoying event and a business-crippling disaster
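Requirement 8 (every action traceable to one person through a unique ID) and Requirement 10 (daily review of exceptions against a known-good baseline, one year of retention) both reduce to checks a script can run every morning. The following is an added example and is not code from the AccuCode deck or the AO:Compliance product; the host names, user IDs, addresses, thresholds and baseline are assumptions made for the example.

```python
"""Added example (not from the AccuCode deck): an automated daily log review
for Requirements 8 and 10.

Constructed login records from two CDE hosts are compared with a 'known good'
baseline of which user IDs are expected where. Exceptions reported:
  UNKNOWN_ID           successful login by an ID not in the baseline for that host
  SHARED_ID            one ID used from two addresses within a short window,
                       which breaks 'trace every action to one person'
  BRUTE_FORCE          repeated failures from one address on one host
  BRUTE_FORCE_SUCCESS  a success from that address after the failures
Host names, user IDs, addresses and the baseline are constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed baseline: IDs expected to log in to each CDE host.
BASELINE = {
    "pos-db-01": {"jsmith", "dbbackup"},
    "pos-app-01": {"jsmith", "mlee"},
}

# Constructed one-day sample in the normalized form a log collector emits.
SAMPLE_LOG = [
    "2011-03-02 08:01:10 pos-app-01 ACCEPT user=jsmith src=10.20.1.15",
    "2011-03-02 08:03:41 pos-app-01 ACCEPT user=mlee src=10.20.1.22",
    "2011-03-02 08:04:02 pos-db-01 ACCEPT user=dbbackup src=10.20.2.5",
    "2011-03-02 08:09:55 pos-app-01 ACCEPT user=jsmith src=203.0.113.9",
    "2011-03-02 09:15:00 pos-db-01 FAIL user=admin src=198.51.100.7",
    "2011-03-02 09:15:01 pos-db-01 FAIL user=admin src=198.51.100.7",
    "2011-03-02 09:15:02 pos-db-01 FAIL user=admin src=198.51.100.7",
    "2011-03-02 09:15:03 pos-db-01 FAIL user=admin src=198.51.100.7",
    "2011-03-02 09:15:04 pos-db-01 FAIL user=admin src=198.51.100.7",
    "2011-03-02 09:15:06 pos-db-01 ACCEPT user=admin src=198.51.100.7",
    "2011-03-02 11:30:00 pos-app-01 ACCEPT user=contractor3 src=10.20.1.40",
]


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def review(lines, baseline=BASELINE, share_window=timedelta(minutes=15),
           fail_threshold=5):
    """Return the exception list a reviewer should look at for the day."""
    findings = []
    last_seen = {}            # (host, user) -> (time, src) of last success
    fails = defaultdict(int)  # (host, src) -> consecutive failures
    for e in parse(lines):
        host, user, src = e["host"], e["user"], e["src"]
        if e["result"] == "FAIL":
            fails[(host, src)] += 1
            if fails[(host, src)] == fail_threshold:
                findings.append(("BRUTE_FORCE", host, user, src))
            continue
        # Successful login from here on.
        if fails[(host, src)] >= fail_threshold:
            findings.append(("BRUTE_FORCE_SUCCESS", host, user, src))
        fails[(host, src)] = 0
        if user not in baseline.get(host, set()):
            findings.append(("UNKNOWN_ID", host, user, src))
        prev = last_seen.get((host, user))
        if prev and prev[1] != src and e["ts"] - prev[0] <= share_window:
            findings.append(("SHARED_ID", host, user, prev[1] + "," + src))
        last_seen[(host, user)] = (e["ts"], src)
    return findings


def retention_ok(today, oldest_online, oldest_archived):
    """Requirement 10.7 on ISO dates: at least one year of audit history
    retained, with the most recent three months immediately available."""
    t, on, ar = (date.fromisoformat(d) for d in (today, oldest_online, oldest_archived))
    return (t - ar).days >= 365 and (t - on).days >= 90


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run over the constructed day it produces five exceptions: jsmith's ID used from an internal and an external address nine minutes apart, five failed admin logins from one address followed by a success, and two IDs (admin, contractor3) that the baseline does not know. A reviewer signs off on five lines instead of reading eleven, and the baseline is the living record of who is supposed to hold a unique ID on each host.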
Overcoming the Top PCI DSS Challenges
Requirement 11: Regularly test security systems and processes
• If you don't test it, how will you know if it's broken?
• Testing should be frequent to identify any vulnerabilities; PCI DSS requires quarterly scans (and a rescan after any significant change), plus an annual penetration test
• Vulnerability scanning products/services from an Approved Scanning Vendor (ASV) fulfill the external-scan part of this requirement
• What to test:
  • External network (conducted by an ASV)
  • Internal network (may be conducted in-house)
  • Wireless network, identifying all wireless devices for purposes of access control
  • Any other traffic in the cardholder data environment
Overcoming the Top PCI DSS Challenges
Requirement 12: Maintain a policy that addresses information security
• The written policy determines the controls used to ensure security and compliance with the PCI DSS
• It must address all PCI DSS requirements, as well as:
• Daily procedures
• Usage policies for each technology, such as laptops and e-mail
• Info. security responsibilities for employees and contractors
• Security awareness program for employees
• Employee screening
• Third-party vendor responsibility and accountability
• Incident response plan
PCI DSS: The Top Violations and Basic Remediation Strategies
[Chart: Top PCI DSS Violations. Source: Trustwave - 2011 Global Security Report]
Remediation Strategies
• Segmentation: isolate point-of-sale (POS) systems / PCI workstations from the rest of the network environment
• Default device configurations: change or remove them (if they exist)
• Firewall / IPS: build a secure configuration; self-managed or outsourced
• Log monitoring: applies to both POS systems and networking
• Policies and procedures: templates are available
Summary
• Make sure your firewall is configured correctly and working properly.
• No vendor-supplied default configurations and/or passwords
• Make PCI data (specifically PAN) inaccessible and/or unreadable
• Use secure applications and check for updates and patches often
• Everyone gets their own UNIQUE User ID and password
• Collect and store the necessary system logs, reviewing daily
• Test at least quarterly to find vulnerabilities (e.g., network scans)
• Write a security policy (update as needed) and educate/train ALL your employees.
AO:Compliance™ and Next Steps
AO:Compliance makes PCI compliance as easy as:
1. Assess & Analyze
2. Close gaps
3. Stay Compliant
Next Steps, If You Need Help
• AccuCode and our partners are ready to assist you with getting and staying PCI compliant.
• Go to the AO:Compliance website to find out more about our compliance and security offerings: www.aocompliance.com
• Contact us: [email protected]
• If you need help with other technology issues, AccuCode can assist you with that as well.
• Visit the AccuCode website for more information about our other products and services: www.accucode.com
Questions and Answers