TRANSCRIPT
PCI-DSS: A Step-by-Step Payment Card Security Approach
Amy Mushahwar & Mason Weisz
The PCI-DSS in a Nutshell
• It mandates security processes for handling, processing, storing and transmitting payment card data.
• ALL merchants or merchant service providers that accept, transmit, or store any cardholder data must comply.
• This is a contractual standard. Payment processor contracts and merchant rules bind you to PCI-DSS compliance.
• The PCI-DSS acts as a floor, not a ceiling—many PCI-compliant entities are breached.
Why is compliance important?
• It’s the law in some states (i.e., Washington, Minnesota, Nevada and Massachusetts)
• Fines for non-compliance
  • MasterCard: $25,000 – $200,000 depending on # of past violations
  • Visa: $5,000 – $25,000 per month depending on merchant’s level
  • American Express: 0.75% of each non-compliant transaction
  • Discover: $20,000 – $50,000 per violation plus up to $50,000 per month of non-compliance
• Fines for data breaches during non-compliance period
  • MasterCard: $100,000 for each violation of a PCI requirement
  • Visa: $500,000 per incident
• Chargebacks for fraudulent transactions
• Reputational harm
• Costs of investigating, remedying and litigating breaches
Lawsuits Abound
(Slide graphic: parties to litigation)
PCI-DSS Myths
• A PA-DSS-compliant vendor will make us compliant.
• We outsource card processing, so PCI-DSS couldn’t possibly apply.
• Outsourcing card processing makes us compliant.
• Becoming compliant with PCI-DSS is an IT project.
• PCI-DSS compliance makes us secure.
• We don’t take enough cards to be subject to the PCI-DSS.
Be Aware of Other Payment Card Standards
• Payment Application Data Security Standard (PA-DSS)
  • Applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and are used by third parties.
• PCI Personal Identification Number (PIN) Security Requirements
  • Complete set of requirements for secure management, processing, and transmission of PIN data.
  • Applies to online and offline transactions at ATMs and point-of-sale terminals.
• Card Brand Merchant Rules
What Rules Apply?
Merchant card rules apply to identification and authorization when a customer uses a payment card.
Payment card data can be sent directly to the processor through a dedicated telephone circuit or VPN tunnel to minimize PCI-DSS compliance scope. The PIN security rules also apply here, at the PIN pad.
When a card is swiped on a point-of-sale (POS) terminal, the card data may be transmitted, processed or cached by the merchant, and PCI-DSS rules apply. Careful! Malware attacks have exploited centralized processing systems.
What Rules Apply?
When a website connects to a payment processor, the PCI-DSS applies to the website, and the PA-DSS may apply to any payment applications.
What Rules Apply?
Both the PCI-DSS and the PA-DSS can apply to mobile transactions.
Mobile Payments
Find the requirements here: https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf
What Rules Apply?
For call centers, the PCI-DSS call recording and clean room rules apply to workers who receive 16-digit account numbers voiced over the phone.
The Different Levels of PCI Compliance
Six PCI-DSS Areas
1. Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Six PCI-DSS Areas
3. Maintain a Vulnerability Management Program
  • Protect against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Six PCI-DSS Areas
5. Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
6. Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel
How to Approach Compliance: An Overview
• Assemble the team and require ownership of the issue
• Interview personnel and conduct scans to locate cardholder data in your environment
• Emphasize security and risk, not just compliance
• Conduct data store analysis: decommissioning, encryption and tokenization
• Implement thoughtful network segmentation
• Implement policy and programmatic changes to your IT standards
• Conduct training and awareness activities
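The "conduct scans to locate cardholder data in your environment" step, as an added example that is not part of the original presentation: a minimal PAN discovery scanner in Python. It flags runs of 13 to 19 digits (with optional space or dash separators) that pass the Luhn check, and reports each hit only in masked form so the scan report itself does not become a new store of cardholder data. The sample log lines are constructed; the two card numbers that pass are well-known public test numbers, not real accounts.

```python
import re

# Constructed sample lines (not real data). Lines 1 and 2 carry public test
# PANs; line 3 is a 16-digit tracking number and line 4 a mistyped PAN, and
# both fail the Luhn check; line 5 is already masked.
SAMPLE_LINES = [
    "2024-03-01 12:00:01 checkout ok order=1001 card=4111111111111111 amount=19.99",
    "2024-03-01 12:00:02 checkout ok order=1002 card=5555 5555 5555 4444 amount=5.00",
    "2024-03-01 12:00:03 shipment tracking=1234567890123456",
    "2024-03-01 12:00:04 checkout ok order=1003 card=4111-1111-1111-1112",
    "2024-03-01 12:00:05 refund order=1001 card=****1111",
]

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Report form: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(line):
    """Return the masked form of every Luhn-valid PAN-like number in one line."""
    found = []
    for match in _CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines):
    """Scan an iterable of text lines; return (line_number, masked_pan) pairs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((number, masked))
    return hits


if __name__ == "__main__":
    for number, masked in scan_lines(SAMPLE_LINES):
        print("line %d: possible PAN %s" % (number, masked))
```

Run it over exported logs, database dumps or file shares to find places where PANs have leaked outside the intended cardholder data environment; Luhn filtering removes most false positives from order numbers and tracking IDs, and the masked output is safe to put in a remediation ticket.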
Prioritized Approach Tool
Data Store Analysis: Decommissioning
• Retire systems and databases with payment card information that are not needed or not actively in use
• Make sure data is securely erased if drives will be re-purposed or end-of-life drives are disposed of
Data Store Analysis: Tokenization & Encryption
• Tokenization: Don’t store the PAN, if possible
• Encrypt Data in Motion: PCI-validated point-to-point encryption (P2PE)
• Encrypt Data at Rest: But encryption is not a magic bullet
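How tokenization takes the PAN out of the merchant's own systems, as an added example that is not part of the original presentation: the merchant's order database keeps only a random token and a masked display form, and the full PAN lives solely in a token vault. The `TokenVault` class, the `tok_` token format and the in-memory dict are assumptions for the sake of a runnable example; a real vault is an isolated, access-controlled, encrypted store or a hosted tokenization service, and the card number below is a public test number.

```python
import re
import secrets


def _digits_only(pan):
    """Strip the spaces and dashes people type into card-number fields."""
    return re.sub(r"[ -]", "", pan)


def mask_pan(pan):
    """Display form for receipts and call-center screens: last four digits only.
    (PCI-DSS permits at most the first six and last four to be shown.)"""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Stand-in for the PCI-scoped token vault, the ONLY component that holds PANs.

    A dict is used so the example runs offline; in production this is an
    isolated, encrypted, audited store with its own access control."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        digits = _digits_only(pan)
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("value is not PAN-shaped")
        # The token is random, not derived from the PAN: without the vault it
        # cannot be reversed, and tokenizing the same PAN twice gives two tokens.
        # The last four digits are kept so receipts and support can refer to the card.
        token = "tok_%s_%s" % (secrets.token_hex(8), digits[-4:])
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token):
        """Only in-scope systems (e.g. the call to the payment gateway) may use this."""
        return self._pan_by_token[token]


def store_order(orders, order_id, pan, vault):
    """What the merchant's order database keeps: token plus masked form, never the PAN."""
    record = {"token": vault.tokenize(pan), "display": mask_pan(pan)}
    orders[order_id] = record
    return record


def record_leaks_pan(record, pan):
    """Check for tests and data-store scans: does a stored record contain the full PAN?"""
    return _digits_only(pan) in repr(record)


if __name__ == "__main__":
    vault = TokenVault()
    orders = {}
    rec = store_order(orders, "1001", "4111 1111 1111 1111", vault)
    print("stored record:", rec)
    print("leaks PAN:", record_leaks_pan(rec, "4111 1111 1111 1111"))
```

The scope reduction comes from the token being meaningless outside the vault: a compromise of the order database yields tokens and masked numbers, not card numbers. The same logic explains the "not a magic bullet" caveat for encryption at rest: encrypted PANs still sit in the merchant's database, so the system that holds the decryption key is just as much in scope as the vault is here.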
Practice Point: Internal vs. External Vulnerability Scanning
• External: looks for holes in network firewalls where outsiders can get in (pen testing)
• Internal: operates inside the business’s firewalls to identify real and potential vulnerabilities inside the network
• Both are necessary!
• Pen testing is not enough!
Practice Point: Policy and Programmatic Changes to IT Standards
• Review your company’s policies and procedures to ensure they are compliant with the PCI-DSS
• The technical requirements are considerable
  • But there are many policy and programmatic requirements
  • There are also technology requirements that must be documented
  • Don’t underestimate the time that policy, programmatic, and documentation requirements will take!
• We can provide attendees with a complimentary informal summary of these requirements
Incident Response
• Document and rehearse an IR plan before the breach.
  • Central reporting point, monitored 24/7/365
  • Obligation to report a very broad range of events/conditions
  • Universal awareness of reporting obligation
  • Designated response team that preserves privilege
• Immediately contain the breach.
  • Do not access compromised systems.
  • Do not turn the compromised systems off or reboot.
  • Preserve all evidence and logs.
  • Document all actions taken, including dates and individuals involved.
  • Block suspicious IPs from inbound and outbound traffic.
  • Be on high alert and monitor all systems with cardholder data.
Incident Response: PCI Notice Issues
• Determine whether notice must or should be given:
  • To your merchant bank card processors (review contract)
  • To the payment card brands (rules vary)
  • To others pursuant to law (e.g., regulators, individuals)
• Key questions include:
  • What data was compromised, by whom, and how?
  • Was the data encrypted, and was the encryption key breached?
  • What is the risk of harm?
• Determine notice strategy, content and timing.
• Provide evidence of PCI-DSS, PA-DSS, or PIN Security compliance status to your merchant bank card processor within 48 hours of the notification.
• Provide all compromised payment card accounts to your merchant bank card processor within 10 business days.
Post-Breach Card Brand Investigation
• Document the following:
  • The facts of the breach and the method of its detection
  • Remediation steps
  • Chain of custody
• Card brands will notify you if hiring a PCI Forensic Investigator (PFI) is necessary.
• The payment card processor or any of the payment card brands may require validation of subsequent PCI compliance and incident remediation by a Qualified Security Assessor (QSA).
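The "preserve all evidence and logs" and "chain of custody" points above, as an added example that is not part of the original presentation: a small Python evidence manifest that records who collected each item and when, with a SHA-256 hash per file, and a verification routine that later shows whether any item was altered after collection. The evidence files, the analyst name and the log lines are all constructed for the demo; the IP address is from a documentation range.

```python
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large disk images or log archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record who collected what, when, and each item's hash, before anyone else handles it."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "bytes": os.path.getsize(path), "sha256": sha256_file(path)})
    return {
        "collected_by": collector,
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the names of items that are missing or whose hash changed (empty list = intact)."""
    broken = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            broken.append(entry["file"])
    return broken


def demo():
    """Constructed evidence set: build the manifest, then show that a later edit is detected."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    samples = {  # constructed log lines, not from any real incident
        "pos-app.log": "2024-03-01 02:14:07 pos-app unexpected outbound connection from terminal-07\n",
        "firewall.log": "2024-03-01 02:14:09 deny tcp terminal-07 -> 198.51.100.23:443\n",
    }
    for name, text in samples.items():
        with open(os.path.join(evidence_dir, name), "w") as f:
            f.write(text)
    manifest = build_manifest(evidence_dir, "analyst-1 (constructed name)")
    # The manifest is kept with the case notes, outside the evidence folder it describes.
    manifest_json = json.dumps(manifest, indent=2)
    before = verify_manifest(evidence_dir, manifest)           # [] right after collection
    with open(os.path.join(evidence_dir, "pos-app.log"), "a") as f:
        f.write("tampered line\n")                             # simulate an untracked edit
    after = verify_manifest(evidence_dir, manifest)            # ["pos-app.log"]
    return before, after, len(manifest_json) > 0


if __name__ == "__main__":
    print(demo())
```

Producing the manifest at collection time, and having each later custodian re-run the verification and sign off, is what lets the facts of the breach and the remediation steps stand up when a PFI or QSA reviews them.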