pci-dss for idrbt

46
PCI DSS & PII Shanmugavel Sankaran FixNix InfoSec Solutions Pvt Ltd

Upload: chief-nixer

Post on 24-Dec-2014

717 views

Category:

Technology


3 download

DESCRIPTION

preso prepared for IDRBT PCI DSS training

TRANSCRIPT

Page 1: PCI-DSS for IDRBT

PCI DSS & PII

Shanmugavel Sankaran FixNix InfoSec Solutions Pvt Ltd

Page 2: PCI-DSS for IDRBT

Session Etiquette

•  Please turn off all cell phones. •  Please keep side conversations to a minimum. •  If you must leave during the presentation, please do so

as quietly as possible.

2

Page 3: PCI-DSS for IDRBT

3

What is PCI?

"   The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

"   PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

"   Adherence to the PCI DSS aides in securing cardholder payment data that is stored, processed or transmitted by merchants and processors.

"   PCI DSS specifies requirements entailing many security technologies and business processes, and reflects most of the best practices for securing sensitive information.

"   PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states.

•  (Source: PCI Security Standards Council)

Page 4: PCI-DSS for IDRBT

4

What Is Cardholder Data?

Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder

§  Card Holder Data §  Primary Account Number (PAN) with: §  Expiration date or §  Card holder name

§  Sensitive Authentication Data §  CVV or CVC (Card Verification Values) §  Track 1 and Track 2 Data (magnetic stripe)

Page 5: PCI-DSS for IDRBT

Who Must Comply?

"   PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards.

"   However, the way in which organizations validate their compliance differs

based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements.

"   Information regarding service provider levels and validation requirements

can be obtained from each individual credit card company’s Web site. "   The security requirements apply to all system components, network

components, servers or applications included in, or connected to, the processing of cardholder data.

5

Page 6: PCI-DSS for IDRBT

What is PCI?

•  Payment Card Industry Data Security Standard

•  PCI Scope includes: –  Storing, processing and transmitting of cardholder data AND any

connected system

•  Continuous program – not a one time project!

6

Page 7: PCI-DSS for IDRBT

PCI Version 2.0

•  Has changed the way we do business

•  Costs have increased

•  Documentation, Documentation!

7

Page 8: PCI-DSS for IDRBT

What’s New in PCI 2.0?

•  Scoping?

•  Wireless Networks

•  Storing Hashed Data

•  Self-Assessment Questionnaire C-VT

8

Page 9: PCI-DSS for IDRBT

PCI Security Standards Council

•  Global Forum

•  PCIDSS, PA-DSS, PCI PTS

•  Approve QSAs, ASVs

•  Develop and publish PCI documentation including SAQs

•  Training

9

Page 10: PCI-DSS for IDRBT

Payment Brands, Acquirers and Processors

•  Payment Brands –  Track compliance and enforce standards –  Determine event response –  Define merchant levels

•  Acquirers and Processors –  Set merchant level –  Determine compliance –  Approve compensating controls

10

Page 11: PCI-DSS for IDRBT

Updates from Feedback on the PCI Standards

•  Request change to existing requirement/testing procedure (34%)

•  Request clarification (27%)

•  Request for additional guidance (19%)

•  Feedback only – no change requested (12%)

•  Request for new requirement/testing procedure (7%) PCI SSC Press Release Dated 9/5/12 "PCI Security Standards Council Releases Summary of Feedback on PCI Standards"

11

Page 12: PCI-DSS for IDRBT

Following Topics Most Frequently mentioned Suggestions:

•  PCI DSS Req 11.2 – Prescribing use of specific tools, requiring ASCs to perform internal scans and define “significant change”

•  PCI DSS Scope of Assessment – Detailed guidance on scoping and segmentation

•  PCI DSS Req 12.8 – Clarify terms “service provider” and “shared”, and provide more prescriptive requirements regarding written agreements that apply to service providers

12

Page 13: PCI-DSS for IDRBT

Following Topics Most Frequently mentioned Suggestions (Con’t):

•  PCI DSS SAQs – Suggestions for updating; either too complex or not detailed enough

•  PCI DSS Req 3.4 – Further clarification and guidance since encryption and key management are complex requirements, and truncation/hashing and tokenization is not a convenient method to store and retrieve data

•  PCI DSS Req 8.5 – Updating password requirements including expanding authentication beyond just passwords

13

Page 14: PCI-DSS for IDRBT

PCI SCC Releases

•  PCI Mobile Payment Acceptance Security Guidelines

–  Offer software developers and mobile device manufacturers guidance on designing appropriate security controls to provide solutions for merchants to accept mobile payments securely

PCI SSC Press Release Dated 9/13/12

14

Page 15: PCI-DSS for IDRBT

PCI SSC Releases (Con’t)

•  Point-to-Point Encryption (P2PE) Resources

–  Program Guide and SAQ to support implementation of hardware-based P2PE solutions

PCI SSC Press Release Dated 6/28/12

15

Page 16: PCI-DSS for IDRBT

New PCI Professional Program (PCIP)

•  PCI SSC’s 1st Individual Accreditation Program

•  Designed to build greater level of PCI expertise across the industry

•  Minimum 2 years IT or IT related experience and base level of knowledge and awareness in information technology, network security and architecture and payment industry participants

PCI SSC Press Release Dated 9/6/12

16

Page 17: PCI-DSS for IDRBT

PCI DSS Risk Assessment Guidelines

The supplement outlines the relationship between PCI DSS and risk assessments, including various industry risk methodologies and key components of a risk assessment. Key components include developing a risk assessment team, building a risk assessment methodology, risks introduced by third parties, risk reporting and critical success factors. Key recommendations include: •  Formalized risk assessment methodology suited to the

culture and requirements of the organization •  Continuous risk assessment •  Risk assessment cannot be used to avoid PCI DSS

compliance

PCI DSS Press Release Dated 11/16/12

17

Page 18: PCI-DSS for IDRBT

Info Supplement – E-commerce Guidelines

This supplement was released to provide guidance to merchants using electronic commerce (e-commerce) to sell goods and services in their quest to obtain PCI Compliance. •  Merchants may develop their own payment software, use

a third-party software, or a combination. •  Merchants may use various technologies: payment

processing applications, application-programming interfaces (APIs), inline frames (iFrames), or hosted payment pages.

•  Merchants may maintain different levels of control and responsibility for managing the supporting IT infrastructure.

PCI SSC Information Supplement Dated 1/2013

18

Page 19: PCI-DSS for IDRBT

Info Supplement – E-commerce Guidelines (Con’t)

Key Considerations: •  No option completely removes PCI DSS responsibilities.

NOT even outsourcing!

•  Payment applications should be PA-DSS compliant. Check them against the PCI SSC’s list of Validated Payment Applications. –  For in-house developed application, use PA-DSS as a

best-practice.

•  Documentation! Document relationships between the merchant and third parties in regards to PCI DSS!

19

Page 20: PCI-DSS for IDRBT

PCI DSS Cloud Computing Guidelines

•  The Guidelines and Information Supplement provides a overview of the cloud environment explaining common deployment and service models and how implementations may differ.

•  Roles and responsibilities between the provider and customer across the different models are explained as well as guidance on how to determine and Document these responsibilities.

•  PCI DSS considerations and compliance challenges are discussed including scoping, segmentation and validating compliance in the cloud environment.

•  Other security considerations are explored on the business and IT side in using cloud technologies.

PCI DSS Press Release Dated 2/7/13.

20

Page 21: PCI-DSS for IDRBT

PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users

•  Document provides a high level introduction and overview of mobile payments and security risks of mobile devices. This “unique, complex and evolving mobile environment underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely.”

•  Key areas: –  Objectives and Guidance for the Security of a Payment

Transaction –  Guidelines for Securing the Mobile Device –  Guidelines for Securing the Payment Acceptance Solution

Appendices provided PCI DSS Press Release Dated 2/14/13.

21

Page 22: PCI-DSS for IDRBT

Merchant Issues on Campus

•  CDE – Cardholder Data Environment (where does the data reside – everywhere?)

•  Call Centers – Voice Recording

•  VOIP – Voice Over Internet Protocol

•  Service Providers

•  Remote Events

22

Page 23: PCI-DSS for IDRBT

Merchant Issues on Campus (Con’t)

•  Bookstores

•  Medical practices

•  Patient collections

•  Conferences

•  Pledge drives

23

Page 24: PCI-DSS for IDRBT

Merchant Issues on Campus (Con’t)

•  Food service

•  Kiosks

•  Paper forms

•  Unrelated third parties –  Does this make you a service provider?

Treasury Institute for Higher Education 2012 PCI Workshop - Walt Conway, QSA 403 Labs

24

Page 25: PCI-DSS for IDRBT

What is PII?

PII (Personally Identifiable Information) is any information about an individual that can be used to distinguish or trace an individual’s identity or can be linked to an individual. Examples:

–  Name: full name, mother’s maiden name, alias –  Personal ID number: SS number, Passport, driver’s

license or credit card numbers –  Medical, educational, financial and employment

information

25

Page 26: PCI-DSS for IDRBT

Personally Identifiable Information (PII)

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past several years. Individual Harm Organizational Harm

–  Identity theft - Loss of public trust

–  Embarrassment - Legal liability

–  Blackmail - Remediation cost ($$$)

26

Page 27: PCI-DSS for IDRBT

Risk-Based Approach to Guarding the Security of PII

If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.

McGeorge Bundy

fmr US National Security Advisor

•  Identify all PII residing in the data environment

•  Minimize the use, collection, and retention of PII

•  Categorize PII by confidentiality impact level

•  Apply appropriate safeguards based on confidentiality level

•  Develop an incident response plan to handle PII breaches

•  Exercise a coordinated effort in managing PII issues

27

Page 28: PCI-DSS for IDRBT

Identify ALL PII Residing in Your Environment

•  An organization cannot properly protect PII it does not know about!

•  Be sure to consider your environment: –  Databases –  Shared network drives –  Backup tapes –  Contractor sites

28

Page 29: PCI-DSS for IDRBT

Minimize PII Used, Collected and Stored

•  The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects and stores.

•  Best Practices:

–  Review current holdings of PII and ensure they are accurate, relevant, timely and complete

–  Reduce PII holdings to the minimum necessary for proper performance of business functions

–  Develop a schedule for periodic review of PII holdings –  Establish a plan to eliminate the unnecessary

collection and use of SSNs

29

Page 30: PCI-DSS for IDRBT

Categorize PII by Confidentiality Impact Level

•  All PII is not created equal.

•  PII should be evaluated to determine its PII confidentiality impact level – low, moderate, or high – The impact level indicates the potential harm that

could result to the individuals and/or the organization if the PII were inappropriately accessed, used, or disclosed.

30

Page 31: PCI-DSS for IDRBT

Develop an Incident Response Plan for PII Breaches •  Breaches involving PII are hazardous to both individuals

and organizations •  Harm to individuals and organizations can be contained

and minimized through the development of an effective IRP for breaches involving PII, including: –  Determining when and how individuals should be

notified –  How a breach should be reported –  Whether to provide remedial services, like credit

monitoring, to affected individuals

31

Page 32: PCI-DSS for IDRBT

Encourage a Concerted Effort Regarding PII Issues •  Protecting the confidentiality of PII requires knowledge of

information systems, information security, privacy as well as legal requirements.

•  Organizations should encourage close coordination among their chief privacy officers, chief information officers, chief information security officers and legal counsel when making decisions related to PII policies

32

Page 33: PCI-DSS for IDRBT

PCI Compliance – Trends and Tips

§  Follow industry best practices for network and IT security

§  Use tools and services geared toward PCI Compliance

§  Align with a larger partner for credit card processing

Joel Dubbin, CISSP. SearchCIO.com

Page 34: PCI-DSS for IDRBT

PCI is not about securing sensitive data, it’s

about eliminating data altogether.

John Kindervag, Forrester Analyst and former QSA

PCI Compliance – Trends and Tips

Page 35: PCI-DSS for IDRBT

Virtualization §  Servers

- Req 2.2.1 – One primary function per server

§  Entire box in-scope?

§  PCI DSS is technology neutral

§  No guidance for QSAs

PCI Compliance – Trends and Tips

Page 36: PCI-DSS for IDRBT

Segmenta(on  

§  Reduce  the  cardholder  data  landscape  

§  Reduces  cost  of  remedia(on  

§  Reduces  exposure  

PCI Compliance – Trends and Tips

Page 37: PCI-DSS for IDRBT

Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services)

§  Must third party be PCI certified?

§  Who owns the liability?

§  What entities does a PCI assessment cover?

PCI Compliance – Trends and Tips

Page 38: PCI-DSS for IDRBT

“PCI SWALLOWS ITS OWN TAIL”

•  “I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”

•  http://information-security-resources.com/2009/04/01/payment-card-

industry-swallows-its-own-tail

PCI Compliance – Trends and Tips

Page 39: PCI-DSS for IDRBT

39

Page 40: PCI-DSS for IDRBT

40

Page 41: PCI-DSS for IDRBT

41

Page 42: PCI-DSS for IDRBT

42

Page 43: PCI-DSS for IDRBT

43

Page 44: PCI-DSS for IDRBT

44

Page 45: PCI-DSS for IDRBT

45

•  PCI Security Standards Council- www.pcisecuritystandards.org •  The SANS Institute- www.sans.org •  The National Institute of Standards and Technology- www.nist.gov •  The Center for Internet Security- www.cisecurity.org •  Approved QSA Listing-

https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm

•  Approved ASV Listing- https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm

•  PCI KnowledgeBase http://www.knowpci.com •  PCI Auditor Community Site (Message Board)

http://pcifile.org/phpBB2/index.php •  PCI DSS Compliance Demystified (Blog) http://pcianswers.com/

Useful links

Page 46: PCI-DSS for IDRBT

Questions?

46