Understanding Your PCI DSS Guidelines: Successes and Failures
Presentation Transcript

E-Guide

UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES

Contents

PCI validation: Requirements for merchants covered by PCI DSS
PCI DSS review: Assessing the PCI standard nine years later

In this E-Guide, SearchSecurity.com expert Mike Chapple details the PCI validation requirements for merchants covered by PCI DSS and reviews PCI's successes and failures. As the industry preps for PCI DSS 3.0, learn what needs to be improved upon and what has remained effective.

PCI VALIDATION: REQUIREMENTS FOR MERCHANTS COVERED BY PCI DSS

Mike Chapple, Enterprise Compliance

Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) must meet a laundry list of PCI validation requirements on a regular basis to certify their compliance to their merchant banks. These requirements include the need for periodic reports on compliance (ROCs), vulnerability scans, penetration testing and Web application testing. In this tip, we examine these requirements to provide a detailed outline of what is needed to remain PCI DSS-compliant.

REPORTING COMPLIANCE: SAQS AND ROCS

Perhaps the most significant PCI requirement is that all but the smallest merchants (those who process fewer than 20,000 e-commerce transactions and fewer than 1 million total transactions per year) must submit annual compliance validation reports to their merchant bank. The scope of these reports and the qualifications of the individuals performing the assessment vary depending upon where an organization falls within the PCI DSS merchant levels.

The largest merchants (those with over 6 million transactions per year) are classified as Level 1 merchants and must have an independent audit performed on an annual basis. This audit may be performed by either a Qualified Security Assessor (QSA) or the firm's internal audit group, provided the audit is signed by an officer of the company. In either case, the QSA or internal auditors complete an ROC for submission to the merchant bank.

Level 2 and 3 merchants may conduct the assessment using their own IT and business staff and document the results on one of the self-assessment questionnaires (SAQs). The scope of the audit depends upon the characteristics of the merchant's cardholder data environment -- essentially, the more complex the environment, the greater the scope of the audit. The possibilities are as follows:

SAQ A, the simplest form, is reserved for those merchants that have outsourced all card processing responsibilities.

SAQ B contains the requirements for imprint-only or standalone dial-out terminal users that do not store any cardholder data electronically.

SAQ C is used in cases where merchants have payment application systems that are connected to the Internet but do not store cardholder data. There is a separate version of SAQ C for those merchants using virtual terminals.

SAQ D, the most complex form, is required for all merchants that are not eligible to fill out one of the shorter SAQs. This includes merchants with systems that store cardholder information.

Of course, it's in every merchant's best interest to move as far down the SAQ chain as possible. Don't fill out the lengthy SAQ D if your organization is eligible to complete the brief SAQ A!

VULNERABILITY SCANS

All merchants with externally facing (public) IP addresses must also complete quarterly external network vulnerability scans and provide those results to their merchant bank. The PCI DSS standard requires organizations to perform the scans through any of the Approved Scanning Vendors (ASVs), but the organization's merchant bank may require that it use a specific ASV. Many merchant banks require the use of a single ASV partner who, in turn, provides the bank with direct access to consolidated reports, easing the administrative burden on their end.

Of course, simply performing the scan is not sufficient -- companies must actually pass the scan to be able to assert PCI DSS compliance. For this reason, it's a good idea to run regular compliance scans for the company's own purposes to validate that it will pass before running the official scan that will be reported to its merchant bank.

SECURITY TESTING

Two additional requirements apply to organizations with infrastructures that process cardholder data: penetration testing and Web application assessment. Organizations must perform annual internal and external penetration testing of their cardholder data environment, including both network-layer and application-layer tests. Similarly, organizations with Web applications must perform Web application assessments on an annual basis and after any significant changes. Both of these tests must be performed either by a qualified security consultant or by qualified employees of the merchant, provided that the employees performing the tests are organizationally independent from those maintaining the systems.

As companies build their PCI DSS compliance program, it is increasingly important to keep all of these requirements in mind. It's a good idea to plan an annual calendar of assessments and tests so that the company doesn't miss a deadline or wind up rushing to complete all of its PCI validation requirements at the end of the year. Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor.

MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager at the University of Notre Dame. He previously served as an information security researcher at the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for the Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

PCI DSS REVIEW: ASSESSING THE PCI STANDARD NINE YEARS LATER

Mike Chapple, Enterprise Compliance

Nine years ago, the major payment card brands came together and quietly released the first version of the Payment Card Industry Data Security Standard (PCI DSS), consolidating the confusing set of overlapping requirements previously promulgated by the card brands. Almost a decade later, the industry now awaits the third major PCI DSS release as the council prepares to issue PCI DSS 3.0. Now is an excellent opportunity for the industry to reflect upon the standard's successes and failures, and that's what we'll do here in this PCI DSS review.

COMPLIANCE VS. SECURITY: WHERE ARE WE?

Of course, the goal of the PCI DSS is to improve the security of payment card information and reduce the cost of fraud to the sponsoring institutions. It's no secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year.

This is an age-old discussion in the world of compliance: How much of what we do actually improves security, and how much is simply bureaucratic overhead? There's no doubt that PCI DSS, as with any regulatory obligation, requires us to perform some tasks that don't contribute to the security of our information. For example, none of us want to spend time filling out self-assessment questionnaires or documenting the results of an account review. However, the vast majority of PCI DSS requirements do have a legitimate basis in information security dogma, and while some wish the standard raised the bar higher, most security professionals freely admit that the requirements indeed reflect industry-standard best practices.

Has the state of security improved since the release of PCI DSS? I contend that, indeed, it has. While organizations that have always had strong security programs may have seen only marginal improvements in their security, it is indisputable that many organizations considered payment card security for the first time only when faced with this compliance mandate. The cause of most payment card breaches can be traced back to basic security controls that were lacking, and the PCI DSS has helped build awareness around the need for fundamental information security practices.

CONSISTENCY OF ASSESSMENTS

One of the early complaints among merchants and service providers regulated by PCI DSS was that the standard contained a number of vague requirements that were inconsistently enforced by the Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council to conduct PCI DSS validation assessments. This led to confusion within the regulated industry and some degree of "shopping around" for a QSA that would give organizations the results they wanted to hear.

Thankfully, this situation has improved. The PCI SSC heard this feedback and put a tremendous amount of effort into building a community of QSAs who consistently interpret the standards. To achieve this, the council moved from a standard document that simply listed requirements to one that incorporates the precise audit procedures that QSAs are to follow when validating compliance. For example, requirement 9.1.1, involving the use of video cameras and access control mechanisms, now has three specific procedures:

9.1.1.a "Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas."

9.1.1.b "Verify that video cameras and/or access control mechanisms are protected from tampering or disabling."

9.1.1.c "Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months."

With this new degree of precision, merchants and service providers now go into assessments with a reasonable understanding of the procedures that QSAs will perform when conducting assessments.

PREPARING FOR PCI DSS 3.0

As we approach the third release of PCI DSS, many organizations now have a degree of confidence born of experience that simply was not there in the past. While compliance managers should certainly review the PCI DSS Version 3.0 Change Highlights issued by the SSC, there is plenty of time to prepare before the standard goes into effect in January 2014. Take the time provided to you during this grace period to review the new standard and implement any changes that might be necessary in your cardholder environment to remain compliant in the coming year.

The bottom line? In my opinion, the PCI DSS compliance field has matured significantly over the past decade and evolved from a confusing, feared set of technical requirements to a well-understood standard that is now often used as the "gold standard" of security even in unregulated fields.

MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and is the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS

TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web's largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more, drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real-world information in real time with peers and experts.

WHAT MAKES TECHTARGET UNIQUE?

TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers, all to create compelling and actionable information for enterprise IT professionals across all industries and markets.