PCI Compliance - Delving Deeper In The Standard

Presentation on the PCI DSS in greater depth.

Notes:
  • For most small to medium sized businesses
  • Firewalls control electronic traffic as it moves within the internal network and between internal and external networks
  • Assess and Analyze (this critical step will help you understand how much becoming PCI compliant will cost you!)
      • Assess the current environment
      • Analyze any gaps that may exist
  • Close the Gaps
      • Remediate gaps & problem areas
      • Get the environment compliant
  • Stay Compliant
      • Perform regular testing & scanning
      • Remediate to stay compliant

    1. PCI Compliance: Delving Deeper in the Standard
       John Bedrick, AccuCode
    2. Agenda
       • About AccuCode
       • Payment Card Industry Data Security Standard (PCI DSS) Schedules
       • Merchant Levels and Validation Requirements
       • PCI DSS Requirements
       • Where To Start
       • PCI DSS Self-Assessment Questionnaires (SAQ)
       • Continuous Compliance
       • PCI DSS: Validation Actions
       • Overcoming the Top PCI DSS Challenges
       • PCI DSS: The Top Violations and Basic Remediation Strategies
       • AO:Compliance™ and Next Steps on the road to becoming PCI Compliant
       • Questions and Answers
    3. AccuCode the Company
       • Founded 1995
       • VAR, Professional & Managed Services, Commercial Software Products
       • National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
       • Fastest Growing Privately Held Company in the U.S.
       • Trusted Advisor Delivering Guaranteed Outcomes
    4. AccuCode Customers & Partners
       Partners / Manufacturing / Retail / Transportation (logo groups)
       AccuCode has hundreds of customers & thousands of end-users!
    5. PCI DSS Schedules
    6. Schedule - Version 2.0 PCI DSS & PA-DSS
       • October 28, 2010 – 2.0 Released
       • January 1, 2011 – 2.0 Effective
       • December 31, 2011 – 1.2.1 Retired
       • July 1, 2012 – Risk Ranking (6.2) sunrise
    7. Merchant Levels and Validation Requirements
    8. The Mandate: Merchant Levels Defined (Visa, MasterCard, Discover & JCB)
       * Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.
    9. The Mandate: Merchant Levels Defined (American Express (AMEX))
       * Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX.
       ** Compliance at this level is strongly suggested, but not mandated.
    10. PCI DSS Requirements
    11-16. Six Goals, Twelve Requirements (built up over six slides; the complete slide reads as follows)
       Build and Maintain a Secure Network
       • 1. Install and maintain a firewall configuration to protect cardholder data
       • 2. Do not use vendor-supplied defaults for system passwords and other security parameters
       Protect Cardholder Data
       • 3. Protect stored cardholder data
       • 4. Encrypt transmission of cardholder data across open, public networks
       Maintain a Vulnerability Management Program
       • 5. Use and regularly update anti-virus software or programs
       • 6. Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
       • 7. Restrict access to cardholder data by business need-to-know
       • 8. Assign a unique ID to each person with computer access
       • 9. Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
       • 10. Track and monitor all access to network resources and cardholder data
       • 11. Regularly test security systems and processes
       Maintain an Information Security Policy
       • 12. Maintain a policy that addresses information security for employees and contractors
    17. PCI DSS Requirements - Summary
    18. Where to Start
    19. Steps to Validate PCI Compliance
       • Identify your validation type
          • This determines which Self-Assessment Questionnaire (SAQ) you complete
       • Complete the appropriate SAQ
    20. Steps to Validate PCI Compliance
       • Complete and provide evidence of a passing vulnerability scan
          • This scan must be completed by a PCI SSC Approved Scanning Vendor (ASV)
          • Scanning applies to any merchant electronically storing cardholder data or with processing systems with Internet connectivity
       • Complete the relevant Attestation of Compliance (AOC)
          • Located in the SAQ
       • Submit the SAQ, AOC and any other requested documents to your Bank/Acquirer
    21. PCI DSS Self-Assessment Questionnaires (SAQ)
    22. SAQ 1.2
    23. Continuous Compliance
    24. Challenges
       • The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure
       • Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit
       • PCI DSS is a baseline for security, not the pinnacle
       • Many merchants make a last-minute “rush to compliance” in order to satisfy audit criteria
       • This last-minute rush may produce a perfect compliance snapshot, but not ongoing security
    25. Continuous Compliance
       The PCI DSS helps businesses address security and risk. Merchants should:
       • Know their risk profile and level of compliance daily
       • Be ready to adapt to any requirement changes
       • Ensure employees are following security policies at all times
    26. Creating Continuous Compliance
       The process of compliance is ongoing:
       • Assess
          • Identify gaps
          • Inventory IT assets and business processes for payment cards
       • Remediate
          • Fix vulnerabilities
       • Report
          • Submission of paperwork/records to proper groups, such as acquiring banks
          • Paperwork includes audit results, such as Report on Compliance (ROC) or SAQ
          • Submit appropriate AOC form
    27. How to Assess
       • Study the PCI DSS standards
       • Inventory IT assets and processes
          • Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data
       • Identify vulnerabilities
          • Your SAQ guides the assessment
       • Validate with third-party experts
          • Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment
    28. How to Remediate
       Remediation is the process of fixing vulnerabilities and may include:
       • Network scans to analyze infrastructure and identify known vulnerabilities
       • Review and remediate vulnerabilities uncovered by an on-site assessment or SAQ process
       • Prioritizing remediation to address most to least serious
       • Patches, fixes and any changes to processes and workflow
       • Re-scanning to confirm remediation
    29. How to Report
       • Conduct regular vulnerability scanning
       • All merchants need to submit quarterly scan reports, completed by an approved ASV
       • Some businesses may need to enlist a QSA to conduct an annual on-site assessment
       • Each payment brand has its own reporting guidelines
    30. PCI DSS: Validation Actions
    31. Merchant & Service Provider Levels & Validation Actions
       (table with columns MERCHANT and SERVICE PROVIDER; cell contents not recoverable from this transcript)
       * Any Merchant or Service Provider using 3rd-party payment applications is required to validate compliance or use an approved PCI DSS payment application.
    32. Checklist for Continuous Compliance
       Don’t just “get” compliant, stay compliant:
       • Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies
       • Establish a cycle of risk management analysis and response
       • Continue to reduce scope where possible
       • Work towards making the process of staying compliant easier
       • Compliance is the baseline for your information security program
    33. Overcoming the Top PCI DSS Challenges
    34. Overcoming the Top PCI DSS Challenges
       Requirement 1: Install and maintain a firewall to protect cardholder data
       • Firewalls are the locks on doors
       • Firewall configurations must prohibit unauthorized access to system components in the cardholder data environment
       • Deny all connections in and out not specifically required for business functionality
       • Install firewall software on each mobile and/or employee-owned computer that connects to the cardholder data environment or to the public Internet
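The "deny all connections not specifically required" point above is something you can check mechanically. The following is an added example (not from the presentation or from AccuCode) that audits an `iptables-save` style ruleset for two Requirement 1 failures: a built-in chain whose default policy is ACCEPT, and an ACCEPT rule with no qualifier at all, which lets everything through regardless of the policy. The two rulesets are constructed for illustration; on a real host you would feed it the output of `iptables-save`.

```python
"""Audit an iptables-save style ruleset for default-deny (PCI DSS Req. 1).

Added example, not from the presentation. WEAK_RULESET and HARDENED_RULESET
are constructed samples; read the real `iptables-save` output on a host.
"""
import re

# Constructed "before" ruleset: ACCEPT policies plus a catch-all ACCEPT rule.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# Constructed "after" ruleset: default DROP, explicit allow-list only.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.10.1.5 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" lines declare the default policy of a chain.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\b")
# "-A CHAIN <matches> -j TARGET" lines append a rule.
RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*?)\s*-j\s+(\S+)\s*$")
# Options that narrow a rule: source, destination, protocol, interface, port, state.
QUALIFIER_RE = re.compile(r"\s(?:-s|-d|-p|-i|-o|--dport|--sport|--state)\s")

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def audit_ruleset(text):
    """Return a list of findings (strings); an empty list means default-deny holds."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if chain in BUILTIN_CHAINS and policy == "ACCEPT":
                findings.append(f"chain {chain}: default policy is ACCEPT, should be DROP")
            continue
        m = RULE_RE.match(line)
        if m:
            chain, match_part, target = m.groups()
            # An ACCEPT with no qualifier matches every packet in the chain.
            if target == "ACCEPT" and not QUALIFIER_RE.search(f" {match_part} "):
                findings.append(f"chain {chain}: unqualified rule '{line}' accepts all traffic")
    return findings


def is_default_deny(text):
    """True when the ruleset has DROP policies and no catch-all ACCEPT."""
    return not audit_ruleset(text)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {audit_ruleset(rules) or 'no findings'}")
```

The check is deliberately conservative: it only understands the `-s/-d/-p/-i/-o/--dport/--sport/--state` qualifiers, so a rule narrowed by some other match extension would be reported for a human to look at rather than silently passed.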
    35. Overcoming the Top PCI DSS Challenges
       Requirement 2: Do not use vendor-supplied defaults
       • In 2010, 88% of our cases found third-party vendors introduced security vulnerabilities, likely due to vendor-supplied passwords
       • Choose a vendor with a solid security history
       • Monitor all vendors to ensure they follow best security practices
       • Make sure contracts with vendors also include security control requirements and acceptance of responsibility for loss of CHD in their custody
    36. Overcoming the Top PCI DSS Challenges
       Requirement 3: Protect stored data
       • PAN (primary account number) must be unreadable, including:
          • On backup media
          • In logs
          • On portable digital devices
          • Via wireless and public networks
       • To render PAN unreadable, use:
          • Truncation (to first 6 and last 4 characters at a minimum)
          • Strong one-way hash functions
          • Strong cryptography
       • Better yet, get rid of it; you probably don’t need it!
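Two of the Requirement 3 points above are easy to get wrong in practice: truncation must keep no more than the first six and last four digits, and "unreadable in logs" has to be verified, not assumed. The following added example (not from the presentation or from AccuCode) implements the truncation, a one-way hash of the PAN, and a scanner that finds Luhn-valid card numbers that leaked into log text. One design choice goes beyond the slide: the hash is keyed (HMAC-SHA256) rather than a bare hash, because only about ten digits of a PAN vary once the issuer prefix is known, so an unkeyed hash can be reversed by brute force. The key, PANs and log lines are constructed test values (4111 1111 1111 1111 is a well-known test number, not a real account).

```python
"""PAN truncation, keyed hashing and leaked-PAN detection (PCI DSS Req. 3).

Added example, not from the presentation. All values below are constructed.
"""
import hashlib
import hmac
import re


def luhn_ok(digits):
    """Luhn check: True when the digit string has a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep the first 6 and last 4 digits, mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def keyed_pan_hash(pan, key):
    """One-way keyed hash (HMAC-SHA256) of the digits only.

    The key must be protected like an encryption key; this keyed form is the
    author's choice, the slide only says "strong one-way hash".
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_exposed_pans(text):
    """Return [(line_no, truncated_pan)] for every Luhn-valid PAN in the text.

    Used to check logs, dumps or backups for readable card numbers. Luhn
    filtering removes most order ids and timestamps; remaining hits still
    need a human look.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((n, truncate_pan(digits)))
    return hits


# Constructed sample log: line 1 and line 3 leak a full PAN, line 2 is
# correctly truncated, line 4 holds a 13-digit order id that fails Luhn.
SAMPLE_LOG = """\
2011-03-02 10:15:01 POS01 sale approved amount=42.10 pan=4111111111111111 auth=123456
2011-03-02 10:15:09 POS01 sale approved amount=12.00 pan=411111******1111 auth=123457
2011-03-02 10:16:44 POS02 card read error track=4111 1111 1111 1111
2011-03-02 10:17:00 POS02 order id=1234567890123 status=ok
"""

# Constructed key; in production it comes from a key-management system.
SAMPLE_KEY = b"constructed-example-key-do-not-use"

if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))
    print(keyed_pan_hash("4111 1111 1111 1111", SAMPLE_KEY))
    for line_no, masked in find_exposed_pans(SAMPLE_LOG):
        print(f"line {line_no}: readable PAN found ({masked})")
```

Run against a log directory on a schedule, the scanner gives you evidence for the "in logs" bullet rather than a belief; anything it reports should be fixed at the application that wrote the log, not by editing the log.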
    37. Overcoming the Top PCI DSS Challenges
       Requirement 6: Develop and maintain secure systems and applications
       • New vulnerabilities pop up every day, along with new ways for hackers to compromise your systems
       • Merchants should:
          • Use payment applications and devices approved by the PCI Security Standards Council
          • Identify and install security patches in a timely manner
          • Follow industry best practices if developing their own payment apps
          • Regularly test the application’s security
    38. Overcoming the Top PCI DSS Challenges
       Requirement 8: Assign a unique ID to each person with computer access
       • Following this requirement allows actions to be traced to a specific person, vital when a forensic analysis needs to take place
       • Each user needs their own password
       • For remote access, two-factor authentication is required
       • Passwords must be unreadable, in storage and during transmission
       • Enforce Role Based Access Control (RBAC): you should only have access to the systems and information necessary to perform your function
    39. Overcoming the Top PCI DSS Challenges
       Requirement 10: Track and monitor access to network and card data
       • System logs are the audit trail when something goes wrong
       • Logs must be captured
       • Logs must be reviewed at least once daily (automate the exception events as compared to a ‘known good’ baseline)
       • Logs must be stored securely for a year (preferably centrally)
       • Good log management can be the difference between an annoying event and a business-crippling disaster
    40. Overcoming the Top PCI DSS Challenges
       Requirement 11: Regularly test security systems and processes
       • If you don’t test it, how will you know if it’s broken?
       • Testing should be frequent to identify any vulnerabilities
       • PCI DSS requires quarterly scans
          • Vulnerability scanning products/services from an Approved Scanning Vendor (ASV) fulfill this PCI requirement
       • What to test:
          • External network (conducted by an ASV)
          • Internal network (may be conducted in-house)
          • Wireless network, identifying all wireless devices for purposes of access control
          • Any other traffic in the cardholder data environment
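The Requirement 10 advice to "automate the exception events as compared to a known good baseline" is the part that makes daily review sustainable: the reviewer reads the exceptions, not the raw log. The following added example (not from the presentation or from AccuCode) shows one way to do that for login events, and folds in the Requirement 8 point about unique IDs by treating any use of a shared or generic account as an exception. The log format, host names, account names and baseline are all constructed; a real baseline is built from reviewed history on a central log server.

```python
"""Daily exception review of login events against a known-good baseline
(PCI DSS Req. 10) with a shared-account check (Req. 8).

Added example, not from the presentation. Log lines, accounts and the
baseline are constructed for illustration.
"""
from collections import Counter

# Constructed baseline: (account, source address) -> hosts it normally logs into.
BASELINE = {
    ("jsmith", "10.10.0.21"): {"posdb01", "pos01"},
    ("mlee", "10.10.0.22"): {"pos01", "pos02"},
    ("svc-backup", "10.10.0.5"): {"posdb01"},
}
# Generic accounts that violate "a unique ID per person"; any use is an exception.
SHARED_ACCOUNTS = {"admin", "root", "pos", "administrator"}
# More failed logins than this from one account/source in the review window.
MAX_FAILURES = 5

# Constructed sample log: "timestamp host service event key=value ..."
SAMPLE_LOG = """\
2011-03-02T02:10:11 posdb01 sshd login user=jsmith src=10.10.0.21 result=success
2011-03-02T02:12:40 pos01 app login user=mlee src=10.10.0.22 result=success
2011-03-02T03:00:02 posdb01 sshd login user=svc-backup src=10.10.0.5 result=success
2011-03-02T03:41:15 posdb01 sshd login user=admin src=10.10.0.22 result=success
2011-03-02T04:05:51 pos02 app login user=jsmith src=10.10.0.21 result=success
2011-03-02T04:20:01 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
2011-03-02T04:20:03 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
2011-03-02T04:20:05 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
2011-03-02T04:20:07 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
2011-03-02T04:20:09 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
2011-03-02T04:20:11 posdb01 sshd login user=mlee src=203.0.113.9 result=failure
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    parts = line.split()
    if len(parts) < 6:
        return None
    rec = {"ts": parts[0], "host": parts[1]}
    for kv in parts[4:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    if not {"user", "src", "result"}.issubset(rec):
        return None
    return rec


def review_log(text, baseline=BASELINE, shared=SHARED_ACCOUNTS, max_failures=MAX_FAILURES):
    """Return the exception strings a daily reviewer must look at.

    Everything that matches the baseline is suppressed; what remains is
    shared-account use, logins outside the baseline, and failure bursts.
    """
    exceptions = []
    failures = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, src, host = rec["user"], rec["src"], rec["host"]
        if user in shared:
            exceptions.append(f"{rec['ts']} shared account '{user}' used on {host} from {src}")
        if rec["result"] == "failure":
            failures[(user, src)] += 1
            continue
        # A successful login not covered by the baseline is an exception.
        if user not in shared and host not in baseline.get((user, src), set()):
            exceptions.append(f"{rec['ts']} '{user}' from {src} logged into {host}: not in baseline")
    for (user, src), n in failures.items():
        if n > max_failures:
            exceptions.append(f"{n} failed logins for '{user}' from {src}")
    return exceptions


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        print(e)
```

On the sample, three exceptions surface: the `admin` login, `jsmith` reaching a host outside the baseline, and six failures for `mlee` from an outside address. The reviewer signs off on those three rather than on eleven lines, which is what makes a once-a-day review realistic.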
    41. Overcoming the Top PCI DSS Challenges
       Requirement 12: Maintain a policy that addresses information security
       • The written policy determines the controls used to ensure security and compliance with the PCI DSS
       • Must address all PCI DSS requirements, as well as:
          • Daily procedures
          • Usage policies for each technology, such as laptops and e-mail
          • Information security responsibilities for employees and contractors
          • Security awareness program for employees
          • Employee screening
          • Third-party vendor responsibility and accountability
          • Incident response plan
    42. PCI DSS: The Top Violations and Basic Remediation Strategies
    43. Top PCI DSS Violations
       [Bar chart: percentage of assessed organizations failing each of the listed requirements; bar values 98.4%, 97.5%, 99.2%, 95.1%, 92.6%, 90.9%, 83.6%, 74.6%, 68.9%, 48.4%, 8.1%, 7.4%; requirement labels not recoverable from this transcript]
       Source: Trustwave - 2011 Global Security Report
    44. Remediation Strategies
       • Segmentation: isolate Point-of-Sale (POS) systems / PCI workstations from the rest of the network environment
       • Default device configurations: change or remove them (if they exist)
       • Firewall / IPS: build a secure configuration; self-managed or outsourced
       • Log monitoring: applies to both POS systems and networking
       • Policies and procedures: templates available
    45. Summary
       • Make sure your firewall is configured correctly and working properly
       • No vendor-supplied default configurations and/or passwords
       • Make PCI data (specifically PAN) inaccessible and/or unreadable
       • Use secure applications and check for updates and patches often
       • Everyone gets their own UNIQUE user ID and password
       • Collect and store the necessary system logs, reviewing daily
       • Test at least quarterly to find vulnerabilities (e.g., network scans)
       • Write a security policy (update as needed) and educate/train ALL your employees
    46. AO:Compliance™ and Next Steps
    47. AO:Compliance Makes PCI Compliance as Easy as:
    48. Next Steps, If You Need Help
       AccuCode and our partners are ready to assist you with getting and staying PCI compliant.
       • Go to the AO:Compliance website to find out more about our compliance and security offerings: www.aocompliance.com
       • Contact us: compliance-info@accucode.com
       If you need help with other technology issues, AccuCode can assist you with that as well.
       • Visit the AccuCode website for more information about our other products and services: www.accucode.com
    49. Questions and Answers