Abstract: This presentation began with an introduction to the security strategies used in the past decades to protect sensitive data and mostly focused in securing the infrastructure. This is all tight back to the PCI-DSS framework and how this apply to organizations dealing with Cardholder Data (CHD). Then, emerging technologies are brought into the discussion along with their pros and cons. This includes technologies such as Point-to-Point Encryption (P2PE), magnetic strip vs EMV, tokenization, virtual terminals, among others. A real life project aimed to implement services in the cloud to de-scope certain segments from PCI-DSS in a mid-size university/hospital is discussed. © 2016 KELVIN MEDINA ALL RIGHTS RESERVED

1. 08/18/16, Nova Southern University, Fort Lauderdale, FL
Can you protect my Credit Card data? It is 2016 after all!
South Florida Information Systems Security Association (ISSA)

2. Can you protect my Credit Card data?
It is 2016 after all!
Emerging technologies, PCI-DSS Compliance & scope reduction
Mr. Kelvin Medina, QSA,CISSP, CISA, GCIH, SEC+, ITIL

3. Presenter
Mr. Kelvin Medina, QSA, CISSP, CISA, GCIH, SEC+, ITIL
Sr. Security Consultant, Trustwave
Contact Information
561-330-5757
kmedina@trustwave.com
https://www.linkedin.com/in/kelvinmedina

4. Presenter (Who is this guy anyway!?)
• Senior Security Consultant
– Emphasis around secure application development, source-code review, application testing and
cryptography in alignment with both the PCI Point-to-point Encryption (P2PE) & the Payment Application
Data Security Standard (PA-DSS).
• Information Security Engineer (ISE) at the University of Miami (UM)
– Internal consultant for IT enterprise compromised of more than 25k users, 700 plus applications, and
over $160 millions in credit card transactions per year across different facilities in South Florida
• Previously, Information Systems Security Officer (ISSO) at the US Navy
• Recent public engagements
– “Your biggest cyber threat? Naïve end-users”, United States Cybersecurity Magazine, January 2015
– Panelist, “Network Security and PCI-DSS”, South Florida Technology Alliance (SFTA), February 2015
• Education
– BS Computer Science, University of Puerto Rico
– MS Technical Management, Johns Hopkins University
– Global Pre-MBA Leadership Program, Yale University

5. Trustwave Product/Services
• Threat Management
– Managed SIEM
– Managed UTM
– Managed Network Access Control
– AND more!
• Vulnerability Management
– Managed Web Application Firewall (WAF)
– Managed Security Testing (Penetration Testing)
– Application Scanning, AND more!
• Compliance Management
– Payment Application (PA-DSS) Validation Services
– Point-to-Point Encryption (P2PE) Validation Services
– PCI Compliance, AND more!

6. PA-DSS, validation of payment applications
Initialization
Kick-off
Meeting
Information
Gathering
Application
Testing
Forensic
Review
Reporting
Submission
to PCI SSC
• Applicable to payment applications that
– Perform Authorizations
– Perform Settlements
• Changes to listed payment applications
– No-impact change
• Change of application description for
marketing purposes
– Low-impact change
• Changes that have minor impact to PA-DSS
reqs.
– High-impact change
• A new OS is added, changes to the
encryption mechanism, etc.

8. Securing the infrastructure, receipt for failure

9. Life according to PCI-DSS

10. What do I need to protect, anyway?

11. Emerging technologies and its challenges
• Naturally, technology moves fast
– In contrast to standards and
frameworks
• From startups to the typical
organization
– They are all creating new
ways to accept payments
• US FinTech Financing Activity
– Topped $12.21 billion in 2014

12. Moving toward a data centric approach
• Data centric approach
– Cell level security (e.g. Transparent Data Encryption (TDE) in Azure SQL)
– Encryption (e.g. P2PE)
– Security containers (e.g. MobileIron MDM)
• Social, Mobile, Analytics, and Cloud (SMAC)

13. The future, present (for some out there!)

14. Point to Point Encryption (P2PE) • Encryption of Cardholder Data
elements starting at POI
• End-to-End encryption (E2EE) is
not equal to P2PE
– Only a validated P2PE solution
has been accepted and listed
by PCI SSC
• Merchant-Managed Solution, ideal
for BIG merchant not looking to
give up their control
• P2PE SAQ includes only 26 PCI-
DSS Reqs.

15. Business Case: Achieving PCI-DSS compliance along with EHR?
• How to balance the
requirements of the
Electronic Health
Record (EHR) system
along with PCI-DSS?
• Over 300 points of
payment across
different cities
Physical Space Budget Constraints
Non-standardized Business
Processes
Lack of Executive Support
Challenges
Healthcare
Institution

16. Pilot project, hoping scope reduction!
• Use Desktop as a Service (DaaS) to reduce scope
EHR

17. What about… EHR and P2PE?
P2PE Credit Card Reader
Solution Provider
Data Decryption
Service

18. When shopping…
• Consider the following

19. Magnetic Stripe Technology
• Virtually no changes since its introduction in the 1960s
• Prone to
– Skimming (capture the track data)
– Shoulder-surfing or HD Camera
• (watch the PIN as it is being entered)

20. Europay, Visa, Mastercard (EMV) Technology
• EVM or smart cards were patented by in the 1970’s by France, Germany, and Japan
• Started as a way to store bank account information securely on a card

21. EMV Workflow

22. EMV Deadline for the US
• Liability fraud
shift from Issuer
to Merchant
– Oct 2015
• Not an actual
PCI-DSS
requirement

23. VISA expand Technology Innovation Program (TIP) Expanded
• VISA TIP now includes merchants who
process at least 75% of their transactions
through a PCI-validated P2PE solution
– Effective on April 1st, 2015
• Annual PCI-DSS validation assessment might
be waived

24. What is tokenization?
As per PCI-DSS “a process by which the primary account number (PAN) is replaced with a
surrogate value called a ―token. De-tokenization is the reverse process of redeeming a token
for its associated PAN value.”

25. Tokenization process

26. Tokenization scope reduction
• Merchant VS Tokenization Service Provider (TSP)

27. Panacea: Tokenization and encryption
• For real? Let’s see…

28. Mobile Payment Application (PA)
• 3 categories of Mobile Payment Applications
– Considered for PA-DSS
• Only Category 1 (PTS-approved) and 2 (purpose-built and bundled) devices
– Not considered for PA-DSS
• Category 3 devices (e.g. smartphones) not considered for PA-DSS PA
• This does not imply that not Category 3 applications cannot be used, but need to be custom built for
merchants or delivered as part of a service
• PCI SSC control does not extend to consumer applications
– PCI Mobile Payment Acceptance Security Guidelines
• Two guides: Merchants & Developers
– Secure devices and networks including segmentation
– Tokenization and data elimination
– Secure coding, etc.
Reference: https://www.pcisecuritystandards.org/documents/pa-dss_mobile_apps-faqs.pdf

29. Takeaways
• Whenever you consider a new product or service
– Weight pros and cons
• Use a security first approach
– Security is engaged as early as possible during the acquisition process
– See security as an integrated part of your business
• Clearly understand all the responsibilities
– Your responsibilities
– Your Vendor responsibilities
– Consult only with qualified organizations (e.g. QSA)
• Focus on security as an overall strategy for your business
• Read and understand the security requirements that apply to you!
• AND finally make informed, risk based decisions

30. THANK YOU