Latest status on PCI and PCI PA 2010
  1. Compliance Update - The importance of PCI DSS and PA DSS. Brooks Wallace, 25 November 2010. © 2010
  2. Agenda
     • Overview of PCI SSC
       – Changes to the Standards
       – Relationship between PCI and PA DSS
     • EMEA Fraud Trends
     • PA DSS Case Study
     • PCI DSS Case Study
     • About Trustwave
       – Compliance Solutions
       – Choosing a QSA
     • Summary
  3. Payment Card Industry Security Standards Council (PCI SSC)
  4. Who is the SSC?
     • Founded in 2006 by American Express, Discover, JCB, MasterCard and Visa
     • They are governed by an Executive Committee comprised of representatives from those card brands
     • Their primary objectives include:
       – Custodian of the PCI DSS, PA-DSS and PTS
       – QSA/PTS Lab education, certification and quality assurance
       – Final validation and listing maintenance for PA-DSS validated applications
  5. Overview of Standards Changes
     • October 28, 2010 – PCI DSS 2.0 Released
     • January 1, 2011 – PCI DSS 2.0 Effective
     • December 31, 2011 – PCI DSS 1.2.1 Retired
     • July 1, 2012 – Risk Ranking (PCI DSS 6.2) sunrise*
     * Affects PA-DSS 5.2.6 and 7.1
  6. Reasons for Change
     • Improve clarity
     • Improve flexibility
     • Align with industry best practices
     • Eliminate redundancy
     • Manage evolving risks / threats
  7. Change Categories
     • Additional guidance (2): Explanations and/or definitions to increase understanding or provide further information on a particular topic (e.g. scoping requirements).
     • Evolving requirements (3): Changes to ensure that the standards are up to date with emerging threats and changes in the market (e.g. data search for scope confirmation, vulnerability risk ranking).
     • Clarification (52): Clarifies the intent of a requirement. Ensures that concise wording in the standards portrays the desired intent of the requirements (e.g. encryption related to PAN, addition of ‘and router’ in 1.2).
  8. Frequent Questions
  9. Frequent Questions
     • Why is PA DSS compliance ‘suddenly’ important?
       PA-DSS has always been important, as insecure applications are the number one cause of data loss. A July 2012 deadline is in place for all merchants to use PA-DSS validated software or face penalties from the merchant’s acquiring bank.
     • If I use a PA DSS compliant application, am I PCI DSS compliant?
       No. PA-DSS only SUPPORTS PCI compliance; it does not ensure it. The merchant still has to validate their compliance with PCI DSS by showing that the application has been installed as per the vendor’s Installation Guide.
     • Does PA-DSS compliance save me money with PCI DSS compliance validation?
       Yes. Applications that are not PA-DSS compliant must be FULLY assessed and validated against the PCI DSS, which is complex and therefore time consuming. With PA-DSS compliant applications, the assessor need only confirm that the installation is as per the Installation Guide.
     • Does PA DSS compliance reduce the scope of my PCI DSS validation?
       No. PA-DSS only SUPPORTS PCI compliance; all devices that transmit, process, or store cardholder data are in scope for PCI compliance. PA DSS applications reduce the risk to cardholder data, but the systems on which they run must be secure.
  13. Get the Details
     • PCI SSC Website: www.pcisecuritystandards.org
       – List of Qualified Security Assessors (QSA)
       – List of compliant Payment Applications
       – Participating Organisations
       – List of QSAs in remediation
       – All standards and guidelines (some language support)
       – FAQs
     • Trustwave Webinar Archive: www.trustwave.com
       – PA DSS 2.0: What do you need to know?
       – PCI DSS 2.0: What can you expect?
       – PCI DSS Expert Panel: Your Questions Answered (1 December for EMEA)
  14. Global Security Report - 2010. On the Trustwave Web site: https://www.trustwave.com/whitePapers.php
  15. Incident Response – The Sample Set
     • 218 Investigations
     • 24 countries
     • 18% Found Inconclusive
       – No evidence of critical data leaving
       – Many factors impact an inconclusive case
     • Average of 156 Day Lapse Between Initial Breach and Detection!
  16. Incident Response – The Sample Set: Countries Represented in 2009
     Australia, Belgium, Canada, Chile, China, Cyprus, Denmark, Dominican Republic, Ecuador, Germany, Greece, Ireland, Luxembourg, Malaysia, Puerto Rico, Saudi Arabia, South Africa, Sri Lanka, Switzerland, Ukraine, United Arab Emirates, United Kingdom, United States, Virgin Islands.
     SpiderLabs visited 24 different countries in 2009 to perform
  17. Incident Response – The Sample Set: Industries. L4 Merchants make up over 90% of Trustwave investigations.
  18. Incident Response – Investigative Conclusions: Types of Data at Risk. Payment card data is a target for criminals looking to turn data into cash quickly.
  19. Incident Response – Investigative Conclusions: Types of Target Assets. While many POS vendors have patched their systems to support security controls, many companies are still running very old software.
  20. Incident Response – Investigative Conclusions: System Administration Responsibility. Third-party vendors are often negligent in their administration of security controls and best practices.
  21. Summary
     • Attackers are using old vulnerabilities
     • Attackers know they won’t be detected
     • Organizations do not know what they own or how their data flows
     • Blind trust in 3rd parties is a huge liability
     • Fixing new/buzz issues, but not fixing older issues
     • This is just the ‘low hanging fruit’; as PCI takes effect, the thieves will move on to easier targets
  22. Compliance Case Studies
  23. PA-DSS Case Study. Type: Payment Application Provider
     • Compliance Issues:
       – Ensure security of online and back-end processing
       – Address common data breach attack vectors (SQL injection, cross-site scripting)
       – Ensure SSL encryption for all transactions
     • Trustwave Solution:
       – Analyzed IT architecture to properly scope for compliance validation needs prior to assessment activity
       – Performed application penetration testing and PA DSS assessment
       – Provided an EV SSL certificate for necessary encryption with the highest degree of identity validation
  24. PCI Case Study. Type: Level 4 Merchant (Hospitality)
     • Compliance Issues:
       – Hospitality environment holds inherent risks
       – Multiple, often vastly distributed, locations – difficult to manage
       – Legacy systems, multiple third-party providers
     • Trustwave Solution:
       – Engaged TrustKeeper® compliance tool to easily manage scanning and questionnaires for multiple locations
       – Installed Unified Threat Management (UTM) at each location for ongoing perimeter management and protection, including firewall, intrusion prevention, content filtering and virtual private network
       – Pragmatic approach to assessment services utilising significant industry knowledge and experience
  25. About Trustwave
  26. Choosing a QSA. Choosing the RIGHT QSA is difficult; choosing the wrong QSA is disastrous. Questions you should be asking your QSA include:
     • How many of your QSAs have submitted a compliant RoC to either an acquirer or Card Scheme?
     • How many RoCs has your company submitted?
     • How do you compensate for the differing opinions of QSAs (based on their unique skill-sets)?
     • How many assessments has your company performed in my industry vertical?
     • Do you provide any other compliance related services?
     • How do you help clients maintain compliance?
  27. The leader in compliance and data security
     • MSSP with more than 1,400 devices under management
     • Monitor more than 18 million events per day
     • Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
     • Performed more than 4,000 network and application penetration tests
     • Conducted more than 740 forensic investigations
     • Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
     • PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40 percent of Payment Apps
     • Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); OIRA (2005)
  28. TrustKeeper Merchant Experience. www.trustwave.com
  29. TrustKeeper Merchant Experience: Help and Guidance. www.trustwave.com
  31. Summary
     • The PCI SSC is making it easier for you to understand the PCI and PA DSS standards
     • PA DSS compliant applications do not automatically make you PCI DSS compliant
     • Compromises are going undetected and hackers are using old vulnerabilities to get in
     • Choosing the right QSA is difficult, but many have the tools and skills to help you achieve compliance
     • Trustwave is a good resource for any merchant for information on PCI and PA DSS
  32. Thank You