PCI: The Essentials
Risk Factory: PCI - The Essentials
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com

The Essentials
• What PCI compliance is and why it's important
• Understand how to identify potential risks to card data within your business
• Foundation in data risk management
• How to communicate the importance of PCI to stakeholders
• The keys to achieving and maintaining compliance
• How to avoid fines

The Standard

Where did it come from?
Restaurants sue POS vendor over data breach: Dec '09. Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payment terminals that were not PCI-DSS compliant. They have to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals.

[Diagram: PCI Data Security Standard at the centre, with surrounding labels: Industry Best Practices; Forensics; Security Scans; ADC Results; Advisory Board; On Site Audits; Self-Assessment Questionnaire; Community Meeting; Approved Scanning Vendors (ASVs); Qualified Security Assessors (QSAs); Proactive feedback from QSAs, ASVs and POs]
The Standard

Applies to:
• Systems that store, process or transmit cardholder data
• Systems that connect to them
Compliance is mandatory – enforced through merchant services agreements

6 Goals, 12 Requirements
The PCI DSS standard is based upon the following 6 core principles and 12 requirements (264 control requirements):
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

264 Controls
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
1.1.4 Description of groups, roles and responsibilities for logical management of network components.
1.1.5 Documented list of services/ports necessary for business.
1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.
1.1.8 Quarterly review of firewall and router rule sets.
1.1.9 Establish configuration standards for routers.
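To show how 1.1.5 to 1.1.7 can be checked mechanically during the quarterly rule-set review of 1.1.8, here is an added example that is not part of the deck: a small Python review of a constructed rule set against a constructed documented-services list and justification record. The one-rule-per-line format, the port lists and the justification text are all assumptions made for the example.

```python
"""Firewall rule-set review against the documented services list (1.1.5),
the risky-protocol list (1.1.7) and the justifications recorded for them.
All rule and policy data below is constructed for the example."""
import re
from dataclasses import dataclass

# Constructed: the business-necessary services/ports list that 1.1.5 requires.
DOCUMENTED_SERVICES = {
    443: "HTTPS to payment gateway",
    22: "SSH administration from the jump host subnet",
    1194: "VPN for vendor remote support",
    69: "TFTP for the phone provisioning VLAN",
}

# Protocols 1.1.7 treats as risky; allowing one needs a documented reason and
# the security features in place. The justification record is constructed.
RISKY_PROTOCOLS = {21: "FTP", 23: "Telnet", 69: "TFTP"}
JUSTIFICATIONS = {
    69: "provisioning VLAN only, no card data, change record <placeholder id>",
}

# Simplified rule format assumed for the example: ACTION PROTO SOURCE dpt:PORT
RULE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+dpt:(?P<port>\d+)$"
)

@dataclass
class Finding:
    port: int
    severity: str
    message: str

def review_rules(rules_text: str) -> list[Finding]:
    """Return one finding per ACCEPT rule that needs attention in the review."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            findings.append(Finding(-1, "error", f"unparseable rule: {line!r}"))
            continue
        if m["action"] != "ACCEPT":
            continue  # only permitted traffic needs documentation
        port = int(m["port"])
        if port in RISKY_PROTOCOLS:
            if port in JUSTIFICATIONS:
                findings.append(Finding(port, "info",
                    f"{RISKY_PROTOCOLS[port]} allowed with justification: {JUSTIFICATIONS[port]}"))
            else:
                findings.append(Finding(port, "high",
                    f"{RISKY_PROTOCOLS[port]} allowed without documented justification (1.1.7)"))
        elif port not in DOCUMENTED_SERVICES:
            findings.append(Finding(port, "medium",
                f"port {port}/{m['proto']} from {m['src']} is not on the documented services list (1.1.5)"))
    return findings

# Constructed rule set: one risky-but-justified, one risky-unjustified and one undocumented rule.
SAMPLE_RULES = """
# constructed sample for the review
ACCEPT tcp 0.0.0.0/0 dpt:443
ACCEPT tcp 10.0.5.0/24 dpt:22
ACCEPT udp 203.0.113.10 dpt:1194
ACCEPT tcp 0.0.0.0/0 dpt:21
ACCEPT udp 10.0.9.0/24 dpt:69
ACCEPT tcp 0.0.0.0/0 dpt:3389
DROP tcp 0.0.0.0/0 dpt:23
"""

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f.severity}] port {f.port}: {f.message}")
```

The findings themselves are the evidence trail for 1.1.8: each one either gets a documented justification added or the rule is removed.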
The Structure

Cardholder Data?
[Card diagram with labels: Magnetic stripe; Chip; Card account number / card (PAN) number; Expiry date]

Controls-2-Data

Scoping

De-Scoping
• Network segmentation is not a PCI DSS control requirement
• De-scoping is where you set the cost baseline for the project.
• Take your time.
• The more you can take out of scope – the less it will cost to implement the controls.

Quiz 1
1. The PCI DSS applies to all systems that ________, __________, or _________ card data.
2. The PCI DSS is comprised of _________ principles, ___________ requirements and 264 controls.
3. The PCI DSS is a checklist of controls. True/False?
4. Controls only apply to systems “in scope”. True/False?
5. We can store sensitive card holder data. True/False?
The Players

The Players: Card Brands, PCI Council, Acquirers, QSA, ASV, Merchants, Service Providers

Relationships Matrix
[Matrix with axes: Acquirer; Merchant; Service Provider; Cardholder]

Concerns & Consequences
[Diagram labels: Cardholder Data; Cardholder; Targeted; Victimized; Government; Media; Regulatory Intervention; Scrutiny; Enforcement]

Cardholder Data Exposure
[Diagram labels: Service Provider; Service Provider; Payment Application]

Service Providers
Businesses that facilitate the processing, storage or transmission of card data on behalf of a Merchant or Acquirer. Any business requiring connectivity to a card holder network or application.
Quiz 2
1. The __________ issue fines for non-compliance.
2. A service provider is defined as either ______________ or __________________.
3. Merchant Levels are determined by the _________ of ___________ per __________.
4. QSAs are monitored by _______________.
5. The Acquirers set the compliance deadlines for the Merchants. True/False?

Compliance Process

Process

Key Documentation
• Card Data Security Policy
• Comprehensive Network Diagram
• Evidence
• 3rd Party Agreements
• End User Agreements
• Security Vulnerability Scan Reports
• Security Penetration Reports

Key Actions
• Gap Analysis
• Remediation
• Monthly Acquirer Reports
• Audit-ready (Evidence in place)
• Pass ASV scan
• Network Security Penetration Test
• Application Security Penetration Test
• Validation
• RoC to Acquirer / Card Brands
• Annual Revalidation

Process – not a checklist

• Identify
• Minimise
• Manage

Quiz 3
1. RoC is an acronym for ____________ on ____________.
2. AoC is an acronym for ____________ of ____________.
3. SAQ is an acronym for _________ ________ ________.
4. I need to pass both an ASV scan and penetration test prior to validation. True/False?
5. These quizzes are getting on my nerves. True/False?
Exercise

Situation: You have a bank owned terminal (BOT) taking credit card payments at your site. It is connected directly to the bank and is not connected to your local systems.
Problem: Is it “in scope” of PCI DSS? Design a process for determining your answer.
Dilemma: What problem do you still have?
The Policies

Framework

Policies
1. INTRODUCTION
• Required for the protection of client card data.
2. APPLICABILITY
• All employees, contractors and 3rd party suppliers.
3. COMPLIANCE
• Compliance Manager monitors & enforces
• Collaborative effort
• Non-compliance = disciplinary action
4. REVIEW, UPDATES & MAINTENANCE
• Annual
• 30 days after significant changes
5. EXCEPTIONS
• Require Compliance Manager’s prior approval
6. PROGRAM MANAGEMENT

Policies
6.1 ANNUAL DOCUMENTATION
• Current network diagram
• Card data asset register
• Card data flow diagram clearly indicating all credit card dependent business processes
• List of all roles having access to card data
• 3rd Party Statements of Compliance
6.2 INFORMATION SECURITY RISK ASSESSMENTS
• Annually
• Prior to significant changes
6.3 MINIMISE HOLDINGS
6.4 CARD DATA ASSET REGISTER
• Maintain current list of all devices hosting card data
6.5 ASSET CLASSIFICATION
• Hardware & software marked “Company Confidential”

Policies
6.6 EMPLOYEE CHECKS
• Staff with access to card data = criminal & credit checks
6.7 SECURITY TRAINING
• Initial
• Annual update
6.8 3rd PARTY CONNECTIVITY AGREEMENTS
• Condition of connectivity
6.9 3rd PARTY COMPLIANCE
6.10 3rd PARTY AUDITS
• Initial
• Annual verification

Policies
6.11 NETWORK SECURITY VULNERABILITY SCANNING
• Done quarterly – Pass – submitted to Acquirer
6.12 NETWORK SECURITY PENETRATION TESTING
• Annually
• After significant changes
6.13 APPLICATION SECURITY PENETRATION TESTING
• Applies to all applications that process/store/transmit card data
• Conducted prior to launch
• After significant changes
• Annually
7. SYSTEM SECURITY
7.1 FIREWALL & ROUTER CONFIGURATIONS
• As stated in Annex

Policies
7.2 PASSWORDS & SECURITY ADMINISTRATION
• Vendor accounts & defaults removed
• Admin access encrypted
• Configuration security build standards
7.3 CARD DATA STORAGE
• Minimise!
• Data Retention Policy
• Do not store authentication data
7.4 CARD DATA TRANSMISSION
• Encrypted when sent over public networks (email, etc.)
7.5 ANTI-VIRUS MANAGEMENT
• Software on all systems that process, store or transmit card data
7.6 SYSTEM MONITORING
• Quarterly testing for wireless
• Implement IDS
• File integrity monitoring
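The "identify what you have" step behind 6.3 (minimise holdings), 6.4 (asset register) and 7.3 (do not store authentication data) needs a way to find card data that has leaked into exports, logs and debug output. As an added example that is not from the deck, this Python scan reads a constructed data export, keeps only Luhn-valid PANs, flags any PAN followed by track 2 data, and reports masked values only. The sample export and the regular expressions are assumptions for the example; the card numbers are widely published test numbers, not real accounts.

```python
"""Locate stored PANs and track 2 data in exported text so holdings can be
minimised (policy 6.3 / 7.3) and recorded in the card data asset register (6.4).
Added example; the sample data is constructed and uses published test card numbers."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 sensitive authentication data looks like PAN=YYMM... right after the PAN.
TRACK2_TAIL = re.compile(r"=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out order numbers and references that happen to be long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_card_data(text: str) -> list[dict]:
    """Return one record per Luhn-valid PAN: line number, masked PAN, and whether it is
    followed by track 2 data, which must never be stored after authorisation."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        kind = "track2" if TRACK2_TAIL.match(text, m.end()) else "pan"
        hits.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "masked": mask_pan(digits),
            "kind": kind,
        })
    return hits

# Constructed sample export: two stored PANs, one non-card 13-digit reference,
# one debug line leaking track 2 data, and one digit string that fails Luhn.
SAMPLE_EXPORT = """\
2024-01-09 order 1002 card 4111 1111 1111 1111 exp 12/25 amount 42.00
2024-01-09 order 1003 card 5500000000000004 exp 01/26 amount 19.99
2024-01-09 order 1004 ref 1234567890123 amount 5.00
debug: track2=;4111111111111111=25121011000012345?
2024-01-09 order 1005 card 4111111111111112 exp 12/25
"""

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_EXPORT):
        print(f"line {hit['line']}: {hit['kind']} {hit['masked']}")
```

Every hit is either a retention decision (delete, or add the location to the asset register) or, for track 2, a defect to fix at the source, since that data may not be stored at all.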
Policies
8. APPLICATION SECURITY
• Software security development lifecycle procedures
• Change control procedures as detailed in Annex
• Patches
• Process to keep up to date with new application threats
9. LOGS & RECORDS
• System logs as detailed in Annex
10. SYSTEM USER SECURITY
• Need to know
• Password
• Screensaver, lock outs
11. PHYSICAL ACCESS CONTROLS
• Facility access control, locks, alarms
• Visitor badging
• Protection of hard copy card data

Quiz 4
1. The Card Data Security Policy only applies to your employees. True/False?
2. __________ is responsible for 3rd party compliance verification.
3. Credit and criminal records checks need to be conducted for all employees. True/False?
4. Identification badges are required for access to any facility. True/False?
5. This guy uses way too much mousse in his hair. True/False?
The Controls

Controls
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
1.1.4 Description of groups, roles and responsibilities for logical management of network components.
1.1.5 Documented list of services/ports necessary for business.
1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.
1.1.8 Quarterly review of firewall and router rule sets.
1.1.9 Establish configuration standards for routers.

Evidence
• Types
  • Observation (configuration or process)
  • Documentation
  • Interview
  • Technical (monitoring of network traffic)
• Required for each and every control!

Controls Example
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
Evidence: Observation (configuration); Observation (process); Documentation (firewall rule set); Interview (systems administrator); Technical (monitoring of network traffic)

Policy Example
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
Evidence: Observation (configuration); Observation (process); Documentation (policy); Interview (receptionist); Technical (none)

Compensating Controls
• Used only when a specific control cannot be implemented due to a business process
• Implement “risk-based” supplementary control(s)
• Designed for the business
• Accepted by the business
• Must be accompanied by supporting evidence
• Accompanied by supporting processes
Compensating Controls
(Worksheet columns: Information Required; Explanation; Example)

1. Constraints
   Explanation: List constraints precluding compliance with the original requirement.
   Example: Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.
2. Objective
   Explanation: Define the objective of the original control; identify the objective met by the compensating control.
   Example: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk
   Explanation: Identify any additional risk posed by the lack of the original control.
   Example: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
4. Definition of Compensating Controls
   Explanation: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Example: Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account but is able to be logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU account.
5. Validation of Compensating Controls
   Explanation: Define how the compensating controls were validated and tested.
   Example: Company XYZ demonstrates to the assessor that the SU command is being executed and that those individuals utilizing the command are logged, to identify that the individual is performing actions under root privileges.
6. Maintenance
   Explanation: Define process and controls in place to maintain compensating controls.
   Example: Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or logged.
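The validation and maintenance rows above ask for proof that every root action can be traced to a named individual through su. As an added example that is not the deck's material, this Python check reads constructed auth-log lines in the usual syslog su/sshd wording, attributes root sessions to the user who ran su, counts failed attempts, and flags any root session that did not go through su, which is exactly what would show the control has been bypassed. The hostname, addresses and log lines are assumptions for the example.

```python
"""Root-session accountability check for the su-based compensating control.
Added example; the log lines below are constructed in the usual syslog format."""
import re
from collections import Counter

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SU_OK = re.compile(TS + r" (?P<host>\S+) su\[(?P<pid>\d+)\]: Successful su for root by (?P<user>\S+)$")
SU_FAIL = re.compile(TS + r" (?P<host>\S+) su\[(?P<pid>\d+)\]: FAILED su for root by (?P<user>\S+)$")
# A root session opened by sshd or login rather than su bypasses the control entirely.
DIRECT_ROOT = re.compile(TS + r" (?P<host>\S+) (?P<svc>sshd|login)\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")

def root_accountability(log_text: str) -> dict:
    """Summarise root access: attributed su sessions per user, failed su attempts,
    and unattributed direct root logins that an assessor would flag."""
    report = {"attributed": Counter(), "failed": Counter(), "unattributed": [], "sessions": []}
    for line in log_text.splitlines():
        if m := SU_OK.match(line):
            report["attributed"][m["user"]] += 1
            report["sessions"].append((m["ts"], m["user"], int(m["pid"])))
        elif m := SU_FAIL.match(line):
            report["failed"][m["user"]] += 1
        elif m := DIRECT_ROOT.match(line):
            report["unattributed"].append((m["ts"], m["svc"], m["src"]))
    return report

def control_holds(report: dict) -> bool:
    """The compensating control is intact only if no root session bypassed su."""
    return not report["unattributed"]

# Constructed sample: two users gaining root via su, one failed attempt, and one
# direct root SSH login that the maintenance process (row 6) is meant to prevent.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 pos-db1 su[1203]: Successful su for root by alice
Jan 10 09:12:01 pos-db1 su[1203]: + /dev/pts/0 alice:root
Jan 10 09:40:22 pos-db1 sshd[1302]: Accepted password for root from 10.0.5.7 port 51012 ssh2
Jan 10 10:05:13 pos-db1 su[1419]: FAILED su for root by bob
Jan 10 10:06:02 pos-db1 su[1422]: Successful su for root by bob
Jan 10 11:30:45 pos-db1 su[1510]: Successful su for root by alice
"""

if __name__ == "__main__":
    rep = root_accountability(SAMPLE_AUTH_LOG)
    print("attributed:", dict(rep["attributed"]), "failed:", dict(rep["failed"]))
    print("unattributed root sessions:", rep["unattributed"])
    print("control holds:", control_holds(rep))
```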
Quiz 5
1. Name the four types of evidence generally required.
2. If you cannot implement a control you will fail the audit. True/False?
3. Compensating controls are _________ based and must be accepted by ___________________.
4. When designing a compensating control you must always consider the ____________ objective.
5. If I just nod once in a while, this guy actually thinks I’m listening to him. True/False?

Project Management

Milestones
• Risk based prioritisation of implementation of the controls established by card brands
• Milestone 1 – identify what you have, where you have it and write policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
• Milestone 6 – Auditing & testing

Timelines
• Missed deadline
• Milestones 1-4
• Validation
• SAQ
• AoC to Acquirer
• Annual Recertification

How will you get there?
• By starting and maintaining momentum!
• Document everything
• Monthly Acquirer reports
• Quick resolution of questions
• Compensating controls
• Site visits – practice audits
• Disseminating information

2 Words: Due diligence
The Messages

Intent
Give PCI a Chance! Minimise risk to card holder data

Business Messages
• Card brand service requirements
• Regulatory requirement
• Losses impact our clients
• Lost client confidence = Lost £
• System down time = Lost £
• Repair costs = Lost £
• Data theft & fraud = Lost £
• Reputation losses = Lost £
• Fines = Lost £

Employee
Security of our customer credit card data is critical to our mission. We’ve implemented a detailed security program to protect this data. Security is your responsibility. Security is everyone’s responsibility. Failure to meet this responsibility… We need your help and suggestions.

Partner
Protection of our customer data is mission critical to us. We have implemented a PCI DSS compliance program and are pending formal certification. Regulatory compliance is a shared responsibility. Connectivity to our systems requires compliance with PCI DSS controls as a condition of contract. How can we help you?

Customer
We are implementing a PCI DSS compliance program and are pending formal certification. We require all of our partners and suppliers to meet PCI DSS controls. We have implemented a rigorous security testing program to ensure the security integrity of our systems. Protection of your personal data is critical to our business. If you have any questions regarding our policies – do not hesitate to contact us.

Last Quiz
1. Name a business message.
2. Name an employee message.
3. Name a client message.
4. Name a partner message.
5. Name all five members of the original Jackson 5.

The Close

If Nothing Else, Remember
• PCI DSS is a “risk management framework”
• Implementation does not guarantee security
• A framework only serves to identify, minimise and manage the risk of compromise.
• At the day’s end - You still own the risk.

• Identify
• Minimise
• Manage

26 Dover Street, London, United Kingdom
+44 (0)20 3170 8955
+44 (0)20 3008 6011 (fax)
