Evolve Pci Compliance



  1. Donald Raleigh: The Mission Critical Aspects of PCI Compliance
  2. Copyright 2009 Evolve Systems®. Agenda
     • Compliance Overview
     • Cyber Threats
     • Payment Card Overview
     • PCI Compliance
     • Controls Framework
     • Questions
     PCI = Payment Card Industry; DSS = Data Security Standard
  3. Compliance Trends: The Regulatory Environment Represents a New Enterprise Challenge (timeline from 1970 to present)
     • Computer Security Act of 1987
     • EU Data Protection
     • HIPAA
     • FDA 21 CFR Part 11
     • C6-Canada
     • GLBA
     • COPPA
     • USA Patriot Act 2001
     • EC Data Privacy Directive
     • CLERP 9
     • CAN-SPAM Act
     • FISMA
     • Sarbanes-Oxley (SOX)
     • CIPA 2002
     • Basel II
     • NERC CIP 02-09
     • CISP
     • Payment Card Industry (PCI)
     • California Individual Privacy SB1386
     • Other State Privacy Laws (38)
     • Privacy Act of 1974
     • Foreign Corrupt Practices Act of 1977
  4. State Privacy Laws
     • Businesses must establish basic information security programs
     • Businesses must proactively manage their confidential consumer information
     • Businesses must take steps to know when their defenses have been breached
     • In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers, resulting in new security requirements
     Compliant infrastructures are required!
  5. Risks Have Increased as Technology Changed
  6. Unauthorized Users
  7. Attack Vectors
     • Virus attack
     • Spyware (intentional and unintentional)
       o Worms and Trojans
       o Image-embedded Trojans
     • Targeted attacks that exploit poor system configuration and vulnerabilities
     • Targeted attacks against a "friendly" who either loses your data or passes along the attack
     • Physical theft
     • System misuse by an authorized user
       o Internal staff
       o Third parties
  8. Stolen Account Data Value
  9. Scary Bedtime Stories: What is the cost of non-compliance?
     • DSW Shoe Warehouse's customer database was hacked, 1.4 million records were stolen, and the company recorded a reserve of over $6.5 million on its 2005 financial statements.
     • FTC fines ChoicePoint $10 million for unfair business practices for failure to protect consumer data.
     • Other headlines:
       - TJ Maxx causes several states to introduce new legislation to protect cardholder data.
       - Card Systems International forced to sell operations at a loss.
       - Ongoing compromises are driving changes in the DSS to include dual-factor authentication and wireless security.
  10. Costs of a PCI Compromise
     A hypothetical merchant compromises 10,000 accounts when a third-party service provider has a server stolen. What is the potential financial impact?
     • Notify clients and provide privacy guard: $50 x 10,000 = $500,000
     • Fines and penalties: $10,000 to $1 million
     • Loss of clients: 15% of 10,000 clients = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
     • Fraud liability (ADCR): 1,000 accounts x $500 = $500,000
     • Reputation loss: PRICELESS!
  11. Cardholder Verification Number (CVV2)
     (Card diagram labelling the Cardholder Verification Number (CVN), also known as CID/CVV2/CVC2, and the CVV.)
  12. PCI Relationship Matrix
     (Diagram of the parties involved: Cardholder, Merchant and the merchant cardholder environment, Acquiring Bank, Issuing Bank, Processor, Gateway, Service Provider, App Vendors.)
  13. Six Goals: Twelve Requirements. The Payment Card Industry Data Security Standard, the "Digital Dozen"
     Build and Maintain a Secure Network
       1. Install and maintain a firewall configuration to protect cardholder data
       2. Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
       3. Protect stored cardholder data
       4. Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
       5. Use and regularly update anti-virus software
       6. Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
       7. Restrict access to cardholder data by business need-to-know
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes
     Maintain an Information Security Policy
       12. Maintain a policy that addresses information security
  14. The Mandate: Merchant Levels Defined (merchant classification criteria by level)
     • Level 1
       - Visa & MasterCard: any merchant, regardless of acceptance channel, that processes over 6 million Visa or MasterCard transactions per year; has suffered a hack or an attack that resulted in an account data compromise; that Visa or MasterCard determines should meet the Level 1 merchant requirements; or has been identified by any other payment card brand as Level 1
       - AMEX: any merchant, regardless of acceptance channel, that processes over 2.5 million AMEX transactions
     • Level 2
       - Visa & MasterCard: any merchant that processes 1 million to 6 million Visa or MasterCard transactions, regardless of acceptance channel
       - AMEX: any merchant, regardless of acceptance channel, that processes 50,000 to 2.5 million AMEX transactions
     • Level 3
       - Visa & MasterCard: any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions
       - AMEX: any merchant, regardless of acceptance channel, that processes less than 50,000 AMEX transactions
     • Level 4
       - Visa & MasterCard: any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions, or processes fewer than 1 million Visa or MasterCard transactions, regardless of acceptance channel
  15. Compliance Validation Requirements (validation actions, scope, and validated by, per level)
     • Level 1
       - Annual on-site security audit; scope: authorization and settlement systems; validated by an independent assessor, or internal audit if signed by an officer
       - AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
     • Levels 2 & 3
       - Annual Self-Assessment Questionnaire; scope: any system storing, processing, or transmitting cardholder data; validated by the merchant, with optional support from a qualified vendor
       - AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
     • Level 4
       - Annual Self-Assessment Questionnaire; scope: Internet-facing perimeter systems; validated by the merchant, with optional support from a qualified vendor
       - Network scan recommended; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
  16. Case Analysis: Compromise by Industry
     The Food Service industry represents the majority of the compromises. The Retail industry is the next largest industry seeing compromises.
     (Pie chart: Food Service 52%, Retail 27%, with the remaining share (4%, 4%, 3%, 3%, 2% and smaller) split among Entertainment, Travel, University, Payment Processor, Telecom, Non-Profit/NGO, Media, Government, Petroleum, Medical, and Construction.)
  17. Top PCI DSS Violations
     #1 Requirement 12: Maintain a policy that addresses information security
     #2 Requirement 3: Protect stored data
     #3 Requirement 6: Develop and maintain secure systems and applications
     #4 Requirement 10: Track and monitor access to network and card data
     #5 Requirement 11: Regularly test security systems and processes
     #6 Requirement 8: Assign a unique ID to each person with computer access
     #7 Requirement 1: Install and maintain a firewall to protect cardholder data
     (Chart legend: violations found in more than 50% of forensic investigations; violations found in less than 50% of forensic investigations; violations found during initial PCI DSS audits.)
  18. New Self-Assessment Questionnaire (SAQ)
  19. Visa Fine Schedule* (other card associations have different costs)
     Data compromise or non-compliance with PCI requirements:
     • First violation: up to $50,000
     • Second violation: up to $100,000
     • Third violation: at Visa's discretion for more than two violations in 12 months
     Merchants who store full-track data:
     • Initial penalty of $50,000
     • Thereafter Visa assesses fines up to $100,000 monthly until track data is removed
     * Your fines may vary. Representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer.
  20. Assessment Scope: Where is the cardholder data?
     (Diagram of the environments and systems that hold cardholder data.)
     • Customer production environment
     • Acquiring bank (Wells Fargo, BoA, Chase)
     • Admin environment: portal access to reconciliation data (charge back / sales audit)
     • Transaction servers or payment gateway
     • Transaction record and archive
     • Data warehouse
     • Payment gateway and transaction database
     • Batch settlement
     • Application servers
     • Back office and customer service: marketing, customer service, e-commerce, phone/fax, gift cards, fraud, accounting/administration
     • Phone, fax, email
     • Web server (card not present)
     • POS terminals (card present in stores and parking facilities)
     • Authorization
     • Document vaults (paper records)
  21. New Visa Application Requirements (phase, compliance mandate, effective date)
     • Phase I: Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. Effective 1/1/08.
     • Phase II: VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant. Effective 7/1/08.
     • Phase III: Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. Effective 10/1/08.
     • Phase IV: VNPs and agents must decertify all vulnerable payment applications. Effective 10/1/09.
     • Phase V: Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. Effective 7/1/10.
     Oct 23 announcement from Visa: "It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised."
  22. Summary
     • Assessment vs. Audit
     • Penalties for non-compliance are high, but guidelines on "Assessment" procedures are marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
     • The testing procedures for each control activity are PRESCRIPTIVE: maintain evidence of controls
     • The Self-Assessment Questionnaire must track to the environment
     • Organizations may not understand the cardholder environment
     • The reporting process depends on the acquiring bank
     • There are more risks to manage than the test procedures measure
  23. What's One More Certification? Payment Application Best Practices (PABP)
  24. Knowledge – Action = Negligence
  25. Questions: Donald Raleigh, (651) 628-4000, don@evolve-systems.com, www.evolve-systems.com/paragon
