PCI Compliance – What’s the buzz?…
Neira Jones, Head of Payment Security, Barclaycard
23rd March 2011
Headlines…
• 18th October 2010: the UK Government published their National Security Strategy.
  – This placed "Hostile attacks upon UK Cyberspace by other states and large scale cyber crime" at the same level as International Terrorism and International Military threats.
• The Olympics are a target: in 2008, Beijing suffered 12 million cyber attacks per day.
  – These games ran (!) for 16 days: total number of attacks = 192 million.
  – The number of Internet users was estimated at 1.9 billion in June 2010*, a 23% increase since 2008.
  – As the number of internet users increases, a far larger attack statistic in 2012 is likely.
• A study by Cisco Systems (December 2010) projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013.
* Source: Miniwatts Marketing Group, 2010
Cloud Computing
• 2010: the Year of the Cloud (Salesforce.com, IBM, Google, Microsoft, Oracle, Amazon, Rackspace, Dell and others)
• The key opportunity for service providers is to differentiate themselves by becoming cloud service providers.
• Perceived key benefits for organisations considering a move to the cloud:
  – reduce capital costs
  – become more agile by divesting infrastructure and application management to concentrate on core competencies
  – opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements
• Key issues for organisations when determining migration decisions:
  – security and control
  – data-centre overcapacity and scale
  – availability of skilled IT people
The digital era…
• By 2015 there will be more interconnected devices on the planet than humans.*
• What’s mobile? What do I need to do?
• The most recent figures estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people.**
• Every year, we share more of ourselves online.
• Each time we do this, we place our data and our faith in the security measures taken by those managing it on our behalf.
* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010
Fraud news (UK)… ☺
• Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for a decade.
• This represents a 17% drop to £365M, compared to a 28% fall in 2009.
• Phone, internet and mail-order fraud (Card Not Present) fell 15%, compared to a 19% drop in 2009.
• Crooks still got away with £1 million/day.
• CNP fraud remains by far the biggest category.
“While another drop in fraud is good news, the crooks haven’t shut up shop, which is why there can be no room for complacency from the industry, shops or consumers.”
DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit
The challenges…
• Cloud computing
• Mobile infrastructure
• Third parties
• Governance or compliance?
• Risk management
Moving to the Cloud?...
• Use the Cloud Computing Reference Model provided by NIST.
  – ask cloud service providers to disclose their security controls
  – ask cloud service providers to disclose how these controls are implemented to the “consuming” organisation
  – “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step: it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.
NIST Cloud Reference Model
• Software as a Service (SaaS)
  – Sits on top of the IaaS and PaaS stacks
  – Self-contained operating environment to deliver the entire user experience
• Platform as a Service (PaaS)
  – Sits on top of IaaS
  – Additional integration layer with application development frameworks
  – Middleware
  – Programming languages and tools supported by the stack
  – Functions allowing developers to build applications on the platform
• Infrastructure as a Service (IaaS)
  – Lowest level infrastructure resource stack
  – Capability to abstract resources (or not)
  – Physical and logical connectivity to those resources
  – Provides a set of APIs which allows “consumers” to interact with the infrastructure.
[Diagram: the reference model stack, top to bottom]
  Software as a Service (SaaS): Presentation, APIs, Applications, Information (Data, Metadata, Content)
  Platform as a Service (PaaS): Integration & Middleware
  Infrastructure as a Service (IaaS): APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities
Cloud Computing and security
Cloud Computing isn’t necessarily more or less secure than your current environment.
• Does the risk of moving sensitive data and applications to an emerging infrastructure exceed your tolerance levels?
• The limitations on cloud computing growth will include issues of:
  – Data custody
  – Control
  – Security
  – Privacy
  – Jurisdiction
  – Portability standards for data and code
• Adopting cloud computing is a complex decision involving many factors: desktop applications, e-mail, collaboration, enterprise resource planning and potentially any application.
• The key consideration for a security architecture is that the lower down the SPI stack the cloud service provider stops, the more organisations will be responsible themselves for managing the risk to their assets.
Control & risk management
What degree of control and risk management will the organisation have for each of the cloud service models (SaaS, PaaS, IaaS)?
• Whilst the risk assessment depends on the “where” and “how” of the assets, it also depends on the following:
  – The types of assets being managed
  – Who manages them and how
  – Which controls are selected and why
  – What compliance issues need to be considered
• Consideration should be made for risk mitigation in each of the SPI tiers (SaaS, PaaS, IaaS), and compliance/regulatory requirements should be considered (e.g. PCI DSS, FSA, SOX, etc.).
Find the gaps!
[Diagram: the three models mapped side by side to find where controls and requirements do not line up]
  Cloud Reference Model: Presentation, APIs, Applications, Information (Data, Metadata, Content), Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities
  Security Control Model: Applications, Information, Management, Network, Trusted computing, Compute & Storage, Physical
  Compliance Model: DDA, FSA, PCI DSS, ISO 27002, DPA, SOX
Who does what?
The lower down the stack the cloud service provider stops, the more security capabilities and management “consuming” organisations are responsible for implementing & managing themselves.
• SaaS
  – Provider bears the responsibility for security.
  – Security controls and their scope are negotiated in the service contracts (SLAs, privacy, compliance, liability etc.).
• PaaS
  – Provider responsible for the security of the platform.
  – “Consuming” organisations responsible for:
    – securing applications developed against the platform
    – developing applications securely (e.g. OWASP Top 10).
• IaaS
  – Provider responsible for securing the underlying infrastructure and abstraction layers.
  – “Consuming” organisation will be responsible for the security of the remainder of the stack.
Evaluate cloud service providers
• Evaluating the risk for potential cloud service providers is a challenge:
  – ask cloud service providers to disclose their security controls
  – ask cloud service providers to disclose how these controls are implemented to the “consuming” organisation
  – “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step: it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.
For further reading, see http://www.cloudsecurityalliance.org/Research.html
What’s mobile? What do I need to do?
What does a mobile security policy look like? How do I enforce it?
• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)
What’s the buzz?
• The Visa TIP program promotes a risk-based approach.
• The banks want merchants to take a risk-based approach.
• The merchants want to take a risk-based approach.
• The PCI SSC has ‘blessed’ the adoption of a risk-based approach.
At the end of the day, what we all want is to stop sensitive information being exploited by fraudsters. The era of compliance for compliance’s sake is drawing to an end.
Barclaycard’s top ten tips
Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early.
3. Scope: understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically; once a year is advised).
Reduce Risk
6. Remove sensitive authentication data (SAD) storage as the top priority.
7. Prioritise risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have implemented EMV in their F2F channel.)
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually).
9. Assess the suitability of, and implement, risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS requirements, they will improve security and reduce risk.
10. If Compensating Controls are required, ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).
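Tips 3, 4 and 6 all come down to knowing where card data sits and whether sensitive authentication data sits next to it. The following Python scanner is an added example, not from the slides or from Barclaycard: it runs over stored application log lines, keeps only Luhn-valid candidate PANs (which removes most order numbers and timestamps), flags lines where CVV or magnetic-stripe track data has been written alongside a PAN, and reports PANs masked to first six / last four. The log lines are constructed for the example.

```python
import re

# Constructed sample of the kind of legacy log that tip 6 is about.
SAMPLE_LOG = """\
2011-03-23 10:01:02 auth ok pan=4111111111111111 cvv=123 exp=1213 amount=42.00
2011-03-23 10:01:05 auth ok pan=4111111111111112 amount=10.00
2011-03-23 10:02:11 track=%B5500000000000004^DOE/JOHN^13121010000?
2011-03-23 10:03:00 order=1234567890123 ref=tok_8f2a amount=9.99
"""

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")          # 13-19 digit runs
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)
TRACK_RE = re.compile(r"%B\d{13,19}\^")                    # track 1: %B<PAN>^


def luhn_ok(digits):
    """Luhn checksum: true for a plausible PAN, false for most other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four only, so the report itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (masked PANs, SAD flags) for a single log line."""
    pans = [m.group(1) for m in PAN_RE.finditer(line) if luhn_ok(m.group(1))]
    flags = []
    if pans and CVV_RE.search(line):
        flags.append("cvv")        # CVV stored with a PAN: SAD, never permitted
    if TRACK_RE.search(line):
        flags.append("track")      # full track data stored: SAD, never permitted
    return [mask(p) for p in pans], flags


def scan(text):
    """Return [(line number, masked PANs, SAD flags)] for lines holding a PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pans, flags = scan_line(line)
        if pans:
            findings.append((lineno, pans, flags))
    return findings
```

Line 2 is dropped because its number fails the Luhn check, and line 4 shows what a log should look like once tokenisation (tip 9) replaces the PAN with a reference.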
Third parties: do I have a choice?
How organisations can select service providers
For those who outsource…
• 324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites:
  http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
  http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• 867 Level 1 PCI DSS compliant service providers listed on the MasterCard website:
  http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20November%2029%202010.pdf
For those who want to retain control in-house…
• 724 PA DSS validated payment applications on the PCI SSC website:
  https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
Barclaycard’s position…
• We always recommend that our customers use Level 1 service providers, as self-assessment does not provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.