Best Practices for PCI Compliance
New England ISSA Chapter Meeting, July 19, 2007
The PCI-DSS Requirement
PCI-DSS 1.1 was released September 7th, 2006, in conjunction with the announcement of the PCI Security Standards Council (PCI SSC).
New requirements:
- 2.4 – Requirement for hosting providers
- 5.1.1 – Detection and removal of spyware, adware and other malware
- 6.6* – Application firewall or code review on web-facing applications
- 12.10 – Service providers only: maintain a list of "connected entities" and ensure that they are compliant
How do these new requirements apply to my organization? Merchants, service providers, hosting companies.
* Best practice until June 30, 2008, when it becomes a requirement
What is the PCI SSC?
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
PCI SSC members include Visa, MasterCard, American Express, Discover, and JCB.
PCI SSC committees:
- Technical Working Group (DSS)
- Technical Working Group (PED)
- Task Forces (ad hoc)
Two change factors:
- Feedback from merchants, service providers, banks, and Qualified Security Assessors
- Compromises
Best Practices for Data Protection
- Use discovery tools to locate unencrypted data
- Eliminate and purge data after its useful life
- Only send relevant data to internal customers
- Frequent and constant review
- Automate identity management
  - Build it into HR processes
  - Include periodic access reviews
- Evaluate encryption by platform and by application
- Re-engineer processes where needed
What are Assessors Looking For?
Diligence:
- Requirement 3 – Retention guides, sensitive data, and encryption
- Requirement 4 – Transmissions over "public" networks
- Requirement 7 – Need to know
- Requirement 8 – User/password controls
- Requirement 10 – Track and monitor
- Requirement 12 – Policy/contracts
Compensating controls (Appendix B), e.g. for mainframes (z/OS, OS/390, Tandem/HP NonStop)
Data monitoring: Where does the data go? Does it leave the control of the company? Paper is painful!
A Closer Look at PCI and Data Protection
(Diagram: external and internal users reaching a file server, mainframe and database; control layers shown are firewall, IAM, data protection (encrypt) and log.)
- Requirement 1: Install and maintain a firewall configuration
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt network transmissions of data
- Requirement 7: Implement strong access control
- Requirement 8: Assign a unique ID to each person
- Requirement 10: Track and monitor all access to cardholder data
Challenges with PCI and Data Protection
- Where is all of the sensitive PCI data?
- What about privileged user access and activity? Encryption doesn't help with privileged users!
- What happens if encryption keys are stolen?
- How can I verify whether I am protecting all the sensitive data?
- How and when do I know if data has been taken?
- Impact on computer system performance and business process: manage risk without disabling the business
It's Time to Re-Think Data Protection: The Layered Data Defense System
- Protect data from the "inside out"
- Data auditing is the foundation
(Diagram: data auditing as the foundation layer beneath encryption and security event management; end point monitoring of PCs, laptops and servers; monitor, audit and alert on users across file servers, mainframes, databases and channels such as CMF, email, FTP and other.)
Data Auditing and Protection
What is enterprise data auditing and protection? Data auditing and protection is the set of processes and the supporting infrastructure for monitoring and auditing the activity taking place in your critical data repositories, such as databases and file systems. It enables you to answer the following questions:
- Where is your data and who's accessing it? Privileged users, applications, system users
- What are they doing with the data? Creating, reading, updating or deleting; changing schema; exhibiting unusual behavior
- How do you protect your data? Alert administrators; alert a SIEM or other security products; generate reports
A New Approach to Data Auditing
A highly scalable, passive, network-centric approach with intelligent analytics:
- Decode network and local SQL and file server traffic
- Policy-driven audit of activity by location, operation, content, users, etc.
- Intelligent analytics to identify anomalous user behavior and issue alerts
- Reports provide detailed and summary views into activity
Data Auditing Lifecycle
The Importance of Discovery
PCI challenge: Where is the cardholder data? Is it encrypted? Should it be?
Solution: discovery across database servers and file shares
- Database/file operations
- Content: tables, columns, file names
- Users, location, time and session
- Content scanning for PCI: identifies data patterns such as credit card numbers (PANs) or magnetic stripe data (track data)
PCI requirements supported:
- Requirement 1: discover untrusted network access
- Requirement 3: discover unencrypted cardholder data
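The content-scanning step above is the part of discovery that is easy to get wrong: a naive 13-19 digit match flags order numbers and phone numbers, and track data stored in a free-text column is missed entirely. The scanner below is an added example written for this page, not Tizor's product or any code from the deck. It pairs a PAN regex with a Luhn check, recognises track 1 and track 2 layouts, reports table.column or file name as the location, and never emits more than the first six and last four digits. The file contents, table rows, column names and the public test card numbers are all constructed samples.

```python
"""Added discovery scanner: finds candidate PANs and magnetic-stripe track data
in file contents and database rows, validates PAN candidates with the Luhn
check, and reports only masked values (first six / last four digits).
All inputs below are constructed samples; the card numbers are the well-known
Visa/Mastercard/Amex test PANs, not real cardholder data."""
from __future__ import annotations

import re
from typing import Iterable

# A PAN is 13-19 digits, possibly broken up by spaces or dashes; the
# look-around guards stop us matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (%B<PAN>^<NAME>^<YYMM>...?) and track 2 (;<PAN>=<YYMM>...?) layouts.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from order numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(location: str, text: str) -> list[dict]:
    """Return findings for one blob of text (a file, a cell, a log line)."""
    findings: list[dict] = []
    seen: set[str] = set()
    # Track data first: a PAN embedded in track data is reported once, as track data.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = re.search(r"\d{13,19}", m.group()).group()
            seen.add(pan)
            findings.append({"location": location, "kind": kind,
                             "pan": mask_pan(pan), "luhn_ok": luhn_ok(pan)})
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if digits in seen or not luhn_ok(digits):
            continue                        # order numbers, phone numbers, IDs drop out here
        seen.add(digits)
        findings.append({"location": location, "kind": "pan",
                         "pan": mask_pan(digits), "luhn_ok": True})
    return findings


def scan_rows(table: str, rows: Iterable[dict]) -> list[dict]:
    """Scan database rows column by column so the report names table.column."""
    findings: list[dict] = []
    for row in rows:
        for column, value in row.items():
            findings.extend(scan_text(f"{table}.{column}", str(value)))
    return findings


def discovery_report(files: dict[str, str], tables: dict[str, list[dict]]) -> dict[str, int]:
    """Count unprotected cardholder data per location: the input to the
    'is it encrypted, should it be?' decision."""
    findings: list[dict] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    for table, rows in tables.items():
        findings.extend(scan_rows(table, rows))
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["location"]] = counts.get(f["location"], 0) + 1
    return counts


# Constructed samples: a file-share extract and one database table.
SAMPLE_FILES = {
    "share/customers.csv": (
        "id,name,card\n"
        "1,Alice Example,4111-1111-1111-1111\n"   # Visa test PAN, Luhn-valid
        "2,Bob Example,1234567890123456\n"        # 16 digits but fails Luhn
    ),
    "share/pos/swipe.log": (
        "%B378282246310005^DOE/JOHN^2512101?\n"   # track 1, Amex test PAN
        ";5500000000000004=2512101?\n"            # track 2, Mastercard test PAN
    ),
    "share/notes.txt": "Call 978-243-3212 about order 9876543210987654\n",
}
SAMPLE_ROWS = [
    {"order_id": 1, "card_number": "4111111111111111", "memo": "gift"},
    {"order_id": 2, "card_number": "enc:bXlzZWNyZXQ", "memo": "swiped: ;5500000000000004=2512101?"},
]

if __name__ == "__main__":
    for location, n in discovery_report(SAMPLE_FILES, {"orders": SAMPLE_ROWS}).items():
        print(f"{n} finding(s) in {location}")
```

Two design points matter for a real deployment: the Luhn filter is what keeps the finding count reviewable (notes.txt and Bob's row produce nothing), and scanning the memo column catches track data that a column-name heuristic such as "card_number" would never see.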
Automate Data Policies
PCI challenge: How do I create data auditing policies for PCI?
Solution: passive network monitoring with a strong yet flexible policy language
- Multiple facets of the communication: operation, content, user, location, hour, size, etc.
- Policy wizard
- Policy templates for PCI
PCI requirements supported: Requirement 10
Monitor Activity
PCI challenge: How do I gain visibility into activity involving PCI data?
Solution: reports and forensics
- PCI summary reports, detailed reports, custom reports
- Automated approval workflow and report signing
- Forensics: drill down into event details
PCI requirements supported:
- Requirements 1, 3, 6, 7
- Requirement 8: 8.4 – monitor passwords "in the clear"; 8.5 – identify dormant and shared user accounts
- Requirement 12.5 – monitor and control access to data
- Compensating control for the encryption requirement (Requirement 3)
Protect Data
PCI challenge: How do I protect against data breaches and data leaks?
Solution: intelligent analytics and alert policies
- Real-time, per-user behavioral profiling
- Simple anomaly operators used in policy
- Alert policies: issue alerts on suspicious behavior, unauthorized activities or other events (e.g. alert when a large number of PANs or credit card numbers are being accessed and/or moved)
PCI requirements supported: Requirement 10
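The "Automate Data Policies" slide lists the facets a policy can test (operation, content, user, location, hour, size) and this slide adds a per-user behavioral baseline as an anomaly operator. The engine below is an added example covering both, written for this page rather than taken from the deck or from Tizor's product. It runs a stream of decoded database events through four rules, one per facet, and learns each user's normal rows-per-read only from traffic that raised no alert, so the baseline cannot be inflated by the activity it is meant to catch. The events, subnets, object names, thresholds and the rule-to-requirement labels are all constructed assumptions.

```python
"""Added example: a policy-driven audit engine over decoded database traffic.
Each rule tests one facet of an event (operation, object/content, user,
location, hour, size); one rule uses a per-user baseline as an anomaly
operator. Events, networks, thresholds and requirement labels are assumptions
constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable

# Assumed environment: which objects hold PANs, which subnets are trusted,
# what counts as business hours, and which operations change schema.
CARDHOLDER_OBJECTS = {"cardholder_data", "payments_archive"}
TRUSTED_NETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]
BUSINESS_HOURS = range(8, 18)
SCHEMA_OPS = {"ALTER", "DROP", "CREATE"}


@dataclass
class Event:
    """One decoded database operation, as a passive network tap would see it."""
    ts: datetime
    user: str
    src_ip: str
    operation: str   # SELECT, UPDATE, ALTER, ...
    obj: str         # table (or file) touched: the "content" facet
    rows: int        # rows returned or affected: the "size" facet


@dataclass
class Profile:
    """Per-user baseline: rows per cardholder read, learned from quiet traffic."""
    count: int = 0
    total_rows: int = 0

    def mean(self) -> float:
        return self.total_rows / self.count if self.count else 0.0


def touches_cardholder(e: Event) -> bool:
    return e.obj in CARDHOLDER_OBJECTS


def rule_off_hours(e: Event, p: Profile) -> bool:
    return touches_cardholder(e) and e.ts.hour not in BUSINESS_HOURS


def rule_untrusted_location(e: Event, p: Profile) -> bool:
    src = ip_address(e.src_ip)
    return touches_cardholder(e) and not any(src in net for net in TRUSTED_NETS)


def rule_schema_change(e: Event, p: Profile) -> bool:
    return e.operation in SCHEMA_OPS


def rule_bulk_pan_access(e: Event, p: Profile) -> bool:
    """Anomaly operator: a cardholder read far above this user's own baseline.
    Requires a few samples first and a 100-row floor so tiny baselines don't alert."""
    return (touches_cardholder(e) and e.operation == "SELECT"
            and p.count >= 3 and e.rows >= 100 and e.rows > 5 * p.mean())


# (rule name, PCI requirement it supports, predicate)
RULES: list[tuple[str, str, Callable[[Event, Profile], bool]]] = [
    ("bulk PAN access above user baseline", "Requirement 10", rule_bulk_pan_access),
    ("schema change", "Requirement 10", rule_schema_change),
    ("cardholder access outside business hours", "Requirement 10", rule_off_hours),
    ("cardholder access from untrusted network", "Requirement 1", rule_untrusted_location),
]


def evaluate(events: list[Event]) -> list[dict]:
    """Run every event through the policy; return alerts in arrival order."""
    profiles: dict[str, Profile] = {}
    alerts: list[dict] = []
    for e in events:
        p = profiles.setdefault(e.user, Profile())
        fired = [(name, req) for name, req, pred in RULES if pred(e, p)]
        for name, req in fired:
            alerts.append({"ts": e.ts.isoformat(), "user": e.user, "rule": name, "pci": req,
                           "detail": f"{e.operation} {e.obj} rows={e.rows} from {e.src_ip}"})
        # Learn the baseline only from cardholder reads that raised nothing.
        if touches_cardholder(e) and e.operation == "SELECT" and not fired:
            p.count += 1
            p.total_rows += e.rows
    return alerts


def ev(hour: int, minute: int, user: str, ip: str, op: str, obj: str, rows: int, day: int = 19) -> Event:
    return Event(datetime(2007, 7, day, hour, minute), user, ip, op, obj, rows)


# Constructed audit stream: five routine application reads establish a baseline,
# then four events that each violate one facet, and one benign bulk read.
SAMPLE_EVENTS = [
    *[ev(10, m, "app_svc", "10.0.1.5", "SELECT", "cardholder_data", 20) for m in range(5)],
    ev(10, 30, "app_svc", "10.0.1.5", "SELECT", "cardholder_data", 20000),         # size anomaly
    ev(11, 0, "dba_jsmith", "10.0.2.9", "ALTER", "cardholder_data", 0),             # schema change
    ev(2, 15, "dba_jsmith", "10.0.2.9", "SELECT", "cardholder_data", 500, day=20),  # off hours
    ev(14, 0, "reporting_user", "203.0.113.7", "SELECT", "cardholder_data", 50),    # untrusted net
    ev(10, 40, "app_svc", "10.0.1.5", "SELECT", "products", 5000),                  # not PAN data
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['user']:<15} {a['rule']} ({a['pci']}): {a['detail']}")
```

Running it prints four alerts: the 20,000-row read by app_svc (a thousand times its learned baseline of 20 rows), the ALTER, the 02:15 read, and the read from 203.0.113.7; the 5,000-row read of the products table raises nothing because the size rule is scoped to cardholder objects.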
Beyond PCI
Avoid point solutions: target technology that enables monitoring and protection for multiple issues (PCI, SOX, GLBA, data theft, data breach).
It's a data problem, not a database problem: file shares, mainframes, desktops.
Questions? Michael Semaniuk, 978-243-3212, [email_address]
