PCI Compliance Fundamentals The Circuit

Brian Herman of StillSecure presented on PCI Compliance Fundamentals for The Circuit. He covered what PCI compliance is, why it matters, and suggestions for implementing it.


1. PCI Compliance Fundamentals (2011)
2. What is PCI Compliance?
   • PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC), the body founded by the payment brands (American Express, Discover, JCB International, MasterCard and Visa), to protect cardholder data. They cover:
     – Security management and monitoring
     – Policies & procedures
     – Network architecture
     – Software design
   • If you accept payment cards, you are required to be compliant with the PCI Data Security Standard (PCI DSS).
   • PCI as "the gold standard": compared to other standards, its requirements are clearly defined.
3. The PCI Data Security Standard
4. Why Is Compliance with PCI DSS Important?
   • A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
     – Regulatory notification requirements
     – Loss of reputation
     – Loss of customers
     – Potential financial liabilities (for example, regulatory and other fees and fines)
     – Litigation
5. Economics of a Credit Card Breach (Source: Coalfire)
   A hypothetical merchant has 10,000 card numbers and account holder information compromised. What is the potential financial impact to the merchant?

   Cost item                                                  Estimate
   Notify clients and provide privacy guard                   $30 x 10,000 = $300,000
   Fines and penalties from card brands and acquiring banks   $50,000 to $500,000
   Increased PCI audits and requirements for new controls     $50,000 x 3 years = $150,000
   Potential costs to re-issue credit cards                   10,000 accounts x $20 = $200,000
   Reputation loss                                            PRICELESS!

   Estimates are based on actual incidents examined by Coalfire's forensic team. Fees and services required vary by incident. For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com).
6. Why Is Compliance with PCI DSS Important? (continued)
   • Investigations after compromises consistently show common PCI DSS violations, including but not limited to:
     – Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
     – Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
     – Default system settings and passwords not changed when the system was set up (Requirement 2.1)
     – Unnecessary and insecure services not removed or secured when the system was set up (Requirements 2.2.2 and 2.2.4)
     – Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)
     – Missing and outdated security patches (Requirement 6.1)
     – Lack of logging (Requirement 10)
     – Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
     – Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)
   *Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
7. What are my organization's requirements?
8. Self-Assessment Questionnaire
   Does your company store any cardholder data in electronic format?

   SAQ    Requirement areas      Questions / requirements
   A      9 and 12               13
   B      3, 4, 7, 9 and 12      29
   C-VT   1-7, 9 and 12          51
   C      1-9, 11 and 12         80
   D      1-12                   286

   *Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
9. Policies and Procedures (by PCI requirement)
   • Requirement 1 (Install and maintain a firewall configuration to protect cardholder data): configuration standards; change control approval and testing process; firewall placement; maintain a current network diagram; description of roles & responsibilities; documentation and business justification of all ports, protocols and services; firewall and router review.
   • Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters): pre-production modifications; develop configuration hardening standards; removing/disabling insecure or unnecessary services, protocols and functionality; one function per server; encrypting all non-console access.
   • Requirement 3 (Protect stored cardholder data): limit duration of data retention; secure deletion; data types retained; display masking; safe storage; encryption key management.
   • Requirement 4 (Encrypt transmission of cardholder data across open, public networks): minimum encryption standards; wireless standards.
   • Requirement 5 (Use and regularly update anti-virus software or programs): antivirus validation, i.e. current, actively running and generating logs.
   • Requirement 6 (Develop and maintain secure systems and applications): vulnerability identification, ranking and management; patching and patch validation; secure application development and deployment; change control; code reviews.
   • Requirement 7 (Restrict access to cardholder data by business need to know): data control need-to-know requirements; role-based access.
   • Requirement 8 (Assign a unique ID to each person with computer access): authentication and password management policies and procedures; unique ID; user verification for password resets; employee termination; remove inactive users; vendor access; password length, duration and strength.
   • Requirement 9 (Restrict physical access to cardholder data): access control; badge assignment; visitors; media access, distribution and destruction.
   • Requirement 10 (Track and monitor all access to network resources and cardholder data): daily log review; exception handling; log retention and availability.
   • Requirement 11 (Regularly test security systems and processes): detect and identify wireless access points; alerting; incident handling and response; IDS/IPS configuration and updates; change control.
   • Requirement 12 (Maintain a policy that addresses information security for employees and contractors): information security policy; risk assessment; daily operational procedures; usage policy; personnel roles and responsibilities; monitoring & analysis; incident response and escalation plan; security awareness program.
10. Technologies (by PCI requirement)
   • Requirement 1 (Install and maintain a firewall configuration to protect cardholder data): firewall (network and personal); routers and switches; file integrity monitoring.
   • Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters): vulnerability scanning / management; VPN.
   • Requirement 3 (Protect stored cardholder data): encryption; backup / data retention.
   • Requirement 4 (Encrypt transmission of cardholder data across open, public networks): encryption; VPN; firewall; WAF; IDS/IPS.
   • Requirement 5 (Use and regularly update anti-virus software or programs): antivirus; file integrity monitoring; log management.
   • Requirement 6 (Develop and maintain secure systems and applications): vulnerability scanning / management; patch management; WAF.
   • Requirement 7 (Restrict access to cardholder data by business need to know): firewall; VPN; authentication; application-level access control.
   • Requirement 8 (Assign a unique ID to each person with computer access): multi-factor authentication; application-level access control; firewall; VPN.
   • Requirement 9 (Restrict physical access to cardholder data): PCI-certified data centers.
   • Requirement 10 (Track and monitor all access to network resources and cardholder data): log management; SIM/SIEM; file integrity monitoring; NTP service.
   • Requirement 11 (Regularly test security systems and processes): vulnerability scanning; IDS/IPS; file integrity monitoring; log management.
   • Requirement 12 (Maintain a policy that addresses information security for employees and contractors): log management; SIM/SIEM; IDS/IPS.
11. Ten Common Myths of PCI DSS
   • Myth 1 – One vendor and product will make us compliant
   • Myth 2 – Outsourcing card processing makes us compliant
   • Myth 3 – PCI compliance is an IT project
   • Myth 4 – PCI will make us secure
   • Myth 5 – PCI is unreasonable; it requires too much
   • Myth 6 – PCI requires us to hire a Qualified Security Assessor
   • Myth 7 – We don't take enough credit cards to be compliant
   • Myth 8 – We completed a SAQ so we're compliant
   • Myth 9 – PCI makes us store cardholder data
   • Myth 10 – PCI is too hard
   *Source: PCI Security Standards Council
12. Proven PCI Management Practices
   • Limit the scope of the PCI environment
   • PCI embedded in an overall security program
   • PCI-compliant policies, procedures and training
   • Monitoring and reporting
   • Due diligence of your service providers and vendors
   • Work with a QSA
   • PCI DSS general tips and strategies to prepare for compliance validation:
     1. Sensitive authentication data (the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks): NEVER STORE THIS DATA, even encrypted, after authorization.
     2. Ask your POS vendor about the security of your system.
     3. Cardholder data: if you don't need it, don't store it. Payment brand rules allow for the storage of the Primary Account Number (PAN), expiration date, cardholder name and service code, subject to the protections in Requirement 3.
     4. Cardholder data: if you do need it, consolidate and isolate it.
     5. Compensating controls may be used where a requirement cannot be met as written.
   *Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
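Slide 6 notes that many compromised merchants did not know their systems were storing magnetic stripe data, and slide 12 says never to store sensitive authentication data and to mask PANs on display. The following is an added example, not code from the slides or from StillSecure: a small cardholder-data discovery scan that a practitioner can run over POS logs, database dumps or file shares to find exactly that. It reports PANs only in masked form (first six and last four digits, the most PCI DSS 3.3 permits to be shown), flags track 1 and track 2 dumps as sensitive authentication data, and uses the Luhn check to filter out order numbers and timestamps. The regular expressions, the masking format and the sample log lines are my own assumptions; the Luhn algorithm and the track layouts are the standard ones.

```python
# Added example (not from the StillSecure slides): cardholder-data discovery
# over text such as POS logs, with Luhn validation and display masking.
import re

# Track 1 (format B): %B<PAN>^<cardholder name>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?\n]*\??")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?\n]*\??")
# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which every major card brand's PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return findings as {kind, masked, line}; the clear PAN is never echoed."""
    findings = []
    covered = []                # spans already attributed to track data (SAD)
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            covered.append((m.start(), m.end()))
            findings.append({"kind": kind,
                             "masked": mask_pan(m.group(1)),
                             "line": text.count("\n", 0, m.start()) + 1})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue            # PAN inside a track string was reported above
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drops order numbers, timestamps and the like
            findings.append({"kind": "pan",
                             "masked": mask_pan(digits),
                             "line": text.count("\n", 0, m.start()) + 1})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample log (not real data; 4111... and 5555... are the usual
# brand test numbers, which pass Luhn): a clear-text PAN in a sale record,
# a POS debug line that dumped track 1, one that dumped track 2, a 16-digit
# order number that fails Luhn, and a near-miss number that fails Luhn.
SAMPLE_LOG = """\
2011-03-02 12:00:01 POS-07 sale approved pan=4111 1111 1111 1111 amount=42.10
2011-03-02 12:00:02 POS-07 debug raw1=%B4111111111111111^DOE/JOHN^2512101?
2011-03-02 12:00:03 POS-07 debug raw2=;5555555555554444=2512101?
2011-03-02 12:00:04 POS-07 order_id=1234567890123456 status=ok
2011-03-02 12:00:05 POS-07 txn ref=4111111111111112 status=declined
"""

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

A hit of kind `track1` or `track2` is the worst case on slide 6: sensitive authentication data at rest, which no payment brand rule permits after authorization. A `pan` hit in a log or unencrypted file is a Requirement 3.4 finding (PAN stored readable). The Luhn filter keeps the noise down but is not proof: a scan like this is a discovery aid for scoping the cardholder data environment, not a substitute for the data-flow review the SAQ asks for.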