  1. Best Practices for PCI Compliance. New England ISSA Chapter Meeting, July 19, 2007
  2. The PCI-DSS Requirement
     - PCI-DSS 1.1 released September 7th, 2006
     - Released in conjunction with the announcement of the PCI Security Standards Council (PCI SSC)
     - New requirements:
       - 2.4: Requirement for hosting providers
       - 5.1.1: Detection and removal of spyware, adware and other malware
       - 6.6*: Application firewall or code review on web-facing apps
       - 12.10: Service providers only; maintain a list of "connected entities" and ensure that they are compliant
     - How do these new requirements apply to my organization?
       - Merchants
       - Service providers
       - Hosting companies
     * Best practice until June 30, 2008, when it becomes a requirement
  3. What is PCI SSC?
     - The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
     - PCI SSC members include Visa, MasterCard, American Express, Discover, and JCB
     - PCI SSC committees:
       - Technical Working Group (DSS)
       - Technical Working Group (PED)
       - Task Forces (ad hoc)
     - Two change factors:
       - Feedback from merchants, service providers, banks, and Qualified Security Assessors
       - Compromises
  4. Best Practices for Data Protection
     - Use discovery tools to locate unencrypted data
     - Eliminate and purge data after its useful life
     - Only send relevant data to internal customers
       - Frequent and constant review
     - Automate identity management
       - Build it into HR processes
       - Include periodic access reviews
     - Evaluate encryption by platform and by application
     - Re-engineer processes where needed
  5. What are Assessors looking for?
     - Diligence
       - Requirement 3: Retention guides, sensitive data, and encryption
       - Requirement 4: Transmissions over "public" networks
       - Requirement 7: Need to know
       - Requirement 8: User/password controls
       - Requirement 10: Track and monitor
       - Requirement 12: Policy/contracts
     - Compensating controls
       - Appendix B
       - Mainframes (z/OS, OS/390, Tandem/HP NonStop)
     - Data monitoring
       - Where does the data go?
       - Does it leave the control of the company?
       - Paper is painful!
  6. A Closer Look at PCI and Data Protection
     [Diagram: external and internal users reaching a file server, mainframe and database through a firewall, with IAM, data protection, encryption and logging layers. Labels:]
     - Requirement 1: Install and maintain a firewall configuration (Firewall)
     - Requirement 8: Assign a unique ID to each person (IAM)
     - Requirement 3: Protect stored cardholder data (Data protection)
     - Requirement 4: Encrypt network transmissions of data (Encrypt)
     - Requirement 7: Implement strong access control
     - Requirement 10: Track and monitor all access to cardholder data (Log)
  7. Challenges With PCI and Data Protection
     - Where is all of the sensitive PCI data?
     - What about privileged user access and activity?
       - Encryption doesn't help with privileged users!
     - What happens if encryption keys are stolen?
     - How can I verify whether I am protecting all the sensitive data?
     - How and when do I know if data has been taken?
     - Impact on computer system performance and business process: manage risk while not disabling the business
  8. It's Time to Re-Think Data Protection: The Layered Data Defense System
     - Protect data from the "inside out"
     - Data auditing is the foundation
     [Diagram: endpoints (PC, laptop) and channels (CMF, email, FTP, other) feed end-point monitoring; servers, file servers, mainframes and databases feed data auditing (monitor, audit, alert); encryption and security event management sit on this foundation.]
  9. Data Auditing and Protection
     - What is enterprise data auditing and protection?
       - Data auditing and protection is the set of processes and the supporting infrastructure for monitoring and auditing the activity taking place in your critical data repositories such as databases and file systems.
       - It enables you to answer the following questions:
     - Where is your data and who's accessing it?
       - Privileged users
       - Applications
       - System users
     - What are they doing with the data?
       - Creating, reading, updating or deleting
       - Changing schema
       - Exhibiting unusual behavior
     - How do you protect your data?
       - Alert administrators
       - Alert SIEM or other security products
       - Generate reports
  10. A New Approach to Data Auditing
     - A highly scalable, passive, network-centric approach with intelligent analytics
       - Decode network and local SQL and file server traffic
       - Policy-driven audit of activity by location, operation, content, users, etc.
       - Intelligent analytics to identify anomalous user behavior and issue alerts
       - Reports provide detailed and summary views into activity
  11. Data Auditing Lifecycle
     [Diagram only]
  12. The Importance of Discovery
     - PCI challenge:
       - Where is the cardholder data?
       - Is it encrypted? Should it be?
     - Solution:
       - Discovery:
         - Database servers and file shares
         - Database/file operations
         - Content: tables, columns, file names
         - Users, location, time and session
       - Content scanning for PCI
         - Identifies data patterns such as credit card numbers (PANs) or magnetic stripe data (track data)
     - PCI requirements supported:
       - Requirement 1: discover untrusted network access
       - Requirement 3: discover unencrypted cardholder data
  13. Automate Data Policies
     - PCI challenge:
       - How do I create data auditing policies for PCI?
     - Solution:
       - Passive network monitoring
         - Strong, yet flexible policy language
         - Multiple facets of the communication: operation, content, user, location, hour, size, etc.
         - Policy wizard
       - Policy templates for PCI
     - PCI requirements supported:
       - Requirement 10
  14. Monitor Activity
     - PCI challenge:
       - How do I gain visibility into activity involving PCI data?
     - Solution:
       - Reports
         - PCI summary reports
         - Detailed reports
         - Custom reports
       - Automated approval workflow and report signing
       - Forensics
         - Drill down into event details
     - PCI requirements supported:
       - Requirements 1, 3, 6, 7
       - Requirement 8
         - 8.4: monitor for passwords "in the clear"
         - 8.5: identify dormant and shared user accounts
       - Requirement 12.5: monitor and control access to data
       - Compensating control for the Requirement 3 encryption requirement
  15. Protect Data
     - PCI challenge:
       - How do I protect against data breaches and data leaks?
     - Solution:
       - Intelligent analytics
         - Real-time, per-user behavioral profiling
         - Simple anomaly operators used in policy
       - Alert policies
         - Issue alerts on suspicious behavior, unauthorized activities or other events
         - e.g., alert when a large number of PANs or credit card numbers is being accessed and/or moved
     - PCI requirements supported:
       - Requirement 10
  16. Beyond PCI
     - Avoid point solutions
       - Target technology that enables monitoring and protection for multiple issues:
         - PCI
         - SOX
         - GLBA
         - Data theft
         - Data breach
     - It's a data problem, not a database problem
       - File shares
       - Mainframe
       - Desktops
  17. Questions? Michael Semaniuk, 978-243-3212, [email_address]
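The discovery step on slide 12 (scan content for PAN and track-data patterns) and the policy and alerting steps on slides 13 to 15 (facets such as operation, user, hour and content; per-user behavioral profiling; alert on bulk PAN access) share one building block: a reliable PAN detector. The following is an added example, not the presenter's or any vendor's code, that implements both over constructed events shaped like what a passive SQL decoder might emit. The event field names, table names, the 50-PAN bulk threshold, the 08:00 to 18:00 business-hours window, the privileged-user list and the 5x anomaly factor are all assumptions made for the example; the PANs in the data are Luhn-valid test numbers, not real cards.

```python
"""Cardholder-data discovery plus policy and behaviour-based alerting over decoded SQL events.
Added example, not the presenter's or any vendor's code."""
import re
from collections import defaultdict
from datetime import datetime

# --- Discovery: PANs and magnetic-stripe track data in arbitrary text -----------------
# 13-19 digits, optionally grouped by spaces/dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# ISO 7813 layouts: track 1 '%B<PAN>^<NAME>^<YYMM>...', track 2 ';<PAN>=<YYMM>...'
TRACK1_RE = re.compile(r"%B([0-9]{13,19})\^[^^?]{2,26}\^[0-9]{4}")
TRACK2_RE = re.compile(r";([0-9]{13,19})=[0-9]{4}")


def luhn_ok(digits):
    """Luhn check-digit test; drops order IDs and other long numbers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Distinct Luhn-valid PANs in text, separators stripped, in order of first appearance."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return pans


def find_track_data(text):
    """(track, PAN) pairs; full track data must not be stored after authorisation (Req. 3.2)."""
    hits = [("track1", m.group(1)) for m in TRACK1_RE.finditer(text)]
    return hits + [("track2", m.group(1)) for m in TRACK2_RE.finditer(text)]


# --- Policy-driven audit (object names and thresholds are assumptions for the example) ---
POLICY = {
    "cardholder_objects": {"CARDHOLDER", "PAYMENTS"},  # tables known to hold PANs
    "business_hours": (8, 18),                        # 08:00-18:00 local time
    "bulk_pan_threshold": 50,                         # distinct PANs in one response
    "privileged_users": {"dba_joe"},                  # DBAs: encryption does not stop them
}


class Profiler:
    """Per-user baseline of PANs touched per event; a jump far above that user's own history is anomalous."""

    def __init__(self, factor=5, min_history=3):
        self.history = defaultdict(list)
        self.factor, self.min_history = factor, min_history

    def anomalous(self, user, pan_count):
        past = self.history[user]
        flagged = len(past) >= self.min_history and pan_count > self.factor * max(max(past), 1)
        past.append(pan_count)
        return flagged


def audit_event(event, profiler, policy=POLICY):
    """Evaluate one decoded event; return discovery findings plus the alert names it triggered."""
    pans = find_pans(event["payload"])
    tracks = find_track_data(event["payload"])
    touches_chd = event["object"] in policy["cardholder_objects"]
    start, end = policy["business_hours"]
    alerts = []
    if tracks:
        alerts.append("track_data_observed")
    if len(pans) >= policy["bulk_pan_threshold"]:
        alerts.append("bulk_pan_access")
    if touches_chd and not start <= event["ts"].hour < end:
        alerts.append("off_hours_cardholder_access")
    if touches_chd and event["user"] in policy["privileged_users"]:
        alerts.append("privileged_user_cardholder_access")
    if profiler.anomalous(event["user"], len(pans)):
        alerts.append("user_anomaly")
    return {"user": event["user"], "object": event["object"],
            "cleartext_pans": len(pans), "track_data": len(tracks), "alerts": alerts}


def run_audit(events, policy=POLICY):
    profiler = Profiler()
    return [audit_event(e, profiler, policy) for e in events]


# --- Constructed sample data (not a real capture) ----------------------------------------
def make_test_pan(prefix, seq):
    """Luhn-valid 16-digit test number built from a prefix and a sequence number."""
    body = (prefix + str(seq).zfill(15 - len(prefix)))[:15]
    return next(body + str(c) for c in range(10) if luhn_ok(body + str(c)))


def sample_events():
    ts = lambda h, m: datetime(2007, 7, 19, h, m)
    rows = lambda n: "\n".join(make_test_pan("4000", i) for i in range(n))
    ev = lambda h, m, user, op, obj, payload: {"ts": ts(h, m), "user": user, "op": op,
                                               "object": obj, "payload": payload}
    return [
        ev(9, 5, "pos_app", "SELECT", "PAYMENTS", rows(2)),
        ev(9, 40, "pos_app", "SELECT", "PAYMENTS", rows(1)),
        ev(11, 20, "pos_app", "SELECT", "PAYMENTS", rows(3)),
        ev(12, 10, "pos_app", "SELECT", "PAYMENTS", rows(40)),    # app account misused: 40 PANs, under bulk threshold
        ev(23, 15, "dba_joe", "SELECT", "CARDHOLDER", rows(60)),  # bulk pull by a DBA at night
        ev(14, 0, "batch_etl", "INSERT", "ORDERS_ARCHIVE",         # track 2 written into a non-cardholder table
           "INSERT INTO ORDERS_ARCHIVE VALUES (1001, ';4111111111111111=2512101?')"),
    ]


if __name__ == "__main__":
    for r in run_audit(sample_events()):
        print(f"{r['user']:10} {r['object']:15} pans={r['cleartext_pans']:3} alerts={r['alerts']}")
```

Two points the example makes that the slides only state: the fourth event trips no fixed threshold yet is caught by the per-user baseline, which is what behavioral profiling buys over static policy; and the last event shows why discovery must scan content rather than trust table names, since track data turns up in an archive table nobody tagged as cardholder data. The `cleartext_pans` count on every event is the Requirement 3 discovery answer (PANs readable on the wire), independent of whether any alert fired.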