PCI Compliance: Is Your Campus at Risk?
Kris Herrin, CSO, Heartland Payment Systems
NACCU – March 10, 2009

Agenda
• Introduction / Goals / Objectives
• Drivers: The 'Carding' Market
• Important Roles and Terms
• Myths of PCI Data Security Standard
• PCI DSS Compliance in 5 Easy Steps
  › Step 1: No Prohibited Data
  › Step 2: Scope, Scope, Scope
  › Step 3: Payment Application (PA-DSS)
  › Step 4: The DSS Requirements
  › Step 5: Compensating Controls
• What's New in PCI DSS v1.2
• Tips and Tricks
• Q&A

DISCLAIMERS
• IANAL – I Am Not A Lawyer
• IANTPS – I Am Not The PCI SSC
• IANAQSA – I Am Not A Qualified Security Assessor

Drivers: The 'Carding' Market
[Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against attacker skill (Script-kiddy, Hobbyist, Expert, Specialist), with the archetypes Vandal, Trespasser, Author, Thief and Spy; the Thief is marked as the fastest growing segment.]
Source: Steve Riley, http://blogs.technet.com/steriley

Drivers: Real-World Breaches
The stats:
• Card Present vs. Card Not Present
• Level 4 vs. Levels 1-3
• Universities as % Compromised
• Compromised Merchants Storing Full Track
• Merchant Issue vs. Third-Party Issue
All numbers available from Trustwave Global Compromise Statistics: https://www.trustwave.com/whitePapers.php

Important Roles and Terms

PCI Security Standards Council (DEFINE)
• Independent body
• Eliminates competing and overlapping brand-specific requirements
• Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Int'l
• Defines PCI DSS security and process requirements and other general security guidelines
• Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains certification lists
• www.pcisecuritystandards.org

Participating Brands / Payment Card Organizations (ENFORCE)
• Defines enforcement details
• Issues "mandates" that include scope, phases, dates, and fines
• Issues fines for non-compliance and storage of prohibited data
• Merchant or Service Provider Categorization
  › Levels 1–4 for Merchants
  › Levels 1–3 for Service Providers
  › Varying levels of audits, scans, and assessments based on level status

Acquirers / Processors (banks and processors that process transactions)
• Executes on bank card mandates with specific details
• Reports merchant compliance
• Interface between merchant and card brands
• Required to pass fines to merchants

ASVs / QSAs (AUDIT)
• Assess and validate compliance
• Reviews / approves scope
• Listed on the council Web site

Merchants, Service Providers (IMPLEMENT)
• Any organization accepting credit/debit card payments that stores, processes, or transmits cardholder data

Source: John Cebulski, Check Point, http://www.task.to/events/presentations/PCI_Toronto_Public.ppt

Myths of PCI DSS
1. You can buy PCI compliance in a box
2. Outsourcing processing makes you compliant
3. PCI is an IT problem
4. PCI Compliance = Security
5. PCI compliance is impossible to obtain
6. PCI requires an army of Qualified Security Assessors
7. PCI is only for the big companies
8. Filling out a SAQ makes you compliant
9. PCI requires storing more data
10. PCI is your processor's responsibility
Adapted from PCI SSC document PCI DSS Myths

Compliance Step #1: No Prohibited Data
Thou Shall Not Store Full Magnetic Stripe Data, CAV2/CVV2/CVC2, or PIN/PIN Block After Authorization
So ... are you storing this data?? How would you know?
• Tip #1: It is your responsibility to make sure your payment application is PABP / PA-DSS compliant, preferably listed on Visa's list of Validated Payment Applications (http://www.visa.com/cisp).
• Tip #2: If your payment application was simply upgraded to a 'compliant' version, chances are good that old data still exists.
• Tip #3: The only way to know for sure is to search for it. Commercial Data Loss Prevention (DLP) tools or open source search are required.

Compliance Step #2: Scope, Scope, Scope
• Definition #1: PCI applies to all system components that "store, process, or transmit cardholder data"
• Definition #2: "System components" are defined as any network component, server, or application included in or connected to the cardholder data environment
• Definition #3: "Network components" include firewalls, switches, routers, wireless access points, network appliances, and other security appliances
• Definition #4: "Server" types include web application, database, authentication, mail, proxy, network time protocol, and domain name server
• Definition #5: "Applications" include all purchased and custom applications, including internal and external (internet) applications
Basically ... any system that touches cardholder data AND anything that can touch those systems

Compliance Step #2: Scope, Scope, Scope
• Cardholder Data is defined as the full card number (aka Primary Account Number or PAN)
• To comply with PCI ... don't store, transmit, or process Cardholder Data
• Failing that, limiting the data and segmenting the systems can dramatically reduce scope, and, consequently, compliance cost
• To put it another way: you should try really, really hard not to store data
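Step 1's Tip #3 says the only way to know whether prohibited data exists is to search for it, and Step 2 defines cardholder data as the full PAN. The Python script below is an added example, not from the presentation: it runs a DLP-style search over constructed sample files (standard test card numbers, made-up paths), uses a Luhn check to separate real PAN hits from other long digit strings, flags full Track 2 data and stored CVV2 values as prohibited, and shows the 6/4-masked form that may be kept.

```python
import re

# Constructed sample files (standard test card numbers, not real cards) that a DLP-style search might find.
SAMPLE_FILES = {
    "admissions/export.csv": "name,card\nA. Student,4111111111111111\nB. Student,4012888888881881\n",
    "library/pos_debug.log": ";5555555555554444=25121010000012345678?\n",  # full Track 2 data
    "dept/notes.txt": "call 555 0100 ext 1234; order id 12345678901234\n",  # digits, not a PAN
    "bursar/receipts.txt": "card 411111xxxxxx1111 cvv2=123\n",  # masked PAN is fine, CVV2 is not
}

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")  # ';PAN=YYMM...' start sentinel of Track 2
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2|cav2)\s*[=:]\s*\d{3,4}", re.I)

def luhn_ok(digits):
    """Luhn mod-10 check: separates real PAN hits from phone numbers and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """The '6/4 mask' from the scoping slides: first six and last four digits only."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Findings for one file: full PANs (puts the system in scope) and prohibited data."""
    pans = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    pans = [p for p in pans if luhn_ok(p)]
    prohibited = []
    if TRACK2_RE.search(text):
        prohibited.append("track2")
    if CVV_RE.search(text):
        prohibited.append("cvv")
    return {"pans": pans, "prohibited": prohibited}

def scan_files(files):
    """Map each file holding cardholder or prohibited data to what it holds."""
    report = {}
    for path, text in files.items():
        found = scan_text(text)
        if found["pans"] or found["prohibited"]:
            report[path] = found
    return report

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(path, [mask_pan(p) for p in found["pans"]], found["prohibited"])
```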
Compliance Step #2: Scope, Scope, Scope: Network Segmentation 101
[Diagram 1, BAD: flat network. The POS system holds 5466 1601 1234 1234 and shares the network with Admissions, Library and College Departments; all systems are in scope.]
[Diagram 2, BETTER: two cardholder environments. The POS system and a second campus system each hold 5466 1601 1234 1234 in their own segment; the remaining systems are outside.]
[Diagram 3, BEST: one cardholder environment. Only the POS system holds 5466 1601 1234 1234; Admissions, Library and College Departments see only 5466 16xx xxxx 1234. This is called a '6/4 mask', and it must be done before the data gets to those machines to count!!]
Adapted from Visa's PCI DSS Seminar for Acquirers, Merchants and Agents

Compliance Step #3: Payment Application (PA-DSS)
Time for another acronym ... Payment Application Data Security Standard (PA-DSS)
• PA-DSS, originally Visa's PABP program, is targeted at payment app vendors
• PA-DSS applies to the payment application software/hardware only
• PCI DSS applies to merchant networks
[Diagram: standalone POS system and terminal]

Compliance Step #3: Payment Application (PA-DSS)
What do you need to know??
1. Call your vendor or acquirer to make sure your specific application (down to the version number) is NOT on Visa's known vulnerable list: this is the bad list
2. Check your specific application on Visa's Validated Payment Application List (http://www.visa.com/cisp): this is the certified good list
3. What if your app is on neither list?? Ask your application vendor and/or acquirer for attestation that the application is PA-DSS compliant
4. Last, keep in mind that just because the application is compliant does not mean your systems are compliant

Compliance Step #4: The DSS Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Compliance Step #5: Compensating Controls
Raise your hand if you think this stuff is complicated, complex, impossible to meet, and most companies cannot be compliant with this standard.
Now for the truth ...
• PCI compliant != 100% adherence to the standard
• Compensating controls exist when "an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints"
• Compensating controls are a legitimate way to become compliant and they are used by most companies

Compliance Step #5: Compensating Controls
Here are some important things you should know about compensating controls:
1. You can use compensating controls for any requirement except requirement 3.2 (prohibited data storage)
2. There are some requirements for compensating controls
   1. Must meet the "intent and rigor" of the original requirement
   2. Must provide a "similar level of defense" as the original requirement
   3. Must be "above and beyond" other requirements
   4. Must be "commensurate with the additional risk imposed"
3. Who decides all this?? Your assessor, your acquirer, and ultimately the card brand
4. Compensating controls must be revalidated annually

Compliance Step #5: Compensating Controls (worksheet example)
Requirement Number: 8.1: Are all users identified with a unique user name before allowing them to access system components or cardholder data?
1. Constraints (list constraints precluding compliance with the original requirement)
   Company XYZ employs stand-alone Unix servers without LDAP. As such, they each require a "root" login. It is not possible for Company XYZ to manage the "root" login nor is it feasible to log all "root" activity by each user.
2. Objective (define the objective of the original control; identify the objective met by the compensating control)
   The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk (identify any additional risk posed by the lack of the original control)
   Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
4. Definition of Compensating Controls (define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any)
   Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the "root" account and perform actions under the "root" account but is able to be logged in the SU-log directory. In this way, each user's actions can be tracked through the SU account.
5. Validation of Compensating Controls (define how the compensating controls were validated and tested)
   Company XYZ demonstrates to the assessor that the SU command is being executed and that those individuals utilizing the command are logged, to identify that the individual is performing actions under root privileges.
6. Maintenance (define process and controls in place to maintain compensating controls)
   Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or logged.

PCI DSS v1.2: October 2008

What's New in PCI DSS v1.2
• PCI DSS v1.2 was released October, 2008 and became effective immediately
• If you started your assessment before Dec 31, 2008, you can still use v1.1; otherwise you must use v1.2
• New Self Assessment Questionnaires were just uploaded
• Some new stuff, some not-so-new stuff:
  › Mostly clarifications (i.e. words people argued over)
  › Combined some requirements
  › New sunset dates for old wireless technologies (i.e. WEP)
  › Removed a magic 500K number from scoping (bad for service providers)
  › Generalized some things like intrusion detection

Tips and Tricks
• Tip #1: If you have a QSA, work with them. Don't withhold information.
• Tip #2: If you need help, engage a QSA as a consultant.
• Tip #3: Nobody said you have to test once at the end of your year! Get an interim ROC done.
• Tip #4: Ping your acquirer if you are having problems.
• Tip #5: Don't bury your head in the sand!! Be proactive.

Questions?
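To validate the SU compensating control in the worksheet above, an assessor wants evidence that every root session can be attributed to a named person. This Python check is an added example, not from the presentation: it parses constructed syslog-style su and sshd lines (host unix01, user names and the address are made up), counts root escalations per user, records failed attempts, and flags any root session that did not come through su, since such a session defeats the control.

```python
import re

# Constructed sample auth-log excerpt (host, users and address are made up); the su lines
# follow the shadow-utils / pam_unix syslog format, the sshd line OpenSSH's login message.
SAMPLE_LOG = """\
Mar 10 09:12:01 unix01 su: (to root) alice on pts/0
Mar 10 09:12:01 unix01 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar 10 09:40:15 unix01 su: (to root) bob on pts/1
Mar 10 09:41:02 unix01 su: FAILED su for root by carol
Mar 10 10:02:44 unix01 sshd[2041]: Accepted password for root from 10.0.0.5 port 51022 ssh2
"""

SU_OK = re.compile(r" su: \(to root\) (\w+) on (\S+)")
SU_FAIL = re.compile(r" su: FAILED su for root by (\w+)")
DIRECT_ROOT = re.compile(r" sshd\[\d+\]: Accepted \w+ for root from (\S+)")

def audit_root_access(log_text):
    """Attribute every root session to a person; root access that bypassed su is untracked."""
    report = {"su_by_user": {}, "failed": [], "untracked_root": []}
    for line in log_text.splitlines():
        m = SU_OK.search(line)
        if m:
            user = m.group(1)
            report["su_by_user"][user] = report["su_by_user"].get(user, 0) + 1
            continue
        m = SU_FAIL.search(line)
        if m:
            report["failed"].append(m.group(1))
            continue
        m = DIRECT_ROOT.search(line)
        if m:
            # A direct root login has no individual behind it: exactly the risk the worksheet names.
            report["untracked_root"].append(m.group(1))
    return report

def control_holds(report):
    """The compensating control meets 8.1's intent only if no root access escaped su."""
    return not report["untracked_root"]

if __name__ == "__main__":
    r = audit_root_access(SAMPLE_LOG)
    print(r)
    print("compensating control holds:", control_holds(r))
```

On a real server the same check would be run over the su log directory named in the worksheet rather than an inline string.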