2011 secure payments summit
TRANSCRIPT
-
8/6/2019 2011 Secure Payments Summit
1/113
Chris Johnson, Fraud Monitoring & Incident Response
October 19, 2010
The Cyber Landscape
Data Breach Trends
- Infiltration: technical skill required is low
  - Insecure passwords / remote access
  - Lack of firewalls or segmentation
  - Input validation
- Food & Beverage, Retail, and Hospitality targeted
  - Common POS integrators, franchises, interconnected businesses
  - Shared/default remote access passwords
  - Shared/default internal passwords
- Franchise breaches: an aggregate of small exposures, larger investigation scope
Card-Present Data Breach
Root causes:
- 3rd-party managed payment systems with shared/default passwords
- Remote access with insecure passwords
- Default or insecure passwords on public-facing computer systems
- Lack of firewalls or incomplete segmentation from non-payment environments
- SQL injection / xp_cmdshell
Common POS Integrators/Franchises
[Diagram: POS Integrator, Internet, Hacker, and three merchant POS systems that all share the same remote access credentials (Username: POSSY / Password: POSSY)]
Interconnected Franchise
[Diagram: Corporate, Internet, Hacker, and three interconnected franchise systems that all share the same credentials (Username: POSSY / Password: POSSY)]
Data Breach Trends
Data Gathering and Proliferation
- Sophistication and methodology have increased
  - Automation
  - Internal network reconnaissance
  - Malware distribution
  - Card data harvesting
  - Alteration of POS configuration files
  - Encryption of card data
  - Modification of file time stamps
  - Secure deletion of evidence
- Volume of per-incident exposure declining: PA-DSS compliant applications don't store track data
Von Neumann and Data Extraction
[Diagram: the Von Neumann machine model (Input; CPU; Input/Output; Working Storage = DRAM; Permanent Storage = hard disk; Output = network, keyboard, monitor) paired with the data-extraction tool that targets each part: keylogger, network sniffer, screen capture, memory parser, file exfiltration]
Memory Parsers
- First seen in 2008; consisted of separate off-the-shelf tools: a memory dumper and a track data parser
- Early versions had flaws: caused the POS system to run out of disk storage, crashed
- Evolved into stable malware: self-contained application, encrypted track data, modified timestamps of the encrypted data, recompiled often to avoid antivirus detection and to target additional POS systems
- Hotel/lodging and food/beverage franchise industry primarily targeted
Card-Not-Present Data Breach
Characteristics
- Shopping carts with known vulnerabilities (Google dorks)
- Lack of input validation: SQL injection, Remote File Include, Cross-Site Scripting (XSS), etc.
- Automated tools for input validation vulnerability detection and exploitation
SQL Injection
[Screenshot: a login form (Username, Password, Submit) whose username field holds the injected input
or 1=cast((Select cardname, cardnum from order where orderid > 0) AS int) --
and the application's response:
Error: Could not convert John Doe, 6011-0000-0000-0000 to an integer]
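The login form on this slide is the classic pattern of untrusted input concatenated into a query. The SQLite script below is an added illustration, not code from the deck: it builds the vulnerable query and its bound-parameter counterpart, uses SQLite's authorizer hook to record which tables each login statement reads, and feeds both the slide's payload; the table name `orders`, the sample rows, and the joining of the two columns into one string are my assumptions. SQLite's CAST yields 0 instead of raising the conversion error shown on the slide, so what the trace demonstrates is that the injected subquery ran against the card table at all, which the parameterized version never does.

```python
import sqlite3

# Constructed sample data for this demo (not from the slide deck).
SAMPLE_USERS = [("alice", "s3cret")]
SAMPLE_ORDERS = [(1, "John Doe", "6011-0000-0000-0000")]

# The slide's injected input, adjusted for SQLite: the table is called
# `orders` (ORDER is a reserved word) and the two columns are joined into
# one string, which is the value the slide's error text shows being cast.
SLIDE_PAYLOAD = ("' or 1=cast((select cardname || ', ' || cardnum "
                 "from orders where orderid > 0) AS int) --")


def make_db():
    """In-memory database with a login table and a table of stored card data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE orders (orderid INTEGER PRIMARY KEY, cardname TEXT, cardnum TEXT);
    """)
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def run_and_trace(conn, sql, params=()):
    """Execute `sql` and report which tables SQLite read while doing so.

    The authorizer hook fires at prepare time for every column reference, so it
    records the tables a statement touches even when no row comes back.
    """
    touched = set()

    def authorizer(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_READ and table:
            touched.add(table)
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    try:
        rows = conn.execute(sql, params).fetchall()
    finally:
        conn.set_authorizer(lambda *args: sqlite3.SQLITE_OK)  # disarm the tracer
    return rows, sorted(touched)


def login_vulnerable(conn, username, password):
    """The pattern behind the slide: user input pasted into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return run_and_trace(conn, sql)


def login_safe(conn, username, password):
    """Same query with bound parameters: the input can only ever be a value."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return run_and_trace(conn, sql, (username, password))


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(make_db(), SLIDE_PAYLOAD, "x"))
    # -> ([], ['orders', 'users']): the login statement read the card table
    print("safe:      ", login_safe(make_db(), SLIDE_PAYLOAD, "x"))
    # -> ([], ['users']): the payload is just an unknown username
```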
Emerging Attacks and Predictions
- Merchant credential theft: fraudulent credits to debit accounts
- Mass SQL injection: large-scale automation of SQL injection
- Cardholder system infections
Questions?
Social Media & Your Compliance
Speaker: Bill Uptmore, CISSP, CISA, EMC Practice, [email protected]
Social Media & Your Compliance
- Risk to Compliance
- What Happens?
- Challenges
- Common Issues
- How to Limit Exposure
Risk To Compliance
- Statement of the Federal Trade Commission's Bureau of Competition on Guidelines for Merger Investigations (http://www.ftc.gov)
- FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications (also see Regulatory Notice 10-06 (2010))
- FDA Prescription Drug Requirements
- Legal Hold
What Happens
- Your company & your reputation
- Lawsuit(s)
- Fines
- More regulatory scrutiny
- Someone may be held accountable
Connecting The Dots
- An employee has good news on a potential acquisition
- The employee puts the information on a social network site (the company is not stated)
- Three more employees share the acquisition, but no one has stated the company name
- All employees work for the same company
- Someone connects the dots. Now what?
Challenges
- Companies are not prepared to deal with the fast changes in how their employees communicate
- Consumer demand
- Lack of training
Common Issues
- Res gestae statement
- Miscommunication
- Filter? What filter?
- Statement taken out of context
- People will be people
- Cumulative impact
How Does It Happen?
- We have become too open in what we say
- We have become conditioned to share the moment
Information Discovery
- Social media monitoring
- A social networking site could be subpoenaed
How To Limit Exposure
- Provide training
- Security matters
- Do your diligence
Next Generation Firewalls: Threats Have Evolved, But Has Your Firewall?
Dmitriy Ayrapetov, Product Line Manager, SonicWALL
Quick Quiz: Real or Fake?
[Five screenshots to classify; answers: FAKE, REAL, REAL, FAKE, FAKE]
How does malware get on my computer?
- Application-level attacks
  - Browser drive-by downloads (IE, Firefox, Safari)
  - Application exploits (Adobe Reader, Sun/Oracle JDK, Flash, Office)
- No or little user intervention required
Application Level?
Malware is an economy
- Your infected computer is a resource
  - Ransomware/keyloggers: your data
  - Botnets/spam: your resources & liability
  - Fake AV: your money & time
- Applications are ubiquitous
- Applications are easy to target: think ROI!
- "the average price for renting a botnet is $67 for 24 hours, and $9 for hourly access" (http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528)
But I Already Have A Firewall!
[Diagram: a stateful firewall that classifies traffic by port alone (80 = HTTP, 443 = HTTPS, 21 = FTP, 3389 = RDP); its report reads "Some Web Traffic, FTP, RDP, HTTPS. Everything's OK!", with everything on the web ports lumped together as "Web Traffic"]
Great, What Else?
Application chaos:
- Applications tunneling through a few ports
- Many, many applications
- Traditional bandwidth management can't keep up
Control the bad, prioritize the good:
- Full application control
- SSL traffic inspection
- Content security
Evolution of Firewalls
- Stateful Packet Inspection: the addressing of the envelope (stateful inspection)
- UTM: the contents of the envelope/letter (Deep Packet Inspection, DPI)
- Next Generation Firewall: the subject of the letter
Do you ever wonder...
- What's really on my network?
- Where's all my bandwidth going?
- Where is this traffic coming from?
- What are the threats?
Visualize??
- Application traffic: application breakdown, user breakdown, country identification
- Dig deeper with filtering
- Apply application control
So, Again, What Does an NGFW Do?
- Identify and control applications and users
- Block intrusions
- Block malware and threats
- Enforce content security
- All of the above, but for SSL traffic as well
- Importantly, not hinder performance and LET YOU WORK
Q&A
Where Privacy Meets PCI
Chris Zoladz, Navigate LLC
Events Making PCI/Privacy a Business Priority
- Consumer and regulator expectations have never been higher
- State security breach laws result in privacy lapses being public events
- The Massachusetts privacy law could be a game changer
- U.S. federal privacy law is likely
U.S. State Security Breach Laws
- 46 states, including the District of Columbia, have a breach law
- The laws are similar but not the same; differences include:
  - Definition of a breach
  - Inclusions and exceptions
  - Definition of PII
  - Notification requirements
- Learn more: http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
The Maryland Law
- Covers both paper and electronic data
- Name in combination with social security number, driver's license number, or credit card number
- Notification exemption if the data is encrypted
- The State Attorney General must be notified before any notifications to Maryland residents are sent
Notification Content & Requirements
- Explain what happened, why, and how the person can protect themselves
- De facto practice is to offer 1 year of free credit monitoring service
- Sent to all affected individuals, or communicated to major media if individual notification is not practical
- Certain State Attorneys General (e.g., MA, MD, NC) and Consumer Protection Offices must be notified
Notification Content & Requirements
- Sending notification letters
- Credit monitoring service
- Call center to handle questions
- Legal fees
- Lost productivity of employees that are part of the incident response effort
- Potential FTC settlements
- Loss of customer, public and regulator trust
- A recently released Ponemon Institute study disclosed a cost of $216 per record
Massachusetts In Detail
- Written Information Security Program (WISP)
  - Designated program owners
  - Employee training
  - Policies: possession of PII outside the facility; remote access to PII; disciplinary actions for violations
  - Inventory paper and electronic records as well as systems and media
  - Regularly monitor and annually review security measures
  - Encrypt PII on laptops and portable devices
  - Service provider program
  - Limit the collection, storage and access to PII
  - Risk assessments
  - Incident response
  - Specific computer security requirements
- Learn more: http://www.mass.gov/?pageID=ocahomepage&L=1&L0=Home&sid=Eoca
The FTC is Also an Enforcer
- "Privacy is a central element of the FTC's consumer protection mission." (Source: www.ftc.gov/privacy)
- Focuses on unfair or deceptive trade practices
- Settlements:
  - Range from tens of thousands to millions of dollars
  - Include agreement by the company to independent oversight of their information security program for up to ... years
EU Data Protection Directive
- Went into effect in 1998
- Key requirements: notice, choice, onward transfer, security, data integrity, access, enforcement
- (Note: Canada, Australia, Russia and others have similar national laws)
Don't Think If, Think When
- Incident response planning
- Learn from others: was their weakness your weakness? http://www.privacyrights.org/ar/ChronDataBreaches.htm
- You can't plan for every scenario, but you can plan for many of them
- An effective plan is the difference between a well-managed event and a disaster
Elements of an Incident Response Plan
- Form a response team
- Incident discovery and confirmation
- Isolate and remediate
- Notification
- Analysis/explanation
- Close-out
- Practice the plan
- Execute with speed
- The plan should be reviewed by legal counsel
Are You Prepared?
A person calls the IT Director on Monday morning, the heaviest online sales day of the week, and:
- Claims to have penetrated the company's website through a common vulnerability and to be recording every keystroke entered on the website
- Provides the last 10 credit card numbers entered on the website as evidence
- Is requesting a $50,000 consulting fee to help the company strengthen its website security
- Provided a bank account and routing number for a wire transfer . . .
Initial Questions
- What would you do first?
- What if the caller's information regarding the last 10 transactions is accurate?
- Has the website really been compromised, or is the caller receiving data from an employee?
- Would you shut down the website?
- Would you immediately call law enforcement for this apparent extortion?
. . .
Contact Information
Chris Zoladz, The PCI Coach, www.thepcicoach.com
Payment Application Data Security Standards
Unraveling the Mystery of PA DSS
What is PA DSS
- The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC)
- The definitive data standard for software vendors that develop payment applications
- Prevents payment applications developed for third parties from storing prohibited secure data, including magnetic stripe, CVV2, or PIN
- Requires that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standard (PCI DSS)
Why PA DSS
- Payment applications found to be the source of multiple data compromise events
- Merchants have limited insight into the security of commercial payment applications
- Merchants are held liable for losses associated with data compromise events, not the application provider
What is Subject to PA DSS
- The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties
- Applies to payment applications provided in modules:
  - May only apply to the baseline module, if that module is the only one performing payment functions
  - If other modules also perform payment functions, PA-DSS applies to those modules as well
- Note: It is considered a best practice for software vendors to isolate payment functions into a single or small number of baseline modules, reserving other modules for non-payment functions
What is NOT Subject to PA DSS
- Merchants that use in-house developed applications & stand-alone POS hardware terminals
  - Only applies to applications that store, process, or transmit cardholder data
  - Home-grown systems must be included in the overall PCI DSS compliance review (DSS Req. 6.3)
  - Point-to-point encryption and tokenization do not remove an application from scope
  - Terminal may not connect to other systems
PA DSS Mandates
Visa compliance mandates (phase, mandate, effective date):
Phase 1 (1/1/08): Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications
Phase 2 (7/1/08): VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant
Phase 3 (10/1/08): Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications*
Phase 4 (10/1/09): VNPs and agents must decertify all vulnerable payment applications**
Phase 5 (7/1/10): Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications
PA DSS Mandates - Continued
Effective July 1, 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third-party-provided payment applications to only use those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable. The applicability of the PCI PA-DSS to third-party-provided payment applications is defined in the PCI PA-DSS Program Guide. In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.
Regulation and Deregulation: How Compliance Gets Made
Michael Dahn, Director, PCI Compliance
Rules Keep Getting Bigger
[Image: "Hello Dave", 2001: A Space Odyssey]
Know the Rules Before You Can Break Them
- Dance improvisation
- Music composition
- Know which rules are: followed, flexible, broken
Why Regulation?
Trying to get a handle on large problems:
- Unbound risk
- Consumer protection
How Compliance Happens
Data Breaches & Black Swans
Large Data Breaches (million records)
- Evolution of methods: flat files, network sniffing, serial port sniffing, custom malware
- EU: retail moved to e-commerce
What risk are we trying to prevent?
Next Steps
Vaccinations & Regulatory Compliance
- The problem is that although almost all agree that vaccination is positive for the population, not everyone agrees that it is positive for the individual
- Individuals say:
  - My environment is already secure
  - I know how to manage risk better than the regulatory bodies
  - My environment is special and unique and does not fit into your Procrustean boxes
- Are we as secure as we think we are? Do we rely on third parties? Who do we share data with? Who do we give access to our data and systems?
Vaccinations & Regulatory Compliance
Economics of Immunization and Compliance
- A poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, healthcare, and treatment programs
- A more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure
Vaccinations & Regulatory Compliance
Tipping point of vaccination
- "An aggressive vaccination program that first targets children and ultimately reaches 70% of the US population would mitigate pandemic influenza [flu]" (Vaccine and Infectious Disease Institute (VIDI) at Fred Hutchinson Cancer Research Center)
- So what makes us happy?
Understand the Intent
"Do not focus on the finger or you will miss all that heavenly glory [of Regulatory Compliance]" - Bruce Lee, Enter the Dragon
Example: Audit Logging
PCI DSS Requirement 10.2 and the implications: intent
This is only the beginning
Verizon PCI Compliance Report
- Are all regulatory requirements equally important?
- What are organizations good/bad at doing?
- How does regulatory adherence impact data breaches?
- How effective is regulatory compliance?
Compliance vs Validation
In order to understand the report and the conclusions drawn from the data, it is necessary to differentiate between compliance and validation.
- Validation: a point-in-time event
- Compliance: a continuous process of adhering to the regulatory standard as set forth in the PCI DSS
Compliance Statistics
What are we bad at doing?
% of Orgs meeting PCI Regs
3 Habits of Highly Effective Regulation
Education, Education, Education!
- Drives adoption and adherence
Flexibility of controls
- 100% compliance is not the goal when system failures occur
- PCI DSS: compensating controls; EU Data Protection Directive: comply or explain
More data for risk modeling
- Can we ever manage risk on a moving target? Frequentist vs. Bayesian statistics
What is the Solution?
"Building more roads to ease traffic is like trying to cure obesity by loosening the belt" - Richard Moe, Head of the US National Trust for Historic Preservation
- Simply applying more security does not necessarily mean you achieve better security
- Rotate the days that cars are permitted on the road?
What is the Solution?
- Help prevent data sprawl: security is required wherever data is maintained. Data, data, anywhere? Data, data, everywhere?
- Reduce scope through grouping of systems
- Business process re-engineering: the more complex a system, the harder (and more costly) it is to maintain
Options
Examine Use Cases
- Medical record data vs. payment card data
- Data retention is sometimes required, but what do you retain? Debt collection agencies; recurring payments
- Data mining and analysis
- Cost to secure data vs. business need for the data
- The cost of securing data can be proportional to the volume of it
Questions: @MikD
Compliance Validation Overview
Dick Bloss, Fifth Third Processing Solutions, Vice President, Governance, Risk and Compliance
Where Do We Begin?
- Understand the mission and scope
- Appoint a program manager
- Discuss with acquirer
- Engage your security org. & others
- Determine a schedule
- BE OBJECTIVE
The Players
- PCI Security Standards Council
- The Networks (The Brands)
- Your Acquirer
- Your third-party providers
- Every employee of your company
Qualified Security Assessors
- Willing to partner
- Consultative
- Insightful
- Resourceful
- Available
- Communicative
Scope - Less is More
- Segment your network
- Retain only the data you need
- Limit access by non-essential systems to the cardholder data region
- Talk to your acquirer & providers about P2P encryption and tokenization
Validation Tips: AIM and DO
- Awareness and Attitude
- Inventory
- Monitoring
- Documentation
- Organization
Monitoring
- Vulnerability scans: Approved Scanning Vendor; quarterly doesn't mean JUST quarterly
- Penetration tests
- Event logs
- File integrity
- Providers' compliant status
Assertions of Compliance
QSA/Merchant confirms that ...
- The ROC was completed according to the PCI DSS Requirements
- It's all true! (Fair representation in all material aspects)
- Their payment application stores no sensitive data after the authn
- That they have read the PCI DSS and maintain 24/365 compliance
- They found no evidence of storage of magnetic stripe or PIN data
And the Return on This Effort?
[Diagram contrasting Validation (a point-in-time event), Compliance (you, on the other 364 days) and Security (a long ...)]
Leverage Available Resources
- Acquirer may offer: training, step-by-step SAQ guidance, advice on security best practices
- PCI Security Standards Council: www.pcisecuritystandards.org/merchants, annual Community Meetings
- Brands and their web sites
Challenge Your Providers
- PTS & PA-DSS compliant products?
- Providers' compliant status and ownership of responsibility?
- Is your acquirer responsive and providing direction?
- Do you have clear instructions on proper configuration of your payment applications?
- Do you really need that card number?
Questions?