#PACnet15
Staying PCI Compliant

Presenters
Erik Janis » VP, Technical Services
Govind Shankar » Director, Systems Operations and Security
Gene Welch » Manager, Customer Services

Discussion Points
Agenda:
» PCI DSS Update
▫ Operational impact of new PCI-DSS 3.0 requirements
» Card Data Security Update
» Compliance and Security Concepts
» Paciolan Application Compliance and Security
» Q/A
* Disclaimer – Presenters are not Visa certified QSAs

Theme of The Day
Compliance is NOT Security
» Compliance is mandatory so you can process credit cards
» Security keeps you out of the news
▫ Target Stores
▫ Sony Pictures
▫ Anthem Blue Cross
» Controls are important
▫ Most breaches happen from the INSIDE!
Awareness is the first step in becoming secure….

PCI DSS Update
PCI-DSS 2.0
» 2.0 was valid and accepted by Visa until 12/31/14
» Paciolan processed under 2.0 for this year
▫ Too much ambiguity amongst QSAs for how to evaluate 3.0

PCI DSS Update
PCI DSS 3.0 is mandatory from 12/31/14 onward
» Provide stronger focus on some of the greater risk areas in the threat environment
» Strong focus on POS device security!
» Provide increased clarity on PCI DSS & PA-DSS requirements
» Help manage evolving risks / threats
» Align with changes in industry best practices
» Clarify scoping and reporting
Standards will evolve slowly
» New items and clarifications will be introduced periodically
» ‘Guidance’ or ‘Best Practices’

PCI DSS 3.0 Changes
There are two major changes in DSS 3.0 that affect Paciolan and will trickle down to you….

PCI DSS 3.0 Changes
Section 9.9.2 - Inspection/tamper detection of payment devices
Create control environment to detect and react to tampering
» Regular testing
» Reporting results
Provide training of personnel and maintain appropriate documentation

PCI DSS 3.0 Changes
Section 12.8, 12.9 - Definition of PCI control responsibilities between Service Provider and Customer
» Define and document who has responsibilities for securing what
▫ Client vs. Paciolan
» Customer equipment - Paciolan can’t reasonably secure (PCs, Kiosks, swipers, network devices, etc.)
» Paciolan equipment - Pac will need to set up more standardized controls around VPN units, Pac-VT devices.
» Amendment of agreements and contracts with said language – Paciolan

PCI DSS 3.0 Changes
Summary:
» Clarification and documentation of policies, procedures, and definition of responsibilities
▫ Legal / contract requirements
» Inventories and documentation of in-scope equipment
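The inventory-plus-inspection control that the section 9.9.2 slide and the summary above describe, as an added example that is not code from the deck or from Paciolan: devices, seal numbers, locations and the 30-day inspection window are constructed assumptions, not values from the deck or the standard.

```python
# Added example; not code from the PACnet15 deck or from Paciolan. It models
# the control environment the slides describe for PCI DSS 3.0 section 9.9.2:
# an inventory of in-scope payment devices, a periodic inspection comparing
# each device with its record, and a findings report. Devices, seal numbers
# and the 30-day window are constructed assumptions, not values from the deck.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Device:
    asset_id: str
    serial: str
    location: str
    seal_id: str                         # tamper-evident seal on the housing
    last_inspected: Optional[date] = None

@dataclass
class Inventory:
    devices: Dict[str, Device] = field(default_factory=dict)
    max_inspection_days: int = 30        # local policy, assumed

    def add(self, d: Device) -> None:
        self.devices[d.asset_id] = d

    def inspect(self, asset_id: str, seen_serial: str, seen_seal: str,
                seen_location: str, today: date) -> List[str]:
        """Compare what the inspector sees with the record; [] means pass."""
        d = self.devices.get(asset_id)
        if d is None:                    # a device nobody approved
            return [f"{asset_id}: not in inventory"]
        findings = []
        if seen_serial != d.serial:      # unit swapped for a look-alike?
            findings.append(f"{asset_id}: serial {seen_serial} != recorded {d.serial}")
        if seen_seal != d.seal_id:       # housing opened since last check?
            findings.append(f"{asset_id}: seal {seen_seal} != recorded {d.seal_id}")
        if seen_location != d.location:
            findings.append(f"{asset_id}: at {seen_location}, recorded {d.location}")
        d.last_inspected = today         # the inspection itself is documented
        return findings

    def overdue(self, today: date) -> List[str]:
        """Devices never inspected or not inspected within the policy window."""
        limit = today - timedelta(days=self.max_inspection_days)
        return sorted(a for a, d in self.devices.items()
                      if d.last_inspected is None or d.last_inspected < limit)

def build_sample_inventory() -> Inventory:
    inv = Inventory()
    inv.add(Device("BOX-01", "SN-1001", "box office 1", "SEAL-A1", date(2015, 3, 1)))
    inv.add(Device("BOX-02", "SN-1002", "box office 2", "SEAL-A2", date(2015, 3, 1)))
    inv.add(Device("KIOSK-1", "SN-2001", "north gate", "SEAL-K1"))
    return inv

def run_inspection_round() -> dict:
    """One round on 2015-04-15: BOX-01 passes, BOX-02 shows a different
    serial than recorded, BOX-03 is not in the inventory, KIOSK-1 is overdue."""
    inv, today = build_sample_inventory(), date(2015, 4, 15)
    report = {
        "BOX-01": inv.inspect("BOX-01", "SN-1001", "SEAL-A1", "box office 1", today),
        "BOX-02": inv.inspect("BOX-02", "SN-9999", "SEAL-A2", "box office 2", today),
        "BOX-03": inv.inspect("BOX-03", "SN-3003", "SEAL-X1", "will call", today),
    }
    report["overdue"] = inv.overdue(today)
    return report
```

The report is what the "reporting results" bullet asks for: each inspection either passes or names what no longer matches the record, and `overdue` lists the devices the schedule has missed.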

Credit Card Security Update
EMV
eVenue Payment Processing
Tokenization
Personally Identifiable Information (PII)

Card Data Security Update
EMV / ‘Chip and Signature’
» What we know:
▫ Liability shift to banks and merchants in October, 2015
▫ Visa is supporting ‘Chip and Signature’, not ‘Chip and Pin’
▫ EMV efforts will be advanced on a per processor basis
– You hold the merchant relationship with bank/processor
▫ Paciolan is researching CyberSource compatible hardware and awaiting the release of APIs to scope development effort
▫ Card reader hardware will cost between $250 and $750 per unit. Higher price point units will give more than just basic EMV capability
– Future encryption options
– Contactless payment option: Google Wallet, Apple Pay, others?

Card Data Security Update
Card Security Road Map
» Payment Processing Enhancements for eVenue (7.2)
▫ Utilizes same modernized payment architecture as Pac 7.x
» Tokenization
▫ Based on VISA and CyberSource Offerings
▫ Pac 8
» PII Data Field Encryption / De-Identification
▫ Pac 8

Govind Shankar
Director, Systems Operations and Security

You are PCI Compliant.. Now what?
Keep momentum going….
Mitigate extra costs..
Best allocate resources..
Evolving PCI climate…

Engage the Business…..
Drive security-conscious behavior
Make informed risk-based decisions
Cultural change and employee awareness
Compliance and Business
PCI as brand protection

Closing the Gap between Compliance and Security
Adhering to industry regulations is not sufficient
Ever increasing number and sophistication of attacks..
Segmentation and strategies for moving from compliance to security
The future of PCI standards

Case Study: Target
Impact
According to the NY Times, credit and debit card information for 40 million of Target’s customers had been compromised. An additional trove of personal information from some 70 million people had been exposed as well.
Situation
Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out that 40 million Target credit cards had been stolen by accessing data on point of sale (POS) systems. The breach transpired between November 27 and December 15th 2014. Over 11 GB of data was stolen. Target missed internal alerts and found out about the breach when they were contacted by the Department of Justice.
A series of steps were taken by the adversaries to obtain access to the credit card data and retrieve it from Target’s systems. A breakdown in detection further increased data loss.
Contributing Factors
» “Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit”, so the attacker knew to look for these pivot points.
» The number of POS machines that were compromised in a short amount of time indicates that the software was likely distributed to them via an automated update process.
» Data was moved to drop locations on hacked servers all over the world via FTP.
» Monitoring software alerted staff, but no action was taken.
“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology” – former Target Chairman, President and CEO Gregg Steinhafel

Case Study: Neiman Marcus
Impact
350,000 customer cards were exposed; approximately 9,200 of those were fraudulently used. The data breach cost the retailer $4.1 million in legal fees, investigations, customer communications and credit monitoring services.
Situation
Hackers broke into Neiman Marcus’ store four months prior to stealing card data in July 2013, using memory-scraping malware. Fraudulent card usage was subsequently detected in December 2013.
The hackers exploited a vulnerable server to circumvent the POS systems and reloaded their software on multiple registers after it was deleted at the end of each day. To disguise their activities in the protection logs, the hackers gave the malware a name nearly identical to the company’s payment software.
Contributing Factors
» The system’s ability to automatically block the suspicious activity it flagged was turned off.
» Network segmentation was not implemented.
» The 60,000 alerts set off by the malware were interpreted as false positives associated with the legitimate software.
“During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware,” the company wrote. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.”

Security Program Maturity Measurement
• Who has access?
• Awareness and training programs?
• What data is most important to my organization (PII, PCI, IP, trade secrets)?
• Clearly defined data classification?
• Have tools and techniques in place to protect sensitive information?
• Technical controls in place

General Security Best Practices..
» Never reply back to an E-mail to "unsubscribe" from unknown sources.
» Watch out for Shoulder surfers..
» Passwords should be used by only one person
» Read Error Messages and checkboxes..
» Dumpster Diving..
» Limit Social Engineering..
» Phishing..
» Café session hijacks..

Gene Welch
Manager, Customer Services

Staying PCI Compliant
Compliance and security
External threat vs. internal threat
External controls and internal controls
Application level access controls
Application logs
Procedural controls to increase accountability

Compliance and Security
» Building codes
» Highway safety laws

External and Internal Threats
External threats vs. internal threats
» High profile breaches - risk of compromised data
» Embezzlement
» Theft of inventory
» Misappropriation of assets

External Controls and Internal Controls
External - The system’s ability to resist unauthorized attempts at access while allowing legitimate users to access data
Internal - Once legitimate users have been let in, your internal controls come into play

Internal Controls and Fraud Detection

Application Controls
Application level access controls
» Back office operator access
» Selling controls

Application Controls
Operator Access

Application Controls
Selling Control

Application Controls
Pac7 Selling Control

Application Logs
Application logging
» System process log
» Transactions record operator, date and time
» Transaction source and selling control
» Seat status changes by operator, date and time

Application Logs
Operator usage log report

Application Logs
Transaction logging

Application Logs
Seat Status Changes (aka Seat History)

Additional Internal Controls
Procedural controls to increase accountability
» User logins (aix, UniVerse, Pac7) – generic?
» Daily balancing to system records
» Complimentary ticket procedures and oversight
» Monitor ticket returns and credit card refunds
» Tickets/barcodes voided after an event
» Disabling system access when someone leaves organization
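How the application log fields from the "Application logging" slide (operator, date/time, source, selling control, transaction) feed the accountability checks listed above, as an added example that is not code from the deck or from Paciolan's software: the log format, field names, the generic-login and leaver lists and the sample lines are all constructed for this example.

```python
# Added example; not code from the PACnet15 deck or from Paciolan's software.
# It runs the accountability checks from the "procedural controls" slide over
# the kind of application log the "application logs" slide describes
# (operator, date/time, source, selling control, transaction). The log format,
# field names, generic-login and leaver lists, and the sample lines are
# constructed for this example.
from datetime import datetime, date
from typing import List, Set

# Constructed sample: timestamp|operator|source|selling control|type|detail
SAMPLE_LOG = """\
2015-04-10 09:12:03|jsmith|BOXOFFICE|GENADM|SALE|ORD-1001
2015-04-10 09:40:11|jsmith|BOXOFFICE|GENADM|REFUND|ORD-1001
2015-04-10 14:02:30|tlee|PHONE|GENADM|SALE|ORD-1002
2015-04-10 16:20:00|BOXOFF|BOXOFFICE|GENADM|REFUND|ORD-0933
2015-04-11 10:05:00|tlee|PHONE|GENADM|VOID|BARCODE-55 event=2015-04-09
2015-04-11 11:00:00|rgone|BOXOFFICE|GENADM|SALE|ORD-1003
"""
GENERIC_LOGINS: Set[str] = {"BOXOFF", "ADMIN"}   # shared ids (assumed)
LEAVERS: Set[str] = {"rgone"}                    # left the organization (assumed)

def parse(log_text: str) -> List[dict]:
    """Split each log line into its fields; timestamps become datetimes."""
    rows = []
    for line in log_text.splitlines():
        ts, op, src, ctrl, kind, detail = line.split("|", 5)
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "op": op,
                     "src": src, "ctrl": ctrl, "kind": kind, "detail": detail})
    return rows

def review(rows: List[dict]) -> List[str]:
    """Return one finding per log entry that a control owner should look at."""
    sold_by = {r["detail"]: r["op"] for r in rows if r["kind"] == "SALE"}
    findings = []
    for r in rows:
        tag = f"{r['ts']:%Y-%m-%d %H:%M} {r['op']}"
        if r["op"] in GENERIC_LOGINS:          # generic login: who really did it?
            findings.append(f"{tag}: {r['kind']} under shared login")
        if r["op"] in LEAVERS:                 # access should have been disabled
            findings.append(f"{tag}: activity by operator who left")
        if r["kind"] == "REFUND" and sold_by.get(r["detail"]) == r["op"]:
            findings.append(f"{tag}: refunded {r['detail']} that the same operator sold")
        if r["kind"] == "VOID" and "event=" in r["detail"]:
            barcode, event = r["detail"].split(" event=")
            if r["ts"].date() > date.fromisoformat(event):
                findings.append(f"{tag}: {barcode} voided after its event")
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
```

Each finding names the operator and time from the log, which is exactly what a generic login takes away: the "shared login" entry can be reviewed but cannot be attributed to a person.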

Paciolan Password Policy
Paciolan New User and Password Policy
» New users only added to system upon confirmation with authorized personnel approval
» Requested password changes for existing users will be emailed to confirmed contact email address obtained from Paciolan CRM system

Thank you! Questions?
Please complete either the session evaluation form on your chair or online at http://pacnet.paciolan.com/schedule.