pci compliance 103: ask the experteoplugin.commpartners.com/asae/2012/120306 pci compliance...

3/6/2012

1

PCI Compliance 103: Ask the Expert

Tuesday, March 6, 20122:00 pm – 3:30 pm ET

David A. Wallace MBA, CISA/M, CISSPGM, Data Security Standards Compliance

Chase Paymentech

This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions and Chase Paymentech.

Your Presenter:With 29 years of experience in the Information Technology (IT) industry and 14 years of Information Security management experience, David Wallace serves as Group Manager for Chase Paymentech’s Security Standards Compliance team. In his role, Wallace is responsible for p pmanaging data security compliance for Chase Paymentech’s merchant portfolio and advising merchants about the Payment Card Industry (PCI) security standards.

Prior to joining Chase Paymentech, Wallace gained invaluable experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim’s Pride and Perot Systems. In addition to his professional experience, Wallace has earned several industry certifications, including Certified Information Systems Security Professional in 1999, Certified Information Security Manager in 2004, and Certified Information Systems Auditor in 2008. He is also a frequent speaker at regional, national and international information security conferences including

David A. Wallace

Group Manager, Security Standards national and international information security conferences including

the RSA Conference and Computer Security Institute Conference.

Wallace spent his undergraduate years attending Louisiana State University in Shreveport, La., where he studied business administration and management information systems. He earned a master’s degree in business administration from Southern Methodist University in Dallas, Texas in 2003.

Security Standards Compliance

2

3/6/2012

2

• Payment Card Industry Basics

Agenda

Payment Card Industry Basics• Reducing Scope• Third Parties• Resources and Questions

3©2011, Chase Paymentech Solutions, LLC. All rights reserved.

P t C dPayment Card Industry Basics

4

3/6/2012

3

PCI Security Standards Council

The OrganizationMi i F d b fi j tMission — Formed by five major payment brands to enhance payment account data security21 member advisory board with 500+ participating organizations

ScopeStandards Management Assessor accreditation


Payment Brand Data Security Programs

• Mandate compliance for entities storing, i t itti dh ld d tprocessing, or transmitting cardholder data

• Origination point for new PCI standards• May differ from brand to brand

– And in some cases from region to regionS ti th th• Some more active than others


3/6/2012

4

PCI Security Standards• The PCI Data Security Standard (PCI DSS)

o Applies to any entity that stores, processes, and/or transmits cardholder datao Covers technical and operational system components

• The Payment Application Data Security Standards (PA-DSS)o Applies to developers and integrators of applications involved in authorization or

settlement. o Governs these applications that are sold, distributed or licensed to third parties.

• The PIN Transaction Security (PTS)o Applies to manufacturers of personal identification number (PIN) entry terminals used

for payment card financial transactions.


PCI Security Standards Council Accreditations

Type PCI SSC Designation ActivityAssessment Internal Security Assessor

(ISA)Merchant resource certified to validate compliance of PCI DSS

Qualified Security Assessor (QSA)

Independent third party certified to validate compliance of PCI DSS

Payment Application Qualified Security Assessor (PA-QSA)

Independent third party certified to evaluate compliance of Payment Applications to the PA-DSS

NetworkScanning

Approved Scanning Vendor (ASV)

Independent third party accredited to perform network vulnerability scan

Forensics PCI Forensics Investigator Independent third party accredited to

©2011, Chase Paymentech Solutions, LLC. All rights reserved.

8

Investigation (PFI) perform forensics investigation in the event of suspected cardholder data breach

Laboratory PCI RecognizedLaboratory

Independent third party certified to validate compliance of PIN TransactionSecurity Standards

3/6/2012

5

Self Assessment Questionnaire TypesSAQ

Validation Type

Description SAQForm

1Card-not-present (e-commerce or mail/telephone-order)merchants all cardholder data functions outsourced This would A1 merchants, all cardholder data functions outsourced. This wouldnever apply to face-to-face merchants.

A

2 Imprint-only merchants with no electronic cardholder datastorage B

3 Stand-alone dial terminal merchants, no electronic cardholderdata storage B

4Merchants with IP terminals, or POS systems connected to theInternet, no electronic cardholder data storage, no networkedd i

C

9

devices

Payment processing done via Virtual Terminal accessed viabrowser on Internet (No Ecommerce) C-VT

5All other merchants (not included in Types 1-4 above) and allservice providers defined by a payment brand as eligible tocomplete an SAQ.

D


Merchant Validation Levels and Requirements

Merchant Level Volume Requirements Compliance

Validation Target

4Less than 20,000 ecommerce or less than 1 million

Self-Assessment Questionnaire 12/31/20064 or less than 1 million

transactions with one card brand

Questionnaire Quarterly network scans

12/31/2006

3 Between 20,000 and 1 million Visa or MC ecommerce transactions in a 12 month period

Self-Assessment Questionnaire

Quarterly network scans

12 months from date of notification

2 Between 1 and 6 million Visa or MC transactions in a 12

Self-Assessment Questionnaire 1 Dec 31st of year

following notification2


10

month period Quarterly network scans following notification

1 Greater than 6 million Visa or MC transactions in a 12 month period

Onsite Assessment 1 Quarterly network scans

Sept. 30th of year following notification2

(1) MasterCard now requires Level 1 and Level 2 merchant assessments to be performed by an assessor – QSA or ISA (2) MasterCard requires all Level 1 and Level 2 merchants to validate compliance by June 30, 2011

3/6/2012

6

Payment Brand Enforcement

Prohibited data storage fines: up to $480,000/year$480,000/year

PCI Non-Compliance fines: up to $675,000/year

Compromise fines: Vary based on incident severityVary based on incident severityAssessed in addition tonon-compliance fines


What Do Hackers Want?

Payment Card Data is a target for criminals looking to turn data into cash quicklyq y


Source: Trustwave Global Security Report 2011

3/6/2012

7

What Could a Compromise Cost My Association?

Example 1 Example 2 Example 3 Example 4 Example 5 Example 6Example 1 Example 2 Example 3 Example 4 Example 5 Example 6

Type of Merchant Retailer Restaurant Rest / Ent Restaurant Service Provider Event OtherPCI Level 1 2 2 4 2 4Number of Account at risk 45,700,000 ~22,000 ~156,000 ~33,330 ~635,000 ~88,000Data at risk Magnetic Stripe Magnetic Stripe Magnetic Stripe Magnetic Stripe Account Numbers Account NumbersVisa Fine 40.9 M 15,000$ 10,000$ 15,000$ 17,500$ 10,000$ MasterCard Fine 24 M 10,000$ 90,000$ 14,600$ 100,000$ 5,000$ Visa ADCR Fine N/A 429,000$ -$ 69,000$ -$ -$ Compliance Cases $ - $ - $ 390,000 $ 3,000 $ - $ -

N/A Closed Active Active Closed ClosedForensic Investigation Unknown Unknown Unknown Unknown Unknown UnknownC t f U d U k U k U k U k U k U k

Card Present Card Not Present

Cost of Upgrades Unknown Unknown Unknown Unknown Unknown UnknownMerchant Brand Damage Unknown Unknown Unknown Unknown Unknown Unknown

TOTAL > $64.9 M > $454,000 > $490,000 > $101,600 > $117,500 > $15,000


What can I do?

14

3/6/2012

8

The Prioritized Approach – Simply

• Six Milestones:1. If you don’t need it, don’t store it2. Secure the perimeter3. Secure applications4. Monitor and control access to your systems5. Protect stored cardholder data6. Finalize remaining compliance efforts, and

ensure all controls are in placeensure all controls are in place

• Tools and guidance on the PCI SSC Web site


Use PA-DSS Validated Payment Applications

Validated payment applications:D t t hibit d d tDo not store prohibited data or cardholder data past authorization and settlementVersions available for most applicationsConfigured to update and patch automaticallyListed on the PCI Security StandardsListed on the PCI Security Standards Council Web Site

Cost: Varies by application


3/6/2012

9

#5 - Payment Hardware Best Practices

• Securely mount terminals to deter theft• Use PCI PTS validated terminals

– Support strong keys (Triple DES aka ‘TDES’)

– Tamper resistant if stolen• Memory is deleted if device is opened• PIN encryption key is deleted if device is opened• Cannot be used in skimmer/replacement attackp

– Required by July 1,2010 for merchants accepting PIN Debit

– Listed on the PCI Council web site• Cost: Varies by terminal


#4 - Use Strong Passwords

• Change the default password on a new systemCh d d• Choose a good password– Easy to remember– Hard to guess– Mixed Case, Alpha-Numeric, Special characters

• Pink Floyd• Pink Floyd!y• P1nk F10yd!• F10yd!P1nk• FP11!0nykd

• Cost FREE18©2011, Chase Paymentech Solutions, LLC. All rights reserved.

3/6/2012

10

#3 - Install and Use Anti-Virus Software

• Anti-Virus software– Usually includes anti-virus anti-– Usually includes anti-virus, anti-

spyware and a personal firewall– Checks the hard drive and memory for

existing infections– Monitors communications for infected

files and web pagesU d t t ti ll i th I t t– Updates automatically via the Internet

• Cost: Often FREE from Internet Service Provider


#2 – Apply Patches

• Update software patches:– Address newly identified vulnerabilities– Released

• Regularly (Microsoft “Patch Tuesdays”) • As needed when critical vulnerabilities appear

– Can be downloaded and installed automatically

• Cost: Free


3/6/2012

11

#1 – Install a Firewall

• Consumer-grade firewalls: g– Available since the late 1990s– Require little or no configuration – Available from most

large retailers Cost: Less than $100– Cost: Less than $100


SScope Reduction

22

3/6/2012

12

Security Business Decision 101

• Assess the risks• Identify the mitigation optionsy g p• Determine how much risk

– The business is comfortable accepting– The business is ALLOWED to accept?

• Recognize the constraints• Acquire and apply resourcesq pp y


But what WAS the BUSINESS Decision?

• The drivers for storing, processing, and transmitting cardholder data are BUSINESS drivers

• The business has to ask (or BE ASKED) – Do legacy cardholder data business processes make

sense in the post PCI world in light of• the expenditures we will be called upon to make? • the processes we will have to implement?• the effort we will have to exert?

24

• the discipline we will have to maintain?– To achieve and maintain compliance?


3/6/2012

13

If the Answers Are “No”• The business has to:

– Reengineer Processes• Evaluate acceptance processes and• Evaluate acceptance processes and

technologies• Identify significant post deposit events and

their timing• Adjust data capture, processing, storage

and retrieval policies

25

– Reduce cardholder data storage• Rely on the Acquirer• Implement tokenization

– Examine outsourcing options25©2011, Chase Paymentech Solutions, LLC. All rights reserved.

What are Compliance‐Enabling Technologies?

Product (or service) that reduces the scope of PCINot a PCI requirementNot a PCI requirementDoes not replace PCI or its requirementsBenefits organizations

with large, ‘flat’ networkswho have well-defined and understood payment flows

Long term cost reductionLong term cost reductionGenerally lengthy and costly up-frontMulti-year payback

Not one-size-fits-all; proceed with caution!


3/6/2012

14

Eliminating the Scope of PCI

One solution: stop accepting cardsSee SAQ ASee SAQ A

Information security policySecurity awareness trainingService Provider compliance

You can only hope to reduce your scopeThere is no PCI Fairy!e e s o C a y


Some ExamplesMaskingVirtual TerminalEMV or ‘Chip and PIN’Point-to-point EncryptionTokenizationHosted Pay PageMobile?Mobile?


3/6/2012

15

Masking

Primarily a display technologyUnderlying data is still storedDisplay is suppressed on a need-to-know basis

Use of replacement data to obscure or replace PANData replacement strings can be random or fixedNot tokenization or encryptionNo hashing or encryption algorithms are usedUseful in limiting scope by denying end users access to fullUseful in limiting scope by denying end users access to full PAN

Sample Masking FormatsPCI 435461XXXXXX1234

FACTA ***********23456


Virtual Terminal

Web page with SSL-encrypted linkCard data capture & hosted remotelyC i t t k i tiCan incorporate tokenizationGood fit for card-not-present and e-Commerce

Call CentersCustomer self-serviceCan operating in conjunction with terminal/reader hardware to support card-present transactions

PCI SSC recognized use case in 2010 with Self gAssessment Questionnaire (SAQ) C-VT


3/6/2012

16

EMV

What is EMV?Europay-MasterCard-Visa standard for global i t bilit f I t t d Ci it ‘Chi ’ dinteroperability of Integrated Circuit or ‘Chip’ cardsAlmost universally implemented in EuropeWidely deployed in Canada

PIN-authenticated transactionsRecent attacks have demonstrated protocol vulnerabilities that can obviate PIN security in EU yimplementation


EMV & PCI

Primary EMV impact is card-present fraud reductionAlternate payment mechanisms are available

Mag stripe readManual PAN entry

Brands offering PCI incentives for EMV adoptionMasterCard SDP (Issuer centric)Visa TIP (Merchant centric)

EMV and PCI are not “EITHER/OR”EMV and PCI are not EITHER/ORMore like bacon and eggs or peanut butter and jelly

Good separatelyBetter together


3/6/2012

17

What is Tokenization?A form of PAN replacement that substitutes a derived value for the PAN

k k k hTokenization server creates tokens, tracks the relationship of tokens to PANS, and translates tokens back into PANsA TRUE token can have NO reversible relationship between token and PAN


Tokenization & PCI• Compliance

– Potentially eliminates cardholder data storage• Reduces scope and cost of PCI DSS compliance• Reduces scope and cost of PCI DSS compliance• Reduces risk in the event of compromise

– Tokenization occurs after authorization• Does not address acceptance• System accepting transactions can perpetuate an in‐scope

cardholder data environment within the merchants’ systems

• Operations– Credit card number is a highly specific value– May require integration into existing systems– Hosted Pay Page required to support scope limitation at acceptance34


3/6/2012

18

What is Point‐to‐point Encryption?

• Card data encrypted at swipe• Decryption occurs outside merchant environment• No decryption key material in merchant environment– REQUIRED to achieve scope reduction

• Implementation is key


Point‐to‐point Encryption and PCI• Encrypted PAN is still a PAN • If cardholder data:

– Is encrypted when read AND– Decryption occurs outside the merchant environment AND

– No key material exists in the merchant environment

• Then the merchant environment scope• Then the merchant environment scope is potentially minimized– Assuming no other cardholder data is stored, processed, or transmitted anywhere in the merchant environment


3/6/2012

19

Going Mobile

• Current generation of mobile applications are mostly ports from the PC/UNIX/Linux worldy p / /

• Applications developed based on prior platform assumptions– Secured (or securable) operating system– Availability of effective protective mechanisms

• Native• Aftermarket

– Robust logging and protected log files

• Mobile applications are still available– Adopt mobile devices with secure underlying operating systems– Must be able to implement PCI DSS controls

• For the operating system• For the application


Mobile and PCI• PCI SSC mobile device hierarchy

– Class 1 – Purpose built wireless payment deviceClass 2 Purpose built payment device operating– Class 2 – Purpose built payment device operating wirelessly

– Class 3 – Consumer call phone‐based device• Scenario 1 – PTS validated sled w/phone as radio• Scenario 2 – Phone has access to payment instrument data

• PCI SSC has delisted multiple PA DSS‐validated mobile payment applications– Common thread: device form factor

• MasterCard requires all merchants to use Validated Payment Applications by June 30, 201238


3/6/2012

20

Phone‐Based Mobile Application Issues

• Three words: Operating Systems Security• Cell phone operating systems today:

Contain known vulnerabilities– Contain known vulnerabilities– Are attracting serious hacker attention

• Have been successfully compromised in multiple recent hacking competitions• More vulnerabilities likely to emerge

– Support multiple forms of inbound connectivity• CDMA, GSM, etc.• 802.11• Bluetooth

– Lack basic protections such as • Passwords• Anti‐virus• Firewalls

– Lack the ability to patch & update securely, automatically, and seamlessly


Thi d P tThird Party Agentsg

40

3/6/2012

21

How Do I Choose a Service Provider?

• The same way you chose any vendor!– Provides a product and/or service you needProvides a product and/or service you need– At a price you want– In the best interest of your customers and stakeholders

• Check their finances• Check their references• Check their accredidation• Check their accredidation:


Key Considerations

• Compliance & Security• Liability and Indemnification


3/6/2012

22

Resources

Additional ResourcesChase Paymentech http://www.chasepaymentech.comCardholder Data Security http://www.chasepaymentech.com/datasecurity

PCI Security Standards Council https://www.pcisecuritystandards.org/Validated Payment Applications https://www.pcisecuritystandards.org/security_standards/vpa/PTS Certified devices https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.htmlSelf-Assessment Questionnaires https://www.pcisecuritystandards.org/saq/index.shtmlPrioritized Approach https://www.pcisecuritystandards.org/education/prioritized.shtml

Visa Cardholder Info Security Program http://usa.visa.com/merchants/risk_management/cisp.htmlVisa/BBB Data Security Microsite http://www.bbb.org/data-security/Visa Alert Page http://usa.visa.com/merchants/risk_management/cisp_alerts.html

US44©2011, Chase Paymentech Solutions, LLC. All rights reserved.

MasterCard Site Data Protection Program https://sdp.mastercardintl.com/

Trustwave http://www.trustwave.comPortal: Level 4 Merchant Portal https://www.trustwave.com/level4pci/Free Risk Profile http://chasepaymentech.riskprofiler.net/

referral code: WELCOMECHASEPAY

3/6/2012

23

Questions?

David A. Wallace

G M S it St d d C liGroup Manager, Security Standards ComplianceChase Paymentech

[email protected]

www.chasepaymentech.com/asae

pci compliance 103: ask the experteoplugin.commpartners.com/asae/2012/120306 pci compliance...

Documents