TRANSCRIPT
Treasury Institute for Higher Education
PCI Internal Controls and Auditing Requirements
PCI DSS Workshop, April 24, 2017
Introduction
About University of Alaska
America’s Arctic university – a land, sea and space grant system. Geographically distributed across three major campuses – in Anchorage, Fairbanks and Juneau – with 17 satellite campuses and 28 facilities. As of 2015, total enrollment is 32,000.
Speakers
Shiva Hullavarad
Manager of Compliance,
Information & Record Systems
University of Alaska System
P: 907-450-8074
Email:
Will Finley
Information Systems Auditor, University of Alaska System
P: 907-450-8092
Email: [email protected]
Arctic Circle 65th Parallel
Agenda
Introduction
PCI Governance /Advisory Team
What’s happening on campuses?
Risks of non-compliance
PCI DSS 3.2
PCI Lifecycle
Role of Internal audit
Tools for auditing PCI DSS
PCI Maturity model
Q & A
University of Alaska PCI
UA formed an e-commerce committee to centralize and prioritize payment systems
Recommended by the acquirer bank to be compliant with PCI DSS
The e-commerce committee transitioned to the PCI Advisory Team, chartered by the VP Finance to develop PCI policy
Hired a QSA to advise and conduct vulnerability scans
The PCI Advisory Team developed the PCI Administrative Policy, requiring an SAQ to be completed for each MID by Oct 31 every year
The PCI Advisory Team meets every month to review scan status and to update and prioritize all PCI tasks
PCI Governance/Advisory Team
• Deficiency Reports
• SAQs
• Scope reduction efforts
PCI DSS Payment Card Industry - Data Security Standard
Standard that is applied to:
Merchants
Service Providers (third-party vendors, gateways)
Systems (hardware, software)
That:
Store cardholder data
Transmit cardholder data
Process cardholder data
Applies to:
Electronic transactions
Paper transactions
PCI DSS – Applies to every business
All merchants are subject to the standard and to card association rules
No exemption is provided to anyone
Immunity does not apply because:
The requirement is contractual – not regulatory or statutory
Card associations can be selective about who they provide services to
Merchants accept services on a voluntary basis
Merchants agree to abide by association rules when they execute the e-merchant bank agreement
Merchant banks are prohibited by association rules from indemnifying a merchant for not being compliant with the standard
Association rules require merchant banks to monitor merchants to ensure their compliance
Failure of a merchant bank to require compliance jeopardizes the merchant bank’s right to continue to be a merchant bank
Any fines levied are against the merchant bank, which in turn passes the fines on to the merchant
Campuses and Ah! Compliance
Institutions of higher education are required to maintain PCI compliance
At a disadvantage compared to other industries like banking, services and retail
Have varied types of businesses on campus accepting credit cards: tuition, student fees, campus cards, events, dining, housing, athletics, parking, vending machines, online giving
Very difficult to have one office with knowledge of all of the above (mostly a one-person department)
Business challenges
• Many departments want to accept payments by credit card, but their needs, resources, and business and system maturity differ
• Absence of a PCI Governance Team
• E-commerce is complex, and it is not easy to decide who is ‘in charge’ of e-commerce
• Acquirer banks and credit card companies require that the institution be compliant with the most current standard; non-compliance results in penalties and jeopardizes reputation
• Centralized policies, education, management support and communication
The PCI compliance - 12 security requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications
The PCI compliance - 12 security requirements
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy
12. Establish high-level security principles and procedures.
PCI DSS 3.2 - Threat is the main driver
Changing payment and threat environment
Breach reports and compromise trends
Feedback from industry
6 Control Objectives
12 Core Requirements
290+ Audit Procedures
Key changes:
Multi-factor authentication for admins (8.3.1)
5 new sub-requirements for service providers (3, 10, 11, 12)
2 new appendices
SSL/TLS migration deadline
Designated entities supplemental validation
Threat – Detect, Response and Recovery
(Figure: threat detection, response and recovery. Source: Cisco Threat Report)
SAQ - PCI DSS Version 3.2
Face-to-Face & Mail/Telephone Only:
  B        POS analog, not connected to IP *
  B-IP     POS connected to IP * #
  C-VT     Virtual Terminal on IP, dedicated or segmented, and keyed only * #
  C        POS software connected to IP, dedicated or segmented * #
  P2PE-HW  POS hardware managed with Point-to-Point Encryption *
  D        Cardholder data is stored #
eCommerce Only:
  A        Card-not-present, fully outsourced *
  A-EP     Outsourced, but website redirect can impact security of payment * #
  D        Cardholder data is either processed, transmitted, or stored #
Combination of Face-to-Face and eCommerce:
  D        All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #
* Indicates cardholder data is not stored; # Indicates vulnerability scanning required.
Levels of Merchants
All merchants must perform external network scanning to achieve compliance.
Level  Transactions per Year  Types of Targets
1      More than 6 million    Anyone with a breach; Merchants, Merchant Agents, Processors, Direct Connects
2      1 – 6 million          Merchants, Merchant Agents, Processors
3      20K – 1 million        eCommerce Merchants
4      All other merchants    Merchants
Difference between Compliance & Validation
Compliance – Means adherence to the standard
Applies to every merchant regardless of volume
Technical and business practices
Validation – Verification that the merchant (including its service providers) is compliant with the standard
Applies based on Level assigned to merchant & transaction volume
Two types of Validation
Self-Assessment
Certified by a Qualified Security Assessor (QSA)
Attestation – Letter to card issuer (bank) signed by both merchant and acquirer bank attesting that validation has been performed
Validation - 2 steps
Annual Assessment Questionnaire Required of all merchants – regardless of level
Applies to both technical and business
Security Vulnerability Scan - Quarterly Required for External facing IP addresses
Web applications
POS Software and databases on networks
Applies even if there is a redirection link to a third party
Must be performed by Approved Scanning Vendor (ASV)
Validation based on Level assigned to merchant, based on transaction volume
Validation requirements – Merchant level
Level 1 (Visa/MasterCard) – Annual onsite review by a Qualified Security Assessor (QSA), or by Internal Audit if signed by an officer of the company, and a quarterly network security scan with an Approved Scanning Vendor (ASV).
Level 2 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.
Level 3 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.
Level 4 – Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan with an approved ASV.
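Added example, not from the workshop slides: a small helper that applies the SAQ table and the merchant-level slides above to a merchant profile so an internal auditor can check which SAQ, level and validation duties a MID falls under. The MerchantProfile class and its field names are assumptions; the SAQ letters, the '#' scan flags and the transaction thresholds are the ones the slides state.

```python
# Added example, not from the workshop slides: apply the SAQ table and the
# merchant-level thresholds above to a merchant profile. MerchantProfile and its
# field names are assumptions; SAQ letters, '#' flags and thresholds are the slides'.
from dataclasses import dataclass

@dataclass
class MerchantProfile:
    channels: frozenset                 # subset of {"face_to_face", "ecommerce"}
    stores_chd: bool = False            # cardholder data retained after authorization
    fully_outsourced: bool = False      # eCommerce payment page entirely third-party
    site_affects_payment: bool = False  # merchant site redirect can impact the payment
    pos_on_ip: bool = False             # POS terminal or software connected to IP
    pos_software: bool = False          # POS is software, not a standalone terminal
    virtual_terminal: bool = False      # keyed entry only through a virtual terminal
    segmented: bool = False             # payment systems dedicated or segmented
    p2pe_hw: bool = False               # POS hardware managed with P2PE
    transactions_per_year: int = 0

SCAN_REQUIRED = {"B-IP", "C-VT", "C", "A-EP", "D"}   # rows marked '#' in the table

def saq_type(p: MerchantProfile) -> str:
    if p.stores_chd or len(p.channels) != 1:   # stored CHD or mixed channels -> D
        return "D"
    if "ecommerce" in p.channels:
        if not p.fully_outsourced:             # merchant processes/transmits CHD
            return "D"
        return "A-EP" if p.site_affects_payment else "A"
    if p.p2pe_hw:
        return "P2PE-HW"
    if not p.pos_on_ip:                        # analog terminal, not on IP
        return "B"
    if not p.segmented:                        # connected and not segmented -> D
        return "D"
    if p.virtual_terminal:
        return "C-VT"
    return "C" if p.pos_software else "B-IP"

def merchant_level(transactions_per_year: int) -> int:
    # the slide ties Level 3 to eCommerce merchants; volume alone is used here
    if transactions_per_year > 6_000_000:
        return 1
    if transactions_per_year >= 1_000_000:
        return 2
    return 3 if transactions_per_year >= 20_000 else 4

def validation_plan(p: MerchantProfile) -> dict:
    saq, level = saq_type(p), merchant_level(p.transactions_per_year)
    return {"saq": saq, "level": level, "quarterly_asv_scan": True,  # every level
            "scan_flag_in_saq_table": saq in SCAN_REQUIRED,
            "annual": "onsite review by QSA or Internal Audit signed by an officer"
                      if level == 1 else "Self-Assessment Questionnaire"}
```

The two scan fields are kept separate on purpose: the level slide says every merchant scans quarterly, while the SAQ table only flags some SAQs with '#'.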
PCI DSS separates - Vulnerability and Threat
Vulnerability – Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process
They are weaknesses in networked environments, web applications and physical premises
Threat – Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function
Advanced Persistent Threat
Pursues its objectives repeatedly over an extended period of time
Adapts to defenders’ efforts to resist it
Takes a targeted approach
Is determined to maintain the level of interaction needed to execute its objectives
PCI Lifecycle
(Figure: PCI lifecycle spanning Business Unit, IT Security, Compliance, Legal and Risk Services. Source: FoundStone)
PCI lifecycle - Discussion
1. Policy – authoritative source by which processes/actions are measured
2. Inventory – an accounting conducted by the auditee to validate fiduciary responsibilities are fulfilled
3. Prioritize – a determination of whether the auditee has evaluated assets and risks while “getting the job done”
PCI lifecycle – Continued…
4. Vulnerabilities – the weak link in the chain. Is a process in place to find vulnerabilities? Can the auditor find them?
5. Threats – what threats are known? Is a process in place to watch for new threats? Does the auditee have a process to eliminate, mitigate, or respond to threats?
6. Risk – the optimization of risk. Is risk reduced to acceptable levels? Risk to people, revenue, assets, and reputation? Evaluate decision to accept, avoid, reduce, or transfer the risk.
7. Remediation – when inadequacies are found, the auditor will want to see a plan to remedy the situation. The auditor will follow-up to validate that the remediation plan was implemented and works.
8. Measure – accounting is specific and measurable… auditors want to see the quantitative and qualitative results. Bean counters…
9. Compliance – a determination of how closely processes are aligning with authoritative guidance
PCI lifecycle – Continued…
Assess Risk: Assets × Vulnerabilities × Threats
The product of:
Assets
Vulnerabilities
Threats
Based upon the criticality of AVT
Focus your resources on the true risk
See handout – spreadsheet #1
Tools for Auditing PCI DSS in Your Institution
The Audit Process
Role of Internal Audit
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. ”
The Institute of Internal Auditors
Audit – Effective tool
Focus on risk of occurrences that could prevent the University from achieving its goals
Risk factors:
Impact
Probability
Controls
There are many types of risk – non-compliance, fraud, improper reporting, ineffective or inefficient use of resources, reputational/credibility loss, etc.
Focus on areas with high risk and high probability that controls are not in place or are weak
Audit – Internal Controls
Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws, regulations and policies
Authoritative Guidance
Federal statutes and regulations governing financial and personally identifiable data (GLBA, HIPAA, FERPA, FISMA)
State statutes and regulations governing financial and personally identifiable data
PCI DSS
The PCI Standards available from the PCI SSC Document Library: https://www.pcisecuritystandards.org/document_library
Contract with acquiring bank
Your institution’s own PCI regulations, policies, and procedures
Overview of Process
Audit Plan set by Audit Committee or governing structure
Planning
Conduct research on topic
Set scope, usually set by cardholder data environment
Develop audit program, internal control questionnaire (ICQ), preliminary request for information
Conducting fieldwork
Internal Control Questionnaires (Refer to hand outs)
Test work
Reporting
Planning
Planning and Risk Assessment Guide
Solicitation for Concerns
Preliminary Survey
Data Analysis and Sampling Methodology
Risk and Fraud Risk Assessment
Prior Audits
Authoritative Guidance
Background Information
Auditor Independence Statement
Scope and Objectives Memo
Entrance Letter
Preliminary Request for Information
Entrance Meeting
Key Contacts
Planning Meetings
Field Work
Use the program to evaluate information provided from prior steps (preliminary info request, ICQs, meetings, etc.)
Assessment of environment
Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)
Documentation of compensating controls
Attestation of Compliance and Action Plan for Non-Compliant Requirements (if applicable)
Approved Scanning Vendor (ASV) scan reports
Vendor SSAE-16 (Statement on Standards for Attestation Engagements) reports
Reporting
Deliverables: Report, memo
Provide findings and recommendations
Five elements of audit findings: Condition, criteria, cause, consequence (effect), corrective action (recommendation)
Quality of Internal Audit Report
Objective – Comments and opinions should be objective and unbiased
Clarity – Simple and straightforward
Accuracy – Comments correct and on-point
Brevity – Concise
Timeliness – Issued promptly after fieldwork
Reporting – continued…
What was found
Why it happened
What is required
What effect it has
Recommendation for improvement
Response – who, when and how
This can be combined with the:
Gap assessment
Vulnerability scan reports
Penetration test reports
Granularity
Determined by:
Risk-based auditing
Compliance-based auditing
Time
Scope
Sample Documents
• Program
• Preliminary Info Request
• ICQs
• Other helpful docs at:
– https://www.pcisecuritystandards.org
PCI Maturity Model
Level 0 – Not performed: Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.
Level 1 – Performed informally: There is evidence that the institution has recognized that the issues exist and need to be addressed. There are no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
Level 2 – Planned and tracked: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
Level 3 – Well defined and communicated: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
Level 4 – Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
Level 5 – Continuously improved: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity as recommended by the most current PCI DSS, providing tools to improve quality and effectiveness and making the institution quick to adapt.
Conclusions
• PCI compliance is not a one-time thing – it’s constantly changing
• Dissemination and training are very critical
• Assess your environment
• Do not hesitate to file deficiency reports and work on them
• Internal audit is an important tool to enforce compliance