the art of the compensating control v1_2
TRANSCRIPT
-
7/30/2019 The Art of the Compensating Control v1_2
1/12
The Art of the compensating control
Jonathan Care
Paresh Deshmukh
Global Security Consulting
-
What is a compensating control?
+ In the past:
Everything from a legitimate work-around for a
security challenge to something that the CIO wants to
achieve
+ Now:
Based on a risk analysis
Legitimate technological or documented business
constraint
+ Four criteria for validity:
Meet the intent and rigor of the original PCI DSS
requirement
Provide a similar level of defence as the original PCI
DSS requirement
Be above and beyond other PCI DSS requirements
(not simply in compliance with)
Be commensurate with the additional risk imposed by
not adhering to the PCI DSS requirement
-
What compensating controls are not!
+ Not a short cut to compliance
Harder to do
Cost more money in the long run than addressing the original issue
+ Not a permanent solution for a compliance gap
+ There is no compensating control for storing
sensitive authentication data after authorisation
+ While there is no defined lifespan for
compensating controls, they must be reviewed
as part of the annual assessment
Does it (still) meet the four criteria?
Does the original constraint still exist?
Is it still effective in the current security threat landscape?
-
Who approves compensating controls
+ Initial approval is by the complying organisation
Will this work for my organisation?
Can we support this?
+ Second stage approval is by the QSA
Does this meet the criteria for compensating
controls?
Am I willing to put my name to this?
+ Final stage approval is the Acquiring Bank
Substantial documentation is required
Open channel of communication
-
Lunchtime fun: The compensating control cha-cha
+ Encryption is a hotly debated topic
Just do it
It's a mainframe
+ Things that aren't encryption
RAID-5
Transposing digits in PAN
+ BUT ALSO
Disk-only encryption inside the data centre without additional user credentials
Transparent encryption appliances
+ By the way, encryption is not the problem with
Requirement 3; key management is!
Using COBOL's random number generator to generate 16 digits (128 bits) leads to
Lack of randomness due to entropy issues
Elimination of keyspace, leading to only 53 bits of possible key material
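The "53 bits" figure above is worth seeing worked through. A key built from 16 decimal digits can take only 10^16 values, and log2(10^16) is about 53.15, regardless of how many bytes the digits are packed into. The following Python is an added example, not code from the slides or from the presenters; the digit-key model, the review check and all function names are assumptions made for illustration. It computes the real keyspace for a given symbol alphabet and length, shows how much of the nominal 128 bits is lost, and includes a simple check a reviewer can run over stored key material: if every byte of a "random" key is an ASCII digit, the key cannot hold more than log2(10) bits per byte.

```python
import math
import secrets
import string

# Nominal key length the slide has in mind: 16 bytes = 128 bits (e.g. AES-128).
NOMINAL_KEY_BITS = 128


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a key made of `length` symbols, each drawn uniformly
    from an alphabet of `alphabet_size` values: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def bits_lost(alphabet_size: int, length: int, nominal: int = NOMINAL_KEY_BITS) -> float:
    """How far short of the nominal key length the construction falls."""
    return nominal - keyspace_bits(alphabet_size, length)


def search_space_shrink_factor(alphabet_size: int, length: int,
                               nominal: int = NOMINAL_KEY_BITS) -> float:
    """Ratio of the nominal keyspace (2**nominal) to the real one
    (alphabet_size**length): how many times smaller an exhaustive search is."""
    return 2 ** nominal / alphabet_size ** length


def decimal_digit_key(n_digits: int = 16) -> bytes:
    """Constructed model of the weak pattern from the slide: a 'key' that is
    n ASCII decimal digits packed into n bytes. The digits are chosen with
    `secrets`, so only the alphabet weakness is modelled, not the generator's
    entropy problems; even so, at most 10**n distinct keys can ever exist."""
    return "".join(secrets.choice(string.digits) for _ in range(n_digits)).encode("ascii")


def proper_key(n_bytes: int = 16) -> bytes:
    """Key material from the OS CSPRNG: every byte can take any of 256 values."""
    return secrets.token_bytes(n_bytes)


def all_ascii_digits(key: bytes) -> bool:
    """Review check for a key file or key blob: every byte an ASCII digit
    ('0'..'9') means at most log2(10) bits of entropy per byte."""
    return len(key) > 0 and all(0x30 <= b <= 0x39 for b in key)


def max_bits_for_key(key: bytes) -> float:
    """Upper bound on the entropy of a key, given what its byte alphabet reveals."""
    if all_ascii_digits(key):
        return keyspace_bits(10, len(key))
    return keyspace_bits(256, len(key))


if __name__ == "__main__":
    weak = decimal_digit_key()
    strong = proper_key()
    print(f"16 decimal digits: {keyspace_bits(10, 16):.2f} bits "
          f"({bits_lost(10, 16):.2f} bits short of {NOMINAL_KEY_BITS})")
    print(f"search space shrinks by a factor of {search_space_shrink_factor(10, 16):.2e}")
    print(f"digit key flagged: {all_ascii_digits(weak)}, bound {max_bits_for_key(weak):.2f} bits")
    print(f"CSPRNG key flagged: {all_ascii_digits(strong)}, bound {max_bits_for_key(strong):.0f} bits")
```

The same arithmetic generalises to any restricted alphabet: hex characters give 4 bits per byte (64 bits for a 16-byte key), and alphanumerics about 5.95, so "128-bit" keys that are really printable strings are a recurring Requirement 3 finding, not a COBOL-specific one.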
-
Sample Compensating Control (1)
+ Routers do not support SSH (PCI
Requirement 2.3)
+ Databases need encryption (PCI
Requirement 3.4)
+ Costs: Original cost estimates of
upgrade: 125MM
+ Risks:
Card numbers are not encrypted
at the point of sale
Routers/Switches can redirect or
span traffic for capture
[Diagram labels: Associate, Application Servers, Mainframe Database Servers, Corporate Offices, Financial Institution, Customer]
-
Sample Compensating Control (2)
+ Transaction Data:
Now encrypted at the point of sale using industry-accepted
algorithms
Stays encrypted until passed to
financial institution
+ PANs are replaced with reference
numbers when transaction
returns
+ Mitigated risks by rendering the
data unreadable
[Diagram labels: Associate, Application Servers, Mainframe Database Servers, Corporate Offices, Financial Institution, Customer]
Unencrypted Card: 4111111111111111
Encrypted Card Number: aWxvdmVjcmVkaXRjYXJkcw==
-
Compensating control Ju-Jitsu (The Art of Compliance)
+ Reduce the scope of PCI to the bare minimum required
Can you truncate PAN data?
Does your ecommerce site really need
to be in the payment flow?
+ Ask the hard questions
Why do you need this?
What would you do without it?
+ In the event of a breach, how will this
assist a forensic investigator?
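Three slides touch the same question: what actually renders a PAN unreadable? The "things that aren't encryption" list names transposing digits, the sample slide shows an "encrypted card number" that is only Base64, and the scope-reduction slide asks whether PAN data can be truncated or replaced with reference numbers. The following Python is an added example, not code from the slides or the presenters; the Luhn check, the masking format, the token vault and every function name are assumptions made for illustration. It shows that a transposition or an encoding is reversible by anyone with no key, then contrasts that with truncation (the middle digits are discarded) and tokenization (the PAN leaves the downstream systems entirely).

```python
import base64
import binascii
import secrets
from typing import Optional

# Values taken from the slide: the well-known test PAN and its "encrypted" form.
SLIDE_PAN = "4111111111111111"
SLIDE_CIPHERTEXT = "aWxvdmVjcmVkaXRjYXJkcw=="


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, used here to decide whether a string still looks like a PAN."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def base64_plaintext(value: str) -> Optional[str]:
    """If `value` is merely Base64, return the text anyone can recover from it
    without a key; None if it is not valid Base64 or does not decode to printable text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def transpose_digits(pan: str, i: int, j: int) -> str:
    """Swap two digit positions. Applying the same swap again restores the PAN:
    a fixed permutation with no key to withhold is obfuscation, not encryption."""
    chars = list(pan)
    chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS masking limit).
    The middle digits are discarded, not hidden, so the result is no longer a PAN."""
    if len(pan) < 10:
        raise ValueError("PAN too short to truncate")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal model of 'PANs replaced with reference numbers': downstream systems
    keep only the reference, and the PAN exists in this one vault. Assumed design
    for illustration, not anything described on the slides."""

    def __init__(self) -> None:
        self._pan_to_ref: dict[str, str] = {}
        self._ref_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_ref:
            return self._pan_to_ref[pan]
        # Random reference with a non-numeric prefix so it can never pass for a PAN.
        ref = "REF-" + secrets.token_hex(8)
        self._pan_to_ref[pan] = ref
        self._ref_to_pan[ref] = pan
        return ref

    def detokenize(self, ref: str) -> str:
        """Only the vault, on an authorised path, can map a reference back."""
        return self._ref_to_pan[ref]


if __name__ == "__main__":
    print("slide 'ciphertext' decodes to:", base64_plaintext(SLIDE_CIPHERTEXT))
    swapped = transpose_digits(SLIDE_PAN, 0, 15)
    print("transposed:", swapped, "-> restored:", transpose_digits(swapped, 0, 15))
    print("truncated:", truncate_pan(SLIDE_PAN), "Luhn-valid:", luhn_valid(truncate_pan(SLIDE_PAN)))
    vault = TokenVault()
    print("reference:", vault.tokenize(SLIDE_PAN))
```

Run as-is, the first line prints the plaintext hidden in the slide's sample "encrypted" value, which is the point: an assessor should decode before accepting a value as ciphertext. The vault is the part that changes scope, since systems holding only `REF-` values never see cardholder data.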
-
Compensating control Ju-Jitsu (The Art of Compliance)
+ Not the golden parachute of compliance
initiatives.
+ Require work to build effective ones that will
pass the scrutiny of both a QSA and an
acquiring bank (or card brand).
Compensating controls may help you lower
the bar of compliance in the short term, but
remember, only you can prevent a security
breach.
-
Data Breaches vs. Data Protection (Here's Why)
** Gartner Toolkit Presentation: PCI Compliance Is Hard to Achieve but Worthwhile - 4 May 2007
-
Data Breach Concerns
Source - Verizon 2009 Data Breach Report
-
Final Thought: Why be compliant?