Internet Security Systems (ISS) an IBM owned Company
Payment Card Industry (PCI)
Cary Lynch – Engagement Manager, IBM Internet Security Systems
Ahead of the threat.™
5/25/2017 © 2009 IBM Corporation

My Role
Cary Lynch – West Engagement Manager (Security Services)
– Engagement Management of PCI projects in region
– Facilitation of Merchant / Acquirer Bank communication throughout the remediation effort
– Certified QSA to conduct PCI Assessments

Agenda – PCI and Limited Budgets
– IBM ISS Overview
– PCI Overview
  • PCI History
  • PCI Assessment Criteria
– Consequences of No Action
– The Reality of Limited Budgets
  • Where to Start?
  • What to Do?
– How to Stay Compliant

The reality of limited budgets
– PCI compliance does not equal good information security
– Good information security can lead to PCI compliance
– Becoming PCI compliant (or staying PCI compliant) requires a budget, but…
– There are ways to become (or stay) PCI compliant without breaking the bank
So, the question becomes…
– What to do with a limited budget?
– Where to start on a limited budget?

PCI History
– Visa first developed the Cardholder Information Security Program (CISP)
– MasterCard and others started to develop separate criteria – all slight variations of each other
– In 04/05, Visa and MasterCard formally agreed to combine efforts and created the Payment Card Industry (PCI) assessment criteria
  • Visa's heavy policy emphasis
  • MasterCard's technical scanning requirements
– In 09/06, all payment card providers joined forces to establish the PCI Security Standards Council (PCISSC)
  • Founders include: American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International
  • Several releases of PCI data security standards: PCI v1.2 released Oct. 2008
  • http://www.pcissc.org

What is the PCI DSS
An information security standard that includes:
– Objectives
– Requirements
– Controls
Created to assist organizations in protecting cardholder data.

PCI Requirements – The "Digital Dozen"
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by "need to know"
8. Assign unique IDs to each person with access
9. Restrict physical access to information
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Implement an information security policy

Who is required to be PCI compliant?
Any merchant or service provider that stores, processes, or transmits cardholder data!

When are you required to be PCI compliant?
The initial PCI compliance deadlines for merchants and service providers have passed.

Merchant Criteria – Risk Prioritized Validation (Visa)
Merchant Level – Annual Transaction Volume
– Level 1: 6 Million or more; also any merchant that has suffered an attack
– Level 2: 1 Million to 6 Million
– Level 3: 20,000 – 1 Million transactions
– Level 4: All other merchants

Compliance Requirements for Merchants (Visa)
Columns: Validation Action Required | Scope of Validation | Validation by
Level 1
– Annual On-site Audit (Report On Compliance) | Any systems storing, processing, or transmitting Visa cardholder data | Independent Assessor, or Internal Audit if signed by an Officer of the company
– Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 2
– Annual PCI Self Assessment Questionnaire | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
– Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 3
– Annual PCI Self Assessment Questionnaire | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
– Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
Level 4
– Annual PCI Self Assessment Questionnaire (recommended) | Any systems storing, processing, or transmitting Visa cardholder data | Merchant
– Quarterly Network Scan (recommended) | Internet Facing Perimeter Systems | Approved Scan Vendor

Service Provider Criteria – Risk Prioritized Validation (Visa)
Validation Priority – Annual Transaction Volume
– Level 1: All VisaNet Processors (Member and non-Member); all Payment Gateways; any service provider that stores, processes or transmits over 300,000 transactions annually
– Level 2: Service Providers not in Level 1 that store, process or transmit fewer than 300,000 transactions annually

Compliance Requirements for Service Providers (Visa)
Columns: Validation Action Required | Scope of Validation | Validation by
Level 1
– Annual On-site Security Audit | Any systems storing, processing, or transmitting Visa cardholder data | Qualified Independent Security Assessor
– Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
– Included on Visa Inc's List of PCI DSS Compliant Service Providers
Level 2
– Annual On-site Security Audit | Any systems storing, processing, or transmitting Visa cardholder data | Qualified Independent Security Assessor
– Quarterly Network Scan | Internet Facing Perimeter Systems | Approved Scan Vendor
– Not included on Visa Inc's List of PCI DSS Compliant Service Providers

PCI Process
To be an approved 3rd party PCI assessor:
– Participate in PCI training (and pass the exam)
– Obtain CPE Credits on a 3 year cycle
– Individual background checks
– Both the organization and the individual must be certified:
  • Qualified Security Assessor Company (QSAC)
  • Approved Scan Vendor (ASV)
  • Qualified Security Assessor (QSA)
  • Qualified Payment Application Security Professional (PA-DSS) – must also already be a QSAC
– All assessors must follow the Data Security Standards (DSS) and generate an approved Report on Compliance (ROC) to meet documentation requirements
– All quarterly scanning must utilize the same software and the approved PCI scan policy

Consequences of NO Action
– Acquirers may be levied fines of $5000-$100,000 a month for non-compliance.
  • This may be passed down to you.
– Increased transaction fees
– Potential termination of the relationship
– Ultimately up to your acquiring bank's discretion…

PCI non-compliance and a Breach (or suspicion of a breach)
– Brand name damage should a breach occur
  • Loss of existing and new customers
– Potential forensic analysis costs
– Cost of dealing with a breach
  • Detection
  • Notification
  • Follow-up

Cost of a Breach
[Figure: cost-of-a-breach data, source: Ponemon Institute]

What we typically see out there… – Common Findings
– Lack of network segmentation
– Lack of knowledge of where all the data is at rest
– Lack of encryption for data at rest
– Storing too much data
– Lack of encryption for emails and messaging
– Lack of segregation of duties
– Back end operation networks breaking the isolation of PCI networks from other networks
– Too many firewall rules with no business justification
– Generic IDs and shared IDs
– Insufficient documented policies and procedures

PCI – Where to Start on a limited budget?
Identify where PCI data is stored, processed, and transmitted
– Map your data flow
– Who has access to PCI data and systems
– Evaluate your processes
– Document your processes (policy, procedures)

PCI – What to do with a limited budget?
Reduce your PCI in-scope environment
– Segmentation
– Stop/Modify unnecessary processes
  • Ask yourself, is this necessary and required?
– Limit data retention to only what is necessary
  • Do not store what you do not need.
– Only allow access to those who require it
– Ask an Expert
– Consider compensating controls
– Document your standards
Prioritize Your Approach

Phases 1–6 (www.pcisecuritystandards.org)
Each phase slide repeats the items of "Reduce your PCI in-scope environment" that apply to that phase:
– Phase 1: Stop/Modify unnecessary processes (ask yourself, is this necessary and required?); Limit data retention to only what is necessary (do not store what you do not need)
– Phase 2: Segmentation; Stop/Modify unnecessary processes
– Phase 3: Segmentation; Stop/Modify unnecessary processes
– Phase 4: Stop/Modify unnecessary processes; Only allow access to those who require it
– Phase 5: Stop/Modify unnecessary processes; Limit data retention to only what is necessary; Only allow access to those who require it
– Phase 6: Stop/Modify unnecessary processes; Limit data retention to only what is necessary; Only allow access to those who require it; Ask the Expert

Prioritize your approach
www.pcisecuritystandards.org

Compensating Controls – What is it?
Used when an entity cannot meet a requirement explicitly due to LEGITIMATE technical or documented business constraints.
A compensating control must:
– Meet the intent and rigor of the requirement
– Sufficiently offset the risk that the original requirement was designed to defend against
– Be above and beyond other PCI requirements
– Be commensurate with the additional risk imposed by not adhering to the original PCI requirement
Compensating Controls are typically valid for 1 year. (PCI SSC)

Compensating Controls – Example
An FTP server has been utilized for transferring data including cardholder information. The customer could not implement a secure form of transfer prior to the compliance deadline due to documented business constraints.
– Install the latest, most updated version of the FTP daemon on the FTP server.
– Lock down all directories so that only authorized users can get access to their own directories and no one else's.
– Disable anonymous access.
– Enable audit logging to a file in /var/log that logs who transferred what and when.
– Enable disk quotas at 4GB, so that someone with mal-intent cannot fill up the disk with extraneous data.
– Lock down network access to the FTP server(s) to specific IP addresses.
– Enable a strong password policy for each user ID that has access to the FTP server.
– Enable account lockout after 5 failed attempts; the lockout persists until an Administrator unlocks the account.
– Encrypt any sensitive cardholder data that may be resident on the FTP server(s).
– Enable TCP wrappers to more closely monitor access.
– Require the FTP server to display a warning banner.

How to stay PCI compliant
– PCI compliance is required
– Executive Sponsorship/Buy-in
– Evaluate any new business process to see how it will affect your PCI compliance status/PCI environment.
  • Is it necessary/required?
  • What is the impact?
– Continue PCI processes
  • Penetration Testing, Network scans, Internally developed processes.
– Consider PCI a lifecycle process, not a last-minute requirement.

Questions?
Thank You!
IBM Internet Security Systems – Ahead of the threat.™
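The FTP compensating-controls example above is a list of measures an assessor would verify one by one. As an added illustration (not from this deck or from IBM), the following Python script checks a constructed vsftpd configuration, a PAM lockout line and a TCP-wrappers rule against six of those measures; the option names (anonymous_enable, chroot_local_user, xferlog_enable, xferlog_file, ftpd_banner, pam_tally2 deny/unlock_time, hosts.allow) are real vsftpd, PAM and TCP-wrappers names, and the sample values are constructed.

```python
import re
# Constructed sample inputs (not from a real host): a vsftpd.conf, the PAM
# line that implements lockout, and the TCP-wrappers rule for the daemon.
VSFTPD_CONF = """\
anonymous_enable=NO
chroot_local_user=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=Authorized use only. All transfers are logged and monitored.
"""
PAM_VSFTPD = "auth required pam_tally2.so deny=5\n"
HOSTS_ALLOW = "vsftpd: 10.20.30.5, 10.20.30.6\n"

def parse_kv(text):
    """Parse vsftpd-style key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_ftp_controls(vsftpd_text, pam_text, hosts_allow_text):
    """Map each checkable compensating control from the deck to pass/fail."""
    c = parse_kv(vsftpd_text)
    # Lockout after 5 failures that persists until an admin unlocks: pam_tally2
    # deny<=5 and no unlock_time (unlock_time would auto-release the account).
    pam = re.search(r"pam_tally2\.so\b(.*)", pam_text)
    opts = pam.group(1) if pam else ""
    deny = re.search(r"\bdeny=(\d+)", opts)
    lockout_ok = bool(deny) and int(deny.group(1)) <= 5 and "unlock_time" not in opts
    # Network access limited to specific IPs: every hosts.allow entry for vsftpd
    # must be a literal IPv4 address (no ALL, no wildcards, no subnets).
    rule = re.search(r"^\s*vsftpd\s*:\s*(.+)$", hosts_allow_text, re.M)
    hosts = [h.strip() for h in rule.group(1).split(",")] if rule else []
    ips_ok = bool(hosts) and all(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) for h in hosts)
    return {
        "anonymous access disabled": c.get("anonymous_enable", "YES").upper() == "NO",
        "users locked to their own directory": c.get("chroot_local_user", "NO").upper() == "YES",
        "audit log under /var/log": c.get("xferlog_enable", "NO").upper() == "YES"
        and c.get("xferlog_file", "").startswith("/var/log/"),
        "warning banner displayed": bool(c.get("ftpd_banner") or c.get("banner_file")),
        "network access limited to specific IPs": ips_ok,
        "lockout after 5 failures until admin unlock": lockout_ok,
    }

def failing_controls(vsftpd_text, pam_text, hosts_allow_text):
    """Sorted names of controls that fail: a quick remediation list."""
    return sorted(k for k, ok in check_ftp_controls(vsftpd_text, pam_text, hosts_allow_text).items() if not ok)
```

The remaining measures (daemon version, disk quotas, password policy, encryption of resident data, TCP wrappers being enabled at all) live outside these three files and need their own checks.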