Staying PCI Compliant (presentation transcript)

1 Staying PCI Compliant
Good morning. Welcome to "Staying PCI Compliant."
2 Presenters
Erik Janis » VP, Technical Services
Govind Shankar » Director, Systems Operations and Security
Gene Welch » Manager, Customer Services
3 Agenda: Discussion Points
- PCI DSS Update
- Operational impact of new PCI-DSS 3.0 requirements
- Card Data Security Update
- Compliance and Security Concepts
- Paciolan Application Compliance and Security
- Q/A
* Disclaimer: Presenters are not Visa certified QSAs
Questions for the audience: 1.) How many people are business side vs. tech side? 2.) How many saw last year's PCI session?
4 Compliance is NOT Security
Theme of the day: Compliance is NOT Security
- Compliance is mandatory so you can process credit cards
- Security keeps you out of the news: Target Stores, Sony Pictures, Anthem Blue Cross
- Controls are important
- Most breaches happen from the INSIDE!
- Awareness is the first step in becoming secure...
I want to leave you with a sense of the differences between security and compliance.
5 PCI DSS Update
- PCI-DSS 2.0 was valid and accepted by Visa until 12/31/14
- Paciolan processed under 2.0 for this year
- Too much ambiguity amongst QSAs for how to evaluate 3.0
- GAP analysis
6 PCI DSS Update
- PCI DSS 3.0 is mandatory from 12/31/14 onward
- Provides stronger focus on some of the greater risk areas in the threat environment
- Strong focus on POS device security!
- Provides increased clarity on PCI DSS & PA-DSS requirements
- Helps manage evolving risks / threats
- Aligns with changes in industry best practices
- Clarifies scoping and reporting
- Standards will evolve slowly
- New items and clarifications will be introduced periodically
- 'Guidance' or 'Best Practices'
7 PCI DSS 3.0 Changes
There are two major changes in DSS 3.0 that affect Paciolan and will trickle down to you...
8 PCI DSS 3.0 Changes
Section 9.9.2: Inspection/tamper detection of payment devices
- Create a control environment to detect and react to tampering
- Regular testing
- Reporting results
- Provide training of personnel and maintain appropriate documentation
9 PCI DSS 3.0 Changes
Section 12.8: Definition of PCI control responsibilities between Service Provider and Customer
- Define and document who has responsibility for securing what: Client vs. Paciolan
- Customer equipment: Paciolan can't reasonably secure it (PCs, kiosks, swipers, network devices, etc.)
- Paciolan equipment: Pac will need to set up more standardized controls around VPN units and Pac-VT devices
- Amendment of agreements and contracts with said language: Paciolan
10 Summary: PCI DSS 3.0 Changes
- Clarification and documentation of policies, procedures, and definition of responsibilities
- Legal / contract requirements
- Inventories and documentation of in-scope equipment
12 Card Data Security Update
EMV / 'Chip and Signature'. What we know:
- Liability shift to banks and merchants in October 2015
- Visa is supporting 'Chip and Signature', not 'Chip and PIN'
- EMV efforts will be advanced on a per-processor basis
- You hold the merchant relationship with bank/processor
- Paciolan is researching CyberSource-compatible hardware and awaiting the release of APIs to scope the development effort
- Card reader hardware will cost between $250 and $750 per unit. Higher price point units will give more than just basic EMV capability
- Future encryption options
- Contactless payment option: Google Wallet, Apple Pay, others?
- US processors and acquirers are dragging their feet. Anything in the US that adds friction to payments is resisted.
13 Card Data Security Update
Card Security Road Map
- Payment Processing Enhancements for eVenue (7.2): utilizes the same modernized payment architecture as Pac 7.x
- Tokenization: based on VISA and CyberSource offerings
- Pac 8: PII data field encryption / de-identification
- P2PE solutions: there are now 7 certified solutions. Support is limited to very specific hardware devices.
14 Govind Shankar » Director, Systems Operations and Security
15 You are PCI Compliant... Now what?
- Keep momentum going...
- Mitigate extra costs...
- Best allocate resources...
- Evolving PCI climate...
16 Engage the Business...
- Drive security-conscious behavior
- Make informed risk-based decisions
- Cultural change and employee awareness
- Compliance and Business
- PCI as brand protection
17 Closing the Gap between Compliance and Security
- Adhering to industry regulations is not sufficient
- Ever-increasing number and sophistication of attacks...
- Segmentation and strategies for moving from compliance to security
- The future of PCI standards
18 Case Study: Target
Impact: According to the NY Times, credit and debit card information for 40 million of Target's customers had been compromised. An additional trove of personal information from some 70 million people had been exposed as well.
Situation:
- Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out that 40 million Target credit cards had been stolen by accessing data on point of sale (POS) systems.
- The breach transpired between November 27 and December 15. Over 11 GB of data was stolen.
- Target missed internal alerts and found out about the breach when they were contacted by the Department of Justice.
- A series of steps were taken by the adversaries to obtain access to the credit card data and retrieve it from Target's systems. A breakdown in detection further increased data loss.
Contributing Factors:
- "Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit," so the attacker knew to look for these pivot points.
- The number of POS machines that were compromised in a short amount of time indicates that the software was likely distributed to them via an automated update process.
- Data was moved to drop locations on hacked servers all over the world via FTP.
- Monitoring software alerted staff, but no action was taken.
"Target was certified as meeting the standard for the payment card industry (PCI) in September. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology." – former Target Chairman, President and CEO Gregg Steinhafel
19 Case Study: Neiman Marcus
Impact:
- 350,000 customer cards were exposed; approximately 9,200 of those were fraudulently used.
- The data breach cost the retailer $4.1 million in legal fees, investigations, customer communications and credit monitoring services.
Situation:
- Hackers broke into Neiman Marcus' store four months prior to stealing card data in July 2013, using memory-scraping malware. Fraudulent card usage was subsequently detected in December 2013.
- The hackers exploited a vulnerable server to circumvent the POS systems and reloaded their software on multiple registers after it was deleted at the end of each day.
- To masquerade their activities in the protection logs, the hackers gave the malware a name nearly identical to the company's payment software.
Contributing Factors:
- The system's ability to automatically block the suspicious activity it flagged was turned off.
- Network segmentation was not implemented.
- The 60,000 alerts set off by the malware were interpreted as false positives associated with the legitimate software.
"During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware," the company wrote. "To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."
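As an added example (not part of the presentation), two of the contributing factors in the case studies above can be caught with simple checks over endpoint records: a process masquerading under a near-identical name to the legitimate payment software, and one signature firing across many registers that was written off as a false positive. The legitimate application name and path are assumptions, and every process and alert record below is constructed.

```python
"""Added example, not from the presentation. Two detection checks aimed at the
contributing factors in the case studies: a near-identical process name run from
an unapproved path, and an alert signature repeating across hosts. All records
below are constructed."""
import difflib

# Assumed (hypothetical) legitimate payment application name and install path.
LEGIT_NAME = "paymentsvc.exe"
LEGIT_PATH = r"C:\Program Files\Vendor\paymentsvc.exe"

# Constructed process-start records: (host, image name, full path).
PROCESS_LOG = [
    ("POS-01", "paymentsvc.exe", r"C:\Program Files\Vendor\paymentsvc.exe"),
    ("POS-01", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("POS-02", "paymentsvcs.exe", r"C:\Windows\Temp\paymentsvcs.exe"),
    ("POS-07", "paymentsvc.exe", r"C:\Users\Public\paymentsvc.exe"),
]

# Constructed endpoint alerts: (host, signature).
ALERT_LOG = [
    ("POS-01", "memory.scrape.generic"),
    ("POS-02", "memory.scrape.generic"),
    ("POS-03", "memory.scrape.generic"),
    ("POS-05", "removable.media.inserted"),
]


def masquerading_processes(log, legit_name=LEGIT_NAME, legit_path=LEGIT_PATH, cutoff=0.85):
    """Return (host, name, path) for images whose name closely resembles the
    payment application but which run from a path other than the approved one.
    An exact-name match from the wrong directory is the strongest signal."""
    hits = []
    for host, name, path in log:
        if path.lower() == legit_path.lower():
            continue  # the real application in its approved location
        similarity = difflib.SequenceMatcher(None, name.lower(), legit_name.lower()).ratio()
        if similarity >= cutoff:
            hits.append((host, name, path))
    return hits


def widespread_signatures(alerts, min_hosts=3):
    """Return signatures seen on at least min_hosts distinct hosts. A 'false
    positive' that repeats across registers deserves escalation, not dismissal."""
    hosts_by_sig = {}
    for host, sig in alerts:
        hosts_by_sig.setdefault(sig, set()).add(host)
    return sorted(sig for sig, hosts in hosts_by_sig.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for hit in masquerading_processes(PROCESS_LOG):
        print("masquerade candidate:", hit)
    for sig in widespread_signatures(ALERT_LOG):
        print("escalate signature:", sig)
```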
20 Security Program Maturity Measurement
- Who has access?
- Awareness and training programs?
- What data is most important to my organization (PII, PCI, IP, trade secrets)?
- Clearly defined data classification?
- Have tools and techniques in place to protect sensitive information?
- Technical controls in place
While there is no one right approach, having the right balance of people, process and technology can help you adopt a holistic view of the entire organization and make the right choices in your information security deployments. Put simply, people, process and technology are all important aspects of IT, and security cannot be implemented successfully until the challenges you face in each of these three components are addressed.
21 General Security Best Practices
- Never reply to an email to "unsubscribe" from unknown sources.
- Watch out for shoulder surfers.
- Passwords should be used by only one person.
- Read error messages and checkboxes.
- Dumpster diving.
- Limit social engineering.
- Phishing.
- Café session hijacks.
23 Staying PCI Compliant
- Compliance and security
- External threat vs. internal threat
- External controls and internal controls
- Application level access controls
- Application logs
- Procedural controls to increase accountability
24 Compliance and Security
- Building codes
- Highway safety laws
25 External and Internal Threats
External threats vs. internal threats:
- High profile breaches: risk of compromised data
- Embezzlement
- Theft of inventory
- Misappropriation of assets
26 External Controls and Internal Controls
- External: the system's ability to resist unauthorized attempts at access while allowing legitimate users to access data
- Internal: once you have decided to allow legitimate users in, your internal controls come into play
35 Application Logs
Seat Status Changes (aka Seat History)
36 Additional Internal Controls
Procedural controls to increase accountability:
- User logins (aix, UniVerse, Pac7): generic?
- Daily balancing to system records
- Complimentary ticket procedures and oversight
- Monitor ticket returns and credit card refunds
- Tickets/barcodes voided after an event
- Disabling system access when someone leaves the organization
37 Paciolan New User and Password Policy
- New users are only added to the system upon confirmation with authorized personnel approval
- Requested password changes for existing users will be emailed to the confirmed contact address obtained from the Paciolan CRM system