Presentation is loading. Please wait.

Presentation is loading. Please wait.

Staying PCI Compliant Good morning. Welcome to “staying PCI compliant.

Similar presentations

Presentation on theme: "Staying PCI Compliant Good morning. Welcome to “staying PCI compliant."— Presentation transcript:

1 Staying PCI Compliant Good morning. Welcome to “staying PCI compliant.

2 Presenters Erik Janis » VP, Technical Services
Govind Shankar » Director, Systems Operations and Security Gene Welch » Manager, Customer Services

3 Agenda: Discussion Points PCI DSS Update Card Data Security Update
Operational impact of new PCI-DSS 3.0 requirements Card Data Security Update Compliance and Security Concepts Paciolan Application Compliance and Security Q/A * Disclaimer – Presenters are not Visa certified QSAs Question the Audience for: 1.) How many people are business side, vs. tech side? 2.) How many saw last year’s PCI session?

4 Compliance is NOT Security
Theme of The Day Compliance is NOT Security Compliance is mandatory so you can process credit cards Security keeps you out of the news Target Stores Sony Pictures Anthem Blue Cross Controls are important Most breaches happen from the INSIDE! Awareness is the first step in becoming secure…. I want to leave you with a sense of the differences between security and compliance.

5 PCI DSS Update PCI-DSS 2.0 2.0 was valid and accepted by Visa until 12/31/14 Paciolan processed under 2.0 for this year Too much ambiguity amongst QSAs for how to evaluate 3.0 GAP analysis.

6 PCI DSS 3.0 is mandatory from 12/31/14 onward
PCI DSS Update PCI DSS 3.0 is mandatory from 12/31/14 onward Provide stronger focus on some of the greater risk areas in the threat environment Strong focus on POS device security! Provide increased clarity on PCI DSS & PA-DSS requirements Help manage evolving risks / threats Align with changes in industry best practices Clarify scoping and reporting Standards will evolve slowly New items and clarifications will be introduced periodically ‘Guidance’ or ‘Best Practices’

7 PCI DSS 3.0 Changes There are two major changes in DSS 3.0 that affects Paciolan that will trickle down to you….

8 Section 9.9.2 - Inspection/tamper detection of payment devices
PCI DSS 3.0 Changes Section Inspection/tamper detection of payment devices Create control environment to detect and react to tampering Regular testing Reporting results Provide training of personnel and maintain appropriate documentation

9 PCI DSS 3.0 Changes Section 12.8, Definition of PCI control responsibilities between Service Provider and Customer Define and document who has responsibilities for securing what Client vs. Paciolan Customer equipment - Paciolan can’t reasonably secure (PCs, Kiosks, swipers, network devices, etc.) Paciolan equipment - Pac will need to setup more standardized controls around VPN units, Pac-VT devices. Amendment of agreements and contracts with said language – Paciolan

10 Summary: PCI DSS 3.0 Changes
Clarification and documentation of policies, procedures, and definition of responsibilities Legal / contract requirements Inventories and documentation of in-scope equipment

11 Credit Card Security Update
EMV eVenue Payment Processing Tokenization Personally Identifiable Information (PII)

12 Card Data Security Update
EMV / ‘Chip and Signature’ What we know: Liability shift to banks and merchants in October, 2015 Visa is supporting ‘Chip and Signature’, not ‘Chip and Pin’ EMV efforts will be advanced on a per processor basis You hold the merchant relationship with bank/processor Paciolan is researching CyberSource compatible hardware and awaiting the release of APIs to scope development effort Card reader hardware will cost between $250 and $750 per unit. Higher price point units will give more than just basic EMV capability Future encryption options Contactless payment option: Google Wallet, Apple Pay, others? US processors and acquirers dragging their feet.  Anything in US that adds friction to payments is resisted.

13 Card Data Security Update
Card Security Road Map Payment Processing Enhancements for eVenue (7.2) Utilizes same modernized payment architecture as Pac 7.x Tokenization Based on VISA and CyberSource Offerings Pac 8 PII Data Field Encryption / De-Identification P2PE Solutions: Now there are 7 certified solution. Supported limited to very specific hardware devices.

14 Govind Shankar Director, Systems Operations and Security

15 You are PCI Compliant.. Now what?
Keep momentum going…. Mitigate extra costs.. Best allocate resources.. Evolving PCI climate…

16 Drive security-conscious behavior Make informed risk-based decisions
Engage the Business….. Drive security-conscious behavior Make informed risk-based decisions Cultural change and employee awareness Compliance and Business PCI as brand protection

17 Closing the Gap between Compliance and Security
Adhering to industry regulations is not sufficient Ever increasing number and sophistication of attacks.. Segmentation and strategies for moving from compliance to security The future of PCI standards

18 Case Study: Target Impact Contributing Factors. Situation
According to NY Times, Credit and debit card information for 40 million of Target’s customers had been compromised. An additional trove of personal information from some 70 million people had been exposed as well. Situation Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen by accessing data on point of sale (POS) systems . The breach transpired between November 27 and December 15th Over 11 GB of data was stolen. Target missed internal alerts and found out about the breach when they were contacted by the Department of Justice. A series of steps were taken by the adversaries to obtain access to the credit card data and retrieve it from Target’s systems. A break down in detection further increased data loss. Contributing Factors. “Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit” so the attacker knew to look for these pivot points. The number of POS machines that were compromised in a short amount of time indicates that the software was likely distributed to them via an automated update process. Data was moved to drop locations on hacked servers all over the world via FTP Monitoring software alerted staff ,but no action was taken. “Target was certified as meeting the standard for the payment card industry (PCI) in September Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology” – former Target Chairman, President and CEO Gregg Steinhafel

19 Impact Situation Contributing Factors Case Study:
350,000 customer cards were exposed; Approximately 9,200 of those were fraudulently used. The data breach caused the retailer $4.1 million in legal fees, investigations, customer communications and credit monitoring services. Situation Hackers broke into Neiman Marcus’ store four months prior to stealing card data in July 2013, using memory-scrapping malware. Fraudulent card usage was subsequently detected in December 2013. The hackers exploited a vulnerable server to circumvent the POS systems and reloaded their software on multiple registers after it was deleted at the end of each day. To masquerade their activities in the protection logs the hackers gave the malware a name nearly identical to the company’s payment software. Contributing Factors The systems ability to automatically block the suspicious activity it flagged was turned off. Network Segmentation was not implemented The 60,000 alerts set off by the malware were interpreted as false positives associated with the legitimate software. “During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware,” the company wrote. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.”

20 Security Program Maturity Measurement
Who has access? Awareness and training programs? What data is most important to my organization (PII, PCI, IP, trade secrets)? Clearly defined data classification? Have tools and techniques in place to protect sensitive information? Technical controls in place While there is no one right approach, having the right balance of people, process and technology can help you adopt a holistic view of the entire organization, to make right choices in your information security deployments. Put simply, people, process and technology are all important aspects of IT, and security cannot be implemented successfully until the challenges you face in each of these three components are addressed.

21 General Security Best Practices..
Never reply back to an to "unsubscribe“ from unknown sources. Watch out for Shoulder surfers.. Passwords should be used by only one person Read Error Messages and checkboxes.. Dumpster Diving.. Limit Social Engineering.. Phishing.. Café session hijacks..

22 Gene Welch Manager, Customer Services

23 Compliance and security External threat vs. internal threat
Staying PCI Compliant Compliance and security External threat vs. internal threat External controls and internal controls Application level access controls Application logs Procedural controls to increase accountability

24 Compliance and Security
Building codes Highway safety laws

25 External and Internal Threats
External threats vs. internal threats High profile breaches - risk of compromised data Embezzlement Theft of inventory Misappropriation of assets

26 External Controls and Internal Controls
External - The system’s ability to resist unauthorized attempts at access while allowing legitimate users to access data Internal - Once determining to allow legitimate users, your internal controls come into play

27 Internal Controls and Fraud Detection

28 Application level access controls
Application Controls Application level access controls Back office operator access Selling controls

29 Application Controls Operator Access

30 Application Controls Selling Control

31 Application Controls Pac7 Selling Control

32 Application logging Application Logs System process log
Transactions record operator, date and time Transaction source and selling control Seat status changes by operator, date and time

33 Operator usage log report
Application Logs Operator usage log report

34 Application Logs Transaction logging

35 Seat Status Changes (aka Seat History)
Application Logs Seat Status Changes (aka Seat History)

36 Additional Internal Controls
Procedural controls to increase accountability User logins (aix, UniVerse, Pac7) – generic? Daily balancing to system records Complementary ticket procedures and oversight Monitor ticket returns and credit card refunds Tickets/barcodes voided after an event Disabling system access when someone leaves organization

37 Paciolan Password Policy
Paciolan New User and Password Policy New users only added to system upon confirmation with authorized personnel approval Requested password changes for existing users will be ed to confirmed contact address obtained from Paciolan CRM system

38 Thank you! Questions?

Download ppt "Staying PCI Compliant Good morning. Welcome to “staying PCI compliant."

Similar presentations

Ads by Google