Presentation on theme: "#PACnet15. Presenters Erik Janis » VP, Technical Services Govind Shankar » Director, Systems Operations and Security Gene Welch » Manager, Customer."— Presentation transcript:
Presenters Erik Janis » VP, Technical Services Govind Shankar » Director, Systems Operations and Security Gene Welch » Manager, Customer Services
#PACnet15 Agenda: » PCI DSS Update ▫Operational impact of new PCI-DSS 3.0 requirements » Card Data Security Update » Compliance and Security Concepts » Paciolan Application Compliance and Security » Q/A * Disclaimer – Presenters are not Visa certified QSAs Discussion Points
#PACnet15 Compliance is NOT Security » Compliance is mandatory so you can process credit cards » Security keeps you out of the news ▫Target Stores ▫Sony Pictures ▫Anthem Blue Cross » Controls are important ▫Most breaches happen from the INSIDE! Awareness is the first step in becoming secure…. Theme of The Day
#PACnet15 PCI-DSS 2.0 » 2.0 was valid and accepted by Visa until 12/31/14 » Paciolan processed under 2.0 for this year ▫Too much ambiguity amongst QSAs for how to evaluate 3.0 PCI DSS Update
#PACnet15 PCI DSS 3.0 is mandatory from 12/31/14 onward » Provide stronger focus on some of the greater risk areas in the threat environment » Strong focus on POS device security! » Provide increased clarity on PCI DSS & PA-DSS requirements » Help manage evolving risks / threats » Align with changes in industry best practices » Clarify scoping and reporting Standards will evolve slowly » New items and clarifications will be introduced periodically » ‘Guidance’ or ‘Best Practices’ 6 PCI DSS Update
#PACnet15 There are two major changes in DSS 3.0 that affects Paciolan that will trickle down to you…. PCI DSS 3.0 Changes
#PACnet15 Section Inspection/tamper detection of payment devices Create control environment to detect and react to tampering » Regular testing » Reporting results Provide training of personnel and maintain appropriate documentation PCI DSS 3.0 Changes
#PACnet15 Section 12.8, Definition of PCI control responsibilities between Service Provider and Customer » Define and document who has responsibilities for securing what ▫ Client vs. Paciolan » Customer equipment - Paciolan can’t reasonably secure (PCs, Kiosks, swipers, network devices, etc.) » Paciolan equipment - Pac will need to setup more standardized controls around VPN units, Pac-VT devices. » Amendment of agreements and contracts with said language – Paciolan PCI DSS 3.0 Changes
#PACnet15 Summary: » Clarification and documentation of policies, procedures, and definition of responsibilities ▫Legal / contract requirements » Inventories and documentation of in-scope equipment PCI DSS 3.0 Changes
#PACnet15 EMV / ‘Chip and Signature’ » What we know: ▫Liability shift to banks and merchants in October, 2015 ▫Visa is supporting ‘Chip and Signature’, not ‘Chip and Pin’ ▫EMV efforts will be advanced on a per processor basis – You hold the merchant relationship with bank/processor ▫Paciolan is researching CyberSource compatible hardware and awaiting the release of APIs to scope development effort ▫Card reader hardware will cost between $250 and $750 per unit. Higher price point units will give more than just basic EMV capability – Future encryption options – Contactless payment option: Google Wallet, Apple Pay, others? Card Data Security Update
#PACnet15 Card Security Road Map » Payment Processing Enhancements for eVenue (7.2) ▫Utilizes same modernized payment architecture as Pac 7.x » Tokenization ▫Based on VISA and CyberSource Offerings ▫Pac 8 » PII Data Field Encryption / De-Identification ▫Pac 8 Card Data Security Update
#PACnet15 » Govind Shankar Director, Systems Operations and Security
#PACnet15 Keep momentum going…. Mitigate extra costs.. Best allocate resources.. Evolving PCI climate… 15 You are PCI Compliant.. Now what?
#PACnet15 Drive security-conscious behavior Make informed risk-based decisions Cultural change and employee awareness Compliance and Business PCI as brand protection 16 Engage the Business…..
#PACnet15 17 Closing the Gap between Compliance and Security Adhering to industry regulations is not sufficient Ever increasing number and sophistication of attacks.. Segmentation and strategies for moving from compliance to security The future of PCI standards
#PACnet15 18 Case Study: Target Impact According to NY Times, Credit and debit card information for 40 million of Target’s customers had been compromised. An additional trove of personal information from some 70 million people had been exposed as well. Situation Target shoppers got an unwelcome holiday surprise in December 2013 when the news came out 40 million Target credit cards had been stolen by accessing data on point of sale (POS) systems. The breach transpired between November 27 and December 15th Over 11 GB of data was stolen. Target missed internal alerts and found out about the breach when they were contacted by the Department of Justice. A series of steps were taken by the adversaries to obtain access to the credit card data and retrieve it from Target’s systems. A break down in detection further increased data loss. Contributing Factors. “Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit” so the attacker knew to look for these pivot points. The number of POS machines that were compromised in a short amount of time indicates that the software was likely distributed to them via an automated update process. Data was moved to drop locations on hacked servers all over the world via FTP Monitoring software alerted staff,but no action was taken. “Target was certified as meeting the standard for the payment card industry (PCI) in September Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology” – former Target Chairman, President and CEO Gregg Steinhafel
#PACnet15 19 Case Study: Impact 350,000 customer cards were exposed; Approximately 9,200 of those were fraudulently used. The data breach caused the retailer $4.1 million in legal fees, investigations, customer communications and credit monitoring services. Situation Hackers broke into Neiman Marcus’ store four months prior to stealing card data in July 2013, using memory-scrapping malware. Fraudulent card usage was subsequently detected in December The hackers exploited a vulnerable server to circumvent the POS systems and reloaded their software on multiple registers after it was deleted at the end of each day. To masquerade their activities in the protection logs the hackers gave the malware a name nearly identical to the company’s payment software. Contributing Factors The systems ability to automatically block the suspicious activity it flagged was turned off. Network Segmentation was not implemented The 60,000 alerts set off by the malware were interpreted as false positives associated with the legitimate software. “During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware,” the company wrote. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.”
#PACnet15 20 Security Program Maturity Measurement Who has access? Awareness and training programs? What data is most important to my organization (PII, PCI, IP, trade secrets)? Clearly defined data classification? Have tools and techniques in place to protect sensitive information? Technical controls in place
#PACnet15 » Never reply back to an to "unsubscribe“ from unknown sources. » Watch out for Shoulder surfers.. » Passwords should be used by only one person » Read Error Messages and checkboxes.. » Dumpster Diving.. » Limit Social Engineering.. » Phishing.. » Café session hijacks.. 21 General Security Best Practices..
#PACnet15 Compliance and security External threat vs. internal threat External controls and internal controls Application level access controls Application logs Procedural controls to increase accountability Staying PCI Compliant
#PACnet15 Compliance and Security » Building codes » Highway safety laws 24 Compliance and Security
#PACnet15 External threats vs. internal threats » High profile breaches - risk of compromised data » Embezzlement » Theft of inventory » Misappropriation of assets 25 External and Internal Threats
#PACnet15 External - The system’s ability to resist unauthorized attempts at access while allowing legitimate users to access data Internal - Once determining to allow legitimate users, your internal controls come into play 26 External Controls and Internal Controls
#PACnet15 27 Internal Controls and Fraud Detection
#PACnet15 Selling Control 30 Application Controls
#PACnet15 Pac7 Selling Control 31 Application Controls
#PACnet15 Application logging » System process log » Transactions record operator, date and time » Transaction source and selling control » Seat status changes by operator, date and time 32 Application Logs
#PACnet15 Procedural controls to increase accountability » User logins (aix, UniVerse, Pac7) – generic? » Daily balancing to system records » Complementary ticket procedures and oversight » Monitor ticket returns and credit card refunds » Tickets/barcodes voided after an event » Disabling system access when someone leaves organization 36 Additional Internal Controls
#PACnet15 New users only added to system upon confirmation with authorized personnel approval Requested password changes for existing users will be ed to confirmed contact address obtained from Paciolan CRM system Paciolan New User and Password Policy 37 Paciolan Password Policy
#PACnet15 Please complete either the session evaluation form on your chair or online at Questions?