Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier,

Presentation transcript:

Protecting Your Credit Card Security Environment (PCI) September 26, 2012 Jacob Arthur, CPA, QSA, CEH Timothy Agee, CISA, CGEIT, QSA FDH Consulting Frasier, Dean & Howard, PLLC

Information Security Landscape
In addition to legislation, why are information security programs, such as PCI, necessary?
- What we have is not working

Security – In The News
- 9/26/12: New vulnerability in all modern versions of Java
- 9/18/2012: New vulnerability in Internet Explorer affecting versions 7, 8, and 9 on Windows XP, Windows Vista, Windows 7
- 8/28/2012: 1 million account usernames, passwords, and sensitive data leaked in an attack affecting banks and government agencies

Security – In The News
- Since January 2011: at least 12 Certification Authorities have been compromised
- Sony: started with a lawsuit on 1/11/2011; hacks began April 3, 2011; on September 16 it asked consumers to waive class-action lawsuit rights or give up access to the service
- RSA, Lockheed-Martin

Source: Trustwave Spiderlabs – Global Security Report 2011

Source: Verizon 2011 Data Breach Investigations Report

Study on Data Breaches
- Verizon conducts an annual study of data breaches
- The US Secret Service and the Dutch High Tech Crime Unit provided the results of their data breach efforts, which Verizon combined with its own results
- The study does not include cost analysis of data breaches, but rather high-level analysis of root cause and perpetrator

Source: Verizon 2011 Data Breach Investigations Report

How did we arrive here?
Individual card brands maintained their own security and compliance programs for merchants, processors, etc., including:
1. VISA Cardholder Information Security Program (CISP)
2. MasterCard Site Data Protection Program
3. American Express Data Security Operating Policy
4. Discover Information and Compliance
5. JCB Data Security Program

Payment Card Industry (PCI): Security Standards Council (SSC)
“The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements.”

PCI SSC – Why?
To help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise

PCI – Key players
- Merchant
- Acquiring Bank; Issuing Bank
- Card brand
- Service Providers
- Council

PCI – Key players
- QSA – Qualified Security Assessor
- ISA – Internal Security Assessor
- ASV – Approved Scanning Vendor
- SAQ – Self-Assessment Questionnaire
- ROC – Report on Compliance

PCI - Founding Global Card Brands
- American Express
- Discover Financial Services
- JCB International
- MasterCard Worldwide
- Visa Inc
All have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.

PCI Data Security Standard (DSS)
12 Requirements – 250 Testing Procedures
“PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data…”

Cardholder Data Environment (CDE)
The CDE is comprised of the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. The PCI DSS security requirements apply to all system components (any network component, server, or application) that are included in or connected to the cardholder data environment.

PCI Overview – Visa Merchant Levels
Tier  Visa, Inc.
1     Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
2     Merchants processing 1 million to 6 million Visa transactions annually (all channels)
3     Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
4     Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

PCI Overview – Merchant Validation
Level 1
  AMEX: Annual onsite assessment by QSA, or by internal auditor if signed by an officer of the merchant company; Quarterly network scan by ASV
  Discover/JCB: Annual onsite assessment by QSA or merchant’s internal auditor; Quarterly network scan by ASV
  MasterCard: Annual onsite assessment by QSA; Quarterly network scan by ASV
  Visa, Inc.: Annual onsite assessment by QSA; Quarterly network scans by ASV; Attestation of Compliance form
Level 2
  AMEX: EU only: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV
  Discover/JCB: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV
  MasterCard: Annual Self-Assessment Questionnaire*; Quarterly network scan by ASV
  Visa, Inc.: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV; Attestation of Compliance form

PCI Overview – Merchant Validation
Level 3
  AMEX: Quarterly network scan by ASV (recommended); EU only: SAQ (recommended)
  Discover/JCB*: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV
  MasterCard: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV
  Visa, Inc.: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV; Attestation of Compliance form
Level 4
  AMEX: N/A
  Discover/JCB*: Compliance validation requirements determined by acquirer
  MasterCard: Compliance validation is at the discretion of the acquirer
  Visa, Inc.: Annual Self-Assessment Questionnaire; Quarterly network scan by ASV; Attestation of Compliance form

PCI Overview – Visa Reporting
Tier  Visa, Inc.
1     At least twice a year, a statement of merchant compliance / non-compliance; Annual Attestation of Compliance form; Upon request, a copy of the ROC
2     Same as Level 1
3     At least twice a year, a statement of merchant compliance / non-compliance
4     Set by acquirer

PCI DSS v2.0 released October 28, 2010

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 1 Highlights
Install and maintain a firewall configuration to protect cardholder data
- Standard configurations
- Change control process
- Placement & configuration
  ▫ Minimum necessary
- 6-month review
- Mobile software firewalls

Requirement 2 Highlights
Do not use vendor-supplied defaults for system passwords and other security parameters
- Changing default passwords
- Configuration hardening standards
  ▫ Operating systems, databases, applications, etc.
- System configuration
  ▫ Minimum necessary

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 3 Highlights
Protect stored cardholder data
- Data retention and disposal policies
  ▫ Minimum necessary
- No track data storage
- No Card Verification Code (CVC) data storage
- Card Primary Account Number (PAN) masking
- PAN storage requirements / encryption
- Documentation

Requirement 4 Highlights
Encrypt transmission of cardholder data across open, public networks
- Transmission encryption
  ▫ The Internet
  ▫ Wireless technologies (WiFi)
  ▫ Mobile (cell) technologies
- Never send unencrypted cardholder data using end-user messaging technologies:
  ▫ e-mail, instant messaging, SMS (texting)

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

Requirement 5 Highlights
Use and regularly update anti-virus software or programs
- Deployed on all systems
  ▫ Commonly affected by malicious software
    - Yes – Windows
    - No – UNIX, Series i
- Must be current / latest signatures

Requirement 6 Highlights
Develop and maintain secure systems and applications
- Vendor-supplied patches
  ▫ Critical < 30 days
  ▫ Less critical within 2 to 3 months
- Establish a process to identify new vulnerabilities
- Custom development
  ▫ Change control process
  ▫ Secure coding / code review (OWASP Top 10)
  ▫ No production PANs used in testing

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Requirement 7 Highlights
Restrict access to cardholder data by business need-to-know
- Minimum necessary access to the Cardholder Data Environment (CDE)
- User provisioning process
  ▫ Based on job classification / function
- Default “deny all” configuration

Requirement 8 Highlights
Assign a unique ID to each person with computer access
- All users must have a “Unique ID” and password for access to the CDE
- Two-factor authentication for remote users
- Password / account management
- Policy communication

Requirement 9 Highlights
Restrict physical access to cardholder data
- Physical security monitoring (e.g. video cameras)
- Physical access to system components
- Physical access to network jacks
- Employee and visitor identification
- Visitor tracking
- Backup media security, storage, tracking, destruction, etc.

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Requirement 10 Highlights
Track and monitor all access to network resources and cardholder data
- Linking CDE access to the individual user
- Automated audit trails
  ▫ Actions taken
  ▫ Logical access / creation, changing, deletion
  ▫ Invalid logon attempts
- Audit log review
- Audit log retention
- Time synchronization

Requirement 11 Highlights
Regularly test security systems and processes
- Quarterly wireless access point testing
  ▫ Scanning / physical inspection / wireless IDS
- Quarterly vulnerability scans
  ▫ External – Approved Scanning Vendor (ASV)
  ▫ Internal – internal staff or ASV
- Annual penetration test (internal and external)
  ▫ Firewall and application
- Intrusion Detection System (IDS)
- File Integrity Monitoring

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

Requirement 12 Highlights
Maintain a policy that addresses information security for all personnel
- Must address all PCI requirements
- Reviewed annually
- Usage policies
- Responsibilities
- Security awareness program
- Employee screening
- Service provider policies
- Incident response plan

Reducing the Scope for PCI DSS
Why does this matter?
- Card storage, processing, and transmission
  ▫ Reduce the number of system and network components that are used to store, process, or transmit credit card data.
- Network segmentation
  ▫ Reduce the number of system and network components that connect to the CDE
  ▫ Flat network = everything is in scope!

What should IA (Internal Audit) do?
- Become familiar with the PCI requirements
- Actively participate in the organization’s PCI compliance program
- Where appropriate, own the PCI assessment process (SAQ, ROC)
- Utilize IA knowledge of risk and controls (and appropriate documentation) to help the organization build the PCI compliance program

What should IA do?
- Evaluate IA skill sets and identify any gaps
- Allocate training to address both knowledge of PCI compliance and key subject matter areas
- Participate in the PCI community – become a Participating Organization or join a Special Interest Group (wireless, encryption)

What should IA do?
- Consider PCI risks in our organization’s risk assessment process – both from a perspective of compliance vs. non-compliance and from an understanding of the significant threats
- Consider the strength and maturity of controls and the allocation of the organization’s resources which address the risks
- Evaluate the skills of the individuals that own the PCI controls

What should IA do?
- Understand where and how credit card data is collected, stored, processed and transmitted
- Ensure management fully explores opportunities to reduce the scope
- Understand the full path of credit card data from initial collection all the way to the acquiring bank, especially at third parties along this path
- Understand where credit card data is encrypted and where it isn’t (both stored and during transmission) at every step along the way

What should IA do?
- Determine if the organization understands all of the locations where credit card data is stored and how much credit card data is stored; determine if the amount of data is reasonable
- Familiarize yourself with tokenization
- Understand requirements related to wireless security, secure coding, network scanning and reporting (ASV), and penetration tests

What should IA do?
- Consider third-party/partner risk in your organization from a compliance standpoint as well as the risk of security incidents
  ▫ Credit card processors or other intermediaries
  ▫ Payment applications
  ▫ Web sites owned, managed or hosted by third parties which collect credit card data
- How do contracts with third parties address responsibilities to secure data and to handle incident response?

What should IA do?
- Consider the IA role in compliance testing
  ▫ Pre-assessment
  ▫ ISA role
  ▫ Integration of PCI testing with SOX, HIPAA or other compliance programs

PCI Skills
- Risk identification and assessment
- Internal control identification, design assessment (preventive/detective, mature/informal) and operating effectiveness; internal control development (monitoring controls, appropriate documentation, etc.)
- Compliance program development
  ▫ Ownership of controls
  ▫ Stakeholder identification and involvement
  ▫ Audit program development
  ▫ Workpaper documentation
  ▫ Remediation programs

PCI Skills
- Strong technical background including knowledge of:
  ▫ network architecture
  ▫ firewall configuration, network protocols, etc.
  ▫ wireless security
  ▫ IPS/IDS
- Encryption design and implementation
- Secure coding
- Application security architecture

Questions?
Jacob Arthur, CPA, QSA, CEH (Mobile)
Timothy Agee, CISA, CGEIT, QSA (Mobile)