Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISACA VA Chapter Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies 804-539-9154.

Published byShelby Dye Modified over 9 years ago

Similar presentations

Presentation on theme: "ISACA VA Chapter Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies 804-539-9154."— Presentation transcript:

1 ISACA VA Chapter Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies bryan@syrinxtech.com www.syrinxtech.com 804-539-9154

2 ISACA VA Chapter  Speaker Introduction  What is PCI  How Compliant Are We  What Happened to Target  The Aftermath  Lessons Learned  Summary 5/1/2014Is PCI Broken?2 Agenda

3 ISACA VA Chapter  B.S., M.S. – VCU  Former Adjunct Faculty Member @ VCU  CISSP, former Cisco CCIE  VA SCAN, ISSA, ISACA,VCU FTEMS speaker  Published author with 30 years in the industry  Founded Syrinx Technologies in 2007 5/1/2014Is PCI Broken?3 Speaker Introduction

4 ISACA VA Chapter 5/1/2014Is PCI Broken?4 Does anybody ever feel like this? (Does anybody other than me even remember this movie?)

5 ISACA VA Chapter 5/1/2014Is PCI Broken?5 What Is PCI

6 ISACA VA Chapter  The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e- purse, ATM, and POS cards.  Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.  Source: Wikipedia 5/1/2014Is PCI Broken?6 Definition

7 ISACA VA Chapter If you transmit, store or process credit card data you are responsible to protect it. So….what exactly is “credit card data”? 5/1/2014Is PCI Broken?7 OK, one more time in plain English

8 ISACA VA Chapter  What you can store  Primary Account Number (obfuscated)  Cardholder Name  Expiration Date  What you must NEVER store  Magnetic stripe data  CVV  PIN 5/1/2014Is PCI Broken?8

9 ISACA VA Chapter  12 Requirements summarized by 6 control objectives  Build and Maintain a Secure Network and Systems  Protect Cardholder Data  Maintain a Vulnerability Management Program  Implement Strong Access Control Measures  Regularly Monitor and Test Networks  Maintain an Information Security Policy 5/1/2014Is PCI Broken?9 What It Is

10 ISACA VA Chapter  Began life as the “VISA Digital Dozen”  Current version is 3.0, released November 2013  Sponsored by  American Express  VISA  MasterCard  Discover  Japan Credit Bureau (JCB) 5/1/2014Is PCI Broken?10 What It Is

11 ISACA VA Chapter  A legal compliance obligation like HIPAA, GLBA, Sarbanes- Oxley  A guarantee that you won’t  Have a data breach  Suffer financial or reputational damages  Be the featured guest in the newspapers and magazines  Remember SECURE <> COMPLIANT 5/1/2014Is PCI Broken?11 What It Isn’t

12 ISACA VA Chapter 5/1/2014Is PCI Broken?12 Source: Rapid7

13 ISACA VA Chapter 5/1/2014Is PCI Broken?13 How Compliant Are We

14 ISACA VA Chapter 5/1/2014Is PCI Broken?14 Source: VERIZON 2014 PCI COMPLIANCE REPORT

15 ISACA VA Chapter 5/1/2014Is PCI Broken?15 Source: VERIZON 2014 PCI COMPLIANCE REPORT

16 ISACA VA Chapter 5/1/2014Is PCI Broken?16 Source: VERIZON 2014 PCI COMPLIANCE REPORT

17 ISACA VA Chapter 5/1/2014Is PCI Broken?17 Source: VERIZON 2014 PCI COMPLIANCE REPORT

18 ISACA VA Chapter 5/1/2014Is PCI Broken?18 What Happened to Target

19 ISACA VA Chapter  Attack began with phishing email attack on HVAC vendor  Attack began around 2 months before the actual breach  Malware from phishing allowed attackers to gain Target network credentials  Vendor claimed “…our IT system and security measures are in full compliance with industry practices.”  Vendor allegedly used free version of malware software 5/1/2014Is PCI Broken?19

20 ISACA VA Chapter  Using credentials obtained from HVAC, attackers expanded to internal Target networks  Unclear whether or not 2-factor authentication required by PCI was employed by HVAC vendor  Initial compromise between Nov. 27 – Dec. 15  Target announced breach December 19 5/1/2014Is PCI Broken?20

21 ISACA VA Chapter  What about warning signs?  Target allegedly warned two months before breach by internal security employees that its systems were not sufficiently secure (ignored?)  At the time Target was updating POS software  FireEye installed six months earlier  Security monitoring performed by a team in Bangalore  Reported findings November 30 (apparently ignored)  Malware updated December 2 5/1/2014Is PCI Broken?21

22 ISACA VA Chapter 5/1/2014Is PCI Broken?22

23 ISACA VA Chapter 5/1/2014Is PCI Broken?23 Supplier Portal Home Page – no credentials required

24 ISACA VA Chapter 5/1/2014Is PCI Broken?24 Facilities Management Home Page – no credentials required

25 ISACA VA Chapter 5/1/2014Is PCI Broken?25 Supplier Download Page – no credentials required

26 ISACA VA Chapter 5/1/2014Is PCI Broken?26 Metadata Obtained from Files Harvested from Downloads Page

27 ISACA VA Chapter 5/1/2014Is PCI Broken?27

28 ISACA VA Chapter 5/1/2014Is PCI Broken?28 The Aftermath

29 ISACA VA Chapter  January in-store and online traffic drops from 43% to 33% of US households  Target spent $61 million during Q4 related to breach  Estimated 5-10% will never shop there again  March 5 – Target replaces CIO and hires two additional positions  Chief Security Officer  Chief Compliance Officer 5/1/2014Is PCI Broken?29

30 ISACA VA Chapter  Lawsuits (at least 53) filed by multiple banks, including several in Target’s home state  Target’s PCI auditing firm Trustwave Holdings also named in lawsuits  Estimated losses could reach $18 billion  Estimated 110 million cardholders affected 5/1/2014Is PCI Broken?30

31 ISACA VA Chapter  Security engineer who first broke the story could soon be the subject of a Hollywood movie  Target accelerating plan to offer upgraded credit cards with chip technology  Current goal to release updated REDcards in early 2015 5/1/2014Is PCI Broken?31

32 ISACA VA Chapter 5/1/2014Is PCI Broken?32 Lessons Learned

33 ISACA VA Chapter  Four Questions the CIO Must Answer  Do we have an ISO/CISO providing direction?  Do we have an incident response plan?  Which alerts can we safely ignore?  What are we overlooking as insignificant? 5/1/2014Is PCI Broken?33

34 ISACA VA Chapter  Steps Every Organization Can Take 1. Accept that you have a problem. 2. Diagram credit card data flows in, through and out. 3. Ensure you have a tested incident response plan. 4. Clean up the “low hanging fruit”. 5. Invest in and maintain quality monitoring systems. 6. Review contracts with vendors, partners, clients, etc. 7. Create build lists for all systems to ensure consistency. 8. Limit the systems in PCI scope. 9. Build security audits into every project. 10. Provide feedback to all departments on progress. 5/1/2014Is PCI Broken?34

35 ISACA VA Chapter 5/1/2014Is PCI Broken?35 Summary

36 ISACA VA Chapter  PCI compliance (and security in general) should not be ignored or seen as just another business expense.  Start building monitoring systems and trust them when they report incidents.  Continue practicing due diligence. Security is a never ending issue. 5/1/2014Is PCI Broken?36

37 ISACA VA Chapter 5/1/2014Is PCI Broken?37 Q&A

Download ppt "ISACA VA Chapter Is PCI Broken? Presented By: Bryan Miller Syrinx Technologies 804-539-9154."

Similar presentations

Weighing the Risks and Benefits of Online Financial Transactions

Weighing the Risks and Benefits of Online Financial Transactions
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
This refresher course will:

This refresher course will:
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.

© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Similar presentations

Ads by Google