
Brian Cloud, August 06, 2009. Overall Digital Security: presentation transcript




1 Brian Cloud August 06, 2009

2 Overall Digital Security
- What is Digital Security
- Murphy’s Law
  - Since 2005, over 263M records breached (privacyreports.com)
    - Hacking, Internal Flaws, Stolen Equipment
- Marketing is Profitability, Profiles are Productivity

3 Security Concerns
- Databases
- Communications and Transmissions
- Media
- Access Levels
- Traveler Issues and Awareness
- Types of Issues:
  - Data Breach
  - Intellectual Property Theft
  - DoS Attacks
  - Internal Issues and Employee Mindset

4 PCI Compliance Overview
- What is it? The Payment Card Industry (PCI) Data Security Standard (DSS) defines what cardholder data can be stored and how it may be processed and managed to keep it secure.
- Who must comply?
  - All members, merchants, and service providers that store, process, OR transmit cardholder data.
  - All system components, which are defined as any network component, server, or application that is included in or connected to the cardholder data environment.
- PCI Security Standards Council
  - Develops and manages the PCI Data Security Standard.
  - Establishes and maintains industry-level approval processes for Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV).
  - Publishes and distributes the PCI Data Security Standard.
  - Provides an open forum for all key stakeholders.

5 Cardholder Data
- Any personally identifiable information associated with the cardholder that is stored, processed, or transmitted: account number, expiration date, name, address, social security number, etc.
- It is never acceptable to retain magnetic stripe data after transaction authorization. However, the following individual data elements may be retained after authorization:
  - Cardholder Account Number
  - Cardholder Name
  - Card Expiration Date
- PCI DSS still applies even if cardholder data is not stored.

6 Compliance Review
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Protect stored data.
  - Encrypt transmission of cardholder data and sensitive information across public networks.
- Maintain a Vulnerability Management Program
  - Use and regularly update antivirus software.
  - Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security.

7 Getting Compliant
- Compliance classification (Levels I-IV) is determined by the number of transactions in the merchant account.
- Point of Sale (POS) environment
  - Merchant location (e.g. travel agency, retail store, restaurant, hotel property, gas station, supermarket, or other point of sale location).
  - An Internet Protocol (IP)-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or on systems communicating via TCP/IP.
- Compensating controls for encryption of stored data
  - Complex network segmentation.
  - Internal firewalls that specifically protect the database.
  - TCP wrappers or a firewall on the database to specifically limit who can connect to the database.
  - Separation of the corporate internal network on a different network segment from production, with additional firewall separation from database servers.

8 PCI Compliance Level Definitions

Compliance Validation Level   | Annual On-site Assessment | Quarterly Perimeter Scan | Self-Assessment Questionnaire
Level 1: > 6M Transactions    | Required                  | Required                 | N/A
Level 2: 1M-6M Transactions   | N/A                       | Required                 | Required
Level 3: 20K-6M Transactions  | N/A                       | Required                 | Required
Level 4: < 20K Transactions   | N/A                       | Determined by Acquirer   | Determined by Acquirer

** Anyone suffering a breach may be escalated to a higher level.

9 Participating Card Associations
- PCI Compliance
- Cardholder Information Security Program (CISP)
- Site Data Protection (SDP)

10 Penalties and Fees
- When do I get penalized?
  - Not meeting PCI compliance by the specified date.
  - Cardholder data compromise when not PCI compliant.
- What are the fines associated?
  - Dependent on the card brand and acquiring bank.
  - Non-compliance (Visa example): $5,000 to $25,000 a month for each of its Level 1 and 2 merchants (CVV2 can be worse).
  - Cardholder breach (Visa example): fines up to $500,000 per incident for any merchant or service provider that is compromised and not compliant at the time of the incident. Safe harbor if PCI compliant.
  - Restrictions imposed on noncompliant merchants.
  - All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
  - Cost of re-issuing cards associated with the compromise.
  - Cost of any additional fraud prevention/detection activities required by the card associations (e.g. a forensic audit) or costs incurred by credit card issuers associated with the compromise (e.g. additional monitoring of systems for fraudulent activity).
  - Possible revocation of merchant status.
  - Loss of business integrity with customers.

11 Credit Card Breaches
- The cost of non-compliance
  - 20% of individuals who received a data breach notification during 2005 terminated their relationship with that company.
  - Stock price: a 2004 study found that companies that suffered data breaches lost an average of just over 5% of their market valuation.
  - Breach recovery: average cost to recover from a data breach is $14 million ($140 per customer record). Average loss was 2.6% of all customers.
- Examples of breaches
  - TJ Maxx: at least 45.7 million credit/debit cards of shoppers stolen. Largest ever.
  - BJ’s Wholesale: booked a $16 million reserve to cover all costs related to the breach.
  - DSW Shoe Warehouse: booked a $6.5 million reserve to cover breach costs.
  - ChoicePoint: $15 million fine.

12 Common Security Holes
- Databases: database activity monitoring; set access levels.
- PCs: antivirus, antispyware, patches and updates.
- Laptops: disk encryption, VPN usage, selective access to files, secured wireless (no WEP as of 3/31/10).
- Media: flash drives, CDs.
- Networks: firewalls, user security, DMZs.
- Vendors: verify! SaaS is usually better; online tools.
- Employee controls: workplace mentality, signed agreements, limited accounts, restrictive web and IM access, enforce good passwords.
- DR and BCP: make certain security is #1 and that data recovery is secure.
- Traveler issues: lock machines, limit usage of private data, use firewalls, secure passports.

13 Common Failure Points
- Data encryption
  - While at rest and during transit.
  - Proper encryption key management.
- Network monitoring and logging
  - Inability to recreate a user’s activity (who did what, when, where, and how).
  - Lack of real-time monitoring of network events (e.g., IDS and firewall).
- Network segmentation
  - Customer networks are typically flat.
  - Systems serve multiple purposes.
- Data archival and disposal
  - Backup tapes not secured or encrypted.
  - Hard copies not secured or not disposed of properly.
- Web application security
  - Lack of a software development life cycle.
  - Poor QA process and testing.

14 Steps You Should Be Taking
- Get a security assessor.
- Re-assess until compliant.
- Self-audit (PCI Data Security Standards Compliance Questionnaire): https://www.pcisecuritystandards.org/saq/index.shtml
- Perform a system perimeter scan.
- Inform employees; change environments and mindsets.
- Key questions
  - Is it only applicable to e-commerce merchants?
  - How do merchants determine the cost of compliance validation?
  - What if a merchant has outsourced the storage, processing, or transmission of cardholder data to a service provider?
  - Do merchants need to include their service providers in the scope of their PCI Data Security Standards review?

15 Path to Compliance
- Determine the locations of the cardholder data.
- Reduce scope by eliminating or segmenting the cardholder data.
- Baseline your environment against the PCI DSS to identify gaps (online tools are available for vulnerability reports).
- For all gaps, determine recommendations with associated effort (don’t overlook “gotchas” such as logging track data on a Point of Sale system). (Online remediation reports.)
- Develop a prioritized plan to address gaps.
- Execute (…but with management support).
- Continue to scan.
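Slide 5 states that magnetic stripe (track) data must never be retained after authorization, and slide 15 flags a POS system logging track data as a classic gotcha. The script below is an added example, not part of the presentation or of any POS vendor's product: it scans POS log lines for Track 1 and Track 2 data and for CVV2-style key/value pairs and redacts them outright, and masks Luhn-valid card numbers down to their last four digits (a masking choice assumed here; it keeps fewer digits than the first-six/last-four maximum PCI DSS permits for display). The log format, field names and card numbers are constructed for illustration; 4111..., 5500... and 3782... are standard test numbers, not real accounts. The per-line counts it returns are what a defender would feed to monitoring, since any non-zero count means a component is writing card data to disk.

```python
"""Redact cardholder data from POS log lines before the logs are retained.

Added example (not from the presentation). Log format, field names and
card numbers below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<expiry><service code><discretionary>?
TRACK1_RE = re.compile(r"%[A-Z]\d{13,19}\^[^^?]{2,26}\^[^?]*\?")
# Track 2: ;<PAN>=<expiry><service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=[^?]*\?")
# Card verification values logged as key/value pairs (cvv2=123, CVC2: 9876, cid=1234).
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}", re.IGNORECASE)
# Candidate PAN: 13-19 digits, optionally grouped with single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

TRACK_PLACEHOLDER = "[TRACK DATA REDACTED]"


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits (assumption: stricter than the
    first-six/last-four display maximum PCI DSS allows)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, Dict[str, int]]:
    """Return the scrubbed line plus counts of what was found in it."""
    findings = {"track": 0, "cvv": 0, "pan": 0}

    def redact_track(_m: re.Match) -> str:
        findings["track"] += 1
        return TRACK_PLACEHOLDER

    def redact_cvv(m: re.Match) -> str:
        findings["cvv"] += 1
        return f"{m.group(1)}=[REDACTED]"

    def mask_match(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave it alone
        findings["pan"] += 1
        return mask_pan(digits)

    # Full track data goes first: it must never be retained at all, and it
    # embeds the PAN, so masking alone would leave expiry/service code behind.
    line = TRACK1_RE.sub(redact_track, line)
    line = TRACK2_RE.sub(redact_track, line)
    line = CVV_RE.sub(redact_cvv, line)
    line = PAN_RE.sub(mask_match, line)
    return line, findings


def scrub_log(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Scrub every line and total the findings for monitoring/alerting."""
    totals = {"track": 0, "cvv": 0, "pan": 0}
    out = []
    for line in lines:
        scrubbed, found = scrub_line(line)
        out.append(scrubbed)
        for key, count in found.items():
            totals[key] += count
    return out, totals


# Constructed sample POS log (not real data; 4111... and 5500... are test numbers).
SAMPLE_LOG = [
    "2009-08-06 10:01:12 POS-07 swipe raw=%B4111111111111111^DOE/JANE^1012101000000000000?",
    "2009-08-06 10:01:13 POS-07 track2=;4111111111111111=10121010000012345678?",
    "2009-08-06 10:01:14 POS-07 auth ok pan=4111-1111-1111-1111 exp=1012 amount=42.17",
    "2009-08-06 10:01:15 POS-07 manual entry pan=5500000000000004 cvv2=123 amount=9.99",
    "2009-08-06 10:02:00 POS-07 order id 1234567890123 shipped",
]

if __name__ == "__main__":
    scrubbed_lines, finding_totals = scrub_log(SAMPLE_LOG)
    for entry in scrubbed_lines:
        print(entry)
    print("findings:", finding_totals)
```

Run as a filter on a log stream, the order matters: track data is removed before PAN masking so the expiry and service code riding along in the track are not left behind, and the Luhn check keeps the 13-digit order id on the last line intact rather than masking everything that looks like a number.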

