PCI Challenges


Description: Trends and market status in Israel

Transcript of PCI Challenges

Page 1: PCI Challenges


Shahar Maor’s work Copyright 2010 @STKI Do not remove source or attribution from any graphic or portion of graphic 1

Diagram of a typical merchant environment, each component labelled with the PCI DSS requirements that apply to it:

Network / DSL Router
POS Server
POS Terminals
PIN Pads
Policies
3rd Party Scan Vendor
Requirement 1 through Requirement 12 (labels placed on the diagram)

PCI-DSS: Israeli Market and Challenges

Shahar Geiger Maor
CISSP, Senior Analyst, STKI
www.shaharmaor.blogspot.com

Page 2: PCI Challenges


Presentation’s Agenda

A short review of the Israeli market

The Idea behind PCI DSS

PCI trends and challenges

Page 3: PCI Challenges


Information Security: Israeli Market Size (M$)

Segment             2009   change    2010   change    2011   change    2012
Security Software   85.0   23.53%   105.0    4.76%   110.0    9.09%   120.0
GRC & BCP           50.0   50.00%    75.0    9.33%    82.0    9.76%    90.0
Security VAS        85.0   11.76%    95.0    8.42%   103.0    6.80%   110.0
Totals             220.0   25.00%   275.0    7.27%   295.0    8.47%   320.0

Page 4: PCI Challenges


What’s on the CISO’s Agenda?

(STKI Index 2009)

NAC 18%
Access/Authentication 15%
EPS/mobile 15%
DLP 10%
DB/DC SEC 10%
Market/Trends 10%
Encryption 9%
Miscellaneous 5%
SIEM/SOC 5%
Sec Tools 5%

Page 5: PCI Challenges


What’s on the PCI DSS Agenda? Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Page 6: PCI Challenges


What’s on the CISO’s Agenda? (STKI Index 2009)

The page-4 chart again, with the CISO agenda items annotated by the PCI DSS control objective each one maps to:

Implement Strong Access Control Measures
Protect Cardholder Data
Protect Cardholder Data
Maintain a Vulnerability Management Program
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Build and Maintain a Secure Network

Page 7: PCI Challenges


What’s on the CISO’s Agenda? (STKI Index 2009)

The page-4 chart again, this time highlighting only the items that fall under one control objective:

Protect Cardholder Data

Page 8: PCI Challenges


Presentation’s Agenda

A short review of the Israeli market

The Idea behind PCI DSS

PCI trends and challenges

Page 9: PCI Challenges


What is the Incentive?

Source: http://datalossdb.org/statistics?timeframe=all_time

Page 10: PCI Challenges


What is the Incentive?

Source: http://datalossdb.org/statistics?timeframe=all_time (2000-2010)

• Data loss incidents: 2,754
• Credit-card related data loss incidents: 396 (35%)
• How? Hack (48%)
• CCNs compromised: 297,704,392
• CCNs per incident: 751,779
• Actual $$$ loss… ?

Page 11: PCI Challenges


Data Loss Analysis – Answering the “How?” Question

Bar chart (x axis: share of incidents, 0% to 60%) comparing the breach vector for all incidents (“General”) against credit-card incidents (“CCN”). Categories: Virus, Email, Disposal_Document, Unknown, Web, Lost\Stolen X, Fraud, Hack.

Source: http://datalossdb.org/statistics?timeframe=all_time (2000-2010)

Page 12: PCI Challenges


Who’s Who

PCI Council (through the PCI DSS):

• Outlined the MINIMUM data security protection measures for payment card data
• Defined merchant and service provider levels and compliance validation requirements

Card brands (the PCI regime):

• Initiated PCI DSS
• Will enforce PCI

Page 13: PCI Challenges


Who’s Who

merchants and service providers

Page 14: PCI Challenges


PCI DSS

PCI = Payment Card Industry
DSS = Data Security Standard

Page 15: PCI Challenges


PCI DSS (in other words…)

PCI

DSS

Page 16: PCI Challenges


Presentation’s Agenda

A short review of the Israeli market

The Idea behind PCI DSS

PCI trends and challenges

Page 17: PCI Challenges


Israeli PCI: Market Status (May 2010)

Chart placing each sector on a PCI maturity scale. Maturity stages (from least to most advanced):

PCI “Newborns”
Gap Analysis
PCI work plan (Prioritized Approach?)
1-4 Milestones
4+ Milestones
PCI Compliance

Sectors plotted: Financial Sector, Telco\Services Sector, Retail\Wholesale\Manufacturing Sector, Healthcare Sector.

Page 18: PCI Challenges


PCI Challenges: Requirement No 3

The control objectives / PCI DSS requirements table from page 5, with requirement 3 (Protect stored cardholder data, under Protect Cardholder Data) highlighted.


Page 20: PCI Challenges


PCI Challenges: Requirement No 3

R 3.3:

• Masking – mask the PAN (Primary Account Number) when displayed (the first six and last four digits are the maximum number of digits to be displayed).

R 3.4:

• Index token – a cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
• One-way hashes based on strong cryptography.
• Truncation – only a portion (not to exceed the first six and last four digits) of the PAN is stored.
• Strong cryptography with associated key management processes.
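The following is an added example, not code from the presentation or from STKI, showing what the R 3.3 and R 3.4 options above look like when implemented: display masking limited to the first six and last four digits, truncation that keeps only those digits for storage, a keyed one-way hash, and an index-token vault that hands out an unpredictable surrogate for the PAN. The sample PAN, the vault key and all function names are constructed for the demonstration; the Luhn check is the standard card-number checksum and is included only to reject input that is not PAN-shaped.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: the well-known Visa test number (Luhn-valid). Not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that a string is PAN-shaped before it is
    masked, truncated or tokenized (also the usual first filter in a DLP scanner)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """R 3.3 masking for display: never reveal more than the first six and last four digits."""
    if first > 6 or last > 4:
        raise ValueError("R 3.3 allows at most the first six and last four digits")
    if len(pan) <= first + last:
        raise ValueError("PAN too short to mask")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[-last:]


def truncate_pan(pan: str) -> dict:
    """R 3.4 truncation for storage: keep only the BIN (first six) and last four; the
    middle digits are discarded, so the full PAN cannot be rebuilt from what is stored."""
    return {"bin": pan[:6], "last4": pan[-4:]}


def hash_pan(pan: str, key: bytes) -> str:
    """R 3.4 one-way hash. A keyed HMAC is used rather than a bare SHA-256 because the
    PAN space is small (known BIN plus Luhn), so an unkeyed hash of a PAN can be
    enumerated; the key must be managed like any other cardholder-data key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """R 3.4 index token: an unpredictable surrogate stands in for the PAN outside the
    vault; only the vault (which sits inside the cardholder data environment) can map
    the token back. The same PAN always yields the same token, so systems can still
    match transactions without ever seeing the PAN."""

    def __init__(self, key: bytes):
        self._key = key                      # used only to index PANs, never stored with them
        self._by_index: dict[str, str] = {}  # hash_pan(pan) -> token
        self._by_token: dict[str, str] = {}  # token -> PAN (the sensitive side of the vault)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a PAN")
        index = hash_pan(pan, self._key)
        if index in self._by_index:
            return self._by_index[index]
        # Random value, with the last four digits kept so the token is still usable for display.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._by_index[index] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with a business need-to-know (R 7) should reach this path."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key")  # constructed; use a managed key in practice
    token = vault.tokenize(SAMPLE_PAN)
    print("display :", mask_pan(SAMPLE_PAN))
    print("stored  :", truncate_pan(SAMPLE_PAN))
    print("hash    :", hash_pan(SAMPLE_PAN, b"constructed-demo-key")[:16], "...")
    print("token   :", token, "->", mask_pan(vault.detokenize(token)))
```

The design point worth noting is that none of the four options removes the need for key management: the HMAC key and the vault's token-to-PAN mapping are themselves cardholder data assets and must live inside the cardholder data environment, which is where the "index token is cheaper" question on a later slide comes from.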

Page 21: PCI Challenges


PCI Challenges:

The “New trend Syndrome”

Page 22: PCI Challenges


PCI Challenges: End-User Experience

System heterogeneity – sensitive data is scattered around in all sorts of formats

Mainframe and other legacy systems – how is it possible to protect sensitive data without changing the source code?

What happened to risk management??? (PCI vs. SOX)

Page 23: PCI Challenges


PCI Challenges: End-User Experience 2

“My DB does not support PCI” – the “upgrade vs. pay the fine” dilemma

“Index token is cheaper than other alternatives” – true or false?

Inadequate knowledge of the QSAs?

Who audits the auditors? (should be answered by the PCI Council)

Page 24: PCI Challenges


PCI Challenges – The PCI paradox

PCI compliance → 1 security patch is missing → a data loss incident occurs… → an investigation starts → remember that security patch?

Page 25: PCI Challenges


Conclusions and Opportunities

Need a house cleaning? PCI can help

PCI is basic security. Almost nothing new here…

Think “security & risk” instead of “compliance & audit”

PCI (and other regulations) are the “floor”, not the “ceiling”, of security measures

Stop waiting! Act now (…but not before 11.7.2010)

Page 26: PCI Challenges

Thank you! shahar@stki.info