PCI DSS - Security Assessment
1. Lightweight Intro
2. Dark Myths of PCI
3. Shades of Grey
Source: https://www.pcisecuritystandards.org/
“The Payment Card Industry Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.”
PCI = Payment Card Industry
PCI SSC = PCI Security Standards Council
PCI DSS = PCI Data Security Standard
PAN = Primary Account Number
QSA = Qualified Security Assessor
CHD = Cardholder Data
SAD = Sensitive Authentication Data
CVV2 / CAV2 / CVC2 / CID = the card verification code (Visa / JCB / MasterCard / Discover & AmEx); all of these are SAD
The Payment Card Industry Security Standards Council (PCI SSC)
representing the major credit card brands:
VISA
MasterCard
American Express
Discover
JCB
Ensures a consistent "standard of care" for protection of Cardholder Data (CHD)
Anyone who transmits, processes or stores CHD
This includes Debit Cards!
All merchants must comply
Some require onsite validation
Source: PCI-SSC website – Asia-Pac Participating Organisations
Two categories
Merchants (e.g. Supermarkets)
Service Providers (e.g. Payment Gateways)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business "need-to-know"
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
The standard is not perfect. There are some grey areas.
However, each requirement or control is based on one of two intents:
Prevention: Protect CHD from disclosure
Detection: Identify the events leading up to a data disclosure
Compliance isn't simply an expensive pile of technology
There is not a single product solution
Achieving and maintaining compliance is not just a technical issue: it relies heavily on people, policy and processes
UNFORTUNATELY NOT
The point is CHD is exposed by:
Theft of documents
Poor document disposal
Skimming / fake PoS terminals
Theft of computers: laptops, desktops and servers
Web site compromises
WiFi attacks
“Rogue” employees and careless “trusted” third parties
Configuration errors
Unencrypted data being stored
MYTH
PCI takes time, money and effort away from core security
Misguided priority on protecting IP and thwarting insiders
MYTH BUSTED
PCI is all about core security
Prioritise network control, anti-malware, logging etc.
This is a lament uttered by those with a weak security program
MYTH
Checklist Security ≠ Risk-based Security
Do the minimum to comply and send the QSA away
Evade the assessor
MYTH BUSTED
Protect the CHD
A successful security program cannot be reduced to a checklist
Checklists have their place in security
MYTH
Possible to follow the letter and not the intent of the Standard
Procure hardware and create documents
See PCI as a compliance point and not a starting point
MYTH BUSTED
Following the letter = a letter (email) notifying you of a breach
PCI = antithesis of "security theatre" (a semblance of security with no real risk reduction)
MYTH
Heartland breached despite being compliant
Heartland breached ∴ PCI ineffective
Security professionals believe following external guidance = 100% safety
MYTH BUSTED
We accept that patients may die after seeing a doctor. Medicine = faulty science?
Basic PCI compliance is not enough
Complexity is the enemy of payment systems and networks
SAQ A: Card-Not-Present with all functions outsourced (e-commerce or MO/TO) - 11 questions
SAQ B: Imprint only / individual dial-up terminals (no card data storage) - 21 questions
SAQ C: Payment applications connected to the Internet (no card data storage) - 38 questions
SAQ D: All other merchants, and all service providers defined by a payment brand as eligible - the full DSS!
PCI DSS is inherently onerous (if unprepared)
Merchants can define their own scope
Merchants are not required to attend PCI DSS merchant training
Merchants can (and do) answer the SAQ unaided
∴ Merchants can, and often do, find themselves inexplicably overestimating their level of compliance...
This will satisfy the Acquirers until a breach occurs...
Merchant:
Defined by Payment Brand
Levels 1-4*
Determined by Acquiring Bank (transaction volume)
Merchant must confirm with Acquirer
Service Provider:
Defined by Payment Brand
Levels 1-2*
May be determined by any party!
* VISA levels used as a guide
PCI applies to all network components, servers or applications in, or connected to, the CHD environment
The CHD environment is wherever cardholder data or sensitive authentication data is present
This is the point at which the drops……(mostly)
Remediate the entire environment
Segment the network
Outsource the handling of CHD
Cease to accept credit cards
To reduce the cost of compliance:
Reduce the SCOPE
The more places you store CHD, the more compliance will cost
Mask / truncate CHD
Accept but do not store data if not needed!
Question existing business processes
• Why is CHD being stored?
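Reducing scope starts with knowing where CHD actually sits, and the honest answer is usually "in more places than the business process says". As an added example (not part of the deck), here is a Python PAN finder that scans a constructed order export and a constructed application log for Luhn-valid 13-19 digit numbers, reports them already truncated so the scan report itself holds no CHD, and flags lines that also carry SAD field names. The file names, the log and CSV contents and the SAD keyword list are constructed for this example; the card number is the deck's own sample.

```python
"""Added example: find cardholder data in stored files so scope can be cut.

The sample files below are constructed for this example; the PAN is the
deck's sample number, not a real account.
"""
import re
from typing import List, NamedTuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that suggest SAD is stored next to the PAN (assumed heuristic
# list; storage of SAD after authorisation is forbidden even if encrypted).
SAD_HINT = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|track[12]?|pin|pinblock)\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and reference IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep only the first six and last four digits, the limit the deck gives."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Finding(NamedTuple):
    source: str
    line_no: int
    truncated_pan: str
    sad_hint: bool


def scan_text(source: str, text: str) -> List[Finding]:
    """Return every Luhn-valid PAN in text, truncated so the report holds no CHD."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, truncate(digits),
                                        bool(SAD_HINT.search(line))))
    return findings


def scan_sources(sources: dict) -> List[Finding]:
    """Scan several named texts and merge the findings into one report."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample data: a CSV export and an application log.
SAMPLE_SOURCES = {
    "orders_export.csv": (
        "order_id,customer,card,amount\n"
        "10001,A. Customer,4000 0012 3456 7899,49.90\n"
        "10002,B. Customer,tok_7f3a9c,12.00\n"
    ),
    "app.log": (
        "2022-01-18 10:22:33 INFO  order 10001 authorised ref=1234567890123456\n"
        '2022-01-18 10:22:34 DEBUG raw request: {"card":"4000001234567899","cvv":"123"}\n'
        "2022-01-18 10:23:01 INFO  callback from +61 2 9999 0000\n"
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        flag = "  <-- SAD stored alongside" if f.sad_hint else ""
        print(f"{f.source}:{f.line_no}: {f.truncated_pan}{flag}")
```

On the sample data the finder reports the PAN in the export and the PAN in the debug log line (the latter flagged because a CVV sits beside it), while the 16-digit reference number and the phone number are rejected by the Luhn check and the length rule. Run it over exports, logs, backups and mail stores before the QSA does; every hit is either scope to remediate or storage to eliminate.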
PAN – Primary Account Number
4000 0012 3456 7899
It must be unreadable when stored, using one of:
Encrypted (FFwEQ129AbaCS)
Hashed (a one-way hash; the stored value looks like the encrypted example above)
Truncated (4000 00** **** 7899)
Masking
Is not secure storage: it hides digits on a screen or receipt while the full PAN remains stored underneath
SAD – Sensitive Authentication Data
Storage after authorisation is forbidden at all times, even if encrypted
Do not try and invent new truncation methods
The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored
4000 00** **** 7899 (first six and last four: acceptable)
4000 1023 **** **** (eight leading digits in the clear: more than the first six the rule allows)
How about 4000 1*** **** 7899?
Might be problematic for the merchant (fewer digits to work with), but it is acceptable
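Two checks a practitioner wants here, as an added example that is not from the deck: first, applying the first-six/last-four rule mechanically to a stored value; second, the reason a truncated PAN and an unkeyed hash of the same PAN must never sit side by side. With the first six and last four digits known, only the hidden digits have to be enumerated, and PCI DSS itself notes that reconstructing a PAN from its truncated and hashed versions is a trivial effort. The PAN is the deck's sample number; the HMAC key shown is a placeholder for the example, and a keyed hash is the hardened alternative rather than something the deck prescribes.

```python
"""Added example: the deck's truncation rule as a check, and why a bare hash of
a PAN must not be stored beside its truncated form.

The PAN is the deck's sample number. The HMAC key is a placeholder for this
example; a real key lives in a key-management system, never in source.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple

SAMPLE_PAN = "4000001234567899"            # the deck's example, without spaces
ASSUMED_KEY = b"example-key-from-the-hsm"  # placeholder, see module docstring


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, so only plausible PANs are hashed during recovery."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """First six and last four, the most a truncation may keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def exposed_digits(stored: str) -> Tuple[int, int]:
    """Count digits left in the clear at the start and at the end of a stored value."""
    s = stored.replace(" ", "")
    lead = len(s) - len(s.lstrip("0123456789"))
    tail = len(s) - len(s.rstrip("0123456789"))
    return lead, tail


def truncation_acceptable(stored: str) -> bool:
    """True only for a 13-19 position value with at most the first six and the
    last four digits in the clear and nothing readable in between."""
    s = stored.replace(" ", "")
    if not re.fullmatch(r"[0-9*]{13,19}", s) or "*" not in s:
        return False
    lead, tail = exposed_digits(s)
    middle = s[lead:len(s) - tail]
    return lead <= 6 and tail <= 4 and middle.count("*") == len(middle)


def hash_pan(pan: str) -> str:
    """An unkeyed SHA-256 of the PAN, which is how 'hashed' is often implemented."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA256: without the key an attacker cannot test candidate PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(pan_hash: str, truncated: str) -> Optional[str]:
    """Rebuild a PAN from its unkeyed hash plus its truncated form by enumerating
    the hidden digits; only Luhn-valid candidates are hashed (about one in ten)."""
    s = truncated.replace(" ", "")
    lead, tail = exposed_digits(s)
    hidden = len(s) - lead - tail
    prefix, suffix = s[:lead], s[len(s) - tail:]
    for n in range(10 ** hidden):
        candidate = f"{prefix}{n:0{hidden}d}{suffix}"
        if luhn_valid(candidate) and hash_pan(candidate) == pan_hash:
            return candidate
    return None


if __name__ == "__main__":
    for stored in ("4000 00** **** 7899", "4000 1023 **** ****", "4000 1*** **** 7899"):
        verdict = "acceptable" if truncation_acceptable(stored) else "exceeds the rule"
        print(f"{stored}: {verdict}")
    digest = hash_pan(SAMPLE_PAN)
    print("recovered from hash + truncation:", recover_pan(digest, truncate(SAMPLE_PAN)))
```

With first six and last four in the clear there are only a million candidates for a 16-digit PAN, a tenth of them Luhn-valid, so the recovery finishes in well under a second on a laptop. Against the keyed digest the same loop exhausts every candidate and returns None, which is why a keyed hash (or encryption with managed keys) is the right choice whenever a hashed PAN and a truncated PAN may both exist in the environment.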
1. Store & Forward / Posting
Card data touches the merchant's web server
The server transmits the CHD on to the service provider (SP)
∴ The web server will be considered "In Scope"!
2. Redirection
Card data does not touch the merchant's server, pre- or post-authorisation
∴ The web server may be considered "OUT of Scope"!
The QSA has an important role to play in advising the merchant
It may feel like an audit, but it's NOT about getting a tick in a box!
Identify and document the gap between "where you are" and the standard.
It provides the foundation for determining the time, budget and resources required.
Achieving PCI compliance is not the end of the journey, it's the start.
A compliant state must be maintained at all times.
This compliant state must be revalidated annually and after any "significant" change to the CHD environment.
Information security threats emerge faster than any standards committee can keep up with.
Reduce the scope
Prioritise remediation activities based on risk
Complying with the standard is a minimum requirement, not an end goal
You cannot outsource the consequences of a breach
No standard can address every risk for every business
Be pragmatic. The only effective solution is to combine policies, procedures and technologies to meet the risks specific to your organisation