PCI requirements in business language: What can happen with the cardholder data?
Lecture contents
• What is PCI DSS?
• Who must comply with PCI DSS?
• The PCI DSS requirements
• Steps of the PCI DSS assessment
• Compliance level
• Incidents
• Background of an incident
• Typical example
What is PCI DSS?
• Payment Card Industry Data Security Standard
• Developed by: the founding payment brands
• Main principles
  – Build and Maintain a Secure Network
  – Protect Cardholder Data
  – Maintain a Vulnerability Management Program
  – Implement Strong Access Control Measures
  – Regularly Monitor and Test Networks
  – Maintain an Information Security Policy

Who must comply with PCI DSS?
• Covered
  – Issuer and its service provider(s)
  – Acquirer and its service provider(s)
  – Merchant and its service provider(s)
• Not covered
  – Cardholder
The PCI DSS requirements
• Build and Maintain a Secure Network
  – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data across open, public networks

The PCI DSS requirements
• Maintain a Vulnerability Management Program
  – Requirement 5: Use and regularly update anti-virus software
  – Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  – Requirement 7: Restrict access to cardholder data by business need-to-know
  – Requirement 8: Assign a unique ID to each person with computer access
  – Requirement 9: Restrict physical access to cardholder data

The PCI DSS requirements
• Regularly Monitor and Test Networks
  – Requirement 10: Track and monitor all access to network resources and cardholder data
  – Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Requirement 12: Maintain a policy that addresses information security
Steps of the PCI assessment
• Preparation for the assessment
  – Perform penetration testing
  – Perform vulnerability scanning
  – Perform security awareness training
  – Establish testing procedures regarding hosting providers
  – Develop data retention and disposal policy and procedures
  – …

Steps of the PCI assessment
• Type of the assessment
  – Qualified Security Assessor (QSA) onsite review
  – Self assessment
  – Network security scan
• Depends on
  – Number of transactions
  – Special request from a certain payment brand
Compliance Level Definitions – Merchants
(For each compliance validation level: QSA onsite review / self assessment / network security scan)
• Level 1: any merchant, regardless of channel, with more than 6M transactions; any merchant that has suffered a hack; any merchant identified by any payment card brand as Level 1
  – QSA onsite review: required (annually)
  – Self assessment: not required
  – Network security scan: required (quarterly)
• Level 2: any merchant, regardless of channel, with 1M to 6M transactions
  – QSA onsite review: not required
  – Self assessment: required (annually)
  – Network security scan: required (quarterly)
• Level 3: 20K to 1M e-commerce transactions
  – QSA onsite review: not required
  – Self assessment: required (annually)
  – Network security scan: required (quarterly)
• Level 4: fewer than 20,000 e-commerce transactions, or fewer than 1M non-e-commerce transactions
  – QSA onsite review: not required
  – Self assessment: recommended (annually)
  – Network security scan: recommended (annually)

Compliance Level Definitions – Service Providers
(For each compliance validation level: QSA onsite review / self assessment / network security scan)
• Level 1: VisaNet connection; all payment gateways; TPPs (third-party processors) and DSEs (data storage entities) that handle data for Level 1 and Level 2 merchants
  – QSA onsite review: required (annually)
  – Self assessment: not required
  – Network security scan: required (quarterly)
• Level 2: not Level 1, with more than 1M transactions; DSEs that handle data for Level 3 merchants
  – QSA onsite review: required (annually) for MasterCard
  – Self assessment: required (annually) for Visa
  – Network security scan: required (quarterly)
• Level 3: fewer than 1M transactions; all other DSEs
  – QSA onsite review: not required
  – Self assessment: required (annually)
  – Network security scan: required (quarterly)
Incidents
• Heartland Payment Systems (2009)
• Hannaford Brothers and Sweetbay (2008)
• TJX (2007)
• CardSystems Solutions Inc. (2005)

Background of an incident
• CardSystems Solutions Inc.
  – Credit card processing company
• Purpose of keeping the data
  – "research"
  – 40 million card accounts (name, bank account number)
• Attack
  – Breached security protocol
  – Virus
  – Sensitive data stored in the clear

Background of an incident
• Data removal process
  – Contractually obligated to delete the data
  – Inappropriate data removal process
• Use of the information
  – Sold on a Russian website
• Affected a number of high-profile companies
Typical example
PCI DSS 6.1: "Ensure that all system components and software have the latest vendor-supplied security patches."

Typical example
• We have a Windows-based system
• We use WSUS (Windows Server Update Services), therefore all of our servers and workstations are patched
• Are we compliant?

Typical example
• What does a client PC look like?
  – Adobe Flash
  – Adobe Acrobat
  – JRE
  – … and many more
• The versions and patch levels of these applications are typically not managed centrally (WSUS distributes Microsoft updates only)
Typical example
ID         Description
APSB09-15  Security Advisory for Adobe Reader and Acrobat
APSB09-10  Security Updates available for Adobe Flash Player, Adobe Reader and Acrobat
APSA09-03  Security Advisory for Adobe Reader, Acrobat and Flash Player
APSB09-07  Security Updates available for Adobe Reader and Acrobat
APSB09-06  Security Updates available for Adobe Reader and Acrobat
APSA09-02  Buffer overflow issues in Adobe Reader and Acrobat
APSB09-04  Security Update available for Adobe Reader and Acrobat
APSB09-03  Security Update available for Adobe Reader 9 and Acrobat 9
APSA09-01  Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat
Source: http://www.adobe.com/support/security/
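The check a practitioner would want behind the "Are we compliant?" question is an inventory of the non-Microsoft software that WSUS does not report on, compared against the versions the vendor advisories say are patched. The PowerShell below is an added example, not part of the original slides: it reads the Uninstall registry hives (what Add/Remove Programs shows), normalises the reported versions, and flags each product in a baseline that is below its minimum version. The name patterns and minimum versions in $Baseline are placeholders (assumptions) to be filled in from the vendor advisories such as the APSB bulletins listed above.

```powershell
# Added example, not from the original slides: flag third-party software on a
# Windows client that is below a minimum patched version. WSUS will not report this.
# $Baseline is an ASSUMPTION: name patterns and minimum versions are placeholders,
# to be filled in from the vendor advisories (e.g. Adobe's APSB bulletins).

$Baseline = @(
    @{ Pattern = '^Adobe Reader';       MinVersion = '9.2.0'      }  # placeholder
    @{ Pattern = '^Adobe Flash Player'; MinVersion = '10.0.32.18' }  # placeholder
    @{ Pattern = '^Java\(TM\) 6';       MinVersion = '6.0.160'    }  # placeholder
)

function ConvertTo-Version([string]$Text) {
    # Normalise "9.1.3 MUI" or "10.0" to a 4-part System.Version so that 9.2.0 and
    # 9.2.0.0 compare equal (System.Version treats a missing component as less than 0).
    if ($Text -notmatch '^\s*(\d+(\.\d+){0,3})') { return $null }
    $parts = $Matches[1].Split('.')
    while ($parts.Count -lt 4) { $parts += '0' }
    return [version]($parts -join '.')
}

function Get-InstalledSoftware {
    # Read both the native and the WOW6432 Uninstall hives; this is the list that
    # Add/Remove Programs shows, including non-Microsoft products.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

function Test-PatchBaseline {
    param([object[]]$Inventory, [object[]]$Baseline)
    foreach ($rule in $Baseline) {
        $minimum  = ConvertTo-Version $rule.MinVersion
        $installs = @($Inventory | Where-Object { $_.DisplayName -match $rule.Pattern })
        if ($installs.Count -eq 0) {
            # Nothing to patch, but record it so an absent product stays visible to the reviewer.
            [pscustomobject]@{ Product = $rule.Pattern; Installed = '-'; Minimum = $rule.MinVersion; Status = 'NOT INSTALLED' }
            continue
        }
        foreach ($item in $installs) {
            $have   = ConvertTo-Version $item.DisplayVersion
            $status = if ($null -eq $have)        { 'UNPARSEABLE' }   # review by hand
                      elseif ($have -lt $minimum) { 'OUT OF DATE' }
                      else                        { 'OK' }
            [pscustomobject]@{ Product = $item.DisplayName; Installed = $item.DisplayVersion; Minimum = $rule.MinVersion; Status = $status }
        }
    }
}

# Local run; for a fleet, run Get-InstalledSoftware on each host via Invoke-Command -ComputerName.
$results = Test-PatchBaseline -Inventory (Get-InstalledSoftware) -Baseline $Baseline
$results | Format-Table -AutoSize
# Non-zero exit so a scheduler or scan job can treat an unpatched client as a failure.
if (@($results | Where-Object { $_.Status -eq 'OUT OF DATE' }).Count -gt 0) { exit 1 }
```

Run it as an administrator on a client, or from a management host with Invoke-Command against a list of computers. An OUT OF DATE row is direct evidence against Requirement 6.1 regardless of what the WSUS console says, and an UNPARSEABLE row is a product whose version string needs a manual look rather than a silent pass.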
Typical example
• … and of course they are exploited in the wild
• Easy-to-use tools for crafting malicious PDFs
  – Metasploit
  – Origami
  – …