Sc World Congress Econference March 2011
PCI Compliance – What’s the buzz?
Neira Jones, Head of Payment Security, Barclaycard
23rd March 2011
Headlines…
• 18th October 2010: the UK Government published their National Security Strategy.
– This placed "Hostile attacks upon UK Cyberspace by other states and large scale cyber crime" at the same level as International Terrorism and International Military threats.
• The Olympics are a target: In 2008, Beijing suffered 12 million cyber attacks per day.
– These games ran (!) for 16 days: total number of attacks = 192 million.
– The number of Internet users was estimated at 1.9 billion users in June 2010*, a 23% increase since 2008.
– As the number of internet users increases, a far larger attack statistic in 2012 is likely.
• A study by Cisco Systems (December 2010) projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013.
* Source: Miniwatts Marketing Group, 2010
Cloud Computing
• 2010: the Year Of The Cloud (Salesforce.com, IBM, Google, Microsoft, Oracle, Amazon, Rackspace, Dell and others)
• The key opportunity for service providers is to differentiate themselves by becoming cloud service providers.
• Perceived key benefits for organisations considering a move to the cloud:
– reduce capital costs
– become more agile by divesting infrastructure and application management to concentrate on core competencies
– opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements.
• Key issues for organisations when determining migration decisions:
– security and control
– data-centre overcapacity and scale
– availability of skilled IT people.
The digital era…
• By 2015 there will be more interconnected devices on the planet than humans.*
• What’s mobile? What do I need to do?
• The most recent figures estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people.**
• Every year, we share more of ourselves online.
• Each time we do this, we place our data and our faith in the security measures taken by those managing it on our behalf.
* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010
Fraud news (UK)…
“While another drop in fraud is good news, the crooks haven’t shut up shop, which is why there can be no room for complacency from the industry, shops or consumers.”
DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit
• Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for a decade.
• This represents a 17% drop to £365M, compared to a 28% fall in 2009.
• Phone, internet and mail-order fraud (Card Not Present) fell 15%, compared to a 19% drop in 2009. CNP fraud remains by far the biggest category.
• Crooks still got away with £1million/day.
The challenges…
• Cloud computing
• Mobile infrastructure
• Third parties
• Governance or compliance?
• Risk management
Cloudy out there…
Moving to the Cloud?...
• Use the Cloud Computing Reference Model provided by NIST.
– ask cloud services providers to disclose their security controls
– ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
– “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.
NIST Cloud Reference Model
[Figure: the cloud service stack. Software as a Service (SaaS): Presentation, APIs, Applications, Information (Data, Metadata, Content). Platform as a Service (PaaS): Integration & Middleware. Infrastructure as a Service (IaaS): APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities.]
• Infrastructure as a Service (IaaS)
– Lowest level infrastructure resource stack
– Capability to abstract resources (or not)
– Physical and logical connectivity to those resources
– Provides a set of APIs which allows “consumers” to interact with the infrastructure.
• Platform as a Service (PaaS)
– Sits on top of IaaS
– Additional integration layer with application development frameworks
– Middleware
– Programming languages and tools supported by the stack
– Functions allowing developers to build applications on the platform
• Software as a Service (SaaS)
– Sits on top of IaaS and PaaS stacks
– Self-contained operating environment to deliver the entire user experience
Cloud Computing and security
• Does the risk of moving sensitive data and applications to an emerging infrastructure exceed your tolerance levels?
• The limitations on cloud computing growth will include issues:
– Data custody
– Control
– Security
– Privacy
– Jurisdiction
– Portability standards for data and code
• Adopting cloud computing is a complex decision involving many factors: desktop applications, e-mail, collaboration, enterprise resource planning and potentially any application.
• The key consideration for a security architecture is that the lower down the SPI stack the cloud service provider stops, the more organisations will be responsible themselves for managing the risk to their assets.
Cloud Computing isn’t necessarily more or less secure than your current environment.
Control & risk management
• Whilst the risk assessment depends on the “where” and “how” of the assets, it also depends on the following:
– The types of assets being managed
– Who manages them and how
– Which controls are selected and why
– What compliance issues need to be considered
• Consideration should be made for risk mitigation in each of the SPI tiers (SaaS, PaaS, IaaS), and compliance/regulatory requirements should be considered (e.g. PCI DSS, FSA, SOX, etc.).
What degree of control and risk management will the organisation have for each of the cloud service models?
Find the gaps…Find the gaps!
[Figure: three models set side by side for each of IaaS, PaaS and SaaS. Cloud Reference Model: Facilities, Hardware, Abstraction, Core Connectivity & Delivery, APIs (IaaS); Integration & Middleware (PaaS); Information (Data, Metadata, Content), Applications, APIs, Presentation (SaaS). Security Control Model: Physical, Compute & Storage, Trusted computing, Network, Management, Information, Applications. Compliance Model: PCI DSS, ISO 27002, DPA, DDA, SOX, FSA.]
Who does what?
The lower down the stack the cloud service provider stops, the more security capabilities and management “consuming” organisations are responsible for implementing & managing themselves.
• SaaS: Provider bears the responsibility for security. Security controls and their scope are negotiated in the service contracts (SLAs, privacy, compliance, liability etc.).
• PaaS: Provider responsible for the security of the platform. “Consuming” organisations responsible for
– securing applications developed against the platform
– developing applications securely (e.g. OWASP Top 10).
• IaaS: Provider responsible for securing the underlying infrastructure and abstraction layers. “Consuming” organisation will be responsible for the security of the remainder of the stack.
Evaluate cloud service providers
• Evaluating the risk for potential cloud service providers is a challenge:
– ask cloud services providers to disclose their security controls
– ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
– “consuming” organisations will need to know which controls are needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.
For further reading, see http://www.cloudsecurityalliance.org/Research.html
On the move with mobile…
What’s mobile?
• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)
What do I need to do?
What does a mobile security policy look like?
How do I enforce it?
It’s all about risk…
What’s the buzz?
• Visa TIP program promotes a risk based approach.
• The banks want merchants to take a risk based approach.
• The merchants want to take a risk based approach.
• The PCI SSC has ‘blessed’ the adoption of a risk based approach.
At the end of the day, what we all want is to stop sensitive information being exploited by fraudsters.
The era of compliance for compliance’s sake is drawing to an end.
Barclaycard’s top ten tips
Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early.
3. Scope: Understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically - once a year is advised).
Reduce Risk
6. Remove sensitive authentication data (SAD) storage as the top priority.
7. Prioritise Risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have implemented EMV in their F2F channel.)
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS requirements, they will improve security and reduce risk.
10. If Compensating Controls are required, ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).
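Tips 5 and 6 both hinge on knowing where cardholder data and sensitive authentication data actually sit, and stray copies in application logs are a common reason the cardholder environment is larger than anyone believes. The following is an added example, not Barclaycard's or the PCI SSC's tooling: a small discovery scan over constructed log lines that flags Luhn-valid 13 to 19 digit runs as candidate PANs, flags ISO 7813 track-2 records and CVV-style fields as SAD (which PCI DSS forbids storing after authorisation), and masks anything it reports to first six / last four. The function names, regexes and sample lines are mine; the card numbers are published test numbers.

```python
"""Cardholder-data discovery scan over application log lines.

Added example (not the presentation's or Barclaycard's code). Heuristics:
Luhn-valid 13-19 digit runs are candidate PANs; track-2 shaped records and
CVV-style fields are sensitive authentication data (SAD) and must never be
stored. Output is masked to first six / last four digits.
"""
import re
from dataclasses import dataclass

# Constructed sample lines using published test PANs.
SAMPLE_LOG = [
    "order=1001 card=4111111111111111 exp=12/25 cvv=123 amount=19.99",    # PAN + CVV stored
    "order=1002 token=tok_8f3a9c2e amount=42.00",                         # tokenised: clean
    "order=1003 track2=;5555555555554444=2512101123456789? status=auth",  # raw track 2
    "ticket=4111111111111112 ref=123456789012345",                        # digit runs, not Luhn-valid
]

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2: start sentinel ';', PAN, field separator '=', YYMM expiry, ..., end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Card verification value stored next to a recognisable field name.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str      # "PAN", "TRACK2" or "CVV"
    value: str     # masked representation, safe to put in a report
    sad: bool      # True when the item is sensitive authentication data


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: list[str]) -> list[Finding]:
    """Return every PAN, track-2 record and CVV field found, one Finding each."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):  # drops order numbers and reference ids
                findings.append(Finding(n, "PAN", mask_pan(digits), sad=False))
        for m in TRACK2_RE.finditer(line):
            desc = f"{mask_pan(m.group(1))}={m.group(2)}..."
            findings.append(Finding(n, "TRACK2", desc, sad=True))
        if CVV_RE.search(line):
            findings.append(Finding(n, "CVV", "<redacted>", sad=True))
    return findings


def summarise(findings: list[Finding]) -> dict[int, list[str]]:
    """Map line number -> kinds found, for a quick per-line view of the gap analysis."""
    by_line: dict[int, list[str]] = {}
    for f in findings:
        by_line.setdefault(f.line_no, []).append(f.kind)
    return by_line


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        verdict = "SAD: must not be stored" if f.sad else "PAN: in scope, protect or tokenise"
        print(f"line {f.line_no}: {f.kind} {f.value} ({verdict})")
```

Run against real logs, the interesting output is not the PAN count but the SAD hits: a single stored track-2 record or CVV puts the system in scope and in breach regardless of any compensating control, which is why tip 6 puts removing it ahead of everything else. The Luhn filter is what keeps order numbers and reference ids out of the report, so tune the digit-run regex (separators, length) before trusting a clean result.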
Third parties: do I have a choice?
For those who outsource…
• 324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites
http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• 867 Level 1 PCI DSS compliant service providers listed on MasterCard website
http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20November%2029%202010.pdf
For those who want to retain control in-house…
• 724 PA DSS validated payment applications on PCI SSC website
https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
Barclaycard’s position…
• We always recommend that our customers use Level 1 Service providers as self-assessment does not provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.
How organisations can select service providers