Who is Coalfire?
Clients include Fortune 100, retail, government, education, financial, healthcare, law firms and manufacturing
Security, Governance, Compliance Management, Audit: GLBA, SOX, PCI, HIPAA, SAS 70 and Government
Practice areas: Risk and Vulnerability Assessment, E-discovery and Forensic Analysis
Solutions: Policy Development, Data Classification, Logging and Monitoring, Incident Response, etc.
Application Security: PABP Certification, Code Audits, Penetration Testing, SDL Development
Founded in 2001, with offices in Denver, Seattle and NYC, with over 30 full-time IT auditors
IT Governance and Compliance Management
Agenda
• Compliance Overview
• Cyber Threats
• Payment Card Overview
• PCI Compliance
• Controls Framework
• Questions
The Regulatory Environment Represents a New Enterprise Challenge
Regulatory timeline (figure), by decade of enactment:
1970-1980: Privacy Act of 1974; Foreign Corrupt Practices Act of 1977
1980-1990: Computer Security Act of 1987
1990-2000: EU Data Protection Directive; HIPAA; FDA 21 CFR Part 11; Bill C-6 (Canada); GLBA; COPPA
2000-Present: USA PATRIOT Act 2001; EC Data Privacy Directive; CLERP 9; CAN-SPAM Act; FISMA; Sarbanes-Oxley (SOX); CIPA 2002; Basel II; NERC CIP-002 through CIP-009; CISP; Payment Card Industry (PCI); California SB 1386; other state privacy laws (38)
Compliance Trends
State Privacy Laws
• Businesses must establish basic information security programs
• Businesses must proactively manage their confidential consumer information
• Businesses must take steps to know when their defenses have been breached
• In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers, resulting in new security requirements
Compliant infrastructures are required!
Risks Have Increased as Technology Changed
Unauthorized Users
Attack Vectors
• Virus attack
• Spyware (intentional and unintentional)
  o Worms and Trojans
  o Image-embedded Trojans
• Targeted attacks that exploit poor system configuration and vulnerabilities
• Targeted attacks against a "friendly" who either loses your data or passes along the attack
• Physical theft
• System misuse by an authorized user
  o Internal staff
  o Third parties
Stolen Account Data Value
The DSW Shoe Warehouse customer database was hacked and 1.4 million records were stolen; the company recorded a reserve of over $6.5 million on its 2005 financial statements.
Scary Bedtime Stories: What is the cost of non-compliance?
Other headlines:
• TJ Maxx causes several states to introduce new legislation to protect cardholder data.
• CardSystems Solutions forced to sell its operations at a loss.
• Ongoing compromises are driving changes in the DSS to include two-factor authentication and wireless security.
• FTC fines ChoicePoint $10 million for unfair business practices for failure to protect consumer data.
Costs of a PCI Compromise
Scenario: a hypothetical merchant compromises 10,000 accounts when a third-party service provider has a server stolen. What is the potential financial impact?
• Notify clients and provide privacy guard: $50 x 10,000 = $500,000
• Fines and penalties: $10,000 to $1 million
• Loss of clients: 10,000 clients x 15% = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
• Fraud liability (ADCR, Visa's Account Data Compromise Recovery program): 1,000 accounts x $500 = $500,000
• Reputation loss: PRICELESS!
Cardholder Verification Number (CVN), also called CID, CVV2 or CVC2 depending on the card brand (figure: the CVV2 is printed on the card; the CVV is encoded in the magnetic stripe)
PCI Relationship Matrix (figure): Cardholder, Merchant, Service Provider, Processor/Gateway, Application Vendors, Acquiring Bank, Issuing Bank. The PCI Data Security Standard applies to the merchant cardholder environment.
PCI Compliance Levels
Merchant Level 1: any merchant processing over 6 million VISA or MasterCard transactions per year, OR identified by any card brand as a Level 1 merchant.
Merchant Level 2: any merchant processing 1 to 6 million VISA or MasterCard transactions per year.
Merchant Level 3: any merchant processing 20,000 to 1 million VISA or MasterCard e-commerce transactions per year.
Merchant Level 4: any merchant processing fewer than 20,000 VISA or MasterCard e-commerce transactions per year, and all other merchants with fewer than 1 million transactions.
Compliance Validation Requirements (level, validation action, scope, validated by)
Level 1:
• Annual on-site security audit; scope: authorization and settlement systems; validated by an independent assessor, or internal audit if signed by an officer
• Quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Levels 2 and 3:
• Annual Self-Assessment Questionnaire; scope: any system storing, processing, or transmitting cardholder data; validated by the merchant, with optional support from a qualified vendor
• Quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Level 4:
• Annual Self-Assessment Questionnaire; scope: Internet-facing perimeter systems; validated by the merchant, with optional support from a qualified vendor
• Network scan recommended; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
New Self Assessment Questionnaire (SAQ)
Visa Fine Schedule* (other card associations have different costs)
Data compromise or non-compliance with PCI requirements:
• First violation: up to $50,000
• Second violation: up to $100,000
• Third violation: at Visa's discretion, for more than two violations in 12 months
Merchants who store full-track data:
• Initial penalty of $50,000
• Thereafter Visa assesses fines of up to $100,000 monthly until the track data is removed
* Representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer.
Assessment Scope: Where is the cardholder data?
Cardholder data flow (figure):
• Acquiring bank (e.g. Wells Fargo, BoA, Chase)
• Customer production environment: web server (card not present); POS terminals (card present in stores and parking facilities); authorization
• Transaction servers or payment gateway; transaction record and archive; batch settlement; application servers
• Data warehouse: payment gateway and transaction database
• Admin environment: portal access to reconciliation data (chargeback / sales audit)
• Back office and customer service: marketing, customer service, e-commerce, phone / fax, gift cards, fraud, accounting / administration; data also arrives by phone, fax and email
• Document vaults: paper records
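Answering "where is the cardholder data?" in practice means scanning logs, databases and file shares for primary account numbers and, worse, full-track data, which the Visa fine schedule above penalises monthly until it is removed. The following Python scanner is an added example and is not code from Coalfire or from this deck. It finds 13-19 digit runs, keeps only those that pass the Luhn check digit (which discards most phone numbers and reference IDs), recognises ISO 7813 track 1 and track 2 layouts, and reports PANs masked to first six / last four. The POS log lines are constructed for the example; 4111111111111111 and 5555555555554444 are the standard card-brand test numbers.

```python
"""Cardholder-data discovery: flag PANs and prohibited track data in text.

Added example, not from the Coalfire deck. The sample log below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM>...? (track 1)
# and ;<PAN>=<YYMM>...? (track 2). Storing either after authorization is
# prohibited by PCI DSS.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")


@dataclass
class Finding:
    kind: str      # "pan", "track1" or "track2"
    line: int      # 1-based line number in the scanned text
    masked: str    # first six and last four digits only


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check; filters most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per distinct PAN per line; track data wins over bare PAN."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        # Track data first: it is the more severe finding and already contains the PAN.
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan) and pan not in seen:
                    seen.add(pan)
                    findings.append(Finding(kind, lineno, mask_pan(pan)))
        for m in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_ok(pan) and pan not in seen:
                seen.add(pan)
                findings.append(Finding("pan", lineno, mask_pan(pan)))
    return findings


# Constructed sample: a POS debug log that leaks a PAN, track 2 and track 1 data.
# Line 2 holds a phone number and a 13-digit reference that fails Luhn; line 5
# holds a PAN with a corrupted check digit. None of those should be reported.
SAMPLE_LOG = """\
2008-03-01 12:00:01 POS-07 auth ok card=4111111111111111 amt=42.10
2008-03-01 12:00:02 POS-07 callback 303-555-0187 ref 1234567890123
2008-03-01 12:00:03 POS-07 DEBUG raw=;4111111111111111=25121010000012345678?
2008-03-01 12:00:04 POS-07 DEBUG raw=%B5555555555554444^DOE/JANE^2512101?
2008-03-01 12:00:05 POS-07 auth declined card=4111111111111112 amt=9.99
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind:<6} {f.masked}")
```

Run against real data, point scan_text at log files, database exports and mailbox dumps, and treat any track1/track2 hit as a stop-the-line finding: it means an application is retaining prohibited data elements, which is exactly what the PABP phases below are meant to eliminate. The Luhn filter reduces noise but does not eliminate it, so findings still need a human look before they go into the SAQ scope.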
New Visa Application Requirements
Phase, compliance mandate and effective date:
I. Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. Effective 1/1/08
II. VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant. Effective 7/1/08
III. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. Effective 10/1/08
IV. VNPs and agents must decertify all vulnerable payment applications. Effective 10/1/09
V. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. Effective 7/1/10
Oct 23 announcement from Visa: "It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised."
Summary
• Assessment vs. audit: penalties for non-compliance are high, but guidance on "assessment" procedures is marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
• The testing procedures for each control activity are PRESCRIPTIVE: maintain evidence of controls
• The Self-Assessment Questionnaire must track to the environment
• Organizations may not understand their cardholder environment
• The reporting process depends on the acquiring bank
• There are more risks to manage than the test procedures measure (example: Hannaford)