©2015 RSM US LLP. All Rights Reserved. 2015 IASA CAROLINA’S CHAPTER MEETING WAKE FOREST UNIVERSITY CHARLOTTE DECEMBER 14, 2015.

Presentation transcript:


HOW CAN PCI BE LEVERAGED TO IMPROVE YOUR CYBERSECURITY PROGRAM
December 14, 2015

Objectives
- What PCI is, why it exists, and how PCI compliance affects your industry and organization
- Challenging requirements that could drastically impact your compliance efforts
- Guidance on how to provide the highest level of security for confidential data while still implementing efficient payment card processes
- How to gain the most benefit from PCI compliance to protect your whole organization

Introductions
- Corbin Del Carlo, National Leader PCI Services, Director, Security and Privacy Services, RSM US LLP (847)

The World Has Changed
“The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeroes, little bits of data. It's all just electrons.” (Cosmo, Sneakers)

What drives PCI compliance?
- Hackers and large international organized crime syndicates
- Higher monthly fees for non-compliance
- The fallout of a data breach:
  - The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.
  - A breach could cost, on average, $200 per card number lost.
- Knowing what data you have and where it resides

Information Value (marketplaces)

Fraud cycle

The PCI DSS
- The PCI DSS was introduced to force the implementation of controls at service providers and merchants to protect CHD
- The PCI DSS has very specific controls that can be implemented to reduce the risk of data compromise
- Based on 12 requirements
- Roughly 404 sub-requirements, which are specific controls to be implemented
- Designed with current breach methods in mind and focused on implementing controls that prevent data loss

The PCI DSS (cont.)
- Required for all organizations that store, process, or transmit CHD
- Compliance deadline for service providers was April 30, 2007
- Compliance deadline for all organizations was September 30, 2009
- Why, if the deadline passed six years ago, do so many organizations still not even know what PCI compliance is?
- Compliance vs. validation

We are PCI compliant, so we’re done, right?
- Of course not…
- Many validated compliant organizations were still compromised:
  - Heartland Payment Systems (2008) – million cards lost
  - Hannaford Brothers (2008) – 4.2 million cards lost
  - RBS WorldPay (2008) – 1.5 million
  - Global Payments (2012) – 7 million cards
  - Target (2013) – 40 million cards

So what is the problem?
- PCI compliance is…
  - Point in time
  - Very limited in focus
  - Contractual, not a legal requirement
  - Gives a false sense of security
  - Significant costs create management expectations
  - Implemented controls create employee frustration (bypassing controls)
- Security is the goal of the PCI DSS, but not the outcome

How does this affect the insurance industry?
- Lots of recurring payments, which can require significant CHD storage
- Legal or regulatory scrutiny based on publicity of a data breach
- PAN data integrated into multiple business processes
  - Segmentation difficult to impossible

Requirements that organizations struggle with
Scope of assessment
- Evidence that cardholder data only resides in the cardholder data environment. Proof via:
  - Data flow documentation
  - Interviews with business process owners
  - Automated scans at perimeter points
  - Proof of data containment
Image courtesy of PCI SSC

Requirements that organizations struggle with (cont.)
E-Commerce Scoping whitepaper
- Published in January
- Clarifies the scope of PCI DSS in relation to e-commerce apps
- Most importantly, pulls redirect systems into scope
- SAQ exceptions
Images courtesy of PCI SSC: Information Supplement – PCI DSS E-Commerce Guidelines

Requirements that organizations struggle with (cont.)
Requirement 3.4 – Mixture of hash and truncation (tokens)
- Additional controls are required if both the hashed and the truncated tokens are present in the same system
- If the organization is using tokens, what are those tokens? See the Council’s token guidance
Requirement 4.1
- SSL no longer considered a secure protocol
- TLS – must migrate to TLS 1.2 or have a plan to do so by June 2016

Requirements that organizations struggle with (cont.)
Requirement – Audit access to CHD
- Requirement that all individual user access to CHD must be logged and included in the audit trails
- No shared accounts without some other control
Requirement 10.6 – Daily log reviews
- Clarified that log reviews should identify suspicious activity or anomalies
- Allows a risk management strategy to be applied to the logs reviewed
- Actually a bit easier, but almost always requires a SIEM
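As an added example, not taken from the presentation, the individual-access, shared-account and daily-review points above expressed as detection logic run over a constructed CHD access audit trail. The log format, the account names, the approved-user list and the thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit trail (not from the presentation): one line per
# read of a stored PAN record.
SAMPLE_LOG = """\
2015-12-14T09:02:11 user=jsmith src=10.1.4.20 action=read record=44121
2015-12-14T09:03:40 user=jsmith src=10.1.4.20 action=read record=44122
2015-12-14T09:05:02 user=billing_shared src=10.1.4.33 action=read record=44123
2015-12-14T23:41:09 user=mlee src=10.1.4.51 action=read record=44200
2015-12-14T23:41:10 user=mlee src=10.1.4.51 action=read record=44201
2015-12-14T23:41:11 user=mlee src=10.1.4.51 action=read record=44202
2015-12-14T10:15:00 user=contractor7 src=10.1.4.60 action=read record=44300
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+) record=(\S+)$")

# Review rules (assumed values): named accounts only, an approved CDE user
# list, business hours, and a per-user rate ceiling that flags bulk reads.
SHARED_ACCOUNT_RE = re.compile(r"shared|generic|^admin$|^svc_", re.I)
APPROVED_USERS = {"jsmith", "mlee"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59
MAX_READS_PER_MINUTE = 2

def parse(log_text):
    """Turn raw lines into events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, action, record = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "src": src, "action": action, "record": record})
    return events

def review(log_text):
    """Return (rule, user, detail) findings for the daily review queue."""
    findings = []
    per_minute = Counter()
    for ev in parse(log_text):
        user = ev["user"]
        if SHARED_ACCOUNT_RE.search(user):        # access not tied to a person
            findings.append(("shared-account", user, ev["record"]))
        elif user not in APPROVED_USERS:          # person with no CDE approval
            findings.append(("unapproved-user", user, ev["record"]))
        if ev["ts"].hour not in BUSINESS_HOURS:   # anomaly: after-hours access
            findings.append(("after-hours", user, ev["ts"].isoformat()))
        minute = (user, ev["ts"].strftime("%Y-%m-%dT%H:%M"))
        per_minute[minute] += 1
        if per_minute[minute] == MAX_READS_PER_MINUTE + 1:  # report once
            findings.append(("bulk-read", user, minute[1]))
    return findings
```

In a real deployment these rules would live in the SIEM the slide mentions; the point here is that each finding maps back to a specific control the review is meant to enforce.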

Requirements that organizations struggle with (cont.)
Requirement 9.9 – Protect capture devices
- All devices that capture payment data (PIN pads, card swipes, chip readers, etc.) must have unique tamper-proof stickers
- Periodic review of all stickers to validate “not broken or equipment substituted”
Requirement 11.3 – Pen-testing methodology
- Methodology has to be documented and based on an industry standard (such as NIST SP ) and include current threats and vulnerabilities
- Has to include the CDE perimeter and critical devices
- Has to validate any segmentation or scope reduction controls used to reduce the scope of the assessment
- Retention of remediation documentation

Requirements that organizations struggle with (cont.)
Requirement – Vendor management
- Merchant must maintain information on which PCI DSS requirements are managed by each service provider or by the entity
- Responsibility matrix
- MORE than just contractual language
- Organization may need to determine if the TPSP meets PCI DSS requirements, depending on services provided
Requirement 12.9 – Vendor acknowledgement
- Service providers must provide, and merchants must obtain, written acknowledgement of the responsibilities discussed in 12.8

Requirements that organizations struggle with (cont.)
Matrix example:

SAQs

SAQ v3.1


EMV AND HOW TO REDUCE PCI RISK

EMV – Chip-based cards
- EMV – Europay, MasterCard and Visa
- October 1, 2015 was the date to have EMV (chip) implemented
- Only chip and signature in the USA
- Liability for loss shifts to the party with the lower technology
- Minimal PCI DSS impact
  - Consider: chip does not change PAN transmission. Are the devices going directly from POS to processor and not entering the network?
  - Card-not-present (e-commerce, mail-in, phone, fax) not impacted
- What are the costs to implement updated PIN pads/POS? Business perspective to update

EMV – Chip and Signature
- Confirm issuer and processor are ready to accept chip and signature
- Global operations
  - Implement globally, if you have not already done so
  - Implement in the US
- P2PE – Point-to-Point Encryption – consider EMV as part of this solution
- Multiple initiatives:
  - Some organizations are in the process of implementing as part of POS upgrade tasks
  - Some organizations are waiting to upgrade until it is time to replace POS devices
  - Some organizations are waiting to see if the date is pushed back for EMV solutions
  - EMV will move forward as a result of the high rate of breaches. The US does 24% of global card transactions and is currently the target of 70% of fraud activity.

Tokenization
- The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
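An added example, not code from the presentation, that serves both the Requirement 3.4 slide earlier (hash and truncation of the same PAN in one system) and the tokenization definition above: PCI truncation, a keyed hash as the extra control that a plain hash lacks, and a vault that hands out random tokens unrelated to the PAN. The vault design, the key handling and the masking character are assumptions; the PAN used is the well-known 4111 test number.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan):
    """Luhn check-digit test that every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate(pan):
    """PCI DSS truncation: at most the first six and last four digits remain."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def keyed_hash(pan, key):
    """HMAC-SHA256 with a secret key (assumed control); not recomputable without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def candidates_given_truncation(pan_len):
    """(all, luhn_valid) PANs that share one first-6/last-4 truncation. With a
    plain, unkeyed hash these are the only guesses left, which is why 3.4 asks
    for additional controls when both forms sit in the same system."""
    total = 10 ** (pan_len - 10)
    return total, total // 10

class TokenVault:
    """Tokenization: the PAN is replaced by a random value with no mathematical
    relation to it; the mapping exists only inside the vault (assumed design)."""
    def __init__(self, key):
        self._key = key
        self._by_hash = {}     # keyed hash -> token, so a repeat PAN reuses its token
        self._by_token = {}    # token -> PAN, the only place the PAN is kept

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        h = keyed_hash(pan, self._key)
        if h not in self._by_hash:
            token = secrets.token_hex(8)    # 16 hex chars, random, not derived from PAN
            self._by_hash[h] = token
            self._by_token[token] = pan
        return self._by_hash[h]

    def detokenize(self, token):
        return self._by_token[token]

if __name__ == "__main__":
    pan = "4111111111111111"     # the standard Visa test number, not a real card
    vault = TokenVault(secrets.token_bytes(32))
    print(truncate(pan), vault.tokenize(pan))
```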

P2PE
- P2PE ensures sensitive credit and debit card data is protected from the first card swipe, while in transit to the payment processor, where it is securely decrypted
- Consider P2PE along with EMV as part of your solution

WHAT CAN BE DONE: IT’S NOT HOPELESS

How Do I Get Started?
When I get back to the office today:
- Review your Information Security Policy/Program
- How mature is our incident response plan?
- How mature is our risk assessment?
Daily/Weekly
- Update anti-virus software and apply patches
- Monitor access to critical data

How Do I Get Started? (cont.)
Monthly
- Review daily processes (terms, change management, log reviews)
- Check security patches
Quarterly
- Test security systems and processes
- Vulnerability scanning
Yearly
- Independent penetration testing
- Review and update DR/IRP plan
- Vendor security reviews
- Security awareness
Every 3-5 years
- Revisit security strategy/needs (RA): does it really address your threats?

Corbin Del Carlo (847)


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.
RSM US LLP, 4725 Piedmont Row Drive, Suite 300, Charlotte, NC