PCI Data Security Compliance SCITDA Spring Conference


Roadmap for PCI Data Security Compliance
SCITDA Spring Conference
David C. Reavis, Office of South Carolina State Treasurer
March 5, 2018

The Enemy: Hacker / Fraudster
- Major card breaches: TJ Maxx, Equifax, Target, NC Ferry Division
- As merchants, governments are:
  - Required to be PCI compliant
  - Subject to fines by the card brands
- Fraud is rampant across the country, and governments are easy targets
- Subscription to a PCI Compliance Validation service is now required

Responses After a Card Security Breach
- "I thought the IT Department was taking care of PCI compliance, since it deals mostly with IT stuff."
- "I thought outsourcing processing to a vendor relieved me of PCI responsibility."
- "I didn't know I was required to give all new hires PCI Awareness training, and provide refresher training annually."
- "I didn't know the contract with our third-party service provider had to specify their responsibility for PCI compliance."
- "I didn't know I had to complete a self-assessment questionnaire (SAQ) annually and provide it to the card processor."
- "I didn't know the IP addresses for our POS software had to undergo quarterly vulnerability scans."
- "I didn't know we had to have a security incident plan tested annually."
- "I didn't know we could be fined for not being PCI compliant."

Treasurer's Policy on PCI Compliance
- SC State Treasurer issued the policy in July 2016
- Specifies participants' responsibilities regarding PCI compliance
- Subscription to a PCI Compliance Validation service is a requirement to continue participating in the new statewide contract:
  - Utilize First Data's "PCI Rapid Comply" service; or
  - Select a vendor of choice (for extensive services)
- STO issued a PCI Roadmap document providing guidance in complying with PCI
  - Designed for the business staff, more so than the IT staff
  - Adherence is the responsibility of the business office

Source of PCI Compliance Requirements
- Participants in the Merchant Card Services Agreement are contractually:
  - Considered "merchants"
  - Subject to card association rules (Visa, MasterCard, etc.)
- The rules specifically require all merchants to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS)
  - Issued by the PCI Security Standards Council
  - Council formed by the card brands
- Failure to comply with PCI-DSS can result in substantial fines (up to $500,000 per brand)

Fines for PCI Non-Compliance
- Card brands can ask for proof of compliance at any time
- The merchant must provide proof of compliance and must respond within the specified time frame
- Visa and MasterCard, at their discretion, may levy non-compliance assessments if compliance is not validated
- Published MasterCard assessments:

  Occurrence or Violation   Amount
  First violation           $10,000
  Second violation          $20,000
  Third violation           $40,000
  Fourth violation          $80,000

Three Components of PCI DSS
- Compliance – Adherence to the standard
  - Applies to every merchant regardless of volume
  - Applies to both technical and business practices
- Validation – Verification that the merchant is compliant
  - Depends upon the type of card capture method(s) utilized
  - Two types of validation:
    - Self-Assessment Questionnaire (SAQ): annually; applies to every merchant
    - External Vulnerability Scanning: quarterly; applies if external-facing IP addresses are involved (web and POS software); must be performed by a Qualified Scanning Vendor (QSV)
- Attestation – Providing proof of validation to the card processor
  - The card processor reports to Visa and MasterCard
  - Attest whenever requested by the card processor

PCI Compliance Responsibilities
- A business problem with an IT solution
- It is imperative that all parties and activities involved in the validation process be coordinated
- Best practice is to have a PCI Oversight Committee comprised of both business and IT staff
- Business staff (who signed the merchant card contract), not IT, is responsible for attestation

Card Volumes Determine Level of Compliance
- Four levels of merchants
  - Determined by each card brand, not by the PCI Council
  - Based upon the annual volume of the highest brand, not all brands combined (Visa is normally higher than MasterCard)
- State agencies and universities are either level 3 or level 4
  - Level 4: fewer than 20,000 e-commerce transactions and all other channels less than one million transactions
  - Level 3: 20,000 or more e-commerce transactions annually
  - Both levels require an annual SAQ and vulnerability scans
- Levels 1 & 2 require an on-site security assessment
  - One million transactions of the highest brand
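As an added illustration of the level rule on this slide (example code, not from the presentation), the following Python encodes the "highest brand, not all brands combined" logic using the slide's thresholds. The brand volumes are constructed sample input; the slide does not separate level 1 from level 2, so the function reports those together as "1/2":

```python
"""Classify a merchant's PCI validation level from per-brand annual volumes.

Added example, not from the presentation. The rule encoded here is the one
the slide states: the level is driven by the highest single brand's volume,
never by the combined volume across brands. Thresholds are the slide's
(20,000 e-commerce transactions for level 3; one million transactions for an
on-site assessment). Levels 1 and 2 are reported together as "1/2" because
the slide does not distinguish them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BrandVolume:
    """Annual transaction counts for one card brand (constructed sample input)."""
    brand: str
    ecommerce: int   # card-not-present web transactions
    other: int       # all other channels (in person, mail/telephone, ...)

    @property
    def total(self) -> int:
        return self.ecommerce + self.other


ONSITE_THRESHOLD = 1_000_000        # level 1/2: on-site security assessment
ECOMMERCE_LEVEL3_THRESHOLD = 20_000  # level 3: e-commerce volume at or above this


def merchant_level(volumes: list) -> str:
    """Return "1/2", "3" or "4" for a list of BrandVolume using the highest-brand rule."""
    if not volumes:
        raise ValueError("at least one brand volume is required")
    # Each brand is judged on its own volume; the merchant ends up at the
    # strictest level any single brand produces. Summing brands is the
    # mistake the slide warns against.
    highest_total = max(v.total for v in volumes)
    highest_ecommerce = max(v.ecommerce for v in volumes)
    if highest_total >= ONSITE_THRESHOLD:
        return "1/2"
    if highest_ecommerce >= ECOMMERCE_LEVEL3_THRESHOLD:
        return "3"
    return "4"


def validation_requirements(level: str) -> list:
    """What the slide says each level must do to validate compliance."""
    if level == "1/2":
        return ["on-site security assessment"]
    return ["annual SAQ", "quarterly external vulnerability scans"]


def combined_volume_would_misclassify(volumes: list) -> bool:
    """True when adding all brands together yields a different level than the correct rule."""
    combined = BrandVolume("combined",
                           sum(v.ecommerce for v in volumes),
                           sum(v.other for v in volumes))
    return merchant_level([combined]) != merchant_level(volumes)


if __name__ == "__main__":
    # Constructed example: neither brand alone reaches one million, but the
    # two combined do, so summing them would wrongly demand an on-site assessment.
    sample = [BrandVolume("Visa", 0, 600_000), BrandVolume("MasterCard", 0, 500_000)]
    level = merchant_level(sample)
    print("level:", level, "requires:", validation_requirements(level))
    print("combined-volume mistake would misclassify:", combined_volume_would_misclassify(sample))
```

The `combined_volume_would_misclassify` check is the part worth keeping around: it makes the pitfall on the slide visible to whoever fills in the SAQ, rather than relying on them to remember it.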

Cardholder Data Environment (CDE)
- Identify all capture methods / merchant numbers
  - Ecommerce vs. non-ecommerce
  - In-house vs. outsourced
- Identify all capture methods with IP addresses
  - Ecommerce
  - POS software

Third-party Service Providers
- Outsourcing limits PCI scope; it does not eliminate it
- If the service provider is not compliant, then the merchant is not compliant
- Fines for breaches are assessed to the merchant, not to the service provider
  - However, the service provider can require the merchant to be compliant also
- Requirements 12.8/12.9 require the merchant to "manage" the service provider:
  - Maintaining a "written agreement" specifying the service provider's and the merchant's responsibility for compliance
    - Best practice is to also address "liability" for non-compliance
  - Monitoring the service provider's ongoing compliance status
- Two levels of service providers

Service Provider Arrangements
- Two types of arrangements with service providers, depending upon who is the "merchant of record" – the agency or the service provider
- Agency is "merchant of record"
  - Agency executes a "Participation Agreement" to participate in First Data's contract
  - Agency is assigned one or more merchant numbers by First Data
- Service provider is "merchant of record"
  - Agency has an agreement with the service provider only
  - Service provider has one merchant number with First Data for all its clients
- SC.Gov (SC Interactive, LLC) provides both types of arrangements
- PCI-DSS liability to the agency is applicable under both arrangements
  - Scope is limited if the service provider is the merchant of record
  - The service provider's agreement with the agency still requires the agency to be PCI compliant

Internal Service Providers
- Definition of service provider: "Business entity … directly involved in the processing, storage, or transmission of cardholder data. This includes companies that provide services that control or could impact the security of cardholder data."
- External-facing IP addresses require external vulnerability scanning
  - By an "Approved Scanning Vendor" (ASV)
  - Regardless of who houses the server(s)
- DTO's role in PCI compliance
  - Server housed and managed by DTO: DTO is considered an internal service provider, and DTO arranges for scanning
  - Server housed by DTO but managed by the agency: the agency arranges for scanning

Card Capture Devices
- New Requirement 9.9, effective July 2015
- Pertains to physical protection of devices
- Maintain an updated list of devices
- Periodically inspect device surfaces to detect tampering or substitution
- Provide training to employees to be aware of attempted tampering or substitution
- Perform an inventory of devices utilized and stored

POS Software Applications
- PA-DSS: Payment Application Data Security Standard
  - Different from PCI DSS; pertains to the software application
- Ensure the application is listed on the PCI Security Standards Council's website
- Ensure the version utilized is consistent with the current version indicated on the Council's website
- Ensure the application is configured correctly
- Perform an inventory

PCI Compliance Security Policy
- Requirement 12.1
- Develop, publish, disseminate
- Employee expectations: full-time, part-time, consultants, volunteers
- STO has a sample policy available for state agencies

Employee Awareness Program
- Requirement 12.6
- Formal awareness training: upon hire, annual refresher
- Employee must acknowledge training, in writing or electronically
- Two options for training: a third-party vendor, or in-house developed (STO has a PowerPoint module for use)

Security Incident Plan
- Requirement 12.10
- A general IT security incident plan is not sufficient
- Should incorporate the card brands' requirements
  - Visa requires proof of compliance within 48 hours of a breach
  - A forensic investigation may be required if breached
- Must be tested annually
- Timely notification is most important; fines are higher if notification is late
- STO has a sample policy available for state agencies

IT Related Issues
- Vulnerability scanning
- Penetration testing
- Firewalls
- Encryption & tokenization
  - Two types of encryption: E2E and P2P
  - E2E is better: it combines encryption with tokenization
  - TransArmor, provided by First Data, utilizes E2E (fee is $.01 per transaction)
  - Reduces PCI scope by eliminating certain SAQ questions
  - https://www.firstdata.com/downloads/marketing-merchant/TransArmor-FAQs.pdf
- The business area should ensure that IT staff is complying with PCI DSS

Some Scanning Vulnerabilities
- SSH protocol version prior to version 2: cryptographic problems
- Telnet accessibility: plaintext (unencrypted) management channels
- Database accessibility: open port
- OpenSSH X11 session hijacking vulnerability
- Remote Desktop man-in-the-middle
- IIS .cnf: allows remote users to read sensitive information
- MySQL Server Date_Format function format string vulnerability
- PHP prior to 5.2.6: multiple vulnerabilities (buffer overflows)
- Apache prior to version 2.2.8: multiple vulnerabilities
- SSLv2 supported: cryptographic weaknesses
- Darwin Streaming Server < 5.5.5: multiple vulnerabilities
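The findings above are the kind that make a quarterly external scan fail. As an added example, not from the presentation or from any scanning vendor, the Python below triages a constructed, simplified scan report against several of those conditions: SSH protocol 1 (including the SSH-1.99 banner, which still offers version 1), reachable Telnet, externally open database ports, SSLv2 support, and the PHP, Apache and Darwin Streaming Server minimum versions the slide names. The "host,port,service,detail" line format and the hosts (RFC 5737 documentation addresses) are assumptions made for the example:

```python
"""Triage external scan findings for the failing conditions listed on the slide.

Added example, not from the presentation or from any ASV's report format.
SAMPLE_SCAN is constructed sample data; real ASV reports carry more fields,
but the facts checked here (banner, port, offered protocols, versions) are the
same ones they record.
"""
import re

# Constructed sample scan output (RFC 5737 documentation addresses).
SAMPLE_SCAN = """\
203.0.113.10,22,ssh,SSH-1.99-OpenSSH_4.3
203.0.113.10,23,telnet,Telnet service accessible
203.0.113.11,3306,mysql,MySQL 5.0.45 reachable
203.0.113.11,443,https,protocols=SSLv2 SSLv3 TLSv1
203.0.113.12,80,http,Apache/2.2.3 PHP/5.2.4
203.0.113.13,22,ssh,SSH-2.0-OpenSSH_7.4
203.0.113.13,443,https,protocols=TLSv1.2
"""

DATABASE_PORTS = {1433: "MS SQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL"}

# product -> (regex capturing the version in the banner, minimum acceptable version)
MINIMUM_VERSIONS = {
    "Apache": (r"Apache/(\d+(?:\.\d+)+)", (2, 2, 8)),
    "PHP": (r"PHP/(\d+(?:\.\d+)+)", (5, 2, 6)),
    "Darwin Streaming Server": (r"Darwin Streaming Server[ /](\d+(?:\.\d+)+)", (5, 5, 5)),
}


def parse_version(text: str) -> tuple:
    """'2.2.10' -> (2, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_scan(raw: str) -> list:
    """Split the constructed report into one dict per scanned host/port."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        host, port, service, detail = line.split(",", 3)
        rows.append({"host": host, "port": int(port), "service": service, "detail": detail})
    return rows


def check_row(row: dict) -> list:
    """Return the failing conditions one scan row exhibits (empty list if clean)."""
    problems = []
    detail = row["detail"]
    # An SSH banner of SSH-1.x, including SSH-1.99, means protocol 1 is still offered.
    if row["service"] == "ssh" and detail.startswith("SSH-1."):
        problems.append("SSH protocol version 1 offered (cryptographic weaknesses)")
    if row["service"] == "telnet" or row["port"] == 23:
        problems.append("Telnet reachable: plaintext management channel")
    if row["port"] in DATABASE_PORTS:
        problems.append(f"{DATABASE_PORTS[row['port']]} database port open to the Internet")
    if re.search(r"\bSSLv2\b", detail):
        problems.append("SSLv2 supported (cryptographic weaknesses)")
    for product, (pattern, minimum) in MINIMUM_VERSIONS.items():
        match = re.search(pattern, detail)
        if match and parse_version(match.group(1)) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            problems.append(f"{product} {match.group(1)} is below {wanted}")
    return problems


def triage(raw: str) -> dict:
    """Map each host to its failing findings so the business office sees what blocks attestation."""
    findings = {}
    for row in parse_scan(raw):
        for problem in check_row(row):
            findings.setdefault(row["host"], []).append(f"port {row['port']}: {problem}")
    return findings


def scan_passes(raw: str) -> bool:
    """A quarterly scan only passes when no host has a failing finding."""
    return not triage(raw)


if __name__ == "__main__":
    for host, problems in triage(SAMPLE_SCAN).items():
        print(host)
        for problem in problems:
            print("  -", problem)
    print("scan passes:", scan_passes(SAMPLE_SCAN))
```

Running the file lists the failing findings per host; `scan_passes()` is the single value the business office wants to see true before attesting. Each check is deliberately a separate, readable condition so that when the ASV's wording changes, the rule that needs updating is obvious.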

Penetration Testing
- Became a requirement with the version 3.2 standard – July 2015
- Pertains to capture methods associated with SAQs A-EP, C, and D
- Primarily to demonstrate proof of "segmentation" of networks
- Performed annually or when there is a significant system change
- Covers both application and network layer threats
- Can be performed by in-house staff
  - The persons must be qualified staff members who are organizationally independent from those responsible for the security of the systems
- Refer to the PCI Council's document: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

Chip Card (EMV) Technology
- Designed to reduce fraud for card-present transactions only
- POS terminals: terminal only, or terminal with attached PIN pad
- POS software: different manufacturers must certify their product
- EMV "capable" is different from EMV "enabled"
- Fraud liability shift became effective October 1, 2015
  - The party that does not support EMV takes on certain fraud liabilities
  - That party is either the bank that issued the card or the merchant that accepts the card
- Not an industry requirement, but a best practice
- Has no effect on PCI liability for smaller merchants
- Fraud liability is not considerably more than it was prior to October 2015
  - Merchants were responsible for most fraud anyway
  - Card counterfeit fraud protection is provided by all brands
  - However, lost/stolen fraud protection is only provided by MasterCard and Discover (not Visa or Amex)

Validating PCI Compliance
- Validating compliance with PCI DSS: SAQ and external vulnerability scanning
- Two options:
  - First Data's PCI Rapid Comply – online portal
  - Contract with a QSA
    - Extensive PCI-related services may be needed, for example a PCI gap analysis and penetration testing
    - These are not available from PCI Rapid Comply
- Explanation of the eight SAQs: which one applies depends upon the capture methods utilized

Eight SAQs
- Choose the SAQ that applies to your organization
- Link to the Council's guidelines for selection of an SAQ: https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf

PCI Rapid Comply Portal
- Read the FAQs at the following website: https://cloversecurity.com/faq.html
- Watch the educational videos and read the educational articles
- Gather the merchant statement and identify the agency's unique MID (chain #)
- Register the agency using the agency's MID (chain number)
  - All merchant numbers associated with the MID will be displayed
- Only one SAQ for the entire agency (chain level) is to be prepared
  - If there are multiple capture methods (e.g., website, mail/telephone, in person): prepare a paper SAQ for each method or merchant number offline, then use the paper SAQs to prepare one SAQ online through the portal

PCI Rapid Comply Screen
- Similar to TurboTax: the questions prompted next depend upon the items selected
- The document repository is useful for uploading proof of compliance (policies, security incident plans, scan results, device inventory, etc.)

First Steps for PCI
- Establish a PCI Oversight Committee (business & IT staff)
- Identify the cardholder data environment (CDE)
- Identify service providers and obtain written agreements
- Inventory card capture devices
- Inventory POS software
- Develop a security policy
- Develop an employee awareness training program
- Develop a security incident plan specific to PCI
- Verify IT's compliance: vulnerability scanning if applicable, penetration testing if applicable
- Subscribe to a "validation" service: PCI Rapid Comply, or a Qualified Security Assessor
- Complete the proper SAQ annually
  - Ascertain the anniversary date for expiration
  - Required within 90 days of implementation
- Close the barn door

Not Recommended

SC State Treasurer's Office, Banking Division
David Reavis – david.reavis@sto.sc.gov

Resources
- PCI Security Council website: https://www.pcisecuritystandards.org/
- Visa's CISP website: https://usa.visa.com/support/small-business/security-compliance.html
- MasterCard SDP website: http://www.mastercard.com/us/sdp/index.html
- PCI Rapid Comply service: https://cloversecurity.com/faq.html
- SC State Treasurer's PCI Policy and Road Map document: http://treasurer.sc.gov/government/banking-division/
- Consider securing the services of a Qualified Security Assessor (QSA)