PCI DSS 101
Presented by: Jeff Soukup, jsoukup@trustwave.com

Agenda
- Trustwave Corporate Profile
- PCI Scope
- PCI DSS Makes Business Sense
- Compromise Statistics
- PCI DSS Standard Overview
- Resources
- Questions
Trustwave Corporate Profile
Mission
Trustwave is committed to identifying and protecting sensitive data in every form, in every environment. Our vision is for a global community in which transactions are safe and information flows freely and securely.

Trustwave is an established company serving a global client base with industry-leading solutions
- Founded in 1995
- Approximately 425 employees in 21 locations on six continents
- Thousands of customers throughout the world, including 6 of the Fortune Top 10
- Chicago is global HQ; London, Sydney and Sao Paolo are regional HQs
- Secure Operation Centers in Chicago and Warsaw

Award-winning, patented security technology
- 2010 SC Magazine "Finalist": Encryption
- 2009 SC Magazine "Recommended": Managed Security Services
- 2009 Frost & Sullivan NAC Best Practices
- Forrester 9 out of 10 rating: NAC solution

The leader in compliance and data security
- MSSP with more than 1,400 devices under management
- Monitors more than 18 million events per day
- Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
- Performed more than 2,000 network and application penetration tests
- Conducted more than 740 forensic investigations
- Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
- PCI DSS leader: Trustwave has certified 42 percent of PSPs and 40 percent of payment applications
- Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
PCI Scope
Payment Card Acceptance
The Payment Card Industry's Data Security Standard states: PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.

Supporting the PCI Smart Program, August 19
PCI SSC
The Payment Card Industry self-regulates to protect cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was founded by the major card brands and is responsible for developing, communicating and maintaining industry security standards.
Trustwave Confidential

Data Supporting a Transaction

Cardholder Data (storage permitted, protection required):
- Primary Account Number (PAN): the payment card number (credit or debit) that identifies the issuer and the particular cardholder account.
- Cardholder Name*: the customer to whom the card is issued, or an individual authorized to use the card.
- Expiration Date*: provides another layer of fraud protection when transactions are processed manually.
- Service Code*

Sensitive Authentication Data** (storage NOT permitted):
- Magnetic Stripe / Track Data (Track 1, Track 2): contains sensitive account information that must not be stored by a merchant's system. There are two types of magnetic stripe data. Track 1 contains the cardholder's name as well as the account number and other discretionary data. Track 2 contains the cardholder's account, encrypted PIN, plus other discretionary data. Track 2 is the most common.
- Card Validation Value or Code (CVV): the 3-digit number printed on the back of most payment cards, such as Visa, MasterCard and Discover. It is an added security feature for card-not-present transactions and is not part of the regular credit card number. Each card brand uses its own term:
  CAV: Card Authentication Value (JCB)
  CVC: Card Validation Code (MasterCard)
  CVV: Card Verification Value (Visa and Discover)
  CSC: Card Security Code (American Express). Note: located on the front of the card, in flat print.

*These data elements must be protected if stored in conjunction with the PAN.
**Sensitive authentication data must NOT be stored subsequent to authorization, even if encrypted.

Merchant Acceptance Channels
- Point of Sale (POS) Dial Terminal
- Point of Sale (POS) IP Terminal
- Touch Screen & Computer
- E-Commerce
- Multiple
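The storage rules above are easiest to apply as a gate in front of every place a transaction record is persisted or logged. The example below is an added illustration written for this page; it is not Trustwave or PCI SSC code. It assumes a simple field-naming convention (pan, cvv2, track2, ...), uses standard test card numbers and a constructed HMAC key (in practice the key would come from a key-management system), and applies the PCI DSS 3.3 display rule of showing at most the first six and last four PAN digits. It drops sensitive authentication data fields outright, replaces the PAN with a masked value plus a keyed token, and scans free-text fields such as terminal dumps for leaked Track 1 / Track 2 data, which is where forensic investigations most often find SAD that nobody meant to store.

```python
"""Gate a transaction record before storage or logging (added example, not vendor code)."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Field names holding Sensitive Authentication Data (SAD): full track data, card
# validation codes (CVV/CVC/CAV/CSC) and PIN data. SAD must never be stored
# after authorization, even encrypted, so these fields are dropped, not protected.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc", "cvc2", "cav", "csc", "cid",
              "pin", "pin_block"}

# Constructed demo key; a real deployment pulls this from a KMS/HSM.
TEST_KEY = b"constructed-demo-key-replace-with-KMS-managed-key"

# Track 2 layout: ;PAN=YYMMSSS<discretionary>?    Track 1: %B<PAN>^NAME^YYMMSSS...?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\??")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives from order ids and other long digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sad_in_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, pan) for each Track 1 / Track 2 fragment found in free text."""
    hits = [("track1", m.group(1)) for m in TRACK1_RE.finditer(text) if luhn_ok(m.group(1))]
    hits += [("track2", m.group(1)) for m in TRACK2_RE.finditer(text) if luhn_ok(m.group(1))]
    return hits


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits at most (PCI DSS 3.3)."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) as a stored reference to the PAN. An unkeyed hash
    of a 16-digit PAN is brute-forceable, so the key is what makes this unreadable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def _mask_match(m: "re.Match") -> str:
    return mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0)


def scrub_record(record: Dict[str, str], key: bytes = TEST_KEY) -> Tuple[Dict[str, str], List[str]]:
    """Return a storable copy of the record and a list of findings.
    SAD fields are dropped; the PAN becomes pan_masked + pan_token; any other
    string field containing track data or a Luhn-valid PAN is redacted in place."""
    clean: Dict[str, str] = {}
    findings: List[str] = []
    for name, value in record.items():
        lname = name.lower()
        if lname in SAD_FIELDS:
            findings.append(f"dropped SAD field '{name}'")
            continue
        if lname == "pan":
            if not luhn_ok(value):
                findings.append(f"field '{name}' is not a valid PAN; dropped")
                continue
            clean["pan_masked"] = mask_pan(value)
            clean["pan_token"] = pan_token(value, key)
            continue
        sad = find_sad_in_text(value)
        if sad:
            findings.append(f"field '{name}' contained {sad[0][0]} data; redacted")
            value = TRACK1_RE.sub("[TRACK1 REDACTED]", value)
            value = TRACK2_RE.sub("[TRACK2 REDACTED]", value)
        clean[name] = PAN_RE.sub(_mask_match, value)  # mask stray Luhn-valid PANs
    return clean, findings


# Constructed sample record using a standard test PAN; no real card data.
SAMPLE = {
    "order_id": "A-1001",
    "pan": "4111111111111111",
    "expiry": "1227",                      # permitted when protected alongside the PAN
    "cardholder_name": "TEST CARDHOLDER",  # permitted when protected alongside the PAN
    "cvv2": "123",                         # SAD: storage not permitted
    "track2": ";4111111111111111=12271011234567890?",            # SAD: not permitted
    "notes": "terminal dump: %B4111111111111111^TEST/CARDHOLDER^12271011234567890?",
}

if __name__ == "__main__":
    stored, issues = scrub_record(SAMPLE)
    print(stored)
    print("\n".join(issues))
```

The findings list is what an auditor or incident responder wants to see logged (without the data itself): which fields carried SAD and which free-text fields leaked track data. The Luhn check and the track regexes together are the same logic a DLP scan runs over log files and databases during a forensic engagement.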
The Mandate: Visa Merchant Levels Defined (merchant classification criteria as of July 18, 2006)

Level 1: Any merchant, regardless of acceptance channel, that:
- processes over 6 million Visa transactions per year;
- in some cases, has suffered a hack or an attack that resulted in an account data compromise;
- has been identified by any other payment card brand as Level 1.
Level 2: Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel.
Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions.
Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions, or fewer than 1 million Visa transactions regardless of acceptance channel.

Validation Actions Depend on Level

Level 1:
- Annual on-site PCI DSS data security assessment, validated by a Qualified Security Assessor; deadline 9/30/04 (Visa's new Level 1 merchants have up to one year from identification to validate)
- Quarterly network scan, validated by an Approved Scanning Vendor
Level 2:
- Annual PCI DSS Self-Assessment Questionnaire or annual on-site PCI DSS data security assessment, validated by the merchant or a Qualified Security Assessor; deadline 6/30/05 (Visa's new Level 2 merchants have until 9/30/07)

Validation Actions Depend on Level (cont.)

Level 3:
- Annual PCI DSS Self-Assessment Questionnaire; deadline 6/30/05
- Quarterly network scan, validated by an Approved Scanning Vendor
Level 4: Validation requirements and dates are determined by the merchant's acquirer.

Self-Assessment Questionnaire (SAQ) 1.2

SAQ 1.2 A (13 questions), validation type 1: Card-not-present merchants only, that outsource all parts of the credit card transaction. Data is only kept in paper reports.
SAQ 1.2 B (27 questions):
- Validation type 2: The merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.
- Validation type 3: Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically.
SAQ 1.2 C (41 questions), validation type 4: The payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with security best practices.
SAQ 1.2 D (222 questions), validation type 5: Any merchant that does not fit any of the above categories, and any eligible service provider.
PCI DSS Makes Business Sense
PCI DSS Compliance: Sound Business Practice

Fundamental best security practices
- Avoid fraud
- Helps you understand your own systems better
- Clarifies where data is stored

Upholds the brand name
- Adds value to the name
- Increases consumer confidence

A non-compliant, compromised business could expect:
- Damage to its brand/reputation
- Investigation costs
- Remediation costs
- Fines and fees

Non-Compliance
Non-compliance with the PCI DSS can result in:
- Non-compliance fees from the acquiring bank; fees are assessed on a regular basis, usually monthly
- Financial costs to reverse damages in the event of a security breach
- Regulatory fines and penalties in the event of a security breach
- Higher costs to process credit card transactions, or even loss of the ability to process credit card transactions, in the event of a breach
- Stricter compliance requirements being imposed on a merchant after a breach
Compromise Statistics
Incident Response – About the Sample Set: Types of Detection
Explain each:
- Self-detection
- Public detection
- Law enforcement
- Regulatory detection (#1)
Regulatory detection is the most successful because regulators are able to correlate fraudulent use with a common legitimate source.

Incident Response – About the Sample Set: Industries
Explain the idea of "It won't happen to me" and "it is only an e-commerce problem". Non-traditional targets made up more than 50% of the 2009 cases.

Incident Response – About the Sample Set: Company Size
Rather equal distribution across the various organization sizes; not much of a trend here.

Incident Response – Investigative Conclusions: Types of Data at Risk
Criminals want MONEY. Explain what track data is and how it is used for fraud. Explain Chip and PIN and the iCVV problem with issuers not following the rules. Payment card data is a target for criminals looking to turn data into cash quickly.

Incident Response – Investigative Conclusions: Types of Target Assets
Flows from the target data: where there is data in the systems, attackers will target it. Explain each item:
- Software: e-commerce, payment switch, ATM
- Hardware: terminal hacking (readers/Bluetooth, GMS)
While many POS vendors have patched their systems to support security controls, many companies are still running very old software.
PCI DSS Standard Overview
Six Goals, Twelve Requirements

Build and Maintain a Secure Network
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- 5. Use and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need-to-know
- 8. Assign a unique ID to each person with computer access
- 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes

Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for employees and contractors
Resources
- PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml
- Visa CISP: http://www.visa.com/cisp
- MasterCard SDP: http://www.mastercard.com/sdp
Questions?