Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session 11 Other Assurance Services

Similar presentations


Presentation on theme: "Session 11 Other Assurance Services"— Presentation transcript:

1 Session 11 Other Assurance Services
Sys Trust Payment Card Industry security standard compliance EECS David Chan 1

2 SysTrust A system assurance service developed by American Institute of Certified Public Accountants (AICPA) and Chartered Professional Accountants Canada (CPA Canada). Audits have been on new systems in an organization or systems shared by a number of partner organizations High control assurance EECS David Chan

3 SysTrust Principles The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements. The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical. EECS David Chan

4 Main Trust Principles Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness, and authorization of system processing including the processing of electronic commerce transactions. All three principles must be satisfied. EECS David Chan

5 Optional Trust Principles
Confidentiality – no unauthorized viewing Privacy – confidentiality of personal info EECS David Chan

6 Sys Trust Audit The auditor has to be licensed by AICPA or CPA Canada specifically for SysTrust engagements. The outcome of the audit consists of a report and an unqualified opinion on the internal controls to support the system. High control assurance. EECS David Chan

7 Control Criteria Operating organization of the system selects criteria (objectives) from the list provided by CPA Canada or AICPA to satisfy each main principle and each selected optional principle. Unless a criterion does not apply to the environment, it must be selected. There is no wording change to criteria. Each control criterion is supported by control activities (procedures), which can be manual or automated, developed by management. EECS David Chan

8 SysTrust Users Hosting organization User organizations
Trading partners, e.g., automated vendor inventory replenishment EECS David Chan

9 SysTrust Report An opinion on management’s asserted controls.
Opinion does not cover system description, although system description is often included in the report. But if the auditor knows that system description is misleading, s/he should not issue an opinion on the controls. Opinion covers the reporting period of not more than one year. EECS David Chan

10 Drivers for SysTrust Audit
The potential conflict of interest between the system operator and system user or owner. The complexity of systems, requiring expertise to conduct an audit that would provide a reasonable degree of assurance about their conformity with system reliability principles and criteria. EECS David Chan

11 Drivers for SysTrust Audit
The remoteness of users from systems requiring an independent objective representative to observe the system on their behalf. The consequences of system unreliability. The four conditions above may contribute individually to the need for assurance services related to the reliability of an entity’s key information system(s) and they may also interact to increase the need for such assurance. EECS David Chan

12 Process of a Sys Trust Audit
System hosting organization decides to pursue a Sys Trust audit. System hosting organization hires an accounting firm. System hosting organization selects optional principles as well as criteria for the mandatory and optional principles. Management develops control activities for each criterion. EECS David Chan

13 Process of a Sys Trust Audit
Accounting firm assesses the adequacy of control criteria and procedures. Accounting firm conducts testing. Accounting firm provides report to system hosting organization. System hosting organization shares report with user organizations. EECS David Chan

14 Options to Address Control Deficiency
Fix the control if there is still time. Replace the control with another existing control. Remove an optional principle. Cancel the engagement. EECS David Chan

15 Payment Card Industry (PCI) Security Standard
Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express, Diners Club, JCB International and Discover Card. All issuing financial institutions and merchants that take credit card transactions on the Internet have to comply. Failure to comply may lead to financial penalty. EECS David Chan Chan 15

16 PCI Security Standard Visa and MasterCard require major merchants and IT service organizations (over 1 million transactions annually or over 20,000 eTransactions annually) to have an annual external validation for compliance. EECS David Chan

17 PCI Standards 1.Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor supplied defaults for system passwords and other security parameters. 3. Protect stored cardholder data, including encryption. 4. Encrypt transmission of cardholder data across the Internet EECS David Chan 17

18 PCI Standards 5. Use regularly updated anti-virus software
6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business on a need-to-know basis 8. Assign a unique ID to each person with computer access EECS David Chan 18

19 PCI Security Standard 9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security EECS David Chan 19

20 PIN Not stored in banks. A value computed from the PIN, card number, card unique mathematical key and expiry date is stored in the bank. Thus, the actual PIN is not visible to bank employees. Choose PINs that are easy for you to remember but difficult for others to guess. EECS David Chan

21 Payment Card Encryption
Businesses and financial institutions are required by MasterCard, Visa and American Express to “not store” card numbers in plain text. EECS David Chan

22 Payment Card Data Storage (PCI Council)
EECS David Chan

23 Payment Card Encryption
1. The PIN, card number and expiry date are hashed together and stored on the card chip. This is in addition to the plaintext storage of the card number and expiry date on the card strip. The latter is required in order to support point of sales terminal that does not accommodate chip technology and also as a backup in case the chip is somehow unreadable (e.g., damaged by wear and tear) 2. The card issuing financial institution encrypts the card number and expiry date using a card specific key and then subtracts the newly created or changed PIN from the last 4 digits of the encrypted value, and stores the difference, called a PIN offset. The PIN is not stored anywhere. A PIN is verified by the financial institution using the above calculation and comparing the calculated PIN offset with the stored PIN offset. 4. A hash of the card specific key is stored in the chip, which is used by the card issuing financial institution to authenticate the card before verifying the PIN. 5. For offline terminal, the terminal computes the same hash as that stored in the card in step 1 and compares to the hash value read from the card. 6. The card number and expiry date are encrypted using the card issuing financial institution’s public key and then stored in the chip. When a card is used online, the encrypted card number and expiry date are transmitted. EECS David Chan

24 Payment Card Encryption
7.Card numbers and PINs sent by a financial institution which did not issue the cards, to the issuing financial institutions are encrypted using a symmetric key shared between the two financial institutions. 8. The card downloads the terminal’s digital certificate and verifies it using the issuer’s (e.g., Visa’s) public key. Each point of sale terminal has a digital certificate specific to the brand of card acceptable (e.g., Visa). 9. The card downloads the terminal specific Triple DES or AES 112-bit key encrypted with the terminal’s private key, which the card decrypts with the terminal’s public key. 10. For offline transactions, the card encrypts the PIN, card number and transaction data using the terminal symmetric key for transmission to the terminal. 11. For online transactions, the point-of-sale terminal downloads the card issuing financial institution’s digital certificate signed by the issuer (e.g., Visa). 12. For online transactions with a terminal, the card encrypts the terminal ID, card number and transaction data using the issuing financial institution’s public key and sends it to the financial institution. 13. The financial institution sends the approval or “decline” message to the card. 14. The card then shares the message with the terminal. 15. The card then reencrypts the result of the transaction, i.e., approved or declined, along with the transaction amount, terminal ID, using the terminal public key and stores the encrypted data package called a transaction certificate, in the card. EECS David Chan

25 Payment Card Encryption
16. The uploading of offline point of sale transactions to the merchant’s financial institution is encrypted using a terminal specific symmetric key which has been sent to the financial institution encrypted with the institution’s public key. 17. The settlement of the transaction between the card issuing financial institution, the credit card ultimate issuer (e.g., Visa) and the merchant’s financial institution is encrypted using unique symmetric keys between each pair of organizations. 18. For ATM transactions, the ATM generates a one time symmetric key and encrypts it using the financial institution’s public key and sends it to the financial institution. 19. Data transmission for ATM transactions is encrypted with the one time symmetric key. 20. Data transmission between the ATM financial institution and the card issuing financial institution is encrypted using a shared symmetric key between the two institutions. 21. For eBanking transactions, SSL encryption is used just like eBusiness. 22. The 3 or 4 digit card verification value (CVV) on the back of a credit card is not stored anywhere. It is derived by encrypting the card number and expiry date using a key specific to each card kept by the issuing financial institution. 23. The completed transactions should be sent by the point of sale terminal to the company’s data center encrypted using the data center’s public key. EECS David Chan

26 Conclusion SysTrust engagements are increasing because of increasing use of externally hosted systems. PCI is gaining prominence because the PCI Council (credit card companies) are now starting to enforce this standard. EECS David Chan

27 MC Question Which of the following is an optional SysTrust principle?
A. Confidentiality B. Security C. Processing integrity D. Availability EECS David Chan

28 MC Question Who is the primary audience of a SysTrust report?
A. Service organization management B. Shareholders’ auditors of service organization C. User organization(s) management D. Shareholders’ auditors of user organization(s) EECS David Chan

29 MC Question Who is responsible for developing control procedures in a SysTrust audit? A. External auditors B. Service organization management C. Internal auditors D. User organization management EECS David Chan

30 MC Question Which SysTrust principle addresses application controls?
A. Security B. Confidentiality C. Processing integrity D. Availability EECS David Chan

31 MC Question What kind of access to cardholder data must be monitored by a bank? A. All B. Update C. External D. Create EECS David Chan


Download ppt "Session 11 Other Assurance Services"

Similar presentations


Ads by Google