1 Lessons Learned from Implementing Existing Standards
Dos and Don'ts for Implementing Authentication Standards
Jeff Stapleton, CISSP, CTGA, QSA
Cryptographic Assurance Services LLC
X9F4 Working Group
Information Assurance Consortium
Payment Card Industry (QSA)

2 Agenda
Standards Organizations
Authentication Case Studies
– TG-3 PIN Compliance
– SET Brand CA Compliance
– WebTrust for CA Compliance
– PCI DSS Compliance
Other Standards
Summary

3 Standards Organizations
Formal organizations: ISO (with TC68 and JTC1) and ANSI (with X9 and INCITS); the US TAG is the USA member interface to ISO.
Informal organizations: IETF, NIST, CA Browser Forum (CABF).

ISO: International Standards – 172 countries, 248 Technical Committees, ~3000 standards
TC68: Financial Services – 63 countries, 11 subgroups, 50 standards
JTC1: Information Technology – 85 countries, 19 subgroups, 357 standards
ANSI: USA National Body – 820 organizations, 284 accredited groups
X9: Financial Services – 150 organizations, 15 subgroups, 115 standards
INCITS: Information Technology – 1700 organizations, 40 subgroups, (?) standards
IETF: Internet – (?) individuals, 118 subgroups, 5734 specifications
NIST: Federal Government – ~30 subgroups, 10,000+ documents
CA Browser Forum – 42 members, 5 documents

4 Case Studies
Four case studies, two slides per topic (the compliance program, then the compliance effort), each covering facts, issues and stories:
TG-3 PIN Compliance
– TG-3 Compliance
– TG-3 Assessments
SET Brand CA Compliance
– SET Brand CA Compliance
– SET Brand CA “audits”
WebTrust for CA Compliance
– WebTrust for CA Compliance
– WebTrust for CA Evaluations
PCI DSS Compliance
– PCI Compliance
– PCI (QSA) Assessments

5 TG-3 PIN Compliance
X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
– ANSI X9.8 PIN Management and Security
– ANSI X9.24 Retail Financial Services – Symmetric Key Management
  Part 1: Using Symmetric Techniques
  Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys
Adopted by EFT Networks in 1996
– Pulse; wholly owned subsidiary of Discover Financial Services
– STAR; wholly owned subsidiary of First Data Resources (FDR)
– NYCE; wholly owned subsidiary of Metavante
– Certified TG-3 Assessor (CTGA)
Related standards
– ISO 9564 PIN Management and Security
– ISO 11568 Banking – Key Management – Retail
– EMV Integrated Circuit Card Specification for Payment System (offline)

6 TG-3 Assessments
[Figure: sample assessment checklist form with columns Control Objective, Yes, No, N/A, Exception and Procedures]
Prescriptive checklist
– Reviews
– Interviews
– Inspections
– Observations
– Tests
Symmetric Keys
– General Security Controls
– TRSM Controls
– General Key Management
– Additional Key Management
Asymmetric Keys
– General Asymmetric Controls
– Asymmetric Controls
– Mutual Authentication
– Credential Management
– Additional Asymmetric Controls

7 SET Brand CA Compliance
Secure Electronic Transaction (SET)
– Book 1: Business Description
– Book 2: Programmer’s Guide
– Book 3: Formal Protocol Definition
– Visa and MasterCard: 1995 – 2003
Participants
– 16+ companies involved
– 50+ key individuals involved
Brand CA
– JCB; Japan
– MasterCard (MC); USA
– PBS; Denmark
– Visa; USA
– Cyber-Comm (CC); France
[Figure: SET certificate hierarchy – Root CA; Brand CA (MasterCard, Visa); Regional Geo-Political CA; User CA, Merchant CA and Payment Gateway CA; end entities User, Merchant and Payment Gateway]

8 SET Brand CA “Audits”
Brand CA Control Objectives (TG-3)
ANSI X9.79 PKI Policy and Practices – roles
– Policy Authority (PA)
– Certificate Issuer (CI)
– Certificate Manufacturer (CM)
– Registration Authority (RA)
– Repository (Rep)
– Subscriber (Sub)
– Relying Party (RP)
PKI Standards
– WebTrust for CA
– ISO 21188
[Figure: mapping of the X9.79 roles (PA, CI, CM, RA, Rep, Sub, RP) onto the SET JCB participants – CA of Japan, Bank of Japan, Sumitomo Bank, Fujitsu, Merchant and Consumer; alongside a sample audit checklist form with columns Control Objective, Yes, No, N/A, Exception and Procedures]

9 WebTrust for CA Compliance
ANSI X9.79 PKI Policy and Practices
– CA control criteria submitted to AICPA and CICA
– Redeveloped as WebTrust for CA
Auditing standard: WebTrust for CA
– Licensed in 37 countries by CPA (or equivalent)
– Mandated by most states as SAS 70 criteria
– Mandated by all Browser Vendors
CA Browser Forum
– Extended Validation (EV) Audit Criteria
– EV Certificate Issuance and Management Guide
– EV Certificate Usage Guide
ISO 21188 PKI Policy and Practices
[Figure: audit relationships – the organization and its auditor; the outsourced service provider and its auditor (SAS 70)]

10 WebTrust for CA Evaluations
Audit performed by licensed CPA (or equivalent)
– American Institute of Certified Public Accountants
– Canadian Institute of Chartered Accountants
– WebTrust for CA
– WebTrust for CA Extended Validation (EV)
Evaluation is a “readiness” check for the audit
– Validate CP and CPS (RFC 3647)
– Validate X.509 certificates (RFC 5280)
– Validate Subscriber (EV) Agreement
– Validate Operational Procedures
– Controls over Root CA (offline) and Subordinate CA (online)
– Controls over SSL and VPN implementations
[Figure: public key certificate]

11 PCI Compliance
Payment Card Industry Security Standards Council (PCI SSC)
– Expansion of the Visa Cardholder Information Security Program (CISP)
– Visa, MasterCard, Amex, Discover, JCB; established in 2006
– 500+ Participating Organizations
PCI Data Security Standard (DSS)
– Qualified Security Assessor (QSA) Company
– Approved Scanning Vendor (ASV) Company
– Penetration Tester qualifications and test results undefined
– Wireless controls scattered throughout requirements
PCI Payment Application Data Security Standard (PA-DSS)
– Payment Application Qualified Security Assessor (PA-QSA) Company
PCI PIN Transaction Security (PTS)
– Formerly PIN Encryption Device (PED) compliance program
– Visa and MasterCard PIN compliance programs

12 PCI (QSA) Assessments
PCI DSS v1.2 “protect cardholder data”
– Requirement 1: Install and maintain a firewall
– Requirement 2: Do not use vendor-supplied defaults
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data
– Requirement 5: Manage anti-virus software
– Requirement 6: Software assurance
– Requirement 7: Restrict access by business need to know
– Requirement 8: Assign a unique ID
– Requirement 9: Restrict physical access
– Requirement 10: Track and monitor all access
– Requirement 11: Regularly test security systems
– Requirement 12: Maintain information security policy
Wireless controls scattered throughout requirements

13 Other Authentication Standards
ANSI Standards
– X9.84 Biometric Management and Security
– X9.95 Trusted Time Stamps (TSA)
– X9.112 Wireless Management and Security (802.11x)
Work in Progress
– X9.117 Mutual Authentication
– X9.112 Wireless – Part 3: Mobile Banking (TSM)
Gaps: no password standard
– Green Book CSC-STD-002-85 (1985) Password Management
– FIPS 112 (1985) Password Usage; withdrawn 2005
– ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions; withdrawn 1999

14 Summary
Many standards to choose from
Many technologies to choose from
Many compliance programs to follow
– Many today; more tomorrow
– Change is inevitable
Watch out for technology transitions
– Mergers and acquisitions
– New vulnerabilities
– Technology breakthroughs
Compliance is a journey, not a destination
