Download presentation
Presentation is loading. Please wait.
Published byGodwin Fleming Modified over 9 years ago
1
PCI requirements in business language What can happen with the cardholder data?
2
Partneri Medijski pokrovitelji
3
Sadržaj predavanja What is PCI DSS? Who must comply with PCI DSS? The PCI DSS requirements Steps of the PCI DSS assessment? Compliance level Incidents Background of an incident Typical example
4
What is PCI DSS? Payment Card Industry Data Security Standard Developed by: Founding payment brands Main principles Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
5
Who must comply with PCI DSS? Covered Not covered Issuer & Service Provider (s) Cardholder Acquirer & Service Provider (s) Merchant & Service Provider (s)
6
The PCI DSS requirements Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: No use of vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks
7
The PCI DSS requirements Maintain a Vulnerability Management program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to- know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data
8
The PCI DSS requirements Regularly Monitor and Test Networks Requirement 10: Track & monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
9
Steps of the PCI assessment Preparation for the assessment Perform penetration testing Perform vulnerability scanning Perform security awareness training Establish testing procedures regarding hosting providers Develop data retention and disposal policy and procedures …
10
Steps of the PCI assessment Type of the assessment Qualified Security Assessors onsite review Self assessment Network security scan Depends on Number of transactions Special request from certain payment brand
11
Compliance Level Definitions - Merchants Compliance Validation LevelQSA Onsite Review Self Assessment Network Security Scan Level 1 - Any merchant - regardless of channel >6M transactions) Any merchant that has suffered a hack. Any merchant identified by any payment card brand as Level 1 Required (annually) Not requiredRequired (quarterly) Level 2 - Any merchant - regardless of channel 1M to 6M transactions Not requiredRequired (annually) Required (quarterly) Level 3 - 20K-1M e-commerce transactions Not requiredRequired (annually) Required (quarterly) Level 4 - <20,000 e-commerce transactions <1M non-ecommerce transactions Not requiredRecommended (annually) Recommended (annually)
12
Compliance Level Definition – Service Providers Compliance Validation LevelQSA onsite review Self assessment Network Security Scan Level 1 - VisaNet connection; All Payment Gateways; TPP and DSE that handle data for Level 1 & 2 Merchants Required (annually) Not requiredRequired (quarterly) Level 2 - Not Level 1 w/ >1M transactions; DSE that handle data for Level 3 Merchants Required (annually) for MasterCard Required (annually) for Visa Required (quarterly) Level 3 - <1M transactions; all other DSEs Not requiredRequired (annually) Required (quarterly)
13
Incidents Heartland Payment System (2009) Hannaford Brothers and Sweetbay (2008) TJX (2007) Cardsystem Solution Inc. (2005)
14
Background of an incident CardSystem Solutions Inc. Credit card processing company Purposes of managing data „research” 40 million card accounts (name, bank account number) Attack Breached security protocol Virus Sensitive data stored in clear
15
Background of an incident Data removal process Contractually obligated to delete Inappropriate data removal process Use of information Sold on a Russian website Affected a number of high-profile companies
16
Typical example PCI DSS 6.1 “Ensure that all system components and software have the latest vendor-supplied security patches.”
17
Typical example We have Windows based system We use WSUS (Windows Server Update Services), therefore all of our servers and workstations are patched Are we compliant?
18
Typical example How does a client PC look like? – Adobe FLASH – Adobe Acrobat – JRE – … and many more These software versions and patches are typically not managed centrally
19
Typical example IDDescription APSB09-15Security Advisory for Adobe Reader and Acrobat APSB09-10Security Updates available for Adobe Flash Player, Adobe Reader and Acrobat APSA09-03Security Advisory for Adobe Reader, Acrobat and Flash Player APSB09-07Security Updates available for Adobe Reader and Acrobat APSB09-06Security Updates available for Adobe Reader and Acrobat APSA09-02Buffer overflow issues in Adobe Reader and Acrobat APSB09-04Security Update available for Adobe Reader and Acrobat APSB09-03Security Update available for Adobe Reader 9 and Acrobat 9 APSA09-01Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat Source: http://www.adobe.com/support/security/
20
Typical example …and of course they are exploited in the wild Easy to use tools for PDF mangling – Metasploit – Origami – …
21
Typical example
25
Hvala
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.