
Post on 06-Aug-2020



©2015 RSM US LLP. All Rights Reserved.


INTRODUCTION TO PCI-DSS

Understanding the Payment Card Industry Security Standard

August 18, 2016

Keith Swiat – Director, Security and Privacy Services


Few Key Terms

• PCI DSS – Payment Card Industry Data Security Standard

− PA-DSS – Payment Application Data Security Standard

• Payment Cards – Visa, MasterCard Worldwide, American Express, Discover Financial Services, JCB International

• Merchant – Entity that accepts payment cards for payment

• Acquirer – (Merchant Bank or Acquiring Bank) Typically a financial institution that processes payment card transactions for merchants

− Payment Processor

• Issuing Bank – Financial institution issuing the credit card

• Service Provider – Business entity not directly involved with processing of payments (e.g. Managed Firewall Service Provider)

• Cardholder Data Environment (CDE) – Stores, processes, or transmits cardholder information

• Qualified Security Assessor (QSA) – Required for Level 1 Assessments

• Report on Compliance (ROC) – Report generated by a QSA for a Level 1 Assessment

• Self Assessment Questionnaire (SAQ) – Reporting for Level 2-4 Assessments


What drives PCI compliance?

• Hackers and large international organized crime syndicates

• Higher monthly fees for non-compliance

• The fallout of a data breach:

− The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.

− A breach could result in a cost of, on average, $200 per card number lost

• Knowing what data you have and where it resides


Visual Depiction – Payment Card Transaction

[Diagram of the parties in a payment card transaction; labels: Cardholder; E-Commerce Merchant; Card Swipe Merchant; Service Provider/Processor; VISA network; Issuer (banks)]


PCI DSS Requirements


PCI Requirements (Merchant)

LEVEL | VALIDATION ACTIONS | VALIDATED BY

1 | Annual on-site security audit | Independent assessor (QSA) or internal auditor if trained by PCI Association

1 | ** AND ** Quarterly network scan | Qualified and certified independent scan vendor (ASV)

2 & 3 | Annual self-assessment questionnaire | Merchant (Self Assessment)

2 & 3 | ** AND ** Quarterly network scan | Qualified and certified independent scan vendor (ASV)

4 | Annual self-assessment questionnaire recommended | Merchant (Self Assessment)

4 | Network scan recommended | Qualified and certified independent scan vendor (ASV)


Self Assessment Questionnaire (SAQ) v 3.2

SAQ Descriptions

A – Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP – E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B – Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.


SAQ Descriptions (cont)

B-IP – Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

C-VT – Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

C – Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.



SAQ Descriptions (cont)

P2PE – Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

D – SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.



Self Assessment Questionnaire (SAQ) v 3.1


Key PCI 3.X requirements

Requirement 2.1 – Remove default passwords

Requirement 3.4.1 – Disk encryption
• Bitlocker is NOT approved

Requirement 6.4.1 – Environment separation
• Production & Development

Requirement 10.2.1 – Audit CHD access
• User access audited / No shared accounts

Requirement 10.6 – Log reviews
• Daily review for anomalies / SIEM solution recommended

Requirement 12.8 – Vendor management
• Service provider agreement/acknowledgement must document the responsibilities of the vendor protecting CHD
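Requirements 10.2.1 and 10.6 above ask that access to cardholder data be attributable to an individual (no shared accounts) and that logs be reviewed daily for anomalies. The following added example, which is not part of the slides and not RSM's code, shows the kind of review logic a SIEM rule or a daily script would apply. It runs over a handful of constructed, syslog-like authentication lines (host names, users and addresses are made up) and flags four things a reviewer would want to look at: logins with a generic or shared account, one account used from more than one source address within a short window, successful access outside business hours, and repeated failed logins from one source. The thresholds and the line format are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of CDE authentication events (not real hosts, users or addresses).
SAMPLE_LOG = """\
2016-08-18T09:02:11 host=pos-db01 user=jsmith src=10.10.5.21 result=success
2016-08-18T09:05:40 host=pos-db01 user=admin src=10.10.5.21 result=success
2016-08-18T09:06:02 host=pos-db01 user=admin src=10.10.7.99 result=success
2016-08-18T22:41:13 host=pos-db01 user=mlee src=10.10.5.30 result=success
2016-08-18T23:10:00 host=pos-app02 user=svc_backup src=10.10.9.4 result=failure
2016-08-18T23:10:02 host=pos-app02 user=svc_backup src=10.10.9.4 result=failure
2016-08-18T23:10:04 host=pos-app02 user=svc_backup src=10.10.9.4 result=failure
2016-08-18T23:10:06 host=pos-app02 user=svc_backup src=10.10.9.4 result=failure
2016-08-18T23:10:08 host=pos-app02 user=svc_backup src=10.10.9.4 result=failure
"""

# Assumed line shape for this example; a real deployment would parse the vendor's format.
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Accounts that cannot be tied to one person; Requirement 10.2.1 wants these not used for CHD access.
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "sa"}


def parse(log_text):
    """Turn raw lines into event dicts; unparseable lines are skipped (a real review would count them)."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review(events, business_hours=(7, 19), fail_threshold=5, window=timedelta(minutes=10)):
    """Daily review pass: returns (rule, user, detail) findings for a human to triage."""
    findings = []
    successes_by_user = defaultdict(list)   # user -> recent successful events
    failures = defaultdict(list)            # (user, src) -> timestamps of recent failures

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "success":
            if ev["user"] in GENERIC_ACCOUNTS:
                findings.append(("generic-account-login", ev["user"], ev["src"]))
            if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
                findings.append(("off-hours-access", ev["user"], ev["ts"].isoformat()))
            # Same account from a different address inside the window suggests a shared credential.
            recent = [e for e in successes_by_user[ev["user"]] if ev["ts"] - e["ts"] <= window]
            other_srcs = {e["src"] for e in recent} - {ev["src"]}
            if other_srcs:
                findings.append(("multi-source-login", ev["user"],
                                 f"{ev['src']} shortly after {sorted(other_srcs)}"))
            successes_by_user[ev["user"]].append(ev)
        else:
            key = (ev["user"], ev["src"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            # Report once when the threshold is reached, not on every further failure.
            if len(failures[key]) == fail_threshold:
                findings.append(("repeated-failures", ev["user"],
                                 f"{fail_threshold} failures from {ev['src']} within {window}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse(SAMPLE_LOG)):
        print(f"{rule:22} {user:12} {detail}")
```

On the sample above the pass produces five findings: two generic-account logins (both `admin` events), one multi-source login (`admin` from a second address within a minute), one off-hours access (`mlee` at 22:41) and one repeated-failure alert for `svc_backup`. The point of the script is less the rules themselves than the shape of the control: every finding names an individual account and a source, so the daily reviewer can close each one with an explanation or an incident ticket.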


Key PCI 3.X requirements (cont)

Requirement 9.9 – Protect capture devices
• All devices that capture payment data (PIN PADs, card swipes, CHIP readers, etc.) must have unique tamper-proof stickers

Requirement 11.3 – Pen testing methodology
• Methodology has to be documented and based on an industry standard (such as NIST SP 800-115) and include current threats and vulnerabilities

Requirement 12.8.5 – Vendor management
• Maintain information on which PCI DSS requirements are managed by each service provider/entity

Requirement 12.9 – Vendor acknowledgement
• Written acknowledgement of the responsibilities discussed in 12.8


PCI Data Security Standard Version 3.2 Updates

• The PCI-DSS version 3.2 was published April 2016. This version of the standard will be considered effective immediately.

• Version 3.1 of the PCI-DSS will be retired on October 31st, 2016.

• After the October 31st date, all ROCs must be done following version 3.2 of the PCI-DSS

• Visa will not accept 3.1 ROCs after December 31


PCI Data Security Standard Version 3.2 Updates

• Updated note to clarify that some business-as-usual principles may be requirements for certain entities, such as those defined in the Designated Entities Supplemental Validation (Appendix A3)

• Verification that policies and procedures are in place and operating effectively is part of the duties of the QSA.

• Removed examples of “strong” or “secure” protocols from a number of requirements, as these may change at any time. (1.1.6)


PCI Data Security Standard Version 3.2 Updates

While some requirements will be in “best practice” mode until February 2018, such extension is not intended to delay migrations to secure versions of SSL or multi-factor authentication projects.

Clients will still have to demonstrate how they are addressing the risks represented by weak implementations of SSL or authentication methods.


PCI Data Security Standard Version 3.2 Updates

• Clarified that the correct term is multi-factor authentication, rather than two-factor authentication, as two or more factors may be used.

• Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. (8.3) (best practice until January 31, 2018)


PCI Data Security Standard Version 3.2 Updates

• The PCI-DSS will incorporate two new appendices in the standard that were previously separate supplemental documents:

− Appendix A2 – Additional PCI-DSS requirements for entities using SSL/Early TLS

− Appendix A3 – Designated entities supplemental validation (DESV)

The Designated Entities Supplemental Validation (DESV) includes specific requirements for entities around PCI-DSS compliance program governance processes, including but not limited to scoping validation, documentation and incident response methodologies.



KEY INITIATIVES FOR PCI 3.2 COMPLIANCE


Key Initiatives for PCI 3.2 compliance

• Implement multi-factor authentication for administrative and super-user IDs in devices, servers and platforms that are part of the CDE.

• At the same time, all administrative access from non-CDE network segments to the CDE must be brought under the multi-factor regime.


THE FUTURE OF PCI – HOW TO REDUCE RISK


Point-of-Sale (POS) architecture

[Diagram] Cardholder data not encrypted and subject to compromise. Includes network and POS Server.


Tokenization

The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
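Two slides above come together in practice: the driver “knowing what data you have and where it resides” (scoping the CDE) and tokenization as the way to stop holding card numbers at all. The following added example is not from the slides and is not RSM's code. It first sweeps a few constructed records for primary account numbers, using a digit-pattern match filtered by the Luhn check so that an unrelated 16-digit invoice id is not mistaken for a card, and then replaces each PAN found with a token from a toy vault. The token is random apart from the last four digits kept for receipts, so it has no bearing on the original data; only the vault can map it back. The record format, the sample numbers (standard test-style numbers, none real) and the token layout are assumptions for the example.

```python
import re
import secrets

# Constructed records, as a scoping sweep of an order system might see them (no real PANs).
SAMPLE_RECORDS = [
    "order=1001 customer=alice pan=4111111111111111 exp=12/27",
    "order=1002 customer=bob   pan=5500 0000 0000 0004 exp=03/26",
    "ticket=77 note: customer phoned, ref 1234567812345678 is the invoice id",
    "order=1003 customer=carol token=tok_already_tokenized",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check that every card brand's PAN satisfies; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate PANs (separators stripped) in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


class TokenVault:
    """Toy tokenization service. In production this is the one in-scope system
    that ever sees a PAN; everything else stores and passes around tokens only."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:          # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Random core (not derived from the PAN) plus the last four for receipts/lookup.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault can reverse a token; callers outside the CDE never need this."""
        return self._token_to_pan[token]


def tokenize_record(record, vault):
    """Replace every Luhn-valid PAN in a record with its vault token, leaving other digits alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return vault.tokenize(digits)
        return m.group(0)
    return CANDIDATE.sub(repl, record)


def sweep(records):
    """Scoping sweep: map record index -> PANs found, so you know where card data resides."""
    return {i: pans for i, rec in enumerate(records) if (pans := find_pans(rec))}


if __name__ == "__main__":
    vault = TokenVault()
    print("PANs found:", sweep(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(tokenize_record(rec, vault))
```

Running the sweep on the sample reports card numbers in the first two records only; the third record's invoice id fails Luhn and is left untouched, and the fourth already holds a token. After `tokenize_record` the order records carry `tok_…_1111` and `tok_…_0004` instead of PANs, which is what takes those systems out of the cardholder data environment: a breach of the order database yields tokens that are worthless without the vault. Luhn filtering is a heuristic, so a real discovery tool would also report near-misses for a human to review rather than silently dropping them.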


Point-of-Sale (POS) architecture (cont)

P2PE – POS device direct to processor


EMV (Europay/Mastercard®/Visa®) chip card

• Commonly known as “Chip and PIN”

• October 1, 2015 – EMV implementation date

− Fraud liability shifts to merchants that do not have certified chip card readers

• More secure for card present transactions

− However, consider…

• Cards are not encrypted

• Data transmission across network

• Implementation costs for new EMV POS terminal

• Doesn't provide additional security for eCommerce, mail, phone and fax orders


Cardholder Data Environment (CDE)

POS terminals directly to processor (Encrypted P2P)

Chargebacks occur on processor website

Eliminates need to store encrypted credit card data
• Vulnerability
• Memory Scraping
• Skimming

Mobile device risks:
• Loss of mobile device could mean loss of payment information (physical security)
• Capturing transmission of information
• Securing the OS and checking for virus/malware


PCI compliance and IT Management Decisions

Costly upgrades
• Network segmentation
• Hardware and software upgrades
• Vulnerability scanning
• Monitoring and alerting systems
• Fraud detection systems

Assessments and attestations
• Implementing controls to protect cardholder data
• Complete a report on compliance by a QSA (Qualified Security Assessor) or,
• Perform a SAQ (self assessment questionnaire)
• Attestation of Compliance (AOC)

Fines
• Not being PCI DSS compliant


Information security initiatives (PCI)

Education and awareness
• Lack of education and awareness around payment security coupled with poor implementation and maintenance

Increased flexibility
• PCI DSS 3.X focuses on some of the most frequently seen risks, such as weak passwords and authentication methods, malware, and poor self-detection, providing added flexibility on ways to meet the requirements

Security is a SHARED responsibility


Data/Network isolation vs segregation

There is a difference!

• Isolation: Information or network is completely standalone

• Segregation: Information or network is connected to other data sets or subnetworks but access is restricted by permissions

Data classification and records management facilitate an effective IT security program

Brainteaser – What is a potential risk for a call centre of a retail company taking phone orders?


Results of non-compliance (Attacker perspective)


KEY TAKEAWAYS


Key cybersecurity tasks

• Full disk/file encryption for key systems including servers (when appropriate)

• Properly trained IT staff

• Inventory of authorized hardware and software on the network

• Testing and production networks are segregated


Key cybersecurity tasks

• Incident Response Plan (IRP) and table top exercises

• Quarterly auditing of user accounts for network and key applications

• Employee onboarding/termination program

• System patch management solution

• Information security officer is not an IT employee

• Security awareness training


Key cybersecurity tasks

• Regularly performing network testing and program to remediate identified issues

• Security Incident and Event Management (SIEM) solution and daily review

• 24/7 incident response team and not Monday to Friday 9-5

• Third party solutions

− FireEye
− WebSense
− Carbon Black/Bit 9
− DLP Solutions


Key takeaways

• Third party vendors create the impression that the client's information security responsibilities have been relinquished

• Confusion around information security responsibilities when multiple IT vendors involved

• Network vulnerability and penetration testing is not properly performed

• PCI Self Assessment Questionnaires (SAQ) are not being completed or answers are inaccurate

• Antivirus programs are a placebo

• Information technology and information security are different

• Organizations need to find alternatives to conduct business w/o collection of unnecessary PII




This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.


Keith Swiat
RSM US LLP
1185 Avenue Of The Americas
New York, NY 10036
212-372-1687

+1 800 274 3978
www.rsmus.com