INTRODUCTION TO PCI-DSS
Understanding the Payment Card Industry Security Standard

August 18, 2016

Keith Swiat – Director, Security and Privacy Services

©2015 RSM US LLP. All Rights Reserved.


Few Key Terms

• PCI DSS – Payment Card Industry Data Security Standards
− PA-DSS – Payment Application Data Security Standards
• Payment Cards – Visa, MasterCard Worldwide, American Express, Discover Financial Services, JCB International
• Merchant – Entity that accepts payment cards for payment
• Acquirer – (Merchant Bank or Acquiring Bank) Typically a financial institution that processes payment card transactions for merchants
− Payment Processor
• Issuing Bank – Financial institution issuing credit card
• Service Provider – Business entity not directly involved with processing of payments (e.g. Managed Firewall Service Provider)
• Cardholder Data Environment (CDE) – Stores, processes, or transmits cardholder information
• Qualified Security Assessor (QSA) – Required for Level 1 Assessments
• Report on Compliance (ROC) – Report generated by QSA for Level 1 Assessment
• Self Assessment Questionnaire (SAQ) – Reporting for Level 2-4 Assessments


What drives PCI compliance?

• Hackers and large international organized crime syndicates

• Higher monthly fees for non-compliance
• The fallout of a data breach:

− The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.

− A breach could result in a cost of, on average, $200 per card number lost

• Knowing what data you have and where it resides


Visual Depiction – Payment Card Transaction

[Diagram showing the parties in a payment card transaction: Cardholder, E-Commerce Merchant, Card Swipe Merchant, Service Provider/Processor, VISA network, Issuer (banks)]


PCI DSS Requirements


PCI Requirements (Merchant)

| LEVEL | VALIDATION ACTIONS | VALIDATED BY |
|-------|--------------------|--------------|
| 1 | Annual on-site security audit AND quarterly network scan | Independent assessor (QSA) or internal auditor if trained by PCI Association; Qualified and certified independent scan vendor (ASV) |
| 2 & 3 | Annual self-assessment questionnaire AND quarterly network scan | Merchant (Self Assessment); Qualified and certified independent scan vendor (ASV) |
| 4 | Annual self-assessment questionnaire recommended; network scan recommended | Merchant (Self Assessment); Qualified and certified independent scan vendor (ASV) |


Self Assessment Questionnaire (SAQ) v 3.2

SAQ Descriptions

A – Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP – E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B – Merchants using only:
• Imprint machines with no electronic cardholder data storage; and/or
• Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.


B-IP – Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

C-VT – Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

C – Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.


P2PE – Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

D – SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.


Self Assessment Questionnaire (SAQ) v 3.1


Key PCI 3.X requirements

Requirement 2.1 – Remove default passwords

Requirement 3.4.1 – Disk encryption
• Bitlocker is NOT approved

Requirement 6.4.1 – Environment separation
• Production & Development

Requirement 10.2.1 – Audit CHD access
• User access audited / No shared accounts

Requirement 10.6 – Log reviews
• Daily review for anomalies / SIEM solution recommended

Requirement 12.8 – Vendor management
• Service provider agreement/acknowledgement must document the responsibilities of the vendor protecting CHD


Key PCI 3.X requirements (cont)

Requirement 9.9 – Protect capture devices
• All devices that capture payment data (PIN pads, card swipes, chip readers, etc.) must have unique tamper-proof stickers

Requirement 11.3 – Pen testing methodology
• Methodology has to be documented and based on an industry standard (such as NIST SP 800-115) and include current threats and vulnerabilities

Requirement 12.8.5 – Vendor management
• Maintain information on which PCI DSS requirements are managed by each service provider/entity

Requirement 12.9 – Vendor acknowledgement
• Written acknowledgement of responsibilities discussed in 12.8


PCI Data Security Standard Version 3.2 Updates

• The PCI-DSS version 3.2 was published April 2016. This version of the standard will be considered effective immediately.

• Version 3.1 of the PCI-DSS will be retired on October 31st, 2016.

• After the October 31st date, all ROCs must be done following version 3.2 of the PCI-DSS

• Visa will not accept 3.1 ROCs after December 31


PCI Data Security Standard Version 3.2 Updates

• Updated note to clarify that some business-as-usual principles may be requirements for certain entities, such as those defined in the Designated Entities Supplemental Validation (Appendix A3)

• Verification that policies and procedures are in place and operating effectiveness is present is part of the duties of the QSA.

• Removed examples of “strong” or “secure” protocols from a number of requirements, as these may change at any time. (1.1.6)


PCI Data Security Standard Version 3.2 Updates

While some requirements will be in “best practice” mode until February 2018, such extension is not intended to delay migrations to secure versions of SSL or multi-factor authentication projects.

Clients will still have to demonstrate how they are addressing the risks represented by weak implementations of SSL or authentication methods.


PCI Data Security Standard Version 3.2 Updates

• Clarified correct term is multi-factor authentication, rather than two-factor authentication, as two or more factors may be used.

• Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. (8.3) (best practice until January 31, 2018)


PCI Data Security Standard Version 3.2 Updates

• The PCI-DSS will incorporate two new appendices in the standard that were previously separate supplemental documents:
− Appendix A2 – Additional PCI-DSS requirements for entities using SSL/Early TLS
− Appendix A3 – Designated entities supplemental validation (DESV)

The Designated Entities Supplemental Validation (DESV) includes specific requirements for entities around PCI-DSS compliance program governance processes, including but not limited to scoping validation, documentation and incident response methodologies.


KEY INITIATIVES FOR PCI 3.2 COMPLIANCE


Key Initiatives for PCI 3.2 compliance

• Implement multi-factor authentication for administrative and super-user IDs in devices, servers and platforms that are part of the CDE.

• At the same time, all administrative access from non-CDE network segments to the CDE must be brought under the multi-factor regime.


THE FUTURE OF PCI – HOW TO REDUCE RISK


Point-of-Sale (POS) architecture

Cardholder data not encrypted and subject to compromise. Includes network and POS Server


Tokenization

The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
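A minimal tokenization vault illustrating the definition above, as an added example that is not part of the original deck or any RSM material: the TokenVault class, the Luhn helper and the sample card number are assumptions, and the card number is a constructed test value.

```python
import secrets

# Constructed test card number (a well-known test PAN), not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan):
    """Luhn check digit test: real PANs pass it; the tokens below deliberately fail it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form permitted outside the vault: last four digits only."""
    return "X" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization vault (an assumed design, not any vendor's API).

    Tokens are drawn at random, so they carry no information about the PAN
    and cannot be reversed without the vault; the vault itself is the one
    component that remains inside the cardholder data environment.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:           # same card -> same token
            return self._pan_to_token[pan]
        while True:
            # Keep the PAN's length and last four digits so receipts and
            # downstream systems keep working without holding real CHD.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn (they could be mistaken for a
            # real card number) and any collision with an issued token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Reverse lookup, only ever performed inside the vault."""
        return self._token_to_pan[token]        # KeyError for unknown tokens


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token:", tok, "masked:", mask_pan(SAMPLE_PAN), "luhn:", luhn_valid(tok))
```

Because the token fails the Luhn check, a leaked token cannot be submitted as a card number, and systems that only hold tokens and masked PANs drop out of CDE scope.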


Point-of-Sale (POS) architecture (cont)

P2PE – POS device direct to processor


EMV (Europay/Mastercard®/Visa®) chip card

• Commonly known as “Chip and Pin”
• October 1, 2015 – EMV implementation date
− Fraud liability shifts to merchants that do not have certified chip card readers
• More secure for card present transactions
− However, consider…
• Cards are not encrypted
• Data transmission across network
• Implementation costs for new EMV POS terminal
• Doesn't provide additional security for eCommerce, mail, phone and fax orders


Cardholder Data Environment (CDE)

POS terminals directly to processor (Encrypted P2P)

Chargebacks occur on processor website

Eliminates need to store encrypted credit card data
• Vulnerability
• Memory Scraping
• Skimming

Mobile device risks:
• Loss of mobile device could mean loss of payment information (physical security)
• Capturing transmission of information
• Securing the OS and checking for virus/malware


PCI compliance and IT Management Decisions

Costly upgrades
• Network segmentation
• Hardware and software upgrades
• Vulnerability scanning
• Monitoring and alerting systems
• Fraud detection systems

Assessments and attestations
• Implementing controls to protect cardholder data
• Complete a report on compliance by a QSA (Qualified Security Assessor) or,
• Perform a SAQ (self assessment questionnaire)
• Attestation of Compliance (AOC)

Fines
• Not being PCI DSS compliant


Information security initiatives (PCI)

Education and awareness
• Lack of education and awareness around payment security coupled with poor implementation and maintenance

Increased flexibility
• PCI DSS 3.X focus on some of the most frequently seen risks – such as weak passwords and authentication methods, malware, and poor self-detection – providing added flexibility on ways to meet the requirements

Security is a SHARED responsibility


Data/Network isolation vs segregation

There is a difference!

• Isolation: Information or network is completely standalone
• Segregation: Information or network is connected to other data sets or subnetworks but access is restricted by permissions

Data classification and records management facilitates an effective IT security program

Brainteaser – What is a potential risk for a call centre of a retail company taking phone orders?


Results of non-compliance (Attacker perspective)


KEY TAKEAWAYS


Key cybersecurity tasks

• Full disk/file encryption for key systems including servers (when appropriate)

• Properly trained IT staff
• Inventory of authorized hardware and software on the network
• Testing and production networks are segregated


Key cybersecurity tasks

• Incident Response Plan (IRP) and table top exercises
• Quarterly auditing of user accounts for network and key applications
• Employee onboarding/termination program
• System patch management solution
• Information security officer is not an IT employee
• Security awareness training


Key cybersecurity tasks

• Regularly performing network testing and program to remediate identified issues

• Security Incident and Event Management (SIEM) solution and daily review

• 24/7 incident response team and not Monday to Friday 9-5
• Third party solutions
− FireEye
− WebSense
− Carbon Black/Bit 9
− DLP Solutions


Key takeaways

• Third party vendors create the impression that the client's information security responsibilities have been relinquished

• Confusion around information security responsibilities when multiple IT vendors involved

• Network vulnerability and penetration testing is not properly performed

• PCI Self Assessment Questionnaires (SAQ) are not being completed or answers are inaccurate

• Antivirus programs are a placebo

• Information technology and information security are different

• Organizations need to find alternatives to conduct business w/o collection of unnecessary PII


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.

© 2015 RSM US LLP. All Rights Reserved.

Keith Swiat
RSM US LLP
1185 Avenue Of The Americas
New York, NY 10036
212-372-1687
+1 800 274 3978
www.rsmus.com