3rd European PCI DSS Roadshow
Dublin, March 5th 2013
(c) VigiTrust 2003-2013
www.vigitrust.com
Today's Agenda (Dublin)
Start  Finish  Description
08:30  09:00   Registration. Main event registration run by VigiTrust
09:00  09:10   Welcome note. Provided by VigiTrust
09:10  09:55   Keynote, PCI SSC perspective. Jeremy King, European Director, PCI SSC
09:55  10:10   Mobility & Retail: Impact for Payments & Security. Rowan Fogarty, Managing Director at PortHand
10:10  10:30   PCI DSS: Perspective on Continuous Compliance. Mathieu Gorge, CEO, VigiTrust
10:30  10:50   Break. Tea/coffee break
10:50  11:20   Payments as part of Critical National Operations: Risks Overview. Peadar Duffy, Chairman, RMI
11:20  11:50   The Positive Economist: A Perspective on Payments. Susan Hayes, founder, The Positive Economist
11:50  12:00   Concluding thoughts. VigiTrust
12:00  12:15   Q&A session. Moderated Q&A with speakers
Mathieu Gorge, CEO & Founder, VigiTrust
• Founded VigiTrust in 2003
• InfoSecurity Ireland Chairman
• Created the PCI DSS European Roadshow
• Independent Security Expert for ENISA
• East West Institute working groups
• ANSI PHI reviewer
• Geneva Security Forum
• ISS World
• ISSA WCC (since 2008)
• ISACA NYC (since 2009)
• PCI Council SIGs (since 2011)
• Articles: TechTarget (Security), ISACA, SearchStorage.com, Computer Fraud & Security, SC Magazine, ISSA Journal, Baseline
About VigiTrust
CSMS: Compliance & Security Management Suite
• SAMS: Security Accreditation Management System (Enterprise)
• MCP: Merchant Compliance Portal (Aggregators)
• eSEC: Security eLearning Modules (Mid-Size)
5 Pillars of Security Framework™: Physical Security, People Security, Data Security, IT Security, Crisis Management
Payments Industry – a Definition
Payment security entails managing and securing payment data across an organization's full order lifecycle: from the point of payment acceptance, through fraud management, fulfilment, customer service, funding and financial reconciliation, to transaction record storage.
The presence of payment data at any of these points, whether on the organization's systems or networks or visible to staff, exposes the organization to risk.
Therefore you need to fully understand your own ecosystem and payment data flow.
2010 to 2012 – A very busy time for PCI DSS
• The US remains the most compliant territory in terms of PCI DSS
• Europe gaining traction
– Appointment of Jeremy King as European Director
• PCI DSS was updated in October 2010
– PCI DSS lifecycle update
– Changes, or lack of same, in v2.0
• New guidance papers from the Council in 2011 & 2012
– Tokenization, P2PE, Wireless, Virtualization (includes Cloud Computing definitions)
– Cloud, Cloud, Cloud
– Mobile, Mobile, Mobile
• Visa: is the US really going Chip & PIN?
Changes to Data Protection in the EU (the proposed General Data Protection Regulation)
• Not a directive but a single regulation across the EU
– Harmonization at European level, but with challenges
• Applies to companies based outside the EU that are active in the EU and offer services to EU citizens, even where the personal data is handled abroad
• Right to be forgotten
• Controllers' responsibilities
– Policies & procedures, staff training
• Data protection impact assessment, where processing is likely to present risks to individuals
• Security: both processors and controllers must put security measures in place
• Fines
• Data breach notification
– Within 24 hours of noticing the breach (as proposed in the Commission draft)
• Data portability (service providers) & data transfers
• Data Protection Officers
Intersection between PCI DSS compliance and the DPA
• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• The ICO in the UK made an example of Lush (Lush Cosmetics Ltd):
– "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times"
– For online retailers, the PCI DSS is clearly now best practice
– Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
– The undertaking from Lush requires them to store only the minimum amount of payment data necessary to receive payments, and to keep it for no longer than necessary
PCI DSS & GRC Process (diagram)
Regulatory, legal and corporate governance frameworks: SOX, SAS 70 Type II, PCI DSS, HIPAA, EU Data Protection, others
GRC process elements: Self-Governed Pre-Assessment; Remediation Work; Policies & Procedures; Education & Security Awareness; Specialized Skills Transfer; Official Assessors & Auditors; Network & Hardware Security; Application Security
Continuous Compliance Process: Step 1 to Step 5
Scoping your ecosystem for PCI DSS
• Scope your network's perimeter to determine the ecosystem's size
– Traditional perimeter: either inside or outside the firewall
– Cloud: private / public / hybrid
– Wireless networks are also part of your ecosystem
– Mobile & I/O devices are also part of your ecosystem and must be referenced in your asset inventory
• Diagrams are key
– Must cover your WHOLE ecosystem
– Must be kept up to date
• The flow of data between all ecosystem sub-areas must be clear
– Know where the data comes from, where it might transit through, where it may be stored/copied, and where it ends up
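The last point, knowing where cardholder data "may be stored/copied", is normally verified in practice with a cardholder-data discovery sweep over logs, exports and configuration files, so that anything holding a PAN is pulled into scope. The script below is an added example written for this page, not code from the VigiTrust deck or from any VigiTrust product: it finds PAN-like digit strings, drops decoys that fail the Luhn check, and reports only masked values (first six / last four, the most PCI DSS requirement 3.3 permits to display). The file names and their contents are constructed for illustration.

```python
"""Cardholder-data discovery sweep for PCI DSS scoping (added example)."""
from __future__ import annotations

import re
from typing import NamedTuple

# A PAN candidate is 13-19 digits, optionally separated by single spaces or
# hyphens (as in "5555 5555 5555 4444"). The look-arounds reject digit runs
# that are part of a longer word or number, so a 20-digit identifier does
# not produce a partial 19-digit match.
_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


class Finding(NamedTuple):
    source: str    # file the value was found in
    line_no: int   # 1-based line number within that file
    masked: str    # first six + last four only; the full PAN is never kept


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four (PCI DSS req. 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(source: str, text: str) -> list[Finding]:
    """Scan one text blob and return masked findings with line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan(sources: dict[str, str]) -> list[Finding]:
    """Run find_pans over a {file name: contents} mapping."""
    out: list[Finding] = []
    for name, text in sources.items():
        out.extend(find_pans(name, text))
    return out


# Constructed sample files (not real data): three PANs (standard test card
# numbers) in places they should not be, plus decoys that look like card
# numbers but fail the Luhn check (an order reference and a timeout value).
SAMPLE_INPUTS = {
    "web.log": (
        "2013-03-05 09:12:01 POST /checkout card=4111111111111111 status=200\n"
        "2013-03-05 09:12:05 GET /order order_ref=1234567890123456 status=200\n"
    ),
    "export.csv": (
        "id,customer,card\n"
        "1,ACME,5555 5555 5555 4444\n"
        "2,Widgets,3782-822463-10005\n"
    ),
    "app.conf": "timeout=30000000000000\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_INPUTS):
        print(f"{f.source}:{f.line_no}: {f.masked}")
```

Run against the constructed inputs it reports the PAN written to the web log and the two in the CSV export, and stays silent on the order reference and the timeout. Every hit is a system, file or log that belongs on the ecosystem diagram and in the asset inventory; the point of masking in the tool itself is that the scoping report does not become one more place full cardholder data is stored.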
Required Documentation
• Diagrams and data flows
– Ecosystem diagrams
– Data flow diagrams
– Network diagrams
• Asset inventory
• Acceptable Usage Policy for staff
• Access Control Policy
• Firewall rules and business justification for each rule
• AV, Anti-Spam and Intrusion Detection/Prevention Policy
• Incident Response Plan
• Hardening, Log and Patch Management Policy
• Back-Up and Media Storage Policy
• Security Assessment, Application Security & Vulnerability Management Policy
• Management of Third Parties Policy
Technical Solutions typically required for PCI DSS
• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web filtering / mail filtering
• IM monitoring
• File integrity monitoring
• SIEM / central log solutions
• Asset management
• PSD management/control
• Encryption
• Onsite vs managed services vs cloud services?
Building & Maintaining PCI DSS Teams (1)
An effective PCI DSS project team is essential to the success of your PCI compliance process in terms of raising security awareness, enforcing security policies and implementing technical solutions. The first step in creating a project team is to decide which staff members to include on the team.
Who should be part of my PCI DSS team?
Basically anyone who falls within the scope of PCI DSS may be a member of your PCI project team. A typical PCI DSS project team, led by a PCI Project Manager / Security Officer, might consist of:
• IT department staff / IT Manager
• Development staff
• Human Resources staff
• Operations management
• Security staff
Building & Maintaining PCI DSS Teams (2)
In order to determine what role each member of the PCI project team should have, we should first consider the elements that make up a security strategy. Typically there are five key elements:
• Physical Security
• People Security
• Data Security
• IT Security
• Disaster Recovery and Business Continuity
Building & Maintaining PCI DSS Teams (3)
Sample roll-out plan (Gantt chart, January 2012 to January 2014), with work items grouped into three swim lanes:
Policy Work
• Finalise AUPs
• Disseminate AUPs
• Finalise DR scenarios + ERPs
• Develop and roll out change management procedures
• Develop and roll out storage policy
• Roll out encrypted e-mail usage policy
• Roll out tele-working policy
• Design helpdesk support & shared knowledge base policy
Technical Solutions
• Fine-tune Internet & web content filters
• Roll out VPN to all remote branches
• Review all firewall configuration settings
• Deploy new version of anti-virus on all gateways
• Test all back-up tape units + upgrade back-up software
• Install and test all back-up systems at DR site
• Install laptop encryption software for managers
• Install laptop encryption software for all laptop & PDA users
• Decommission old helpdesk system + roll out new integrated helpdesk and CRM solution
User Awareness
• Awareness strategic session with HR Manager
• Staff awareness program, phase 1
• Staff awareness program, phase 2
• Staff awareness campaign: posters, flyers, security events
• Senior managers refresher program
• Staff refresher sessions
• HR training on how to deal with security incidents
• E-mail etiquette training for sales staff
• Security awareness presentation to the Board
Finally Getting Some Attention: User Awareness
• PCI DSS Requirement 12.6 states:
– "The company needs to implement a formal security awareness program, and educate employees upon hire and at least once annually on the importance of cardholder data security."
– PCI DSS requires every member of staff involved in storing, processing or transmitting cardholder data to be trained in what PCI DSS is about, why and how to protect cardholder data, and best-practice security.
• Qualified Security Assessors (QSAs) verify that awareness training is being delivered by interviewing a sample of employees about their awareness of cardholder data security. Organizations must be able to demonstrate compliance with 12.6.
PCI DSS – Integration with other standards
• PCI DSS can be mapped to other standards
– E.g. HIPAA Security & Administrative Rules
– E.g. ISO 27001
• http://www.iso27001security.com/ISO27k_Mapping_ISO_27001_to_PCI-DSS_V1.2.pdf

Comparison Criteria                        | ISO 27k                           | PCI DSS
Scope                                      | Defined by the entity             | Cardholder data
Choice of controls                         | Wide                              | Very prescriptive
Flexibility in implementation of controls  | High                              | Low
Ongoing management of compliance status    | Very granular and well documented | Not flexible and not comprehensive
Corporate Culture & Risk Management – The Overall Picture (diagram)
Risk management strategy for internal and/or external risk management teams, covering DPA, PCI DSS & ISO 27001 compliance
Best Practices – Achieve and Maintain Compliance with PCI DSS
• What first steps can you take?
– Remember the five accreditation process steps:
• Education
• Pre-assessment (internal)
• Remediation
• Actual assessment
• Continuous compliance
– Mix of three key elements:
• Policies & procedures
• Technical solutions
• Awareness training
• What do you do next?
– Policies & procedures: draw up a list of the P&Ps in place at your organization
– Technical solutions: update your network diagram and run a penetration test
– Awareness training: identify in-scope employees and start the education process
Recommended Reading
www.pcisecuritystandards.org
www.vigitrust.com
http://searchcompliance.techtarget.com/tip/Does-using-ISO-27000-to-comply-with-PCI-DSS-make-for-better-security
http://searchsecurity.techtarget.co.uk/news/2240036890/PCI-virtualisation-With-new-guidelines-compliance-may-be-harder
http://searchsecurity.techtarget.co.uk/tip/Employee-information-awareness-training-PCI-policy-templates
http://searchsecurity.techtarget.co.uk/expert/Mathieu-Gorge
ENISA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
NIST: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf
Concluding Thoughts on how to Achieve and Maintain Compliance with PCI DSS
• PCI DSS is evolving: PCI DSS v3.0 is long awaited
• Mobility is here & the market welcomes the new guidance
– However, we need the PCI SSC to invest its accumulated funds into helping the market with this new major challenge
• PCI DSS adoption growth in the EU is driven by Data Protection; this will continue
• PCI DSS adoption growth in the US is driven by PHI and state PII laws; this will continue and a federal law will come in
You need to start preparing now for upcoming changes in the standard and in the legal frameworks incorporating PCI DSS.
[email protected]
http://www.linkedin.com/in/mgorge
www.vigitrust.com