Brian Cloud

August 06, 2009

Overall Digital Security

What is Digital Security

Murphy’s LawSince 2005, over 263M records breeched

(privacyreports.com)○ Hacking, Internal Flaws, Stolen Equipment

Marketing is Profitability, Profiles are Productivity

Security Concerns Databases Communications and Transmissions Media Access Levels Traveler Issues and Awareness

Types of Issues:Data BreechIntellectual Property TheftDoS AttacksInternal Issues and Employee Mindset

PCI Compliance Overview What is it?

Payment Card Industry (PCI) Data Security Standard (DSS) defines what cardholder data can be stored and how it may be

processed and managed to keep it secure.

Who must comply? All members, merchants, and service providers that store, process, OR

transmit cardholder data. All system components which are defined as any network component,

server, or application that is included in or connected to the cardholder data environment.

PCI Security Standard Council Develop and manage the PCI Data Security Standard. Establish and maintain industry-level approval processes for Qualified

Security Assessors (QSA) and Approved Scanning Vendors (ASV). Publish and distribute the PCI Data Security Standard. Provide an open forum for all key stakeholders

Cardholder Data Any personally identifiable information associated

with the cardholder that is stored, processed, or transmitted. Account number, expiration date, name, address, social

security number, etc.

It is never acceptable to retain magnetic stripe data subsequent to transaction authorization. However, the following individual data elements may be retained subsequent to transaction authorization: Cardholder Account Number Cardholder Name Card Expiration Date

Still applies even if cardholder data is not stored

Compliance Review

Getting Compliant Compliance Classification (Levels I-IV) determined by number

of transactions in merchant account

Point of Sale (POS) environment Merchant location (i.e. travel agency, retail store, restaurant, hotel

property, gas station, supermarket, or other point of sale location). Internet protocol (IP) -based POS environment is one in which

transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.

Compensating Controls for encryption of stored data Complex network segmentation Internal firewalls that specifically protect the database TCP wrappers or firewall on the database to specifically limit who can

connect to the database. Separation of the corporate internal network on a different network

segment from production, with additional firewall separation from database servers.

PCI Compliance Level Definitions

Compliance Validation Level

AnnualOn-site

Assessment

QuarterlyPerimeter

Scan

Self-AssessmentQuestionnaire

Level 1> 6M Transactions

Required Required N/A

Level 21M-6M Transactions

N/A Required Required

Level 320K-6M Transactions

N/A Required Required

Level 4< 20K Transactions

N/A Determinedby Acquirer

Determinedby Acquirer

** Anyone suffering a breech may be escalated

Participating Card Associations

PCI Compliance

Cardholder Information Security Program (CISP)

Site Data Protection (SDP)

Penalties and Fees When do I get penalized?

Not meeting PCI Compliance by the specified date. Card Holder data compromise when not PCI compliant.

What are the fines associated? Dependent on the card brand and acquiring bank. Non-compliance (Visa Example) – $5,000 and $25,000 a month for each of its

Level 1 and 2 merchants (CVV2 can be worse). Card Holder Breach (Visa Example) –Fines up to $500,000 per incident, for any

merchant or service provider that is compromised and not compliant at the time of the incident. Safe Harbor if PCI Compliant.

Impose restrictions on noncompliant merchants All fraud losses incurred from the use of the compromised account numbers from

the date of compromise forward. Cost of re-issuing cards associated with the compromise. Cost of any additional fraud prevention/detection activities required by the card

associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

Possible revocation of merchant status Loss of Business Integrity with Customers

Credit Card Breeches The Cost of Non-Compliance

20% of individuals who received a data breach notification during 2005 terminated their relationship with that company.

Stock price: A 2004 study found that companies that suffered data breaches lost an average of just over 5% of their market valuation.

Breach Recovery: Average cost to recover from a data breach - $14 million ($140 per customer record).

Average loss was 2.6% of all customers.

Examples of breaches TJMax: At least 45.7 million credit/debit cards of shoppers stolen. Largest

ever. BJ’s Wholesale: Booked $16 million reserve to cover all costs related to

breach. DSW Shoe Warehouse: Booked $6.5 million reserve to cover breach

costs. ChoicePoint: $15 million fine.

Common Security Holes

Common Failure Points Data Encryption

While at rest and during transit. Proper encryption key management.

Network Monitoring and Logging Inability to recreate user’s activity (who did what, when, where, and how). Lack of real time monitoring of network events (e.g., IDS and firewall).

Network Segmentation Customer network’s typically flat. Systems serve multiple purposes.

Data Archival and Disposal Backup tapes not secured or encrypted. Hard copies not secured or not disposed of properly.

Web Application Security Lack of software development life cycle. Poor QA process and testing.

Steps You Should be Taking Get A Security Assessor Re-Assess Until Compliant Self-Audit (PCI Data Security Standards Compliance Questionnaire)

https://www.pcisecuritystandards.org/saq/index.shtml Perform a System Perimeter Scan Inform Employees, Change Environments and Mindsets

Key Questions Only applicable to e-commerce merchants? How do merchants determine the cost of compliance validation? What if a merchant has outsourced the storage, processing, or

transmission of cardholder data to a service provider? Do merchants need to include their service providers in the scope of their

PCI Data Security Standards Review?

Path to Compliance Determine the locations of the card holder data.

Reduce scope by eliminating or segmenting the card holder data.

Baseline your environment against the PCI DSS to identify gaps. Online tools available for Vulnerability Reports

For all gaps determine recommendations with associated effort (don’t overlook “gotcha’s” such as logging track data on a Point of Sales system). (Online Mediation Reports)

Develop a prioritized plan to address gaps.

Execute (…but with management support).

Continue to Scan