Jordan Levesque – Making sure your business is PCI compliant

Page 1:

Jordan Levesque – Making sure your business is PCI compliant

Page 2:

• Brief overview of PCI DSS

• What's new in PCI DSS 3.2

• Why is PCI important?

• Dive in! Simple things you can do to be secure

• Tomorrow's session: What RCS does to keep your data secure

Page 3:

Overview of PCI DSS

• Payment Card Industry Data Security Standard

• Mandated by card brands

• Framework for applying good security posture

Page 4:

What's new in 3.2?

• Greater focus on Multi-Factor Authentication

– All remote network access from outside the network must have MFA (carried over from earlier versions)

– New in 3.2: all non-console administrative access into the cardholder data environment must have MFA as well, not only remote access

• PAN masking requirements clarified: no more than the first six and last four digits displayed unless there is a documented business need to see more

• Pushed the SSL/early TLS (TLS 1.0) migration deadline out from June 2016 to June 2018

Page 5:

Why is PCI important?

Page 6:

Risk Overview

62% more breaches in 2013 than in 2012,

over 553 million identities stolen, up from 93 million in 2012, an increase of almost 500%

[Chart: identities stolen, 2012 vs 2013; one icon = 20 million]

Page 7:

Risk Overview

Threats are becoming more advanced, and attacks are becoming more frequent

Page 8:

Breach Overview

Average time to detection of a breach: 197 days (shown as a calendar running from Jan 1 to Jul 17)

Avg cost per record for retailers: $172

Avg cost per breach: $4 million

Page 9:

Dive into PCI!

Scary at first, but when you take a step back, not so much!

Page 10:

What are the 12 Standards?

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Requirement 3: Protect stored cardholder data

• Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Requirement 5: Use and regularly update anti-virus software or programs

• Requirement 6: Develop and maintain secure systems and applications

• Requirement 7: Restrict access to cardholder data by business need to know

• Requirement 8: Assign a unique ID to each person with computer access

• Requirement 9: Restrict physical access to cardholder data

• Requirement 10: Track and monitor all access to network resources and cardholder data

• Requirement 11: Regularly test security systems and processes

• Requirement 12: Maintain a policy that addresses information security for all personnel

Page 11:

Initial Reaction

Page 12:

Standard 1: Simplified

Install and maintain a firewall configuration to protect cardholder data

More than just having one in place

• It is commercial grade

• It is configured properly

• It is monitored

• It is updated

• It is logged

Page 13:

Standard 2: Simplified

Do not use vendor-supplied defaults for system passwords and other security parameters

NAUGHTY

Username: administrator

Password: password

NICE

Username: corpnetadm

Password: Dt3&c@J%wG9E

Page 14:

Standard 2: Solutions

(Naughty vs. nice configurations shown as images)
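A small audit script for Standard 2, added here as an example and not anything from the deck, NCR or RCS: it walks a device inventory and flags vendor-default passwords, default SNMP communities and other default security parameters, and checks the password minimum PCI DSS 8.2.3 sets (seven characters, letters and digits), which the "nice" credential on the previous slide clears. The inventory and the default-credential list are constructed for illustration; a real run would load both from your asset inventory and a maintained list of vendor defaults.

```python
"""Requirement 2 audit: flag vendor-default passwords and other default
security parameters across a device inventory.

Added example; the inventory and the default-credential list are constructed
for illustration. A real audit would load both from your asset inventory and a
maintained list of vendor defaults."""
import re

# Constructed, deliberately short list of well-known vendor defaults.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("administrator", "password"),
    ("administrator", ""), ("root", "root"), ("root", "toor"), ("cisco", "cisco"),
    ("ubnt", "ubnt"), ("pi", "raspberry"),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
PASSWORD_MIN_LENGTH = 7  # PCI DSS 8.2.3: at least seven characters, letters and digits


def password_meets_8_2_3(password: str) -> bool:
    """Minimum PCI DSS 8.2.3 bar: length >= 7 with both letters and digits.
    Clearing this bar does not make a password good; it only stops the worst ones."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def audit_device(device: dict) -> list:
    """Return a list of human-readable findings for one device record."""
    findings = []
    name = device["name"]
    for user, password in device.get("accounts", []):
        if (user.lower(), password) in DEFAULT_CREDENTIALS:
            findings.append(f"{name}: account '{user}' still uses a vendor-default password")
        elif not password_meets_8_2_3(password):
            findings.append(f"{name}: account '{user}' password fails the PCI DSS 8.2.3 minimum")
    for community in device.get("snmp_communities", []):
        if community in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"{name}: default SNMP community '{community}' is still enabled")
    if device.get("telnet_enabled"):
        findings.append(f"{name}: cleartext management (telnet) enabled; use SSH instead")
    if device.get("wifi_default_ssid"):
        findings.append(f"{name}: wireless still broadcasts the vendor-default SSID")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each device name to its findings; an empty list means the device passed."""
    return {device["name"]: audit_device(device) for device in inventory}


# Constructed sample inventory: one untouched firewall, one register with a
# default admin and a weak cashier password, one switch configured properly.
SAMPLE_INVENTORY = [
    {"name": "store-fw-01", "accounts": [("admin", "admin")],
     "snmp_communities": ["public"], "telnet_enabled": True},
    {"name": "pos-register-3", "accounts": [("administrator", "password"), ("cashier", "summer")]},
    {"name": "store-switch-01", "accounts": [("corpnetadm", "Dt3&c@J%wG9E")],
     "snmp_communities": ["s7oreMon1tor"], "telnet_enabled": False},
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "OK" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against an export of your real inventory; the point is that "not default" is only the first of the checks, and the 8.2.3 minimum is a floor, not a target.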

Page 15:

Standard 3

Protect stored cardholder data

• Mostly application-based

– Simply using CounterPoint is not enough. Ensure that:

• It is up to date

• It is configured properly

• Its users are trained

• NCR is implementing new features in the current version of CounterPoint to address this Standard

– P2P encryption

– EMV

– NCR Securepay

Page 16:

Standard 3: CounterPoint Features

P2P encryption

Encrypts card data at the swipe. Decrypted at the processor, so your POS, network and servers never handle the clear-text PAN.

EMV

Technical standard for smart payment cards

Data stored on integrated circuits rather than magnetic stripes.

Once P2P encryption is implemented, no card data is stored on your systems, only personal and business information, therefore reducing your PCI scope. EMV on its own stops counterfeit-card fraud at the terminal; it does not encrypt the PAN or keep it out of your systems, so the scope reduction comes from the encryption, and the largest reduction from a PCI SSC-listed P2PE solution.

NCR Securepay

Payment gateway service

Card data is never collected or stored by NCR Retail Online, which means your online store is considered “out of scope” for PCI assessments. In practice this means a much smaller self-assessment (typically SAQ A); the page that hands the shopper off to the gateway is still yours to keep patched and free of tampering.
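The PAN masking rule from the 3.2 slide and the "protect stored cardholder data" standard above, worked as an added example (not CounterPoint or NCR code): Luhn-validated PAN detection so that order numbers are not masked by mistake, display masking to first six / last four, scrubbing PANs out of a log line before it is stored (a common way cardholder data quietly lands in the logs Standard 10 makes you keep), and a keyed one-way hash for a stored reference. The card numbers are the usual published test PANs and the log line is constructed.

```python
"""PAN handling helpers for Requirement 3 (and for keeping PANs out of the
logs Requirement 10 makes you retain).

Added example, not CounterPoint or NCR code. Card numbers below are the usual
published test PANs; the log line is constructed."""
import hashlib
import hmac
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Candidates are then Luhn-checked to drop order
# numbers, phone numbers and similar false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Yield (start, end, digits) for each Luhn-valid PAN candidate in text."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.start(), m.end(), digits


def mask_pan(digits: str) -> str:
    """Display form allowed by PCI DSS 3.3: at most first six and last four in the clear."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Replace every PAN in a log line with its masked form before the line is stored."""
    out, last = [], 0
    for start, end, digits in find_pans(line):
        out.append(line[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(line[last:])
    return "".join(out)


def pan_reference(digits: str, key: bytes) -> str:
    """Keyed one-way hash to store instead of the PAN when you only need to
    recognise a card again (3.4). The key matters: the PAN space is small
    enough that an unkeyed hash can be brute-forced from the BIN, so keep the
    key in a key store or HSM, separate from the data."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    line = ("2016-06-01 12:00:01 POS3 sale approved card=4111111111111111 "
            "order=1234567890123 amount=42.10")   # constructed
    print(scrub_line(line))
    print(pan_reference("4111111111111111", b"demo-key-not-for-production"))
```

The Luhn check is what makes this usable on real logs: a bare 13-to-19-digit regex will mask order and invoice numbers and hide the fact that a PAN was ever there.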

Page 17:

Standard 4: Simplified

Encrypt transmission of cardholder data across open, public networks

Your company and VPNs sittin' in a tree…

E-N-C-R-Y-P-T

Page 18:

Standard 5: Simplified

Use and regularly update anti-virus software or programs

Bonus points if:

• It's centrally managed by dedicated personnel

• It's lightweight on system resources

Page 19:

Standard 6: Simplified

Develop and maintain secure systems and applications

The big takeaway here:

• Document and demonstrate policies and procedures

• CHANGE CONTROL

Page 20:

Standard 7: Simplified

Restrict access to cardholder data by business need to know

Principle of least privilege: Only grant access to what is legitimately needed by each person

Page 21:

Standard 8: Simplified

Assign a unique ID to each person with computer access

“Username is “jen123”, here's my password”

“Lol thanks!”

This one is easy:

• Don't share logins

• Use Multi-Factor Authentication (MFA)

Page 22:

Standard 8: MFA Solutions

Something you know

• Password

Something you have

• RSA Token

• Digital Certificate

• YubiKey

• Phone & Duo Security

Something you are

• Iris

• Fingerprint

• Voice

Page 23:

Standard 9: Simplified

Restrict physical access to cardholder data

The dream: PIN, Biometric, Fence

Reality: (pictured)

Page 24:

Standard 10: Simplified

Track and monitor all access to network resources and cardholder data

Tricky to turn into meaningful data, but standard security hygiene will help get you there:

• Maintain and store logs from everything

– Store records before logs are overwritten due to storage limitations (PCI DSS 10.7 expects at least a year of audit-trail history, with the most recent three months immediately available for analysis)

• Audit where possible

– Windows server security logs are a great start
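One way to turn Windows security logs into the "meaningful data" the slide mentions, as an added example and not RCS tooling: a few detections over Security event exports that a small retailer can run without a SIEM. The events below are constructed, in a simple CSV export shape (Event IDs 4625 failed logon, 4624 successful logon, 4732 member added to a local group, 1102 audit log cleared); the CDE host list and business hours are assumptions for the example.

```python
"""Turn Windows Security event exports into something meaningful (Requirement 10):
brute-force detection on 4625, a success following a brute-force run, audit-log
clearing (1102), privileged-group changes (4728/4732/4756) and remote logons to
cardholder-data-environment hosts out of hours.

Added example; the events below are constructed in a simple CSV export shape,
not a real log. CDE_HOSTS and BUSINESS_HOURS are assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

SAMPLE_EVENTS = """\
time,event_id,host,user,src_ip,logon_type
2016-06-01T02:14:07Z,4625,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:14:09Z,4625,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:14:11Z,4625,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:14:13Z,4625,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:14:15Z,4625,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:14:20Z,4624,POS-SRV01,administrator,203.0.113.9,10
2016-06-01T02:15:02Z,4732,POS-SRV01,administrator,,
2016-06-01T02:16:40Z,1102,POS-SRV01,administrator,,
2016-06-01T09:03:11Z,4624,POS-SRV01,jsmith,10.0.5.23,2
2016-06-01T09:05:40Z,4625,DC01,jsmith,10.0.5.23,2
"""

CDE_HOSTS = {"POS-SRV01"}            # assumption: hosts in the cardholder data environment
BUSINESS_HOURS = range(8, 20)        # assumption: 08:00-19:59 (timestamps here are UTC)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)
PRIV_GROUP_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group


def parse(text: str) -> list:
    """Parse the CSV export into dicts with typed time and event_id fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def detect(events: list) -> list:
    """Return (kind, host, user, src_ip) alerts in time order."""
    alerts = []
    recent_fail = defaultdict(list)   # (host, user, src_ip) -> failure timestamps in window
    brute_forced = set()
    for e in sorted(events, key=lambda x: x["time"]):
        key = (e["host"], e["user"], e["src_ip"])
        if e["event_id"] == 4625:
            recent_fail[key].append(e["time"])
            recent_fail[key] = [t for t in recent_fail[key] if e["time"] - t <= FAIL_WINDOW]
            if len(recent_fail[key]) >= FAIL_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                alerts.append(("BRUTE_FORCE",) + key)
        elif e["event_id"] == 4624:
            if key in brute_forced:
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE",) + key)
            # Logon type 10 is RemoteInteractive (RDP); off-hours RDP into a CDE host is worth a look.
            if e["host"] in CDE_HOSTS and e["logon_type"] == "10" and e["time"].hour not in BUSINESS_HOURS:
                alerts.append(("OFF_HOURS_RDP_TO_CDE",) + key)
        elif e["event_id"] in PRIV_GROUP_EVENTS:
            alerts.append(("PRIV_GROUP_CHANGE",) + key)
        elif e["event_id"] == 1102:
            # Clearing the audit log is itself an event; treat it as an incident, not noise.
            alerts.append(("AUDIT_LOG_CLEARED",) + key)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_EVENTS)):
        print(*alert)
```

The same logic works on output from Get-WinEvent or a syslog forwarder once the columns are mapped; the important part is that the logs are collected centrally first, because an attacker who clears the local log (event 1102) has otherwise erased the evidence along with it.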

Page 25:

Standard 11: Simplified

Regularly test security systems and processes

• Request a network evaluation and a penetration test (“pentest”)

– PCI DSS 11.2 expects quarterly vulnerability scans (the external ones from an Approved Scanning Vendor) and 11.3 a penetration test at least annually and after any significant change

• Have a plan in the event of an incident (formally Requirement 12.10)

– At the very least: Isolate affected systems

Page 26:

Standard 12: Simplified

Maintain a policy that addresses information security for all personnel

• Similar to Standard 6: Document policies and procedures

• Host periodic security awareness events that identify prominent threats such as phishing

Page 27:

Standard 12: Solution

Phishing is an extremely common attack vector, where users are tricked into giving up their credentials

Duo Security has made it easy to raise awareness of phishing:

https://insight.duo.com/

Page 28:

External Resources & Huge Thanks

• Duo Security

– https://insight.duo.com/

– https://duo.com/resources/ebooks/modern-guide-to-retail-data-risks

• IBM

– http://www-03.ibm.com/security/infographics/data-breach/

• ZDNET

– http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/
