Jordan Levesque – Making sure your business is PCI compliant
• Brief overview of PCI DSS
• What's new in PCI DSS 3.2
• Why is PCI important?
• Dive in! Simple things you can do to be secure
• Tomorrow's session: What RCS does to keep your data secure
Overview of PCI DSS
• Payment Card Industry Data Security Standard
• Mandated by card brands
• Framework for applying good security posture
What's new in 3.2?
• Greater focus on Multifactor Authentication
– All remote access must have MFA
– All local administrator access must have MFA
• PAN masking requirements
• Pushed out the SSL/TLS 1.0 migration deadline from June 2016 to June 2018
Why is PCI important?
Risk Overview
62% more breaches in 2013 than in 2012; over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594%.
[chart: identities stolen, 2012 vs. 2013; one icon = 20 million]
Risk Overview
Threats are becoming more advanced, and attacks are becoming more frequent
Breach Overview
Average time to detection of a breach: 197 days
[timeline graphic: Jan 1 to Jul 17, plotted across Jan through Dec]
Average cost per record for retailers: $172
Average cost per breach: $4 million
Dive into PCI!
Scary at first, but when you take a step back, not so much!
What are the 12 Standards?
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Requirement 5: Use and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
• Requirement 12: Maintain a policy that addresses information security for all personnel
Initial Reaction
Standard 1: Simplified
Install and maintain a firewall configuration to protect cardholder data
More than just having one in place
• It is commercial grade
• It is configured properly
• It is monitored
• It is updated
• It is logged
Standard 2: Simplified
Do not use vendor-supplied defaults for system passwords and other security parameters
NAUGHTY:
Username: administrator
Password: password
NICE:
Username: corpnetadm
Password: Dt3&c@J%wG9E
Standard 2: Solutions
[image slide with two panels: NAUGHTY and NICE]
Standard 3
Protect stored cardholder data
• Mostly application-based
– Simply using CounterPoint is not enough. Ensure that:
• It is up to date
• It is configured properly
• Its users are trained
• NCR is implementing new features in the current version of CounterPoint to address this Standard
– P2P encryption
– EMV
– NCR Securepay
Standard 3: CounterPoint Features
P2P encryption
Encrypts card data at the swipe. Decrypted at the processor.
EMV
Technical standard for smart payment cards
Data stored on integrated circuits rather than magnetic stripes.
Once implemented, no card data is stored! Only personal and business information, therefore reducing your PCI scope.
NCR Securepay
Payment gateway service
Card data is never collected or stored by NCR Retail Online, which means your online store is considered “out of scope” for PCI assessments.
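The PAN masking rule called out under "What's new in 3.2" and the "protect stored cardholder data" goal of Standard 3 both come down to one check: a full PAN must never land in a receipt, log or database field, and where a PAN is displayed only the first six and last four digits may show. The following is an added example, not code from the deck, NCR or CounterPoint; it scans constructed sample lines for Luhn-valid card numbers and masks them.

```python
import re

# Constructed sample lines (not real logs): two leak a full test PAN, one does not.
SAMPLE_LINES = [
    "2016-07-17 09:14:02 sale ok card=4111111111111111 amount=42.10",
    "receipt: 5555 5555 5555 4444 approved",
    "order 12345 ref 1234567890 no card data here",
]

# 13 to 19 digits, optional single space/hyphen separators, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells real PANs apart from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans_in_line(line: str):
    """Return (masked line, number of PANs masked); non-Luhn matches are left alone."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, line), count


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        masked, n = mask_pans_in_line(line)
        print(f"{n} PAN(s) masked: {masked}")
```

Run it over exported application logs to find out whether your POS or web store is already leaking cardholder data into places the standard does not expect it.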
Standard 4: Simplified
Encrypt transmission of cardholder data across open, public networks
Your company and VPNs sittin' in a tree…
E-N-C-R-Y-P-T
Standard 5: Simplified
Use and regularly update anti-virus software or programs
Bonus points if:
• It's centrally managed by dedicated personnel
• It's lightweight on system resources
Standard 6: Simplified
Develop and maintain secure systems and applications
The big takeaway here:
• Document and demonstrate policies and procedures
• CHANGE CONTROL
Standard 7: Simplified
Restrict access to cardholder data by business need to know
Principle of least privilege: Only grant access to what is legitimately needed by each person
Standard 8: Simplified
Assign a unique ID to each person with computer access
"Username is "jen123", here's my password"
"Lol thanks!"
This one is easy:
• Don't share logins
• Use Multi-Factor Authentication (MFA)
Standard 8: MFA Solutions
Something you know
• Password
Something you have
• RSA Token
• Digital Certificate
• YubiKey
• Phone & Duo Security
Something you are
• Iris
• Fingerprint
• Voice
Standard 9: Simplified
Restrict physical access to cardholder data
The dream: Reality:
PIN
Biometric
Fence
Standard 10: Simplified
Track and monitor all access to network resources and cardholder data
Tricky to turn into meaningful data, but standard security hygiene will help get you there:
• Maintain and store logs from everything
– Store records before logs are overwritten due to storage limitations
• Audit where possible
– Windows server security logs are a great start
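"Turning logs into meaningful data" is the hard part of Standard 10, so here is an added example (not from the deck) of the simplest useful rule you can run over Windows server security logs once they are collected: a burst of failed logons (Event ID 4625) for one account from one source, and whether a successful logon (Event ID 4624) followed it. The sample export below is constructed for the example; the column layout and the account names are assumptions, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, Windows event ID, account, source IP (not real logs).
SAMPLE_EVENTS = """
2016-07-17T02:10:01,4625,corpnetadm,203.0.113.7
2016-07-17T02:10:04,4625,corpnetadm,203.0.113.7
2016-07-17T02:10:06,4625,corpnetadm,203.0.113.7
2016-07-17T02:10:09,4625,corpnetadm,203.0.113.7
2016-07-17T02:10:12,4625,corpnetadm,203.0.113.7
2016-07-17T02:10:15,4624,corpnetadm,203.0.113.7
2016-07-17T08:30:00,4625,jen123,192.0.2.20
2016-07-17T08:30:40,4624,jen123,192.0.2.20
""".strip().splitlines()

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"   # real Windows Security event IDs


def parse_events(lines):
    """Parse the CSV-style export into (timestamp, event id, account, source) tuples, oldest first."""
    events = []
    for line in lines:
        ts, eid, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), eid, account, src))
    return sorted(events)


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on (account, source) pairs with >= threshold failures inside window;
    mark the alert if a successful logon from the same pair came afterwards."""
    alerts = []
    failures = defaultdict(list)      # (account, src) -> timestamps of recent 4625 events
    for ts, eid, account, src in parse_events(lines):
        key = (account, src)
        if eid == FAILED_LOGON:
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and not any((a["account"], a["src"]) == key for a in alerts):
                alerts.append({"account": account, "src": src,
                               "failures": len(recent), "success_after": False})
        elif eid == SUCCESS_LOGON:
            for a in alerts:
                if (a["account"], a["src"]) == key:
                    a["success_after"] = True     # burst followed by a login: investigate first
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A single failed logon from jen123 stays below the threshold and produces no alert, while the five rapid failures for corpnetadm followed by a success are exactly the record you want to keep before storage limits overwrite it.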
Standard 11: Simplified
Regularly test security systems and processes
• Request a network evaluation and a penetration test ("pentest")
• Have a plan in the event of an incident
– At the very least: Isolate affected systems
Standard 12: Simplified
Maintain a policy that addresses information security for all personnel
• Similar to Standard 6: Document policies and procedures
• Host periodic security awareness events that identify prominent threats such as phishing
Standard 12: Solution
Phishing is an extremely common attack vector, where users are tricked into giving up their credentials.
Duo Security has made it easy to raise awareness of phishing:
https://insight.duo.com/
External Resources & Huge Thanks
• Duo Security
– https://insight.duo.com/
– https://duo.com/resources/ebooks/modern-guide-to-retail-data-risks
• IBM
– http://www-03.ibm.com/security/infographics/data-breach/
• ZDNet
– http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/