#PACnet15. Presenters Erik Janis » VP, Technical Services Govind Shankar » Director, Systems...
-
Upload
julian-drayton -
Category
Documents
-
view
214 -
download
0
Transcript of #PACnet15. Presenters Erik Janis » VP, Technical Services Govind Shankar » Director, Systems...
#PACnet15#PACnet15
Staying PCI Compliant
#PACnet15#PACnet15
Presenters
Erik Janis » VP, Technical Services
Govind Shankar » Director, Systems Operations and Security
Gene Welch » Manager, Customer Services
#PACnet15
Agenda:» PCI DSS Update
▫ Operational impact of new PCI-DSS 3.0 requirements» Card Data Security Update» Compliance and Security Concepts» Paciolan Application Compliance and Security » Q/A
* Disclaimer – Presenters are not Visa certified QSAs
Discussion Points
#PACnet15
Compliance is NOT Security» Compliance is mandatory so you can process credit cards» Security keeps you out of the news
▫ Target Stores▫ Sony Pictures▫ Anthem Blue Cross
» Controls are important▫ Most breaches happen from the INSIDE!
Awareness is the first step in becoming secure….
Theme of The Day
#PACnet15
PCI-DSS 2.0 » 2.0 was valid and accepted by Visa until 12/31/14» Paciolan processed under 2.0 for this year
▫ Too much ambiguity amongst QSAs for how to evaluate 3.0
PCI DSS Update
#PACnet15
PCI DSS 3.0 is mandatory from 12/31/14 onward» Provide stronger focus on some of the greater risk areas in the
threat environment» Strong focus on POS device security! » Provide increased clarity on PCI DSS & PA-DSS requirements » Help manage evolving risks / threats » Align with changes in industry best practices » Clarify scoping and reporting
Standards will evolve slowly» New items and clarifications will be introduced periodically» ‘Guidance’ or ‘Best Practices’
6
PCI DSS Update
#PACnet15
There are two major changes in DSS 3.0 that affects Paciolan that will trickle down to you….
PCI DSS 3.0 Changes
#PACnet15
Section 9.9.2 - Inspection/tamper detection of payment devices
Create control environment to detect and react to tampering» Regular testing» Reporting results
Provide training of personnel and maintain appropriate documentation
PCI DSS 3.0 Changes
#PACnet15
Section 12.8, 12.9 - Definition of PCI control responsibilities between Service Provider and Customer» Define and document who has responsibilities for securing what
▫ Client vs. Paciolan» Customer equipment - Paciolan can’t reasonably secure (PCs, Kiosks,
swipers, network devices, etc.)» Paciolan equipment - Pac will need to setup more standardized
controls around VPN units, Pac-VT devices.» Amendment of agreements and contracts with said language –
Paciolan
PCI DSS 3.0 Changes
#PACnet15
Summary:» Clarification and documentation of policies, procedures, and
definition of responsibilities▫ Legal / contract requirements
» Inventories and documentation of in-scope equipment
PCI DSS 3.0 Changes
#PACnet15
EMV eVenue Payment Processing Tokenization Personally Identifiable Information (PII)
11
Credit Card Security Update
#PACnet15
EMV / ‘Chip and Signature’» What we know:
▫ Liability shift to banks and merchants in October, 2015▫ Visa is supporting ‘Chip and Signature’, not ‘Chip and Pin’▫ EMV efforts will be advanced on a per processor basis
– You hold the merchant relationship with bank/processor▫ Paciolan is researching CyberSource compatible hardware and awaiting
the release of APIs to scope development effort▫ Card reader hardware will cost between $250 and $750 per unit.
Higher price point units will give more than just basic EMV capability– Future encryption options– Contactless payment option: Google Wallet, Apple Pay, others?
Card Data Security Update
#PACnet15
Card Security Road Map» Payment Processing Enhancements for eVenue (7.2)
▫ Utilizes same modernized payment architecture as Pac 7.x» Tokenization
▫ Based on VISA and CyberSource Offerings▫ Pac 8
» PII Data Field Encryption / De-Identification▫ Pac 8
Card Data Security Update
#PACnet15
»
#PACnet15
Govind ShankarDirector, Systems Operations and Security
#PACnet15
Keep momentum going…. Mitigate extra costs.. Best allocate resources.. Evolving PCI climate…
15
You are PCI Compliant.. Now what?
#PACnet15
Drive security-conscious behavior Make informed risk-based decisions Cultural change and employee awareness Compliance and Business PCI as brand protection
16
Engage the Business…..
#PACnet15
17
Closing the Gap between Compliance and Security
Adhering to industry regulations is not sufficient
Ever increasing number and sophistication of attacks..
Segmentation and strategies for moving from compliance to security
The future of PCI standards
#PACnet15
18
Case Study: Target
Impact According to NY Times, Credit and debit
card information for 40 million of Target’s customers had been
compromised. An additional trove of personal information from some 70
million people had been exposed as well.
SituationTarget shoppers got an unwelcome
holiday surprise in December 2013 when the news came out 40 million Target
credit cards had been stolen by accessing data on point of sale (POS) systems .
The breach transpired between November 27 and December 15th 2014.
Over 11 GB of data was stolen. Target missed internal alerts and found out
about the breach when they were contacted by the Department of Justice.
A series of steps were taken by the adversaries to obtain access to the credit
card data and retrieve it from Target’s systems. A break down in detection
further increased data loss.
Contributing Factors. “Except for centralized authentication, domain name resolution, and endpoint monitoring services, each retail store functions as an autonomous unit” so the attacker knew to look for these pivot points.The number of POS machines that were compromised in a short amount of time indicates that the software was likely distributed to them via an automated update process.Data was moved to drop locations on hacked servers all over the world via FTPMonitoring software alerted staff ,but no action was taken.
“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology” – former Target Chairman, President and CEO Gregg Steinhafel
#PACnet15
19
Case Study:
Impact350,000 customer cards
were exposed;Approximately 9,200 of those were fraudulently
used.The data breach caused the retailer $4.1 million
in legal fees, investigations, customer
communications and credit monitoring
services.
SituationHackers broke into Neiman
Marcus’ store four months prior to stealing card data in July
2013, using memory-scrapping malware. Fraudulent card usage
was subsequently detected in December 2013.
The hackers exploited a vulnerable server to circumvent the POS systems and reloaded
their software on multiple registers after it was deleted at
the end of each day.To masquerade their activities in the protection logs the hackers
gave the malware a name nearly identical to the company’s
payment software.
Contributing Factors
The systems ability to automatically block the
suspicious activity it flagged was turned off.
Network Segmentation was not implemented
The 60,000 alerts set off by the malware were interpreted as
false positives associated with the legitimate software.
“During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware,” the company wrote. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.”
#PACnet15
20
Security Program Maturity Measurement
• Who has access?• Awareness and training programs?
• What data is most important to my organization (PII, PCI, IP, trade secrets)?
• Clearly defined data classification?
• Have tools and techniques in place to protect sensitive information?• Technical controls in place
#PACnet15
» Never reply back to an E-mail to "unsubscribe“ from unknown sources.
» Watch out for Shoulder surfers..» Passwords should be used by only one person» Read Error Messages and checkboxes..» Dumpster Diving..» Limit Social Engineering..» Phishing..» Café session hijacks..
21
General Security Best Practices..
#PACnet15
»
#PACnet15
Gene WelchManager, Customer Services
#PACnet15
Compliance and security External threat vs. internal threat External controls and internal controls Application level access controls Application logs Procedural controls to increase accountability
Staying PCI Compliant
#PACnet15
Compliance and Security» Building codes» Highway safety laws
24
Compliance and Security
#PACnet15
External threats vs. internal threats» High profile breaches - risk of compromised data» Embezzlement» Theft of inventory» Misappropriation of assets
25
External and Internal Threats
#PACnet15
External - The system’s ability to resist unauthorized attempts at access while allowing legitimate users to access data
Internal - Once determining to allow legitimate users, your internal controls come into play
26
External Controls and Internal Controls
#PACnet15
27
Internal Controls and Fraud Detection
#PACnet15
Application level access controls» Back office operator access» Selling controls
28
Application Controls
#PACnet15
Operator Access
29
Application Controls
#PACnet15
Selling Control
30
Application Controls
#PACnet15
Pac7 Selling Control
31
Application Controls
#PACnet15
Application logging» System process log» Transactions record operator, date and time» Transaction source and selling control» Seat status changes by operator, date and time
32
Application Logs
#PACnet15
Operator usage log report
33
Application Logs
#PACnet15
Transaction logging
34
Application Logs
#PACnet15
Seat Status Changes (aka Seat History)
35
Application Logs
#PACnet15
Procedural controls to increase accountability» User logins (aix, UniVerse, Pac7) – generic?» Daily balancing to system records» Complementary ticket procedures and oversight» Monitor ticket returns and credit card refunds» Tickets/barcodes voided after an event» Disabling system access when someone leaves organization
36
Additional Internal Controls
#PACnet15
New users only added to system upon confirmation with authorized personnel approval
Requested password changes for existing users will be emailed to confirmed contact email address obtained from Paciolan CRM system
Paciolan New User and Password Policy
37
Paciolan Password Policy
#PACnet15#PACnet15
Please complete either the session evaluation form on your chair or online at http://pacnet.paciolan.com/schedule.
Thank you!Questions?