Pci Europe 2009 Underside Of The Compliance Ecosystem


Description: Keynote Presentation at Security Conference in Brussels

Transcript of Pci Europe 2009 Underside Of The Compliance Ecosystem

Page 1: Pci Europe 2009   Underside Of The Compliance Ecosystem

The underside of the PCI DSS ecosystem: PCI as Security, simple facts that no-one talks about and anecdotes from the merchant’s perspective

Patrick Wheeler, [email protected]

December 2009

… The following deck is shared post event: It is intended to be accompanied by a dialog and a verbal presentation that unfortunately is not as easy to share … however if you are struggling with PCI I encourage you to contact me via email, LinkedIn or any other means you find comfortable…

Page 2: Pci Europe 2009   Underside Of The Compliance Ecosystem

Overview

• A bit of background: the presenter, and PCI DSS

• Is PCI DSS a viable security strategy in itself, or a minimum baseline standard? A walk through my favorite acronyms: PCI / ISO / ITIL / COBIT

• Why is it important to think about security strategy on an enterprise-wide level?

• What are the most common errors companies commit?

• How do you ensure your QSA is successful while adopting an integrated enterprise-wide security strategy?

Page 3: Pci Europe 2009   Underside Of The Compliance Ecosystem


Disclaimers

Doing the necessary …

“Views Expressed Here Don't Necessarily Reflect Those of Our Sponsors,” any Employer, Any Church, State or any Correct Thinking Individual

Copyrights, trademarks, images, citations and other attributable material reproduced here are incorporated for educational and illustrative purposes; please address any concerns to [email protected]

• These are my professional opinions, interpretations and recollections of situations encountered

• Without a doubt there are some factual errors, this is entirely unintentional, except where it is not

• I will refrain from using most names to protect the innocent, the guilty and those in-between

• Comments are offered with the intent to help the industry and anyone involved in protecting Payment Card Transactions and with mal-intent towards none (except maybe fraudsters)

Page 4: Pci Europe 2009   Underside Of The Compliance Ecosystem

Background … BIO

Patrick Wheeler has been involved in IT Consulting, Business, Engineering and Security for over 16 years. He has a Bachelors (BSEE) and an MBA and is a registered professional engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, IS & Operations Director and VP of Operations.

• His business, IT and best practices experience includes audit and compliance functions including PCI as well as internal & external financial & technology audits, security reviews, SAS-70 and Department of Defense. With a legal support background he has served as an expert witness on various aspects of best practices and industry standards.

• He has been involved in many industries from Government Agencies and Banking through Fashion and Retail as well as technology startups and well-known firms such as Apple, Webex, Tibco, Brocade and Wine.com. Prior to moving to Europe, where he is currently consulting in the security field, he served in California’s Silicon Valley specializing in security, compliance and operational efficiency topics.

• As the European IT Audit Manager for Levi Strauss & Company he managed their global PCI program. He remains active and opinionated within the PCI community, encouraging adoption of and improvements to security as well as the PCI program. Personal interests include driving old cars too fast while taking photographs (in a well controlled secure environment).

Photo: Andre Van Bever ©

Page 5: Pci Europe 2009   Underside Of The Compliance Ecosystem

Eight indicted in $9M RBS WorldPay heist... Eight men have been indicted on charges that they hacked into credit card processing firm RBS Worldpay, and helped steal more than $9 million in a highly coordinated heist nearly a year ago

Data Breaches are ever more frequent & negatively impact public perception & diminish public trust in an institution

Comprehensive Data Breach notification rules are inevitable

Credit Card security standards like PCI are a first step

Hackers escalate thefts of financial data: Computer hackers stole more sensitive records last year than in the previous four combined, with ATM cards and PIN information growing in popularity as targets, according … Organised criminal groups orchestrated nine in 10 of the most successful attacks, with 93 per cent of the 285m records exposed coming from the financial sector …

US to Get Data Breach Notification Laws: … notify anyone whose personal information may have been accessed in a breach … set new standards for data breach notifications, the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), were passed by the Senate Judiciary Committee Nov. 5 …

The European Council has approved a data breach notification rule for Europe's telecoms firms. … Security breach notification laws force companies which have lost customers' or employees' personal data to announce the loss. Information Society Commissioner Viviane Reding said: "The Commission will … extend the debate to generally applicable breach notification requirements and work on possible legislative solutions … In 2010, the Commission intends … a major initiative to modernise and strengthen network and information security policy in the EU."

Page 6: Pci Europe 2009   Underside Of The Compliance Ecosystem

A bit about PCI DSS

In 2003 California enacted a notification rule for private data breaches: SB1386

“The Payment Card Industry Data Security Standard (PCI DSS) consists of an industry-wide set of controls and processes for securing cardholder data. Any system that stores, processes and/or transmits cardholder data must comply with this standard.”

In 2004 the credit card brands merged their individual security programs into the Data Security Standard (DSS) v1.0; in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it.

• Initial focus was compliance among large merchants, internet channels & payment service providers.
• Compliance is required globally throughout all card channels; the only differences are in deadlines and enforcement (this is a _big_ difference).
• PCI is a baseline standard and does not guarantee security.

It is an attempt by the industry to “police itself” and to prevent fragmented governmental regulations and intervention into business practices, as well as protecting the consumer.

Page 7: Pci Europe 2009   Underside Of The Compliance Ecosystem

The Bear

Stop me if you’ve heard this before …

“two friends hiking in the forest encounter a hungry bear …”

IT security often seems like a treadmill where you only get to choose from three options:

a) Run faster than the Bear

b) Run faster than your Friend(s)

c) Get out of the Forest

May I introduce you to the Bear? SB1386

Page 8: Pci Europe 2009   Underside Of The Compliance Ecosystem


PCI Security as Policy ???

Sophisticated Enterprise Security Managers Leverage Multiple Best Practices

In a survey of security professionals conducted for the research report …72% of North American enterprise-class organizations (i.e., organizations with 1,000 or more employees) say they are implementing one or more formal IT best practice control and process models. The most widely-used commercial frameworks include:

ITIL (IT Infrastructure Library): Provides recommendations for a wide range of IT operations and service delivery best practices including security management. ITIL’s information security recommendations are based heavily on ISO/IEC 17799 and emphasize information confidentiality, integrity and availability.

ISO/IEC 17799/27002 (Information technology - Security techniques - Code of practice for information security management): Provides information security specialists with specialized recommendations for risk assessment, physical and information security policy, governance, development, compliance and access control. Originally labeled as ISO/IEC 17799, this set of best practices was renumbered as ISO/IEC 27002 in July 2007.

COBIT (Control Objectives for Information and related Technology): Provides 210 control objectives applied to 34 high-level IT processes, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT recommendations include issues related to ensuring effectiveness and value of IT as well as information security and process governance.

<source BSMReview.com>

Bear Repellent?

Page 9: Pci Europe 2009   Underside Of The Compliance Ecosystem

Security Strategy on an Enterprise-wide Level

ITIL / COBIT / ISO / PCI

Page 10: Pci Europe 2009   Underside Of The Compliance Ecosystem

CobiT: Soup to Nuts

Soup to nuts is an American English idiom conveying the meaning of "from beginning to end". It is derived from the description of a full course dinner, in which courses progress from soup to a dessert of nuts. It is comparable to expressions in other languages, such as the Latin phrase ab ovo usque ad mala ("from the egg to the apples"), describing the typical Roman meal.

"Soup to nuts" is often used in I.T. and Project Management to refer to "the complete process" from original idea to completion.

Page 11: Pci Europe 2009   Underside Of The Compliance Ecosystem

ITIL

<according to our friends at Wikipedia>

• The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing Information Technology (IT) services (ITSM), development and operations.

• ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

• ITIL security management is based on the Code of Practice for Information Security Management defined by ISO/IEC 27002.

Page 12: Pci Europe 2009   Underside Of The Compliance Ecosystem


ISO

<According to our friends at ISO27kfaq>

Page 13: Pci Europe 2009   Underside Of The Compliance Ecosystem


PCI

PCI is certainly not a strategy

One of PCI’s biggest criticisms, “It is too prescriptive”, is one of its biggest strengths…

PCI is, at its heart, basic housekeeping:

Not New
Not Complicated
Not Rocket Science

<and, as we all know, not a guarantee>

PCI is a list of procedures and explicit instructions, implementable by a decent IT security practitioner and/or competent engineers/sysadmins, and relatively easily verifiable.

Page 14: Pci Europe 2009   Underside Of The Compliance Ecosystem

Security strategy on an enterprise-wide level

• Why is it important to think about it? Don’t. Do it!
• Good Security leads to PCI compliance, not vice versa…
• Good Security Management along industry standard principles is a strong basis for PCI security
• No wasted efforts by implementing COBIT or ITIL or ISO or other standards
• Mappings between ISO/COBIT/ITIL/PCI exist, made by very dedicated and smart people.

What if we do not have an enterprise level?

Putting PCI in its place (the US version)

<thanks in part to http://www.stanford.edu/dept/Internal-Audit/infosec/>

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS v1.2)
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• Family Educational Rights & Privacy Act of 1974 (FERPA)
• Digital Millennium Copyright Act of 1998 (DMCA)
• California Civil Code 1798.82-85 (SB-1386)
• Gramm-Leach-Bliley Act of 1999 (GLBA)
• Sarbanes-Oxley Act of 2002 (SOX)
• and etc. and etc. ad nauseam

Page 15: Pci Europe 2009   Underside Of The Compliance Ecosystem


Common Mistakes Companies Make …

Page 16: Pci Europe 2009   Underside Of The Compliance Ecosystem

Card schemes unexplained

• What Tier are you? It depends… (scoping matters)
• How to count?
  • Owned & Operated: of course
  • Owned but not Operated?
  • Franchisee? Shop in Shop?
  • What about different merchant IDs, in different countries, with different banks?
• Reporting
  • Deadline? What exactly is the deadline in Europe? To whom?

Which tier am I?

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Page 17: Pci Europe 2009   Underside Of The Compliance Ecosystem


Knowing your internal landscape

No substitute for internal knowledge and gaining active assistance of knowledgeable internal resources …

Don’t send a QSA off on their own and expect efficient and solid results …

Tailor your approach to the internal resource you are speaking to …

DBA’s and SysAdmins can be a breed apart

Make certain you have the right technical skills in your team …

“do you speak L33T?”

In Scoping discussion, _everything_ is on the table . . . (Lifetime Compliance TCO Calculations can be astounding)

Page 18: Pci Europe 2009   Underside Of The Compliance Ecosystem


Working with your Internal business partners

When can your business partners be your compliance effort’s worst enemy?

Turn your internal business partners into PCI advocates…• Legal / Information Technology / Treasury

Do you really want to be a service provider…

You are going to do _what_ with our Global SAP system ?!?!?!(can we re-review the concept of ‘segmentation’ and scope reduction?)

With Chip & PIN in Europe, PCI is not / should not be necessary...

It is a problem because of you Americans…

Page 19: Pci Europe 2009   Underside Of The Compliance Ecosystem


Working with your External business partners

Some bad technology decisions that looked good at the time …(can I interest anyone in a well-used Cisco MARS log management solution?)

•Working with POS systems and e-commerce vendors

•PCI? Never heard of it …

•Certified payment application? Sure, if you pay us for it …

•When your most trusted partners trip you

•What to do when your acquirers and banks are still working on their own compliance program?

PCI Compliance is a minimum, ‘PCI +’®™© is a market differentiator

Page 20: Pci Europe 2009   Underside Of The Compliance Ecosystem

Dear Mr. Retail Director, I wish to speak with you about PCI DSS, the Data Security Standard … Wait a minute, let me get the IT guys on the phone …

Dear Ms. Risk Manager, I wish to discuss our Certificate of Compliance … Wait a minute, let me call the auditors …

Dear Mssr. Regional Store Manager, we need to discuss Requirement 12: Maintain a policy that addresses information security for employees and contractors, Section 12.3.10 when accessing cardholder data via remote access technologies – Wait a minute, let me get a pillow …

Where is the business?

Page 21: Pci Europe 2009   Underside Of The Compliance Ecosystem

… An uncomfortable discussion with the Vice President of Audit …

…an even more uncomfortable meeting with the Enterprise Risk Manager …

… Meeting with a fifth generation billionaire chairman emeritus business owner …

Where is the business?

Page 22: Pci Europe 2009   Underside Of The Compliance Ecosystem

Making sure your QSA is successful … while building an enterprise solution

I may not be a QSA, but “some of my best friends are QSA’s” (at least I think of them as my friends, perhaps not after this presentation)

No shortage of criticisms:

• Unethical sales techniques (throw a rock…)
• Too stringent in interpretations / audit focused
• Accepting restrictions from clients (typical SAS-70 conflict…)
• Race to the bottom as services become commoditized
• Overreliance on the latest whizz-bang technical solutions
• Not focusing on the true needs of the client organization
• Not being able to communicate with the client organization
• Not listening / hearing disabilities

What the Big Four Auditor missed

Page 23: Pci Europe 2009   Underside Of The Compliance Ecosystem

A few Maladies to watch out for

“Yes I know my brand is at risk …” Brand risk does not automatically justify any and all expenditure

Separating the tools from the fools while ensuring their success in spite of themselves. Check your QSA for these maladies:

• Hammer syndrome – When you have a hammer, everything looks like a nail
• Herr Professor Doctor syndrome – Lecturing on an hourly bill rate
• The Niche syndrome – Yes, I know my encryption is lousy, but tell me about my network segmentation
• The Opinion syndrome – ‘In my professional opinion …’

When to keep your QSA in a locked box and not let them out in front of a senior executive

Page 24: Pci Europe 2009   Underside Of The Compliance Ecosystem


A few suggestions …

Build internal competence and a sense of responsibility & ownership within the organization

Repeat after me: “The QSA’s success is the client’s success”

Tone at the top matters … as do sotto voce comments

Ensure your QSA can engage with you on a strategic level

Ensure you can engage with your QSA on a strategic level

Choose your tools wisely, focus on long term solutions

Don’t buy quick-fix one-size-fits-all snake-oil magic-overnight-compliance solutions

Look for integrated solutions merged into existing mature business & IT processes

Look for tools that help you manage the security process, not PCI technical solutions

Page 25: Pci Europe 2009   Underside Of The Compliance Ecosystem

A few errors PCI commits on our behalf …

• Names matter …
• One size fits all …
• Scaled down sizing will work …
• What about Europe, Asia, the rest of the Americas, Oceania …

Page 26: Pci Europe 2009   Underside Of The Compliance Ecosystem

Is Compliance killing us ???

A few things we know to be true …

• PCI Compliance ensures credit card security
• Once we pass PCI we are secure
• Once we certify our compliance we are good for the rest of the year
• We need to pass the PCI compliance audit
• PCI compliance is best handled via the IT Project Management/Compliance Office with the assistance of the IT Security Group, bringing the QSA auditors in to validate afterwards

If it walks like a duck & talks like a duck, what is it?

PCI + ®™©

Page 27: Pci Europe 2009   Underside Of The Compliance Ecosystem


DSS, its own worst enemy and our best hope

We all know what we wish to avoid … fragmented governmental rules(did I say that?)

A myriad of critics and criticisms, no better solution on offer …

We are all responsible for the success of the PCI ecosystem