PCI Security Standards Council · 2018. 4. 4. · systems (PCI DSS Req. 11) Key problem areas for...
PCI Security Standards Council
Today’s Speaker
Mark Mrotek
Certifications Program Manager
PCI Security Standards Council
Today’s Agenda
• About the PCI Security Standards Council
• Protecting Payments with PCI Standards, Best Practices & Services
• 2016 Updates
• Educational Resources & Training
• Involvement Opportunities
About the PCI Security Standards Council
Founded in 2006 - Guiding open standards for payment card security
• Development
• Management
• Education
• Awareness
Our Focus
Collaboration and information sharing
Education
Simplified solutions for merchants
Cybercrime is on the Rise
38% more security incidents were detected in 2015 than the year before. – PWC 2016 Global State of Information Security Survey
$7.7 million - average cost of global cybercrime in 2015 – Ponemon/HP
ISACA, January 2016
Breaches can be Prevented
92% of compromises were simple
97% were avoidable through simple or intermediate controls
99.9% of breaches were preventable – caused
by known vulnerabilities with fixable patches
76% of companies took weeks or more to
discover breach
67% of organizations did not adequately test the
security of all in-scope systems
72 percent of hackers say they won't waste time on an attack that doesn't hold the promise of quick and high-value information, and 69 percent will quit if they see that the target has a strong defense. – Ponemon Institute
PCI Security Standards, Best Practices & Services
Training – Assessors, Investigators
Certification – Equipment, Service Providers, Assessors, Investigators
Payment Equipment | Payment Software | Merchant & Payment Service Provider Environments
[Diagram: PCI Security Standards across the transaction cycle – Point of Interaction (In Store, Ecommerce, MOTO); Merchant (Data center, Server, Stock Control, Mgmt., Sales and Marketing, 3rd party suppliers); The Internet; 3rd Party Processor; Acquiring Bank]
Protect cardholder data throughout the transaction cycle
Six Goals / Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
PCI Data Security Standard (PCI DSS)
Other Standards & Solutions
• Point-to-Point Encryption
• Payment card production
• Payment terminals
• Payment applications
• Cover wide variety of payment
security challenges
• Provide protection for payment
data in multiple channels – online,
mobile, in-store
• Ensure lab-tested devices and
technology solutions
• Token Service Providers
Certification
• Payment Application Assessors
• PCI Forensic Investigators
• Internal Security Assessors
• Approved Scanning Vendors
• Point-to-Point Encryption Assessor
• Qualified Security Assessor
• Qualified Integrator & Reseller
• U.S. EMV VAR Qualification Program
Training
PCI Awareness Training
PCI Essentials
PCI Professional Program (PCIP)™
Internal Security Assessor (ISA) – Online!
Qualified Security Assessor (QSA)
Qualified Integrators and Resellers (QIR)™ Program
Corporate Group Training – Let Us Come To You!
To learn more, visit:
www.pcisecuritystandards.org/training
Ongoing Security Remains Challenge
Key problem areas for breached organizations:
• Logging and monitoring controls (PCI DSS Req. 10)
• Maintaining secure systems (PCI DSS Req. 11)
• Testing security systems (PCI DSS Req. 11)
“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”
– QSR Magazine
Why we fail to maintain secure environments
• Lack of awareness by IT practitioners
• Incentive to keep security a primary focus
• Quickly evolving technology landscape
• Rapid development and distribution of new solutions
• Still unnecessary exposure of cardholder data
Why?
Compliance vs. Security
Reliance on annual assessments
Pressure to meet customer demands
Failing to adapt to changes
Compliance vs. Security
“While validation is no assurance of security, not being compliant is pretty much a guarantee that you’re not secure.”
-2015 Verizon PCI Compliance Report
Moving From Compliance to Protection
• Focus on security not compliance
• PCI DSS is not a once-a-year activity
• Don’t forget about people
Mitigate Risk with Vigilance
• Software patched & up-to-date
• Configuration settings don’t expose payment card data
• Monitor internal & 3rd party access
• Use strong authentication & strong passwords
Regularly Monitor Controls!
Ongoing Security
Understand how
changes in the
organization affect
security controls
Monitor security control
operation
Conduct periodic
security control
assessments
Detect and respond to
security control failures
The Standards Continually Evolve
Research · Threat and Risk Landscape · Industry Feedback
Secure Sockets Layer (SSL)
SSL to TLS Background and Timeline
• SSL/TLS used as example in DSS v3 and earlier
• Example of ‘strong cryptography’
• Example of additional security for insecure services
• Marketplace feedback
• Technical issues - relatively easy
• Business issues - complex
• April 2014: NIST – SSL & TLS 1.0 Unsafe
• PCI SSC Seeks Industry Input
• April 2015: PCI SSC Issues PCI DSS v3.1 and Guidance
• Marketplace Feedback
• December 2015: PCI SSC Issues New Migration Dates
SSL and Early TLS: New Migration Dates
All processing and third party entities – including Acquirers, Payment Processors, Gateways and Service
Providers must provide a TLS 1.1 or greater service offering by 30 June 2016.
All entities must cutover to a secure version of TLS (as defined by NIST) by June 2018.
Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with
TLS 1.1 or greater (TLS 1.2 recommended).
POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to all known exploits for SSL and early TLS can continue to use SSL/early TLS beyond June 2018, consistent with the current exception.
SSL & early TLS are not considered strong cryptography and are not allowed as a security control after 30 June 2018.
Key Recommendations
• Migrate to a minimum of TLS 1.1, preferably TLS 1.2
• Patch TLS software against implementation vulnerabilities
• Configure TLS securely
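The migration dates and recommendations above, turned into something an assessor or admin can run. This is an added example, not material from the PCI SSC deck: it encodes the deck's policy (TLS 1.1 minimum, TLS 1.2 recommended, SSL/early TLS not a security control after 30 June 2018) as a checker over constructed scan lines, and builds a Python `ssl` client context that cannot negotiate SSL or early TLS. Treating "June 2018" as 30 June 2018, and the POI carve-out as a caller-supplied flag, are assumptions of the example.

```python
# Added example, not from the PCI SSC deck: the SSL/early-TLS migration policy the
# slides state, encoded as a checker, plus a Python ssl context that enforces it.
import ssl
from datetime import date

# Deadline quoted on the slides. Reading "June 2018" as 30 June 2018 and modelling
# the POI-terminal carve-out as a flag are this example's assumptions.
CUTOVER_DEADLINE = date(2018, 6, 30)

EARLY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}   # "SSL and early TLS"
MINIMUM = {"TLSv1.1"}                            # allowed floor per the deck
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}             # TLS 1.2 recommended

def classify_protocol(proto, assessed_on, new_implementation=False, verified_poi=False):
    """Verdict for a negotiated protocol name on an ISO date, per the migration dates."""
    assessed = date.fromisoformat(assessed_on)
    if proto in RECOMMENDED:
        return "recommended"
    if proto in MINIMUM:
        return "allowed"
    if proto not in EARLY:
        raise ValueError(f"unknown protocol name: {proto}")
    if verified_poi:            # POI terminals verified not susceptible keep the exception
        return "allowed (POI exception)"
    if new_implementation or assessed > CUTOVER_DEADLINE:
        return "not allowed"    # new builds never; existing ones not after the cutover
    return "allowed with risk mitigation until 2018-06-30"

def review_scan(scan_lines, assessed_on):
    """Classify constructed 'host protocol' lines, e.g. from a TLS scan export."""
    verdicts = {}
    for line in scan_lines:
        host, proto = line.split()
        verdicts[host] = classify_protocol(proto, assessed_on)
    return verdicts

def make_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that cannot negotiate SSL or early TLS; floor defaults to TLS 1.2."""
    if floor < ssl.TLSVersion.TLSv1_1:
        raise ValueError("SSL and early TLS are not strong cryptography")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor         # refuses SSLv3 / TLS 1.0 / TLS 1.1 handshakes
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx

SAMPLE_SCAN = [                          # constructed sample, not real hosts
    "gateway.example TLSv1.2",
    "legacy-pos.example TLSv1",
    "api.example TLSv1.1",
]

if __name__ == "__main__":
    for host, verdict in review_scan(SAMPLE_SCAN, "2018-07-01").items():
        print(f"{host:20} {verdict}")
    print("client floor:", make_client_context().minimum_version.name)
```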
Additional Guidance: Information Supplement & FAQ
• Clarification on “new” vs. “existing” implementations
• Guidance on allowances for POS POI environments
• Suggestions/examples of risk mitigation techniques
• Suggestions/examples on alternative cryptographic options to replace SSL/early TLS
• Best practices for proper TLS configuration
• FAQs and tips for small merchant environments
PCI DSS Version 3.2
• DSS v3.2 to be released in first half of 2016
• To address SSL/TLS migration
• Additionally Under Review for DSS:
• Access controls for authentication to CDE
• Review of Designated Entities requirements for inclusion
• Review of existing PAN criteria for masking, etc.
Prioritize Technology: Devalue Data and Reduce Risk
EMV chip
Tokenization
Point-to-Point Encryption
• Improve your security.
• Reduce your risk.
• Simplify your PCI DSS
compliance efforts.
“Fraud is evolving at a frantic pace…When the industry cracks down on one type of fraud, criminals quickly shift their attack vector and area of operation.”
– Al Pascual, Fraud & Security, Javelin Research
Magnetic Stripe Fraud
Data on magnetic stripe is static
Can be easily captured or copied
Written onto a second card to make a clone
Used to undertake fraudulent transactions
[Images: hand-held skimmer; skimmer in POI device; skimmer attached to ATM]
Impact of EMV Chip on F2F Fraud
If I Have EMV Chip, Do I Need PCI?
The Security Fruit Tree
Low hanging fruit
Bulk fruit
High Fruit
Card-Not-Present data
EMV chip card data
PCI and EMV chip
together
“Card-not-present (CNP) fraud is expected to more than double from $2.8 billion to more than $6.3 billion by 2018.” – Aite Group
Preparing for EMV Chip with PCI
• There is no silver bullet
• EMV does not negate the
need for secure passwords,
patching systems, logging
monitoring for intrusions,
using firewalls, etc.
• EMV chip brings great
benefits to transactions in
your stores, but fraud will
migrate to the online
marketplace
• Multi-channel organizations
need to consider their entire
payment infrastructure, not
just brick and mortar, and
ensure proper security
protocols are in place
• Talk to your acquiring bank to
understand implications and
benefits of EMV chip
migration for your business
• Talk to your technology
vendors and service
providers to make sure you
are securing the other parts
of your system and
purchasing the right products
and services
EMV chip needs PCI protections
Don’t forget e-commerce security
Use trusted partners
Upgrade your terminals and devices for the best security and to take advantage of the latest technology options to enable your business.
Replace any version that has expired – choose a 3.1 version device or higher from the PCI PIN Transaction Security listing.
Consider any future Point-to-Point Encryption (P2PE) and tokenization plans and what additional layers of security you may want to make the best investment.
Point-to-Point Encryption and Tokenization
PCI Guidance and Best Practices
• Tokenization best practices
• Merchant Guide to Point-to-Point Encryption
• PCI DSS compliance in the cloud
• Building a security awareness program
• Protecting against malware
• Skimming prevention
• Defending against phishing attacks
• Working with third parties
• Maintaining PCI DSS compliance
• Accepting payments with a mobile phone
Available at: www.pcisecuritystandards.org
“90% of all incidents were attributed to human error or misuse of systems.” – Verizon 2015 Data Breach Investigation Report
PCI Awareness Training
What is it?
• Entry-level course that provides baseline knowledge of PCI DSS for organizations that must meet compliance with PCI DSS
Who should attend?
• Managers or business owners charged with PCI DSS compliance / data security
What’s the benefit?
• Drive understanding of PCI DSS compliance across your business
• Learn how and where to implement PCI across your organization
How is this course offered?
• One day instructor led training
• Four hour online course
PCI Professional (PCIP) Training
Who?
Professionals in the payment industry with two years’ experience in an IT or IT-related role and knowledge of information technology, network security and architecture, and the payment industry
When and Where?
Anytime, from home or office - Six hour self-paced eLearning course. Final exam administered at Pearson VUE Testing Center
What you get? You’ll learn:
• Principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE
• Appropriate uses of compensating controls
• How new technologies affect PCI
• And more
Why?
Two year individual qualification that demonstrates knowledge of PCI standards
ISA Training
Who?
Experienced security assessment, risk management and audit staff at ISA Sponsor companies
When and Where?
• eLearning training available anytime, from home or office - 8 hour self-paced course (plus four hour online pre-requisite course)
• Two day instructor-led classes scheduled at locations worldwide (plus four hour online pre-requisite course)
What you get? You’ll learn:
• PCI DSS assessment and testing and reporting procedures
• Network segmentation
• Hardware and communications infrastructure
• And more
Why?
Annual qualification to assess and validate their company’s adherence to PCI DSS
“As threats continue to mount, understanding and managing cybersecurity risks have become top of mind for leaders in business and government…Businesses are also embracing a more collaborative approach to cybersecurity.”
– PWC 2016 Global State of Information Security Survey
Partner with the Council
Participating Organizations
727 PCI Council Participating Organizations
Join the Global Collaboration Today!
https://www.pcisecuritystandards.org/get_involved/participating_organizations
Community Meeting – Las Vegas
www.pcisecuritystandards.org/about_us/events
20 – 22 September 2016
Q&A
Thank you