THE WORLD OF CYBERSECURITY UNDERGROUND, HIPAA & PCI
Iowa Optometric Association
March 29, 2019
© 2019 RSM US LLP. All Rights Reserved.
Introductions
Travis Wendling, Manager, Security and Privacy Risk, [email protected]
Jonathan Dreasler, Manager, Security and Privacy Risk, [email protected]
Agenda
• Current Landscape & Challenges
• Implementing the Security Change
• HIPAA Compliance and Security Frameworks
• Shedding Light on the dark web
• Understanding the Card Payment Process
• Questions & Answers

CURRENT LANDSCAPE & CHALLENGES
The rising criticality of information security
In the current economic, political and social landscape, addressing security has become a core necessity for most organizations:
• Privacy and identity theft are on the rise, and customers demand a higher level of security assurance.
• Network espionage is on the rise.
• Business partners, suppliers, and vendors are requiring assurance from one another.
• Regulators are calling for organizations to demonstrate due care with respect to security.
What it sells for?
[Price chart. Items: Social Security Number; Online Payment Services; Driver License; Loyalty Accounts; Diplomas; Passports; Credit or Debit Cards (sub-labels: With CCV #, With Bank Info, Fullz Info); General Non-financial Institution Logins; Subscription Services; Medical Records. Price labels shown: $1; $20–$200; $20; $5; $15; $30; $1–$10; $1–$1000; $100–$400; $1000+.]
Misconceptions
• New world order
− Underground markets bringing the two sides together
− Motivated attackers place bounties for the skilled attackers to chase
− Skilled attackers breach environments and sell access to the motivated
− The underground economy has lowered the knowledge threshold
− Skilled attackers make more money at less risk by selling their knowledge in packaged form
• Kits, automation, subscriptions, malware prepacks, etc.
− Result: Pseudo “Advanced Persistent Threat (APT)” attackers
• a.k.a. “Idiots with nuclear weapons”
The more we see the less we know
• Threats to systems and data have shifted rapidly in the last 24 months.
• Many of the standard methods of protection are now being bypassed with ease.
• Attackers have moved from brute force to simplicity, misdirection, abuse of trust.
• Over 90 percent of the incidents we have worked in the last 24 months have come from “the big 3.”
− Social Engineering
− Client Side Attacks
− Custom Malware
• Being aware of these attacks will help you properly manage the risk to your organization.
Cybersecurity Threats
• Hacking—Breaking through a vulnerability and moving laterally
− Network penetration
− Data leakage and theft
− Social engineering
• APT—“Uninvited Guest”
− Arrives into your network and stays there under the radar
− Harvesting information over time
− Typically not found with anti-virus software
− Sophisticated
• Malware—Code that is designed to do bad things
− Execution of malicious code on an infrastructure
− Escalate unauthorized privileges
− Shut down your network (DDOS)
− Encrypt key data (ransomware)
Cyber claims 2018—causes of loss
• Hackers: 22%
• Ransomware: 16%
• Malware/Virus: 11%
• Lost/stolen laptop: 9%
• Third Parties: 3%
• Rogue Employees: 8%
• Staff Mistakes: 6%
• Business Email Compromise: 5%
• Other: 20%
Cyber claims 2018—by industry
• Technology: 7%
• Financial Services: 13%
• Health Care: 18%
• Non-Profit: 8%
• Professional Services: 18%
• Retail: 11%
• Other: 25%
Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study

2018 NetDiligence
[Chart slide. Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study]
Data breach—the costs
NetDiligence results:
− Per record costs: Median = $47.52; Mean = $169
− Total costs: Median = $50,000; Mean = $854,000
IBM/Ponemon results*:
− Per record costs: Mean = $148
− CIFI**: Per record for FI = $336
*Benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC
**The impact of Cybersecurity Incidents on Financial Institutions, February 2018
Data breach—the odds
The average global probability of a material breach in the next 24 months is 27.9 percent, an increase over last year’s 27.7 percent.*
*Benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC

Data breach—the odds
If 2018 felt bad for breaches in the U.S.—It was!!!*
*Benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC
Security statistics—trouble with the math?
[Chart: Average Records Exposed (In Millions), by year 2011 through 2018; y-axis 0 to 3.5. Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study]

Security statistics—trouble with the math?
[Chart: Number of Claims by Data Type (PCI, PHI, PII, Files-Critical, Non-card Financial, Other); y-axis 0 to 25. Compiled from: NetDiligence/RSM 2018 Annual Cyber Claims Study]

HIPAA COMPLIANCE AND RISK ANALYSIS
HIPAA Compliance
Security
• Risk assessment and analysis
• Access management
• Incident response
• Contingency planning and backups
• Workstation security
• Media movement and destruction
• Encryption
• Audit controls
• Business associates
• Training and updates
Breach Notification
• Risk assessment of breach
• Notice to individuals
• Notification to media
• Notification to secretary
• Notification by BA
• Law enforcement delay
• Burden of proof
Privacy
• Notice of privacy practices
• Rights to request privacy protection for PHI
• Administrative requirements
• Uses and disclosures of PHI
• Amendment of PHI
• Accounting of disclosures
Risk Analysis
HIPAA compliance approach
Central/Enterprise Controls: Risk management; Policy; User provisioning; Workforce training; Incident management; Disaster recovery; System auditing and logging; Physical and environmental
Risk Analysis: Asset inventory; Asset classification; Threat sources; Control effectiveness; Vulnerability assessment; Residual risk; Corrective action plans
Site Assessments: Site profile; Site planning and coordination; Control and sampling finalization; Site reporting
Risk analysis
• Enterprise Applications
• Site Applications, networking, devices
• Physician Applications and Networking
• Data Centers and Server locations
• Vendor Access; badging, computing devices
• Mobile Devices
• Marketing applications
• Printers and copy machines
• Medical devices
• Shared drives
Should include complete lists of:
• All Applications
• Sites
• Vendors
• BAAs
• Hardware
• Software

SECURITY FRAMEWORKS
Security drivers
• HIPAA
• ISO/IEC 27001, 27002, 27799
• CFR Part 11
• COBIT
• NIST SP 800-53r4
• NIST SP 800-66
• NIST CSF
• PCI DSS v3
• FTC Red Flags Rule
• JCAHO IM
• HHS Security Guidance
• CMS IS ARS
• MARS-E v1
• THSC 181
• TAC 390.2
• 201 CMR 17.00
• NRS 603A
• CSA Cloud Control Matrix v1
Security program management
Elements: Security Program; Assessments; Risk Analysis
• Defined methodology
• Assessments and actions aligned to frameworks
• Assets defined
• Threats and vulnerabilities assigned to assets
• CAPs identified and prioritized
• Controls maturity measurement
• Locations and functions
• Technologies and projects
• Pen Testing
• Vendors
Flows between the elements: Assets and Priorities; Direction on what to monitor and how; Feedback on control effectiveness, identification of new risk areas

IMPLEMENTING THE SECURITY CHANGE
What is information security governance?
• Framework of established security elements to protect data
• Alignment of cyber security strategy with business strategy
• Establishes risk and asset management parameters
• Effective and efficient management of cyber risks
• Policies, procedures and guidelines
• Oversight to govern critical data assets
• Efficient implementation of processes in a cost effective manner
• Organizational structure and skills alignment
• Roles and responsibilities
• Visibility to risk mitigation, resolution and remediation efforts
• Cyber capability and maturity
• Real-time reporting and KPIs
Tactical challenges
CHALLENGE 1: LACK OF GOVERNANCE AND COMMON UNDERSTANDING OF RISKS
Questions: Who should own the security for cyber assets and what should be the governance mechanisms in place? Is cyber asset security an IT problem?
CHALLENGE 2: TECHNICAL SECURITY CONTROLS
Questions: How do we implement technical security controls across all the different systems, components and modules?
CHALLENGE 3: ONGOING MAINTENANCE THROUGHOUT THE ASSET LIFECYCLE
Questions: Do we understand the new threat vectors introduced by system changes? Do we always conduct change driven risk assessments?
CHALLENGE 4: INHERENT ARCHITECTURAL LIMITATIONS
Questions: How do we approach different generations of systems (i.e., legacy systems with inherent limitation and end of life) and consistently apply security controls?
CHALLENGE 5: ASSETS/DEVICE CONTROLS
Questions: Do we have a complete inventory of our assets, their current security state and do we have clearly documented controls for these assets?
CHALLENGE 6: LACK OF CENTRALIZED COMPLIANCE MONITORING AND IMPROVEMENT INITIATIVES
Questions: Do we know how many systems currently comply with security guidelines and how many are vulnerable?
CHALLENGE 7: HIGH RELIANCE ON VENDORS
Questions: Do we understand the way the vendors connect and use our systems?
Security domains
FRAMEWORK ELEMENT: DESCRIPTION
Oversight: A structure through which an organization directs, manages and reports its security management activities. It encompasses clearly defined roles and responsibilities, decision rights, the risk governance operating model, and reporting lines. Further, it allows for a conscious decision to use risk management to enable the achievement of business plans, goals and strategic objectives. It includes a risk appetite statement supported by risk tolerances, limits and associated breach protocols to control risk levels throughout the organization.
People: Values and behaviors present throughout an organization that shape security decisions. A security aware culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits. A strong security culture helps to encourage strategic decisions that are in the long-term best interest of the organization, its shareholders and employees.
Process: The activities in place that allow an organization to identify, assess and quantify known and emerging security risks. The risk assessment and measurement processes allow organizations to consider the extent to which potential events may have an impact on achievement of objectives. It encompasses qualitative and quantitative approaches, processes, tools and systems that organizations develop and implement to identify, assess, and measure security risks.
Technology: Management of risk data that can be translated into meaningful risk information for stakeholders. It includes the development and deployment of risk management tools, software, databases, technology architecture, and systems that support risk management activities.
RSM security framework
Domains: Oversight, People, Process, Technology
Framework elements:
• Board & Executive Oversight
• Security Awareness & Training
• Identity & Access Management
• Security Architecture & Design
• Security Governance & Strategy
• Incident Management
• Regulatory & Legislative Compliance
• Vulnerability & Malware Management
• Public Relations
• Sourcing & Vendor Management
• Cyber Insurance
• Information Asset Management
• Litigation & Investigation
• Coordination with Law Enforcement
• Effective management of Cyber Risk
• Understanding of Cyber Threats
• Organizational Culture
• Communications
• Roles & Responsibilities
• Security Organization Structure
• Security Skills & Competency
• Application & System Development
• Business Continuity
• Physical Security
• Security Monitoring
• Threat Modelling
• Intrusion Detection & Prevention
• Configuration Management
• End Point Security
• Data Loss Prevention
(RSM’s Security Governance Framework)
Example risk maturity continuum
Maturity levels, applied to each of Oversight, People, Process and Technology: Weak, Sustainable, Mature, Integrated, Advanced.
Characteristics, in order from Weak to Advanced:
• Security governance pre-requisites for a formal security management framework are not in place.
• Security processes and frameworks are siloed.
• Undocumented and inconsistent processes are used.
• Security activities are not aligned with business strategy.
• Security capabilities are dependent on individuals.
• Cyber risks are not consistently considered as business decisions are made.
• The business does the minimum to meet the expectations of internal and external stakeholders.
• Select security activities are defined, some of which are aligned with business strategy.
• Security capabilities vary across the “three lines of defense.”
• There is limited and inconsistent use of supporting technology. There is limited focus on emerging risks and/or scenario analysis.
• The board and executives are increasingly confident that security risks are being effectively managed based on emerging threats, external benchmarking, and the use of risk appetite, tolerances and limits.
• Risk management activities are aligned with business strategy. Security management functions demonstrate a level of consistency, but remote operations or business entities are not integrated. Use of technology is not integrated.
• Security management capabilities and activities are integrated and coordinated across corporate and remote operations and business entities.
• Security management objectives and value proposition are consistently aligned with business strategy.
• Common tools and processes are used with enterprise-wide risk monitoring, measurement and reporting.
• Risk management activities are fully embedded in strategic planning, capital allocation, and in daily decision-making.
• An early warning system is in place to notify the board and management of risks above established thresholds.
• Security management serves as a source of competitive advantage.
• Incentive compensation formally considers risk management.
RSM’s cyber maturity evaluation methodology is adaptable and will encompass evaluation against industry-leading security standards, e.g. FFIEC, PCI, ISO, NIST, IEC, NERC CIP, SANS etc.
The road to sustainable security
• Standardization of enterprise-wide security processes
• Consistent deployment of security standards and initiatives across the enterprise
• Identification of gaps in current skill sets
• Incorporating industry-leading practices to secure systems
• Enabling senior management to monitor effectiveness of security controls and processes
• Better informing personnel and enhancing company-wide security awareness
• Improved security skill sets through targeted training
• Increased security of assets and control systems
• Reduction or avoidance of noncompliance fines
• People and change—a security-minded culture

BREAK
SHEDDING LIGHT ON THE DARK WEB
Quick shout out
Wanda Archy
− Current: Cyber threat intelligence at RSM
− Location: Washington, DC
− Background: Dark web investigations
− Education: Georgetown University, M.A., intelligence; B.S., sci/tech/int’l affairs
− Previous: Threat intelligence consultant, financial institution security analyst
− Certifications: CISSP, CEH, Security+
− Other: Native Russian speaker, yoga enthusiast
[email protected]/in/wandaarchy
*All screenshots are original.

OVERVIEW & BACKGROUND
What is the “dark web”?
• The dark web is the part of the web that requires anonymizing software to access.
• The dark web is a subset of the deep web, which is unindexed by conventional search engines.
• Where criminals live!
Examples of TOR sites
• Marketplaces: These include any goods sold on the dark web (money, drugs, hit men, exploits, “hacker clothes”).
• Forums: Discussions are held here (lots of valuable intelligence that affects companies).
• Paste Sites: Unlike open web paste sites, these data dump treasure chests are not removed.
• Search Engines/Wikis: The Googles and Wikipedias of the dark web help you navigate to where you want to go.
• Social Media, IRC Networks, Chat Rooms: Different from forums, here actors can discuss whatever they wish in private.

Let’s find stuff!
Anything—absolutely anything.
Examples of information/items
Sensitive Information
• Personally Identifiable Information (PII)
• Personal Health Information (PHI)
• Payment Card Information (PCI)
• Company blueprints
• Company and customer credentials
Merchandise
• Physical goods
• Hit men
• Drugs
• Exploits/vulnerabilities
• Hacking tools
Reputational Damage
• Brand chatter
• Imminent threats (e.g., DDoS, SWATing, physical attacks)
• Other subversive actions (e.g., theft of merchandise, possible fraud)
Threat actor types
The dark web is operated by the following adversaries.
• Advanced Persistent Threat (APT): Motive: espionage, reconnaissance. Attack type: spearphishing, backdoor Trojans.
• Criminals: Motive: financial gain. Attack type: social engineering, phishing, ransomware.
• Hacktivists: Motive: political protest. Attack type: web defacement, SQLi, XSS.
• Terrorist Sympathizers: Motive: spreading propaganda. Attack type: web defacement.
• Insiders: Motive: accidents, financial gain, political cause. Attack type: exfiltration of data.
• Researchers: Motive: curiosity, bounty programs. Attack type: vulnerability exploits.
Actors are always on!!!
Actors are continuously operating on the dark web.

And obviously the crazies are there
They’re on Google too though.
Took too many ‘PartyPoppers’
Russian criminal underground
The majority of the dark web is Russian!!!
Lone Hackers
− Bored, want more fun
− DDoS, spam, SQLi, XSS
− Want more $$
− Ex: w0rm; Oleg Nikolaenko
Criminal Groups
− Organized, very cartel-like
− Million dollar profits
− Forum administrators
− Ex: ZeuS botnet gang; Russian Business Network
Criminals sponsored by nation-state
− Group 2 working with Russia’s intelligence agencies (FSB, SVR, GRU)
− Advanced Persistent Threats
− Ex: 2007 Estonia attacks; 2008 Georgia attacks; 2014 Ukraine attacks; 2016 U.S. election?

Are YOU a target today???

CASE STUDIES
Data breach example: Ashley Madison
Data from Ashley Madison (popular extramarital site) was exposed by Impact Team and later dumped on the dark web. Have you searched the dump for your friends or exes?

Carding forum
Joker’s Stash is the most popular “carding” forum on the dark web. Wow, cards for a dollar!

Did you think tax season was over?
Not on the dark web… This information is found on the “Wall Street” of the dark web.

Drugs are everywhere
But that is in the real world too.

Personal information for sale
So much information about you out there, so little time…
Did they really have to steal my Starbucks—FOR FREE?!

Company information for sale
Companies across all sectors are targeted.

Feels like Amazon…

But isn’t Amazon…

Rent-A-Hacker
If you can’t do it yourself—have someone do it for you. This guy seems great.

Bad guys need love too
Who doesn’t want more friends on social media?
I would do this…
Everyone is looking for friends.

Hacking services
Exploits are very common to buy on the dark web.

Health records
Rarer to find, but becoming more available. Expensive in comparison to personal information or credit cards.

What happened when President Trump took over?
After President Trump’s rise, lots of new forums started popping up…
USA citizenship for $5900
Fake IDs, holograms too…
Fake forums advertising leaks from Trump campaign scandal(s)
Weird things…

WHAT DOES MY ORGANIZATION DO NOW?
Five steps for effective cyber threat intelligence
1. Create threat actor profiles to monitor malicious actors.
2. Perform due diligence sweeps across open and closed sources for your data.
3. Perform dark web investigations on an ad hoc basis depending on your sector and industry.
4. Conduct intelligence briefings and C-suite level reporting to keep executives informed.
5. Build out internal threat intelligence capabilities to improve overall cybersecurity strategy and determine exposure risks (see next slide).
Determining intelligence criticality
Risk: Examples
Critical
• Client administrative-level credentials
• Sensitive data breach dumps, including full PII, PHI, emails, or company blueprints
• Zero-day exploits discovered that are not known by the client
• Malicious indicators (IPs, botnets, malware) directly linked to the organization that imply compromise
• Imminent attacks planned by actors
• Active company credit cards (corporate and customer) sold on closed sources
High
• Other leaked credentials, such as employee or customer passwords
• Company goods (excluding credit cards) sold on closed sources
• “Doxed” information on high-level executives
• Potential for company to be linked to a malicious technical indicator that requires further investigation
• Company ID badges (to be used for impersonation)
Medium
• Known exploits or vulnerabilities being used by threat actors to target the organization
• Leaked credentials that are not in cleartext or able to be decrypted by the RSM team
• Seemingly credible threats against the organization
• Technical data dumped to paste sites that requires further analysis
• Inactive company credit cards sold on closed sources
Low
• Chatter on closed sources, such as the dark web and IRC networks
• Dumps containing only usernames
• Company signatures (to be used for social engineering campaigns)
Non-Issue/Observation
• Chatter on open sources, such as social media
• False positives associated with the company
• Company events (to be used for social engineering campaigns)
General cybersecurity recommendations
• Always ask why someone needs your information.
− Do you really want spam email anyways? Why are you wearing a nametag?
• Don’t get lazy: Avoid clicking links within unsolicited emails or text messages; go to the legitimate site and type in the URL.
− https://www.bankofamerica.com—Correct
− http://www.bankofmerica.com—Incorrect
• Use strong passwords and change them often.
− We advocate for passphrases.
• Do not use public Wi-Fi (note Pineapple!!).
• Start with physical security.
− We do actually “dumpster dive”?
• Avoid geolocation tagging in photos or Tweets.
− How many pictures of your cat do I need?
• Make your social media as private as possible.
• Don’t talk publicly about your company.
− Happy hours are perfect targets!!

UNDERSTANDING THE CARD PAYMENT PROCESS
Payment industry—key terms
• PCI DSS—Payment Card Industry Data Security Standard
• Payment cards—the credit card
− Visa
− MasterCard Worldwide
− American Express
− Discover Financial Services
− JCB International
• Merchant—entity that accepts payment cards for payment
• Acquirer—(merchant bank or acquiring bank) typically a financial institution that processes payment card transactions for merchants
• Issuing bank—financial institution issuing the credit card
Payment industry—key terms
• Service provider—business entity not directly involved with processing of payments (e.g. managed firewall service provider)
• Cardholder data environment (CDE)—stores, processes, or transmits cardholder information
• Qualified Security Assessor (QSA)—PCI-trained and certified assessor
• Report on Compliance (ROC)—report generated by QSA for Level 1 assessments
• Self Assessment Questionnaire (SAQ)—reporting for Level 2-4 assessments
• PAN—primary account number or the credit card #
Credit Cards—Primary Account Number
1. Major-industry identifier
2. Issuer identification number
• Amex—3xxx xx
• Visa—4xxx xx
• MasterCard—5xxx xx
• Discover—6xxx xx
3. Account number
4. Check digit/checksum
Often on receipts you may see only the last four digits displayed, or the first six and last four digits. All others should be masked.
What is the PCI Security Standards Council (SSC)?
• The PCI SSC is an independent industry standards body providing oversight of the development and management of the PCI DSS on a global scale. The PCI SSC founding payment brands include:
− Visa
− MasterCard Worldwide
− American Express
− Discover Financial Services
− JCB International

PCI Standards
What is the PCI DSS?
• The PCI DSS defines the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
• PCI standards are required by the card brands and administered by the PCI SSC.
• It was created to increase controls around cardholder data to reduce credit card fraud.
Why PCI compliance?
• Hackers and large international organized crime are targeting merchants and their payment channels
• High fees for noncompliance with PCI DSS
• The fallout of a card data breach:
− The resulting costs can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.
− A breach could result in an average cost of $200 per card number lost
− Long-term reputational effects to your company
• Payment cards were the most frequently exposed data in 2017, but over the past year or so that has fallen, and they account for only 9 percent of total records exposed in 2018, according to the RSM and NetDiligence 2018 Cyber Claims Study.

PCI DSS requirements
PCI DSS validation levels
• Merchant levels
− Defined by the payment brands based on transaction volume
− Transaction volume is determined by the acquirer
• Service provider levels
− Defined by the payment brands based on transaction volume and/or type of service provider
− Determined by the payment brands or acquirer and, in some cases, the service provider
• Compliance validation requirements will vary by the payment brand
PCI levels—merchant (in general)
Level 1 (6 to 20 million annual transactions)
− Validation actions: Annual on-site security audit (ROC) AND quarterly network scan
− Validated by: Independent assessor (QSA) or IA with PCI training; scans conducted by ASV
Level 2 (1 to 6 million annual transactions)
− Validation actions: Annual SAQ AND quarterly network scan
− Validated by: Merchant (Self Assessment); scans conducted by ASV
Level 3 (20,000 to 1 million annual transactions)
− Validation actions: Annual SAQ AND quarterly network scan (shares the Level 2 row on the slide)
− Validated by: Merchant (Self Assessment); scans conducted by ASV
Level 4 (20,000 or less annual transactions)
− Validation actions: Annual SAQ and network scan recommended
PCI SAQ
• The SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.
• There are multiple versions of the PCI DSS SAQ to meet various scenarios.
• The SAQ is a validation tool for merchants and service providers that are not required to submit an on-site data security assessment ROC.
PCI SAQ types
• The type of SAQ depends on the type of merchant environment:
− A: card-not-present merchants (e-commerce or mail/telephone order)
− A-EP: e-commerce merchants who outsourced payment processing to third parties
− B: merchants using a) imprint machines, or b) stand-alone, dial-out terminals
− B-IP: standalone, PTS-approved payment terminals
− C-VT: manually enter a single transaction at a time, virtual payment (not e-commerce)
− C: payment applications connected to the internet; no electronic cardholder data storage
− P2PE: hardware payment terminals managed by a P2PE solution (not e-commerce)
− D: all merchants not included in the above
ROC vs. SAQ
• The merchant’s bank or card brand will determine the level (1 through 4).
• Level 1 merchants must have a ROC completed by a PCI QSA (independent assessment).
• Other levels (2 through 4) can have a SAQ.
• The acquirer can require a full ROC for a level 2 through 4 merchant.
PCI levels—service providers (in general)
Level 1 (Payment Gateways and Processors)
− Validation actions: Annual on-site security audit AND quarterly network scan
− Validated by: Independent assessor (QSA) or IA with PCI training; scans conducted by ASV
Level 2 (storage/transmission/processing above 1 million transactions)
− Validation actions: Annual SAQ AND quarterly network scan
− Validated by: Self Assessment; scans conducted by ASV
Level 3 (storage/transmission/processing below 1 million transactions)
− Validation actions: Annual SAQ AND quarterly network scan (shares the Level 2 row on the slide)
− Validated by: Self Assessment; scans conducted by ASV
Service providers
• A business that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data
• Performs these duties on behalf of another entity
• Includes companies that provide services to merchants, other service providers, or other entities which control or could impact the security of cardholder data
• Examples include:
− Data centers
− Transaction processors
− Managed service providers (MSP)
− Payment gateways
− Vendors that provide POS maintenance
• Level 1 do ROC, Levels 2 & 3 do SAQ D (in general)

CURRENT THREATS AND TRENDS IN PAYMENT CARD SECURITY
Payment card theft
• Stolen card: Card is physically stolen and attempted to be used.
• Online fraud: Card information is stolen and used by the thief to make purchases with the stolen card.
• Skimming: An illegal device is used to collect the information from the magnetic stripe on your ATM, debit or credit card.
Skimming
• A skimming device is a camouflaged counterfeit card reader to record the card’s information.
• It will still allow the card holder to perform their transaction.
• It is used at ATM machines, retail stores, restaurants and taxis.
• Can sometimes be a hand-held skimmer small enough to fit into a pocket.
It’s not always malicious
• 25 percent of breaches were due to insiders
• Of those, 19 percent were unintentional

Lack of PCI compliance can cost