©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity™
The Payment Card Industry (PCI): Compliance 101
Name: John Cebulski
Title: Security Engineer
Contact: [email protected]
Today’s Agenda
Modern history of PCI
PCI Data Security Standard v1.1
– Version 1.1 updates
– Compensating controls
– General roles and responsibilities
– PCI compliance validation process
» Network scanning
» Company audit
» Report of compliance
Why worry about PCI DSS?
The challenges of PCI compliance
– Customer challenges of PCI compliance
– Devices affected
– Results of PCI challenges
– Companies in the PCI spotlight
Tips for facing the compliance challenge
Modern History of the Payment Card Industry
Mid-1980s
– Rapid growth in payment card industry, fraud increases
– Individual companies begin early fraud detection and prevention efforts
1990s
– Sophistication of networks increases
– Fraud and detection technologies grow
– Fraud continues to increase
– 1999: Gramm-Leach-Bliley Act
2000s
– 2000: Visa Cardholder Information Security and Account Information Security programs
– 2000: MasterCard: Site Data Protection program
– Early 2000s: Major fraud disclosures*
– 2002: Sarbanes–Oxley Act
– 2005: MasterCard and Visa jointly release PCI Data Security Standard 1.0
– 2006: PCI Security Standards Council, PCI 1.1 released
Drivers for PCI Data Security Standardization
Fraud is big business!!
Increased fraud
– 2005*
» 9.3 million US victims
» $54.4 billion total fraud costs in one year
Regulatory requirements
– Increased pressure
– Vague implementation guides
Confusing payment card efforts
– Overlapping requirements and duplicated activities
– Increased confusion on part of merchants and providers
*Source: Javelin Strategy & Research, January 2006

Date | Organization | Offense
June 2004 | Ukrainian Roman Vega aka ‘BOA’ | Caught with more than 80,000 credit card accounts
September 2004 | Carderplanet.com | Credit card hacking site
October 2004 | Shadowcrew | Sales of stolen and counterfeit IDs
As of May 2007—still running | Cardersmarket.com | Buys and sells payment card data
PCI Data Security Standard v1.1 Today
• Six categories, 12 sections, many subsections
• PCI DSS is only part of compliance
If a Primary Account Number (PAN) is stored, processed, or transmitted, the PCI DSS requirements APPLY.
PCI Compliance for VISA
• PCI DSS
• Visa’s Cardholder Information Security Program (CISP)
http://usa.visa.com/merchants/risk_management/cisp.html
PCI Compliance for MasterCard
• PCI DSS
• MasterCard’s Site Data Protection Program (SDP)
http://www.mastercard.com/us/sdp/index.html
What’s New to the PCI Landscape?
New to PCI 1.1 (Sept. 2006)
– Clarification of vague language
– Application firewalls required by June 30, 2008 (6.6)
– Malicious software, like spyware and adware, is included in antivirus capabilities (5.1.1)
– New “compensating controls” section (Appendix B)
– Penetration testing to include application and network layers (11.3)
VISA and MasterCard Compliance
– “Leading the Charge” for PCI compliance
– Emphasis on Level 1, 2, and 3 Merchants
– Acquirers should have submitted a summary of their L4 Merchants’ PCI compliance plan by July 30, 2007
COMPLIANCE TIMEFRAME
– Level 1 Merchant/Service Provider deadline: September 30, 2007
– Level 2 Merchant/Service Provider deadline: December 31, 2007
– Level 3 Merchant/Service Provider deadline: Contact acquirer or card vendor
– Level 4 Merchant deadline: Summary of PCI compliance plan, via acquirer, by July 30, 2007
Example: Compensating Control
Source: Appendix C, Compensating Controls Worksheet
PCI Today—Roles
Roles: DEFINE, AUDIT, ENFORCE, IMPLEMENT
PCI Security Standards Council
• Independent body
• Eliminates competing and overlapping brand-specific requirements
• Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Int’l
• Defines security and process requirements and other general security guidelines
• Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains certification lists
QSAs and ASVs
• Assess and validate compliance
• Reports given to customers
• Listed on the council Web site
Payment Card Brands
• Enforcement arm (and acquirers)
• Can levy stiff fines
• Prohibit processing of credit card transactions
• To what degree must they be compliant?
Acquirers (banks that process transactions)
• Enforcement arm
• Can levy stiff fines
• Prohibit processing of credit card transactions
• Manage Merchants’ compliance programs
• MasterCard's SDP program
Participating Organizations (accept credit/debit card payments)
• Merchants, Service Providers
› Any organization that stores, processes, or transmits cardholder data
• Merchant or Service Provider Categorization
• Levels
› 1–4 for Merchants
› 1–3 for Service Providers
• Varying levels of audits, scans, and assessments based on level status
www.pcisecuritystandards.org
PCI Compliance Validation
• Audits and Self-Assessments
• Network Scans
• Report on Compliance
PCI Compliance Validation

Level | Description | On-Site Security Audit | Self Assessment | Network Scans
Merchant 1 | Over 6M annual transactions; security breach resulting in data compromise; or based on vendor’s choice | Annually | – | Quarterly
Merchant 2 | 15,000 to 6M annual transactions | – | Annually | Quarterly
Merchant 3 | 20,000 to 150,000 annual transactions | – | Annually | Quarterly
Merchant 4 | All others | – | Annually | Quarterly
Service Provider 1 | All processors and payment gateways | Annually | – | Quarterly
Service Provider 2 | Not in level 1; stores, processes, or transmits over 1M accounts annually | Annually | – | Quarterly
Service Provider 3 | Not in level 1; stores, processes, or transmits less than 1M accounts annually | – | Annually | Quarterly
PCI Compliance Validation: What can I expect from an audit?
– Company XYZ is audited by QSA
– QSA completes audit based on PCI Audit Procedures
– Company passes audit: Company XYZ keeps audit and submits to Card Vendor or Acquirer
– Otherwise, Company receives report from QSA with “Open Items” and “Target Resolution Dates”, and QSA reassesses
PCI Compliance Validation: Network Scans
› Performed by a certified auditor
› Externally facing IP addresses
› Scan of ALL 65,535 ports
› Severity Levels 3–5 must be remedied
› Technical report with vulnerabilities and steps for resolution
› PCI-approved compliance statement to Vendor or Acquirer
PCI Report on Compliance and Visa: Level 1–3 Merchants
Level 1 Merchants (via Acquirer)
– On-site PCI data security assessment completed by QSA
– Letter signed by a merchant officer
– Confirmation of report accuracy form completed by QSA
– Acquirer accepts ROC and submits confirmation ROC form and acceptance letter to Visa
Level 1, 2, and 3 Merchants
– Acquirers responsible for ensuring quarterly network security scans for Level 1, 2, and 3 Merchants
– Quarterly network security scans may be required of Level 4 Merchants as specified by their acquirers
Level 2 and Level 3 Merchants
– Must complete the annual PCI self-assessment questionnaire
– Level 4 Merchants may be required by their acquirers to complete the PCI self-assessment questionnaire
PCI Report on Compliance and Visa: Service Providers
Level 1 and Level 2 Service Providers
– Annual self-assessment questionnaire
– Annual on-site PCI data security assessment
– Supply to the acquirer, serving as a template for the ROC
– Employ a QSA to complete the Report on Compliance
Level 1, 2, and 3 Service Providers
– ASV performs a quarterly network scan on the Internet-facing network perimeter systems
Level 3 Service Providers
– Complete the annual PCI self-assessment questionnaire
Why Worry About PCI DSS?
Reduce the risk of incidents
– Prevent a “CNN moment”
» Negative publicity
– Loss of revenue
– Placed in higher Level, requiring more frequent compliance measures
– Fines and penalties levied
» From acquirer to acceptor
– Barred from processing credit card transactions
– Higher processing fees
The PCI Challenge for Merchants and Service Providers
All or Nothing: 99 percent compliance is still failing. PCI DSS v1.1 begins to address this issue (Compensating Controls) and is the new standard as of January 1, 2007.
Cost Effective and Unified: Purchasing and integrating point solutions takes time and effort. Many companies do not have the in-house staff to address this challenge. TCO must be addressed.
Performance Becomes a Concern
Multiple Standard Requirements
The PCI Challenge: One of Many
[Slide graphic: a cloud of overlapping concerns surrounding PCI, including Sarbanes-Oxley, liability, GLBA, HIPAA, EU data protection, industry regulation, business continuity, operational risk, privacy, ISO17799, Basel II, data retention, investment, physical security, audits, compliance, credit risk, terrorism, reputation, data storage, SB1386, business partners, BS7799, COSO/COBIT, intellectual property, and information security]
Growing lists of regulations can deplete resources
Sarbanes-Oxley Act of 2002
Gramm-Leach-Bliley
Homeland Security Act
FISMA
HIPAA
Computer Security Act
Computer Fraud and Abuse Act
IASB/FASB
NASD 3110
SEC Rules 17a-3 and 17a-4
TREAD Act
Canada’s PIPEDA
U.S. Patriot Act
Fair and Accurate Credit Transactions Act (FACT)
E.U. Data Protection Directive
Foreign Corrupt Practices Act
Basel II
FDA 21 CFR 11
Customs C-TPAT
EPA
CA SB 1386, 1950
U.K. Public Records Office
DOD 5015.2
PCI DSS
The PCI Challenge: Devices affected
The PCI DSS v1.1 requirements apply to ALL “system components,” defined as any network component, server, or application included in, or connected to, the cardholder data environment
– “Network component” refers to firewalls, network appliances, routers, switches, wireless access points, and other network and security components
– Servers include, but are not limited to, authentication, database, domain name service (DNS), email, network time protocol (NTP), proxy, and Web servers
– Applications include all purchased and custom applications, including internal and external (Web) applications
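The scoping rule above ("included in, or connected to, the cardholder data environment") decides how many devices the rest of this deck applies to. As an added illustration that is not from the slides, the script below applies that rule to a constructed inventory twice, once for a flat network and once for a segmented one; every component name, category assignment, and permitted flow is assumed for the example.

```python
from itertools import combinations

# Constructed inventory (hypothetical): component -> category, using the
# three PCI DSS v1.1 system-component categories named on the slide.
COMPONENTS = {
    "edge-fw": "network component",
    "wifi-ap": "network component",
    "card-db": "server",
    "dns":     "server",
    "ntp":     "server",
    "mail":    "server",
    "pos-app": "application",
    "hr-web":  "application",
}

# Components that store, process or transmit PANs: the cardholder data environment.
CDE = {"pos-app", "card-db"}

def pci_scope(components, cde, flows):
    """Return {name: category} for every PCI 'system component'.

    Rule from the slide: everything included in the CDE, plus everything
    connected to it.  `flows` lists (a, b) pairs that are permitted to
    exchange traffic (undirected), i.e. what segmentation actually allows.
    """
    scope = set(cde)
    for a, b in flows:
        if a in cde:
            scope.add(b)
        if b in cde:
            scope.add(a)
    return {name: components[name] for name in sorted(scope)}

def out_of_scope(components, cde, flows):
    """Components that segmentation keeps outside PCI scope."""
    return sorted(set(components) - set(pci_scope(components, cde, flows)))

# Flat network: any host can reach any other, so every pair is a permitted flow.
FLAT_FLOWS = list(combinations(COMPONENTS, 2))

# Segmented network: the firewall permits only the flows the payment path needs;
# corporate hosts (hr-web, mail, wifi-ap) never talk to the CDE directly.
SEGMENTED_FLOWS = [
    ("edge-fw", "pos-app"), ("edge-fw", "card-db"), ("pos-app", "card-db"),
    ("pos-app", "dns"), ("pos-app", "ntp"), ("card-db", "ntp"),
    ("edge-fw", "hr-web"), ("edge-fw", "mail"), ("hr-web", "mail"),
    ("wifi-ap", "hr-web"), ("hr-web", "dns"), ("mail", "dns"),
]

if __name__ == "__main__":
    print("flat:     ", sorted(pci_scope(COMPONENTS, CDE, FLAT_FLOWS)))
    print("segmented:", sorted(pci_scope(COMPONENTS, CDE, SEGMENTED_FLOWS)))
    print("kept out: ", out_of_scope(COMPONENTS, CDE, SEGMENTED_FLOWS))
```

In the flat case all eight components are subject to the full requirement set; segmentation shrinks that to five, which is the practical reason the "Devices affected" list matters before any audit starts.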
The PCI Challenge: Result
A Very Complicated, Sprawling Network to Manage
– Firewalls, OS servers, routers, switches, IPS, antivirus, Web servers, policies, and rules
– Gigabytes to terabytes of data in different formats
Companies in the PCI Spotlight
– Bank of America
– BJ’s Wholesale Club
– Cardsystems Solutions
– ChoicePoint (NOT CHECK POINT)
– CitiGroup
– DSW Shoe Warehouse
– Hotels.com
– LexisNexis
– Wachovia
– Polo–Ralph Lauren
Source: Qualys http://www.qualys.com/forms/wp/pci/?lsid=6880
Fines
– 2005: Visa levied fines of $3.4 million
– 2006: Visa levied fines of $4.6 million
Source: Visa (USA), SAN FRANCISCO, December 12, 2006
Tips for Facing the PCI Challenge
Build/leverage relationships with VARs and other resellers
Attend seminars and guest speaking engagements
– Nuggets of information
– Network with peers
Use existing regulatory compliance programs
– ISO 27001 certifications and Sarbanes-Oxley audits look at many of the same requirements as PCI DSS v1.1
– PCI DSS offers areas of cross compliance with HIPAA and SOX
Books and periodicals (the ol’ Amazon.com search)
Take the “plunge,” register for vendor white papers
– Valuable nuggets contained within vendor
Utilize PCI security standards resources
– www.pcisecuritystandards.org
– Self-assessments
– Review scanning and audit procedures
Resources and Research
PCI Security Council Web site
– www.pcisecuritystandards.org
– PCI DSS v1.1, What’s new in v1.1, Scanning and Auditor validation requirements
Qualys
– White paper: Winning the PCI Compliance Battle
– www.qualys.com/forms/wp/pci/?lsid=6880
Check Point
– www.checkpoint.com/securitycafe/readingroom/general/pci_compliance.html
Still Secure
– www.stillsecure.com/pci/index.php?rf=pcihp
– PCI Compliance: A Technology Overview (management best practices)
www.pcicomplianceguide.org
– A 5-step guide for PCI compliance
SANS
– www.sans.org
– Using SIM systems for PCI compliance
THANK YOU!!
Questions?
Appendix and Links
See below
Regulatory Cross Compliance
HIPAA 164.308 – Administrative Safeguards
» Security and access management
» Secure incident handling
HIPAA 164.312 – Technical Safeguards
» Access and audit control, integrity
Sarbanes-Oxley sections 404, 409, 302
– Effective controls on data privacy
– Real-time disclosure
– CEO and CFO responsibilities for secure certification
PCI Data Security Standard Section 10
– Tracking and monitoring all access to cardholder data
– Implement audit trails
– Record, secure, and review various audit trails for system components
PCI Data Security Standard Section 11
– Use NIDS, NIPS, HIDS, HIPS to monitor and alert to compromises
» Require SIEM solutions that can effectively tie in point product data back