Compliance With the PCI DSS Credit Card Security Standards
Presented By:
This manual was created for online viewing. State specific information in this manual is used for illustration and is an example only.
mail: P.O. Box 509 Eau Claire, WI 54702-0509 • telephone: 866-352-9539 • fax: 715-833-3953 • email: [email protected] • website: www.lorman.com • seminar id: 394531
Branden R. Williams, CISSP, CISM, Sysnet Global Solutions
©2014 Lorman Education Services. All Rights Reserved.
All Rights Reserved. Lorman programs are copyrighted and may not be recorded or transcribed in whole or part without its express prior written permission. Your attendance at a Lorman seminar constitutes your agreement not to record or transcribe all or any part of it.
Full terms and conditions available at www.lorman.com/terms.php.
This publication is designed to provide general information on the topic presented. It is sold with the understanding that the publisher is not engaged in rendering any legal or professional services. The opinions or viewpoints expressed by faculty members do not necessarily reflect those of Lorman Education Services. These materials were prepared by the faculty who are solely responsible for the correctness and appropriateness of the content. Although this manual is prepared by professionals, the content and information provided should not be used as a substitute for professional services, and such content and information does not constitute legal or other professional advice. If legal or other professional advice is required, the services of a professional should be sought. Lorman Education Services is in no way responsible or liable for any advice or information provided by the faculty.

This disclosure may be required by the Circular 230 regulations of the U.S. Treasury and the Internal Revenue Service. We inform you that any federal tax advice contained in this written communication (including any attachments) is not intended to be used, and cannot be used, for the purpose of (i) avoiding federal tax penalties imposed by the federal government or (ii) promoting, marketing or recommending to another party any tax related matters addressed herein.
Prepared By: Branden R. Williams, CISSP, CISM, Sysnet Global Solutions
Compliance With the PCI DSS Credit Card Security Standards
What you need to know to survive!
Dr. Branden R. Williams
@BrandenWilliams
http://brandenwilliams.com
Agenda
Payment Card Industry Compliance
– What has changed in PCI DSS 3.0?
– What does this mean for ongoing compliance programs?
– What’s missing?
Brand Enforcement
– What are the brands doing to enforce PCI Compliance?
– What does PCI compliance mean globally?
Scope Reduction, Speedy Compliance
– What are some common scope reduction techniques?
– What is Tokenization, and how can it benefit me?
– Are there any shortcuts to compliance?
Briefly: What is PCI DSS?
Credit Card Security
PCI DSS has 12 main security requirements.
It’s akin to locking doors, setting alarms, and protecting your valuables.
Better yet, it’s like running a clean restaurant.
The difference is that card data doesn’t belong to you, yet you use it for the exchange of goods & services.
Many breaches forced the creation of the standard.
The History Leading to 3.0
Key Dates for 2013:
– Release date: November 7, 2013
– Draft published to POs (Participating Organizations) on September 12
– Most of the changes published there are intact
Lifecycle Notes:
– 2010 changed from 2 years to 3
– No errata published in 2.0
– Review/Feedback led to 3.0
Effective date: 1/1/2014
PCI DSS 2.0 retire date: 12/31/2014
Key Facts/Info Sources
PCI Council Website: http://www.pcisecuritystandards.org
Visa CISP Program: http://www.visa.com/cisp
Branden’s Blog: http://blog.brandenwilliams.com/
What has Changed?
Keys to remember from PCI DSS 2.0
PCI DSS is on a 3-year lifecycle
Virtualization Included in PCI DSS
– But nothing on cloud
– This extends to mobility
Third Party Due Diligence
– Expect continued increases in inspection of third parties
MORE INSPECTION by your QSA!
Themes that drove PCI DSS v3.0 changes
Education and Awareness
Increased Flexibility
Security as a Shared Responsibility
Fix the following:
– Lack of education and awareness
– Weak passwords and authentication practices
– Third party risks
– Limited capability to detect breaches and/or malware
– Lack of consistency in assessment
What are the New Developments?
P2PE Solutions now available
– Focuses on HW/HW
– Needs SW/HW
– It’s up to you to help drive direction!
Alternative Payment Schemes
– Square
– Paypal
– SRED (how to use iPad/iPod?)
Where is PCI going?
– ASV Task Force
Some Words on Scoping
Responsibility for scoping is that of the organisation under assessment
A QSA does not define the scope of an assessment
A QSA validates the scope that has been determined by the organisation as part of the assessment
Now, here’s something strange…
Biggest complaint about PCI DSS process:
– Too Restrictive (let me do risk mgt)
– Too Loose (tell me what I have to do)
– Too much interpretation variance
Two sides to every room:
– TOO RESTRICTIVE
– TOO OPEN FOR INTERPRETATION
Council waged war: “should” & “periodic”
New version reverses trend:
– Periodic: 20 times (up from 8)
– Should: 103 times (up from 27)
Some of the Great Additions
From the “How do you do this without these instructions” dept:
– Cardholder Data Flow diagrams required
  Don’t do this on a network diagram
  See “Data Flows Made Easy”
– Managing list of in-scope systems
  Helps with scoping overall
Cloud/Virtualization.. Whaaaa?
Could be a challenge
Overall, the documentation requirements are much higher
Be sure to allocate time and resources to this (automation potential!)
Some of the Ugly, Weird, or Questionable
Malware discovery:
– On platforms NOT commonly affected
– Yes, you read that right
– Interpretation will be interesting
Penetration Testing:
– Approved methodology
– Approved by…
– Why not reference SP800-115?
Lack of Linkage to Emerging Tech
– Where is Mobile?
– What about NFC?
What is missing?
No mention of Cloud
– Yet virtualization makes an appearance
Sampling Remains an Issue
– Up to QSA to define and stick to a methodology
– Causes variance in “feel-goodery”
Wireless IDS/IPS
DLP/Scope Clarification
Impacts to Ongoing Compliance
Current compliance programs should finish by December 31, 2014
New programs begin January 1, 2015
Discuss specific impacts with pending changes
– Requirement 9.9, June 2015
Brand Enforcement
Brand Enforcement: VISA
US: Visa CAP
– Dates passed
– Fines for Levels 1 & 2 merchants
Global: Visa CAP
– Not including EU
– Fines for Levels 1 & 2 merchants
– Additional fines at discretion
Problems:
– Payment systems vary vastly among geos
– Must enforce!
Brand Enforcement: MasterCard
Global:
– Fines are in process, selectively
– Levels 1, 2, & 3 affected
– Reciprocity with Visa
Heavier fines than Visa
All global, but selective enforcement
No more Level 1 & 2 Self Assessments without certification (ISA)
Brand Enforcement: Others
Selective enforcement from other brands
Focus on Visa/MasterCard
actually.... focus on SECURITY, then get COMPLIANCE free
© Branden Williams. All rights reserved CONFIDENTIAL
Global PCI Compliance
Global PCI Compliance
US-Based companies have a leg-up
Global companies with US Entities may retrofit knowledge into their orgs
Hot regions:
– South Africa (country and continent)
– Australia
Enforcement will be GEO based
Nike: “Just Do It.”®
Dr. B: “Just Outsource It.”
Scope Reduction /Speedy Compliance
Common Scope Reduction Ideas
Segmentation
– Still the most effective way to reduce scope
VPNs
Used in conjunction with segmentation
Create zones of cardholder data in separate physical or logical locations
Outsourcing
In what world should someone who is successful at being a merchant take on building a complex payment processing environment?
Consider complete outsourcing of payments for both card present and card not present transactions
Data Discovery and Deletion
Data discovery tools help validate and reduce PCI Scope
Find data you didn’t know existed (yet are still responsible for securing!)
Validate that no data exists in out of scope environments
Assistance in mapping of data flows
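As an added illustration of the data discovery idea above (example code written for this page, not a tool from the presentation), the scanner below finds candidate PANs in text, uses the Luhn check to discard most digit runs that are not card numbers, and reports hits masked so the scan output does not itself become cardholder data. The sample log lines and the card numbers in them are constructed test values.

```python
import re
from typing import List, Tuple

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(number: str) -> bool:
    """Luhn check that every real PAN passes; filters most random digit runs."""
    digits = [int(c) for c in number][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

def mask(pan: str) -> str:
    """Report only first six and last four digits so the report stays out of scope."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits

# Constructed sample: a log export from a system believed to be out of scope.
# Line 2 carries a (Luhn-invalid) token and line 3 an unrelated ID; neither is a PAN.
SAMPLE = """\
2014-03-02 order=1001 card=4111 1111 1111 1111 amount=19.99
2014-03-02 order=1002 token=8472039115580044 amount=42.00
2014-03-02 support ticket id 1234567890123 phone 5551234567
2014-03-03 order=1003 card=5555-5555-5555-4444 amount=5.00
"""
```

Running `find_pans(SAMPLE)` flags lines 1 and 4 only; a hit in an environment you declared out of scope means either the data flow diagram is wrong or the data needs deleting.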
Tokenization
What is Tokenization?
A method by which live PANs are replaced with dummy values, or “Tokens”
Tokens are then used throughout the environment to track a payment
Tokens could be unique per transaction or unique per payment instrument
What to look for in a token?
Tokens should NOT have any mathematical relationship to the original value– Why not hashes?
– Why not encrypted values with no key?
Who is responsible for a breach with mathematically related values?
Why a token?
Using tokens devalues data
Still accomplish business analytics
Reduced security on token values
– Laptops
– Spreadsheets
– Cloud
DRAMATIC scope reduction potential
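Added example (not from the presentation or any vendor product) of a vault-style tokenizer that meets the "no mathematical relationship" test above: tokens come from a CSPRNG rather than a hash or a keyless cipher, so the same PAN always gets the same token (unique per payment instrument) while nothing outside the vault can compute one from the other. Keeping the last four digits and making tokens Luhn-invalid are design choices assumed here so a leaked token cannot pass as a card number.

```python
import secrets
from typing import Dict

def luhn_valid(number: str) -> bool:
    """Luhn check that every real PAN passes."""
    digits = [int(c) for c in number][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

class TokenVault:
    """Hypothetical token vault; assumption: this is the only in-scope system.

    Tokens are random, so nothing outside the vault can derive the PAN from
    the token or the token from the PAN, unlike a hash or a keyless cipher.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Unique per payment instrument: a PAN already seen reuses its token,
        # so analytics on repeat customers still work without the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        last4 = pan[-4:]
        while True:
            # Random leading digits from a CSPRNG; last four kept for receipts.
            lead = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = lead + last4
            # Reject tokens that could pass as a PAN or collide with one already issued.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault maps back; systems that hold tokens never need to."""
        return self._token_to_pan[token]
```

Laptops, spreadsheets and cloud systems that only ever see `tokenize()` output hold nothing a breach can turn back into a PAN, which is where the scope reduction comes from.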
Is there a shortcut to compliance?
Short answer?
Long answer:
Compliance with any standard should be a function of security
Focusing on security will get you to compliance faster
Compliance will become a tweak to your company, not an overhaul
Questions?
214.727.8227
brandenwilliams.com
@BrandenWilliams
facebook.com/BrandenRWilliams
linkedin.com/in/bwilliams
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.
Notes