TISA Pro-Talk_1-2554-K.Sommai_pci-dss

Post on 28-May-2015


© 2011 TISA All Rights Reserved

TISA Pro-Talk

Session 1/2554

Topic: "Update latest PCI/DSS (v 2.0)"

By

สมหมาย ฟองน้ำทิพย์ (K. Sommai)

CISSP, CISA, CISM, CEH, ITIL-F


Transaction process for approval model


Getting Started

• Create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

• Founded in December 2004

• Version 1.1 – September 2006

• Version 1.2 – October 2008

• Version 1.2.1 – July 2009

• Version 2.0 – October 2010 (https://www.pcisecuritystandards.org/)

Comply vs. Not Comply

PCI Grief


MYTH about PCI

1. One vendor or one product can make us compliant

2. Outsourcing card processing makes us compliant

3. PCI DSS is an IT project

4. PCI DSS will make us SECURE

5. It is unreasonable and too hard because it requires too much


Important mandate (deadline)

• Merchants and VNPs (VisaNet Processors) must not use vulnerable payment applications (a list is published on the web site) (January 2008)

• Merchants must not store sensitive information in their systems (September 2009)

• VNPs and agents must certify all vulnerable payment applications (October 2009)

• Acquirers (banks) must ensure merchants and VNPs use certified payment applications (July 2010)

• Large merchants (Level 1) must be PCI compliant (September 2010)

• Acquirers (banks) must not store sensitive information (September 2010)

• Acquirers (banks) must submit their level of PCI compliance (September 2011)

• PCI DSS v1.2.1 will sunset in December 2011

• Acquirers must ensure all their merchants (new and existing) utilize PA-DSS compliant payment applications (July 2012)


Fraud Reduction initiatives

October 14, 2011

• Card Present – EMV

  – 3DES encryption

  – PAN truncation

  Biggest fraud: counterfeit card fraud

• Card Not Present – 3D Secure

  Biggest fraud: eCommerce purchases using stolen / counterfeit card details

We need to address the data leakage at the source.
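The "PAN truncation" and "must not store sensitive information" points above come down to what a merchant system writes to disk or to its logs after authorization. The following is an added example, not code from the TISA slides: it truncates a PAN to the first six and last four digits (the PCI DSS display limit), drops sensitive authentication data fields before a record is stored, and scans free text (a constructed log line) for full card numbers that slipped through. The field names, the sample record and the log line are all constructed for illustration.

```python
"""Added example (not from the TISA slides): keeping sensitive authentication
data out of storage and truncating the PAN, as PCI DSS Requirement 3 requires.
Field names, the sample record and the log text below are constructed."""

import re

# Sensitive authentication data (SAD) that must never be stored after
# authorization: card verification code, full track data, PIN block.
# These key names are assumptions for the constructed record format.
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: true when a digit run is a plausible card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the record as it may be persisted: SAD removed, PAN truncated."""
    out = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue              # never persisted after authorization
        out[key] = truncate_pan(value) if key == "pan" else value
    return out


def find_pans(text: str) -> list:
    """Find digit runs (with optional spaces/dashes) that pass Luhn.
    Useful for checking logs and exports for leaked full PANs."""
    found = []
    for match in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text):
        candidate = match.group(0)
        if luhn_valid(candidate):
            found.append(re.sub(r"\D", "", candidate))
    return found


if __name__ == "__main__":
    # Constructed post-authorization record using a well-known test PAN.
    record = {"pan": "4111 1111 1111 1111", "expiry": "12/14",
              "cvv2": "123", "track2": "4111111111111111=1412...",
              "amount": "19.99"}
    print(sanitize_for_storage(record))
    # Constructed log line that should never reach disk in this form.
    print(find_pans("2011-10-14 auth ok pan=4111111111111111 amt=19.99"))
```

The scanner deliberately tests Luhn on each digit run so that timestamps and order numbers are not reported as card data; it is the check to run over application logs and database exports when confirming that the "do not store" mandate actually holds.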


Roadmap for the implementation of PCIDSS – the changing landscape of fraud

[Diagram: entities in the card payment chain and the fraud vectors aimed at each]

Entities: Acquirers & Issuers, TPPs, Data Storage Entities, Merchants, Cardholders

Fraud vectors: Hacking, PC/Server theft, Shoulder surfing, Mail theft, Skimming, Phishing, PC attacks, Hijack database, Shopping cart exploitation


PCI compliance is not a product…

Card Holder Information

Store | Transmit | Process


Purpose of PCI requirement

The twentieth century U.S. criminal Willie Sutton was said to rob banks because "that's where the money is." The same motivation in our digital age makes merchants the new target for financial fraud. Occasionally lax security by some merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.


Cardholder Data store criteria


PCI Security standard series


Building blocks of the PCIDSS standard (contd)

Information Security Policy (Requirement 12)

Protect Card Data

• Protect data in storage (Requirement 3)

• Protect data in transit (Requirement 4)

Strong Access Controls

• Restrict access (Requirement 7)

• Unique IDs and passwords (Requirement 8)

• Restrict physical access (Requirement 9)

Building blocks of the PCIDSS standard (contd)

Develop & Maintain Secure Systems & Applications (Requirement 6)

Build & Maintain a Secure Network

• Firewalls (Requirement 1)

• Change vendor default passwords (Requirement 2)

Use anti-virus software & scan your network regularly (Requirement 5)

Track & monitor all access to data (Requirement 10)

Regularly test security systems (Requirement 11)


Pin Entry Device Requirements


Relations between series


Prioritize by a Risk-Based Approach


Samples of priority with PCI/DSS


CARDHOLDER DATA ENVIRONMENT (CDE)


Definition

Cardholder data environment (CDE):

• Area of the computer system network that possesses cardholder data or sensitive authentication data, and those systems and segments that directly attach to or support cardholder processing, storage, or transmission.

• Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment.

Source: https://www.pcisecuritystandards.org/security_standards/glossary.shtml
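The definition above is what an assessor applies when deciding which systems are in scope: everything that handles cardholder data, plus anything with a network path to it. The following is an added example, not code from the TISA slides or the PCI SSC: it takes a constructed host inventory and a constructed list of segment-level firewall rules and works out the CDE and the connected-to systems under two rule sets, a flat network and a segmented one. Host names, segment names and the rule format are assumptions made for the illustration; the "connected-to" test is one hop of allowed traffic in either direction between a CDE host and a non-CDE host.

```python
"""Added example (not from the TISA slides): deriving PCI DSS assessment
scope from an inventory and the firewall rules that segment the network.
Hosts, segments, flows and the rule format are constructed for illustration."""

from itertools import product

# Constructed inventory: host -> (network segment, handles cardholder data?)
HOSTS = {
    "pos-terminal-1": ("store", True),
    "payment-gw":     ("cde", True),
    "card-db":        ("cde", True),
    "log-collector":  ("mgmt", False),
    "hr-fileserver":  ("office", False),
    "dev-wiki":       ("office", False),
}

# Constructed rule sets. Rules are evaluated top-down, first match wins,
# and anything not matched is denied (the default-deny that segmentation needs).
FLAT_NETWORK = [
    {"src": "any", "dst": "any", "action": "allow"},
]
SEGMENTED = [
    {"src": "store", "dst": "cde",  "action": "allow"},   # POS -> payment gateway
    {"src": "cde",   "dst": "mgmt", "action": "allow"},   # CDE -> log collector
    {"src": "any",   "dst": "any",  "action": "deny"},
]


def allowed(rules, src, dst):
    """True when traffic from src host to dst host is permitted."""
    s_seg, d_seg = HOSTS[src][0], HOSTS[dst][0]
    if s_seg == d_seg:
        return True            # same segment: no firewall sits in the path
    for rule in rules:
        if rule["src"] in (s_seg, "any") and rule["dst"] in (d_seg, "any"):
            return rule["action"] == "allow"
    return False               # implicit default deny


def pci_scope(rules):
    """Return (cde_hosts, connected_to_hosts) for a given rule set.

    The CDE is every host that stores, processes or transmits cardholder
    data, whatever segment it sits in. A non-CDE host is connected-to (and
    therefore in scope) when any allowed flow exists between it and a CDE
    host in either direction. Hosts with no such path are out of scope."""
    cde = {h for h, (_, chd) in HOSTS.items() if chd}
    connected = set()
    for a, b in product(HOSTS, repeat=2):
        if a == b or (a in cde) == (b in cde):
            continue
        if allowed(rules, a, b) or allowed(rules, b, a):
            connected.add(b if a in cde else a)
    return cde, connected


def out_of_scope(rules):
    """Hosts that segmentation keeps out of the assessment."""
    cde, connected = pci_scope(rules)
    return set(HOSTS) - cde - connected


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        cde, connected = pci_scope(rules)
        print(f"{name}: CDE={sorted(cde)} connected={sorted(connected)} "
              f"out-of-scope={sorted(out_of_scope(rules))}")
```

With the flat rule set every office host ends up in scope, which is the situation the slide warns about; with the segmented rules only the log collector joins the CDE, and the office hosts drop out of the assessment. The model is deliberately simple (segment-level rules, no port granularity), so it is a planning aid, not a substitute for the assessor's own segmentation testing.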


Sample general CDE

Cardholder path

WLAN Access Point

x  No WLAN activity expected = Rogue AP

Network segmentation

x  Firewall is part of the back office

ISA compared with QSA


Copyright © 2011 TISA and its respective author (Thailand Information Security Association)

Please contact: info@tisa.or.th

http://www.TISA.or.th


PCI DSS Validation Enforcement Table