TISA Pro-Talk_1-2554-K.Sommai_pci-dss
Transcript of TISA Pro-Talk_1-2554-K.Sommai_pci-dss
© 2011 TISA All Rights Reserved
TISA Pro-Talk
Session 1/2554
Topic: "Update latest PCI/DSS (v 2.0)"
by
K. Sommai (สมหมาย ฟองน้ำทิพย์)
CISSP, CISA, CISM, CEH, ITIL-F
Transaction process for approval model
Getting Started
• Create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
• founded in December 2004
• version 1.1 – September 2006
• version 1.2 – October 2008
• version 1.2.1 – July 2009
• version 2.0 – October 2010
https://www.pcisecuritystandards.org/
Comply VS Not Comply
PCI Grief
MYTH about PCI
1. One vendor or one product can make us compliant
2. Outsourcing card processing makes us compliant
3. PCI DSS is an IT project
4. PCI DSS will make us SECURE
5. It is unreasonable and too hard because it requires too much
Important mandate (deadline)
• Merchants and VNPs must not use vulnerable payment applications (a list is published on the web site) (January 2008)
• Merchants must not store sensitive information in their systems (September 2009)
• VNPs and agents must certify all vulnerable payment applications (October 2009)
• Acquirers (banks) must ensure merchants and VNPs use certified payment applications (July 2010)
• Large merchants (Level 1) must be PCI compliant (September 2010)
• Acquirers (banks) must not store sensitive information (September 2010)
• Acquirers (banks) must submit their level of PCI compliance (September 2011)
• PCI DSS v1.2.1 will sunset in December 2011
• Acquirers must ensure all their merchants (new and existing) utilize PA-DSS compliant payment applications (July 2012)
Fraud Reduction initiatives
October 14, 2011
• Card Present – EMV
– 3DES encryption
– PAN truncation
Biggest fraud: counterfeit card fraud
• Card Not Present – 3D Secure
Biggest fraud: eCommerce purchases using stolen / counterfeit card details
We need to address the data leakage at the source.
Roadmap for the implementation of PCIDSS – the changing landscape of fraud
Figure: entities in the card payment chain (Acquirers & Issuers, TPPs, Data Storage Entities, Merchants, Cardholders) and the fraud vectors against them (Hacking, PC/Server Theft, Shoulder Surfing, Theft, Skimming, Phishing, PC Attacks, Hijack Database, Shopping cart exploitation).
PCI compliance is not a product…
Card Holder Information
Store | Transmit | Process
Purpose of PCI requirement
The twentieth century U.S. criminal Willie Sutton was said to rob banks because "that's where the money is." The same motivation in our digital age makes merchants the new target for financial fraud. Occasionally lax security by some merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.
Cardholder Data store criteria
PCI Security standard series
Building blocks of the PCIDSS standard (contd)
Information Security Policy (Requirement 12)
Protect Card Data
• Protect data in storage (Requirement 3)
• Protect data in transit (Requirement 4)
Strong Access Controls
• Restrict access (Requirement 7)
• Unique IDs and passwords (Requirement 8)
• Restrict physical access (Requirement 9)
Building blocks of the PCIDSS standard (contd)
Develop & Maintain Secure Systems & Applications (Requirement 6)
Build & Maintain a Secure Network
• Firewalls (Requirement 1)
• Change vendor default passwords (Requirement 2)
Use Anti-Virus Software & Scan Your Network Regularly (Requirement 5)
Track & Monitor All Access to Data (Requirement 10)
Regularly Test Security Systems (Requirement 11)
Pin Entry Device Requirements
Relations between series
Prioritize by Risk-Based Approach
Samples of priority with PCI/DSS
CARDHOLDER DATA ENVIRONMENT (CDE)
Definition
Cardholder data environment (CDE):
• Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission.
• Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI assessment.
Source: https://www.pcisecuritystandards.org/security_standards/glossary.shtml
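The definition above says scope follows connectivity: systems attached to CHD systems are in scope unless segmentation isolates them, and the later "Firewall is part of back office" slide shows what goes wrong when the firewall is not treated as a boundary. As an added illustration (not from the talk or from PCI SSC), this walks a constructed network inventory from the CHD systems outward; a firewall listed as a boundary is itself in scope but stops the walk, so the back office drops out of scope only when the firewall is enforced as the CDE boundary:

```python
from collections import deque


def cde_scope(handles_chd, links, boundary=frozenset()):
    """Return the set of systems in PCI DSS scope (assumed helper, not PCI SSC code).

    handles_chd: systems that store, process or transmit cardholder data.
    links:       dict system -> systems it can talk to (treated as undirected).
    boundary:    segmentation devices (firewalls) that are in scope themselves
                 but stop the walk, because traffic does not cross them freely.
    """
    adj = {}
    for a, peers in links.items():
        for b in peers:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    scope = set(handles_chd)
    queue = deque(handles_chd)
    while queue:
        node = queue.popleft()
        if node in boundary:          # in scope, but nothing beyond it is pulled in
            continue
        for peer in adj.get(node, ()):
            if peer not in scope:
                scope.add(peer)
                queue.append(peer)
    return scope


# Constructed sample inventory (hypothetical names, not a real network).
CHD_SYSTEMS = {"pos_terminal", "payment_gateway"}
NETWORK = {
    "pos_terminal": ["cde_switch"],
    "payment_gateway": ["cde_switch"],
    "cde_switch": ["firewall"],
    "firewall": ["office_switch"],
    "hr_server": ["office_switch"],
    "marketing_wiki": ["office_switch"],
}


def flat_scope():
    """Firewall treated as just another back-office box: everything is in scope."""
    return cde_scope(CHD_SYSTEMS, NETWORK)


def segmented_scope():
    """Firewall enforced as the CDE boundary: the back office drops out of scope."""
    return cde_scope(CHD_SYSTEMS, NETWORK, boundary={"firewall"})


if __name__ == "__main__":
    print("flat:     ", sorted(flat_scope()))
    print("segmented:", sorted(segmented_scope()))
```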
Sample general CDE
Cardholder path
WLAN Access Point
(x) No WLAN activities = rogue AP
Network segmentation
(x) Firewall is part of back office
ISA compared with QSA
Copyright © 2011 TISA and its respective author (Thailand Information Security Association)
Please contact : [email protected]
http://www.TISA.or.th
PCI DSS Validation Enforcement Table