PCI DSS & Card Security
VeriFone Partner Forum, Dubai: 21 May 2008
Brad Harris, Regional Development Manager

Agenda
• Trustwave Ltd
• Relevant Headlines
• PCI DSS: the standard
• PCI PED
• Compromise Statistics
• Questions & Answers

Trustwave Corporation © Copyright 2007 Confidential

Global Organization
Headquartered in London, Trustwave Ltd has more than 20 office locations across EMEA to serve our diverse client base. Trustwave Corp. HQ is in Chicago, USA.
• EMEA: Regional Headquarters: London. Locations in Budapest, Hungary; Stockholm, Sweden; the Netherlands; Dublin; and Pretoria, South Africa
• North America: Corporate Headquarters: Chicago. Over 20 locations throughout the US; Toronto, Canada
• South America: Regional Headquarters: Miami
• Asia: Regional Headquarters: Singapore. Location in Shanghai, China

Blue-chip Customers globally

Compliant Service Providers on Visa website: Jan '07
[Bar chart: number of compliant service providers listed per assessor, y-axis 0 to 140; the tallest bar is labelled 131. Assessors shown include Chief Security Officers, Coalfire Systems, Ernst & Young, Fagan & Associates, Mission Critical Systems, Lockheed Martin, PriceWaterhouseCoopers, Protiviti, RSM McGladrey, Savvis, Vectra Corporation, VeriSign, Symantec, Specialized Security Services, Solutionary, Self-Assessment, Security Metrics, PRESIG, Payment Software Company, KPMG LLP, K3DES, Jefferson Wells, Internet Security Systems, Information Exchange, Foundstone, Fortrex Technologies, DynTek, Dynamics Research Corporation, Digital Resources Group, Deloitte & Touche, Cybertrust, Crowe Chizek, Computer Task Group, BDO Seidman, ASA Consulting and ATW; the per-assessor counts are not recoverable from the extraction.]

Recent Headlines

Is PCI DSS Important to you?
PCI DSS auditors see lessons in TJX data breach
• TJX Companies Inc.
violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
• Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.
- Tech-News daily, 29 Sept 2007
• To date there has not been a data compromise on a PCI Compliant organisation*

An unwanted E-Commerce
HOW MUCH DOES A VISA OR MASTERCARD NUMBER GO FOR THESE DAYS?
By Jacob Leibenluft. Posted Thursday, April 24, 2008, at 6:18 PM ET
Security experts at the InfoSecurity Europe conference are drawing attention to "data supermarkets" that sell stolen credit card numbers for a fixed price. According to a BBC story, "credit card details are cheap" on the black market while "the logfiles of big companies can go for up to $300."

Retail Nightmare
Hannaford data thieves planted malware on 300 servers
Other retailers may be vulnerable
By Dan Goodin. Published Friday 28th March 2008 22:39 GMT
The data breach at Hannaford, the US grocery chain, which enabled the theft of info on more than 4.2 million credit card accounts was caused by a sophisticated piece of malware that attackers installed in all the company's retail outlets. Installed on more than 300 servers in at least six states, the malware was able to intercept credit card data while customers paid for purchases using plastic and transmit the information overseas, The Boston Globe reports. The rogue software was installed on servers in close to 300 different locations, though the company isn't saying how it got there.
Non-Compliance: Risks, Fines, Fees, Costs, Loss
A non-compliant, compromised business could expect the following:
• Damage to their brand/reputation
• Investigation costs
• Remediation costs
• Fines and fees
  - Non-compliance (each brand issues separate fines)
  - Re-issuance
  - Fraud loss
• Ongoing compliance audits
• Victim notification costs
• Financial loss
• Data loss
• Charge-backs for fraudulent transactions
• Operations disruption
• Sensitive info disclosure
• Denial of service to customers
• Individual executives held liable
• Possibility of business closure

PCI Compliance Can Protect Against Fines
• Members receive "Safe Harbor" for compromised merchants found to be PCI-compliant at time of breach

Trustwave & VeriFone
TRUSTWAVE VALIDATES PAYWARE POS APPLICATION
• VeriFone's PAYware Software Application is validated as PABP Compliant
• VeriFone continues to validate new versions and releases to keep its customers safe from product-specific data compromise

PABP to PA-DSS
PABP/PA-DSS: comprehensive set of security requirements designed for payment application software vendors to facilitate their customers' PCI DSS compliance
• Updates
  – August 2008: PA-DSS published
  – "Grandfather" scheme:
    (i) Validated to PABP v1.4 = 24 months
    (ii) Validated to PABP v1.3 = 18 months
    (iii) Validated to PABP v1.2 or before = 12 months
  – Changes from PABP to PA-DSS are still being solidified
* There is no business advantage to waiting for PA-DSS to validate

PCI DSS – Overview
The PCI DSS consists of twelve basic requirements supported by more detailed sub-requirements. Compliance is mandatory for all Merchants and Service Providers that store, process or transmit credit cardholder data.
Applies to all acceptance channels including face-to-face, MOTO and e-commerce.

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS - Data Storage Clarification
Component                       Storage Permitted   Protection Required   Req 3.4 Applies
Cardholder Data
  PAN                           YES                 YES                   YES
  Expiration Date*              YES                 YES                   NO
  Service Code*                 YES                 YES                   NO
  Cardholder Name*              YES                 YES                   NO
Sensitive Authentication Data
  Full Magnetic Stripe          NO                  N/A                   N/A
  CAV2/CVC2/CVV2/CID            NO                  N/A                   N/A
  PIN                           NO                  N/A                   N/A
* Data elements must be protected when stored in conjunction with PAN

The Mandate: CEMEA Merchant Levels Defined
Level 1: any merchant regardless of acceptance channel that:
  - Processes > 6 million transactions by most prevalent card-type
  - Has suffered a hack or an attack that resulted in an account data compromise
  - Is any merchant the Card Brands determine should meet Level 1 merchant requirements
  - Has been identified by any other payment card brand as Level 1
  VALIDATION: (i) Annual Onsite Audit by QSA (ii) Quarterly
Network scan by QSA or ASV
  Deadline: 31 December 2007
Level 2: any merchant regardless of acceptance channel that processes < 6 million transactions by most prevalent card-type
  VALIDATION: (i) Annual Self-Assessment Questionnaire (ii) Quarterly Network scan by QSA or ASV
  Deadline: 31 December 2007

CEMEA Service Provider Levels
Level 1
  Criteria: Visa: all VisaNet processors (member and non-member) and all payment gateways. MC: Third Party Processors (TPP) & Data Storage Entities (DSE) that store account data on behalf of Level 1 or Level 2 merchants
  Validation actions (validated by): Annual On-Site Audit (Qualified Security Assessor); Quarterly Network Scan (QSA or ASV)
  Deadline: 31/12/2008
Level 2
  Criteria: Visa: any SP not in Level 1 that stores, processes, or transmits more than 600,000 transactions annually. MC: all DSEs that store account data on behalf of Level 3 merchants
  Validation actions (validated by): Annual On-Site Audit (Qualified Security Assessor); Quarterly Network Scan (QSA or ASV)
  Deadline: 31/12/2008
Level 3
  Criteria: Visa: any SP not in Level 1 that stores, processes, or transmits fewer than 600,000 transactions annually. MC: all other Data Storage Entities not included in Level 1 or Level 2
  Validation actions (validated by): Annual PCI Self-Assessment Questionnaire (Service Provider); Quarterly Network Scan (Approved Scanning Vendor)
  Deadline: 31/12/2008

The Mandate: CEMEA Issuers
Level 1: issuers who meet the following criteria:
  - VisaNet processors
  - Has suffered a hack or an attack that resulted in an account data compromise
  - Has been identified by any payment card brand as Level 1
  VALIDATION: (i) Annual Onsite Audit by QSA (ii) Quarterly Network scan by QSA or ASV
  Deadline: 31 December 2008
Level 2: any other Issuer
  VALIDATION: can self-validate
  Deadline: 31 December 2008

PCI DSS Compliance Validation Programme

Compliance Programme Life Cycle
1. Education: Generate
awareness of PCI DSS among key stakeholders inside the business such as risk, compliance, financial and legal
2. Risk Analysis: Determine your risk, or which merchants pose the greatest risk for loss
3. Communication: Convey compliance messages internally and to all affected merchants through a robust communication program to drive the message
4. Compliance: Risk mitigation execution and management through tools required to validate compliance with PCI DSS in the quickest, most efficient manner possible

Compliance Validation Service - CVS
Action: External Vulnerability Scanning
• Scan of externally-visible IP addresses
• Must pass an external scan quarterly (monthly scans recommended)
• Report produced and analysed in TrustKeeper
Action: Self-Assessment Questionnaire (SAQ)
• Interactive questionnaire about cardholder environment
• Updated for 2008 based on Merchant or Service Provider classification
• A successful SAQ means a positive answer to every question
Action: Onsite Audit (for Level 1s) / Gap Analysis
• Onsite visitation of 2-5 days by Qualified Consultant
• Strict audit and review process
• Major deliverable: Remediation Spreadsheet/Roadmap
• Network Penetration Test, Internal Vulnerability Scanning, SSL Cert
Action: Remediation
• Develop Remediation Project Plan
• Client or 3rd Party must project manage & implement actions
Action: Report on Compliance (ROC)
• THE MAJOR DELIVERABLE of a CVS
• Achieved upon compliance
• Written and submitted by QSA
• A poorly written ROC will not pass through to compliance
Action: Maintaining Compliance
• Continuation of monthly scanning
• Regular support calls with QSA
• Analysis of the effect of changes to network and infrastructure
• Annual pen tests, regular internal scans, etc.
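The Data Storage Clarification table earlier in the deck (and the Track Data Storage finding later in it) can be turned into a mechanical check that a merchant or assessor runs over stored records and over POS logs. The following Python is an added example and is not code from the Trustwave deck or from any VeriFone product: it encodes the table's rows as rules, classifies a stored record against them, and scans constructed sample log lines for full PANs and ISO 7813 track data, which the table says must never be kept after authorization. The field names, the record layout, the log lines and the HMAC secret are assumptions made for this example; the card numbers are the public 4111.../5555... test numbers.

```python
"""Checks for the PCI DSS data-storage rules (Data Storage Clarification table).

Added example, not code from the Trustwave/VeriFone deck.  Field names, the
record layout and the sample log lines are assumptions constructed for it;
the card numbers are the public 4111.../5555... test numbers.
"""
import hashlib
import hmac
import re

# One tuple per table row: (storage permitted, protection required, Req 3.4 applies).
# Starred elements (expiry, service code, name) need protection only when
# stored together with the PAN; sensitive authentication data is never stored.
STORAGE_RULES = {
    "pan": (True, True, True),
    "expiration_date": (True, True, False),
    "service_code": (True, True, False),
    "cardholder_name": (True, True, False),
    "full_track": (False, False, False),  # full magnetic stripe
    "cvv2": (False, False, False),        # CAV2/CVC2/CVV2/CID
    "pin": (False, False, False),
}

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track layouts: %B<PAN>^<NAME>^<YYMM><SVC>...?  and  ;<PAN>=<YYMM><SVC>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def _digits(value) -> str:
    return re.sub(r"[ -]", "", str(value))


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates PANs from other long numbers (order ids, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_full_pan(value) -> bool:
    d = _digits(value)
    return d.isdigit() and 13 <= len(d) <= 19 and luhn_ok(d)


def truncate_pan(pan: str) -> str:
    """Req 3.4 truncation: keep at most the first six and last four digits."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_hash(pan: str, secret: bytes) -> str:
    """Keyed one-way hash usable as an unreadable lookup index.  A key is used
    because the PAN space is small enough that an unkeyed hash can be brute-forced."""
    return hmac.new(secret, _digits(pan).encode(), hashlib.sha256).hexdigest()


def check_record(record: dict) -> dict:
    """Verdict per stored element: FORBIDDEN (sensitive authentication data),
    CLEARTEXT_PAN (Req 3.4 not applied), PROTECT (stored alongside a PAN) or OK."""
    has_pan = bool(record.get("pan"))
    verdicts = {}
    for element, value in record.items():
        if element not in STORAGE_RULES or value in (None, ""):
            continue
        permitted, _protect, req_3_4 = STORAGE_RULES[element]
        if not permitted:
            verdicts[element] = "FORBIDDEN"
        elif req_3_4 and is_full_pan(value):
            verdicts[element] = "CLEARTEXT_PAN"
        elif element != "pan" and has_pan:
            verdicts[element] = "PROTECT"
        else:
            verdicts[element] = "OK"
    return verdicts


def scan_text(text: str) -> list:
    """Find track data and full PANs in text (logs, dumps); PANs are reported truncated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "pan": truncate_pan(m.group(1))})
            # Blank matched track data so its PAN is not reported a second time.
            line = pattern.sub(lambda mm: " " * len(mm.group(0)), line)
        for m in PAN_CANDIDATE.finditer(line):
            if is_full_pan(m.group(0)):
                findings.append({"line": lineno, "kind": "pan", "pan": truncate_pan(m.group(0))})
    return findings


# Constructed sample POS log lines (not real data); the 16-digit order id fails Luhn.
SAMPLE_LOG = """\
2008-05-21 10:02:11 POS-07 AUTH ok order=1234567890123456 amt=41.20
2008-05-21 10:02:11 POS-07 DEBUG track2=;4111111111111111=25121011234567890?
2008-05-21 10:03:40 POS-07 AUTH ok pan=5555 5555 5555 4444 amt=9.99
2008-05-21 10:04:02 POS-07 DEBUG track1=%B4111111111111111^DOE/JOHN^25121011234567890?
"""

if __name__ == "__main__":
    stored = {"pan": "4111111111111111", "expiration_date": "2512", "cvv2": "123"}
    print(check_record(stored))
    print(check_record({"pan": truncate_pan(stored["pan"]), "expiration_date": "2512"}))
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
```

Run directly, the script reports the cleartext PAN and the stored CVV2 in the first record, shows the same record passing once the PAN is truncated, and flags the two debug lines carrying track data plus the authorisation line carrying a full PAN, while leaving the 16-digit order id alone because it fails the Luhn check. Blanking track matches before the PAN pass means each stripe is counted once, which keeps the counts in a remediation spreadsheet honest.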
Most Common PCI Requirements Not Met
[Bar chart: percentage of compromised merchants that failed to meet each PCI DSS requirement, Req. 1 to Req. 12, y-axis 0% to 100%. Data gathered from more than 250 card compromise investigations conducted by Trustwave.]
• Requirement 1: Install and maintain a firewall to protect cardholder data
• Requirement 3: Protect stored data
• Requirement 6: Develop and maintain secure systems and applications
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 10: Track and monitor access to network and card data
• Requirement 11: Regularly test security systems and processes

PCI Pin Entry Device (PED)
PCI PED: comprehensive set of security requirements designed for POS devices to facilitate their customers' PCI DSS compliance
• Members (or their Agents) have until 01 July 2010 to ensure that all of their installed attended POS PED models have been approved by Visa. PEDs must be on the current approved list at www.pcisecuritystandards.org/pin
• VeriFone continues to be a leader in PED Security

Who is at Risk?

Case Analysis: Merchant Level
While larger merchants represent greater transaction volume, smaller merchants have greater risk due to many factors discussed in this presentation. Trustwave's analysis is derived from more than 350 cardholder data compromise investigations performed in over 14 different countries.
Case Analysis: Industry
• Food Service Industry represents the majority of the compromises
• Retail Industry is the next largest industry seeing compromises

Compromise Statistics: System Type
• Majority of the cases involved a compromise of a Software POS system
• Not one of these systems was Visa PABP validated or PCI DSS compliant

Case Analysis: Track Data Storage
• Brick & Mortar Merchants running non-compliant software packages are storing Track Data and they do not know until it is too late!
• Track Data storage is never permitted in any environment post authorization

SUMMARY
• The biggest threat to growth of Plastic, Mobile, e-commerce payments is Fraud
• PCI DSS covers ALL organisations that STORE, TRANSMIT, or PROCESS credit card data
• Organisations should validate their own internal compliance AND insist on doing business with PCI DSS & PABP / PA-DSS compliant suppliers
• The validation is becoming easier, but the standard is becoming stricter – WAITING PUTS YOUR ORGANISATION AT RISK

Questions?