Kelly Handerhan, Instructor
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS) AGENDA
• PCI DSS: Why, What, How, and Who?
• Why do we need the PCI DSS?
• What is PCI DSS and what does it do?
• How does PCI-DSS protect financial and personal information?
• Who is affected by PCI DSS and to whom does it apply?
• A word on Social Engineering
• Wrap-Up
• Why do we need a standard to protect payment card information?
To Prevent:
• Fraud losses estimated to be in the BILLIONS
• Identity Theft
• Legal costs, settlements and judgments
• Higher subsequent costs of compliance
• Lost customer confidence
• Lost sales
• Cost of reissuing new payment cards
• Loss of ability to process payment cards
• Data in a payment system database
• Compromised card readers and PoS Systems
• Paper records improperly stored
• Hidden camera recording entry of authentication data
• Secret tap into your store’s wireless or wired network
• ATMs modified to contain software or hardware shims
• Residual Information in RAM of systems that accept payment card information (RAM Scraping)
• EVERYWHERE!!! Where there’s a will there’s a way!
• In 2012, about 40 million sets of PCI were compromised by a hack of Adobe
Systems .
• In July 2013, press reports indicated four Russians and a Ukrainian were indicted in
New Jersey for what was called “the largest hacking and data breach scheme ever prosecuted in the United States.”
• Between 27 November 2013 and 15 December 2013 a breach of systems at Target
Corporation exposed data from about 40 million credit cards. The information stolen included names, account number, expiry date and Card security code
• From 16 July to 30 October 2013, a hacking attack compromised about a million sets of payment card data stored on computers at Neiman-Marcus .
• On September 8, 2014, The Home Depot confirmed that their payment systems were compromised and released a statement saying a total of 56 million credit card numbers were disclosed as a result.
https://www.pcisecuritystandards.org/smb/why_secure.html
Risky Behavior A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.
81% store payment card numbers 73% store payment card expiration dates
71% store payment card verification codes
57% store customer data from the payment card magnetic stripe
16% store other personal data
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC
TOOLS TO ENSURE PROPER PROTECTION OF PCI
• PCI SSC: The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security
• PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
• Qualified Security Assessors: QSAs are approved by the Council to assess compliance with the PCI DSS
• Self-Assessment Questionnaire: The “SAQ” is a validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance
• Payment Card Industry Data Security Standard
• The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data that is processed, stored or transmitted by merchants.
• The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card.
WHAT ARE THE GOALS AND REQUIREMENTS?
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
BUILD AND MAINTAIN A SECURE NETWORK
Historically, thieves had to have physical access to a building to steal financial records. Now information is stored on networks, and often transmitted across the internet. Protection of networks transmitting cardholder data is a prime concern.
1.
Install and maintain a firewall and router configuration to protect cardholder data
• Standards for configuration and testing
• “Deny all” from untrusted networks
• Prohibit direct public access between the Internet and any system component in the cardholder data environment
• Personal firewall software must be installed on mobile devices and/or employee owned computers used to access the organization’s network
BUILD AND MAINTAIN A SECURE NETWORK
CONTINUED
2.
Do not use vendor-supplied defaults for system passwords and other security parameters
• Most vendor defaults are simple and easy to guess
• Frequently designed for ease-of-use
• Passwords and other default settings should be changed before connected installing on network.
• Define and apply system base-lines and standard configurations addressing known vulnerabilities
• Encrypt all non-console administrative access
In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business, and then it should be rendered unreadable if possible.
3.
Protect stored cardholder data
• Limit storage and retention
• Don’t store sensitive authentication information after authorization
• Mask the PAN (Primary Account Number) when displayed (1 st six or
Last 4)
• If stored, the PAN should always be unreadable
• Protect keys used for encryption
• Document and manage all key management processes and procedures
PROTECT CARDHOLDER DATA CONTINUED
4.
Encrypt Transmission of Cardholder Data
• Use strong cryptography and transport protocols like
SSL/TLS or IPSEC for transmission over open, public networks (Internet, wireless, etc)
• Never send PANs unencrypted by end-user messaging technologies
MAINTAIN A VULNERABILITY MANAGEMENT
PROGRAM
Vulnerability Management is the process of systematically and continuously finding weaknesses in an organization’s payment card infrastructure. Security procedures, system design implementation, and internal controls are included.
5.
Use and regularly update anti-virus software or programs
• Deploy anti-virus software on all systems affected by malicious software
• Ensure that all anti-virus software is current, actively running and capable of generating audit logs
MAINTAIN A VULNERABILITY MANAGEMENT
PROGRAM CONTINUED
6.
Develop and maintain secure systems and applications
• Ensure all system components and software have the latest vendorsupplied patches (critical patches installed within a month)
• Establish a process to identify new vulnerabilities (Alert services, vulnerability scans/services)
• Develop software applications in accordance with PCI DSS based on industry best practices and incorporate information security throughout the software development life cycle
• Follow Change Control procedures for all changes to system components
• Develop web-based applications based on secure coding guidelines
• Ensure all public web-facing applications are protected
IMPLEMENT STRONG ACCESS CONTROL
MEASURES
Access control allows merchants to allow or restrict the use of cardholder data. Should include physical and technical controls
7.
Restrict access to cardholder data by business need-toknow
• Allow access only as job requires access
• Establish access control system for components with multiple users. Default to “deny all” unless specifically allowed
IMPLEMENT STRONG ACCESS CONTROL
MEASURES
8.
Assign a unique ID to each person with computer access
• Assign all users a unique user name before allowing them access
• Require authentication by password, passphrase, or two-factor authentication
• Implement two-factor authentication for remote access to the network by employees administrators and third parties.
• Render all passwords unreadable for storage and transmission
• Ensure proper user authentication and password management for non-consumer users and administrators on all system components
IMPLEMENT STRONG ACCESS CONTROL
MEASURES
9.
Restrict Physical Access to Cardholder data.
• Use facility controls to limit and monitor physical access in the data environment
• Develop procedures to help personnel easily distinguish between employees and visitors
• Ensure all visitors are authorized before allowing entry to sensitive areas
• Use a visitor log to maintain a physical audit trail
• Store media back-ups in a secure location
• Physically secure all paper and electronic media containing cardholder data
• Control internal/external distribution of any kind of media containing cardholder data
• Ensure that management approves moving secured media
• Maintain strict control over storage and accessibility of media
• Destroy media containing cardholder data when no longer needed
REGULARLY MONITOR AND TEST NETWORKS
Physical and wireless networks connect all endpoints and servers in the payment infrastructure. Vulnerabilities in these devices must be tested and monitored to prevent exploitation
10.
Track and monitor all access to network resources and cardholder data
• Link all access to an individual user
• Implement audit trails
• Record audit trail entries for each event including user id, type of event, date and time, success/failure, identity or name of affected date
Synchronize all critical system clocks and times
• Secure audit trails to prevent alteration
• Review logs for security functions (at least) daily
• Retain audit trail history for at least one year with 3 months being immediately available for analysis
REGULARLY MONITOR AND TEST NETWORKS
11.
Regularly test security systems and processes
• Test for unauthorized wireless access points at least quarterly
• Run internal and external network vulnerability scans
• Perform internal and external penetration testing
• Use Network IDS/IPS to monitor all traffic in cardholder data environment
• Deploy file integrity checkers to alert personnel to unauthorized modification of critical system files, configuration files or content files
MAINTAIN AN INFORMATION SECURITY
POLICY
A strong security policy sets expectation for an organization’s employees and informs them security-related duties.
12.
Maintain a policy that addresses information security for employees and contractors
• Establish, publish, maintain, and distribute a security policy that addresses all PCI DSS requirements
• Develop daily operational security procedures that are consistent with requirements of PCI DSS
• Develop usage policies for critical employee-facing technologies to define proper usage including remote access, wireless, removable media, laptops, handheld devices, etc
• Ensure the policy and procedures clearly define information security responsibilities for all employees and contractors
MAINTAIN AN INFORMATION SECURITY
POLICY CONTINUED
• Assign to an individual or team information security responsibilities
• Implement a formal security awareness program to make all employees aware of the importance of cardholder data security
• Screen employees prior to hiring
• If cardholder data is shared with service providers, then require them to implement PCI DSS policies and procedures
• Implement an Incident Response Plan
AND FINALLY…A WORD ON SOCIAL ENGINEERS
• Don’t forget to consider social engineering. Don’t be tricked!
• Leads to Identity Theft, Fraud, and Compromise
• According to a 2012 report from Verizon’s Data Breach
Investigation report, 7 percent of all breaches now involve social engineering, but the number grows to 22 for larger organizations.
• Compromises companies’ sensitive information’
• Often allows an attacker access to a sensitive system
• According to Tripwire.com there are five types of social engineering attacks that are on the rise.
• Phishing
• Pretexting
• Baiting
• Quid Pro Quo
• Tailgating
• Based on the idea that if you cast a large enough net, you are bound to catch some phish.
• Frequently attacks come through emails asking a user to respond with information, click on an infected link, or visit a compromised website.
• Be suspicious of unsolicited emails
• Don’t click on links. Go to the website through it’s known URL
• Don’t download attachments that aren’t digitally signed
• Report suspected phishing attempts to your security team
• If it sounds too good to be true, it probably is.
• An attacker uses the pretext that they have a legitimate need for the information.
For example, a credit card company calls and tells you that there has been a problem with your card. They then ask for your card number and other information
• A “service rep” calls and needs to reset your password because your system has been compromised
• An urgent need to gain access to a sensitive room due to a “gas leak” or some other environmental issue
• These attacks often use urgency as a tool to add pressure to the victim.
• Follow company policy. When in doubt refer to a supervisor to make the decision.
• Be skeptical.
• Don’t allow intimidation to work. No legitimate individual should force you to violate the company security policy
• Never disclose password information
• Promising something good in exchange for an action or information
• A USB stick found in the parking lot might have interesting information on it.
• Download this gaming app, when it actually contains malware
• Scan all downloaded items
• Avoid downloads from untrusted sources
• Avoid downloads that haven’t been digitally signed.
• Similar to Baiting, but offers a service rather than a good in exchange for information or an action
• I will help you with a bug in your system if you’ll just turn off your anti-virus program
• Allow me remote access to your system so I can show you how to install this file
• When in doubt follow policy and check with your IT Security department.
• Entering a building directly behind someone who has used their credentials for access.
• Often facilitated by users holding door open for someone behind them.
• Takes advantage of the fact that many people strive to be courteous
• Ask to see credentials, and if credentials can’t be provided, escort to security
• Require multifactor authentication
• Trust no one!
• Follow company policy
• When in doubt, call your security team
• If you make a mistake and divulge more information than intended, notify your security team
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD (PCI DSS) WRAP-UP
• PCI DSS: Why, What, How, and Who?
• Why do we need the PCI DSS?
• What is PCI DSS and what does it do?
• How does PCI-DSS protect financial and personal information?
• Who is affected by PCI DSS and to whom does it apply?
• A word on Social Engineering
• Wrap-Up
• The majority of material for this presentation was provided courtesy of the Payment Card Industry Security Standards Council via https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
• NOTE: This presentation is not and shall not be considered legal advice. Cybrary is providing you with general information about the rules and general information regarding the Payment Card Industry
Data Security Standard. Please make sure that for legal questions specific to your company, ensure you are working with your own legal counsel who can best represent your organization.