Presentation Materials - Introduction

DRAFT
PCI DSS Version 3.0
For Controllers and Business Users
November 10, 2014
Luke Harris, Office of the State Controller
David Reavis, UNC General Administration
• Not intended to:
– Educate you on what PCI is
• Standard has been in effect since 2005
• Info available on PCI Council’s website
– Scare you into becoming PCI compliant
• Target and Home Depot sufficient examples
• Potential fines and loss of employment sufficient
• Intended to focus on responsibilities of the business office (Campus Controller)
Whose Responsibility is PCI?
• PCI is a business problem, primarily with an IT solution
– Vulnerability Scanning, Penetration Testing
– Firewalls, encryption, software updates, etc.
– Business should be familiar with various IT requirements
• However, some elements require the business office (campus controller) involvement
– Ensuring/monitoring of service providers’ compliance
– Physical protection of capture devices and cardholder data
– Employee awareness training and attestation
– Security Incident Response Plan and annual testing
• Coordination between IT and business staff critical
What’s New – 3.0
• Business-as-usual theme – Emphasis on being security aware on a continuous basis, not just once per year
• Clarification of some requirements, with added subrequirements
• Required penetration testing, in addition to vulnerability scanning
• Physical protection of card capture devices
• Eight SAQs instead of four
• Version 3.0 Assessment Document
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Penetration Testing Vs. Scanning
• Requires quarterly external vulnerability scanning of external IP addresses by an ASV
• Requires quarterly internal vulnerability scanning (Req. 11.2)
– Can be performed internally
• After the first year, four quarters of passing vulnerability scans must have occurred to be considered compliant
• Effective July 2015, requirement 11.3.4 requires annual external and internal penetration tests to validate that segmentation methods are “operational and effective.” (Advanced hacker techniques to bypass security controls.)
• Business office should inquire of IT whether vulnerability scanning and penetration testing are required/performed.
Physical Protection of Devices
• 9.9. Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
– New requirement effective July 2015
– Card-reading devices for card-present transactions (POS terminals)
– Required for swipe devices, but recommended for key devices such as keyboards and POS keypads
Protection of Devices – Cont.
• 9.9.1. Maintain an up-to-date list of devices
• 9.9.2. Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
• 9.9.3. Provide training for personnel to be aware of attempted tampering or replacement of devices
– Verify the identity of any third-party persons claiming to be repair or maintenance personnel
– Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
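The two record-keeping pieces of 9.9 (an up-to-date device list under 9.9.1 and periodic inspections under 9.9.2) only catch substitution if someone actually compares them. The following is an added example, not part of the presentation and not an OSC or PCI Council tool: it reconciles a constructed device inventory against a constructed inspection log and reports the findings an inspector should act on (serial number changed, device overdue for inspection, device inspected but missing from the list, tamper indicators recorded). Device names, serials and locations are hypothetical.

```python
"""Reconcile a PCI DSS 9.9.1 device inventory with 9.9.2 inspection records.

Added example. Inventory and inspection data are constructed inline and are
hypothetical; a campus would load them from its own inventory system and
inspection checklists instead.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str      # inventory tag assigned when deployed
    make_model: str
    serial: str         # serial number recorded at deployment (9.9.1)
    location: str


@dataclass(frozen=True)
class Inspection:
    device_id: str
    inspected_on: date
    observed_serial: str            # read off the device during inspection (9.9.2)
    observed_location: str
    tamper_indicators: Tuple[str, ...] = ()   # e.g. ("seal broken",)


# Constructed sample inventory (hypothetical devices).
INVENTORY = [
    Device("POS-001", "Terminal model X", "SN-A1B2C3", "Bookstore register 1"),
    Device("POS-002", "Terminal model X", "SN-D4E5F6", "Bookstore register 2"),
    Device("POS-003", "PIN pad model Y", "SN-G7H8I9", "Dining hall"),
    Device("POS-004", "PIN pad model Y", "SN-J0K1L2", "Parking office"),
]

# Constructed sample inspection log for the same hypothetical devices.
INSPECTIONS = [
    Inspection("POS-001", date(2014, 11, 3), "SN-A1B2C3", "Bookstore register 1"),
    Inspection("POS-002", date(2014, 11, 3), "SN-ZZ9999", "Bookstore register 2"),  # serial differs
    Inspection("POS-003", date(2014, 8, 1), "SN-G7H8I9", "Dining hall",
               tamper_indicators=("overlay on card slot",)),
    Inspection("POS-009", date(2014, 11, 3), "SN-Q3R4S5", "Athletics ticket window"),  # not on list
]


def reconcile(inventory: List[Device], inspections: List[Inspection],
              as_of: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return sorted (device_id, finding) pairs; an empty list means no exceptions.

    Checks: every listed device has a recent inspection, the observed serial and
    location match the inventory, no tamper indicators were recorded, and no
    inspected device is missing from the inventory.
    """
    listed = {d.device_id: d for d in inventory}

    # Keep only the most recent inspection per device.
    latest = {}
    for ins in inspections:
        prev = latest.get(ins.device_id)
        if prev is None or ins.inspected_on > prev.inspected_on:
            latest[ins.device_id] = ins

    findings = []
    for dev in inventory:
        ins = latest.get(dev.device_id)
        if ins is None:
            findings.append((dev.device_id, "never inspected"))
            continue
        if as_of - ins.inspected_on > timedelta(days=max_age_days):
            findings.append((dev.device_id, f"inspection overdue (last {ins.inspected_on})"))
        if ins.observed_serial != dev.serial:
            findings.append((dev.device_id,
                             f"serial mismatch: expected {dev.serial}, observed "
                             f"{ins.observed_serial} (possible substitution)"))
        if ins.observed_location != dev.location:
            findings.append((dev.device_id,
                             f"location mismatch: expected {dev.location}, observed "
                             f"{ins.observed_location}"))
        for indicator in ins.tamper_indicators:
            findings.append((dev.device_id, f"tamper indicator: {indicator}"))

    for device_id in latest:
        if device_id not in listed:
            findings.append((device_id, "inspected device not on the 9.9.1 inventory"))
    return sorted(findings)


if __name__ == "__main__":
    for device_id, finding in reconcile(INVENTORY, INSPECTIONS, as_of=date(2014, 11, 10)):
        print(f"{device_id}: {finding}")
```

Run against the sample data as of November 10, 2014, the report flags POS-002 (serial changed), POS-003 (last inspected in August and showing an overlay), POS-004 (never inspected) and POS-009 (inspected but not on the list); POS-001 produces nothing. The 90-day interval is an assumption for the example; 9.9.2 leaves the inspection frequency to the merchant's risk assessment.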
Service Providers
• 12.8. Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
– 12.8.1. Maintain a list of service providers.
– 12.8.2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Service Providers – cont’d
• 12.8.3. Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement
• 12.8.4. Maintain a program to monitor service providers’ PCI DSS compliance status at least annually
• 12.8.5. Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity
Security Incident Plan
• The criticism of Target’s breach was that it did not respond in a timely manner
• 12.10.1. Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: (Edited for business office)
– Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands…
– Analysis of legal requirements for reporting compromises
– Reference or inclusion of incident response procedures from the payment brands
• 12.10.2. Test the plan at least annually
OSC’s Policy for Incident
• Notify OSC immediately (within 24 hours)
• OSC will coordinate notification to the card processor and the card brands
• Applicability of NC Identity Theft Act to be considered
• Campus’s legal counsel to be involved
• OSC will advise on timing of any press releases
http://www.osc.nc.gov/policy/EC/500.10_Merchant_Cards_Security_Incident_Plan.pdf
Face-to-Face and MOTO Only
• B – POS analog not connected to IP *
• B-IP – POS connected to IP * #
• C-VT – Virtual Terminal IP, dedicated or segmented, and keyed only * #
• C – POS Software connected to IP, dedicated or segmented * #
• P2PE-HW – POS hardware managed w/ Point to Point Encryption *
• D – Cardholder data is stored #
eCommerce Only
• A – Card-not-present fully outsourced *
• A-EP – Outsourced, but website redirect can impact security of payment * #
• D – Cardholder data is either processed, transmitted, or stored #
Combination of Face-to-Face and eCommerce
• D – All merchants not included entirely in any one of the above, or where cardholder data is stored (Systems are connected / Not segmented) #
* Indicates cardholder data is not stored; # Indicates vulnerability scanning required.
SAQ A vs. SAQ A-EP
• SAQ A and SAQ A-EP are for merchants that use eCommerce channels only (no face-to-face)
• Initial interpretation of the standard was that a website that has a “redirect” to a payment gateway is required to prepare SAQ A-EP, which requires vulnerability scanning.
• May 2014 guidance document, however, clarifies that a “URL redirect” (e.g., TouchNet) can still use SAQ A, if cardholder data is not entered on the merchant’s website.
• However, if the merchant also has face-to-face applications in addition to eCommerce, SAQ D applies anyway
Impact of New SAQs
• Under 3.0, the SAQ required is determined by channel:
– eCommerce channel only
– Face-to-face and MOTO only
– Combination of eCommerce and face-to-face
• Some campuses currently use SAQ D and will continue to do so
• Most campuses currently using A, B, and C will now have to use SAQ D, since they have a combination of channels
• SAQ D should not scare you, as it has a column for N/A
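The SAQ slide and the two slides after it together describe a decision procedure: pick the channel mix first, then the channel-specific criteria, with the May 2014 redirect clarification and the combination-means-D rule as the edge cases. The following is an added example, not from the presentation or the PCI Council, that encodes only the simplified criteria shown in this deck as a screening aid. The profile attributes (`pos_connected_to_ip`, `outsourced_payment_page`, `website_can_impact_payment_security`, and so on) are names chosen for the example; the real SAQ eligibility criteria are longer and govern.

```python
"""Screen a merchant profile against the simplified PCI DSS 3.0 SAQ criteria
from the slides above. Added example; attribute names are assumptions made
here, not PCI Council terminology."""
from dataclasses import dataclass
from typing import Tuple

# '#' on the slide: vulnerability scanning required.
SCAN_REQUIRED = {"B-IP", "A-EP", "C-VT", "C", "D"}


@dataclass
class MerchantProfile:
    face_to_face: bool = False               # card-present / MOTO channel in use
    ecommerce: bool = False                  # eCommerce channel in use
    stores_chd: bool = False                 # cardholder data stored anywhere
    # face-to-face attributes
    pos_connected_to_ip: bool = False
    pos_is_software: bool = False            # POS software rather than a standalone terminal
    virtual_terminal_keyed_only: bool = False
    segmented_or_dedicated: bool = False     # payment systems segmented or on a dedicated network
    p2pe_hardware: bool = False              # POS hardware under a managed P2PE solution
    # eCommerce attributes
    outsourced_payment_page: bool = False    # payment page fully hosted by a third party
    website_can_impact_payment_security: bool = False   # the A-EP condition on the slide
    chd_entered_on_merchant_site: bool = False


def select_saq(p: MerchantProfile) -> Tuple[str, bool]:
    """Return (SAQ, scanning_required) for the profile."""
    if not (p.face_to_face or p.ecommerce):
        raise ValueError("profile has no payment channel")
    if p.face_to_face and p.ecommerce:
        saq = "D"                  # combination of channels: D regardless of each channel
    elif p.stores_chd:
        saq = "D"                  # every '*' SAQ assumes cardholder data is not stored
    elif p.ecommerce:
        saq = _ecommerce_saq(p)
    else:
        saq = _face_to_face_saq(p)
    return saq, saq in SCAN_REQUIRED


def _ecommerce_saq(p: MerchantProfile) -> str:
    if p.chd_entered_on_merchant_site or not p.outsourced_payment_page:
        return "D"                 # merchant systems process or transmit cardholder data
    if p.website_can_impact_payment_security:
        return "A-EP"
    return "A"                     # includes a plain URL redirect (May 2014 guidance)


def _face_to_face_saq(p: MerchantProfile) -> str:
    if p.p2pe_hardware:
        return "P2PE-HW"
    if not p.pos_connected_to_ip:
        return "B"
    if p.virtual_terminal_keyed_only and p.segmented_or_dedicated:
        return "C-VT"
    if p.pos_is_software:
        # Connected POS software that is neither dedicated nor segmented is
        # "not included entirely in any one of the above" and falls to D.
        return "C" if p.segmented_or_dedicated else "D"
    return "B-IP"                  # standalone terminal connected to IP


if __name__ == "__main__":
    cases = {
        "bookstore terminal + TouchNet redirect":
            MerchantProfile(face_to_face=True, pos_connected_to_ip=True,
                            ecommerce=True, outsourced_payment_page=True),
        "eCommerce only, URL redirect":
            MerchantProfile(ecommerce=True, outsourced_payment_page=True),
        "dial-up terminal only":
            MerchantProfile(face_to_face=True),
    }
    for label, profile in cases.items():
        print(f"{label}: SAQ {select_saq(profile)[0]}, scanning required={select_saq(profile)[1]}")
```

The first case is the situation the slides single out: each channel alone would qualify for B-IP and A, but the combination lands on SAQ D and therefore on quarterly scanning. The profile flags are deliberately coarse; a real determination should be made from the SAQ instructions and guidelines rather than from this screen.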
New Validation Portal
• Appropriate SAQ will still be answered at the doing-business-as level or chain level
• OSC is in the middle of the RFP process and bids are currently being evaluated.
• Communication will be sent out to participants once an award is finalized.
Contact Information:
David Reavis
Office of Compliance and Audit Services
UNC General Administration
140 Friday Center Drive
Chapel Hill, NC 27517
Cell: 919-801-9417
Email: dcreavis@northcarolina.edu

Luke Harris
Statewide Accounting
North Carolina Office of the State Controller
1410 Mail Service Center
Raleigh, NC 27699-1410
Phone: 919-707-0667
Email: luke.harris@osc.nc.gov