5B 435 - 515 Bhaskar Maddala MphasiS HP NonStop OZTUG

The future is mission critical
Solutions your way
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
MphasiS PCI DSS Offerings
Bhaskar Maddala
Associate Vice President
MphasiS Australia Pty Ltd – a HP Company
Agenda
• What is PCI DSS?
• What it means for us / who gets affected?
• Meaning for me and who does it affect?
• How to be compliant?
• What if not compliant?
• PCI compliance for NonStop
• MphasiS PCI service approach and service offerings
• Case Studies
What is PCI DSS?
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
PCI DSS is primarily concerned with the Processing, Storage and Transmission of the Primary Account Number (PAN) on the front of every Debit and Credit Card, and its protection.
• Joint effort of
– VISA International
– MasterCard Worldwide
– American Express
– Discover Financial Services
– JCB
• Includes 12 security requirements (approx. 327 sub-requirements) grouped into six control objectives.
• First version (1.0) published in December 2004, second version (1.2) in October 2008.
• Current version of the standard is 2.0 (October 2010).
Primary PCI DSS Role Players
PCI DSS, WHY?
Response to an alarming increase in the theft of payment card data
• Several high profile cases in the US
– TJX Companies (January 2007, 45+ million customers affected)
– Hannaford Brothers (March 2008, 4+ million customers affected)
• Payment card processors had security breaches too
– Heartland Payment Systems (January 2009, 100 million transactions per month)
• Security breached at small businesses as well
• Limited public information in Australia
– RosesOnly (September 2007, 20,000 customers affected)
– Bottle Domains (February 2009, 60,000 customers affected)
Note: In some of the cases above (Hannaford and Heartland) the compromised entity was PCI DSS compliant
Benefits of compliance
• Protect customers' personal data
• Boost customer confidence through a higher level of data security
• Lower exposure to financial losses and remediation costs
• Maintain customer trust and safeguard the reputation of the brand
• Provide a complete "health check" for any business that stores or transmits customer information
What are criminals after?
Most bad actors want to obtain the track data:
Magnetic Track Data:
– PAN
– USERNAME
– EXPIRY DATE
– CVC 1 / CVC 2
And especially the PIN
Why this information?
• Multiple stripe cards can be made using the track 2 data, which can also be used to perform 'card not present' fraud
• The PIN can be used with the counterfeit cards for any transactions (cash withdrawal etc.)
Common challenges to become PCI compliant
• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payment card systems and data
• Controlling logical access (authentication) to systems containing payment card data
• Security event monitoring across a disparate environment
• Limited security capabilities (authentication, monitoring, etc.) of legacy systems
• Remediation of controls across large (often legacy) distributed environments
• Encryption of payment card data
• Putting PCI contractual language in place for third party service providers
• Obtaining management support to perform remediation
Typical Authorisation / Clearing and Settlement process
Trends in PCI Compliance market
State of compliance: How is the PCI DSS perceived and prioritised in business?
• Businesses are still not taking data security seriously and are struggling with compliance costs
• Business units own compliance assessment budgets, but IT security is responsible for compliance
• Few organisations fail compliance, but many rely on mechanisms not prescribed by the PCI DSS
Achieving compliance: How are businesses living up to PCI DSS requirements?
• Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve
• Firewalls and encryption are the most effective technologies for achieving compliance
• Cost of annual audits averages $225,000 per year for the large merchants
Protecting cardholder data: Where is data at risk and how is it being protected?
• Handling charge backs still requires storage of cardholder data
• Cardholder data is most at risk travelling across merchant networks and stored in databases
• Encryption is the favored technology for achieving end-to-end cardholder data protection
• Controlling access to encryption keys is the most difficult key management task
Ref: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/PCIDSSTrends-QSAInsights010310.pdf
PCI = Convergence of Technology, People and Process
12 rules of compliance
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
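Requirement 3 (protect stored cardholder data) and Requirement 10 (track and monitor access) meet in application logs, which often end up holding the PAN and track data the earlier slide lists. The following is an added example, not from the slides or from MphasiS: it scans constructed log lines for Luhn-valid PANs, masks them to the first six / last four digits that PCI DSS permits for display, and flags track-2-style data, which the standard bars from storage after authorisation. The function and pattern names are my own.

```python
import re

# Added example (not from the slides): find and mask unmasked PANs in stored
# log lines, and flag track-2-style data. Sample lines below are constructed.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, separators allowed
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4}\d*")        # PAN '=' YYMM service-code ...

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts most random digit runs (IDs, timestamps) but not all,
    so hits still need a human look (about 1 in 10 random runs pass)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS 3.3: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str) -> tuple[str, int, bool]:
    """Return (masked_line, number_of_pans_masked, track2_seen) for one log line."""
    track2 = TRACK2_RE.search(line) is not None   # check before masking alters digits
    count = 0
    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number, leave untouched
        count += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), count, track2

SAMPLE_LOG = [  # constructed; 4111... and 5555... are standard test card numbers
    "2012-03-01 10:15:02 auth ok pan=4111 1111 1111 1111 amt=19.99",
    "2012-03-01 10:15:03 order 1234567890123 ref 0400000000",
    "2012-03-01 10:15:04 swipe ;5555555555554444=25121011000?",
]

def scan_log(lines: list[str]) -> list[tuple[str, int, bool]]:
    return [scan_line(l) for l in lines]

if __name__ == "__main__":
    for masked, n, t2 in scan_log(SAMPLE_LOG):
        print(f"pans={n} track2={t2} {masked}")
```

Run it over real log exports the same way; any line reporting track2=True is evidence of sensitive authentication data being retained, which is a Requirement 3 finding in its own right.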
MphasiS – PCI Service Approach
The PCI DSS Management Services Offering contains the following packages:
PCI DSS Integrated Management Services: A comprehensive package of base infrastructure related services, ensuring that processes and overall security controls are in place and that compliance with the PCI Data Security Standards is provided. This service covers all requirements related to infrastructure support that can be outsourced by the client.
PCI DSS Discrete Management Services: A set of standalone security services, each addressing a certain set of PCI Data Security Standards, that clients can select for addressing specific PCI DSS requirements.
MphasiS GNIS – Service Offerings
PCI related services for first time clients:
– PCI consulting
– PCI DSS Pre Compliance Assessment
– PCI DSS Gap Analysis
– PCI DSS Implementation [Custom solutions, Point Solutions]
– Formulating policies in line with PCI requirements
– PCI DSS Pre Audit & Audit Preparation
– PCI Training
– Penetration Testing and Vulnerability Assessment
PCI related services for already certified customers:
– Provide continuum services
– Ensure that the certification remains valid
– Conduct bi-annual mock audits
– Help in pre-assessment and assessment audits with a certified QSA
In Short ….
• A number of NonStop customers have passed PCI certification audits on their systems!
• However, there is no standard process or single security product that automatically achieves PCI compliance on any system
• PCI DSS compliance is achieved by a combination of enforced policies, process and technology
• Organizations must create and implement appropriate security-related policies and practices for their business
• Selecting and making proper use of security products can help ensure that policies and best practices are met
Why MphasiS?
• An integrated approach which is vendor neutral and has customers' interests in mind
• We have delivered PCI compliance services for several customers successfully
• An approach that could help meet your NonStop Security & PCI needs at optimal cost – reusable components and specific methodologies
• A strong team with knowledge of some of the world's renowned security standards: 182 Security Consultants; 17 FTEs in PCI COE (SME + Technical team)
• Strong focus on the Payments business unit
• Provides alternatives that match the security awareness of your organization, with a gradual increase in consciousness
MphasiS GNIS Infosec and PCI COE Team
MphasiS GNIS has been operational for 5 years. This team is involved both in developing security capabilities and in delivering ongoing security services for HP and HP clients.
MphasiS ITO GNIS Security team is staffed with:
• Total 500+ energetic workforce in GNIS
• Dedicated group of 182+ MS/MBA Security Engineers, Consultants, PMs & Analysts in IS
• Technical members having skills in security engineering and software platforms used in development
• More than 10 ongoing Security Projects with dedicated & leveraged Security Project Management professionals
Competency Matrix (Total Head Count)
Certified Information Systems Auditor (CISA): 6
Certified Information System Security Professional (CISSP): 15
Certified Information Security Manager (CISM): 5
Security engineers with Infrastructure/App security development expertise: 12
Project Management Professionals (PMP): 6
IDAM Identity Management and SSO (IMS LM (FIM), CA, IBM Tivoli, Sun, HP, RSA, OIM, CA eTrust, AD): 53
Managed Security Services Professionals: 156
– SIM: NetIQ Security Manager, ArcSight, netForensics, eSecurity etc.
– Endpoint Security: Symantec/Sygate, Cisco CSA, McAfee
– Vulnerability Management: NetIQ VM, Symantec VM etc.
– Critical Component Mgt: Checkpoint, RealSecure IDS, Cisco PIX, McAfee HIPS etc.
– Content Filtering: SurfControl Web and Email Filter, Trend Micro IMSS (SPS) etc.
– PKI: Verisign, RSA, Sun, Entrust etc.
– IDS/IPS: ISS, Cisco, Symantec, McAfee, Enterasys
– Firewall: Cisco, Checkpoint, Sygate
– Anti virus: McAfee, Symantec, TrendMicro
Technical Workforce: 182
Case Studies (Selective)
• BNTB – IT Security/Compliance and IT Operations (Completed)
• Pegasus (Completed )
• National City GSN (Completed)
• HP ECS : HP Enterprise Cloud Services (Ongoing)
• TOPs Retails Chains (Completed)
• Luxottica
• DCNA 2.1 /HSP 3.1 (Assessment Completed)
BNTB – IT Security/Compliance and IT Operations
Customer Overview
Bank of N.T. Butterfield & Son Limited (BNTB): The Butterfield Group is a full service community bank and a provider of specialized international financial services.
Project Overview
HP entered into a new agreement with BNTB to transform their security infrastructure to meet the PCI DSS standards/requirements. MphasiS and HP PCI architects and engineers designed the solution with 2 PCI compartments and drove the process to meet the standards.
Services Featured
Security Management:
A. User Provisioning & De-provisioning
B. Centralised management of identity data in a heterogeneous environment of 600+ servers
C. Automated Workflow
D. Auditing and reporting
E. SRF & Digital Workflow Tool
Compliance:
A. PCI DSS compliant solutions/compartment.
Incident Management:
A. Analysis, resolution and closure
B. Acceptance and responding
C. Capture, logging and routing
Problem Management:
A. Handling escalated incidents
B. Incident trend analysis
BNTB – Security Office Team
Challenges
• Lack of security policies
• Customized applications used for card processing
• Partially automated workflows
• No regulation in the flow of requests
• Delayed approval of requests from role owners
Benefits Delivered
• Significant reduction in cost overhead due to effective best shoring
• PCI DSS ready solution
Thank you
Bhaskar Maddala
Associate Vice President
MphasiS Australia Pty Ltd – a HP Company
Mob: +61 424761703
Bhaskar.Maddala@hp.com, Bhaskar.maddala@mphasis.com
www.MphasiS.com