Protecting Credit Card Information

IT Security Roundtable
January 14, 2011
Harvard Townsend
Chief Information Security Officer
Why we should care
Payment card industry (PCI)
expectations of merchants
Overview of PCI Data
Security Standards (PCI DSS)
PCI compliance at K-State
Open discussion
The Risks
Stolen credit card information and the major
costs associated with a breach
Notifying/compensating victims ($30 each)
Damages/liability for lost credit card numbers
Fines (depends on card brand or bank;
range from $10K to $200K per month)
Additional compliance reporting/auditing
requirements (may move to level 1 merchant)
Bank or credit card company may refuse to
do business with us
Identity theft
Damage to reputation – perhaps more
expensive/important than any of the above
Economics of a breach
A hypothetical merchant compromises 10,000 accounts
• Notify clients
$30 x 10,000 = $300,000
• Fines and penalties
• Increased audit needs
$25,000 x 3 years = $75,000 (minimum)
• Fraud liability
500 accounts x $1,000 = $500,000
• Reputation Loss
PCI Expectations
[PCI = Payment Card Industry]
• PCI Data Security Standards compliance
• Validate our compliance
Annual Self-Assessment Questionnaire
Quarterly network scans by an external
vendor (“Approved Scan Vendor”, or ASV)
Validation method dependent on our
“Merchant Level”, which is a reflection of
the number of transactions per year
K-State now a level 3 merchant (several individual merchant IDs > 20,000
transactions per year in FY2010, cumulative ~ 280,000)
PCI Expectations
This means every K-State entity with a
merchant ID (i.e., any department that
accepts credit card payments) must:
Protect cardholder information (ultimate goal)
Fill out an SAQ every year
Have its credit card technical infrastructure
scanned for vulnerabilities by an approved
scan vendor four times a year
Ensure compliance with PCI DSS
K-State currently has 47 merchant IDs
PCI Expectations
There are 4 types of SAQs, based on how card info is accepted
The Players
“Payment Card Industry” encompasses all the
organizations that store, process and transmit
cardholder data
PCI Security Standards Council (PCI SSC)
Card brands (VISA, MasterCard, etc.)
Banks (Bank of America, Chase, etc.)
Service Providers (manage the transactions for the
banks, like PayPal, FirstData, VeriSign)
Merchants (like K-State – the entity that takes the
credit card info from the customer)
PCI Assessors (Qualified Security Assessor – QSA)
Approved Scan Vendor (ASV)
Overview of PCI DSS
Six goals with 12 general security
~150 detailed requirements
288 testing procedures to assess whether a
requirement is “in place”
It is a substantial set of requirements designed
to provide adequate protection of “cardholder
Many are technical, but some are process and
policy oriented; requirement 12 even dabbles
in contract law
Compliance = implementing all the
Overview of PCI DSS
Build and Maintain a Secure Network
• Establish firewall and router configuration standards…
Restrict connections between untrusted networks and
any system components in the cardholder data
… review firewall and router rule sets at least every six
… verify that inbound and outbound traffic is limited to that
which is necessary for the cardholder data environment,
and all other traffic is specifically denied (i.e., use an explicit
“deny all” or implicit deny after allow statements)
Prohibit direct public access between the Internet and
any system component in the cardholder data
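The rule-set review quoted on this slide can be checked mechanically. The script below is an added example, not part of the original presentation and not any firewall vendor's tooling: it models rules as plain Python objects (zones "internet", "dmz", "cde" and "mgmt" are assumed names) and flags the three things the testing procedures look for: no explicit final "deny all", wildcard allows, and any rule that joins the Internet directly to the cardholder data environment. NEEDED is a constructed stand-in for the documented list of traffic the CDE actually requires.

```python
"""Review a firewall rule set against the requirement-1 expectations quoted
above: only documented cardholder data environment (CDE) traffic is allowed,
everything else hits an explicit final "deny all", and nothing connects the
Internet directly to the CDE.

Added example, not from the original slides.  Rules are modelled as plain
Python objects rather than any vendor's syntax, and NEEDED is a constructed
stand-in for the documented list of traffic the CDE requires.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source zone: "internet", "dmz", "cde", "mgmt" or ANY
    dst: str      # destination zone
    proto: str    # "tcp", "udp" or ANY
    port: str     # destination port, or ANY


# Constructed: the traffic the CDE is documented to need (assumption).
NEEDED = {
    ("dmz", "cde", "tcp", "443"),   # web tier -> payment application over TLS
    ("cde", "dmz", "tcp", "443"),   # payment application -> processor proxy
    ("cde", "mgmt", "udp", "514"),  # syslog to the central log server
}


def is_deny_all(rule):
    return (rule.action == "deny"
            and (rule.src, rule.dst, rule.proto, rule.port) == (ANY, ANY, ANY, ANY))


def review_rules(rules):
    """Return a list of findings; an empty list means the set passes review."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append("no explicit 'deny all' as the final rule")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        key = (r.src, r.dst, r.proto, r.port)
        touches_cde = "cde" in (r.src, r.dst)
        if touches_cde and "internet" in (r.src, r.dst):
            findings.append(f"rule {i}: direct Internet access to the CDE {key}")
        elif ANY in key:
            findings.append(f"rule {i}: wildcard in allow rule {key}")
        elif touches_cde and key not in NEEDED:
            findings.append(f"rule {i}: CDE traffic not in the documented needs {key}")
    return findings


# Constructed rule sets: one that passes and one with typical review findings.
GOOD_RULES = [
    Rule("allow", "dmz", "cde", "tcp", "443"),
    Rule("allow", "cde", "dmz", "tcp", "443"),
    Rule("allow", "cde", "mgmt", "udp", "514"),
    Rule("deny", ANY, ANY, ANY, ANY),
]
BAD_RULES = [
    Rule("allow", "internet", "cde", "tcp", "3389"),  # remote desktop straight in
    Rule("allow", "cde", "mgmt", "tcp", ANY),         # any port to management
    Rule("allow", "dmz", "cde", "tcp", "443"),
    # no final deny: the platform's implicit default decides everything else
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, review_rules(rules) or "OK")
```

Running it prints an empty finding list for GOOD_RULES and three findings for BAD_RULES. In practice the NEEDED table is the documented business justification the assessor asks for, so keeping it in version control next to the exported rule set makes the six-monthly review a diff rather than a rediscovery.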
Protect Cardholder Data
• Do not store sensitive authentication data
after authorization (even if encrypted)…
… card verification value (3-digit code on back
of the card), PIN, or mag stripe content
Render PAN [Primary Account Number]
unreadable anywhere it is stored…
… examine a sample of removable media (for
example, back-up tapes) to confirm that the
PAN is rendered unreadable
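Two of the testing procedures on this slide are "look through a sample of stored data for readable PANs" and "confirm the PAN is rendered unreadable". The following added example (not from the original presentation, and not any vendor's product) shows both: a scanner that finds candidate card numbers in a blob of text and confirms them with the Luhn checksum, plus the masked display form and a keyed one-way hash for storage. The sample records use well-known test card numbers, and HASH_KEY is a placeholder for a key that would live in a key-management system.

```python
"""Find primary account numbers (PANs) in stored data and render them
unreadable: scan a sample (e.g. a backup extract) for readable PANs, then
produce the masked or keyed-hash forms that may be kept instead.

Added example, not from the original slides.  The sample records use
well-known test card numbers (valid Luhn checksums, not real accounts), and
HASH_KEY is a placeholder for a key held in a key-management system.
"""
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
HASH_KEY = b"placeholder-key-from-kms"  # assumption: managed outside the code


def luhn_ok(digits):
    """Luhn checksum, which every card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalise(match):
    """Digits of a regex match if it is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """Return every PAN (digits only) found in a blob of stored data."""
    return [d for d in (_normalise(m) for m in PAN_RE.finditer(text)) if d]


def mask_pan(digits):
    """Display form: at most the first six and last four digits are visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(digits, key=HASH_KEY):
    """Storage form: keyed one-way hash, so the stored value cannot be reversed
    to the PAN or brute-forced over the PAN space without the key."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact(text):
    """Replace every PAN in text with its masked form; other numbers stay."""
    return PAN_RE.sub(lambda m: mask_pan(_normalise(m)) if _normalise(m) else m.group(),
                      text)


# Constructed sample of what a backup might contain.
SAMPLE = """\
order=1001 card=4111 1111 1111 1111 exp=12/13
order=1002 phone=5551234567 card=5500-0000-0000-0004
order=1003 note=tracking 123456789012345 is not a card
"""

if __name__ == "__main__":
    print("PANs found:", [mask_pan(p) for p in find_pans(SAMPLE)])
    print(redact(SAMPLE))
```

The scanner reports the two card numbers and ignores the phone number and the tracking number (right length, wrong checksum). The same pattern-plus-checksum test is what discovery tools run across file shares and backup media; the hash function is keyed because a plain hash of a 16-digit number with a known prefix range is cheap to brute-force.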
Maintain a Vulnerability Mgmt Program
• Use and regularly update antivirus software…
Ensure that all system components and software are
protected from known vulnerabilities by having the
latest vendor-supplied security patches installed…
… we can handle this one!!!
… interview responsible personnel to verify that processes
are implemented to identify new security vulnerabilities and
rank them based on risk
Follow change control processes and procedures for all
changes to system components…
… for a sample of system components and recent
changes/security patches, trace those changes back to
related change control documentation
Implement Strong Access Control Measures
• Limit access to system components and cardholder
data to only those individuals whose job requires such
Incorporate two-factor authentication for remote
… confirm that privileges are assigned to individuals based
on job classification and function
… observe an employee connecting remotely to the
network and verify that two of the three authentication
methods are used
Ensure proper user identification and authentication
management for non-consumer users and
administrators on all system components…
… change user passwords at least every 90 days
Regularly Monitor and Test Networks
• Implement automated audit trails for all
system components…
… verify all individual access to cardholder data is
logged, along with all actions taken by any
individual with root or administrative privileges
Review logs for all system components at
least daily
Retain audit trail history for at least one year,
with a minimum of three months immediately
available for analysis
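What "review logs daily" and "retain one year, three months online" look like in practice is easier to see with a small script. This is an added example, not part of the original presentation: the log format, the sample lines and the archive inventory are all constructed. It pulls out the two things the slide says must be logged (every access to cardholder data and every action by an administrative account) for one calendar day, and classifies archived log files by age against the retention rule.

```python
"""Daily review of an audit trail for the items quoted above (every access to
cardholder data, every action by an administrative account) and a check that
log history is kept for a year with the last three months immediately
available.

Added example, not from the original slides.  The log format, the sample
lines and the archive file dates are all constructed for the demonstration.
"""
from collections import Counter
from datetime import date, datetime

# Constructed format: <ISO timestamp> <user> <privilege> <action> <object>
SAMPLE_LOG = """\
2011-01-13T08:02:11 jdoe user login pos-terminal-1
2011-01-13T08:05:40 jdoe user read cardholder/txn-8812
2011-01-13T09:15:03 root admin modify /etc/ssh/sshd_config
2011-01-13T11:40:22 asmith user read cardholder/txn-8820
2011-01-13T11:41:10 asmith user read cardholder/txn-8821
2011-01-13T23:58:59 svc-backup admin read cardholder/export.csv
2011-01-14T00:10:00 jdoe user logout pos-terminal-1
"""


def parse_line(line):
    ts, user, priv, action, obj = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "priv": priv, "action": action, "obj": obj}


def daily_review(log_text, day):
    """Collect what the reviewer must look at for one calendar day."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    report = {"cardholder_access": [], "admin_actions": [], "per_user": Counter()}
    for e in events:
        if e["ts"].date() != day:
            continue
        if e["obj"].startswith("cardholder/"):   # individual access to cardholder data
            report["cardholder_access"].append(e)
        if e["priv"] == "admin":                 # root / administrative actions
            report["admin_actions"].append(e)
        report["per_user"][e["user"]] += 1
    return report


def retention_status(archives, today, hot_days=90, keep_days=365):
    """Classify archived log files by age: 'online' must stay immediately
    available, 'archived' must still be retained, 'purgeable' has passed the
    one-year minimum (only then may a retention policy delete it)."""
    status = {"online": [], "archived": [], "purgeable": []}
    for name, last_day in archives.items():
        age = (today - last_day).days
        if age <= hot_days:
            status["online"].append(name)
        elif age <= keep_days:
            status["archived"].append(name)
        else:
            status["purgeable"].append(name)
    return status


# Constructed archive inventory: file name -> last day it covers.
ARCHIVES = {
    "audit-2009-12.log": date(2009, 12, 31),
    "audit-2010-09.log": date(2010, 9, 30),
    "audit-2011-01.log": date(2011, 1, 13),
}


def demo_review():
    return daily_review(SAMPLE_LOG, date(2011, 1, 13))


def demo_retention():
    return retention_status(ARCHIVES, date(2011, 1, 14))


if __name__ == "__main__":
    rep = demo_review()
    print(len(rep["cardholder_access"]), "cardholder data accesses,",
          len(rep["admin_actions"]), "admin actions,", dict(rep["per_user"]))
    print(demo_retention())
```

For 13 January the review turns up four reads of cardholder data and two admin actions, one of them a service account exporting cardholder data at midnight, which is exactly the kind of line a daily review exists to catch. Note the purge rule is deliberately the last branch: nothing is removed until it is older than the full retention period.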
Regularly Monitor and Test Networks continued…
Test for the presence of wireless access points and detect
unauthorized wireless access points on a quarterly basis
Run internal and external network scans at least quarterly
and after any significant change in the network
Perform internal and external penetration testing at least once a
… via an Approved Scanning Vendor (ASV) approved by the PCI
Security Standards Committee
… at the network layer and application layer
Use intrusion-detection systems, and/or intrusion-prevention systems,
to monitor all traffic at the perimeter of the cardholder data
environment as well as at critical points inside of the cardholder data
Deploy file-integrity monitoring tools to alert personnel to
unauthorized modification of critical system files, configuration files,
or content files
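The last point on this slide, file-integrity monitoring, reduces to a baseline of hashes and a comparison. The script below is an added example (not from the original presentation and not any FIM product): it records SHA-256, size and permission bits for every file under a directory, then reports what was added, removed or modified. The watched tree and the tampering are constructed inside a temporary directory so it runs anywhere.

```python
"""Minimal file-integrity monitoring: record a baseline of cryptographic
hashes, sizes and permissions for critical files, then report anything
added, removed or modified so someone can be alerted.

Added example, not from the original slides.  The watched tree and the
tampering are constructed inside a temporary directory so it runs anywhere.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o777}
    return baseline


def compare(baseline, current):
    """Return the paths that changed since the baseline was taken."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root, rel, text, mode="w"):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)


def demo():
    """Constructed scenario: take a baseline, change three files, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "db_host=db.cde.internal\nlog_pan=false\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Changes a reviewer would want to hear about
        _write(root, "etc/app.conf", "log_pan=true\n", mode="a")   # config edited
        os.remove(os.path.join(root, "etc", "hosts"))               # file removed
        _write(root, "etc/cron.d/nightly", "# unexpected new job\n")  # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the monitored host cannot rewrite it (a central server, or at least a signed copy), and the comparison runs on a schedule (PCI DSS asks for at least weekly) with any non-empty result raised as an alert.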
Maintain an Information Security Policy
• Establish, publish, maintain, and disseminate
a security policy…
Implement a formal security awareness
program to make all personnel aware of the
importance of cardholder data security…
… that addresses all PCI DSS requirements
…verify that personnel attend awareness training
upon hire and at least annually
Screen potential personnel prior to hire to
minimize the risk of attacks from internal
K-State Compliance Plan
Perform baseline survey audit of credit card
handling, led by Internal Audit – starting March
Reduce scope of network exposure (for the
quarterly scan)
Contract with a QSA (PCI consultant) to do gap
analysis and help develop a compliance plan
Contract with ASV to perform initial quarterly
network scan (late spring)
Fill out SAQs (by June)
Tackle full compliance in strategic, prioritized
manner over next few years
Points to Ponder
PCI DSS compliance is NOT optional
Protecting credit card information is a serious matter
requiring considerable effort and expense
It is a university-wide effort – we must work together
to move toward compliance as quickly as possible
It is challenging since K-State has many merchants
spread out all over campus with many ways of
handling credit cards
Many will have to change how they operate; some
may find compliance too burdensome/expensive
It’s not about complying with some arbitrary industry
standard – these are reasonable security controls
necessary for properly protecting confidential
K-State does have a policy for credit
card handling:
Includes a section on PCI compliance which
states that departments must comply, do the
quarterly scans, and fill out the SAQ (see
“.070 Payment Card Industry
Division of Financial Services
Jennyfer Owensby
Information Security and Compliance
Harvard Townsend
What’s on your mind?