The Pain of PCI
Lessons Learned and How to Ease the Pain
Thomas Lewis, QSA

Welcome and Agenda
Agenda
• Why should you care about security or PCI
• What happens if I don’t care or comply
• How do I prove compliance
• Recent breach studies and lessons learned
90% Of organizations have experienced a computer security incident in the last 12 months. Cybercrime statistics from 12th Annual Computer Crime and Security Survey
71% Of organizations have no external insurance coverage to cover computer security incidents losses. Cybercrime statistics from 12th Annual Computer Crime and Security Survey
$1B Cybercrime profits, which have surpassed those of drug smuggling in a year. Cybercrime statistics from 12th Annual Computer Crime and Security Survey
$234,244 Annual average loss due to security incidents per respondent. Cybercrime statistics from 2009 CSI Computer Crime and Security Survey
64.3% Suffered a significant malware infection. Cybercrime statistics from 2009 CSI Computer Crime and Security Survey
Incidents Increase in a Down Economy. Conventional wisdom holds that security matters more in a down economy, when incidents are more prevalent. Cybercrime statistics from 12th Annual Computer Crime and Security Survey
80% Of cyber attacks are preventable, according to the National Security Agency (NSA), through configuration management and good network monitoring. Senate Panel, Nov 2009
Why should I care?
• What is PCI?
• Who has to comply?
• When does this impact me?
• How much does this cost?
• What happens if I don’t care or comply?

What is Protected?
What is the Protected Cardholder Data?
• The Full Contents of the Magnetic Stripe
• The Credit Card Account Number
  • Also known as the PAN or Primary Account Number
  • What is and what is not a PAN (first 6 and up to last 4 digits is not a PAN)
• Cardholder Name
• The Card Security Code (aka CVV2, CVC2 or CID)
• The Expiration Date

How do I prove compliance (shown from least painful to most painful)
• Self Assessment Questionnaire (SAQ)
• Results from an Approved Scanning Vendor (ASV)
• Qualified Security Assessor (QSA) Report on Compliance (RoC)
Lessons Learned (Same stuff, different day)
PCI Compliance is simply about Risk Management
• If there is a breach, all parties suffer (Merchant, QSA, Processor, Merchant Bank, Card Brand)
• Tackle the big risks first and then work your way down to the lower-risk items
• Follow the Prioritized Approach to Compliance
• Learn from past breaches what is working for the bad guys and stop it (Verizon Report)

Lessons Learned
IF YOU DON’T NEED IT, DON’T KEEP IT!!!
• Most organizations do not need full “protected cardholder data”
• Masking (first 6 and last 4 digits = no PAN)
• Tokenization
• Outsource that part of the process (some of the processors have end-to-end security options)
• You will be Sad if you keep SAD (Sensitive Authentication Data)
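As an added illustration of the masking rule above (this is not code from the original slides), a small Python script that reduces a PAN to its first 6 and last 4 digits and scrubs unmasked PANs out of constructed sample log lines, using a Luhn check so that ordinary digit runs such as order ids are left alone. The regex and sample lines are assumptions for the example.

```python
import re
from typing import Tuple

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes (constructed pattern).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: a real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits; everything in between becomes 'X' (no longer a PAN)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in one log line; return (scrubbed line, count)."""
    count = 0
    def _repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. a trace id that merely looks like a PAN
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_repl, line), count

# Constructed sample log lines; 4111... and 5500... are well-known test card numbers.
LOG_LINES = [
    "2009-11-05 10:22:13 order=88213 pan=4111111111111111 amount=42.50",
    "2009-11-05 10:22:14 trace id=1234567890123456 status=ok",
    "2009-11-05 10:22:15 pan=5500 0000 0000 0004 exp=12/11",
]

def scrub_log(lines) -> Tuple[list, int]:
    """Scrub a whole log; return (scrubbed lines, total PANs masked)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total

if __name__ == "__main__":
    scrubbed, total = scrub_log(LOG_LINES)
    print("\n".join(scrubbed))
    print(f"{total} PAN(s) masked")
```

Finding unmasked PANs in logs this way is a data-discovery check; the fix is to stop writing them in the first place.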
Lessons Learned
• If you do have to have Cardholder Data, limit it aggressively and protect it aggressively
• Isolate your Cardholder Data Environment as much as humanly possible to reduce your Risks and the Costs of compliance
• The Blocking and Tackling of Information Security will go tremendously far in reducing your risks (more to follow)

Lessons Learned
Verizon Report shows several issues leading to successful breaches, including:
• Use of outdated and non-compliant payment applications and devices
• Improperly segmented networks (flat networks)
• Insecure remote access (vendor and employee access)
• Unprotected web applications vulnerable to SQL injection attacks
• Failure to update or change default passwords
• No implementation or monitoring of intrusion detection or anti-virus
• Malware installed to capture passwords and cardholder data

Lessons Learned
Additional information from the Verizon Report shows:
• Large (Level 1) merchant and processor breaches account for the majority of compromised accounts, yet small (Level 4) merchants account for over 85% of compromise events
• Attack methods include intercepting cardholder data in transit through the use of packet sniffers, memory parsers and other malware
• Once intruders gain entry to steal cardholder data, the incident is difficult to detect
• Effective monitoring controls are not being used, which makes detection nearly impossible
PCI SSC’s Prioritized Approach
1. Remove Sensitive Data
  • Key area of risk for compromised data
2. Protect the perimeter, internal, and wireless networks
  • Controls points of access for most compromises
3. Secure payment applications
  • Weaknesses in these areas are “easy prey”
4. Monitor and control access to systems
  • Who is accessing the network
5. Protect stored cardholder data
  • If you must store it, implement the key controls
6. Finalize remaining compliance efforts, and ensure all controls are in place
  • Policies, process and procedures

Recent Positive Observations
PCI SSC Quality Assurance Program
• Crack down on “easy graders”
• 2009 training emphasizes testing and documentation procedures
• Better consistency between QSAs, with guidance to merchants
Compensating Controls better understood and permitted
• Must be thoroughly documented and tested by a QSA

LBMC’s Approach
1. LBMC and Client Planning Meeting
2. Off-Site Documentation Review
3. Readiness Results Review
4. Remediation Cycle (if needed)
5. PCI Full Scope Audit
6. PCI Report on Compliance (ROC)
Useful Resources
• Better Business Bureau (BBB)
  • http://www.bbb.org/us/corporate-engagement/security/
  • Download a copy of: Security & Privacy - Made Simpler™, a document “targeting Small Business Owners with ‘digestible’ information about securing their customer and employee data. Seven (7) major corporations partnered with the BBB on this initiative.”

Useful Resources
• PCI Security Standards Council
  • Main: http://www.pcisecuritystandards.org
  • FAQs: https://www.pcisecuritystandards.org/about/faqs.htm#q1
  • Site Map: https://www.pcisecuritystandards.org/map/index.htm

Useful Resources
• Visa
  • Main CISP Page: http://usa.visa.com/merchants/risk_management/cisp.html
  • Merchant Information: http://usa.visa.com/merchants/risk_management/cisp_overview.html
• MasterCard
  • Main Security Page: http://www.mastercard.com/us/merchant/security/index.html

LBMC Contacts
Contact names for more information:
• Marcie Angle; mangle@lbmc.com; 615.690.1993
• Thomas Lewis; tlewis@lbmc.com; 615.309.2296
Contact us for a no-obligation free consultation