
PCI DSS

PCI DSS. The WPM PCI DSS Conference. KILRUSH Consultancy Ltd. Independent Card Consultancy founded 1993. Focused on operational design & implementation of card systems at Point of Sale. Issuer & Acquirer background, so well acquainted with Visa & MasterCard operating regulations.



Presentation Transcript


  1. PCI DSS

    The WPM PCI DSS Conference
  2. KILRUSH Consultancy Ltd
     - Independent Card Consultancy founded 1993
     - Focused on operational design & implementation of card systems at Point of Sale
     - Issuer & Acquirer background, so well acquainted with Visa & MasterCard operating regulations
     - In-depth knowledge & understanding of the challenges/difficulties merchants face in adhering to card scheme requirements & mandates
     - Experience in retail, hospitality & service environments
  3. KILRUSH Consultancy Ltd
     - Founder/chair of the Hospitality Forum for Chip & Pin
     - Extensive Dynamic Currency Conversion experience
     - Currently focused on PCI DSS
     - Participating organisation in the PCI SSC
     - Chair of the UK Merchant PCI Working Group – thirty-five Level 1 retailers
     - Led the Post Office programme to gain its PCI RoC in 2010
     - Consultant with UK Cards [APACS]
  4. Making PCI DSS a more positive journey
     - In the UK most Level 1 merchants are well on the way to becoming PCI compliant.
     - I chair a group of 35 Level 1 retailers who meet 4 times per year to discuss progress and share experiences. A positive exercise which has helped develop a better understanding of PCI.
     - It helps us to share experience and thus learn from each other's mistakes.
     - It gives us more confidence in the process of becoming compliant.
     - It relieves us from being totally reliant on the QSAs.
  5. Security First
     - The main consideration when addressing PCI DSS must be security.
     - By building systems & networks securely, and by ensuring that we have documented and enforced security processes and procedures, we can exceed compliance requirements.
     - If we only aim to gain compliance, we will most likely fail to be secure!
     - Putting security first reduces the cost of PCI compliance and reduces the effort in creating a business case for PCI, because security is a cost to the whole business, not just the card business.
  6. What is affected?
     Every area the card data touches has to be secure, e.g. network components, servers and card applications that handle the card data.
  7. Approach to Protect Cardholder Data
     The slide is a diagram built on four pillars: Policies, Technology, Process, People.
     Elements shown on it: Change Control, Security Awareness, DMZ, Procedures for Policies, Human Resource, Training, Incident Response, Productive Environment, Reviews, Pen Testing, Perimeter, Report of Compliance [ROC], Self Assessment Questionnaire [SAQ].
  8. In Addition
     The slide lays out the twelve requirements, and for each asks: On how many systems? What does it entail?
     - Requirement 1: Maintain Firewall
     - Requirement 2: Avoid program defaults
     - Requirement 3: Protect Data
     - Requirement 4: Encrypt transmitted Data
     - Requirement 5: Update anti-virus
     - Requirement 6: Secure Application
     - Requirement 7: Restrict Access to cardholder data
     - Requirement 8: Unique User ID
     - Requirement 9: Restrict Physical Access
     - Requirement 10: Track & Monitor Access
     - Requirement 11: Regular Test Security
     - Requirement 12: Security Policy
  9. Minimise Costs
     1. Find the data
        - Take the transaction journey from POS to Settlement
        - Track the cardholder data right across the business
        - Trace the journey taken to manage queries: reconciliation, chargebacks, fraud & MI
     2. Map it
        - Map the systems, applications & databases that support these transactions in both directions onto network diagrams
  10. Minimise Costs
     3. Analyze it
        - Investigate if it is really needed
     4. Change it
        - When perceived as needed, identify if it is needed in cardholder data format… if not, change the format to render it unusable.
        - Even assuming it can be got to, if it is there but is encrypted, hashed or truncated, it has no criminal value.
        - Then carry on as before
  11. Minimise Costs
     5. Get rid of it
        - Eliminate any duplicate or unnecessary storage of real data
     6. Isolate & protect what is left
        - If it is really needed, isolate cardholder data & environment from the rest of the business… then protect it.
  12. Minimise Costs
     - Respect your databases
     - Protect them
     - Customer data is the most precious asset in the business
  13. Guiding principle
     - If you don't need it… don't store it. BIN IT.
     - If you do need it… protect it / encrypt it, or both. Lock it up. Jumble it up. (But in as few places as possible.)
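The six steps on the "Minimise Costs" slides (find the data, map it, analyse it, change its format, get rid of it, isolate what is left) and the "Guiding principle" slide above are easier to act on with a concrete tool. The following is an added example, not part of the presentation and not Kilrush Consultancy's code: it scans text such as an application log for full PANs using the Luhn check, renders each hit unusable by truncation (first six and last four digits kept), and derives a keyed one-way hash that can still be used to match a sale to a chargeback or query without keeping the PAN. The log lines and the key are constructed for the example; the function names are my own.

```python
# Added example (not from the presentation): cardholder-data discovery and
# reduction over a log file, following the talk's "find it, change its
# format, get rid of it" steps. Sample log and key are constructed here.
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not adjacent to further digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every real PAN passes it; most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(candidate: str) -> str:
    """Strip the separators the regex allowed so spaced and unspaced forms compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Step 1, 'find the data': every Luhn-valid PAN present in text, separators removed."""
    return [normalise(m.group(0)) for m in PAN_RE.finditer(text)
            if luhn_ok(normalise(m.group(0)))]


def truncate_pan(pan: str) -> str:
    """Step 4, 'change the format': keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup value, e.g. to match a
    chargeback to its sale, without keeping the PAN. The key must be managed like
    any other cryptographic key: an unkeyed hash of a PAN is brute-forceable
    because the space of valid PANs is small."""
    return hmac.new(key, normalise(pan).encode(), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Rewrite text so no full PAN remains; digit runs that fail Luhn are left alone."""
    def repl(m: re.Match) -> str:
        digits = normalise(m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample: a POS application log that has leaked full PANs.
# 4111 1111 1111 1111 and 5500000000000004 are standard test card numbers;
# the order number on the second line is 16 digits but fails the Luhn check.
SAMPLE_LOG = """\
2011-03-01 10:02:11 POS-07 auth ok card=4111 1111 1111 1111 amt=42.10
2011-03-01 10:02:15 POS-07 order=1234567890123456 status=settled
2011-03-01 10:03:40 POS-02 chargeback card=5500000000000004 amt=9.99
"""
# Placeholder key for the example only; a real key lives in a key manager.
DEMO_KEY = b"example-key-not-for-production"

if __name__ == "__main__":
    print("PANs found:", [truncate_pan(p) for p in find_pans(SAMPLE_LOG)])
    print(redact(SAMPLE_LOG))
    print("lookup value:", hash_pan("4111 1111 1111 1111", DEMO_KEY)[:16], "...")
```

Run against the sample, `find_pans` reports the two real card numbers and ignores the order number, and `redact` leaves only `411111******1111` and `550000******0004` in the log. Two design points matter in practice: the truncated form and the keyed hash of the same PAN should not be stored side by side in the same place without additional controls, since together they narrow the search for the original; and because the scanner is regex-plus-Luhn, it will not find PANs that have been encoded or split across fields, so it supports the "map it" step rather than replacing it.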
  14. Reduce the cardholder environment
     Isolate it and lock it up. Then it becomes: achievable, manageable, maintainable.
     The diagram repeats the twelve requirements (Maintain Firewall, Avoid program defaults, Protect Data, Encrypt transmitted Data, Update anti-virus, Secure Application, Restrict Access to cardholder data, Unique User ID, Restrict Physical Access, Track & Monitor Access, Regular Test Security, Security Policy) around the reduced environment.
  15. The Resolution If it is not there…. it does not need to be protected. The criminal will “walk on by”, and will not waste time targeting it.
  16. Achieve Compliance
     - It is reasonably easy to identify the transaction journey from Point of Sale to Acquirer.
     - Much more difficult to track the transaction journey in Reconciliation, Chargeback, Queries, Refund & MI.
     - Identifying every part of the network, servers and applications and producing the correct documentation for an audit is a huge challenge.
  17. £ £ £ £ £ £ £ £ £ £ £ Challenges A budget to do it Difficult as no perceived increase on bottom line Need to sell it as an investment rather than a cost Resource to do it Invariably it is difficult to encourage staff to buy into doing even more work to achieve and maintain compliance Expertise to Achieve it External Expertise needed to help achieve compliance cost effectively Effort to maintain it Difficult to evidence the security posture in BAU, i.e. demonstrate that the regular repeatable activities that evidence the security posture are done to the frequency required by the standard. Address Emerging Threats in a Timely Manner Keeping ahead of the emerging threats is a real challenge
  18. Minimise costs – The environment
     Piggyback & Merge
     - Piggyback on existing compliance & regulatory requirements.
     - Merge PCI DSS with the protection of personal data by strengthening information security policies and procedures.
     - Focus on what is already required under the terms of existing contracts, policy & a security framework, then identify what is needed in addition!
     - For new projects, incorporate the funding for pen tests and quarterly scans into the business cases.
  19. Minimise costs – Risk Management
     The ISO 27001 security standards require that we:
     - identify, assess and rank risks to the business
     - manage the major information security risks to the business, to identify:
       - the harm likely to result from a security failure, including consequences of a loss of confidentiality, integrity or availability of the information and other assets
       - the realistic likelihood of such failure vs. prevailing threats & vulnerabilities against the controls currently implemented
     Merging PCI DSS with ISO 27001:
     - ensures better control, and
     - helps maintain compliance more easily & more cost effectively
  20. Minimise costs – Policy, Process, Procedures
     - PCI DSS requires the same policies, processes and procedures as ISO 27001… albeit PCI DSS is more prescriptive.
     - Merging the requirements of PCI DSS strengthens existing ISO policy, processes & procedures.
     - Both can be maintained & managed in the same cost base.
  21. How to master PCI?
     - Good network segmentation
     - Proper management of policy as part of the security environment
     - Application security
     - Vulnerability management & testing
     - Use a purpose-built GRC tool to manage day-to-day tasks in an automated framework
     - Ensure the regular, repeatable activities that PCI requires to evidence that a security posture is being maintained become a BAU activity from the beginning of the journey, not after compliance is achieved. Experience shows maintaining compliance is a huge issue.
  22. Benefits of PCI DSS
     - Strengthens the security framework: policies, incident response plans, compliance reporting.
     - Stronger security posture: ties activities to a person rather than an event.
     - Better 3rd party control: increasing awareness of the need to make 3rd parties responsible for cardholder data – more focus on 3rd party risk assessments, policies, processes and procedures than already required under ISO.
  23. Summary
     - If the only place that has cardholder data is a little corner of a data centre, then there is not much to protect and it does not cost a lot.
     - In the meantime, through the process of becoming PCI DSS compliant, you will enhance your information security policies and streamline your processes and procedures – a win-win situation.
     - Maintaining PCI DSS compliance is about maintaining a secure infrastructure, which should be the cornerstone of every organisation, not just applied to card data.