
Roadmap for PCI Data Security Compliance SCITDA Spring Conference



Presentation Transcript


  1. Roadmap for PCI Data Security Compliance
     SCITDA Spring Conference
     David C. Reavis, Office of South Carolina State Treasurer
     March 5, 2018

  2. The Enemy
     Major Card Breaches
     • TJ Maxx
     • Equifax
     • Target
     • NC Ferry Division
     As merchants, governments are:
     • Required to be PCI compliant
     • Subject to fines by card brands
     Subscription to a PCI Compliance Validation service is now required.
     Fraud is rampant across the country; governments are easy targets.
     Hacker / Fraudster

  3. Responses After Card Security Breach
     • I thought the IT Department was taking care of PCI compliance, since it deals mostly with IT stuff
     • I thought outsourcing processing to a vendor relieved me of PCI responsibility
     • I didn’t know I was required to give all new hires PCI Awareness training, and provide refresher training annually
     • I didn’t know the contract with our third-party service provider had to specify their responsibility for PCI compliance
     • I didn’t know I had to complete a self-assessment questionnaire (SAQ) annually and provide it to the card processor
     • I didn’t know the IP addresses for our POS software had to undergo quarterly vulnerability scans
     • I didn’t know we had to have a security incident plan tested annually
     • I didn’t know we could be fined for not being PCI compliant

  4. Treasurer’s Policy on PCI Compliance
     • SC State Treasurer issued policy July 2016
     • Specifies participants’ responsibilities regarding PCI compliance
     • Subscription to a PCI Compliance Validation service is a requirement to continue participating in the new statewide contract
       – Utilize First Data’s “PCI Rapid Comply” service; or
       – Select a vendor of choice (for extensive services)
     • STO issued a PCI Roadmap document providing guidance in complying with PCI
       – Designed for the business staff, more so than the IT staff
       – Adherence is responsibility of the business office

  5. Source of PCI Compliance Requirements
     • Participants in the Merchant Card Services Agreement are contractually:
       – Considered “merchants”
       – Subject to card association rules (Visa, MasterCard, etc.)
     • Rules specifically require all merchants to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS)
       – Issued by PCI Security Standards Council
       – Council formed by card brands
     • Failure to comply with PCI-DSS can result in substantial fines (up to $500,000 per brand)

  6. Fines for PCI Non-Compliance
     • Card brands can ask for proof of compliance at any time
     • Merchant must provide proof of compliance
       – Must respond within specified time frame
     • Visa and MasterCard at their discretion may levy non-compliance assessments if compliance is not validated

  7. Three Components of PCI DSS
     • Compliance – Adherence to the standard
       – Applies to every merchant regardless of volume
       – Applies to both technical and business practices
     • Validation – Verification that merchant is compliant
       – Depends upon type of card capture method(s) utilized
       – Two types of Validation:
         • Self-Assessment Questionnaire (SAQ) annually – Applies to every merchant
         • External Vulnerability Scanning quarterly – Applies if external-facing IP addresses are involved (Web and POS Software) – Must be performed by a Qualified Scanning Vendor (QSV)
     • Attestation – Providing proof of validation to card processor
       – Card processor reports to Visa and MasterCard
       – Attest whenever requested by the card processor

  8. PCI Compliance Responsibilities
     • Business problem with an IT solution
     • Imperative there be a coordination of all parties and activities involved in the validation process
     • Best practice is to have a PCI Oversight Committee comprised of both business and IT staff
     • Business staff (who signed merchant card contract), not IT, is responsible for attestation

  9. Card Volumes Determine Level of Compliance
     • Four levels of merchants
       – Determined by each card brand, not by PCI Council
       – Based upon annual volume of the highest brand, not all brands combined (Visa is normally higher than MasterCard)
     • State agencies and universities are either a level 3 or 4
       – Level 4 – Fewer than 20,000 e-commerce transactions and all other channels less than one million transactions
       – Level 3 – 20,000 or more e-commerce transactions annually
       – Both levels require annual SAQ and vulnerability scans
     • Levels 1 & 2 require on-site security assessment
       – One million transactions of highest brand

  10. Cardholder Data Environment (CDE)
     • Identify all capture methods / merchant numbers
       – Ecommerce vs Non-ecommerce
       – In-house vs Outsourced
     • Identify all capture methods with IP addresses
       – Ecommerce
       – POS Software

  11. Third-party Service Providers
     • Outsourcing limits PCI scope; it does not eliminate it
     • If service provider is not compliant, then merchant is not compliant
     • Fines for breaches are assessed to the merchant, not to the service provider
       – However, service provider can require merchant to be compliant also
     • Requirement 12.8/12.9 requires merchant to “manage” the service provider:
       – Maintaining a “written agreement” specifying the service provider’s and merchant’s responsibility for compliance
         • Best practice is to also address “liability” for non-compliance
       – Monitoring the service provider’s ongoing compliance status
     • Two Levels of Service Providers

  12. Service Provider Arrangements
     • Two Types of Arrangements with Service Providers
       – Depends upon who is the “merchant of record” – Agency or Service Provider
     • Agency is “Merchant of Record”
       – Agency executes a “Participation Agreement” to participate in First Data’s contract
       – Agency is assigned one or more merchant numbers by First Data
     • Service Provider is “Merchant of Record”
       – Agency has an agreement with service provider only
       – Service Provider has one merchant number with First Data for all its clients
     • SC.Gov (SC Interactive, LLC) provides both types of arrangements
     • PCI-DSS liability to agency applicable under both arrangements
       – Scope is limited if service provider is merchant of record
       – Service provider’s agreement with agency still requires agency to be PCI compliant

  13. Internal Service Providers
     • Definition of Service Provider – “Business entity … directly involved in the processing, storage, or transmission of cardholder data. This includes companies that provide service that control or could impact the security of cardholder data.”
     • External-facing IP addresses require external vulnerability scanning
       – By an “Approved Scanning Vendor” (ASV)
       – Regardless of who houses the server(s)
     • DTO’s Role in PCI Compliance
       – Server housed and managed by DTO
         • DTO considered an internal service provider
         • DTO arranges for scanning
       – Server housed by DTO but managed by agency
         • Agency arranges for scanning

  14. Card Capture Devices
     • New Requirement 9.9 effective July 2015
     • Pertains to physical protection of devices
       – Maintain an updated list of devices
       – Periodically inspect device surfaces to detect:
         • Tampering
         • Substitution
       – Provide training to employees to be aware of attempted tampering or substitution
       – Perform inventory of devices utilized and stored

  15. POS Software Applications
     • PA-DSS
       – Payment Application Data Security Standard
       – Different than PCI DSS
       – Pertains to software application
     • Ensure application is listed on the PCI Security Council’s website
     • Ensure the version utilized is consistent with the current version indicated on the Council’s website
     • Ensure the application is configured correctly
     • Perform inventory

  16. PCI Compliance Security Policy
     • Requirement 12.1
       – Develop
       – Publish
       – Disseminate
     • Employee expectations
       – Full-time
       – Part-time
       – Consultants
       – Volunteers
     • STO has a sample policy available for state agencies

  17. Employee Awareness Program
     • Requirement 12.6
     • Formal Awareness Training
       – Upon hire
       – Annual refresher
     • Employee must acknowledge training
       – In writing
       – Electronically
     • Two options for training
       – Third-party vendor
       – In-house developed (STO has a PowerPoint module for use)

  18. Security Incident Plan
     • Requirement 12.10
     • General IT Security Incident Plan not sufficient
       – Should incorporate card brands’ requirements
       – Visa requires proof of compliance within 48 hours of a breach
     • Forensic investigation may be required if breached
     • Must be tested annually
     • Timely notification most important – Fines higher if not
     • STO has a sample policy available for state agencies

  19. IT Related Issues
     • Vulnerability Scanning
     • Penetration Testing
     • Firewalls
     • Encryption & Tokenization
       – Two types of encryption – E2E and P2P
       – E2E better: combines encryption with tokenization
       – TransArmor provided by First Data
         • Utilizes E2E (fee is $.01 per transaction)
         • Reduces PCI scope by eliminating certain SAQ questions
         • https://www.firstdata.com/downloads/marketing-merchant/TransArmor-FAQs.pdf
     • Business area should ensure that IT staff is complying with PCI DSS

  20. Some Scanning Vulnerabilities
     • SSH Protocol Version – Cryptographic problems
     • Telnet Accessibility – Plaintext (unencrypted) management channels
     • Database Accessibility – Open port
     • SSH Protocol Version – Prior to Version 2
     • OpenSSH X11 Session Hijacking Vulnerability
     • Remote Desktop Man In The Middle
     • IIS .cnf – Allows remote users to read sensitive information
     • MySQL Server Date_Format Function Format String Vulnerability
     • PHP prior to 5.2.6 Multiple Vulnerabilities – Buffer overflows
     • Apache prior to Version 2.2.8 Multiple Vulnerabilities
     • SSLv2 Supported – Cryptographic weaknesses
     • Darwin Streaming Server < 5.5.5 Multiple Vulnerabilities
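Slide 20 lists findings that cause a quarterly external scan to fail. As an added example that is not part of the presentation or of any scanning vendor's tooling, the Python script below triages a constructed scan export against those conditions: the version floors and flagged services come from the slide, while the service labels, the tuple layout and the sample hosts are assumptions.

```python
"""Triage constructed scan findings against the failing conditions on slide 20.
Added example; not part of the presentation or of any ASV's software."""
import re

# Version floors taken from the slide: anything older fails the scan.
MIN_VERSIONS = {
    "ssh": (2,),                          # SSH protocol prior to version 2
    "php": (5, 2, 6),                     # PHP prior to 5.2.6
    "apache": (2, 2, 8),                  # Apache prior to 2.2.8
    "darwin streaming server": (5, 5, 5), # Darwin Streaming Server < 5.5.5
}

# Services whose mere reachability on an external-facing address is a finding.
FLAGGED_SERVICES = {
    "telnet": "plaintext (unencrypted) management channel",
    "sslv2": "SSLv2 supported: cryptographic weaknesses",
    "mysql": "database port open to the Internet",
}

# Constructed sample export as (host, service, version); RFC 5737 test addresses.
SAMPLE_FINDINGS = [
    ("203.0.113.10", "ssh", "1.99"),
    ("203.0.113.10", "apache", "2.2.8"),
    ("203.0.113.11", "telnet", ""),
    ("203.0.113.11", "php", "5.2.4"),
    ("203.0.113.12", "sslv2", ""),
    ("203.0.113.12", "apache", "2.4.6"),
]


def parse_version(text):
    """'5.2.4' -> (5, 2, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def triage(findings):
    """Return (host, reason) for every finding that would fail the scan."""
    failures = []
    for host, service, version in findings:
        svc = service.lower()
        if svc in FLAGGED_SERVICES:
            failures.append((host, FLAGGED_SERVICES[svc]))
        elif svc in MIN_VERSIONS and version:
            floor = MIN_VERSIONS[svc]
            if parse_version(version) < floor:
                floor_text = ".".join(str(n) for n in floor)
                failures.append((host, f"{service} {version} is below {floor_text}"))
    return failures
```

Running `triage(SAMPLE_FINDINGS)` flags the SSH 1.99, Telnet, PHP 5.2.4 and SSLv2 entries and passes both Apache builds, which is the list a business office would hand to IT before the next attestation.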

  21. Penetration Testing
     • Became requirement with version 3.2 standard – July 2015
     • Pertains to capture methods associated with SAQs A-EP, C, and D
     • Primarily to demonstrate proof of “segmentation” of networks
     • Performed annually or when significant system change
     • Cover both application and network layer threats
     • Can be performed by in-house staff
       – The persons must be qualified staff members who are organizationally independent from those responsible for the security of the systems
     • Refer to PCI Council’s document https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

  22. Chip Card (EMV) Technology
     • Designed to reduce fraud for Card Present transactions only
     • POS Terminals – Terminal only or terminal with attached PIN Pad
     • POS Software – Different manufacturers must certify their product
     • EMV “capable” different than EMV “enabled”
     • Fraud liability shift became effective October 1, 2015
       – Party that does not support EMV takes on certain fraud liabilities
       – Party is either bank that issued the card or merchant that accepts the card
     • Not an industry requirement, but a best practice
     • Has no effect on PCI liability for smaller merchants
       – Fraud liability is not considerably more than it was prior to October 2015
       – Merchants were responsible for most fraud anyway
       – Card counterfeit fraud protection is provided by all brands
       – However, lost/stolen fraud protection is only provided by MasterCard and Discover (not Visa or Amex)

  23. Validating PCI Compliance
     • Validating compliance with PCI DSS
       – SAQ and External Vulnerability Scanning
     • Two options
       – First Data’s PCI Rapid Comply – Online Portal
       – Contract with a QSA
     • Extensive PCI Related Services may be needed
       – Example – PCI Gap analysis and penetration testing
       – Not available from PCI Rapid Comply
     • Explanation of eight SAQs
       – Depends upon capture methods utilized

  24. Eight SAQs
     Choose the SAQ that applies to your organization.
     Link to Council’s guidelines for selection of SAQ: https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2.pdf

  25. PCI Rapid Comply Portal
     • Read FAQs at following website: https://cloversecurity.com/faq.html
     • Watch Educational Videos and read Educational Articles
     • Gather merchant statement and identify the Agency’s unique MID (chain #)
     • Register the agency using the agency’s MID (chain number)
       – All merchant numbers associated with the MID will be displayed
     • Only one SAQ for the entire agency (chain level) is to be prepared
       – If multiple capture methods (e.g., Website, Mail/Telephone, In person):
         • Prepare a paper SAQ for each method or merchant number – Offline
         • Use paper SAQs to prepare one SAQ online through the portal

  26. PCI Rapid Comply Screen
     Similar to TurboTax, the questions prompted next depend upon the items selected.
     Document repository useful to upload proof of compliance (policies, security incident plans, scan results, devices inventory, etc.).

  27. First Steps for PCI
     • Establish a PCI Oversight Committee (Business & IT staff)
     • Identify cardholder data environment (CDE)
     • Identify service providers and obtain written agreements
     • Inventory card capture devices
     • Inventory POS software
     • Develop a security policy
     • Develop an employee awareness training program
     • Develop a security incident plan – specific to PCI
     • Verify IT’s compliance
       – Vulnerability Scanning if applicable
       – Penetration Testing if applicable
     • Subscribe to a “validation” service
       – PCI Rapid Comply, or
       – Qualified Security Assessor
     • Complete the proper SAQ annually
       – Ascertain anniversary date – for expiration
       – Required within 90 days of implementation
     Close the Barn Door

  28. Not Recommended

  29. Resources
     • PCI Security Council Web Site: https://www.pcisecuritystandards.org/
     • Visa’s CISP Web Site: https://usa.visa.com/support/small-business/security-compliance.html
     • MasterCard SDP Web Site: http://www.mastercard.com/us/sdp/index.html
     • PCI Rapid Comply Service: https://cloversecurity.com/faq.html
     • SC State Treasurer’s PCI Policy and Road Map Document: http://treasurer.sc.gov/government/banking-division/
     • Consider securing the services of a Qualified Security Assessor (QSA)
     Banking Division, SC State Treasurer’s Office
     David Reavis – david.reavis@sto.sc.gov
