PCI DSS Security Awareness

Blibli.com Technology Sharing Session

Transcript

  1. A Brief History
     • In 2005, the Federal Trade Commission (FTC) received more than 685,000 complaints of fraud and identity theft that totaled more than $680 million in stolen assets
     • Nearly all of these losses stemmed from data breaches associated with credit cards
     • Companies that accepted Visa, MasterCard, Discover and American Express had to conform to four different information security standards, each with different requirements and reporting
     • This placed a significant burden on merchants
  2. PCI SSC
     • Payment Card Industry Security Standards Council
     • Open global forum that is responsible for the development, management, education, and awareness of the PCI DSS and other standards that increase payment data security
     • Created in 2006 by the founding payment card brands American Express, Discover Services, JCB International, MasterCard and Visa Inc
  3. PCI DSS
     • Payment Card Industry Data Security Standard
     • Provides a baseline of technical and operational requirements designed to protect account data
     • Applies to all entities involved in payment card processing (merchants, processors, acquirers, issuers, and service providers)
     • Applies to all other entities that accept, store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)
     • 6 key areas, 12 requirements, more than 200 sub-requirements
  4. Levels
     • Level 1: more than 6 million Visa and/or MasterCard transactions processed per year
     • Level 2: 1 - 6 million Visa and/or MasterCard transactions processed per year
     • Level 3: 20,000 - 1 million Visa and/or MasterCard e-commerce transactions processed per year
     • Level 4: less than 20,000 Visa and/or MasterCard e-commerce transactions processed per year, and all other companies that process up to 1 million Visa transactions per year
  5. Validation Requirements
     • Level 2-4:
       • Annual Self-Assessment Questionnaire (SAQ)
       • Quarterly PCI Approved Scanning Vendor (PCI ASV) scan
       • Attestation of Compliance (AoC)
     • Level 1:
       • Annual Report on Compliance (RoC) by a PCI Qualified Security Assessor (QSA)
       • Onsite audit
       • Quarterly PCI ASV scan
       • AoC
  6. Self-Assessment Questionnaire
     • A: Card-not-present merchants; all cardholder data functions are outsourced
     • B: Merchants with no electronic cardholder data storage, imprint machines only, or stand-alone/dial-out terminals
     • C: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage
     • C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage
     • D: All other merchants not included in SAQ types A through C-VT that a payment brand has defined as eligible to complete an SAQ and the Attestation of Compliance (AOC)
  7. Key Areas
     • Build and Maintain a Secure Network and Systems
     • Protect Cardholder Data
     • Maintain a Vulnerability Management Program
     • Implement Strong Access Control Measures
     • Regularly Monitor and Test Networks
     • Maintain an Information Security Policy
  8. Requirements
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
     5. Protect all systems against malware and regularly update anti-virus software or programs
     6. Develop and maintain secure systems and applications
     7. Restrict access to cardholder data by business need to know
     8. Identify and authenticate access to system components
     9. Restrict physical access to cardholder data
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
     12. Maintain a policy that addresses information security for all personnel
  9. How to comply?
     • Scoping: determine which system components and networks are in scope
     • Assessing: examine the compliance of system components in scope, following the testing procedures for each requirement
     • Reporting: assessor and/or entity submits the required documentation (SAQ, RoC, compensating controls)
     • Clarification: assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand
  10. What is in scope?
     • All personnel with access to cardholder data
     • All system components that capture, store, process, or transmit cardholder data
     • Applications, servers, network devices, security devices, workstations, along with anything on the same network segment
  11. Benefits
     • Peace of mind: you won't have to worry quite as much about any potential vulnerabilities in your system
     • Increasing consumer trust: more business = increased revenue
     • Protecting image and reputation: an Account Data Compromise (breach) requires a merchant to communicate the incident to their customers
  12. Real story?
     • PCI DSS is an "All or Nothing" standard: a single sub-requirement not being met = non-compliance
     • 2.3 years: average time it takes merchants to become PCI compliant
     • Heartland Payment Systems
       • Certified as compliant but lacked strong security measures
       • 130 million credit card and debit card numbers stolen
       • $200 million in costs to companies, banks and insurers
     • Zappos
       • Certified as PCI DSS compliant
       • 24 million customers' account personal information stolen
       • Multiple lawsuits and negative publicity
  13. Fines issued
     • VISA
       • Non-compliance: $25,000/month (Level 1), $5,000/month (Level 2)
       • Breach:
         • $100,000 for failure to report a compromise
         • $500,000 for an egregious violation
         • $50,000 initial fine, plus $100,000/month until the issue is resolved
     • MasterCard
       • Level 1 and 2: $25,000 (Q1), $50,000 (Q2), $100,000 (Q3), $200,000 (Q4)
       • Level 3: $10,000 (Q1), $20,000 (Q2), $40,000 (Q3), $80,000 (Q4)
  14. Our Goals
     • Use a strong password and don't share it with co-workers
     • Protect your confidential data and personal information
     • Don't email confidential information
     • Don't open malicious email attachments
     • Stay away from malicious websites
     • Lock your laptop or PC screen when you leave your desk
     • Keep your desk clear of any sensitive materials
     • ...
  15.
     • All security related: PCI DSS, documents (policy, standards, procedures, guidelines, forms, etc), vulnerability scanning, penetration testing, incidents, etc
     • Email: [email protected]
  16. References
     • PCI DSS Requirements and Security Assessment Procedures, version 3.1
     • PCI DSS Quick Reference Guide: Understanding the PCI DSS, version 3.1
     • PCI DSS Information Supplement: Best Practices for Implementing a Security Awareness Program, version 1.0
     • PCI DSS Infographic, Dell SecureWorks
     • Cal Poly PCI DSS Compliance Training and Information
     • GTT: PCI Compliance, Protection Against Data Breaches