The Future of PCI: Securing payments in a changing world

Transcription

1 The Future of PCI: Securing payments in a changing world Lauren Holloway 2014

2 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

3 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

4 Your Card Data is a Gold Mine for Criminals Types of Data on a Payment Card CID (American Express) CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa) Chip Pan Cardholder Name Expiration Date Magnetic Strip (data on tracks 1 & 2)

5 Business Sectors With the Most Breaches Systems that store, process or transmit cardholder data remain primary targets for criminals Retail 45% Food & Beverage 24% Hospitality 9% Other 8% Financial Services 7% Nonprofit 3% Health & Beauty 2% High Technology 2% Source: Trustwave 2013 Global Security Report

6 Who s High Risk?

7 Top Mistakes Revealed by Forensic Audits Weak or default passwords Lack of employee education Security deficiencies introduced by third parties Slow self-detection Source: 2013 Trustwave Global Security Report

8 Complex Passwords Don t Have to be Complicated Password bigmac B1gMac B1gMac1 leb1gmac B1gMac399 B1gMacfries Bigmacandfries B1gMac&fries Time to Crack seconds (not a dictionary word) 14 seconds (uppercase, lowercase, number 14 minutes (7 characters) 15 hours ( 8 characters) 39 days (9 characters) 412 years (11 characters) 511 years (14 characters, but only letters) 344,000 years (12 characters)

9 PCI Standards Help Secure Your Data 92% of compromises were simple 97% were avoidable through simple or intermediate controls 92% 97% Source: Verizon 2012 Data Breach Investigations Report

10 Why? Why we fail to maintain secure environments Lack of awareness by IT practitioners Lack of incentive to keep security a primary focus Quickly evolving technology landscape Rapid development and distribution of new solutions Still unnecessary exposure of card holder data

11 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

12 About the PCI Council Open, global forum Founded 2006 Guiding open standards for payment card security Development Management Education Awareness

13 PCI: Architecture for Payment Card Security Five major card brands drive efforts for payment card security PCI Security Standards Council manages the technical standards and process

14 PCI Security Standards Suite Protection of Cardholder Payment Data Manufacturers PCI PTS Card Production Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users

15 PCI Standards Help Secure Your Data 9 out of 10 security pros recommend PCI DSS. PCI DSS has made comprehensive security controls more commonplace in larger organizations. Therefore, the organizations become more difficult to compromise. Source: 2013 Trustwave Global Security Report Source: Real Cost of Security Report, 451 Group 92% 97%

16

17 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

18 PCI DSS Feedback Changes made per our lifecycle Open standards development process Feedback from our global PCI community Feedback period started in Fall of 2011

19 Why PCI DSS 3.0? Visit to view this infographic

20 Key Considerations What will improve payment security? Global applicability and local market concerns Appropriate sunset dates for other standards or requirements Cost/benefit of changes to infrastructure Cumulative impact of any changes

21 PCI DSS, PA-DSS 3.0 Key Themes Education Awareness Flexibility Security as a Shared Responsibility Emerging Threats Make PCI your compass, not your roadmap

22 At a Glance 12 core security principles of PCI DSS remain the same Several new sub-requirements that will impact PCI DSS security efforts Future implementation dates provided for more significant changes

23 Maintaining Compliance Best Practices for Implementing PCI DSS to Stay Secure Focus on security not compliance PCI DSS is not a once-ayear activity Don t forget about people

24 Understanding Intent of Requirements

25 Strong Authentication PCI DSS v2.0 PCI DSS v Provide authentication procedures and policies to all users 8.4 Include guidance for users: Selecting strong authentication credentials Protecting authentication credentials Not reusing previous passwords Changing passwords if suspicion of compromise

26 Security Policies and Procedures PCI DSS v2.0 PCI DSS v Maintain a security policy that addresses all PCI DSS requirements 12.2 Develop daily operational security procedures that are consistent with requirements in the PCI DSS 1.5 Security policies and operational procedures for managing firewalls are documented and in use 2.5 Security policies and operational procedures for managing vendor defaults and security parameters are documented and in use

27 Consistent Assessment Procedures Promote consistent validation methods Enhanced testing procedures Clarify what it means to verify a requirement has been met Improve reporting Combine template with reporting instructions Clarify level of detail required Reduce repetition

28 Flexibility: PCI DSS Requirements

29 Log Reviews PCI DSS v2.0 PCI DSS v Review logs for all system components at least daily Review at least daily: All security events Logs from systems that store, process, or transmit card holder data/sad Logs of system components that perform security functions Review other logs periodically as determined by the organization s annual risk assessment

30 Security as a Shared Responsibility Guidance Requirement 8 Outsourcing PCI DSS responsibilities. Service providers use unique credential per customer Requirement 12 Service providers acknowledge responsibility

31 Physical Security for POS Devices 9.9 Protect devices that capture payment card data from tampering and substitution Maintain an up-to-date list of devices Periodically inspect device surfaces to detect tampering or substitution Provide training for personnel to be aware of attempted tampering or replacement of devices

32 Penetration Testing and Effective Scoping 11.3 Implement a penetration testing methodology If segmentation is used, perform penetration tests to verify that the segmentation methods are operational and effective.

33 PA-DSS benefits for merchants PA-DSS applications facilitate PCI DSS compliance Better more meaningful Implementation Guides Release notes to describe changes Clearer listings of application versions

34 Effective Dates for v3.0 PCI DSS & PA-DSS Version 3.0 was effective on 1 January 2014 Version 2.0 is valid until 31 December 2014 Different supporting documents Check our website for the latest documents Do not mix and match

35 What s Next for 2014? Market implementation year Review v3.0 now! Feedback for v3.0 starts in November 2014

36 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

37 Making Security a Priority

38 Making Security a Priority Quarterly to do: Check firewall Quarterly scan POS Training Check firewall Quarterly scan Training register Check firewall Quarterly scan Training register Check firewall Quarterly scan Training register

39 Making Security a Priority Quarterly to do: Check firewall Quarterly scan POS Training Check firewall Quarterly scan Training register Check firewall Quarterly scan Training register Check firewall Quarterly scan Training register

40 Maintaining Security is Running a Marathon, not a Sprint

41 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

42 Training Highlights Online Internal Security Assessor (ISA) Training Corporate PCI Awareness Let Us Come To You! Online Awareness Training in Four Hours Qualified Integrators and Resellers (QIR) Program PCI Professional Program (PCIP) To learn more, visit:

43 Internal Security Assessor (ISA) Program A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for! Improves your understanding of PCI DSS and compliance procedures Helps your organization build internal expertise Teaches processes that can reduce the cost of compliance

44 Qualified Integrators and Resellers (QIR)

45 QIR Addresses Common Misconceptions I m using a PA-DSS validated application, so I must be OK. I m using a reputable 3 rd party, so they must be doing a secure installation. This applies only to brick and mortar establishments.

46 Payment Card Industry Professional (PCIP) Support your organization Professional credibility Competitive advantage Global directory Now Available

47 Stand Out From the Crowd Become a PO Benefits of Participating Organization (PO): Two free passes to Community Meetings Savings on Council training Ability to vote for Board of Advisors officers Opportunity to participate in SIGs And more!

48 Expanding Global Representation PCI Council Participating Organizations

49 Get Involved We Need Your Input Join Learn Input Network Nominate Vote Share Influence

50 Nature of the Threat About the Council PCI DSS Updates Staying Secure How You Can Participate In Closing Agenda

51 You are our future

52 Save the Dates 2014 Community Meetings North America Europe Asia-Pacific 9-11 September Orlando, Florida 7-9 October Berlin, Germany November Sydney, Australia

53 Questions? Please visit our website at