1 Presented by Tim Gurganus Amanda Richardson

2 Facts about NCSU and PCI-DSS Compliance
We have around 120 merchants
We have over 225 merchant IDs
30% of merchants have fewer than 100 transactions a year
We are classified as a Level 3 merchant (20,000 to 1,000,000 e-commerce transactions annually)
We generally assess merchants as SAQ A, SAQ B or SAQ D

3 Understanding the PCI-DSS
The standard is composed of 6 major areas (control objectives) of security:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Each area has specific requirements (there are 12 major requirements)
Each requirement contains a number of specific security controls (there are over 200 controls)

4 Some PCI-DSS v2.0 Daily Requirements
Maintain a current network diagram
Use the approved firewall configuration standard for all systems in scope
Use the approved router configuration standard for all systems in scope
Use the approved remote access standard for access to the Cardholder Data Environment (CDE) from untrusted networks
Use the change management process for additions and changes to the network configuration
Use the wireless network configuration standard for all wireless components in scope
Use the OS security configuration standard to install servers and workstations
Install applications using the PA-DSS implementation guide
Follow PCI DSS compliant procedures for storing and handling cardholder data on paper and electronically
Conduct a background check on all new employees
Check POS systems (fixed and handheld devices) for signs of tampering

5 Some PCI-DSS v2.0 Daily Requirements - 2
Render stored credit card numbers unreadable, and encrypt them when transmitted over open networks
Store encryption keys securely
Update antivirus definitions on all in-scope systems
Develop applications using the approved secure coding guidelines
Follow change management procedures for all code changes and patches installed
Remove accounts from in-scope systems if they are no longer needed
Maintain passwords for accounts on in-scope systems per requirement 8.5
Follow the PCI compliant visitors policy, identifying all visitors to the areas that store cardholder data electronically
Conduct a daily review of the logs from all in-scope systems, antivirus, IDS, firewalls and applications; detect and investigate anomalies, including logs that stop arriving
Synchronize new router configurations per our router configuration standard
Maintain access to payment applications following need-to-know principles

6 Some PCI-DSS v2.0 Weekly Requirements
Detect changes to critical system files and to configuration files that control security features of applications
Analyze reports from file integrity monitoring software running on all in-scope systems
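The weekly file integrity check above (PCI DSS 11.5) reduces to three steps: hash the monitored files, keep the digests as a baseline, and diff the next snapshot against it. The block below is an added example written for this page; it is not NCSU's OSSEC configuration and does not implement OSSEC's own database format. It hashes with SHA-256 and keeps the baseline as a path-to-digest mapping. The two snapshots are constructed in memory (file names and contents are placeholders) so the example runs without touching a real host; walk_files() shows how a real run would build the same mapping from disk.

```python
"""Minimal file integrity monitoring: hash monitored files, keep a baseline,
report what changed. Added example, not the page's or OSSEC's own code."""
import hashlib
import os


def digest(data: bytes) -> str:
    """SHA-256 hex digest of file content."""
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """files: path -> bytes content. Returns path -> sha256 hex digest."""
    return {path: digest(content) for path, content in files.items()}


def walk_files(root: str, names: tuple) -> dict:
    """Build the path -> content mapping for monitored file names under root.
    (Used on a real system; the demo below uses in-memory snapshots instead.)"""
    files = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if fn in names:
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    files[full] = fh.read()
    return files


def compare(baseline: dict, current: dict) -> dict:
    """Diff two digest mappings. Every entry here is a review item for the
    weekly report: an unexpected add, delete or modification of a critical file."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed snapshots (placeholder paths and contents) of the kinds of files
# 11.5 covers: configuration that controls security functions, plus application
# binaries and settings.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ossec/ossec.conf": b"<ossec_config><syscheck><frequency>79200</frequency></syscheck></ossec_config>\n",
    "/opt/payapp/bin/payapp": b"\x7fELF placeholder build 1.4.2\n",
    "/opt/payapp/conf/gateway.properties": b"gateway.host=gw.example.net\ngateway.port=443\n",
}

CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # weakened
    "/etc/ossec/ossec.conf": BASELINE_FILES["/etc/ossec/ossec.conf"],               # unchanged
    "/opt/payapp/bin/payapp": BASELINE_FILES["/opt/payapp/bin/payapp"],             # unchanged
    "/opt/payapp/bin/.helper": b"#!/bin/sh\n# unexpected script in the app directory\n",  # new
    # gateway.properties is missing in the current snapshot
}


def sample_report() -> dict:
    """Diff the constructed current snapshot against the constructed baseline."""
    return compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in sample_report().items():
        for p in paths:
            print("%-8s %s" % (kind.upper(), p))
```

On a real host the baseline must itself be protected (stored off-box or signed), since an attacker who can alter the monitored files can usually alter a local baseline too; that is why the requirement pairs the check with a weekly review of the reports rather than trusting the tool silently.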

7 Some PCI-DSS v2.0 Monthly Requirements
Install critical security patches according to the patch management standard on all in-scope system components (servers, workstations, routers, firewall devices, POS systems, etc.)
Rank new vulnerabilities based on their threat to the NCSU in-scope systems using the risk ranking procedure

8 Some PCI-DSS v2.0 Quarterly Requirements
Perform internal and external vulnerability scans of all in-scope systems and remediate all high-ranked vulnerabilities detected
Use an Approved Scanning Vendor (ASV) to perform external vulnerability scans from the Internet and remediate all high-ranked vulnerabilities detected
Detect rogue wireless devices in the area around all networks and devices that are in scope
Change passwords for accounts that allow access to cardholder data or to systems that provide security functions to the cardholder data environment
Verify that stored cardholder data is still needed and that storing it does not exceed the card data retention period

9 Some PCI-DSS v2.0 Six Month Requirements
Review firewall and router rules and verify that rules have a documented list of ports with business justification
Review firewall and router rules and compare against vulnerability scans and pen-test results
Verify that inbound and outbound connections are limited to those necessary for the cardholder data environment and that the restrictions are documented
Periodically review the inventory of stored cardholder data to determine that it is accurate

10 Some PCI-DSS v2.0 Yearly Requirements
Change encryption keys for the wireless network at Carter-Finley Stadium
Complete the Self Assessment Questionnaire for each merchant
Use credit card data discovery tools to verify which systems are storing or transmitting credit card numbers
Review and update all information security policies needed for PCI compliance
Check the physical security of locks on rooms used to store backups and cardholder data
Archive visitor logs and collected logs from all in-scope systems
Perform a pen test to verify that security controls prevent unauthorized access to cardholder data
Conduct an incident response walk-through to test the incident response plan
Conduct an annual risk assessment identifying new risks and threats
Conduct annual security awareness training and distribute security policies

11 Assessor Responsibilities
Validate the scope of the assessment
Conduct PCI DSS assessments to determine whether PCI requirements are in place or not in place
Verify all technical information given by stakeholders
Use independent judgment to confirm requirements have been met
Provide support and guidance during the compliance process
Be on site for the duration of any relevant assessment procedure
Review the work product that supports the assessment procedures
Evaluate compensating controls

12 Payment Card Industry Terminology
Merchant - individual merchants and the University. Organization accepting the payment card for payment during a purchase.
  Review and understand the PCI Security Standards
  Understand the compliance, validation, and reporting requirements defined by the card brands (the merchant level determines what these are)
  Validate and report compliance to the acquirer
  Maintain ongoing compliance, not just during assessment
Acquirer - bank or entity the merchant uses to process their payment card transactions.
  Receives authorization requests from the merchant and forwards them to the issuer for approval
  Provides authorization, clearing and settlement services
  NC State University's acquirer is First Data
  The acquirer is responsible for merchant compliance: ensures that its merchants understand PCI-DSS compliance requirements and tracks compliance efforts
  Works with merchants until full compliance has been validated; merchants are not compliant until all requirements have been met and validated
  The acquirer is responsible for providing merchant compliance status to the payment brands

13 Payment Card Industry Terminology - 2
Merchant Bank - NC State University's merchant bank is SunTrust
Payment Processor - NC State University's payment processor is First Data
Card Brands - Visa, MasterCard, Discover, American Express, Japan Credit Bureau (JCB)
Compliance - state of having all PCI-DSS requirements in place
Reporting - documentation of compliance status provided to the merchant bank
Verification - procedure to test and document that a specific requirement is in place and working
Validation - required actions merchants must take to demonstrate compliance with the standard
Assessment - it is the responsibility of a merchant's security assessor to determine compliance
Remote Access - accessing the cardholder data environment from an untrusted network
Network Segmentation - isolating system components that store, process or transmit cardholder data from systems that do not
Trusted Network - network of an organization that is within the organization's ability to control or manage
Procedures - descriptive narrative for a policy. A procedure is the "how to" for a policy and describes how the policy is to be implemented.

14 Payment Card Industry Terminology - 3
PAN - Primary Account Number: the payment card number (credit or debit) that identifies the issuer and the particular cardholder account
CDE - Cardholder Data Environment: the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components
PA-DSS - Payment Application Data Security Standard. PA-DSS applications have an Implementation Guide describing how an application is to be deployed in order to comply with PCI-DSS.
PCI-DSS - Payment Card Industry Data Security Standard
PTS - PIN Transaction Security, the PCI standard for PIN-entry devices (written "PA-PTS" elsewhere in these slides)
PCIP - PCI Professional: certified to understand the PCI-DSS and how to implement it
QIR - Qualified Integrators and Resellers. A QIR produces a QIS (Qualified Implementation Statement) that explains how the application, service or device was set up to be PCI compliant and how it should be maintained.
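Three of the items above hang together in practice: the daily requirement to render stored PANs unreadable, the yearly card data discovery sweep, and the definition of a PAN. The block below is an added example for this page, not NCSU's tooling and not Identity Finder; it shows the core of both a discovery scan and a masking step. It assumes a candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes, that a Luhn check is used to cut false positives (phone and ticket numbers), and that masking keeps at most the first six and last four digits, which is the PCI DSS 3.3 display rule. The sample text is constructed; the card numbers in it are the well-known gateway test numbers, not real accounts.

```python
"""Discover candidate PANs in text and render them unreadable by masking.
Added example; not the page's or any vendor's code."""
import re

# 13-19 digits, each digit optionally followed by one space or dash,
# not adjacent to other digits.
CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return distinct Luhn-valid 13-19 digit strings found in text, in order."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _strip(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; everything between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; leave
    Luhn-invalid digit runs (ticket numbers, phone numbers) untouched."""
    def _sub(m):
        digits = _strip(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE.sub(_sub, text)


# Constructed sample: gateway test card numbers plus look-alike noise.
SAMPLE = """order 1001 visa 4111 1111 1111 1111 exp 12/14
phone 919-515-2011 ticket 12345678901234
refund amex 3782-822463-10005 mc 5555555555554444"""

if __name__ == "__main__":
    print("found:", find_pans(SAMPLE))
    print(redact(SAMPLE))
```

A discovery tool run over file shares, mailboxes and database dumps is doing the same thing at scale; the Luhn check is what keeps it from reporting every long number it sees. Masking is only one way to satisfy 3.4 (truncation, hashing with a salt, or strong encryption are the others); masked output is acceptable for display but the full PAN must not be written back anywhere it was not already permitted.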

15 PA-DSS v2.0 Summary
Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
Provide secure password features
Protect stored cardholder data
Log application activity
Develop secure applications
Protect wireless transmissions
Test applications to address vulnerabilities
Facilitate secure network implementation
Do not store cardholder data on a server connected to the Internet
Facilitate secure remote software updates
Facilitate secure remote access to the application
Encrypt sensitive traffic over public networks
Encrypt all non-console administrative access
Maintain instructional documentation and training programs for customers, resellers and integrators

16 Payment Card Industry Terminology - 4
Service Provider - any organization that stores, transmits or processes cardholder data on behalf of merchants or other service providers. Also other organizations that could impact merchant security (even if they don't have direct access to cardholder data).
Reporting and validation requirements for service providers tend to be stricter than those of merchants because they provide services for more than one organization.
There are two service provider levels:
  Level 1 - store, transmit or process more than 300,000 total combined transactions annually. Level 1 validation is via annual QSA audit and quarterly ASV scans.
  Level 2 - store, transmit or process fewer than 300,000 total combined transactions annually. Level 2 validation is via SAQ and quarterly ASV scans.
NCSU merchants should always use Level 1 service providers.

17 Service Provider Management and Compliance
January 11, 2011 - University of Connecticut, HuskyDirect.com, Storrs, Connecticut
Customers who used their credit cards on UConn's HuskyDirect.com sports gear website may have had their personal information exposed in a data security breach. A hacker was able to access the HuskyDirect.com customer database and may have viewed billing information including names, addresses, telephone numbers, credit card numbers, expiration dates and security codes. The HuskyDirect.com database is run by an outside vendor. The forensic investigation revealed that Fandotech, the company that was hosting and managing the site, was not following correct web security procedures.
Number of credit cards breached: 18,059

18 Terms Used in the PCI-DSS and What They Mean
Standard(s) - approved, consistent process for doing something in a repeatable manner
Process - a systematic series of actions that allow for a consistent, repeatable result
Mechanism - routine methods or procedures
Management - the act or manner of managing; handling, direction or control
Control - to adjust to a requirement; regulate
Approves - to consent to officially or formally; confirm or sanction
Obtain - collect documentation such as policies, procedures, system configurations or application documentation
Examine - perform interviews and review documentation and/or system configuration
Verify/Confirm - confirm that documentation and/or system configuration meets the testing procedures through observation and testing

19 Merchant Responsibilities
Review and understand the PCI Security Standards (see "PCI Compliance for Dummies")
Understand the compliance, validation, and reporting requirements defined by the card brands
NCSU merchants report compliance by completing an SAQ every year
Maintain ongoing compliance, not just during assessment
Maintain payment card readers used to swipe and collect card data
Ensure that third-party providers, their applications and systems are PCI compliant
Merchants will be responsible for any fines or penalties for non-compliance. Fines can easily exceed $100,000.

20 Roles and Responsibilities
OIT responsibilities - OIT is responsible for operating and maintaining a PCI compliant environment. This covers infrastructure items like log management and enterprise antivirus, firewalls, intrusion detection systems and more. This also covers administrative requirements like the incident response plan and technology use policies.
Service provider responsibilities - similar to OIT responsibilities, for merchants hosting applications off site (log management, IDS, antivirus, vulnerability scanning)
Controller's Office responsibilities - issuing new merchant IDs and ID life cycle management (add, delete, rename, deactivate). To obtain a merchant ID, items on the merchant checklist must be completed. This includes the initial data flow diagram, initial Self Assessment Questionnaire and other documentation.
  Approver of service providers and payment applications
  Point of contact for all merchant service requests and questions

21 Merchant Services From the Controller's Office

22 From the Controller's Office: answers to who, what, when, how, and why

23 Who? What?
Who: Cash Management Unit, Merchant Services Team - Amanda Richardson, Taylor Chappell
What:
  Initial request for a merchant account
  Modifications to existing merchants
  Notification of changes to merchant infrastructure or personnel

24 When? How?
Plan early!!! Before you sign any contract with a third party.
From start to finish takes approximately 2 to 3 months before an account is ready for use.
Decide if credit card payments are right for you.
Review the credit card procedures on the Controller's website.
Contact the merchant services team for a consultation.

25 Why????
To avoid fines that could reach six figures.
Vice Chancellor Leffler has stated that any fines incurred will be the responsibility of the merchant.
PCI compliance is the goal so we can continue to accept credit cards as a payment method.

26 Why PCI Compliance Is Important to You
Compliance is required by a chain of contracts from the Card Brands to the Merchant Bank to the Acquirer to the State of NC OSC to the NCSU Controller's Office to the Merchant.
Maintaining a merchant account = agreeing to be PCI compliant.
There can be fines for non-compliance, incidents and breaches.
Recently, a small Mexican restaurant fell victim to a data breach and was forced to shut down after incurring a $100,000 fine. Other breach stories include USC dining and SUNY dining.

27 Consider the Cost of Non-Compliance
Penalties for non-compliance (Visa and MasterCard): the credit card companies may impose penalties or fines on members, merchants, or their agents. Members or merchants are subject to fines of up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information, and the network is subsequently found to have been non-compliant at the time of the compromise. Also, if a member or merchant fails to immediately notify the credit card companies of a suspected or confirmed loss or theft of transaction information, the member or merchant is subject to a penalty of $100,000 per incident.

28 Credit Card Theft and Fraud
Nov 2012 (CVV Plaza video): U.S. Visa cards are by far the most prevalent on the black market, representing at least 75% of the supply on each of the forums monitored by CloudeyeZ, which isn't surprising considering that Visa is the world's largest card network with 302 million cards in circulation and a nearly 50% market share, according to Card Hub statistics. Each forum lists more than 15,000 U.S. credit cards for sale. Visa, MasterCard, and American Express cards are priced fairly uniformly across forums: Visa roughly $2.60 per card, MasterCard $3.30, and Amex $2.80. Discover cards, by contrast, range anywhere from $1.50 to $3.15 per card.

29 Potential Financial Impact to a Compromised Merchant
Forensic examination
Remediation efforts, including installation of new systems and procedures
Fines and penalties from the card brands
Termination of the ability to accept payment cards
Legal settlements
Cost of credit monitoring service for affected cardholders
Loss of customer/public confidence
Loss of business

30 Two Kinds of PCI-DSS Requirements
There are two kinds of PCI requirements: technology and process.
Security technology consists of software, hardware and third-party services used to implement purpose-built applications that protect cardholder data from various threats.
Security process is a specific set of operational procedures used to implement and maintain protection, which may or may not require a particular type of security technology.
Quite often, technology and process go hand in hand.
Example, Requirement 5: Maintain antivirus software on all systems commonly affected by malware. This requires both kinds of controls:
  Technology: deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
  Process: ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.

31 How Is a Requirement Met?
Using Requirement 5 as an example:
  Determine the scope of the requirement
  Inventory all devices where antivirus software must be installed and maintained
  Determine how the antivirus software creates and transmits logs
  Collect the logs
  Examine the logs every day; also detect if logs are missing
  Respond to incidents
Annual assessment for Requirement 5:
  Does the software detect all kinds of malware required?
  Is the scope correct?
  Is the software installed on all in-scope systems?
  Is the software being updated regularly and producing logs?
  Are logs being kept secure and stored for the required period?
  Are logs being analyzed?
  Is an incident response procedure in place and reviewed annually?
  Is the incident response procedure being followed?
"Requirement 5 isn't on my SAQ, why do I have to comply?"
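The daily log review in the list above (and in the daily requirements earlier) has two halves that are easy to get backwards: looking for anomalies in the events that arrived, and noticing the hosts whose events did not arrive at all. The block below is an added example for this page, not the OIT or Splunk configuration it describes. It assumes logs are collected centrally, one event per line in the form "<ISO timestamp> <host> <program>: <message>", that the in-scope host list comes from the hardware inventory, and that five failed logins from one source against one host within the review window is the alert threshold; host names, addresses, program names and the log lines themselves are constructed.

```python
"""Daily log review: silent in-scope hosts and repeated authentication failures.
Added example; not the page's or any vendor's code."""
from collections import Counter
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^:\s]+):\s*(?P<msg>.*)$")
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse(lines):
    """Turn raw lines into event dicts; unparsable lines are skipped here
    (a production review should count them, since a format change can hide events)."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "host": m.group("host"),
            "prog": m.group("prog"),
            "msg": m.group("msg"),
        })
    return events


def review(lines, in_scope, now, window_hours=24, fail_threshold=5):
    """Return hosts with no events in the window and sources with repeated failures."""
    events = parse(lines)
    window_start = now - timedelta(hours=window_hours)

    # "Detect if logs are missing": every in-scope host must have logged
    # something inside the window. Absence of a hit is the finding.
    last_seen = {}
    for e in events:
        if e["host"] in in_scope:
            if e["host"] not in last_seen or e["ts"] > last_seen[e["host"]]:
                last_seen[e["host"]] = e["ts"]
    silent = sorted(h for h in in_scope
                    if h not in last_seen or last_seen[h] < window_start)

    # Anomaly: repeated failed logins from one source against one host.
    failures = Counter()
    for e in events:
        if e["ts"] < window_start:
            continue
        m = FAILED_LOGIN.search(e["msg"])
        if m:
            failures[(e["host"], m.group("src"))] += 1
    brute_force = [{"host": h, "src": s, "count": c}
                   for (h, s), c in sorted(failures.items()) if c >= fail_threshold]

    return {"silent_hosts": silent, "failed_login_sources": brute_force, "last_seen": last_seen}


# Constructed inventory and log lines (placeholder hosts and addresses).
NOW = datetime(2013, 1, 15, 9, 0, 0)
IN_SCOPE = {"pos-01", "pay-ws-02", "fw-01", "log-01"}
SAMPLE_LOGS = """\
2013-01-12T22:10:05 fw-01 fwsm: %FWSM-6-302013: Built outbound TCP connection
2013-01-14T08:02:11 pos-01 sshd[2201]: Accepted publickey for posadmin from 10.20.1.5 port 51022 ssh2
2013-01-14T11:15:00 pay-ws-02 OfficeScan: Virus pattern updated to 9.700.00
2013-01-14T23:41:02 pos-01 sshd[2310]: Failed password for root from 203.0.113.9 port 4011 ssh2
2013-01-14T23:41:05 pos-01 sshd[2310]: Failed password for root from 203.0.113.9 port 4012 ssh2
2013-01-14T23:41:09 pos-01 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 4013 ssh2
2013-01-14T23:41:12 pos-01 sshd[2310]: Failed password for root from 203.0.113.9 port 4014 ssh2
2013-01-14T23:41:15 pos-01 sshd[2310]: Failed password for root from 203.0.113.9 port 4015 ssh2
2013-01-15T07:30:44 pos-01 sshd[2402]: Failed password for posadmin from 10.20.1.5 port 51100 ssh2
2013-01-15T08:00:00 pos-01 ossec: Integrity checksum changed for: '/etc/passwd'
""".splitlines()

if __name__ == "__main__":
    report = review(SAMPLE_LOGS, IN_SCOPE, NOW)
    for h in report["silent_hosts"]:
        print("NO LOGS in last 24h from in-scope host:", h)
    for item in report["failed_login_sources"]:
        print("%(count)d failed logins on %(host)s from %(src)s" % item)
```

In the constructed data the firewall last logged three days ago and the log server never logged at all; both are findings even though neither produced an "alert", which is the point of the missing-logs check. The single failed login from the administrator's own workstation stays below the threshold and is left for the reviewer to judge.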

32 Dedicated Payment Workstation
A separate, restricted-function computer used only for entering credit card numbers
Will not have access to outside networks
Will be on a separate VLAN and a separate network port
Will not have any applications installed that are not necessary for payment application work
Will not have access to email, IM or Google Drive
Will implement application whitelisting
Will have no removable storage
May not have local file storage unless needed
Will have no copy/paste functions unless needed
Will have full logging and monitoring for PCI compliance: intrusion detection system monitoring, file integrity monitoring, Windows, application and antivirus logs
Will have to change the login password every 90 days
Will have security patches installed within 30 days of release

33 Infrastructure for Meeting Critical Requirements
These technologies have been chosen to meet specific PCI requirements:
Trustwave external vulnerability scans - requirement 11.2; all public-facing hosts must be scanned
Qualys vulnerability scanner - scanning all in-scope servers, devices, workstations and networking hardware (routers and firewalls) to meet requirement 11.2; all internal hosts and devices must be scanned
Remedy change management - requirements 1, 6 and 8
Veracode - code review methodology, developer training - requirement 6.5
VigiTrust - PCI security training/awareness - requirement 12.6
Identity Finder - assists in validating scope ("requirement 0", the scoping step that precedes the 12 requirements)
CCFN web server - requirements 1, 2 and 6; a standard, separate web server environment

34 Infrastructure for Meeting Critical Requirements
These technologies have been chosen to meet specific PCI requirements:
HyTrust - requirement 2 (standard configuration), requirement 10 (central logging), requirement 7 (access control)
Cisco FWSM - requirement 1 (network segmentation and DMZ)
Cisco VPN for two-factor logins - requirement 8.3
Splunk - requirement 10
Secunia - requirement 6 (install security patches within 30 days)
Snort - IDS, requirement 11.4
Aruba AirWave - wireless IPS and rogue wireless detection, requirement 11.1
OfficeScan - requirement 5 (maintain up-to-date antivirus software)
OSSEC - FIM, requirement 11.5

35 Compliance Strategies: How Will We Deal With New Demands and Technology?
Wireless networking - reduce use of wireless to an absolute minimum; only allow additions with specific approval from OIT-ISS. NCSU plans to use a CAM table dump compared with the approved device list as a compensating control for requirement 11.1 (rogue wireless detection).
On-site registrations - use a payment terminal with cell phone networking (exceptions require specific approval)
Web hosting providers - use Level 1 PCI compliant service providers; address PCI compliance and specific requirement responsibilities in service contracts
Tokenization / P2PE (Point-to-Point Encryption) - these reduce risk since card data is not stored, and transmitted card data cannot be decrypted by merchant systems
Virtualization - virtualization has many risks not present with real hardware; the benefits of virtualization (power saving, space saving, greater uptime) must be weighed against the cost and expense of the HyTrust VM and the separate hypervisor needed for a compliant VM environment
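The compensating control mentioned above (dump the switch CAM table and compare it with the approved device list) is simple enough to show end to end. The block below is an added example written for this page, not NCSU's script. It assumes the dump is in the format of Cisco IOS "show mac address-table" (VLAN, MAC, type, port), that the approved list is a MAC-to-description mapping kept alongside the merchant hardware inventory, and that the CDE VLAN numbers are known. Two things are flagged: a MAC on a CDE VLAN that is not in the inventory, and an access port carrying more than one MAC, which is what a consumer access point, hub or unmanaged switch plugged into a register port looks like from the switch. All MAC addresses, VLANs and port names are placeholders.

```python
"""Compare a switch CAM table dump against the approved device inventory.
Added example; not the page's or Cisco's code."""
import re

# One data row of "show mac address-table": VLAN, dotted MAC, type, port.
CAM_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Lower-case colon form for Cisco dotted, colon or dash input."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_cam_table(dump: str) -> list:
    """Parse the dump into (vlan, mac, port) tuples, ignoring headers and totals."""
    entries = []
    for line in dump.splitlines():
        m = CAM_LINE.match(line)
        if m:
            entries.append((int(m.group("vlan")), normalize_mac(m.group("mac")), m.group("port")))
    return entries


def audit_cam(dump: str, approved: dict, cde_vlans: set) -> dict:
    """Flag unapproved MACs on CDE VLANs and ports carrying more than one MAC."""
    unknown = []
    per_port = {}
    for vlan, mac, port in parse_cam_table(dump):
        if vlan not in cde_vlans:
            continue
        if mac not in approved:
            unknown.append({"vlan": vlan, "mac": mac, "port": port})
        per_port.setdefault(port, []).append(mac)
    multi = {p: macs for p, macs in per_port.items() if len(macs) > 1}
    return {"unknown": unknown, "multi_mac_ports": multi}


# Constructed inventory and dump: placeholder MACs, VLAN 210 is the CDE VLAN.
APPROVED = {
    "00:11:22:33:44:55": "Bookstore register 1",
    "00:11:22:33:44:56": "Bookstore register 2",
    "00:11:22:33:44:57": "Ticket office payment workstation",
}

CAM_DUMP = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 210    0011.2233.4455    DYNAMIC     Gi1/0/1
 210    0011.2233.4456    DYNAMIC     Gi1/0/2
 210    0011.2233.4457    DYNAMIC     Gi1/0/5
 210    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
 210    00aa.bbcc.dd02    DYNAMIC     Gi1/0/3
 300    0099.8877.6655    DYNAMIC     Gi1/0/10
Total Mac Addresses for this criterion: 6
"""

if __name__ == "__main__":
    report = audit_cam(CAM_DUMP, APPROVED, cde_vlans={210})
    for item in report["unknown"]:
        print("UNKNOWN on VLAN %(vlan)s port %(port)s: %(mac)s" % item)
    for port, macs in report["multi_mac_ports"].items():
        print("MULTIPLE MACs on %s (possible AP/hub): %s" % (port, ", ".join(macs)))
```

The comparison is only as good as the inventory it is checked against, which is why the later slides ask every merchant for a hardware inventory and for notice when it changes. It also only sees devices that talk on the wire; a wireless device bridging into the CDE shows up as extra MACs behind one port, which the multi-MAC check catches, but a standalone rogue AP that is not plugged into the switch needs the radio-side scan.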

36 Compliance Strategies: How Will We Deal With New Demands and Technology?
Mobile payment applications - use only PA-DSS listed applications and PCI PTS approved hardware. Nearly all mobile applications have security vulnerabilities since they are written for function, not compliance.
Dedicated payment workstations - required if entering full card numbers or viewing full card numbers
Code review requirement - OIT will write and adopt secure coding guidelines for web applications and other programs used to automate or administer payment applications. All programmers will need to learn and use these guidelines. Periodically, there will be a refresher course to address new vulnerabilities and attacks.
Risk ranking requirement - this requirement will be met by a joint effort from OIT-ISS, OIT-SHS and ComTech

37 Compliance Strategies: How Will We Deal With New Demands and Technology?
Standardize commonly needed merchant applications like event management
Get ready for EMV by October 2015 (affects POS, card-present transactions)
  Rent new terminals if the current ones don't support EMV
  Don't buy a terminal that doesn't support EMV

38 Compliance Strategies: Scoping and the NCSU Networks
Primary scope - systems and network devices that store, process and transmit cardholder data (plus anything on the same network segment as primary scope)
  Examples: servers storing card data, cash register in the Bookstore
  Primary scope must meet all PCI-DSS requirements
Secondary scope - systems that connect to primary scope; systems that primary scope connects to; systems used to administer primary scope; systems that provide security functions to primary scope
  Examples: log management server, admin workstation used to modify a merchant website
  Secondary scope devices must meet some PCI-DSS requirements
  Secondary scope requirements depend on the riskiness of the connection
  Common secondary scope requirements: 30-day patching, 90-day password change, quarterly vulnerability scanning, antivirus software, some logging (authentication)

39 Compliance Strategies: Scoping and the NCSU Networks - Ways to Reduce Scope and Requirements
1. Do not store credit card data; do not store credit card data longer than needed
2. Use a service provider that is already on the approved list (being used by other NCSU merchants)
3. Do not use wireless network technology
Exceptions and changes require specific special approval
Scoping impact of using a fax-to-email service

40 Things We Need Every Merchant to Do
Build a data flow diagram; let us know when it changes. A data flow diagram depicts merchant business processes and shows where CCN data goes (NOT a technical diagram).
Tell us everywhere you enter credit card numbers (for orders, refunds, divided payments)
Software and hardware inventory; used for vulnerability management and standardization
Make a list of service providers; let us know when it changes
Give us technical/IT staff contact information

41 Creating a Card Data Flow Diagram
Start with boxes for each physical location (office, store)
In each location show computer workstation, credit card terminal, telephone, mailbox, fax machine
Show the card gateway
Show archival storage
Show websites and hosting providers
Show where data backups are stored (if CCN data is in backups)
Show the on-campus data center
Show media disposal (if CCN data is stored on paper)
Label each physical location (use building name, room name/number or address, URL)
Draw arrows (in a different color or dashed lines) showing where card data enters the system
Label the method of acquiring card data (phone call, fax, card reader, paper form, online)
Draw arrows showing where card data moves or is copied to after it enters the system
Draw arrows showing where card data leaves the network
Draw arrows showing where card data is destroyed

42 Creating a Card Data Flow Diagram
Consider all scenarios, including all types of sales (website, walk-up, mail order, fax, telephone), refunds and returns
Include the process used when the system is offline or the network is down
Label each data flow to indicate the action and whether the full card number (PAN) is transmitted
Label devices at each location with an abbreviation that matches the device inventory
Label dial-up connections differently than data network connections
Send completed data flow diagrams via email to deborah_booth@ncsu.edu by March 15th, 2013.

43 Things We Need Every Merchant to Do
Software and hardware inventory; used for vulnerability management and standardization
Make a list of service providers; let us know when it changes
Give us technical/IT staff contact information

44 Things We Need Every Merchant to Do: Software and Hardware Inventory
Send this information:
  Merchant account name
  Name of payment software or hardware
  Name of developer or vendor
  Version of software or firmware
  Type of product (hardware, software, hosted service, etc.)
  Is the software or hardware needed for a specific payment application?
  Card gateway connected with this hardware or software
  Short description of usage
To deborah_booth@ncsu.edu by March 15th, 2013. Note: let us know if this changes.

45 Things We Need Every Merchant to Do: Software and Hardware Inventory (example)
  Merchant account name: NCSU Ticket Office
  Name of payment software or hardware: NetOp Security Server
  Name of developer or vendor: NetOp
  Version of software or firmware: NetOp version 9.0
  Type of product (hardware, software, hosted service, etc.): Software
  Is the software or hardware needed for a specific payment application? No
  Card gateway connected with this hardware or software: none
  Short description of usage: Remote access control software using two-factor (password and token) authentication. Vendor technical support logs in via this software for periodic maintenance. Logins are only enabled when needed.

46 Things We Need Every Merchant to Do: Make a List of Service Providers
Send this information:
  Merchant account name
  Outside service provider name
  Type of product (hardware, software, hosting service, card gateway, etc.)
  Is the service needed for a special payment application?
  Card gateway connected with this service provider
  Short description of usage
To deborah_booth@ncsu.edu by March 15th, 2013. Note: let us know if this changes.

47 Things We Need Every Merchant to Do: Make a List of Service Providers (example)
  Merchant account name: Foundations Online Giving
  Outside service provider name: Convio
  Type of product (hardware, software, hosting service, card gateway, etc.): Software and hosting service
  Is the service needed for a special payment application? Yes; handles recurring payments
  Card gateway connected with this service provider: PayPal
  Short description of usage: Hosted CRM application and hosting provider used by Advancement for tracking online giving. Card numbers are stored at PayPal. Convio uses data from the EAS advancement database.

48 Things We Need Every Merchant to Do: Give Us Technical/IT Staff Contact Information
Send this information:
  Merchant account name
  Merchant technical support name
  Technical support email address
  Technical position title
  Merchant technical work phone number
Send by email by March 15th, 2013. Note: let us know when it changes.

49 Things We Need Every Merchant to Do
Read and understand the PCI policies and procedures of the University. These will be presented to each merchant as part of an annual PCI-DSS training class.
Complete and sign the Self Assessment Questionnaire annually. Each merchant will complete an annual PCI-DSS training class and then submit a completed SAQ.
If you are using a PA-DSS listed application, get compliance documentation from the vendor before the annual assessment.
If you know someone else who should see this presentation, have them sign up for the Jan. 15th, 2013 session.


More information

Payment Card Industry (PCI) Compliance

Payment Card Industry (PCI) Compliance Payment Card Industry (PCI) Compliance February 13, 2019 To Receive CPE Credit Individuals Participate in entire webinar Answer polls when they are provided Groups Group leader is the person who registered

More information

Total Security Management PCI DSS Compliance Guide

Total Security Management PCI DSS Compliance Guide Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI COMPLIANCE IS NO LONGER OPTIONAL PCI COMPLIANCE IS NO LONGER OPTIONAL YOUR PARTICIPATION IS MANDATORY To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry

More information

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,

More information

Merchant Guide to PCI DSS

Merchant Guide to PCI DSS 0800 085 3867 www.cardpayaa.com Merchant Guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 Card Pay from the AA Simple PCI DSS - 3 step

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1:

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A-EP For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions

More information

GUIDE TO STAYING OUT OF PCI SCOPE

GUIDE TO STAYING OUT OF PCI SCOPE GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Data Security Standard

Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring By Chip Ross February 1, 2018 In the Verizon Payment Security Report published August 31, 2017, there was an alarming

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Document2 Section 1: Assessment Information Instructions for

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire A For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1: Assessment Information

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Merchants Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission This

More information

Navigating the PCI DSS Challenge. 29 April 2011

Navigating the PCI DSS Challenge. 29 April 2011 Navigating the PCI DSS Challenge 29 April 2011 Agenda 1. Overview of Threat and Compliance Landscape 2. Introduction to the PCI Security Standards 3. Payment Brand Compliance Programs 4. PCI DSS Scope

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au Your guide to the Payment Card Industry Data Security Standard (PCI DSS) 1 13 13 76 banksa.com.au CONTENTS Page Contents 1 Introduction 2 What are the 12 key requirements of PCIDSS? 3 Protect your business

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments - Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder

More information

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Customer Compliance Portal. User Guide V2.0

Customer Compliance Portal. User Guide V2.0 Customer Compliance Portal User Guide V2.0 0 Copyright 2016 Merchant Preservation Services, LLC. All rights reserved. CampusGuard, the Merchant Preservation Services logo, and the CampusGuard logo are

More information

Payment Card Industry Data Security Standards Version 1.1, September 2006

Payment Card Industry Data Security Standards Version 1.1, September 2006 Payment Card Industry Data Security Standards Version 1.1, September 2006 Carl Grayson Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS v1.1 in More Detail Discussion, Questions and

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only No

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

COMPLETING THE PAYMENT SECURITY PUZZLE

COMPLETING THE PAYMENT SECURITY PUZZLE COMPLETING THE PAYMENT SECURITY PUZZLE An NCR white paper INTRODUCTION With the threat of credit card breaches and the overwhelming options of new payment technology, finding the right payment gateway

More information

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Effective Data Security Measures on Payment Cards through PCI DSS 2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Learning Bites Comprehend the foundations, requirements,

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

Site Data Protection (SDP) Program Update

Site Data Protection (SDP) Program Update Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only No

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

PCI DSS v3. Justin

PCI DSS v3. Justin PCI DSS v3 Justin Leapline justin.leapline@giftcards.com @jmleapline My Experience With PCI Just to lay the groundwork Currently work at Largest ecommerce in Pittsburgh My experience includes: QSA Acquirer

More information

PCI Compliance. What is it? Who uses it? Why is it important?

PCI Compliance. What is it? Who uses it? Why is it important? PCI Compliance What is it? Who uses it? Why is it important? Definitions: PCI- Payment Card Industry DSS-Data Security Standard Merchants Anyone who takes a credit card payment 3 rd party processors companies

More information

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard Introduction Verba provides a complete compliance solution for merchants and service providers who accept and/or process payment card data over the telephone. Secure and compliant handling of a customer

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Version 3.2 Section 1: Assessment Information Instructions for Submission This document

More information

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C All university merchant departments accepting credit cards

More information

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS How do you manage your customers payment card details securely and responsibly? White paper PCI DSS Contents Introduction Gaining trust 3 Definition What is PCI DSS? 4 Objectives What is the purpose of

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire P2PE For use with PCI DSS Version 3.2.1 July 2018 Section 1: Assessment Information Instructions

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2.1 June 2018 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly?

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly? White paper PCI DSS How do you manage your customers payment card details securely and responsibly? Inhalt Introduction 3 Gaining trust Definition 4 What is PCI DSS? Objectives 6 What is the purpose of

More information

PCI PA-DSS Implementation Guide

PCI PA-DSS Implementation Guide PCI PA-DSS Implementation Guide For Atos Worldline Banksys XENTA, XENTEO, XENTEO ECO, XENOA ECO YOMANI and YOMANI XR terminals using the Point BKX Payment Core Software Versions A05.01 and A05.02 Version

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use PCI DSS Version 3.2 Revision 1.1

More information

A QUICK PRIMER ON PCI DSS VERSION 3.0

A QUICK PRIMER ON PCI DSS VERSION 3.0 1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Hardware Payment Terminals in a Validated P2PE Solution only, No Electronic Cardholder

More information

Ready Theatre Systems RTS POS

Ready Theatre Systems RTS POS Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2

More information

Payment Card Industry - Data Security Standard (PCI-DSS)

Payment Card Industry - Data Security Standard (PCI-DSS) Payment Card Industry - Data Security Standard (PCI-DSS) Tills Security Standard (SAQ P2PE) Version 1-0-0 14 March 2018 University of Leeds 2018 The intellectual property contained within this publication

More information

Credit Card Data Compromise: Incident Response Plan

Credit Card Data Compromise: Incident Response Plan Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

PCI DSS Illuminating the Grey 25 August Roger Greyling

PCI DSS Illuminating the Grey 25 August Roger Greyling PCI DSS Illuminating the Grey 25 August 2010 Roger Greyling +64 21 507 522 roger.greyling@security-assessment.com Lightweight Intro Dark Myths of PCI 3 Shades of Grey The Payment Card Industry Data Security

More information

PCI Compliance Assessment Module with Inspector

PCI Compliance Assessment Module with Inspector Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment

More information

Addressing PCI DSS 3.2

Addressing PCI DSS 3.2 Organizational Challenges Securing the evergrowing landscape of devices while keeping pace with regulations Enforcing appropriate access for compliant and non-compliant endpoints Requiring tools that provide

More information

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

A Perfect Fit: Understanding the Interrelationship of the PCI Standards A Perfect Fit: Understanding the Interrelationship of the PCI Standards 9/5/2008 Agenda Who is the Council? Goals and target for today s Webinar Overview of the Standards and who s who PCI DSS PA-DSS PED

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC) PCI PA - DSS Point Vx Implementation Guide For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC) Version 2.02 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm,

More information

David Jenkins (QSA CISA) Director of PCI and Payment Services

David Jenkins (QSA CISA) Director of PCI and Payment Services David Jenkins (QSA CISA) Director of PCI and Payment Services PCI and the Cloud, where is my Atlas Agenda About Cognosec PCI DSS 3.0 and CSPs SLA Considerations Technical considerations Auditing About

More information

Webinar: How to keep your hotel guest data secure

Webinar: How to keep your hotel guest data secure Webinar: How to keep your hotel guest data secure Securing your hotel guest data Wednesday April 18, 2018 2:00 pm ET WEBINAR HOST Joshua Molina Ed Vasko Chief Executive Officer QUESTIONS? Type them in

More information

Daxko s PCI DSS Responsibilities

Daxko s PCI DSS Responsibilities ! Daxko s PCI DSS Responsibilities According to PCI DSS requirement 12.9, Daxko will maintain all applicable PCI DSS requirements to the extent the service prov ider handles, has access to, or otherwise

More information

PCI & You: more than you wanted to know.

PCI & You: more than you wanted to know. PCI Training PCI & You: more than you wanted to know. Presented by: Date: Jason Murray February 1, 2017 Payment Card Industry Security Standards Many Different Forms of Payment Pay Now Pay Later Pay in

More information

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next? PCI DATA SECURITY STANDARDS VERSION 3.2 What's Next? Presenters Alan Gutierrez Arana Director National PCI Leader RSM US LLP Gus Orologas, QSA Manager RSM US LLP Travis Wendling, QSA Supervisor RSM US

More information

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2) PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

More information

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005 85 Grove Street - Peterboro ugh, N H 0345 8 voice 603-924-6 079 fax 60 3-924- 8668 CN!Express CX-6000 Single User Version 3.38.4.4 PCI Compliance Status Version 1.0 28 June 2005 Overview Auric Systems

More information