Jordan Levesque Making sure your business is PCI compliant

Transcription

1 Jordan Levesque Making sure your business is PCI compliant

2 Brief overview of PCIDSS What's new in PCI DSS 3.2 Why is PCI important? Dive in! Simple things you can do to be secure Tomorrows session: What RCS does to keep your data secure

3 Overview of PCIDSS Payment Card Industry Data Security Standard Mandated by card brands Framework for applying good security posture

4 What's new in 3.2? Greater focus on Multifactor Authentication All remote access must have MFA All local administrator access must have MFA PAN masking requirements Pushed out SSL/TLS 1.0 migration deadline to from June 2016 to June 2018

5 Why is PCI important?

6 Risk Overview 62% more breaches in 2013 than in 2012, over 553 million identities stolen, up from 93 million in 2012, an increase of more than 594% = 20 million

7 Risk Overview Threats are becoming more advanced, and attacks are becoming more frequent

8 Breach Overview Avg cost per record for retailers $172 Avg cost per breach $4 million Average time to detection of a breach 197 days Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan 1 Jul 17

9 Dive into PCI! Scary at first, but when you take a step back, not so much!

10 What are the 12 Standards? Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses information security for all personnel

11 Initial Reaction

12 Standard 1: Simplified Install and maintain a firewall configuration to protect cardholder data More than just having one in place It is commercial grade It is configured properly It is monitored It is updated It is logged

13 Standard 2: Simplified Do not use vendor-supplied defaults for system passwords and other security parameters Username: administrator Password: password Username: corpnetadm Password: NAUGHTY NICE

14 Standard 2: Solutions NAUGHTY NICE

15 Standard 3 Protect stored cardholder data Mostly application-based Simply using CounterPoint is not enough. Ensure that: It is up to date It is configured properly Its users are trained NCR is implementing new features in current version of CounterPoint to address this Standard P2P encryption EMV NCR Securepay

16 Standard 3: CounterPoint Features P2P encryption EMV NCR Securepay Encrypts card data at the swipe. Decrypted at the processor. Technical standard for smart payment cards Data stored on integrated circuits rather than magnetic stripes. Payment gateway service Card data is never collected or stored by NCR Retail Online, which means your online store is considered out of scope for PCI assessments. Once implemented, no card data is stored! Only personal and business information, therefore reducing your PCI scope.

17 Standard 4: Simplified Encrypt transmission of cardholder data across open, public networks Your company and VPNs sittin` in a tree E-N-C-R-Y-P-T

18 Standard 5: Simplified Use and regularly update anti-virus software or programs Bonus points if: Its centrally managed by dedicated personnel Its lightweight on system resources

19 Standard 6: Simplified Develop and maintain secure systems and applications The big takeaway here: Document and demonstrate policies and procedures CHANGE CONTROL

20 Standard 7: Simplified Restrict access to cardholder data by business need to know Principle of least-privilege: Only grant access to what is legitimately needed by each person

21 Standard 8: Simplified Assign a unique ID to each person with computer access This one is easy: Don t share logins Use Multi-Factor Authentication (MFA) Username is jen123, here's my password Lol thanks!

22 Standard 8: MFA Solutions Something you know Something you have Something you are Password RSA Token Digital Certificate YubiKey Phone & Duo Security Iris Fingerprint Voice

23 Standard 9: Simplified Restrict physical access to cardholder data The dream: Reality: Fence PIN Biometric

24 Standard 10: Simplified Track and monitor all access to network resources and cardholder data Tricky to turn into meaningful data, but standard security hygiene will help get you there: Maintain and store logs from everything Store records before logs are overwritten due to storage limitations Audit where possible Windows server security logs are a great start

25 Standard 11: Simplified Regularly test security systems and processes Request a network evaluation and a penetration test pentest Have a plan in the event of an incident At the very least: Isolate affected systems

26 Standard 12: Simplified Maintain a policy that addresses information security for all personnel Similar to Standard 6: Document policies and procedures Host periodic security awareness events that identify prominent threats such as phishing

27 Standard 12: Solution Phishing is an extremely common attack vector, where users are tricked into giving up their credentials Duo Security has made it easy to raise awareness of phishing:

28 External Resources & Huge Thanks Duo Security IBM ZDNET

29