Minimizing the PCI Footprint: Reduce Risk and Simplify Compliance

Similar documents
Evolution of Cyber Attacks

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Dan Lobb CRISC Lisa Gable CISM Katie Friebus

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

The Future of PCI: Securing payments in a changing world

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

PCI DSS v3. Justin

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

Data Sheet The PCI DSS

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

PCI DSS COMPLIANCE 101

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Daxko s PCI DSS Responsibilities

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Maintaining Trust: Visa Inc. Payment Security Strategy

Merchant Guide to PCI DSS

Payment Card Industry (PCI) Point-to-Point Encryption

Will you be PCI DSS Compliant by September 2010?

Site Data Protection (SDP) Program Update

Navigating the PCI DSS Challenge. 29 April 2011

June 2012 First Data PCI RAPID COMPLY SM Solution

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Jordan Levesque Making sure your business is PCI compliant

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Business Context: Key for Successful Risk Management

INTELLIGENCE DRIVEN GRC FOR SECURITY

Carbon Black PCI Compliance Mapping Checklist

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

David Jenkins (QSA CISA) Director of PCI and Payment Services

University of Sunderland Business Assurance PCI Security Policy

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Complying with PCI DSS 3.0

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Total Security Management PCI DSS Compliance Guide

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

The PCI Security Standards Council

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Escaping PCI purgatory.

A QUICK PRIMER ON PCI DSS VERSION 3.0

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Simplify PCI Compliance

Cipherithm LLC 2013 PCI SSC North America Community Meeting Notes

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Payment Card Industry (PCI) Point-to-Point Encryption. Template for Report on Validation for use with P2PE v2.0 (Revision 1.1) for P2PE Solution

The Convergence of Security and Compliance

INFORMATION SECURITY BRIEFING

Compliance Audit Readiness. Bob Kral Tenable Network Security

GUIDE TO STAYING OUT OF PCI SCOPE

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

How To Build or Buy An Integrated Security Stack

PCI Compliance Assessment Module with Inspector

in PCI Regulated Environments

PCI COMPLIANCE IS NO LONGER OPTIONAL

Insurance Industry - PCI DSS

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

Google Cloud Platform: Customer Responsibility Matrix. December 2018

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Webinar: How to keep your hotel guest data secure

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

The Realities of Data Security and Compliance: Compliance Security

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

White Paper. Closing PCI DSS Security Gaps with Proactive Endpoint Monitoring and Protection

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Understanding PCI DSS Compliance from an Acquirer s Perspective

Request for Comments (RFC) Process Guide

Protect Your Organization from Cyber Attacks

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

PCI compliance the what and the why Executing through excellence

Information Technology Procedure IT 3.4 IT Configuration Management

2017 Annual Meeting of Members and Board of Directors Meeting

Achieving PCI Compliance: Long and Short Term Strategies

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Achieving PCI-DSS Compliance with ZirMed financial services Darren J. Hobbs, CPA and James S. Lacy, JD

SECURITY PRACTICES OVERVIEW

How to Use PCI DSS for a Stronger IT Security Posture and Streamline your Compliance Efforts. April 24, 2018

Jordan Levesque - Keeping your Business Secure

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

What makes a good KRI? Using FAIR to discover meaningful metrics

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Segmentation, Compensating Controls and P2PE Summary

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

PCI Compliance Updates

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

The Honest Advantage

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Payment Card Industry (PCI) Data Security Standard

Access Control and Physical Security Management. Contents are subject to change. For the latest updates visit

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Transcription:

SESSION ID: GRC-F02 Minimizing the PCI Footprint: Reduce Risk and Simplify Compliance Troy Leach CTO PCI Security Standards Council

Agenda Today s Landscape Reducing the Card Holder Data Footprint How to Measure the Reduction 2015 Goals Get Involved

Agenda Today s Landscape Reducing the Card Holder Data Footprint How to Measure the Reduction 2015 Goals Get Involved

Where the Footprint Begins 66% of data breaches, the organization didn t know the data was on the compromised system VERIZON DATA BREACH INVESTIGATIONS REPORT

More Efficient security Reducing the cardholder data footprint Less Complicated for PCI DSS

Ways to Reduce Footprint Business process Reduce the need or ability to store or transmit cardholder data Outsource Simplify Render Unreadable

Approach to PCI DSS Simplicity Reduce the attack surface Continuous Awareness & Protection Prevent New Types of Exposure Measure success and identify opportunity

Approach to PCI DSS Simplicity Reduce the attack surface Continuous Awareness & Protection Prevent New Types of Exposure Measure success and identify opportunity

Common Misconceptions & Misunderstandings I am compliant therefore I am secure My data is out of scope because <insert silver bullet here> I know where all my CHD is it s in my CDE My vendors do my compliance for me

Easier Said Than Done Why we fail to maintain secure environments Lack of awareness by IT practitioners Incentive to keep security a primary focus Quickly evolving technology landscape Rapid development and distribution of new solutions Still unnecessary exposure of CHD

Eliminate the Simple 92% of compromises were simple 96% were avoidable through simple or intermediate controls 92% 96% Verizon Business Data Breach Investigations Report

Results from a Concentrated Focus on PCI Concentrated focus on PCI can prevent one mistake leading to mass data compromise

Reduce the Attack Surface Continually Identify the environment Maintain a CHD Dataflow Diagram Meet regularly with those able to create cardholder data pathways DLP Methodology

Partner with Trusted Experts Verify claims of PCI DSS compliance Require agreements to maintain skillset Verify all third-party access

Defining and Following Best Practices Are you asking the right questions? How does the cardholder data flow? Where is there storage of data? Where is there available connectivity? Is all cardholder data classified as such? What are our dependencies? What features are installed by default? Have Clear Asset Identification of Payment Account Data

Third Party SIG Guidance 18

How Old is Your Business Process? 19

You Can t Attack What Isn t There Confirm there is still need to retain Verify with your financial partners Evaluate opportunities to use surrogate values to replace PAN

Don t Need It Don t Store It Is that Account Number worth more than a cheeseburger? 21

Render Cardholder Data Unreadable 22

Render Cardholder Data Unreadable Approved PED Approved Secure Card Reader Smart Phone or Tablet P2PE Solution Provider Encrypted Cardholder Data Encrypted Cardholder Data 23

Render Cardholder Data Unreadable 24

Agenda Today s Landscape Reducing the Card Holder Data Footprint How to Measure the Reduction 2015 Goals Get Involved

How Do We Measure Success?

ROSI: It s a Measurement Problem Risk is hard to quantify Data may not be easily available Growing complexity of technology make metrics also complex

Goal for Security Metrics To move from a culture of fear and uncertainty Security Metrics: Removing Fear, Uncertainty and Doubt by Andrew Jacquith to a culture of awareness and then a culture of measurement 28

Goal for PCI Security Metrics To move from uncertainty of where cardholder data is Security Metrics: Removing Fear, Uncertainty and Doubt by Andrew Jacquith to a culture of awareness and then a culture of measuring improvement 29

Bad Metrics Unclear Inconsistently measured Costly Does the metric improve cost of investment? Unusable Incomplete numbers

Measure Success and Identify Opportunities Create Good Metrics Consistently measured Reasonable to gather Quantitative NIST SP 800-55 Must be relevant

What Consistent Metrics can Provide Frequency is just as important as metric Constant measuring reduces deviation in security practices

PCI Security Metrics Should Help Reduce Attack Surface to Cardholder Data One of the main goals of building secure systems and applications is to minimize the Attack surface The smaller the attack surface, the more difficult it is for the attacker to leverage a vulnerability into a successful attack Consider ways to quantify that

Measure Success and Identify Opportunities Examples of PCI metrics Req 1 Number of systems with direct connectivity to CDE Req 2 Req 3 % of connections to/from unauthorized hosts Mean time to complete configuration changes Average frequency of firewall review

Measure Success and Identify Opportunities Examples of PCI metrics Req 1 Number of systems with direct connectivity Ratio of attacks per e-commerce sessions Req 2 Number of default passwords 6 months after ROC % of systems configured to system hardening standards Req 3

Measure Success and Identify Opportunities Examples of PCI metrics Opportunity to sell senior leadership Req 1 Req 2on the idea of tokenization or P2PE by demonstrating numerically Number of how systems many systems Number will no longer of accounts touch with direct plaint-text CHD with no owners connectivity Percentage of Ratio of attacks per systems not patched e-commerce within 30 days sessions Req 3 Percentage of systems containing cardholder data Number of business units with access to cardholder data

Metrics Improve Behavior and Consistency audit standard attack threshold attack threshold Assessment effectiveness of controls time

Metrics are a Tradeoff The maximal favorable result at minimal cost

Reasonable Collection Methods Manual collection is not only costly but higher likelihood of error and difficult to sustain Automated tools can provide consistency to collection methods

Tools to Help Collect Where to Find Measurement Data? Tools: Source code analyzers Dynamic application scanners Attack Surface Analyzer ASV scan report Threat Modeling Tool File Fuzzing Tools Regex Fuzzer Visual Studio Code Analysis Locations: System inventory Security vulnerability scans Logs Report of Compliance Other audit reporting IT bug tickets Incident Response

Most Importantly: Relevant Contextually specific Are meaningful to the user and relevant to the decision-making process

Cost Effectiveness CE = COST new strategy COST current practice BENEFIT new strategy BENEFIT current practice CE < 1.0 favorable

What is your TCO for PAN Retention? What is the cost to retain PAN? What is the value of retention? What is the liability for retention?

A Single ROC is Simply a Measurement Measurement is just one point in time Metrics compare at least two or more Value in analytics to compare year-over-year? Can support trends in progress for securing CHD

PCI Security Score Per PCI Security Compliance Scorecard Department Identified Lead Req 1 Req 2 Req 3 Req 4 Req 5 Req 6 Req 7 Req 8 Req 9 Req 10 Req 11 Req 12 Payment Services Alice Marketing Bob Sales Bob Human Resources Alice Unattended Alice In Compliance In Progress Out of Compliance 45

PCI Security Score Per PCI Security Compliance Scorecard Department Identified Lead Req 1 Req 2 Req 3 Req 4 Req 5 Req 6 Req 7 Req 8 Req 9 Req 10 Req 11 Req 12 Payment Services Alice Marketing Bob Sales Bob Human Resources Alice Unattended Alice In Compliance In Progress Out of Compliance 46

PCI Security Score Per PCI Security Compliance Scorecard Department Identified Lead Req 1 Req 2 Req 3 Req 4 Req 5 Req 6 Req 7 Req 8 Req 9 Req 10 Req 11 Req 12 Payment Services Alice Marketing Bob Sales Bob Human Resources Alice Unattended Alice In Compliance In Progress Out of Compliance 47

PCI Security Score Per PCI Security Compliance Scorecard Department Identified Lead Req 1 Req 2 Req 3 Req 4 Req 5 Req 6 Req 7 Req 8 Req 9 Req 10 Req 11 Req 12 Payment Services Alice Marketing Bob Sales Bob Human Resources Alice Unattended Alice In Compliance In Progress Out of Compliance 48

PCI Security Score Per PCI Security Compliance Scorecard Department Identified Lead Req 1 Req 2 Req 3 Req 4 Req 5 Req 6 Req 7 Req 8 Req 9 Req 10 Req 11 Req 12 Payment Services Alice Marketing Bob Sales Bob Human Resources Alice Unattended Alice In Compliance In Progress Out of Compliance 49

Communicating Results Clear & Concise Context

Good Rules Remove clutter Emphasize one or two points Put positive spin rather than negative 18 Total Number of Vulnerabilities 15 12 9 6 3 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Systems with CHD Systems unpatched Number of systems without CHD

Balanced PCI Scorecard What are the security versions of the four corners of a balanced scorecard: Financial v Security Internal business processes v Security Learning and growth v Security Customer v Security

Remember when using metrics Only use metrics that will be used to change behavior Find ways to automate relevant metrics Keep It Simple and remember your audience You have to decide what works best for your organization

May discover ways to simplify the process Any exposure of cardholder data beyond acceptance? Reduce number of departments and individuals with direct access

Simplify the environment Remove unnecessary systems Use compliant service providers and partners

Simplify payment application development Development team aware of need to protect data Lab Validated Applications

Installation consistently aligns with policy Installed to specification by a qualified professional Simplify the implementation

Lab Accredited Devices Aware of skimming attacks Use of trusted devices

Agenda Today s Landscape Reducing the Card Holder Data Footprint How to Measure the Reduction 2015 Goals Get Involved

2015 Goals of the PCI Security Standards Council

2015 Goals PCI DSS Revision April 2015

2015 Goals Designated Entities

2015 Goals Token Service Providers (TSP) Tokenization

2015 Goals - P2PE v.2.0 and Tokenization Point-to-Point Encryption (P2PE) Tokenization Best Practices Enhanced Security

Overview of P2PE v2.0 Simplified requirements and eliminated redundancy Refocused, function-specific domains New Domain 4 for merchant-managed solutions Simplified merchant PIM requirements Consolidated both P2PE standards into one HW/HW and HW/Hybrid Increased alignment with PCI PIN standard New optional listings for P2PE Component Providers

PCI Listings for P2PE v2.0 Current P2PE Listings P2PE Solutions P2PE Applications P2PE v2.0 Listings P2PE Solutions Solution assessed to all domains (excluding 4) May use PCI-listed components P2PE Applications (Domain 2) P2PE Components Device management component providers (Domain 1 & 6 + Annex A) Decryption management component providers (Domain 5 & 6 + Annex A) KIF component providers (Annex B of Domain 6) CA/RA component providers (Domain 6 + Annex A) 66

2015 Goals - SMB Taskforce

2015 Goals - Payment Application

How to Apply Educate + Learn = Apply Industry Expertise Listen Examine and revamp your security efforts 69

Apply What You Have Learned Today Next week you should: Begin to consider how to minimize risk of exposing cardholder data in your environment In the first three months following this presentation you should: Define strategies for minimizing your footprint of cardholder data Within six months you should: Begin minimizing the security footprint and strengthen your organization Have an approach to measure your effort and communicate effectively the results 70

Please visit our website at www.pcisecuritystandards.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback