IT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager

Similar documents
The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Navigating the PCI DSS Challenge. 29 April 2011

PCI COMPLIANCE IS NO LONGER OPTIONAL

University of Sunderland Business Assurance PCI Security Policy

Will you be PCI DSS Compliant by September 2010?

PCI compliance the what and the why Executing through excellence

Site Data Protection (SDP) Program Update

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Merchant Guide to PCI DSS

PCI Compliance: It's Required, and It's Good for Your Business

PCI DSS COMPLIANCE 101

ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview

GUIDE TO STAYING OUT OF PCI SCOPE

PCI Compliance Updates

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

The Honest Advantage

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

Payment Card Industry (PCI) Data Security Standard

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Managing Risk in the Digital World. Jose A. Rodriguez, Director Visa Consulting and Analytics

PCI DSS v3. Justin

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Evolution of Cyber Attacks

How PayPal can help colleges and universities reduce PCI DSS compliance scope. Prepared by PayPal and Sikich LLP.

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Payment Card Industry Data Security Standards Version 1.1, September 2006

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

The PCI Security Standards Council

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

ASSESSMENT LAYERED SECURITY

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Maintaining Trust: Visa Inc. Payment Security Strategy

Understanding PCI DSS Compliance from an Acquirer s Perspective

Section 1: Assessment Information

FAQs. The Worldpay PCI Program. Help protect your business and your customers from data theft

Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

White paper PCI DSS. How do you manage your customers payment card details securely and responsibly?

How do you manage your customers payment card details securely and responsibly? White paper PCI DSS

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Payment Card Industry (PCI) Data Security Standard

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Payment Card Industry (PCI) Data Security Standard

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Payment Card Industry (PCI) Compliance

Commerce PCI: A Four-Letter Word of E-Commerce

A QUICK PRIMER ON PCI DSS VERSION 3.0

Webinar: How to keep your hotel guest data secure

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Point-to-Point Encryption

GLBA, information security and incident response a compliance perspective

PCI Compliance. What is it? Who uses it? Why is it important?

Payment Card Industry (PCI) Data Security Standard

Credit Union Service Organization Compliance

Cybersecurity The Evolving Landscape

Payment Card Industry - Data Security Standard (PCI-DSS)

Wireless Networking and PCI Compliance

Table of Contents. PCI Information Security Policy

Data Security Standard

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Daxko s PCI DSS Responsibilities

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

The Future of PCI: Securing payments in a changing world

Payment Card Industry (PCI) Data Security Standard

Target Breach Overview

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Payment Card Industry (PCI) Data Security Standard

FFIEC Guidance: Mobile Financial Services

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Smart Cards and Authentication. Jose Diaz Director, Technical and Strategic Business Development Thales Information Systems Security

Payment Card Industry (PCI) Data Security Standard

The IT Search Company

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Introduction to the PCI DSS: What Merchants Need to Know

Payment Card Industry (PCI) Data Security Standard

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

T M I LAN SAQ HEA FOIA FERPA FDCPA 9/25/2017

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

PCI DSS COMPLIANCE DATA

Best Practices (PDshop Security Tips)

Payment Card Industry (PCI) Data Security Standard

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Addressing PCI DSS 3.2

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Transcription:

IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1

AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social Media Trends PCI Compliance and Cardholder Security Questions and Answers 2

AGENDA TOPIC: INTERNET BANKING AUTHENTICATION CHANGES 3

THE PROBLEM Dramatic rise in Internet Banking fraud in 2009-2011, due to improvements in malware Cross-channel fraud Commercial channel focus, with ACH and Wires being highest risk Some risk with consumer accounts and small business accounts with bill payment and account transfers to money mules 4

UPDATED FFIEC GUIDANCE Regulators and examiners have been considering this issue in recent years, and provided updated guidance in June 2011 Regulatory scrutiny in the area has increased, and institutions should carefully examine their Internet banking to determine if they are going to need to increase the security of high risk transactions such as ACH batches and wire transfers Recent June 2011 guidance is being used by examiners beginning in 2012 5

OVERVIEW OF THE GUIDANCE - 1 Differentiation between retail and business transaction risk o Agencies recommend that institutions offer multifactor authentication to their business customers. Continued focus on Risk Assessment Continued, increasedemphasis on Layered Security Programs 6

OVERVIEW OF THE GUIDANCE - 2 Controls in Layered Security o Fraud detection and monitoring systems oinclude consideration of customer history and behavior and enable a timely, effective institution response odual customer authorization through different access devices o Out-of-band verification for transactions ouse of positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account oenhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times) 7

OVERVIEW OF THE GUIDANCE - 3 Controls in Layered Security (continued) ointernet protocol (IP) reputation-based tools opolicies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud oenhanced control over changes to account maintenance activities performed by customers either online or through customer service channels oenhanced customereducation to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk 8

OVERVIEW OF THE GUIDANCE - 4 Guidance downplays two common controls o Device authentication o Challenge questions: Encourages remaining challenges to focus on out of wallet questions 9

AGENDA TOPIC: ATM SECURITY AND PIN COMPLIANCE 10

AGENDA Background PIN Compliance o STAR o Pulse o NYCE o Other Networks Common Findings How to Add Value ATM Logical Security Trends 11

PIN SECURITY AND KEY MANAGEMENT BACKGROUND (1) Requirements have been in place by the ATM networks that have created a large crosssection of the financial institution segment that must have regular audits of the PIN security and encryption key management function for their ATMs. These requirements also extend beyond financial institutions to organizations that are involved in the PIN security and encryption key management processes. 12

PIN SECURITY AND KEY MANAGEMENT BACKGROUND (2) Technical Guideline #3 (recently renamed Technical Report #39 or TR39) is an audit program guideline for PIN security and key management based on two ANSI Standards: X9.24 on key management and X9.8 for PIN security. 13

WHO IS REQUIRED TO COMPLY STAR (1) Any financial institution or merchant who is a processing member of the STAR network, directly or indirectly, is required to have a TG3/TR39 audit on a bi-annual basis and submit their report, done by a CTGA auditor, to STAR. The TG3/TR39 due date for STAR members is December 31 of every even numbered year, unless the network grants an extension to that member. 14

WHO IS REQUIRED TO COMPLY PULSE (1) Any financial institution or merchant who is a processing member of PULSE, directly or indirectly, is required to have this audit on a biannual basis and submit their report electronically by a CTGA auditor to PULSE network through their Website. For processing entities, the auditor must be a CTGA auditor. 15

WHO IS REQUIRED TO COMPLY NYCE NYCE: Any member of NYCE who is processing transactions and is directly connectedtonyce is mandated to have this audit. If a financial institution is processing transactions, but is indirectly connectedto NYCE, it is not mandated to have this audit. The TR39/TG3 due date for NYCE members is every two years from its first TG3 audit, by December 31 of that year. 16

WHO IS REQUIRED TO COMPLY OTHER NETWORKS In addition, other ATM network service providers require customers to comply with their own customized version of the PIN security and encryption key management requirements. For example, CO-OP clients are required to complete a self-assessment and submit the results via the CO- OP online reporting tool. The due date for CO-OP self assessments is December 31 of every even numbered year. 17

COMMON FINDING (1) Almost every control in the PIN audits includes the statement documented procedures exist and are followed. The most common finding is a lack of written procedures relating to the controls and procedures surrounding PIN and encryption key management. Most findings can be avoided by ensuring that the processes in place are documented. 18

COMMON FINDING (2) The PIN standards require that PIN numbers be entered and encrypted within the PIN Encryption Device (PED). Many ATM PIN pads do not meet this standard. A list of approvedpedsis available online. Procedures should ensure that all new ATMs contain approvedpedsas part of the purchasing and installation process. 19

HOW CAN THE AUDIT ADD VALUE? (1) The TR39 reviews cover numerous technical and operational areas. While the questions are specific to the scope of the encryption management process, the areas involved can be used as a temperature check for many other critical functions in the organization. 20

HOW CAN THE AUDIT ADD VALUE? (2) Areas that are addressed (either directly or indirectly) during the audit: Policies and Procedures Vendor Management GLBA Information Security Segregation of Duties System Access Rights Physical Security 21

HOW CAN THE AUDIT ADD VALUE? (3) By approaching the audit as an opportunity to provide valuable feedback regarding best practice and improvement opportunities, you can turn the audit into something more than just a compliance checklist. You can turn this mandatory audit into an opportunity to further enhance the controls in place in the IT environment. 22

ATM LOGICAL SECURITY TRENDS Increasing number of data breaches involving ATM devices Regulator expectation that ATMs will be segmentedfrom the financial institution network Concern regarding antivirus, security monitoring, and patch management for ATM operating systems (partly driven by PCI) 23

AGENDA TOPIC: SOCIAL MEDIA TRENDS IN CREDIT UNIONS 24

THE LANDSCAPE Social networking sites are increasing o Facebook 500 million active users that spend 700 billion minutes per month and share 30 billion pieces of content. 550,000 active applications within more than 1million websites. More institutions have their own presence on Facebook, LinkedIn and Twitter Business units within companies are using social media for public relations, marketing, and sales programs Social networking is heading down the same path as online banking 25

THE PROBLEM Lack of visibility and control o Identifying and controlling user access Widening attack surface o Lack of effective way to inspect streaming content for malicious code Data loss potential o Little control since policies do not cover what users contribute 26

CASE STUDY: FACEBOOK DATA USE POLICY IMPACT ON CREDIT UNIONS The Facebook privacy policy is 6 pages long and is very ambiguous. The policy indicates that they can find out (enumerate in hackerterms) the following information that are often be used as authenticators when a consumer calls the credit union: o Home address taken from cell phone 911 settings o Date of birth Facebookcan read any information sent in messages, used in conversation, or by searching your friends information to find your identifiers commonly used in Credit Union interactions with customers; such as mother s maiden name or other identifiers used All this data is shared with advertising partners, facebooksays they do not include name but with other information, such as address, you can determine the name easily or just match withfacebookinformation you choose to make public or cross reference with the phone book. The Privacy policy does not say it hides your friends names. 27

FACEBOOK MONITORING 28

CONCLUSION IMPACT ON CREDIT UNIONS UseFacebookand they can figure out your password reset identifiers Facebookadvertisers can also determine the information from the information given to them by Facebook 29

CONCLUSION IMPACT ON REGULATIONS Gramm Leach Bliley California Financial Privacy Act: Senate Bill 1 Red Flag Rule 30

AGENDA TOPIC: PCI COMPLIANCE FOR CREDIT UNIONS 31

CARD BREACHES ARE ON THE RISE Source: Trustwave s Global Security Report 2010 32

NOTABLE CARD BREACHES TJX Companies 2007 Hackers compromised wireless network to steal information on approximately 94 million card transactions. Heartland Payment Systems 2008 Hackers attacked system used to process card transactions. Inserted malware. Up to 100+ million transactions compromised. Lush Cosmetics 2010 Ecommerce website hacked. 5,000 card transactions accessed. Led to shutdown of their ecommerce operations. Sony PS Network 2011 Hackers accessed an old database containing consumer info and credit card info. Millions of customers information stolen. 33

PCI OVERVIEW PCI Security Standards Council (PCI SSC or the Council) founded in 2006 is responsible for the development, management, education, and awareness of the PCI Security Standards. PCI Data Security Standard (PCI DSS) is a comprehensive set of international security requirements for protecting cardholder data. Payment Application Data Security Standard (PA-DSS) is a set of requirements for software vendors to develop secure payment applications. PCI PIN Transaction Security (PCI PTS) is a set of requirements for device vendors and manufacturers for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads, and unattended payment terminals. 34

PCI OVERVIEW Not a federal regulation, but an industry regulation. In some states, they are state laws. Purpose is to help prevent credit card fraud and maintain public confidence in payment cards. All entities that process, store, or transmit payment card information need to comply. (Primary Account Number (PAN) is the deciding factor.) Card transaction players: card brands, merchants, service providers, acquirers, and issuers. Effective compliance dates vary depending on merchant level or service provider level and card brand. All deadline enforcement will come from the acquiring credit union. Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees. 35

THE PAYMENT CARD TRANSACTION Service Provider 36

ROLES OF THE QSA AND ASV QSA Qualified Security Assessor o Certified to validate compliance with PCI-DSS o Qualified Security Assessor companies have been qualified to have their employees assess compliance to the PCI-DSS standard o Qualified Security Assessors are employees of these organizations who have been certified to validate an entity s adherence to the PCI-DSS ASV Approved Scanning Vendor o Approved Scanning Vendors are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. 37

PCI DSS REQUIREMENTS 38

SERVICE PROVIDERS Service Provider Level Description 1 VisaNet processors or any service provider that stores, processes, and/or transmits over 300,000 Visa transactions annually. 2* Any service provider that stores, processes, and/or transmits less than 300,000 Visa transactions annually. Posted on Visa s Global List of Validated Service Providers Yes No* * Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa s Global List of Validated Service Providers. 39

QUESTIONS? blair.bautista@mossadams.com 415-677-8322 bob.grill@mossadams.com 916-503-8127 david.dyk@mossadams.com 503-478-2145 40

QUESTIONS? francis.tam@mossadams.com 310-295-3852 bob.grill@mossadams.com 916-503-8127 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback