PCI DSS COMPLIANCE 101
Pavel Kaminsky
PCI QSA, CISSP, CISA, CEH
Head of Operations at Seven Security Group
Information Security Professional, Auditor, Pentester

SEVEN SECURITY GROUP
PCI QSA Company
Own Implementation Team
Own Penetration Testing Team
PCI DSS?
PCI DSS 101
PCI Security Standards Council: VISA, MC, AMEX, JCB, Discover
Comprehensive, in-depth, detailed
Valid for 1 year, then recertification

PCI SSC RESOURCES
PCI DSS, PA-DSS, P2PE, PTS (POI, HSM & PIN), Card Production and supporting documents
Registry of QSAs, PA-QSAs, PCIPs, ASVs, Validated Payment Applications, PTS Devices, P2PE Solutions
PCI FAQ
Education & Outreach Programs
Participating Organization Membership, Community Meetings, Feedback
https://www.pcisecuritystandards.org

PAYMENT BRANDS COMPLIANCE PROGRAMS
Payment Brands:
Have their own Compliance Program
Are responsible for Compliance Program enforcement
Define forensic investigations
Respond to account data compromises
Compliance Programs include:
Tracking and enforcement
Penalties, fees, compliance deadlines
Validation process and who needs to validate
Approval and posting of compliant entities
Definition of merchant and service provider levels
PCI DSS - WHY IS IT IMPORTANT?
SEVERE PENALTIES:
Security breaches cost a lot
You can be suspended from processing credit card transactions
You can face higher processing fees
IN CASE OF A COMPROMISE, NON-COMPLIANT MEMBERS OR THEIR NON-COMPLIANT MERCHANTS OR AGENTS ARE LIABLE TO PAY:
Non-compliance fine
Forensic investigation costs
Dispute resolution costs
Card re-issuance penalties
Breach notification costs

VERIZON PAYMENT SECURITY REPORT
Of all the payment card data breaches the Verizon Threat Research Advisory Center team investigated over the past 12 years, not a single organization was fully PCI DSS compliant at the time of the breach.
THE REQUIREMENTS: 6 CATEGORIES
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

PCI DSS COMPLIANCE
PCI DSS compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
Compliance is based on Level and Type
Level is based on the number of transactions performed in a 12-month period
Type is defined by how your organization takes credit cards
Depending on what Type of organization you are, you will have to address anywhere from 20 to 360 controls
Depending on what Level of compliance you are, you will have to report your compliance with a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) by a QSA

LEVELS OF COMPLIANCE
Service providers (by level, highest first): ROC by QSA; SAQ
Merchants (by level, highest first): ROC by QSA; SAQ; SAQ; SAQ
REPORTING: ROC, SAQ

REPORTING
ROC (Report on Compliance)
SAQ (Self-Assessment Questionnaire)
AOC (Attestation of Compliance)
PENTESTING
VULNERABILITY SCANNING (by ASV)

THE 12 REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
PCI DSS: RECOMMENDED UNDERSTANDING
PCI DSS TELLS YOU WHAT YOU NEED TO DO, WHAT CONTROLS YOU NEED TO MEET TO BE COMPLIANT
PCI DSS does not tell you how to become compliant; that is individual to your situation and your environment:
Your systems
Your processes
Your vendors
Your customers
BEING COMPLIANT DOES NOT NECESSARILY MAKE YOU SECURE.
BEING SECURE LEADS TO COMPLIANCE, NOT THE OTHER WAY AROUND.

PCI DSS - COMMON PCI MYTHS
We don't have enough card transactions to require compliance
We outsource card processing, so we are compliant
PCI is an IT issue
PCI is unreasonable / difficult
PCI compliance makes us secure
We are not a target

THIRD PARTY PROVIDERS/VENDORS
MERCHANT / SHARED SERVICE PROVIDER:
A third-party vendor affecting the security of CHD is always in scope
EACH client can request SEPARATE auditing
3RD PARTY PROVIDER:
The third-party vendor's own certification covers the applicable part
REMEMBER: choose PCI DSS certified counterparties for all solutions in scope, for example your datacenter, MSSPs, etc.
THE APPROACH (ON-SITE)
SCOPING
Together with you, we analyze your cardholder data environment, which forms the scope of certification, in order to minimize it as well as the necessary implementation work.

PRELIMINARY ASSESSMENT
Provides a check of the current state of the cardholder data environment for conformity with the PCI DSS requirements. The results reveal any necessary adjustments and additions, providing our customers with detailed and meaningful information that defines remedial actions for compliance.

FORMAL ASSESSMENT
Mandatory on-site assessment, performed by a Qualified Security Assessor (QSA) and resulting in the issuance of the final PCI DSS compliance report (ROC) and Attestation of Compliance (AOC).

ONGOING SUPPORT
We advise and support our customers in all matters relating to PCI DSS compliance and during the entire process of analysis, remediation and implementation of corrective measures and controls.
THE ASSESSMENT: A TWO-HORSE SLED
DESIGN AND IMPLEMENTATION: Documented policies and processes
OPERATING EFFECTIVENESS: Evidence gathering and interviews with responsible personnel

YOU WOULD NEED TO PROVIDE...
Network diagram(s)
Cardholder data flow diagram(s)
Physical locations
Network and server equipment
People involved
Technologies used
...and your people would need to participate too

KEEP CALM AND GET CERTIFIED
Thank you!
Pavel Kaminsky, PCI QSA, CISSP, CISA, CEH
Head of Operations at Seven Security Group
p.kaminsky@7sec.com
www.7sec.com