PCI DSS
What are PCI DSS?
PCI DSS = Payment Card Industry Data Security Standards
Definition: A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
Purpose: Intended to help organizations proactively protect customer account data.
PCI DSS Without proactive security controls you are left in a reactive security position.
History of PCI DSS
- Originally developed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International to help facilitate the broad adoption of consistent data security measures on a global basis.
- The PCI Security Standards Council is born - an independent body formed to develop, enhance, disseminate and assist with implementation.
- PCI DSS Version 1.1 released September 2006.
PCI DSS Goals and Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Why do PCI DSS exist? BREACHES HAPPEN!
- There were 327 reported data breaches in 2006
- 48,419,936 records compromised in 2006
- 52 breaches in Higher Education
- There have been breaches at IU!
What is a credit card compromise?
An unauthorized individual taking advantage of a flaw in a system that processes, transmits, or stores cardholder data, to gain access to:
- Card Numbers
- Expiration Dates
- CVV2/CVC2/CID
- Track Data
Compromise Statistics - Cases by Card Acceptance
- Card Present: 78%
- Card Not Present: 22%
About 3 out of 4 cases are in a traditional Brick and Mortar environment. Card Present merchants are not aware of these risks!
Compromise Statistics - Cases by Industry
- Food Service
- Retail
- Universities
- Other
- Entertainment
- Web hosting
- Petroleum
- Government
- Payment Processing
- Media
Compromises Small merchants are the source of less than 5% of potentially exposed cardholder accounts from data thefts, however they are the source of 80% of identified compromises.
Theft of Payment Card Data is Thriving
The perpetrators utilize the tools to find the gaps.
The Perpetrators:
- International Crime Syndicates
- Malicious Third Parties
- Employees
The Tools:
- Scanners: port, vulnerability, web application
The Gaps:
- Weak configurations
- Operating system flaws
- Programming errors
- Lack of staff training
- Flawed policies
- Negligence
- Poor change control procedures
- Application induced backdoors
- Nearby systems/networks
Top Problems: Mis-configuration
Most compromises are a result of human error or interaction.
"Over 90% of security exploits are carried out through vulnerabilities for which there are known patches." - Gartner Group
Top Problems
1. Lack of firewall
  - No firewall installed
  - Firewall rules changed for troubleshooting
  - Firewall hardware upgrades
2. Anti Virus not up to date or running
  - Anti Virus expires after annual subscription
  - IT department chooses not to put AV on some systems
  - AV not loading properly during startup
3. Systems/Applications not patched or updated
  - No IT staff
  - Unaware of current security threats
  - Patching not a priority
  - Development doesn't want to make associated changes
  - Users don't want downtime
* Ambiron TrustWave, 2006
Top Ten Ways Criminals Gain Unauthorized Access to Cardholder Data
1. Through a vulnerability created by malware (such as a backdoor or Trojan) downloaded on a system
2. Due to the lack of or improper configuration of a firewall
3. Via remote access programs with lax or improperly configured security controls
4. Querying a database using SQL injection
5. Launching a password brute force attack
6. Using File Transfer Protocol (FTP) software to download cardholder data from an improperly configured FTP server
7. Utilizing automated tools to exploit remote control software
8. Logging in with disclosed login credentials
9. By way of wireless access points with lax or improperly configured security controls
10. Stealing physical records or systems that contain cardholder data
* Based on over 200 compromise investigations performed by Ambiron TrustWave.
Top Five Data Security Vulnerabilities Leading to Compromises
1. Storage of Track Data (and other sensitive data)
2. Missing or outdated security patches
3. Vendor-supplied default settings and passwords
4. SQL injections
5. Unnecessary and vulnerable services on servers
* According to Visa USA
Breaches in Higher Education
- Human/Software Incompetence: 46%
- Theft (non-laptop): 19%
- Outside Hackers: 18%
- Insider Malfeasance: 15%
- Laptop Theft: 2%
Challenges in Higher Education
- Open networks
- Large number of merchants
- Decentralized environments
- Leveraging of 3rd Parties for various services
- Budgetary constraints
Best Practices
- Maintain open networks while securing assets
- Aim for segmentation of all critical data
- Need-to-know access for payment info
- Build boundaries around segments
Best Practices - 3rd Parties
- Ensure the 3rd Party Entity signs an Agreement
- Require all 3rd Parties to meet all PCI security standards
- Service Provider Compliance Audit and Payment Application Best Practices lists available at www.visa.com/cisp
Do PCI DSS apply to IU?
Applies to all members, merchants, and service providers that store, process or transmit cardholder data.
How do we comply with PCI DSS?
REMEMBER: It is against University Policy VI-110 to store credit card numbers on any computer, server, or database.
If you store credit card numbers, please contact pmtcards@indiana.edu IMMEDIATELY for an assessment.
PCI DSS - Why Comply?
- Required by our processing contract with US Bank.
- Receive Safe Harbor from card associations.
PCI DSS - Why compliance matters
- Loss of data
- Disruption of operations
- Disclosure of sensitive info
- Damage to reputation
- Denial of service to customers
- Individual executive liability
- Risk of closure/loss of business
PCI DSS - Risk of non-compliance
- Large monetary fines
- Impose restrictions on card acceptance
- Permanently prohibit card acceptance for department
- Permanently prohibit card acceptance for university
- Loss of faith in IU name
Other possible costs:
- Coming into compliance
- Annual Audit
- Average Investigation Cost: $14,000
- Average Remediation Cost: $35,000
- Quarterly network scans
- Card replacement
- Notification mailings
- Credit monitoring for affected customers
- Fraudulent charges as a result of your breach
- Other?
PCI DSS The short term cost of action is always less than the long term cost of inaction.
PCI DSS Tips
- Manual swipers are not in compliance with Visa/MC rules and regulations
- Manual swiper receipts contain the full account number
- Manual swipers should be returned to Payment Card Services
- Treat credit card receipts like cash
- Keep credit card data secure and confidential
- Restrict access to card data to those who need to know
- Secure your terminal
- Have technology changes approved by Office of the Treasurer
- Don't store cardholder data on computers, networks, email, etc.
- Don't transmit cardholder data insecurely (email, unsecured fax, campus mail?)
- Store credit card receipts for no more than 2 years
- Destroy receipts so that account info is unreadable and cannot be reconstructed
- Attend trainings!
- Report suspected or known security breaches.
PCI DSS Summary
- Data Security is critical to the success of the mission
- Security is actively supported by senior management
- Requirements are well communicated to everyone in the organization
- It is a management problem that cannot be solved with technology alone
- There is no silver bullet or quick fix - it is a process