effective data security
Effective Data Security Measures on Payment Cards through PCI DSS
Learning Bites
• Comprehend the foundations, requirements, and benefits of PCI-DSS
• Recognize the need for compliance and the issues and challenges that come with it
• Understand the documentation and audit requirements of the standard
• Demonstrate compliance with all legal and regulatory requirements.
In the Philippines…
• There were an estimated 33 million debit cards and 8 million credit cards in circulation in the Philippines in 2009.
• The number of credit cards in circulation enjoyed healthy growth in 2010 as financial companies kept interest rates low, similar to 2009 levels.
• Industry players have also introduced a “pay later” function, which creates a low-interest-rate climate to encourage usage of cards.
• With the growth of financial cards in circulation, the value of card transactions also increased, at the expense of cash transaction value as a proportion of total consumer expenditure.
• The value share growth of card payments is expected to continue in the forecast period as consumers become increasingly comfortable using financial cards.
(Source: Euromonitor International, January 2010 & February 2011)
Data Breaches Statistics
[Chart: Hacking Statistics – by Industry. Categories as extracted: Hospitality, Financial Services, Retail, Food & Beverages, Business Services, Technology, Others, Education, Manufacturing; shares as extracted, in the same order: 38%, 19%, 14%, 13%, 5%, 4%, 4%, 2%, 1%.]
[Chart: Hacking Statistics – by Vector. Categories as extracted: Outside, Inside-Accidental, Inside-Malicious, Unknown, Inside; shares as extracted, in the same order: 55%, 21%, 16%, 5%, 3%.]
Payment Card Industry Security Standards
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data.
Terminologies
• Visa & Mastercard: member organizations, whose members can be either Acquirers or Issuers (or both)
• Acquirers: members of the Visa or Mastercard organizations which handle merchants
• Issuers: members of the Visa or Mastercard organizations that issue the cards to Cardholders
• Merchants: those entities who “accept” card transactions
• Cardholders: well, cardholders…
• Service Providers: entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above
Diagrammatically…
[Diagram of the relationships above: the Acquirer and/or Issuer is a member of the card organization (Visa/Mastercard); the Acquirer provides processing services to the Merchant; the Issuer issues cards to the Cardholder; the Cardholder uses the card to buy from the Merchant; the Acquirer may or may not be the same as the Issuer.]
PCI DSS Requirements - Outlined
• About 130 individual requirements under the 12 requirements
• With the major exception of the requirement to encrypt cardholder data, the requirements only represent generally accepted good security practice.
• PCI does not represent an onerous ideal, but very many organisations are still only fully compliant with a small proportion of the requirements.
• The standard is very prescriptive (unlike e.g. SOX, ISO 27001), but compensating controls are permitted in certain areas, subject to the acquirer’s or Payment Brand’s approval.
PCI DSS General Information
PCI DSS is based on fundamental data security practices.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI DSS Prioritized Approach
The Prioritized Approach and its milestones are intended to provide the following benefits:
• Roadmap that an organization can use to address its risks in priority order
• Pragmatic approach that allows for “quick wins”
• Supports financial and operational planning
• Promotes objective and measurable progress indicators
• Helps promote consistency among Qualified Security Assessors
PCI DSS Requirements and Milestones
[Diagram mapping the 12 PCI DSS Requirements (left) to the Prioritized Approach milestones (right).]
12 PCI DSS Requirements:
• Build & Maintain a Secure Network (Requirements 1 & 2)
• Protect Cardholder Data (Requirements 3 & 4)
• Maintain a Vulnerability Management Program (Requirements 5 & 6)
• Implement Strong Access Control Measures (Requirements 7, 8 & 9)
• Regularly Monitor & Test Networks (Requirements 10 & 11)
• Maintain an Information Security Policy (Requirement 12)
Prioritized Approach:
• Security Milestone #1: If you don’t need it, don’t store it
• Security Milestone #2: Secure the perimeter
• Security Milestone #3: Secure applications
• Security Milestone #4: Control access to your systems
• Security Milestone #5: Protect stored cardholder data
• Security Milestone #6: Finalize remaining compliance efforts & ensure all controls are in place
PCI Compliance, Phases & Deliverables
Assess
• PCI DSS Framework and Scope of Assessment
• Map out data flow
• Gap Analysis
• Risk Assessment
Remediate
• Development of Remediation Plan
• Implementation of Remediation Plan
• PCI Security Scan (Pentest & Vulnerability Assessment)
• Physical Security Assessment
Report
• On-Site Assessment & Attestation of Compliance
• Self Assessment Questionnaire (SAQ)
PCI DSS Compliance: Difficult & Ongoing
• PCI (Payment Card Industry) compliance, a requirement for accepting credit card transactions, can be difficult.
• About 65% of global enterprises are still working on their PCI compliance initiatives.
• But PCI compliance is an ongoing effort, not a bounded IT security project.
(Forrester Research, September 2008)
Key Challenges
• Identifying data locations (PAN, track 2, CVV2/CVC2)
• Encryption of cardholder data
• Monitoring cardholder data access
• Changing business processes
• Changing technology
• Cost of compliance
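The first challenge, knowing where PAN and track 2 data actually sit, is also what Security Milestone #1 ("if you don't need it, don't store it") and Requirement 3 depend on: you cannot stop storing what you have not found. As an added example that is not part of the presentation, the Python script below scans text stores (POS logs, database exports, ticket or CRM notes) for candidate PANs and track 2 records, drops candidates that fail the Luhn check digit, and reports only truncated PANs (first six / last four) so that the scan output does not itself become a new store of cardholder data. The log lines are constructed for the example; the card numbers are the publicly documented Visa, Mastercard and American Express test numbers; the brand-prefix table and the track 2 layout (ISO/IEC 7813: `;PAN=YYMM<service code><discretionary data>?`) are assumptions stated in the comments, not something the presentation specifies.

```python
"""Cardholder-data discovery scanner (added example, not from the presentation).

Finds candidate PANs and track 2 records in free text, validates them with
the Luhn check digit, and reports them truncated (first 6 / last 4) so that
the report itself never contains a full PAN.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The look-arounds require the run to be bounded by non-digits, so a run of
# 20+ digits (a hash, a timestamp, an account id) never yields a partial match.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 as it appears in raw swipe dumps (ISO/IEC 7813 layout, assumed here):
#   ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?;]*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string carries a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six / last four, the most PCI DSS Requirement 3.3 allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def brand_hint(digits: str) -> str:
    """Rough issuer brand from well-known public prefixes (assumed table, for triage only)."""
    if digits[0] == "4":
        return "Visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    if digits[:2] in ("34", "37"):
        return "American Express"
    return "unknown"


@dataclass
class Finding:
    line_no: int
    kind: str              # "pan" or "track2"
    masked_pan: str
    brand: str
    expiry: Optional[str]  # YYMM from track 2, None for a bare PAN


def scan_line(line_no: int, line: str) -> List[Finding]:
    found: List[Finding] = []
    # Track 2 first: it embeds a PAN, and blanking it afterwards stops the
    # PAN regex from reporting the same number a second time.
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            found.append(Finding(line_no, "track2", mask_pan(pan), brand_hint(pan), m.group(2)))
    rest = TRACK2_RE.sub(lambda m: " " * (m.end() - m.start()), line)
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding(line_no, "pan", mask_pan(digits), brand_hint(digits), None))
    return found


def scan_lines(lines: List[str]) -> List[Finding]:
    """Scan a whole file's worth of lines; line numbers start at 1."""
    return [f for n, line in enumerate(lines, start=1) for f in scan_line(n, line)]


# Constructed sample: a POS log entry, a debug swipe dump, two innocent numeric
# ids that the Luhn check must reject, and a card number an agent pasted into a
# CRM note. Only public test card numbers are used.
SAMPLE_LINES = [
    "2011-03-02 10:15:01 pos01 sale card=4111111111111111 amt=1200.00",
    "2011-03-02 10:15:07 pos02 debug swipe ;5500000000000004=2512101123456789?",
    "2011-03-02 10:16:22 web order_ref=1234567890123 status=ok",
    "2011-03-02 10:17:45 crm note: card on file 4111-1111-1111-1111 for refund",
    "2011-03-02 10:18:03 batch customer_id=1234567812345678 exported",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        exp = f" exp={f.expiry}" if f.expiry else ""
        print(f"line {f.line_no}: {f.kind} {f.masked_pan} ({f.brand}){exp}")
```

Run against the sample, it reports the POS sale, the track 2 dump (with its expiry, which tells you the swipe log is storing full magnetic-stripe data, which Requirement 3 forbids after authorization) and the CRM note, while the order reference and customer id, which look like PANs to a naive regex, are rejected by the Luhn check. The Luhn check is a filter, not proof: some internal ids will pass it, so the brand hint and the surrounding field name are what an analyst uses to confirm a hit before the data-flow map is updated.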