PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program ”Continuous compliance through good governance”

Post on 05-Jun-2018



Who are the PCI SSC?

• The Payment Card Industry Security Standards Council is an independent body providing oversight of the payment card security standards on a global basis. It was founded by American Express, Discover, JCB International, MasterCard, and Visa.

• The Council’s main standards are:

PCI Data Security Standard (PCI DSS)

PCI Pin Transaction Security Standard (PCI PTS)

Payment Application Data Security Standard (PA DSS)

Point-to-Point Encryption Standard (P2PE)

PUBLIC

What is PCI DSS?

• PCI is not government legislation. It is an industry regulation.

• PCI DSS was developed to enhance cardholder security and to provide a baseline to protect cardholder data.

• PCI DSS applies to any entity that stores, processes, or transmits cardholder data.

• The cardholder data environment consists of people, processes and technologies.

• For Nets, PCI DSS is like our license to operate. Without it we cannot conduct business.


PCI DSS standards overview

The PCI DSS is based on six primary goals:

1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Each goal contains a set of requirements across 12 domains, with a total of 350+ requirements.

What is cardholder data?

• PCI DSS applies wherever account data is stored, processed, or transmitted. Account data consists of cardholder data and/or sensitive authentication data (the slide's chart breaking these down is not reproduced in this transcript).

• Account data should be properly protected in compliance with PCI DSS or not stored at all.

Sensitive authentication data must not be stored.

Actors across the payment ecosystem

[Diagram of the actors across the payment ecosystem, including a malicious actor]

The Actors Defined

• Cardholder: customer purchasing goods/services as “card present” or “card not present” transactions

• Issuer: bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard, Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)

• Merchant: organization accepting the payment card during a purchase

• Acquirer (Teller, a subsidiary of Nets Group): entity the merchant uses to process the payment card transactions. Receives authorization requests from the merchant and forwards them to the issuer for approval; provides authorization, clearing, and settlement services to merchants. Also referred to as: merchant bank or payment brand (Amex, Discover, JCB)

• Payment processor / payment brand network: Nets Group

Which entities are in PCI scope?

• Issuer: bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard, Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)

• Merchant: organization accepting the payment card during a purchase

• Acquirer: bank or entity the merchant uses to process the payment card transactions. Receives authorization requests from the merchant and forwards them to the issuer for approval; provides authorization, clearing, and settlement services to merchants. Also referred to as: merchant bank or payment brand (Amex, Discover, JCB)

• Payment processor / payment brand network: Nets Group

PCI Governance at Nets

Governance structure 2016+

This governance structure should be applicable to any kind of compliance management, but in this case PCI DSS compliance management is used as the example. Future scaling to multi-framework compliance management is more a matter of resourcing than anything else.

PCI Compliance Annual Timeline

[Timeline figure spanning 2016 and 2017, with example evidence deliverable dates and example audit deadlines marked by month: Pre-Audit, Evidence Collection & Issue Remediation, Evidence Validation & Issue Closure, Final Audit, ROC Signature]

Evidence is collected prior to and during the audit, and previously identified issues are remediated.

The audit is a snapshot in time. PCI compliance must be achieved 365 days a year.

The audit looks back 12 months to verify compliance in the previous year.

PCI Compliance Wheel for BAU

ANNUALLY

• Change cryptographic keys for keys that have reached the end of their crypto-period (PCI 3.6.4).

• Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes (PCI 6.6).

• Maintain logs of all media and conduct media inventory (PCI 9.7.1).

• Perform internal and external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (PCI 11.3.1 & 11.3.2).

• Perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE (PCI 11.3.4).

• Review the security policy and update the policy when the environment changes (PCI 12.1.1).

• Perform risk assessments (PCI 12.2):
  - at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  - on identified critical assets, threats, and vulnerabilities, and
  - create a formal, documented analysis of risk.

• Educate personnel on cardholder data security (PCI 12.6.1).

• Monitor service provider compliance (PCI 12.8.4).

• Test the incident response plan at least annually (PCI 12.10.2).

• Review and update service documentation.

SEMI-ANNUALLY

• Review firewall and router rule sets at least every six months (PCI 1.1.7).

QUARTERLY

• Identify and securely delete stored cardholder data that exceeds the defined retention periods required for legal, regulatory, and/or business requirements (PCI 3.1).

• Perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether systems continue to not require anti-virus software (PCI 5.1.2).

• Remove/disable inactive user accounts within 90 days (PCI 8.1.4).

• Change user passwords/passphrases at least once every 90 days (PCI 8.2.4).

• Test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points (PCI 11.1).

• Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel (PCI 11.2.1).

• Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved (PCI 11.2.2).

DAILY/WEEKLY/MONTHLY

• Review the following at least daily (PCI 10.6.1):
  - All security events
  - Logs of all system components that store, process, or transmit CHD and/or SAD
  - Logs of all critical system components
  - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)

• Install applicable critical vendor-supplied security patches within one month of release (PCI 6.2.a).

• Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date (PCI 11.4).

• Keep system configuration/settings updated.
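A wheel of recurring tasks only delivers "compliance 365 days a year" if someone tracks, every day, which task is late. The Python below is an added example, not code from the deck or from Nets: it models the wheel as a table of controls with a maximum permitted interval between completions, reports which controls are overdue on a given day (including controls with no recorded completion at all), and applies the 90-day inactive-account rule (PCI 8.1.4) to an account list. The day counts chosen for each frequency, the short control names, and all dates and account records are this example's own constructed assumptions.

```python
"""Continuous-compliance checker for a PCI DSS BAU task wheel.

Added example, not part of the Nets deck. Control frequencies follow the
deck's wheel; the concrete day counts are an assumption of this example
(daily = 1, monthly = 31, quarterly = 92, semi-annually = 183, annually = 365).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RecurringControl:
    requirement: str        # PCI DSS requirement number as cited in the deck
    task: str               # short description (wording is this example's)
    max_interval_days: int  # longest permitted gap between two completions


WHEEL = (
    RecurringControl("10.6.1", "Review security events and CDE logs", 1),
    RecurringControl("6.2", "Install critical vendor security patches", 31),
    RecurringControl("3.1", "Delete cardholder data past its retention period", 92),
    RecurringControl("8.1.4", "Remove or disable inactive user accounts", 92),
    RecurringControl("11.2.1", "Internal vulnerability scan", 92),
    RecurringControl("11.2.2", "External ASV vulnerability scan", 92),
    RecurringControl("1.1.7", "Firewall and router rule-set review", 183),
    RecurringControl("11.3.1", "Internal and external penetration test", 365),
    RecurringControl("12.10.2", "Incident response plan test", 365),
)


def overdue_controls(last_completed: dict[str, date], today: date) -> list[tuple[str, int | None]]:
    """Return (requirement, days_overdue) for every control whose most recent
    completion is older than its permitted interval. A control with no
    recorded completion is reported with days_overdue = None, because missing
    evidence is itself a finding, not a pass."""
    overdue: list[tuple[str, int | None]] = []
    for ctl in WHEEL:
        done = last_completed.get(ctl.requirement)
        if done is None:
            overdue.append((ctl.requirement, None))
            continue
        deadline = done + timedelta(days=ctl.max_interval_days)
        if today > deadline:
            overdue.append((ctl.requirement, (today - deadline).days))
    return overdue


def inactive_accounts(accounts: list[dict], today: date, max_idle_days: int = 90) -> list[str]:
    """PCI 8.1.4: accounts not used within max_idle_days. An account that has
    never logged in is measured from its creation date, so a forgotten service
    account cannot hide behind a missing last-login value."""
    stale = []
    for acct in accounts:
        last_used = acct["last_login"] or acct["created"]
        if (today - last_used).days > max_idle_days:
            stale.append(acct["user"])
    return stale


# Constructed sample data (not real Nets records). TODAY is the day the check runs.
TODAY = date(2017, 3, 15)

SAMPLE_LAST_COMPLETED = {
    "10.6.1": date(2017, 3, 14),   # reviewed yesterday: on time
    "6.2": date(2017, 1, 20),      # patch cycle slipped: 23 days late
    "3.1": date(2017, 1, 2),
    "8.1.4": date(2016, 12, 1),    # account clean-up: 12 days late
    "11.2.1": date(2017, 2, 28),
    "11.2.2": date(2016, 11, 30),  # ASV scan: 13 days late
    "1.1.7": date(2016, 10, 1),
    "11.3.1": date(2016, 4, 1),    # pen test: due in a couple of weeks, not yet late
    # "12.10.2" (IR plan test) has no recorded completion at all
}

SAMPLE_ACCOUNTS = [
    {"user": "alice", "created": date(2015, 6, 1), "last_login": date(2017, 3, 10)},
    {"user": "bob", "created": date(2015, 6, 1), "last_login": date(2016, 11, 30)},
    {"user": "svc-batch", "created": date(2016, 12, 20), "last_login": None},
]


if __name__ == "__main__":
    for req, days in overdue_controls(SAMPLE_LAST_COMPLETED, TODAY):
        status = "never recorded" if days is None else f"{days} days overdue"
        print(f"PCI {req}: {status}")
    print("inactive accounts (8.1.4):", inactive_accounts(SAMPLE_ACCOUNTS, TODAY))
```

Feeding the checker from the ticketing or evidence repository that records each task's completion, and running it daily, turns the wheel into a living list of findings; the same table can be extended with the remaining wheel entries (11.1 wireless scans, 8.2.4 password rotation, 3.6.4 key rotation) by adding rows rather than code.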

PCI Compliance Wheel for Infosec Compliance Management

[Wheel figure with two phases: Pre-Assessment and Final Assessment]

BAU vs. Compliance Management Wheel

BU/GU responsibility:

• Compliance requirement fulfillment for the corresponding area of responsibility
• Finding remediation
• Evidence collection (from recurring task completion & finding remediation)

InfoSec’s responsibility:

• PCI assessment cycle
• PCI audit management
• PCI finding remediation follow-up

Key Takeaways

• PCI is NOT just an IT issue. A well-defined governance structure with key roles & responsibilities must be in place to support compliance across the organization.

• PCI compliance validation is a review of the last 12 months, so cramming for the audit is not an option. Certification requires continuous compliance 365 days a year, with demonstrable evidence of compliant processes and procedures.