pcishrinktofitpresentation 151125162550-lva1-app6891

20 pages
PCI: SHRINK TO FIT

Upload: risk-factory

Post on 15-Feb-2017


Category: Technology



TRANSCRIPT

Page 1: Pcishrinktofitpresentation 151125162550-lva1-app6891

PCI: SHRINK TO FIT

Page 2

Expectations

Page 3

THE STANDARD

6 Goals

12 Requirements

288 Controls

Page 4

THE STRUCTURE

The PCI DSS standard is based upon the following 6 core principles and 12 requirements (288 controls):

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Page 5

THE APPROACH

• Risk-based prioritisation of implementation of the controls

• Milestone 1: Identify what you have, where you have it and write policies to protect it.

• Milestone 2: Network integrity

• Milestone 3: Code integrity

• Milestone 4: Logs & records

• Milestone 5: Incidents

• Milestone 6: Auditing & testing

Page 6

THE SCOPE

• Any systems that process, store or transmit cardholder data (credit or debit)

• Any systems that connect to them

Page 7

DISCOVER & DOCUMENT

Page 8

IDENTIFY LEAKAGE

Endpoint

Social Engineering

Data-In-Motion

Data-At-Rest

Physical

Data Loss

Laptop / Desktop

Server

CD / DVD

USB

iPod

Memory Stick

PCMCIA

Memory Card Readers

Communication

Bluetooth

Infrared

Firewire

Serial / Parallel Ports

Virtual Machine

Other Threat Vectors

Screen Scrapers

Trojans

Key Loggers

Phishing / Spear Phishing

Piggybacking

Dumpster (Skip) Diving

Contractors

Road Apple

Eavesdropping

E-Mail

HTTP/S

SSH

FTP

IM

VoIP

P2P

Blogs

Databases

File Systems

File Servers

NAS

SANs / iSCSI Storage

Voice Mail

Video Surveillance

Printers

Backup Tapes / CD / DVD

Laptop / Desktop / Server

Fax

Photocopier

Mobile Phone / PDA

Digital Camera (incl. Mobile Phone Cameras)

Incorrect Disposal

Printed Reports

Page 9

#2 DESTROY & DE-SCOPE

• Both hard & soft copies

• If you don’t need it – delete it.

• Take your time.

• Use your CDE map.

• Stakeholders sign off

• Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards

• Include 3rd parties & back up systems

• Be ruthless (without Ruth)

Page 10

#3 OUTSOURCE & OVERSIGHT

• What can you outsource?

• Risk transference vs. risk mitigation

• Compliance requirement in SLA

• Should not be cost plus

• See proof (ask for copy of their RoC)

• Conduct annual onsite audit

• Still need program

• The liability is still yours

Page 11

#4 SEPARATE & SEGMENT

• Led by “need to know”

• Always ask: Why?

• Should not be vendor led

• Firewall, VLAN, software…

• Subnets

• Wireless networks

• 3rd party suppliers!

• “Any systems connected” to the CDE

Page 12

POINT-2-POINT ENCRYPTION

Page 13

ENCRYPTION

• Card brand specific technology requirements

• PoS configuration requirements

• Bank-owned vs. Merchant-owned devices

• Compliance requirement in contract & SLA

• Who’s responsible for a breach?

• Still have compliance validation requirement

Page 14

#5 TOKENISE

• Can significantly downsize scope

• Card data replaced by “token” (surrogate value)

• Card data stored in centralised vault

• Servers processing, storing or transmitting card holder data in scope

• Servers processing, storing or transmitting surrogate values not in scope

Page 15

MODEL

Page 16

TOKENISATION

• Where tokens and card data meet = in scope

• Tokenisation hosting solution critical

• Be careful of “hybrid” solutions

• See PCI Standards Council site for guidance

• Test the solution!

• This is no silver bullet

• Validation still required
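The tokenisation model from the #5 TOKENISE and TOKENISATION slides, as an added Python sketch that is not part of the presentation: a vault that hands out random surrogate values, a capture point that swaps the PAN for a token, and a downstream record that never carries the PAN, so only the vault and the capture point sit where "tokens and card data meet". The sample PAN, the vault design and the `capture_payment` function are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample PAN (the well-known test number, not a real card).
TEST_PAN = "4111111111111111"
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: passes for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Centralised vault: the only place PAN and token meet, so it stays in scope."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # same card, same token: reporting still works
            return self._token_by_pan[pan]
        while True:
            # Random surrogate of the same length, last four digits kept for receipts.
            # Not derived from the PAN (no hash, no cipher) and rejected if it happens
            # to pass Luhn, so it can never be mistaken for a real card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only a caller with vault access (in scope) can recover the PAN."""
        return self._pan_by_token[token]


def capture_payment(vault: TokenVault, pan: str, amount_pence: int) -> dict:
    """Capture point (in scope): swaps PAN for token before the record leaves."""
    token = vault.tokenise(pan)
    return {"token": token, "last4": token[-4:], "amount_pence": amount_pence}
```

Any system that only stores or forwards the returned record handles a surrogate value; the moment it calls `detokenise`, it is back inside the CDE.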

Page 17

5 WAYS TO REDUCE PCI

Discover & Document

Destroy & De-scope

Outsource & Oversight

Separate & Segment

Tokenisation

Page 18

BEST WAY

Understand that the PCI DSS is a “risk management framework”

Not a checklist

Page 19

www.riskfactory.com

0800 978 8139

Page 20

A DIFFERENT PERSPECTIVE FROM:

www.riskfactory.com

0800 978 8139