Solutions for PCI Compliance
John Bedrick, AccuCode

Posted 09-Jun-2015

Slide presentation on some solutions for PCI Compliance.

TRANSCRIPT

Page 1: Solutions For PCI Compliance

Solutions for PCI Compliance

John Bedrick, AccuCode

Page 2: Solutions For PCI Compliance

Agenda

• About AccuCode
• PCI DSS Requirements – revisited
• Common Areas of Failure for PCI Compliance
• Some Solutions for Addressing PCI DSS Requirements
• Summary
• Next Steps
• Question and Answer Session

Page 3: Solutions For PCI Compliance

AccuCode the Company

• Founded 1995
• VAR, Professional & Managed Services, Commercial Software Products
• National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
• Fastest Growing Privately Held Company in the U.S.
• Trusted Advisor Delivering Guaranteed Outcomes

Page 4: Solutions For PCI Compliance

AccuCode Customers & Partners

AccuCode has hundreds of customers & thousands of end-users!

[Logo grid: Partners, Manufacturing, Retail, Transportation]

Page 5: Solutions For PCI Compliance

PCI DSS Requirements - Revisited

Page 6: Solutions For PCI Compliance

PCI DSS Requirements - Summary

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Page 7: Solutions For PCI Compliance

Common Areas of Failure For PCI Compliance

Page 8: Solutions For PCI Compliance

[Chart: PCI DSS Requirement Failures, failure rate per requirement]

Source: Trustwave - 2011 Global Security Report

Page 9: Solutions For PCI Compliance

Some Solutions For Addressing PCI DSS Compliance

Page 10: Solutions For PCI Compliance

Firewalls and Routers

Install firewalls between the network and the Internet
• Use stateful inspection
• Use Network Address Translation (NAT)
• Install "personal" firewall software on all computer systems

Segmentation – NO "flat" networks
• Isolate POS & processing systems from the rest of the network
• VLANs (create separate "zones")
• Create a DMZ for further segmentation

Eliminate non-required ports and protocols

Use the firewalls' and routers' IPsec and/or VPN support to protect network traffic

Document the network
• Create network diagrams showing data flows – especially for Card Holder Data (CHD)
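The three points above (segment the CDE, eliminate non-required ports, document the CHD data flows) can be checked against each other: every allow rule that touches a cardholder-data zone should correspond to a documented flow, no such rule should use wildcards, and the policy should end in an explicit default deny. The script below is an added example, not from the slides or from AccuCode; the zone names, the rule and flow record formats and all sample data are assumptions standing in for an exported firewall policy and the flow inventory from your network diagram.

```python
"""Check a firewall policy against the documented cardholder-data (CHD) flows.

Added example, not from the original slides or from AccuCode; the zone
names, rule/flow record formats and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Union

# Zones that store, process or transmit CHD (the cardholder data environment)
CDE_ZONES = {"POS", "PAYMENT_DMZ"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "any"
    port: Union[int, str]      # destination port or "any"
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str


# Data-flow inventory taken from the CHD network diagram (constructed sample)
DOCUMENTED_FLOWS: List[Flow] = [
    Flow("POS", "PAYMENT_DMZ", "tcp", 443, "authorization request to gateway"),
    Flow("PAYMENT_DMZ", "INTERNET", "tcp", 443, "gateway to processor API"),
    Flow("MGMT", "POS", "tcp", 22, "admin SSH via jump host"),
]

# Firewall policy as exported from the device (constructed sample)
POLICY: List[Rule] = [
    Rule("POS", "PAYMENT_DMZ", "tcp", 443, "allow"),
    Rule("PAYMENT_DMZ", "INTERNET", "tcp", 443, "allow"),
    Rule("MGMT", "POS", "tcp", 22, "allow"),
    Rule("CORP", "POS", "tcp", "any", "allow"),    # leftover from a flat network
    Rule("POS", "INTERNET", "tcp", 80, "allow"),   # nobody documented this one
    Rule("any", "any", "any", "any", "deny"),
]


def touches_cde(rule: Rule) -> bool:
    """A rule is CDE-relevant if either end is a CDE zone or a wildcard."""
    return bool({rule.src, rule.dst} & (CDE_ZONES | {"any"}))


def audit(policy: List[Rule], flows: List[Flow]) -> List[str]:
    """Return findings; an empty list means every CDE-touching allow rule is
    backed by a documented flow, nothing is over-broad, every documented flow
    is actually permitted, and the policy ends in an explicit default deny."""
    findings: List[str] = []
    documented = {(f.src, f.dst, f.proto, f.port) for f in flows}
    permitted = set()
    for r in policy:
        if r.action != "allow" or not touches_cde(r):
            continue
        if "any" in (r.src, r.dst, r.proto, r.port):
            findings.append(f"over-broad CDE rule: {r}")
        elif (r.src, r.dst, r.proto, r.port) not in documented:
            findings.append(f"undocumented CDE flow: {r}")
        else:
            permitted.add((r.src, r.dst, r.proto, r.port))
    for f in flows:
        if (f.src, f.dst, f.proto, f.port) not in permitted:
            findings.append(f"documented flow has no matching allow rule: {f}")
    last = policy[-1] if policy else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("policy does not end with an explicit default deny")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY, DOCUMENTED_FLOWS):
        print(finding)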

Page 11: Solutions For PCI Compliance

Remove From PCI Scope

Card Holder Data
• Encrypt CHD if locally stored -- or better yet -- don't store it at all (encrypting stored CHD satisfies Requirement 3, but the system holding it stays in scope as long as you can decrypt it; not storing it is what removes scope)
• End-to-End Encryption: from "swipe" all the way to the Payment Processor (the PCI SSC's validated form of this is Point-to-Point Encryption, P2PE)
• Verify with your POS/PIN Pad vendors:
  • End-to-End Encryption?
  • PA-DSS certified? Check online at:
    https://www.pcisecuritystandards.org/approved_companies_providers/index.php
• Don't forget simple fixes like:
  • Hardware/Software storage encryption (including backups)
  • Communication encryption (e.g., SSH, SFTP, HTTPS, IPsec, and VPNs; SSL and early TLS are no longer accepted as strong cryptography under PCI DSS, so use current TLS versions)

Page 12: Solutions For PCI Compliance

Remove From PCI Scope – Cont.

Card Holder Data - Continued
• Use "Tokenization"
• Hardcopies
  • Keep locked up when needed
  • Shred when no longer needed

Outside Hosting

3rd Party Processing (PCI DSS Compliant?):
• Payment Gateways
• Aggregators
• "Managed" Processing
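Tokenization is the scope-reduction technique the slides mention without showing: the PAN is swapped for a random token at the point of capture, only the vault (which stays inside the CDE) can map it back, and every downstream system (order database, CRM, reports, logs) holds tokens instead of card numbers. The example below is added here and is not AccuCode's product or code; the token format, the in-memory vault and the sample numbers (industry test PANs) are assumptions. It also shows the companion control: scrubbing any PAN that leaks into a log line down to the first six and last four digits, which is the most Requirement 3.3 allows to be displayed.

```python
"""Tokenize PANs so that only the vault ever holds card numbers, and mask any
PAN that leaks into logs.

Added example, not AccuCode's product or code; the token format, the
in-memory vault and the sample numbers (industry test PANs) are assumptions.
"""
import re
import secrets

SEPARATORS = re.compile(r"[ -]")
# Anything PAN-shaped: 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, the first filter for 'is this really a PAN'."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    pan = SEPARATORS.sub("", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the vault that stays inside the CDE.  Tokens are random,
    so they carry no mathematical relationship to the PAN; only the last four
    digits are kept in clear for receipts and customer service."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize(pan)
        if pan in self._token_by_pan:        # same card -> same token
            return self._token_by_pan[pan]
        while True:
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path should ever call this."""
        return self._pan_by_token[token]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def repl(m: "re.Match") -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")          # Visa test PAN
    print("token stored downstream:", tok)
    print(scrub_log_line("auth ok pan=4111-1111-1111-1111 amount=12.50"))
```

A real vault encrypts its PAN store under keys managed per Requirement 3.5/3.6 and lives on a segmented host; what matters for scope is that nothing outside it can turn a token back into a PAN.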

Page 13: Solutions For PCI Compliance

Managed Technology Can Help

Anti-Virus Software
• Monitored and Actionable
• Automatically Updated
• Always up-to-date
• Available at both Network & Computer System level

Firewalls
• Can combine multiple functions (e.g., UTM)
• Monitored and Actionable
• Automatically Updated
• Always up-to-date
• Available at both Network & Computer System level

Page 14: Solutions For PCI Compliance

Managed Technology Can Help – Cont.

Security Information and Event Monitoring (SIEM)
• Alerts and Logs are Monitored and Actionable
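"Monitored and actionable" means the SIEM runs detection logic over the logs, not just stores them. The example below, added here and not AccuCode's product or code, shows the kind of rule that belongs on authentication logs from CDE hosts: a brute-force burst (Requirement 8.5.13 says an ID must lock after at most six failed attempts), a login that succeeds when a lockout should have been in force (8.5.14: at least 30 minutes), and any interactive login with a shared or generic account, which Requirement 8 forbids. The log format is OpenSSH sshd syslog, every sample line is constructed, and the generic-account list is an assumption.

```python
"""Detection logic a SIEM would run over authentication logs from systems in
the cardholder data environment: brute-force attempts, logins that succeed
after a lockout should have occurred, and use of shared/generic accounts.

Added example, not AccuCode's product or code; the log format is OpenSSH
sshd syslog, every sample line is constructed, and the thresholds follow
PCI DSS requirements 8.5.13 and 8.5.14 (lock out after at most six failed
attempts, for at least 30 minutes).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FAIL_THRESHOLD = 6                      # 8.5.13: at most six attempts
WINDOW = timedelta(minutes=30)          # 8.5.14: lockout lasts at least 30 minutes
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "pos", "manager"}  # assumption

# Constructed sample log (not real traffic)
SAMPLE_LOG = """\
Jun 09 10:00:01 pos-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 09 10:00:03 pos-01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 09 10:00:05 pos-01 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 09 10:00:07 pos-01 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 09 10:00:09 pos-01 sshd[2209]: Failed password for posuser from 203.0.113.7 port 51026 ssh2
Jun 09 10:00:11 pos-01 sshd[2211]: Failed password for posuser from 203.0.113.7 port 51027 ssh2
Jun 09 10:00:40 pos-01 sshd[2213]: Accepted password for posuser from 203.0.113.7 port 51028 ssh2
Jun 09 10:05:00 pos-01 sshd[2301]: Accepted publickey for jsmith from 10.20.0.5 port 40110 ssh2
Jun 09 11:30:00 pos-02 sshd[3101]: Failed password for jsmith from 10.20.0.5 port 40200 ssh2
Jun 09 11:31:00 pos-02 sshd[3102]: Accepted password for root from 10.20.0.9 port 40201 ssh2
Jun 09 11:31:05 pos-02 kernel: eth0: link is up
"""


def parse(line: str, year: int = 2015) -> Optional[dict]:
    """Syslog lines carry no year; the collector supplies it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines: List[str]) -> List[str]:
    alerts: List[str] = []
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["ip"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == FAIL_THRESHOLD:              # fire once per burst
                alerts.append(f"BRUTE_FORCE {ev['ip']} -> {ev['host']}: "
                              f"{FAIL_THRESHOLD} failures within {WINDOW}")
            continue
        # Accepted: the host should have locked the account by now
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE {ev['user']}@{ev['host']} from {ev['ip']}")
        if ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(f"SHARED_ACCOUNT_LOGIN {ev['user']}@{ev['host']} from {ev['ip']}")
        recent.clear()
    return alerts


def run_sample() -> List[str]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second alert is the one worth paging someone for: six failures followed by a success from the same source means either the lockout is not configured on that host or the attacker guessed right before it engaged.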

File Integrity Monitoring (FIM)
• Alerts and Logs are Monitored and Actionable
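Requirement 11.5 is what FIM answers: a baseline of hashes for critical files (POS binaries, configuration, log files) compared at least weekly, with every addition, removal or change alerted on. The script below is an added example of the mechanism, not AccuCode's product or code; the monitored tree, the sample files and the tampering in demo() are constructed. The baseline is deliberately written outside the monitored tree; in production it must be kept (and signed) somewhere the monitored host cannot write to, or an intruder simply re-baselines.

```python
"""Minimal file-integrity monitor: hash a directory tree into a baseline, then
report files that were added, removed or modified.

Added example, not AccuCode's product or code; the monitored tree, the sample
files and the tampering in demo() are constructed.  In production the baseline
must be kept (and signed) somewhere the monitored host cannot write to.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, dict]:
    """Map each regular file (relative POSIX path) to hash, size and mode."""
    snap: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                      # skip symlinks and special files
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),   # permission bits count too
            }
    return snap


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Diff two snapshots; a change in hash, size or mode counts as modified."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(snap: Dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, list]:
    """Build a constructed POS install tree, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "posapp").write_bytes(b"\x7fELF" + b"\x00" * 64)
        (root / "bin" / "pos.cfg").write_text("gateway=https://gw.example.test\n")
        (root / "logs").mkdir()
        (root / "logs" / "audit.log").write_text("boot ok\n")

        baseline_path = Path(tmp) / "baseline.json"   # outside the monitored tree
        save_baseline(snapshot(root), baseline_path)

        # Tampering: config repointed, unknown binary dropped, audit log deleted
        (root / "bin" / "pos.cfg").write_text("gateway=https://203.0.113.9/\n")
        (root / "bin" / "skimmer.so").write_bytes(b"\x7fELF" + b"\x90" * 16)
        (root / "logs" / "audit.log").unlink()

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff is the raw material; "actionable" means each entry is reconciled against change tickets and patch runs, and anything left over (a repointed gateway URL, a library nobody installed, a missing audit log) is an incident.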

Computer Systems Patch Management
• Monitored and Actionable
• Automatically Updated
• Always up-to-date

Vulnerability Scanning
• Can be automatically scheduled to occur
• External, Internal and Wireless
• Monitored and Automatic Report Generated and Sent

Page 15: Solutions For PCI Compliance

Access Control

Limiting CHD access to a "Need-to-Know" basis

Monitor areas where CHD might be
• POS areas
• Server room / Data Center

Provide UNIQUE user IDs / credentials
• NO sharing!
• Use multi-factor authentication
• Enforce STRONG passwords

Page 16: Solutions For PCI Compliance

Access Control – Cont.

Secure the Environment where CHD resides
• Lock doors/windows to secure areas
• Use safes
• Block unused network ports
• Lock down wireless network access

Hire right – Train often
• Background checks
• Reference checks
• Security training – alertness training
• Avoid Social Engineering

Page 17: Solutions For PCI Compliance

Monitor and Test, Test, Test

Security is only a deterrent – NOT an absolute!
• Locks keep honest people honest
• Make it as difficult as possible

Early warnings can reduce your risks and the damages
• The earlier you find out, the quicker you can respond
• Ignorance is NOT bliss

How do you know if things are working correctly?
• Would you get into your motor vehicle without knowing the brakes and engine are working correctly?
• Regular inspections and testing provide comfort

Page 18: Solutions For PCI Compliance

Policies and Procedures

Yes, you need them

Yes, they are required
• You can hire someone to write them for you
• You can get "templates" to help you get started
• Or you can write them yourself from scratch

Once created, you must train your staff

After your staff is trained, you must enforce them

No exceptions, and No free passes

Page 19: Solutions For PCI Compliance

Summary

There's no "silver bullet" for PCI Compliance and Security
• But there are lots of solutions available to help

There's no "magic wand" to turn you into an instant PCI Compliance and Security expert
• But there's no reason you shouldn't try

The "bad guys" are always looking for opportunities to steal from you and your customers
• You need to try and keep at least one step ahead of them
• At least make it so hard they go for easy targets

You must do the best you can – and don't forget that you are not alone
• Hire experts to assist you
• That's what we are here for

Page 20: Solutions For PCI Compliance

AO:Compliance™ and Next Steps

Page 21: Solutions For PCI Compliance

AO:Compliance Makes PCI Compliance as Easy as:

1. Assess & Analyze
2. Close GAPs
3. Stay Compliant

Page 22: Solutions For PCI Compliance

Next Steps, If You Need Help

AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.

• Go to the AO:Compliance website to find out more information about our compliance and security offerings www.aocompliance.com

• Contact Us: [email protected]

If you need help with other technology issues, AccuCode can assist you with that as well.

• Visit the AccuCode website for more information about our other products and services www.accucode.com

PCI Standards: https://www.pcisecuritystandards.org/

Page 23: Solutions For PCI Compliance

Questions and Answers