Uploaded by: rochester-security-summit (posted 12-May-2015)

DESCRIPTION

Payment Card Industry (PCI) Data Security Standard (DSS) compliance is frequently misunderstood. Determining an effective strategy for the demonstration of compliance and its ongoing governance is critical to mitigate emerging payment security risks. Knowing when you need help, understanding which requirements are applicable, and determining the proper course of actions to adhere to the standard is often more complex than it may at first seem. Join Fortrex Technologies QSA Peter Spier and Senior Director of Information Security, Compliance and Fraud for PAETEC Holding Corporation, Jim Raub, for this discussion of common challenges and practical solutions.

Peter Spier, Senior Risk Management Consultant, Fortrex Technologies

Peter is President of the ISACA Western New York Chapter and is a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and over the course of 12 years of experience has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications.

Jim Raub, Senior Director of Information Security, Compliance and Fraud, PAETEC Holding Corporation

Jim has held a wide range of IT positions over the past 30 years, with a concentration on security for the past decade. He has presented at numerous conferences and taught many business and college courses as an adjunct faculty member. Jim’s certifications include Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). When he’s not working, he is an avid musician and volunteer at several non-profit organizations.

TRANSCRIPT

Page 1: You Know You Need PCI Compliance Help When…

You Know You Need PCI Compliance Help When…

Presented By:

Peter Spier, Manager Professional Services, Fortrex Technologies

Jim Raub, Senior Director of Information Security and Compliance, PAETEC Holding Corporation

© 2010. All rights reserved.

Page 2: You Know You Need PCI Compliance Help When…

Agenda

• Instructor Biographies
• Background On Fortrex
• Background on PAETEC
• Overview of the PCI DSS
• 3 Challenges
• Common Scenarios
• Time to Seek Help
• Compliance Roles
• Assessment Preparation
• PCI DSS 2.0

Page 3: You Know You Need PCI Compliance Help When…

Instructor Biography

• Peter Spier is President of the ISACA Western New York Chapter and Manager Professional Services at Fortrex Technologies (www.fortrex.com) based in Frederick, Maryland.

• Certifications include: CISSP, CISM, PMP, QSA, PA-QSA, ITILFv3, and CSF Assessor

• Master's degree from Syracuse University School of Information Studies

• 15 years of experience

Page 4: You Know You Need PCI Compliance Help When…

Instructor Biography


• Jim Raub is Sr. Director, Information Security and Compliance at PAETEC (www.paetec.com) based in Fairport, NY.

• Current Certifications include: CISSP, CISA, & CTM. Past certifications from Cisco, Microsoft, Informix, CompTIA and others.

• Bachelor's degree, Summa cum Laude, from Syracuse University, with coursework towards a Master's at the University of Rochester

• 35 years of experience in management, consulting, security, software development, IT infrastructure, networks, and database administration

Page 5: You Know You Need PCI Compliance Help When…

Background on Fortrex

General Facts
• IT Security, Operational Risk and Governance Consulting
• Founded in 1997
• Headquarters in Frederick, Maryland
• Privately Held
• Approaching 1,000 Customers

Baltimore to Alaska to Guam

• Broad Industry Coverage
• QSA, PA-QSA & ASV
• Abundance of References

Integrity, Excellence, Empowerment, Teamwork and Thankfulness

Page 6: You Know You Need PCI Compliance Help When…

Background on PAETEC

Caring Culture, Open Communication, Unmatched Service, Personalized Solution

General Facts
• Founded in 1998
• Headquarters in Fairport, New York
• Publicly Traded (Nasdaq: PAET)
• Serving over 84 of the top 100 Metropolitan Statistical Areas (MSAs) in the U.S. with personalized communications solutions
• Core offerings include data, voice, and Internet communications services
• Value-added solutions encompass data center colocation, communications management software, equipment, security and financing programs

Page 7: You Know You Need PCI Compliance Help When…

Overview of the PCI DSS

Reviewing PCI DSS Compliance Requirements For The First Time Can Be A Daunting Task

The “Dirty Dozen”

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

Page 8: You Know You Need PCI Compliance Help When…

Challenge #1

Are you a Merchant or a Service Provider?


Page 9: You Know You Need PCI Compliance Help When…

Merchants Defined

• Merchant - Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.


Page 10: You Know You Need PCI Compliance Help When…

Service Providers Defined

• Service Provider - Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data and cardholder information or both.
  o This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities.

Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.

Page 11: You Know You Need PCI Compliance Help When…

When Merchants Are Also Service Providers

• A merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers


Page 12: You Know You Need PCI Compliance Help When…

Challenge #2

What compliance level are you?


Page 13: You Know You Need PCI Compliance Help When…

Merchant Compliance Levels

Level 1
  Visa: Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region
  MasterCard:
    • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
    • Any merchant having greater than six million total combined MasterCard and Maestro transactions annually
    • Any merchant meeting the Level 1 criteria of Visa
    • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Discover:
    • All merchants processing a total of more than 6 million card transactions annually on the Discover network
    • Any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
    • All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
  American Express: 2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1
  JCB: One million JCB transactions or more per year

Level 2
  Visa: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  MasterCard:
    • Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
    • Any merchant meeting the Level 2 criteria of Visa
  Discover:
    • All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network
    • All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
  American Express: 50,000 to 2.5 million American Express Card transactions per year
  JCB: Less than one million JCB transactions per year

Page 14: You Know You Need PCI Compliance Help When…

Merchant Compliance Levels (Continued)

Level 3
  Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  MasterCard:
    • Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
    • Any merchant meeting the Level 3 criteria of Visa
  Discover:
    • All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network
    • All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
  American Express: Less than 50,000 American Express Card transactions per year
  JCB: N/A

Level 4
  Visa: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  MasterCard: All other merchants
  Discover: All other merchants
  American Express: N/A
  JCB: N/A

Page 15: You Know You Need PCI Compliance Help When…

Service Provider Compliance Levels

Level 1
  Visa: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually
  MasterCard:
    • All TPPs
    • All DSEs that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually
  Discover: All TPPs
  American Express: All TPPs
  JCB: All TPPs

Level 2
  Visa: Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually
  MasterCard: Includes all DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually
  Discover: N/A
  American Express: N/A
  JCB: N/A

Page 16: You Know You Need PCI Compliance Help When…

Challenge #3

What requirements apply?


Page 17: You Know You Need PCI Compliance Help When…

Merchant Reporting Requirements

Level 1
  Visa:
    • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
    • Quarterly network scan by Approved Scan Vendor (“ASV”)
    • Attestation of Compliance Form
  MasterCard:
    • Annual On-site Assessment [1]
    • Quarterly network scan by Approved Scan Vendor (“ASV”)
  Discover:
    • All merchants processing a total of more than 6 million card transactions annually on the Discover network
    • Any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
    • All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
  American Express: 2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1
  JCB: One million JCB transactions or more per year

Level 2
  Visa:
    • Annual Self-Assessment Questionnaire (“SAQ”)
    • Quarterly network scan by ASV
    • Attestation of Compliance Form
  MasterCard:
    • On-site Assessment (At Merchant Discretion)
    • Annual Self-Assessment Questionnaire (“SAQ”) [2]
    • Quarterly network scan by Approved Scan Vendor (“ASV”)
  Discover:
    • All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network
    • All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
  American Express: 50,000 to 2.5 million American Express Card transactions per year
  JCB: Less than one million JCB transactions per year

[1] Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.

[2] Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

Page 18: You Know You Need PCI Compliance Help When…

Merchant Reporting Requirements (Continued)

Level 3
  Visa:
    • Annual SAQ
    • Quarterly network scan by ASV
    • Attestation of Compliance Form
  MasterCard:
    • Annual SAQ
    • Quarterly network scan by ASV
  Discover:
    • All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network
    • All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
  American Express: Less than 50,000 American Express Card transactions per year
  JCB: N/A

Level 4
  Visa:
    • Annual SAQ recommended
    • Quarterly network scan by ASV if applicable
    • Compliance validation requirements set by acquirer
  MasterCard:
    • Annual SAQ
    • Quarterly network scan by ASV
  Discover: All other merchants
  American Express: N/A
  JCB: N/A

Page 19: You Know You Need PCI Compliance Help When…

Service Provider Reporting Requirements

Level 1
  Visa:
    • Annual On-site security assessment by QSA
    • Quarterly network scans by ASV
  MasterCard:
    • Annual On-site security assessment by QSA
    • Quarterly network scans by ASV
  Discover:
    • Annual On-site security assessment by QSA (or internal auditor if signed by officer of Service Provider), or Annual Self-Assessment Questionnaire D
    • Quarterly network scans by ASV
  American Express:
    • Annual On-site security assessment by QSA (or internal auditor if signed by officer of Service Provider)
    • Quarterly network scans by ASV
  JCB:
    • Annual On-site security assessment by QSA
    • Quarterly network scans by ASV

Level 2
  Visa:
    • Annual SAQ
    • Quarterly network scan by ASV
  MasterCard:
    • Annual SAQ
    • Quarterly network scan by ASV
  Discover: N/A
  American Express: N/A
  JCB: N/A

Page 20: You Know You Need PCI Compliance Help When…

Realization

• Each card brand’s transaction-driven tiering and corresponding requirements differ from one brand to the other

• For Self Assessment Questionnaire (SAQ) merchants, if you employ more than one transaction type, you’re obligated to use SAQ D

• For Level 2 Service Providers, you’re obligated to use SAQ D

• SAQ D is the long one…


Page 21: You Know You Need PCI Compliance Help When…

Suppose

• You have bandwidth to spare
• Your internal audit personnel possess broad and deep compliance framework experience
• A team member has successfully completed a PCI DSS compliance assessment in the past

When should you consider bringing in expert assistance from the outside?

Page 22: You Know You Need PCI Compliance Help When…

When Compliance Looks Easy

• Familiar with ISO 27001?
• Spoken with a colleague who indicated that their SAQ was a simple matter of checking all the ‘Yes’ boxes and signing it?

• PCI DSS can be mapped to other frameworks, but its focus is explicitly cardholder data security

• Compliance is never as easy as just checking all the ‘Yes’ boxes

Page 23: You Know You Need PCI Compliance Help When…

When You Receive An E-mail Identifying Still Another Data Repository

• Unidentified data repositories can:
  o Threaten momentum
  o Lower morale
  o Derail compliance efforts

• Late-in-the-game discoveries might cause you to:
  o Miss your target dates
  o Incur unforeseen penalties
  o Require re-work to remediate issues

• Recommendation: Identify all payment flows through a combination of both human and automated means
  o Surveys
  o Interviews
  o Data analytics
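The "data analytics" bullet above is where an automated scan for stray cardholder data fits. The following is an added example, not code from the presentation or from either company, of the core of such a scan: it pulls 13-to-19-digit candidates out of text, keeps only those that pass the Luhn check, and reports each hit truncated to the first six and last four digits (the most Requirement 3.3 allows on display), so the scan report itself does not become one more repository. The log lines are constructed for this example and the card numbers in them are widely published test numbers, not real accounts; the function names and regex are this example's own.

```python
import re

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or dash,
# not preceded or followed by another digit. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four, the most Requirement 3.3 allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield the masked form of every Luhn-valid PAN candidate in text."""
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            yield mask_pan(digits)


def scan_lines(lines):
    """Return (line number, masked PAN) findings; the full PAN is never retained."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            findings.append((lineno, masked))
    return findings


# Constructed sample: a fragment of a fictional call-centre application log.
# The card numbers are widely published test numbers, not real accounts.
SAMPLE_LINES = [
    "2010-10-05 09:14:02 order=1234567890123456 status=shipped",
    "2010-10-05 09:15:11 agent=jdoe note='cust paid with 4111 1111 1111 1111 exp 12/12'",
    "2010-10-05 09:16:40 fax import: 378282246310005, 5500-0000-0000-0004",
    "2010-10-05 09:17:03 phone=585-555-0100 ticket=20101005",
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible PAN {masked}")
```

The 16-digit order number on the first line fails the Luhn check and is dropped, which is the point of the check: a plain digit-run regex drowns the reviewer in invoice and serial numbers. The check is a filter, not proof; a hit still needs a human to confirm what the field is, which is why the surveys and interviews sit alongside the analytics.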

Page 24: You Know You Need PCI Compliance Help When…

When You Are Not Certain Where Your Cardholder Data Environment Begins Or Ends

• Does an unsolicited customer email automatically bring a system into the Cardholder Data Environment (CDE)?

• If an end-user chooses to record a call and save it to a local or LAN file, is the PC or fileserver in scope?

• If the CDE firewall allows insecure protocols, is the scope reduced?

• Is a workstation part of the CDE if it is used only to key in the Primary Account Number (PAN) to a hosted application through an encrypted channel?

Page 25: You Know You Need PCI Compliance Help When…

When You Re-Read The Same Requirement And Interpret It In Yet Another Way

• Read the PCI DSS?
• Attended seminars?
• Pored over various forum threads and blog postings?
• Was that requirement really non-applicable?
• Does your planned compensating control truly go above and beyond the rigor and intent of the original requirement?
• Is your “business justification” for leaving open a particular port or protocol sufficient?

Page 26: You Know You Need PCI Compliance Help When…

Time To Seek Help

• Good counsel may at first seem to be in abundance, but identifying the appropriate resource to provide accurate direction is critical

• A different business’s compliance approach probably does not apply to your own environment

• You cannot simply repeat last year’s response
• It probably does take an expert to address the “low hanging fruit”
• Consulting a QSA prior to an assessment may prove to be the shortest path to achieving compliance

Page 27: You Know You Need PCI Compliance Help When…

Suggested Compliance Roles

• Audit
  o Complete Self Assessment Questionnaire or Level 1 or 2 assessment
  o Periodic review of controls

• Governance
  o Compliance oversight
  o Policy development and distribution
  o Coordination of organizational business units

• Security Operations
  o Management and monitoring of controls
  o Internal vulnerability scanning and/or penetration testing
  o Log Review
  o Incident Response

• System Administration
  o Account and authentication management
  o Access control management
  o Configuration management

• Application Developers
  o Development and Testing
  o Code review
  o Revision control

• Database Administrators
  o Record management
  o Access control management

• Project Managers
  o Assessment and validation planning
  o Stakeholder coordination and reporting
  o Resource scheduling
  o Reporting

• Senior Management
  o Report On Compliance review
  o Sign Attestation Of Compliance

• Qualified Security Assessors
  o On-site assessment
  o Validation
  o Report On Compliance creation
  o Submission to the payment brands
  o Countersign Attestation Of Compliance

• Approved Scanning Vendors
  o External quarterly vulnerability scans

Page 28: You Know You Need PCI Compliance Help When…

Assessment Preparation: Scope

• Scope of the cardholder data environment is defined as all system components which transmit, process, or store cardholder data.

• Limiting the scope of the cardholder data environment may reduce the scope of assessment and ongoing compliance efforts.

• Scope reduction strategies may include:
  o Network Segmentation
  o Tokenization
    - All systems receiving cardholder data directly and performing tokenization are in scope
  o End-to-End Encryption
    - All systems receiving cardholder data directly and performing encryption are in scope
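To make the tokenization bullet concrete, here is an added example (written for this page, not code from the presentation or from either company) of a minimal token vault and the order record a downstream system would keep. Only the vault, and whatever accepted the card and called tokenize(), ever handle the PAN; the order system stores a random token and the last four digits, which is what lets it be argued out of the cardholder data environment. The class and function names, the "tok_" prefix and the purpose allow-list in detokenize() are assumptions of this example.

```python
import secrets


class TokenVault:
    """Constructed example of a tokenization vault.

    The vault is the one component that holds full PANs, so it (and the
    system that accepted the card and called tokenize()) stays in scope.
    Everything downstream stores the token and the last four digits only.
    """

    def __init__(self):
        # Stand-in for the vault's protected store; a real vault would keep
        # these PANs encrypted (Requirement 3.4) under managed keys (3.5/3.6).
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _normalize(pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a PAN")
        return digits

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight."""
        digits = self._normalize(pan)
        if digits in self._token_by_pan:
            # A stable token per card lets the order system match repeat
            # purchases without ever seeing the PAN.
            return self._token_by_pan[digits]
        # The token is random, not a hash or cipher of the PAN, so it carries
        # no information that could be reversed outside the vault.
        token = "tok_" + secrets.token_hex(16)  # "tok_" prefix: assumption of this example
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def last_four(self, token: str) -> str:
        """The only PAN fragment released to systems outside the CDE."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str, purpose: str) -> str:
        """Release the PAN only for in-scope business purposes (Requirement 7, need-to-know)."""
        if purpose not in ("settlement", "refund"):  # allow-list: assumption of this example
            raise PermissionError(f"PAN not released for purpose {purpose!r}")
        return self._pan_by_token[token]


def record_order(vault: TokenVault, order_id: str, pan: str, amount: float) -> dict:
    """What an order system outside the CDE stores: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {
        "order_id": order_id,
        "amount": amount,
        "card_token": token,
        "card_last4": vault.last_four(token),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # 4111 1111 1111 1111 is a widely published test card number, not a real account.
    order = record_order(vault, "A-1001", "4111 1111 1111 1111", 19.99)
    print(order)
    print("settlement sees last four", vault.detokenize(order["card_token"], "settlement")[-4:])
```

Two design points carry over to real deployments: the token must be random rather than a hash of the PAN (an unsalted hash of a 16-digit number is trivially enumerable), and every path that returns the PAN, here detokenize(), is itself an in-scope interface to be authenticated, restricted and logged under Requirements 7, 8 and 10.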

Page 29: You Know You Need PCI Compliance Help When…

Network Segmentation

[Diagram: side-by-side comparison of an unsegmented network and a segmented network]

Page 30: You Know You Need PCI Compliance Help When…

Tokenization


Page 31: You Know You Need PCI Compliance Help When…

End-to-End Encryption


Page 32: You Know You Need PCI Compliance Help When…

Assessment Preparation: Prioritized Approach Methodology

• Roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data.

• Assists in prioritization of efforts to achieve compliance

• Establishes milestones

• Lowers the risk of cardholder data breaches sooner in the compliance process

• Helps acquirers to objectively measure compliance activities and risk reduction by merchants, service providers, and others

• Pragmatic approach that allows for “quick wins”

• Supports financial and operational planning

• Promotes objective and measurable progress indicators

• Suitable for merchants who choose an on-site assessment or use SAQ D.

Page 33: You Know You Need PCI Compliance Help When…

Assessment Preparation: Milestone Goals

1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.

2. Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.

3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.

Page 34: You Know You Need PCI Compliance Help When…

PCI DSS 2.0

Requirement: Introduction
  Reason for Change: Clarify applicability of PCI DSS and cardholder data.
  Change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
  Category: Clarification

Requirement: Scope
  Reason for Change: Ensure all locations of cardholder data are included in scope of PCI DSS assessments.
  Change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
  Category: Guidance

Requirement: Introduction and Various
  Reason for Change: Provide guidance on virtualization.
  Change: Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
  Category: Guidance

Requirement: 1
  Reason for Change: Further clarification of the DMZ.
  Change: Provide clarification on secure boundaries between the internet and the cardholder data environment.
  Category: Clarification

Requirement: 3.2
  Reason for Change: Clarify applicability of PCI DSS to Issuers or Issuer Processors.
  Change: Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data.
  Category: Clarification

Page 35: You Know You Need PCI Compliance Help When…

PCI DSS 2.0 (Continued)

Requirement: 3.6
  Reason for Change: Clarify key management processes.
  Change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split knowledge and dual control.
  Category: Clarification

Requirement: 6.2
  Reason for Change: Apply a risk based approach for addressing vulnerabilities.
  Change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
  Category: Evolving Requirement

Requirement: 6.5
  Reason for Change: Merge requirements to eliminate redundancy and expand examples of secure coding standards to include more than OWASP.
  Change: Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
  Category: Clarification

Requirement: 12.3.10
  Reason for Change: Clarify remote copy, move, and storage of CHD.
  Change: Update requirement to allow business justification for copy, move, and storage of CHD during remote access.
  Category: Clarification
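The Requirement 3.6 row above mentions split knowledge and dual control for cryptographic keys. As an added example (not from the presentation or from either company), the simplest construction that gives both properties: the key is split into XOR components, one per custodian. Any subset short of the full set is uniformly random and says nothing about the key (split knowledge), and the key cannot be formed unless every custodian contributes (dual control). Each key change or replacement mentioned in the same row is a fresh run of this ceremony. The function names and the three-custodian count are assumptions of this example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list:
    """Split key into one component per custodian whose XOR is the key.

    All but the last component are fresh random bytes; the last is chosen so
    that the XOR of the whole set equals the key. Each component is uniformly
    random on its own, so any custodians-1 of them reveal nothing about the
    key (split knowledge), and every custodian must take part to rebuild it
    (dual control).
    """
    if custodians < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_components(components: list) -> bytes:
    """Reconstruct the key from all components (the key-loading ceremony)."""
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    return key


def key_ceremony(custodians: int, key_len: int = 32):
    """Generate a fresh key and hand each custodian one component.

    The key is returned here only so the demonstration can check it; in
    practice it would be formed inside the HSM or encryption device from the
    components and never exist in the clear outside it.
    """
    key = secrets.token_bytes(key_len)
    return key, split_key(key, custodians)


if __name__ == "__main__":
    key, parts = key_ceremony(custodians=3)  # three custodians: an assumption of this example
    assert combine_components(parts) == key
    # Any two of the three components reconstruct something unrelated to the key.
    assert combine_components(parts[:2]) != key
    print("key reconstructed only with all", len(parts), "components")
```

The property worth checking in an assessment is not the arithmetic but the procedure around it: each component travels in its own sealed envelope, is entered by its own custodian, and the combination happens inside the device, so that no single person and no single storage location ever holds the whole key.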

Page 36: You Know You Need PCI Compliance Help When…

Thank You.
