PCI DSS - PowerPoint PPT Presentation

About This Presentation
Title:

PCI DSS

Description:

... to manage queries: reconciliation, chargebacks, fraud & MI ... Control of connectivity is no longer in the hands of System Managers outside of the Data Centre. ... – PowerPoint PPT presentation

Slides: 29
Provided by: conniegp

Transcript and Presenter's Notes

Title: PCI DSS


1
PCI DSS
  • Payment Card Industry Data Security Standard
  • HTNG
  • Vienna
  • 7th November 2008

2
Agenda
  • What is PCI DSS
  • Why we must be compliant
  • Why is the Business Case difficult?
  • Containing the Cost
  • Part of a compliance framework
  • Eliminate, Segregate and Isolate Card Data
  • A word on comms: flat network problems

3
What is PCI DSS?
Payment Card Industry Data Security Standard
  • A global requirement originally defined by
    MasterCard and Visa, and endorsed by the other
    payment brands.
  • Its purpose is to ensure card data is handled
    securely and protected from theft and fraudulent
    use.
  • Implementation of the standard will limit
    compromise of payment systems.

4
What is PCI DSS about?
  • PCI DSS is about securing the environment where
    card data is processed, for both "Customer
    Present" and "Customer Not Present" card
    payments.
  • It was introduced in Dec 2004 and announced in
    Europe in Feb 2005.

5
Why bother?
  • You want to ensure that YOUR card is secure when
    you pay for goods and services.

If you want your card to be secure when you use it,
you must also make sure your customers' cards are
secure in your environment.

6
PCI - DSS
  • The basis is that cloned cards must never again
    be capable of being created from stored data,
    whether through compromise or eavesdropping.
  • One can store elements of Track II, i.e. the
    card number and expiry date, when required for
    particular cards.
  • In no circumstances should the CVV or the PIN
    verification value data elements be stored.

Do not store Track II data, the 3/4-digit code
or PIN verification value data elements.

7
Who is affected?
  • Any entity that captures, stores, processes, or
    transmits cardholder data - Issuers, Card
    Acquirers, Merchants and Card Service Providers -
    must ensure compliance with PCI-DSS.

8
What is affected?
  • Every area the cardholder data touches has to be
    secure - such as Network Components, Servers,
    POS, Card Applications and, equally important,
    the environment where you handle Reconciliation,
    Queries, Refunds and Chargebacks and perhaps
    provide Management Information.
  • The Enterprise must be completely secure.
  • The merchant must complete an audit if it
    handles volumes of data.

9
What does protecting Cardholder Data for PCI DSS
entail?
(The slide's diagram is not in the transcript; only
the following text survives.)
In Addition
  • Requirement 2 - Avoid program defaults
  • Requirement 12 - Security Policy

10
Why is the Business Case difficult?
  • Because PCI DSS is perceived as a card payments
    compliance requirement alone.
  • This is not where it should be.
  • It is just a bit more prescriptive than ISO
    27001/2 and COBIT INFOSEC.
  • If you are already working to these security
    standards, you will already be compliant with
    many of the elements of PCI DSS.

11
Existing Legal Obligation to Protect Data.
  • European Union Directive on Data Protection
    Directive 95/46/EC
  • UK Data Protection Act 1998

12
(No Transcript)
13
Get rid of it to minimise costs
  • 1. Find the data
    • Take the transaction journey from POS to
      Settlement
    • Track the cardholder data right across the
      business
    • Trace the journey taken to manage queries:
      reconciliation, chargebacks, fraud and MI
  • 2. Map it
    • Map the systems, applications and databases
      that support these transactions, in both
      directions, onto network diagrams

14
How to Minimise Costs
  • 3. Analyze it
    • Investigate if it is really needed
  • 4. Change it
    • When perceived as needed, identify if it is
      needed in cardholder data format; if not,
      change the format to render it unusable.
    • Even assuming an attacker could get at it, if
      it is there but is encrypted, hashed or
      truncated, it has no criminal value.
    • Then carry on as before.

15
How to Minimise Costs
  • 5. Get Rid of it
    • Eliminate any duplicate or unnecessary storage
      of real data
  • 6. Isolate and Protect what is left
    • If it is really needed, isolate the cardholder
      data environment from the rest of the
      business, then protect it.
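
Steps 1 to 6 above as a worked Go example, added here and not taken from the deck: a scanner that finds card numbers in the logs and exports mapped in step 2, and two ways to "change the format" from step 4, truncation (first six and last four digits kept) and a keyed hash that still lets queries and chargebacks be matched. The sample record, the numbers in it and the key are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"regexp"
	"strings"
)

// candidate: digit runs of card-number length (13 to 19), with the spaces or dashes exports often insert.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid is the check-digit test every card number passes; it weeds order numbers and timestamps out.
func luhnValid(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled, its digits summed
			d = 2*d/10 + 2*d%10
		}
		sum += d
	}
	return sum%10 == 0
}

// FindPANs returns the card numbers (digits only) in one record: step 1, run over the stores mapped in step 2.
func FindPANs(record string) []string {
	var found []string
	for _, m := range candidate.FindAllString(record, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// Truncate keeps the first six and last four digits (enough for queries and chargebacks); the rest cannot clone a card.
func Truncate(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Token swaps the PAN for a keyed hash: still matchable across records, not reversible without the key.
func Token(pan string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}
```

The constructed reference number in the test record has card-number length but fails the Luhn check, which is exactly the false positive the check exists to remove.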

16
Guiding principle
  • If you don't need it, don't store it.
    • BIN IT securely.
  • If you do need it, protect it, encrypt it, or
    both.
    • Lock it up.
    • Jumble it up (but in as few places as
      possible).

17
The Resolution
  • If it is not there, it does not need to be
    protected.
  • The criminal will walk on by, and will not waste
    time targeting it.

18
Reduce the cardholder environment
Then it becomes Achievable, Manageable and
Maintainable.

19
Security First
  • The main consideration when addressing PCI DSS
    must be Security.
  • Build your systems and networks securely and
    ensure you have enforced the relevant security
    processes and procedures, and you will naturally
    exceed compliance.
  • Aim to just reach compliance, and you will most
    likely fail to be secure!

20
Shared Networks

21
Shared Network Resources
  • A network that is shared by other services cannot
    be considered secure.
  • Control of connectivity is no longer in the hands
    of System Managers outside of the Data Centre.
  • So, whatever we think of our wider network, we
    cannot fully trust it: any connections across
    those parts that may be shared with other
    services need to be able to take this into
    account.
  • Such connections should be engineered to be
    "channel independent".

22
Channel Independence
  • This is to treat all of the WAN as you would the
    Internet:
    • you have very little control over what may be
      connected
    • and even if you think you do, that is probably
      giving you a false feeling of security
  • Protect the services being accessed as if they
    were in a web environment.
  • There are short-term costs, but
    • design is simplified (saving on development)
    • flexibility is maximised (ready for deployment
      in any environment)
    • security is assured
  • Protect the data between trusted endpoints (e.g.
    the EPOS and back-end application) by
    • authenticating them
    • protecting (encrypting) the traffic passing
      between them

23
How?
  • VLANs?
    • still in the physical network domain
      (ports/switches/routers)
    • reliant upon being in control of the actual
      network ports to which devices may be
      connected
    • offer no protection against interception of
      the signal on the wire
    • a very useful tool for separating traffic in
      the datacentre, as there you have that level
      of control
  • SSL/TLS?
    • enables the authentication of both end-points
      and maintenance of a secure session between
      them (if configured correctly)
    • can require some re-engineering of the
      application
  • SSH?
    • can establish a secure connection in the same
      way as TLS
    • operates at a different level of the Operating
      System and so does not require the same
      application changes
  • Any approach still requires the devices in the
    data centre to be protected behind a firewall of
    some description, and for the secure tunnel to
    be terminated within that boundary.
  • Both TLS and SSH can be configured to provide
    authentication and encryption that at least
    meets the PCI-DSS requirements.

24
SSL/SSH Illustration
Data is protected in the tunnel from the EPOS to
the Web server in the DMZ.

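The illustration above, and the "channel independent" tunnel of the preceding slides, as a working Go example added here and not part of the deck: an EPOS makes one request to the DMZ web server through a TLS tunnel that authenticates both ends, and a device without a trusted client certificate is turned away even though it can reach the port. It assumes the standard library's httptest server stands in for the DMZ web server (using httptest's own server certificate) and a constructed self-signed certificate stands in for the EPOS's; the handler, the "epos-01" name and the /sale path are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// eposCert: a self-signed Ed25519 client cert for one EPOS plus a pool trusting it (constructed for this demo).
func eposCert(name string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Session sends one request from an EPOS to the DMZ web server through a loopback TLS tunnel and reports
// whether the back-end accepted it: the server demands a verified client cert, the EPOS trusts only the server.
func Session(withClientCert bool) bool {
	cert, pool := eposCert("epos-01")
	backend := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("authorised " + r.TLS.PeerCertificates[0].DNSNames[0])) // which till spoke
	}))
	backend.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	backend.StartTLS() // httptest supplies the server certificate; backend.Client() trusts it
	defer backend.Close()
	epos := backend.Client()
	if withClientCert {
		epos.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{cert}
	}
	resp, err := epos.Get(backend.URL + "/sale")
	if err != nil {
		return false // handshake refused: the device could not prove who it is
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}
```

The refused handshake is what the slides mean by not relying on the wire: an unknown box on the shared WAN reaches the DMZ port but never gets a session, and the EPOS likewise refuses anything that is not the server it was issued to trust.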
25
Summary
  • Treat any network where you do not have physical
    control over the connection points as untrusted
  • Establish secure tunnels between trusted
    endpoints
  • Both TLS and SSH can be configured to provide
    authentication and encryption that at least meets
    the PCI-DSS requirements

26
Conclusion
  • However much or little it costs you to "PCI" it,
    it will always be a lot less than the cost of a
    security breach, in money and in reputation.

27
Final Thoughts
  • Above all, PCI DSS Compliance is not about
    avoiding penalties and fines.
  • It is another step in protecting the Brand and
    Reputation of your individual Organisations, as
    part of your overall Security Posture.

28
Thank you
Questions?