PCI Data Security Compliance Program Overview

1

• PCI Data Security Compliance Program Overview

Rick Dakin, QSA Rick.dakin_at_coalfiresystems.com M
ay 2008
2
Who is Coalfire?
Founded in 2001, with offices in Denver, Seattle
and NYC with over 30 full time IT Auditors
Clients include Fortune 100, retail, government,
education, financial, healthcare, Law Firm and
manufacturing
Security, Governance, Compliance Management,
Audit GLBA, SOX, PCI, HIPAA, SAS70 Government
IT Governance and Compliance Management
Practice areas Risk and Vulnerability
Assessment, E-discovery and Forensic Analysis
Solutions Policy Development, Data
Classification, Logging and Monitoring, Incident
Response, Etc.
Application Security PABP Certification, Code
Audits, Penetration Testing, SDL Development
3
Agenda
Questions
4
IT Governance at a Glance
Data Security and Compliance
Critical Drivers
Reduced Tolerance for Service Disruption
Increasing Cyber Threats
More Regulatory Requirements
5
Compliance Trends
The Regulatory Environment Represents a New
Enterprise Challenge
2000- Present
1970-1980

• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes Oxley (SOX)
• CIPA 2002
• Basel II
• NERC CIP 02-09)
• CISP
• Payment Card Industry (PCI)
• California Individual Privacy SB1386
• Other State Privacy Laws (38)

1990-2000

• Privacy Act of 1974
• Foreign Corrupt Practice Actof 1977

• EU Data Protection
• HIPAA
• FDA 21CFR Part 11
• C6-Canada
• GLBA

1980-1990

• Computer Security Act of 1987

6
Growth of Privacy Laws
7
State Privacy Laws
Businesses must establish basic information
security programs
In the event of an actual or suspected security
breach businesses have a legal obligation to
notify impacted consumers resulting in new
security requirements
Businesses must proactively manage their
confidential consumer information
Businesses must take steps to know when their
defenses have been breached
Compliant infrastructures are required!
8
Trends, Red Flags and War Stories
9
Unauthorized Users
10
Attack Vectors

• Virus Attack
• Spyware
• Worms and Trojans
• Image embedded Trojans
• Intentional installation
• Targeted attacks that exploit poor system
  configuration and vulnerabilities (don't get
  posted to a bulletin board on a bot network)
• Targeted attacks against a "friendly" who either
  loses your data or passes along the attack
• Physical theft
• System misuse by an authorized user
• Internal staff
• Third parties

11
Stolen Account Data Value
12
Scary Bedtime Stories What is the cost of
non-compliance

• Other headlines.
• TJ MAX causes several states to introduce new
  legislation to protect cardholder data.
• Card Systems International forced to sell
  operations at a loss.
• Ongoing compromises are driving changes in the
  DSS to include dual factor authentication and
  wireless security.

• DSW Shoe Warehouse customer database was hacked
  and 1.4 million records were stolen and records
  over 6.5 million reserve on 2005 financial
  statements.

• FTC fines Choice Point 10 million for unfair
  business practices for failure to protect
  consumer data.

13
Costs of a PCI Compromise
A hypothetical merchant compromises 100,000
accounts when a third party service provider has
a server stolen. What is the potential
financial impact?

• Notify Clients and Provide Privacy Guard
• Fines and Penalties
• Loss of Clients
• Fraud liability
• Reputation Loss

50 x 100,000 5 million 100,000 to 10
million 100,000 clients 15 15,000
clients 15,000 x 100 in fees 1.5m in lost
fees 1,000 accounts x 500 500,000 PRICELESS!
14
PCI Overview
15
Cardholder Verification Number (CVV2)
Cardholder Verification Number (CVN) (CID/CVV2/CVC
2)
CVV2
CVV
16
PCI Relationship Matrix
Acquiring Bank
Acquiring Bank
Issuing Bank
Merchant Cardholder Environment
Cardholder
App Vendors
Processor Gateway Service Provider
Merchant
17
PCI Data Security Standard
12 control objectives known as the Digital
Dozen More than 218 control activities that
must be tested with a no fail standard for any
control activity for each of the 12 control
objectives
18
Industry Alignment to PCI
CISP Compliance Requirements
CISP Validation Requirements
SDP Compliance Requirements
SDP Validation Requirements
Compliance Requirements
Compliance Requirements
PCI Security Standards Council
Compliance Requirements
ComplianceRequirements
19
PCI Compliance Levels
Any merchant processing over 6 million VISA or
MasterCard transactions per year OR identified as
any card brand as a Level 1 merchant.
Any merchant processing 1 to 6 million VISA or
MasterCard transactions per year.
Any merchant processing 20,000 to 1 million VISA
or MasterCard e-commerce transactions per year.
Any merchant processing less than 20,000 VISA or
MasterCard e-commerce transactions per year, and
all other merchants with less than 1 million
transactions
20
Compliance Validation Requirements
21
New Self Assessment Questionnaire (SAQ)
22
Visa Fine Schedule(other card associations have
different costs)

• Data compromise or non-compliance with PCI
  requirements
• First Violation -- Up to 50,000
• Second Violation -- Up to 100,000
• Third Violation -- At Visas discretion for
  more than two violations in 12 months
• Merchants who store full-track data
• Initial penalty of 50,000
• Thereafter Visa assesses fines up to 100,000
  monthly until track data is removed
• Representative fine structure based on public
  information distributed by Chase Paymentech.
  Actual fines to merchants may vary based on their
  acquirer.

23
Assessment Scope Where is the card holder data?
Customer
Production Environment
POS Terminals (card present in stores and parking
facilities)
Web Server (card not present)
Authorization
Transaction Servers or Payment Gateway Transaction
Record Archive
Phone, Fax, Email
Admin Environment
Batch Settlement

• Marketing
• Customer Service
• Ecommerce
• Phone / Fax
• Gift Cards
• Fraud
• Accounting / Administration

Application Servers Back Office Customer Svc
Data Warehouse Payment Gateway and Transaction
Database
Acquiring Bank Wells Fargo, BoA, Chase
Document Vaults Paper records
Portal Access to Reconciliation Data (Charge Back
/ Sales Audit)
24
New Visa Application Requirements
Oct 23 Announcement from Visa It is critical
that merchants and agents do not use payment
applications known to retain prohibited data
elements and that corrective action is
immediately taken to address any identified
deficiencies because these applications are at
risk of being compromised.
25
Summary

• Assessment vs - Audit
• Penalties for non-compliance is high but
  guidelines on Assessment procedures are
  marginal (sample size, evidence of control
  effectiveness, retention period, testing
  oversight)
• The testing procedures for each control
  activities are PRECRIPTIVE
• Self Assessment Questionnaire must track to the
  environment
• Organizations may not understand the cardholder
  environment
• Reporting process depends on the acquiring bank
• More risks to manage than test procedures measure
  (example Hannaford)

26
Safe Harbor Concept
Knowledge Action Negligence
Safe Harbor requires validation of compliance at
the time of compromise So far, no compromised
account has been compliant at the time of the
incident
26
27
Questions
Rick Dakin Rick.dakin_at_coalfiresystems.com 303.554
.6333 ext. 7001