Title: PCI Compliance
1. PCI Compliance
- ATM Security in the Americas 2007
- Las Vegas, 11 September 2007
- Wayne Varga
  wayne.varga_at_k3des.com, 801-386-3520
2. PCI Compliance
- Avoiding PCI Compliance Traps
- Tips for Buying PCI Compliant Products
- Linking PCI Compliance to IT Governance
- Achieving PCI Compliance with Minimal Staff
- A Software Developer's Perspective on PCI Compliance
3. Avoiding PCI Compliance Traps
- Trap 1: PCI compliance doesn't apply to me.
  - PCI applies to all organizations that are involved in the payment card industry in any way that touches account numbers.
  - If your organization has access to full account numbers of any form of payment card, then PCI applies to you.
4. Avoiding PCI Compliance Traps
- Trap 2: PCI compliance only applies to big companies.
  - PCI compliance is required of all companies that touch full account numbers.
  - The only difference between large and small companies is how they validate compliance.
5. Avoiding PCI Compliance Traps
- Trap 3: I can get PCI compliant on my own.
  - PCI compliance is complex enough that very few can do it effectively without outside help.
  - Engage an assessor early. They can help you focus on the right areas. This can drastically simplify the compliance process (and maybe reduce the cost).
6. Avoiding PCI Compliance Traps
- Trap 4: Hiring an assessor is the most expensive part of becoming PCI compliant.
  - Assessors can be expensive, but their fees are small compared with the other costs:
    - Compliant hardware and software
    - Network security (firewalls, IDS)
    - Central logging and monitoring
  - Engage an assessor early. They can help you focus on the right areas. This can drastically simplify the compliance process (and maybe reduce the cost).
7. Avoiding PCI Compliance Traps
- Trap 5: PCI assessors can't help me become compliant.
  - The assessors are your advocates with the card associations and their members.
  - They can and should assist you in becoming compliant.
  - There are not the same independence requirements as in financial audits. The card associations encourage assessors to consult with their clients and assist them in becoming compliant.
8. Avoiding PCI Compliance Traps
- Trap 6: Only applications and systems that handle card numbers must be compliant.
  - PCI security requirements apply to any network component, server, or application included in, or connected to, the cardholder data environment.
  - Without internal network segmentation, every system and application must meet PCI security requirements.
9. Avoiding PCI Compliance Traps
- Trap 7: Buying PCI-compliant products makes you PCI compliant.
  - It is possible for your organization to NOT be PCI compliant, even when using PCI-compliant products.
  - It is possible to be PCI compliant, even if using no PCI-compliant products (today).
  - PCI-compliant products must be installed and maintained according to vendor instructions in order to be considered compliant.
10. What is a PCI-Compliant Product?
- The general definition: A PCI-compliant product is any product that helps an organization meet one or more of the PCI requirements.
- The specific definition: A PCI-compliant product is any product that has been tested by an approved testing entity to demonstrate compliance with specific requirements as put forth by Visa or another standards body. These are also called Validated or Approved products.
11. Validation Process
- The product is installed and tested in a laboratory against specific technical requirements.
- Supplied documentation is also reviewed for accuracy and completeness.
- The validation process ensures that a company implementing this product is able to be compliant.
- The existence of non-compliant features or insecure operating modes does not necessarily disqualify a product.
- The vendor must prepare PCI implementation instructions for what the customer must do to meet PCI requirements.
12. Validated PCI Products
- Payment Applications
  - Not currently required, but highly recommended. See future requirements posted by Visa: required no later than 7/2010.
  - It is possible to use a non-validated application and still be PCI compliant.
  - It is possible to use a validated application and not be PCI compliant.
- PIN Entry Devices
  - Currently required.
  - Requirements are becoming tighter.
  - It is not possible to be compliant without using validated products.
13. PIN Entry Devices
- Effective now: All newly deployed devices must be on the list of approved devices. "Newly deployed" means installed for the first time in your organization.
- July 1, 2010: All attended devices must be on the list of approved devices. This means all attended devices must be compliant, regardless of when they were installed.
- There is no date set for installed unattended devices, such as ATMs, kiosks, or automated fuel dispensers.
14. Buying PCI Compliant Products
- Check the approved lists on Visa's website:
  - www.visa.com/cisp (Payment Applications)
  - www.visa.com/pin (PIN Entry Devices)
- Work closely with your assessor.
- Before purchasing, review the vendor's PCI implementation documentation. Make sure what is required to meet PCI requirements matches your expectations.
- Get everything in writing (PCI approvals, installation requirements, maintenance requirements, etc.).
- Do not buy non-approved PIN Entry Devices, except as replacements for existing devices of the same model.
15. Linking PCI Compliance to IT Governance
- PCI compliance is first about policy, second about implementation.
- Without strong organizational policies and enforcement of those policies, it is impossible to achieve PCI compliance.
- Therefore, PCI compliance is inseparably linked to IT governance, and vice versa.
- It is impossible to be PCI compliant without effective IT governance.
16. PCI Compliance With Minimal Staff
- Certain PCI requirements are difficult with a small staff:
  - Separation of duties (req. 6.3.3)
  - Code review by someone other than the author (6.3.7)
- Some PCI requirements are very time consuming:
  - Keep current on security vulnerabilities (6.2)
  - Change control (6.4)
  - Review all logs at least daily (10.6)
  - Perform daily security procedures (12.2)
17. PCI Compliance With Minimal Staff
- Automate as much as you can:
  - Log analysis tools
    - System logs
    - IDS logs
    - File Integrity Monitoring logs
- Subscribe to newsgroups and industry publications on security and PCI.
- Make the PCI requirements standard operating procedure.
- Involve everyone, including management. Not everything in PCI is technical.
18. Software Development
- PCI mandates good software development processes.
- PCI has many requirements on how software is developed:
  - Requirement 6 covers software development.
  - Keep everything current with the latest patches.
  - Secure by design, not by inspection.
  - Follow a formal Software Development Life Cycle (SDLC).
  - Strict change control.
19. Software Development
- Developers either love or hate PCI.
- Why developers love PCI:
  - It gives them an excuse to buy cool tools.
  - It requires management to follow defined processes in dealing with developers.
  - It limits their access to production environments.
- Why developers hate PCI:
  - It requires them to use limiting tools.
  - It requires them to follow defined processes in developing and testing applications.
  - It requires others to review and critique their work.
  - It limits their access to production environments.