© 2010 Compliance Update - The importance of PCI DSS and PA DSS Brooks Wallace 25 November 2010

Latest status on PCI and PCI PA 2010


Page 1

Compliance Update - The importance of PCI DSS and PA DSS

Brooks Wallace, 25 November 2010

Page 2

Agenda

• Overview of PCI SSC
  – Changes to the Standards
  – Relationship between PCI and PA DSS
• EMEA Fraud Trends
• PA DSS Case Study
• PCI DSS Case Study
• About Trustwave
  – Compliance Solutions
  – Choosing a QSA
• Summary

Page 3

Payment Card Industry Security Standards Council (PCI SSC)

Page 4

Who is the SSC?

• Founded in 2006 by American Express, Discover, JCB, MasterCard and Visa
• Governed by an Executive Committee comprised of representatives from those card brands
• Primary objectives include:
  – Custodian of the PCI DSS, PA-DSS and PTS
  – QSA/PTS Lab education, certification and quality assurance
  – Final validation and listing maintenance for PA-DSS validated applications

Page 5

Overview of Standards Changes

• October 28, 2010 – PCI DSS 2.0 released
• January 1, 2011 – PCI DSS 2.0 effective
• December 31, 2011 – PCI DSS 1.2.1 retired
• July 1, 2012 – Risk ranking (PCI DSS 6.2) sunrise*

* Affects PA-DSS 5.2.6 and 7.1

Page 6

Reasons for Change

Improve clarity

Improve flexibility

Align with industry best practices

Eliminate redundancy

Manage evolving risks / threats

Page 7

Change Categories

• Additional guidance (2): explanations and/or definitions to increase understanding or provide further information on a particular topic (e.g. scoping requirements).

• Evolving requirements (3): changes to ensure that the standards are up to date with emerging threats and changes in the market (e.g. data search for scope confirmation, vulnerability risk ranking).

• Clarification (52): clarifies the intent of a requirement, ensuring that the concise wording in the standards portrays the desired intent (e.g. encryption related to PAN, addition of ‘and router’ in 1.2).

Page 8

Frequent Questions


Page 12

Frequent Questions

• Why is PA DSS compliance ‘suddenly’ important? PA-DSS has always been important, as insecure applications are the number one cause of data loss. A July 2012 deadline is in place for all merchants to use PA-DSS validated software or face penalties from the merchant’s acquiring bank.

• If I use a PA DSS compliant application am I PCI DSS compliant? No. PA-DSS only SUPPORTS PCI compliance; it does not ensure it. The merchant still has to validate their compliance with PCI DSS by showing that the application has been installed as per the vendor’s Installation Guide.

• Does PA-DSS compliance save me money with PCI DSS compliance validation? Yes. Applications that are not PA-DSS compliant must be FULLY assessed and validated against the PCI DSS, which is complex and therefore time consuming. With PA-DSS compliant applications, the assessor need only confirm that the installation is as per the Installation Guide.

• Does PA DSS compliance reduce the scope of my PCI DSS validation? No. PA-DSS only SUPPORTS PCI compliance; all devices that transmit, process, or store cardholder data are in scope for PCI compliance. PA DSS applications reduce the risk to cardholder data, but the systems on which they run must still be secured.
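The scope statement above (every system that stores, processes or transmits cardholder data is in scope) and the "data search for scope confirmation" added in PCI DSS 2.0 come down to one practical task: finding where PAN actually lives before the assessor does. The following is an added example, not part of the original deck and not a Trustwave tool: a small PAN-discovery scan in Python over a constructed POS/web log sample. It pulls 13 to 19 digit candidates (with optional space or dash separators), rejects anything that fails the Luhn check, applies a deliberately simplified issuer-prefix table (an assumption to cut false positives, not a BIN database), and reports hits masked to first six / last four so the scan report does not itself become a new store of full cardholder data. The card numbers in the sample are the widely published Visa, MasterCard and Amex test values.

```python
"""PAN discovery for PCI DSS scope confirmation (added example, not from the deck)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. Deliberately loose: Luhn and the prefix filter do the rest.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log (not real data). Lines 1, 4 and 5 carry the published
# Visa / MasterCard / Amex test numbers, which pass Luhn. Line 2 is a Luhn-failing
# lookalike; line 3 is a 16-digit order number (wrong prefix, fails Luhn).
SAMPLE_LOG = """\
2010-11-25 09:14:02 POS-07 auth ok pan=4111111111111111 amt=42.10
2010-11-25 09:14:09 POS-07 auth ok pan=4111 1111 1111 1112 amt=9.99
2010-11-25 09:15:33 web order_id=1234567890123456 status=shipped
2010-11-25 09:16:00 POS-02 auth ok pan=5555-5555-5555-4444 amt=18.00
2010-11-25 09:17:45 POS-02 auth ok pan=378282246310005 amt=120.00
2010-11-25 09:18:10 batch settle count=12 total=6543.21
"""


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned text
    brand: str     # issuer inferred from the leading digits
    masked: str    # first six + last four only; the full PAN is never stored
    length: int    # PAN length in digits


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_brand(digits: str) -> Optional[str]:
    """Simplified prefix/length table (assumption; not an authoritative BIN list)."""
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "MasterCard"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649) and n in (16, 19):
        return "Discover"
    if 3528 <= p4 <= 3589 and n in (16, 19):
        return "JCB"
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the maximum PCI DSS 3.3 allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return Luhn-valid, brand-matching PANs found in text, masked, with line numbers."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue
            brand = issuer_brand(digits)
            if brand is None:
                continue
            findings.append(Finding(line_no, brand, mask_pan(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line}: {f.brand} ({f.length} digits) {f.masked}")
```

Run against the sample, the scan reports lines 1, 4 and 5 and stays silent on the Luhn-failing lookalike and the order number. In a real engagement the same logic is pointed at file shares, databases and log directories; every hit is a system that is in scope regardless of whether the payment application on it is PA-DSS validated.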

Page 13

Get the Details

PCI SSC Website: www.pcisecuritystandards.org
• List of Qualified Security Assessors (QSA)
• List of compliant Payment Applications
• Participating Organisations
• List of QSAs in remediation
• All standards and guidelines (some language support)
• FAQs

Trustwave Webinar Archive: www.trustwave.com
• PA DSS 2.0: What do you need to know?
• PCI DSS 2.0: What can you expect?
• PCI DSS Expert Panel: Your Questions Answered

1 December for EMEA

Page 14

Global Security Report - 2010

On the Trustwave Web site https://www.trustwave.com/whitePapers.php

Page 15

Incident Response – The Sample Set

• 218 investigations
• 24 countries
• 18% found inconclusive
  – No evidence of critical data leaving
  – Many factors impact an inconclusive case
• Average of 156 days between initial breach and detection!

Page 16

Incident Response – The Sample Set: Countries Represented in 2009

Australia, Belgium, Canada, Chile, China, Cyprus, Denmark, Dominican Republic, Ecuador, Germany, Greece, Ireland, Luxembourg, Malaysia, Puerto Rico, Saudi Arabia, South Africa, Sri Lanka, Switzerland, Ukraine, United Arab Emirates, United Kingdom, United States, Virgin Islands

SpiderLabs visited 24 different countries in 2009 to perform compromise investigations.

Page 17

Incident Response – The Sample Set

Industries

Level 4 merchants make up over 90% of Trustwave investigations

Page 18

Incident Response – Investigative Conclusions

Types of Data at Risk

Payment card data is a target for criminals looking to turn data into cash quickly.

Page 19

Incident Response – Investigative Conclusions

Types of Target Assets

While many POS vendors have patched their systems to support security controls, many companies are still running very old software.

Page 20

Incident Response – Investigative Conclusions

System Administration Responsibility

Third Party vendors are often negligent in their administration of security controls and best practices.

Page 21

Summary

• Attackers are using old vulnerabilities

• Attackers know they won’t be detected

• Organizations do not know what they own or how their data flows

• Blind trust in 3rd parties is a huge liability

• Fixing new/buzz issues, but not fixing older issues

• This is just the ‘low hanging fruit’; as PCI takes effect, the thieves will move on to easier targets

Page 22

Compliance Case Studies

Page 23

PA-DSS Case Study

Type: Payment Application Provider

• Compliance Issues:
  − Ensure security of online and back-end processing
  − Address common data breach attack vectors (SQL injection, cross-site scripting)
  − Ensure SSL encryption for all transactions

• Trustwave Solution:
  − Analyzed IT architecture to properly scope for compliance validation needs prior to assessment activity
  − Performed application penetration testing and PA DSS assessment
  − Provided an EV SSL certificate for necessary encryption with the highest degree of identity validation

Page 24

PCI Case Study

Type: Level 4 Merchant (Hospitality)

• Compliance Issues:
  − Hospitality environment holds inherent risks
  − Multiple, often vastly distributed, locations – difficult to manage
  − Legacy systems, multiple third party providers

• Trustwave Solution:
  − Engaged TrustKeeper® compliance tool to easily manage scanning and questionnaires for multiple locations
  − Installed Unified Threat Management (UTM) at each location for ongoing perimeter management and protection, including firewall, intrusion prevention, content filtering and virtual private network
  − Pragmatic approach to assessment services utilising significant industry knowledge and experience

Page 25

About Trustwave

Page 26

Choosing a QSA

Choosing the RIGHT QSA is difficult; choosing the wrong QSA is disastrous.

Questions you should be asking your QSA include:

• How many of your QSAs have submitted a compliant RoC to either an acquirer or Card Scheme?
• How many RoCs has your company submitted?
• How do you compensate for the differing opinions of QSAs (based on their unique skill-sets)?
• How many assessments has your company performed in my industry vertical?
• Do you provide any other compliance related services?
• How do you help clients maintain compliance?
• How do you support clients in an ‘emerging market’ without a qualified local presence?
• Can you provide references of customers in a similar vertical or region?
• How long does it take to get compliant?
• Once compliant, can Trustwave help us with marketing and press coverage?

There are 20 questions in total; not all will be relevant to your organisation.

Copies available on our stand or on request.

Page 27

The leader in compliance and data security

• Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
• MSSP with more than 1,400 devices under management
• Monitor more than 18 million events per day
• Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
• Performed more than 4,000 network and application penetration tests
• Conducted more than 740 forensic investigations
• PCI DSS leader – Trustwave has certified 42 percent of PSPs and 40 percent of payment applications
• Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); OIRA (2005)

Page 28

TrustKeeper Merchant Experience

www.trustwave.com

Page 29

Help and Guidance

TrustKeeper Merchant Experience

www.trustwave.com


Page 31

Summary

• The PCI SSC is making it easier for you to understand the PCI and PA DSS standards

• PA DSS compliant applications do not automatically make you PCI DSS compliant

• Compromises are going undetected and hackers are using old vulnerabilities to get in

• Choosing the right QSA is difficult but many have the tools and skills to help you achieve compliance

• Trustwave is a good resource for any merchant for information on PCI and PA DSS

Page 32

Thank You