PCI Security Compliance Simplified
How to Protect Yourself from Data Security Breach

Presented by:
Rick Allen, CISSP
PCI Compliance Director
Payment Processing Incorporated
Newark, California, USA
Payment Processing, Inc. is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA;
National Bank of Canada, Montreal, PQ; and Canadian Imperial Bank of Commerce, Toronto, ON.
© 2009 Payment Processing, Inc. All Rights Reserved.
PPI Confidential
Presenter’s Background

Rick Allen, CISSP
• PCI Compliance Director for PPI
• PCI Security Standards Council Participating Member
• ETA Fraud / Risk Committee Service
• Payments Industry Security Speaker & Author
• Experienced in Data Breach Incident Response & Forensic Examination
• Over 15 years of security management experience with payment card issuers, member banks, and Big 5 audit & consulting firms
PCI Data Breach Trends & Risks
What’s the big deal?
• Over 285M payment cards were compromised in 2009
• 26% of consumers (1 out of 4) received a data breach notification in 2009
• The majority of merchants experiencing a breach were small to medium sized businesses – 90% in 2010
• Attackers focus on small merchants because they don’t employ IT staff – 8 out of 10 don’t
• 87% were considered avoidable through intermediate controls
• 99.9% of records were compromised from servers and applications
• 25% of merchants have PAN data stored on systems
Our Agenda Today
• What is PCI Compliance & Why Should I Care?
• What’s Driving PCI Security Compliance
• How Validated Software Helps Keep You Secure
• Risk Liability & Cost of a Data Breach Incident
• 10 Practical Tips to Protect Your Business
• Making PCI Validation Easy
• Questions & Answers
What is PCI Compliance & Why Should I Care?

Payment Card Industry Data Security Standard (PCI DSS)
• PCI DSS compliance is required of all merchants by the Card Associations.
• It protects you from those intent on doing your business harm.
• Ignoring PCI compliance makes you an easy target for unauthorized access to the computers that handle your customers’ payment card data.
• Merchants who validate PCI DSS compliance help keep customer payment card data safe & sound!
What is PCI Compliance & Why Should I Care?

Security holes are easily exploited!
Falling victim to default Windows computer settings enables bad things to happen to good people!
• Insecure remote access
• Key loggers & weak passwords
• Unnecessary insecure services running
• Malware / custom attack code engines
What’s Driving PCI Security Compliance

[Diagram; labels recovered from the slide: “Customer wants to open merchant account”, “Because POS Software not PADSS Validated”, “Name of POS Software Vendor”, “Due to Visa Security Mandates”]
How Validated Software Helps Keep You Secure

The “Hollywood A List” of Validated Payment Applications
Risk & Liability Cost of a Data Breach Incident

A merchant’s breach of payment card account data is a significant adverse event that can jeopardize your business livelihood.
Merchants found “PCI Non-Compliant” are liable and exposed to pay the costs associated with:
• Non-compliance fines & penalties
• Forensic audit & incident response fees
• Cost of fraudulent transactions
• Costs to reissue payment cards
• State & FTC customer privacy breach notifications
• Potential ongoing PCI Level 1 validation costs
10 Practical Tips to Protect Your Business

1. Secure Remote Access
• Use remote access applications that require two independent forms of authentication:
  – User ID & password
  – One-time PIN
  – Authorized person onsite to “allow” the remote access session
• Use network encryption (a Virtual Private Network, VPN) to secure remote access sessions.
10 Practical Tips to Protect Your Business

2. Default, Weak, Nonexistent Passwords
• Often vendors will set up many different sites with the same weak passwords.
• The default password is often “password” or none at all.
• Weak passwords are easily discovered and broken by hackers using simple password cracking software.
• When installing POS computers & systems, change all default passwords.
• Ensure all users have unique user accounts and strong passwords.
10 Practical Tips to Protect Your Business

3. Anti-Virus Software
• Attackers who gain access to POS systems can install malware and capture payment card data when it is swiped at the terminal, before encryption.
• Updated anti-virus software will often detect and prevent this type of attack.
• Ensure all POS workstations and servers are set up with anti-virus software.
• Ensure anti-virus software is configured to update periodically so it learns about new and emerging malware threats.
10 Practical Tips to Protect Your Business

4. Firewalls
• Ensure firewalls are properly set up to prevent bad things from getting in.
• Just as critical, ensure the firewall setup prevents the wrong things from getting out.
• Once hackers are in, they need to get the “goods” out.
• Properly set up firewalls make it difficult for hackers to get in, and even harder to export the data “goods” out.
10 Practical Tips to Protect Your Business

5. Payment Processing Software
• Ensure your vendor provides a software version that has been security validated to PA-DSS compliance standards.
• Ensure that payment software is set up according to the secure implementation guide, so that the software is operated in a PCI compliant manner.
• Ask the vendor to ensure that payment software DOES NOT store primary account numbers and sensitive authentication data.
• When upgrading software, have the vendor perform a secure delete to ensure no payment card data remains.
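Checking that payment software really does not store primary account numbers (and that none survive an upgrade) means looking for PANs lingering in files, logs and databases. The following PAN discovery scan is an added example, not part of the original presentation or any PPI tool; the candidate pattern, the constructed sample log and the public test card numbers in it are assumptions for illustration, and findings are masked so the report does not itself store PANs.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Pattern is an assumption for this example; real scanners also key on issuer prefixes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits: a findings report must not itself store PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PAN findings with their offsets; digit runs that fail Luhn are ignored."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({"masked": mask_pan(digits), "offset": m.start()})
    return findings


# Constructed sample of a leftover POS debug log. 4111 1111 1111 1111 and 5500000000000004
# are public test card numbers; the order number is a 13-digit decoy that fails Luhn.
SAMPLE_LOG = (
    "2009-03-01 10:12:33 auth ok amt=42.17 card=4111 1111 1111 1111 exp=0311\n"
    "2009-03-01 10:13:02 callback phone=5105551234 order=1234567890123\n"
    "2009-03-01 10:14:10 auth ok amt=9.99 card=5500000000000004\n"
)

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"possible PAN {f['masked']} at offset {f['offset']}")
```

Run it over exported files, log directories and database dumps after an upgrade or secure delete; any hit means card data is still being stored somewhere the vendor said it was not.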
10 Practical Tips to Protect Your Business

6. Wireless
• This was the “Achilles’ heel” of TJ Maxx, the US retailer who suffered a card data breach of 45 million accounts to hackers…
• Ensure that wireless access points use the highest grade of encryption available:
  – WPA2 using PSK (pre-shared key) with 256-bit AES encryption keys
  – No WEP or TKIP allowed.
• Turn off SSID broadcast and adhere to general WLAN security best practices.
10 Practical Tips to Protect Your Business

7. Employees
• 22% of US employees say they would feel comfortable selling their employer’s data, according to SailPoint research…
• Background checks, security cameras, and unique employee login credentials will help you monitor employee conduct.
• Employees need to know their actions are being monitored and that anyone committing acts of data theft will be terminated and prosecuted.
• Ensure your business has employee acceptable use guidance in its information security policy.
10 Practical Tips to Protect Your Business

8. Event Logging
• Compromised merchants ask “what are the chances you will catch the party responsible for the breach…”
• The likelihood is tied to the quality / granularity of event logging.
• Keep 4 months of event logs on hand and 12 months of logs in backup storage.
• Review logs for malicious activity at least weekly.
• Ensure all employee users have individual accounts / passwords and never share user accounts and passwords.
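The weekly review recommended above can be partly automated. The following script is an added example, not part of the original presentation; its key=value log format, the sample lines and the two thresholds (FAIL_THRESHOLD, SHARED_IP_THRESHOLD) are constructed assumptions, and it flags the two things this tip calls out: repeated failed logins against one account, and one account logging in from several addresses, which is what a shared credential looks like in the logs.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example (not any real product): "<ts> <source> user=<u> ip=<a> result=OK|FAIL"
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$")

FAIL_THRESHOLD = 5        # assumed: failed logins per account per review period worth a look
SHARED_IP_THRESHOLD = 2   # assumed: distinct addresses per account that suggest a shared credential

def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped, not guessed at."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def review(lines):
    fails = Counter()            # failed logins per account
    ok_ips = defaultdict(set)    # distinct source addresses per account, successful logins only
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            fails[ev["user"]] += 1
        else:
            ok_ips[ev["user"]].add(ev["ip"])
    findings = []
    for user, n in sorted(fails.items()):
        if n >= FAIL_THRESHOLD:
            findings.append(f"{user}: {n} failed logins (possible password guessing)")
    for user, addrs in sorted(ok_ips.items()):
        if len(addrs) >= SHARED_IP_THRESHOLD:
            findings.append(f"{user}: logins from {len(addrs)} addresses (shared account?)")
    return findings

# Constructed sample: one week of remote access and register logins, plus one malformed line.
SAMPLE_LOG = [
    "2009-03-02T02:14:05 remote-access user=admin ip=198.51.100.7 result=FAIL",
    "2009-03-02T02:14:09 remote-access user=admin ip=198.51.100.7 result=FAIL",
    "2009-03-02T02:14:13 remote-access user=admin ip=198.51.100.7 result=FAIL",
    "2009-03-02T02:14:17 remote-access user=admin ip=198.51.100.7 result=FAIL",
    "2009-03-02T02:14:21 remote-access user=admin ip=198.51.100.7 result=FAIL",
    "2009-03-02T02:14:26 remote-access user=admin ip=198.51.100.7 result=OK",
    "2009-03-03T09:01:00 pos-server user=pos1 ip=192.0.2.10 result=OK",
    "2009-03-03T09:02:30 pos-server user=pos1 ip=192.0.2.11 result=OK",
    "2009-03-04T15:45:12 pos-server user=pos1 ip=192.0.2.12 result=OK",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Note that the admin guessing run ends in a successful login at 02:14 local time, which the weekly review should treat as a probable compromise rather than a nuisance.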
10 Practical Tips to Protect Your Business

9. Outsourced IT Needs
• Many businesses rely on independent IT companies to ensure they’re compliant with industry security standards.
• Ensure your IT company provides full disclosure and transparency about security systems and setups.
• Some IT companies provide agreed-upon service levels and response times. Make sure that you document these in writing.
• Make sure that you validate that the IT company’s security work is actually secure. (See #10)
10 Practical Tips to Protect Your Business

10. PCI DSS Compliance & Validation
• Remember that “compliance” is a point-in-time measurement.
• True “security” is a continuous process of improvement based on actual and emerging threats, according to the level of business risk tolerance.
• Compliance is easy once you have actually secured your business against those threats.
• Validation of compliance provides industry stakeholders “proof” that security controls are in place to protect your business, and safe harbor from fines & penalties when account data is breached.
Making PCI Validation Easy!
PayPros PCI Compliance for Business
• The Trustwave portal is used to complete the PCI scan requirement. It finds vulnerabilities and provides remediation guidance to resolve them. Once the identified issues are fixed, scan again to successfully validate compliance.
• Complete the appropriate version of the Self-Assessment Questionnaire based on how you accept payment cards at your business.
• Submit the scan and questionnaire results to your acquirer.
• Continue to monitor security & compliance status:
  – Compliant network scans are due quarterly.
  – Annual submission of the self-assessment questionnaire.
Making PCI Validation Easy!
PayPros PCI Compliance for Business
• As POS systems are upgraded or replaced, PCI DSS compliance will change, requiring merchants to revalidate to maintain PCI DSS compliance.
• Only merchants with validated compliance have safe harbor from PCI DSS non-compliance fines and penalties associated with a cardholder data breach.
• Our merchants using PA-DSS validated payment software who maintain PCI DSS compliance validation can benefit from the PayPros Breach Reimbursement Guarantee. (Note: Terms & Conditions Apply)

If you don’t validate, you take on risk liability and may jeopardize your ability to accept payment cards!
For Additional Information or Questions
Contact Rick Allen at rallen@paypros.com or call 1-800-774-6462 Ext 4977

Thank You!
It’s Time for Questions & Answers