PCI Security Compliance Simplified How to Protect Yourself from Data Security Breach Presented By: Rick Allen CISSP PCI Compliance Director Payment Processing Incorporated Newark, California. USA 1 Payment Processing, Inc. is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; National Bank of Canada, Montreal, PQ; and Canadian Imperial Bank of Commerce, Toronto, ON. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential Presenters Background    Rick Allen CISSP    2 PCI Compliance Director for PPI PCI Security Standards Council Participating Member ETA Fraud / Risk Committee Service Payments Industry Security Speaker & Author Experienced Data Breach Incident Response & Forensic Examination Over 15 years security management experience with payment card issuers, member banks, Big 5 audit & consulting firms © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential PCI- Data Breach Trends & Risks What’s the big deal?  Over 285M payment cards were compromised 2009  26% or 1 out of 4 consumers received a data breach notification in 2009  Majority of merchants experiencing a breach were small to medium sized businesses – 90% in 2010  Attackers focus on small merchants because they don’t employ IT staff - 8 out of 10 don’t  87% were considered avoidable thru intermediate controls  99.9% of records were compromised from servers and applications  25% of merchants have PAN data stored on systems 3 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential Our Agenda Today  What is PCI Compliance & Why Should I care ?  What’s driving PCI Security Compliance  How Validated Software Helps Keep You Secure  Risk liability & cost of data breach Incident  10 Practical Tips to Protect Your Business  Making PCI Validation Easy  Questions & Answers 4 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential What is PCI Compliance & Why Should I Care  Payment Card Industry Data Security Standard (PCI-DSS)  PCI-DSS compliance is required of all merchants by the Card Associations.  It Protects you from those intent on doing your business harm  Ignoring PCI Compliance makes you an easy target for unauthorized access to computers that handle your customers payment card data  Merchants who validate PCI DSS compliance help keep customer payment card data safe & sound! 5 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential What is PCI Compliance & Why Should I Care  Security Holes are easily exploited !  Falling victim to default windows computer settings enables bad things to happen to good people !  Insecure Remote Access  Key Loggers & Weak Passwords  Unnecessary insecure services running  Malware Custom Attack Code Engines 6 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential What's driving PCI Security Compliance Customer wants to open merchant account Because POS Software not PADSS Validated Name of POS Software Vendor Due to Visa Security Mandates 7 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential How Validated Software Helps Keep You Secure  8 The “Hollywood A List” of Validated Payment Applications © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential Risk & Liability Cost of Data Breach Incident   9 Merchants Breach of Payment Card Account Data is a significant adverse event that can jeopardize your business livelihood. Merchants found “PCI Non-Compliant” are liable and exposed to pay costs associated with …  Non-Compliance Fines & Penalties  Forensic Audit & Incident Response Fees  Cost of Fraudulent Transactions  Costs to Reissue Payment Cards  State & FTC Customer Privacy Breach Notifications  Potential Ongoing PCI Level 1 Validation costs © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  1. Secure Remote Access   10 Use Remote Access applications that require two independent forms of authentication  User ID & Password  One Time PIN  Authorized person onsite to “allow” the remote access session Use Network Encryption (VPN) Virtual Private Network to secure Remote Access sessions. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  11 2. Default, Weak, Nonexistent Passwords  Often vendors will setup many different sites with the same weak passwords.  Default password is often “password” or none at all.  Anyone can discover random weak passwords which are easily broken by hackers using simple password cracking software  When installing POS computers & systems, change all default passwords  Ensure all users have unique user accounts and strong passwords © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  12 3. Anti Virus Software  Attackers who access secure POS systems can install malware and capture payment card data when swiped at the terminal before encryption.  Updated Anti Virus Software often will detect and prevent this type of attack  Ensure all POS workstations and servers are setup with Anti Virus Software  Ensure Anti Virus Software is configured to update periodically to learn about new emerging malware threats © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  13 4. Firewalls  Ensure firewalls are properly setup to prevent bad things from getting in  Just as critical, ensure firewall setup prevents the wrong things from getting out  Once hackers are in they need to get the “goods” out  Properly setup firewalls make it difficult for hackers to get in  And even harder to export the data “goods” out © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  14 5. Payment Processing Software  Ensure your vendor provides a software version that’s been security validated to PADSS compliance standards  Ensure that payment software is setup according to the secure implementation guide; so that the software is operated in a PCI compliant manner.  Ask the vendor to ensure that payment software DOES NOT store primary account numbers and sensitive authentication data  When upgrading software have vendor perform a secure delete to ensure no payment card data remains © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  6. Wireless  This was the “Achilles heal” of TJ Maxx, the US retailer who suffered card data breach of 45 million accounts to hackers…  Ensure that Wireless Access Points use the highest grade of encryption available  WPA2 using PSK (pre shared key) with 256bit AES encryption keys 15  No WEP or TKIP allowed.  Turn off SSID broadcast and adhere to general WLAN security best practices. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  7. Employees   16 22% of US Employees say they would feel comfortable selling their employers data according to Sail Point Research…  Background Checks, Security Cameras, Unique Employee login Credentials will help you monitor employee conduct.  Employees need to know their actions are being monitored and anyone committing acts of data theft will be terminated and prosecuted Ensure your business has an employee acceptable use guidance in your information security policy. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  17 8. Event Logging  Compromised merchants ask “what are the chances you will catch the party responsible for breach…  Likelihood is tied to quality / granularity of event logging  Keep 4 months of event logs on hand and 12 months of logs in backup storage  Review logs for malicious activity at least weekly  Ensure all employee users have individual accounts / passwords and never share user accounts and passwords. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  18 9. Outsourced IT Needs  Many businesses rely on independent IT companies to ensure they’re compliant with industry security standards  Ensure your IT company provides full disclosure and transparency about security systems and setups  Some IT companies provide agreed upon service levels and response time. Make sure that you document these in writing  Make sure that you validate that the IT companies security work is actually secure. (See #10) © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential 10 Practical Tips to Protect Your Business  19 10. PCI DSS Compliance & Validation  Remember that “compliance” is a point in time measurement  True “security” is a continuous process of improvement based on actual and emerging threats according to the level of business risk tolerance.  Compliance is easy once you have actually secured from risk threats  Validation of Compliance provides industry stakeholders “proof” that security controls are in place to protect your business and safe harbor from fines & penalties when account data is breached. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential Making PCI Validation Easy! PayPros PCI Compliance for Business  The Trustwave portal is used to complete the PCI Scan requirement. It finds and provides remediation to resolve vulnerabilities. Once identified issues are fixed, scan again to successfully validate compliance.  Complete the appropriate version of the Self-Assessment Questionnaire based on how you accept payment card at your business.  Submit the scan and questionnaire results to their acquirer  Continue to monitor security & compliance status – Compliant Network Scans are due quarterly. – Annual submission of self-assessment questionnaire 21 © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential Making PCI Validation Easy! PayPros PCI Compliance for Business  As POS systems are upgraded or replaced PCI DSS compliance will change, requiring merchants to revalidate to maintain PCI DSS compliance.  Only merchants with validated compliance have safe harbor from PCI-DSS non compliance fines and penalties associated with cardholder data breach.  Our Merchants using PADSS validated payment software that maintain PCI DSS compliance validation can benefit from Paypros Breach Reimbursement Guarantee. (Note: Terms & Conditions Apply)  22 If you don’t validate, you take on risk liability and may jeopardize your ability to accept payment cards! © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential For Additional Information or Questions Contact Rick Allen at [email protected] or call 1800-774-6462 Ext 4977 Thank You! Its Time for Questions & Answers 23 Payment Processing, Inc. is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; National Bank of Canada, Montreal, PQ; and Canadian Imperial Bank of Commerce, Toronto, ON. © 2009 Payment Processing, Inc. All Rights Reserved. PPI Confidential