Latests status on pci and pcipa 2010 (Retail Trends)

2. Agenda
Overview of PCI SSC
– Changes to the Standards
– Relationship between PCI and PA DSS
EMEA Fraud Trends
PA DSS Case Study
PCI DSS Case Study
About Trustwave
– Compliance Solutions
– Choosing a QSA
Summary
© 2010
4. Who is the SSC?
Founded in 2006 by American Express, Discover, JCB, MasterCard and Visa
Governed by an Executive Committee made up of representatives from those card brands
Their primary objectives include:
– Custodian of the PCI DSS, PA-DSS and PTS standards
– QSA/PTS Lab education, certification and quality assurance
– Final validation and listing maintenance for PA-DSS validated applications
5. Overview of Standards Changes
October 28, 2010 – PCI DSS 2.0 Released
January 1, 2011 – PCI DSS 2.0 Effective
December 31, 2011 – PCI DSS 1.2.1 Retired
July 1, 2012 – Risk Ranking (PCI DSS 6.2) sunrise*
* Affects PA-DSS 5.2.6 and 7.1
6. Reasons for Change
Improve clarity
Improve flexibility
Align with industry best practices
Eliminate redundancy
Manage evolving risks / threats
7. Change Categories
Additional guidance (2)
Explanations and/or definitions to increase understanding or provide further information on a particular topic (e.g. scoping requirements).
Evolving requirements (3)
Changes to ensure that the standards are up to date with emerging threats and changes in the market (e.g. data search for scope confirmation, vulnerability risk ranking).
Clarification (52)
Clarifies the intent of a requirement, ensuring that concise wording in the standards conveys the desired intent (e.g. encryption related to PAN, addition of ‘and router’ in 1.2).
12. Frequent Questions
• Why is PA DSS compliance ‘suddenly’ important?
PA-DSS has always been important, as insecure applications are the number one cause of data loss. A July 2012 deadline is in place for all merchants to use PA-DSS validated software or face penalties from the merchant’s acquiring bank.
• If I use a PA DSS compliant application am I PCI DSS compliant?
No. PA-DSS only supports PCI DSS compliance; it does not ensure it. The merchant still has to validate their own compliance with PCI DSS, which includes showing that the application has been installed as per the vendor’s Installation Guide.
• Does PA-DSS compliance save me money with PCI DSS compliance validation?
Yes. Applications that are not PA-DSS compliant must be fully assessed and validated against the PCI DSS, which is complex and therefore time consuming. With PA-DSS compliant applications, the assessor need only confirm that the installation is as per the Installation Guide.
• Does PA DSS compliance reduce the scope of my PCI DSS validation?
No. PA-DSS only supports PCI compliance; all devices that transmit, process, or store cardholder data remain in scope for PCI compliance. PA DSS applications reduce the risk to cardholder data, but the systems on which they run must still be secured.
13. Get the Details
PCI SSC Website: www.pcisecuritystandards.org
• List of Qualified Security Assessors (QSA)
• List of compliant Payment Applications
• Participating Organisations
• List of QSAs in remediation
• All standards and guidelines (some language support)
• FAQs
Trustwave Webinar Archive: www.trustwave.com
• PA DSS 2.0: What do you need to know?
• PCI DSS 2.0: What can you expect?
• PCI DSS Expert Panel: Your Questions Answered (1 December for EMEA)
15. Incident Response –The Sample Set
218 Investigations
• 24 countries
• 18% Found Inconclusive
– No evidence of critical data leaving
– Many factors impact an inconclusive case
• Average of 156 days between initial breach and detection
16. Incident Response – The Sample Set
Countries Represented in 2009
SpiderLabs visited 24 different countries in 2009 to perform these investigations:
Australia, Belgium, Canada, Chile, China, Cyprus, Denmark, Dominican Republic, Ecuador, Germany, Greece, Ireland, Luxembourg, Malaysia, Puerto Rico, Saudi Arabia, South Africa, Sri Lanka, Switzerland, Ukraine, United Arab Emirates, United Kingdom, United States, Virgin Islands
17. Incident Response – The Sample Set
Industries (chart)
Level 4 merchants make up over 90% of Trustwave investigations.
18. Incident Response – Investigative Conclusions
Types of Data at Risk
Payment card data is a target for criminals looking to turn data into cash quickly.
19. Incident Response – Investigative Conclusions
Types of Target Assets
While many POS vendors have patched their systems to support security controls, many companies are still running very old software.
20. Incident Response – Investigative Conclusions
System Administration Responsibility
Third Party vendors are often negligent in their administration of security controls and best practices.
21. Summary
• Attackers are using old vulnerabilities
• Attackers know they won’t be detected
• Organizations do not know what they own or how their data flows
• Blind trust in third parties is a huge liability
• Fixing new/buzz issues, but not fixing older issues
• This is just the ‘low hanging fruit’; as PCI takes effect, the thieves will move on to easier targets
23. PA-DSS Case Study
Type: Payment Application Provider
• Compliance Issues:
− Ensure security of online and back-end processing
− Address common data breach attack vectors (SQL injection, cross-site scripting)
− Ensure SSL encryption for all transactions
• Trustwave Solution:
− Analyzed IT architecture to properly scope for compliance validation needs prior to assessment activity
− Performed application penetration testing and PA DSS assessment
− Provided an EV SSL certificate for the necessary encryption; the encryption itself comes from SSL/TLS regardless of certificate type, while EV adds the highest degree of identity validation of the certificate holder
24. PCI Case Study
Type: Level 4 Merchant (Hospitality)
• Compliance Issues:
− Hospitality environment holds inherent risks
− Multiple, often widely distributed, locations – difficult to manage
− Legacy systems, multiple third party providers
• Trustwave Solution:
− Engaged TrustKeeper® compliance tool to easily manage scanning and questionnaires for multiple locations
− Installed Unified Threat Management (UTM) at each location for ongoing perimeter management and protection, including firewall, intrusion prevention, content filtering and virtual private network
− Pragmatic approach to assessment services utilising significant industry knowledge and experience
26. Choosing a QSA
Choosing the RIGHT QSA is difficult; choosing the wrong QSA is disastrous.
Questions you should be asking your QSA include:
• How many of your QSAs have submitted a compliant RoC to either an acquirer or Card Scheme?
• How many RoCs has your company submitted?
• How do you compensate for the differing opinions of QSAs (based on their unique skill-sets)?
• How many assessments has your company performed in my industry vertical?
• Do you provide any other compliance related services?
• How do you help clients maintain compliance?
27. The leader in compliance and data security
• MSSP with more than 1,400 devices under management
• Monitor more than 18 million events per day
• Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
• Performed more than 4,000 network and application penetration tests
• Conducted more than 740 forensic investigations
• Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
• PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40 percent of Payment Apps
• Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); OIRA (2005)
31. Summary
• The PCI SSC is making it easier for you to understand the PCI and PA DSS standards
• PA DSS compliant applications do not automatically make you PCI DSS compliant
• Compromises are going undetected and hackers are using old vulnerabilities to get in
• Choosing the right QSA is difficult, but many have the tools and skills to help you achieve compliance
• Trustwave is a good resource for any merchant for information on PCI and PA DSS