Compliance Update
- The importance of PCI DSS and PA DSS

Brooks Wallace
25 November 2010

© 2010

Agenda
• Overview of PCI SSC
  – Changes to the Standards
  – Relationship between PCI and PA DSS
• EMEA Fraud Trends
• PA DSS Case Study
• PCI DSS Case Study
• About Trustwave
  – Compliance Solutions
  – Choosing a QSA
• Summary

Payment Card Industry Security Standards Council (PCI SSC)

Who is the SSC?

Founded in 2006 by American Express, Discover, JCB, MasterCard and Visa

• They are governed by an Executive Committee comprised of representatives from those card brands
• Their primary objectives include:
  – Custodian of the PCI DSS, PA-DSS and PTS
  – QSA/PTS Lab education, certification and quality assurance
  – Final validation and listing maintenance for PA-DSS validated applications

Overview of Standards Changes
• October 28, 2010 – PCI DSS 2.0 Released
• January 1, 2011 – PCI DSS 2.0 Effective
• December 31, 2011 – PCI DSS 1.2.1 Retired
• July 1, 2012 – Risk Ranking (PCI DSS 6.2) sunrise*

* Affects PA-DSS 5.2.6 and 7.1

Reasons for Change
• Improve clarity
• Improve flexibility
• Align with industry best practices
• Eliminate redundancy
• Manage evolving risks / threats

Change Categories
• Additional guidance (2)
  Explanations and/or definitions to increase understanding or provide further information on a particular topic (e.g. scoping requirements).

• Evolving requirements (3)
  Changes to ensure that the standards are up to date with emerging threats and changes in the market (e.g. data search for scope confirmation, vulnerability risk ranking).

• Clarification (52)
  Clarifies the intent of a requirement, ensuring that concise wording in the standards portrays the desired intent (e.g. encryption related to PAN, addition of ‘and router’ in 1.2).

Frequent Questions
• Why is PA DSS compliance ‘suddenly’ important?
  PA-DSS has always been important, as insecure applications are the number one cause of data loss. A July 2012 deadline is in place for all merchants to use PA-DSS validated software or face penalties from the merchant’s acquiring bank.

• If I use a PA DSS compliant application am I PCI DSS compliant?
  No. PA-DSS only SUPPORTS PCI compliance; it does not ensure it. The merchant still has to validate their compliance with PCI DSS by showing that the application has been installed as per the vendor’s Installation Guide.

• Does PA-DSS compliance save me money with PCI DSS compliance validation?
  Yes. Applications that are not PA-DSS compliant must be FULLY assessed and validated against the PCI DSS, which is complex and therefore time consuming. With PA-DSS compliant applications, the assessor need only confirm that the installation is as per the Installation Guide.

• Does PA DSS compliance reduce the scope of my PCI DSS validation?
  No. PA-DSS only SUPPORTS PCI compliance; all devices that transmit, process, or store cardholder data are in scope for PCI compliance. PA DSS applications reduce the risk to cardholder data, but the systems on which they run must be secure.

Get the Details
PCI SSC Website: www.pcisecuritystandards.org
• List of Qualified Security Assessors (QSA)
• List of compliant Payment Applications
• Participating Organisations
• List of QSAs in remediation
• All standards and guidelines (some language support)
• FAQs

Trustwave Webinar Archive: www.trustwave.com
• PA DSS 2.0: What do you need to know?
• PCI DSS 2.0: What can you expect?
• PCI DSS Expert Panel: Your Questions Answered
  – 1 December for EMEA

Global Security Report - 2010

On the Trustwave Web site: https://www.trustwave.com/whitePapers.php

Incident Response – The Sample Set
218 Investigations

• 24 countries
• 18% Found Inconclusive
  – No evidence of critical data leaving
  – Many factors impact an inconclusive case
• Average of 156 Day Lapse Between Initial Breach and Detection!

Incident Response – The Sample Set
Countries Represented in 2009

Australia
Belgium
Canada
Chile
China
Cyprus
Denmark
Dominican Republic
Ecuador
Germany
Greece
Ireland
Luxembourg
Malaysia
Puerto Rico
Saudi Arabia
South Africa
Sri Lanka
Switzerland
Ukraine
United Arab Emirates
United Kingdom
United States
Virgin Islands

SpiderLabs visited 24 different countries in 2009 to perform

Incident Response – The Sample Set
Industries

L4 Merchants make up over 90% of Trustwave investigations

Incident Response – Investigative Conclusions
Types of Data at Risk

Payment Card Data is a target for criminals looking to turn data into cash quickly.

Incident Response – Investigative Conclusions
Types of Target Assets

While many POS vendors have patched their systems to support security controls, many companies are still running very old software.

Incident Response – Investigative Conclusions
System Administration Responsibility

Third Party vendors are often negligent in their administration of security controls and best practices.

Summary
• Attackers are using old vulnerabilities
• Attackers know they won’t be detected
• Organizations do not know what they own or how their data flows
• Blind trust in 3rd parties is a huge liability
• Fixing new/buzz issues, but not fixing older issues
• This is just the ‘low hanging fruit’; as PCI takes effect, the thieves will move on to easier targets

Compliance Case Studies

PA-DSS Case Study
Type: Payment Application Provider
• Compliance Issues:
  − Ensure security of online and back-end processing
  − Address common data breach attack vectors (SQL injection, cross-site scripting)
  − Ensure SSL encryption for all transactions

• Trustwave Solution:
  − Analyzed IT architecture to properly scope for compliance validation needs prior to assessment activity
  − Performed application penetration testing and PA DSS assessment
  − Provided an EV SSL certificate for necessary encryption with the highest degree of identity validation

PCI Case Study
Type: Level 4 Merchant (Hospitality)
• Compliance Issues:
  − Hospitality environment holds inherent risks
  − Multiple, often vastly distributed, locations – difficult to manage
  − Legacy systems, multiple third party providers

• Trustwave Solution:
  − Engaged TrustKeeper® compliance tool to easily manage scanning and questionnaires for multiple locations
  − Installed Unified Threat Management (UTM) at each location for ongoing perimeter management and protection, including firewall, intrusion prevention, content filtering, virtual private network
  − Pragmatic approach to assessment services utilising significant industry knowledge and experience

About Trustwave

Choosing a QSA

Choosing the RIGHT QSA is difficult, choosing the wrong QSA is disastrous.

Questions you should be asking your QSA include:
• How many of your QSAs have submitted a compliant RoC to either an acquirer or Card Scheme?
• How many RoCs has your company submitted?
• How do you compensate for the differing opinions of QSAs (based on their unique skill-sets)?
• How many assessments has your company performed in my industry vertical?
• Do you provide any other compliance related services?
• How do you help clients maintain compliance?

The leader in compliance and data security
• MSSP with more than 1,400 devices under management
• Monitor more than 18 million events per day
• Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
• Performed more than 4,000 network and application penetration tests
• Conducted more than 740 forensic investigations
• Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
• PCI DSS leader – Trustwave has certified 42 percent of PsPs; 40 percent of Payment Apps.
• Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); OIRA (2005)

TrustKeeper Merchant Experience

www.trustwave.com

TrustKeeper Merchant Experience
Help and Guidance

www.trustwave.com

Summary
• The PCI SSC is making it easier for you to understand the PCI and PA DSS standards
• PA DSS compliant applications do not automatically make you PCI DSS compliant
• Compromises are going undetected and hackers are using old vulnerabilities to get in
• Choosing the right QSA is difficult but many have the tools and skills to help you achieve compliance
• Trustwave is a good resource for any merchant for information on PCI and PA DSS

Thank You
