Payment Card Industry Data Security Standards - PowerPoint Presentation

kittie-lecroy
Uploaded On 2019-06-29

Presentation Transcript

Slide 1: Payment Card Industry Data Security Standards
ISACA January 8, 2013

Slide 2: Cheryl Becker
- IT Auditor at Cintas Corporation
- Internal Audit Department
- Internal Security Assessor (ISA) Certification September 2010
- Annual re-certification
- Currently responsible for SOX IT and PCI testing as well as various Corporate audits
- Board of Governors, IIA Cincinnati Chapter

Slide 3: What is PCI DSS?
The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
- Applies to any entity that stores, processes and/or transmits CHD.

Slide 4: (no transcript text)

Slide 5: History Lesson
- PCI is not government legislation. It is an industry regulation.
- The major Card Brands (Visa, MC, Discover, Amex) decided to create regulations which were initially agreed upon by the Card Brands in 2004.
- PCI DSS version 1 is dated December 2004.
- On June 30, 2005, the regulations took effect.
- The PCI Security Standards Council came into existence in 2006.

Slide 6: PCI Security Standards Council
- The Council became responsible for the development, management, education and awareness of the PCI Data Security Standards.
- Each of the Card Brands (Visa, MC, Discover, Amex, JCB) has its own compliance program in accordance with its own security risk management policies, as well as its own definitions of the “levels” and its own penalizing/fining procedures for companies that have a breach.

Slides 7 and 8: Merchant Levels Overview

Level | Transaction volume | Card Brand coverage | Validation required
4 | Little credit card business | Some Card Brands do not have this level | Annual Compliance Validation
3 | Less than a million credit card transactions | Some Card Brands do not have this level | Annual Self-Assessment
2 | Millions (1+ to <6) credit card transactions | All Card Brands have this level | Must internally audit with a PCI certified Internal Security Assessor (ISA) using PCI DSS
1 | Many millions (2.5+ to 6+) credit card transactions | All Card Brands have this level | Must audit either using a PCI certified external Qualified Security Assessor (QSA) OR Internal Audit with ISA certification using PCI DSS

Slide9

The PCI SSC Sponsor Company Internal Security Assessor Program is a PCI DSS training and qualification program for eligible internal audit security professionals. The course helps participants improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance through:Enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments Supporting the consistent and proper application of PCI DSS measures and controls Effectively facilitating interactions with QSAs https://www.pcisecuritystandards.org/index.php

PCI

ISA Training Program

Slide 10: PCI DSS Versioning
- Version 2.0 as of October 2010
- Versions will be released on a three-year basis
- The PCI documentation (end result) has changed every year

Slide 11: PCI DSS Six Goals
- Build and Maintain a Secure Network
- Protect Card Holder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

Slide 12: 12 Requirements
1) Install and maintain a firewall configuration to protect Card Holder Data (CHD)
- Firewall and Router configuration standards
- Review Network Diagram
- Firewall and Router connections are restricted (inbound/outbound traffic)
- No direct internet connection to CHD (DMZ)
2) Do not use vendor supplied defaults
- Attempt to sign on with defaults
- Hardening standards and system configuration
- Non-console admin access is encrypted

Slide 13: 12 Requirements
3) Protect stored CHD
- Retention Policy and Procedures
- Quarterly process for deleting stored CHD
- Sample incoming transactions, logs, history files, trace files, database schemas and content
- Do not store full track, CVV or PIN
- Render PAN unreadable (mask/truncate)
- Encryption and key management
4) Encrypt transmission of CHD
- Verify encryption and encryption strength
- Verify wireless is industry best practice (no WEP)
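An added example, not from the presentation, of the check behind the Requirement 3 bullets above: sample a trace or log file for stored PANs (Luhn-validated so order ids and timestamps are not flagged) and render any found PAN unreadable by masking to first six and last four digits. The trace excerpt and card numbers are constructed test values.

```python
import re

# Constructed excerpt of the kind of trace/log file sampled under Requirement 3.
# Line 1 holds a full test PAN, line 2 an already masked one, line 3 a
# 16-digit order id that is not a card number, line 4 a PAN with spaces.
SAMPLE_TRACE = """\
2013-01-08 09:14:02 auth ok pan=4111111111111111 amt=42.10
2013-01-08 09:14:05 auth ok pan=411111******1111 amt=19.99
2013-01-08 09:14:09 order id=1234567890123456 status=shipped
2013-01-08 09:14:11 auth ok pan=5500 0000 0000 0004 amt=7.50
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every issued card number passes, random digit runs mostly fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, pan) for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def mask_text(text: str) -> str:
    """Rewrite text with every detected PAN rendered unreadable in place."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)
```

Any hit from find_pans on a file that should not contain CHD is a Requirement 3 finding; mask_text is the remediation for data that must be kept.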

Slide 14: 12 Requirements
5) Use and regularly update Antivirus software
- All systems have AV
- AV is current, actively running and logging
6) Develop and maintain secure systems and applications
- Patch management – current within one month
- ID new security vulnerabilities with risk rating
- Custom code is reviewed prior to release
- Change management process
- Developers are trained in secure coding techniques

Slide 15: 12 Requirements
7) Restrict access to CHD by need-to-know
- Review access policies
- Confirm access rights for privileged users
- Confirm access controls are in place
- Confirm access controls default to “deny-all”
8) Assign a unique ID to each user
- Verify all users have a unique ID
- Verify authentication with ID/PW combination
- Verify two-factor authentication for remote access
- Verify terminated users are deleted
- Inspect configurations for PW controls

Slide 16: 12 Requirements
9) Restrict physical access to CHD
- Access to computer rooms and data centers
- Video cameras are in place and video is secure
- Network jacks are secure – not in visitor area
- Process for assigning badges
- Storage locations are secure (offsite media)
10) Track and monitor all access to network resources
- Review audit trails – actions, time, date, user, etc.
- Time server updates and distribution
- Process to review security logs

Slide 17: 12 Requirements
11) Regularly test security systems
- Test for wireless access points
- Internal and external network vulnerability scans
- Internal and external penetration testing annually
- File integrity monitoring tools are used
12) Maintain security policies
- Policies are reviewed at least annually
- Explicit approval is required for access
- Auto disconnect for inactivity – internal and remote
- Security awareness program is in place
- Incident Response Plan

Slide 18: PCI DSS Tests
- ~260 tests
- PCI DSS gives both the requirement and the test
- Every test has to have an answer
- Every bullet within each test must have an answer
- If the requirement is not in place, a target date and comments must be made
- If there are compensating controls, a Compensating Control Worksheet must be completed

Slide 19: PCI Documentation
- Attestation of Compliance
- Executive Summary Score Report on Compliance
- Test Procedures Score Sheet Report on Compliance

Slide 20: Attestation of Compliance
- This is the document that is submitted to the appropriate companies
  - Scanning vendor
  - Merchant (i.e. Bank)
  - Card Brand Company (i.e. Amex)
- Signed by ISA/QSA and Officers of the Company
- Brief overview of Company and Cardholder Data Environment
  - Not a website copy/paste
  - My summation of the company (business, DC, locs)

Slide 21: Attestation of Compliance
- Brief overview of how the company stores, processes and/or transmits cardholder data
  - Terminals
  - Applications
  - Third parties
- State if we are compliant
- All 12 Requirements are listed stating “in place” or “not in place” and “special” like N/A
- At the bottom explain special – N/A may be ‘not a service provider’

Slide 22: Compensating Control Worksheet
- Within the Attestation of Compliance
- The “special” column is where to state if it is a compensating control
- “NOTE: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance”
- Ex: cannot do 7 character pw on mainframe

Slide 23: Executive Summary Score Report on Compliance
- Detailed overview of CHDE – explain the flow from ‘swipe’
  - Phone orders
  - Online orders
  - Monthly charges
  - Any other way CHD is processed
- Network diagram prepared by ISA/QSA
- Validate and explain scope – flat vs. segment
- Validate myself

Slide 24: Executive Summary Score Report on Compliance
- Explain the environment
  - Personnel
  - Payment channels
  - IT Environment
  - Locations
- Explain sampling method
- Exclusions and why they were excluded
  - Wholly-owned Entities
  - International locations
  - Wireless Environment

Slide 25: Executive Summary Score Report on Compliance
- Service providers
- Third-party applications
- Individuals interviewed with titles
- List of documentation reviewed
- My contact information
- Quarterly scan information
- Findings and observations

Slide 26: Test Procedures Score Sheet Report on Compliance
- How each control was tested
  - Observation – configuration or process
  - Sampling
  - Interview with whom
  - Document reviews

Slide 27: Lessons Learned
- Give yourself enough time to complete the final reports
- Answer all of the points in each test
- Know your scope
- Inventory the environment
- Use a firewall to segment
- If you are getting your QSA/ISA, complete the training and study
- Users/coworkers/employees do not understand IT security (i.e. email)

Slide 28: Cheryl Becker
IT Auditor
Cintas Corporation
beckerc@cintas.com