Walter Conway, QSA 403 Labs, LLC PCI DSS Compliance in 2013 California State University Auxiliary Organizations Association January 17, 2013

Walter Conway, QSA, 403 Labs, LLC
PCI DSS Compliance in 2013
California State University Auxiliary Organizations Association
January 17, 2013

California State University AOA, January 2013 | Walter Conway, QSA | 403 Labs, LLC | © 2013 2

Agenda
- PCI and Higher Ed
- Mobile commerce
- Point-to-Point Encryption
- Special Interest Group guidance
- PCI DSS v 3.0 this year

Walt Conway, 403 Labs
- PCI QSA, consultant, blogger, trainer, speaker, author
  - Former Visa VP
  - Represent NACUBO at PCI Council
  - Help schools become PCI compliant
- 403 Labs: Security consulting firm
  - All things PCI: QSA, PA-QSA, ASV, PFI

PCI DSS: 6 Goals, 12 Requirements

[Diagram slide: the six PCI DSS goals and the twelve requirements grouped under them]

Some PCI DSS Basics
- Payment Card Industry Data Security Standard
- Goal is to protect cardholder data
  - And to keep you out of the headlines
  - PCI does not make you secure
- If you take plastic, PCI applies to you
- PCI scope includes
  - Any system that "stores, processes, or transmits" cardholder data
  - Any connected system
- PCI is a program, not a project
- Two things you need to accept about PCI
  - Your costs have gone up
  - You will change the way you do business

Mobile Commerce is Here
- Smartphones and tablets are ubiquitous
- The dongles are winning
- Sleds are an option with some POS system providers
- One problem: none of the devices is PCI DSS compliant
  - Devices not secure
  - Applications not secure
  - Dongles not encrypting card data

Mobile Commerce: The Way Forward
- PCI Council approach: P2PE
- A secure solution, which has its own issue:
  - Approved secure card readers and approved P2PE solution providers are in short supply

Mobile Commerce: The Way Forward
- May 2012: MasterCard guidance to merchants
  - Introduced "Payment Facilitator" (e.g., Square)
  - Limitations on activity
  - PCI compliance presents a "unique challenge"...
- June 2012: Visa clarifications
  - Use the payment application only as intended
  - Restrict device access
  - Don't install malware (i.e., bye-bye Angry Birds)
  - Application should adhere to principles of PCI

Mobile Commerce: The Way Forward

[Slide shows the cover of "MasterCard Best Practices for Mobile Point of Sale Acceptance" (May 2012), a document intended for all entities that develop, deploy, or use MPOS solutions. Highlighted statistic: approximately 75% of the estimated 1.2 million MPOS solutions shipped to MasterCard merchants globally throughout 2010 and 2011 went to merchants who did not previously accept payment card transactions.]

Mobile Commerce: The Way Forward
- PCI Council issued payment application developer guidelines
  - Look for secure apps(?)
- Dongles are not risk-free
  - Check the fine print!
- Mobile POS device is an option for some merchants
- Monitor P2PE for more options

Point-to-Point Encryption: Definition
- Point-to-point encryption (P2PE):
  - People, processes and technology
  - That encrypt and decrypt cardholder or sensitive authentication data
- "Point": one designated and independently validated encryption device or location (the source, or encryption point)
- "to": the data are subsequently sent as unreadable ciphertext for decryption to...
- "Point": a second designated and independently validated decryption device or location (the destination, or decryption point)
- "Encryption": the algorithmic process of transforming plaintext into unreadable ciphertext
- Note: there is no such thing as "End-to-End" encryption...

P2PE In Theory

[Diagram of the P2PE model. Source: PCI SSC]

P2PE In Theory
- Ideally, P2PE encrypts data everywhere in the merchant environment
  - Merchant has no access to card data
  - Data remain encrypted between the merchant and the processor
  - No decryption is feasible at any point between the source and the destination
- The payoff: P2PE can reduce the cost of PCI compliance
  - Self-Assessment Questionnaire just for P2PE
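The two P2PE slides above describe the model in words: a validated reader encrypts at the source, the merchant tier carries only ciphertext, and only the validated destination holds a key. The following Go program is an added illustration of that model and is not code from the presentation, the PCI Council, or any P2PE solution provider. It assumes AES-256-GCM as the cipher, a reader identifier bound as authenticated data, and a constructed test PAN; real solutions inject keys and manage devices under the P2PE standard's own requirements, which this sketch does not reproduce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// EncryptedTrack is what leaves the encryption point. Only the decryption
// point can turn Ciphertext back into a PAN; MaskedPAN is the merchant's
// only view of the card number (first six and last four digits).
type EncryptedTrack struct {
	ReaderID   string
	MaskedPAN  string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// CardReader models the P2PE "source": a validated device whose key was
// injected by the solution provider and never leaves it.
type CardReader struct {
	id  string
	key []byte
}

// Processor models the P2PE "destination": the only other key holder.
type Processor struct {
	keys map[string][]byte // reader ID -> decryption key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Swipe encrypts the PAN inside the reader and emits a track the merchant
// can forward but not read. The reader ID is bound as additional
// authenticated data so a track cannot be presented under another reader.
func (r *CardReader) Swipe(pan string) (EncryptedTrack, error) {
	gcm, err := newGCM(r.key)
	if err != nil {
		return EncryptedTrack{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTrack{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(r.id))
	return EncryptedTrack{ReaderID: r.id, MaskedPAN: maskPAN(pan), Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantView is everything the merchant POS, network and staff see.
// No key exists in this tier, which is what takes it out of PCI scope.
func MerchantView(t EncryptedTrack) string {
	return fmt.Sprintf("reader=%s pan=%s blob=%s", t.ReaderID, t.MaskedPAN, hex.EncodeToString(t.Ciphertext))
}

// Decrypt recovers the PAN at the destination; any modification of the
// track in transit fails authentication and is rejected here.
func (p *Processor) Decrypt(t EncryptedTrack) (string, error) {
	key, ok := p.keys[t.ReaderID]
	if !ok {
		return "", errors.New("no key for reader " + t.ReaderID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, t.Nonce, t.Ciphertext, []byte(t.ReaderID))
	if err != nil {
		return "", fmt.Errorf("track from %s rejected: %w", t.ReaderID, err)
	}
	return string(pt), nil
}

// NewDemoSolution provisions one reader and the processor that can decrypt
// it with a constructed key; this stands in for P2PE key injection.
func NewDemoSolution() (*CardReader, *Processor, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	reader := &CardReader{id: "READER-0001", key: key}
	return reader, &Processor{keys: map[string][]byte{reader.id: key}}, nil
}

func main() {
	reader, proc, err := NewDemoSolution()
	if err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test-range PAN
	track, _ := reader.Swipe(pan)
	fmt.Println("merchant sees:", MerchantView(track))
	recovered, err := proc.Decrypt(track)
	fmt.Println("processor recovered PAN:", recovered == pan, err)
	track.Ciphertext[0] ^= 0x01 // simulate alteration in the merchant tier
	_, err = proc.Decrypt(track)
	fmt.Println("altered track rejected:", err != nil)
}
```

The point to take from the program is the slide's "no decryption is feasible at any point between the source and the destination": the merchant tier is structurally unable to recover the PAN, and the authenticated cipher means it cannot silently alter the track either.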

P2PE: Where We Are Today

[Diagram slide]

P2PE: Where We Are Today, part 2
- Can acquirer or vendor options reduce PCI scope, maybe as well as P2PE?
  - They encrypt card data at POS
  - Merchant cannot access cleartext card data
- To find out, merchant must perform due diligence on solution and provider
  - Examine technical and operational characteristics
  - Service provider capabilities, PCI compliance
- Risk: everything depends on FAQ 10359
- Risk: Service Level Agreement

Special Interest Group (SIG)
- Three SIGs in 2012
  - Risk assessment
  - Cloud computing
  - eCommerce
- Two SIGs for 2013
  - Staying PCI compliant
  - Managing third parties

[Slide shows the cover of the Information Supplement "PCI DSS Risk Assessment Guidelines", Version 1.0, November 2012, by the Risk Assessment Special Interest Group (SIG), PCI Security Standards Council.]

What Is New in 2013
- Comments on v 2.0 received from Participating Organizations
- PCI DSS v 3.0 will be effective in October
  - Both v 2.0 and v 3.0 in effect in 2014
  - PCI DSS may not change significantly
  - SAQs may change, possibly a great deal

How Schools Address PCI
- Secure top management commitment
  - Develop your pitch: PCI is a business issue, not a security issue
  - Budget adequately: PCI is a program, not a project
- Build a dedicated, multidisciplinary team
- Inventory data, processes, vendors
  - Ask, interpret, verify, explore where stuff is, where it goes
- Engage stakeholders, communicate
  - Hold users accountable for behavior (consequences)
- Outsource payment functions, but do it carefully
  - Payment processors
  - Payment applications you host

Where's My Silver Bullet?
- Minimize PCI scope (aka PCI "Requirement 0")
  - Store no cardholder data (even paper)
  - Segment your network
  - Change processes and procedures
  - Map your cardholder data flow
  - Perform a PCI gap analysis to identify non-compliant processes and systems
- Emerging technologies
  - Tokenization
  - Point-to-Point Encryption
- Get trained:
  - PCI Council training
  - Treasury Institute PCI Workshop (May 13-15, 2013)
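"Store no cardholder data" and "map your cardholder data flow" are only verifiable if you can find PANs where they should not be, which is also the "verify, explore where stuff is" step on the previous slide. The Go scanner below is an added example, not a tool from the presentation or from 403 Labs: it pulls digit runs out of text, keeps only those that pass the Luhn check so order numbers and timestamps drop out, and reports each hit masked (first six, last four) so the scan report does not itself become stored cardholder data. The log excerpt is constructed and uses only well-known test-range card numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one candidate PAN located in the scanned text. Only the
// masked form is kept so the report itself is not cardholder data.
type Finding struct {
	Line   int
	Masked string
}

// candidate matches 13 to 19 digits, optionally separated by single
// spaces or hyphens, which covers PANs as they are typically typed or logged.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check-digit
// test that payment card numbers satisfy; it weeds out order numbers,
// timestamps and other digit runs that merely look like a PAN.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits, the usual display form.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// FindPANs scans text line by line and returns every Luhn-valid candidate,
// masked, with its 1-based line number.
func FindPANs(text string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for n, line := range strings.Split(text, "\n") {
		for _, m := range candidate.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if luhnValid(digits) {
				out = append(out, Finding{Line: n + 1, Masked: maskPAN(digits)})
			}
		}
	}
	return out
}

// SampleLog is a constructed excerpt of the kind of application log a scope
// review turns up. Lines 1 and 2 hold test-range PANs, line 3 is already
// masked, line 4 is a 16-digit reference that fails Luhn, line 5 is a phone number.
const SampleLog = "2013-01-17 10:22:01 order=88123 card=4111111111111111 amount=42.00\n" +
	"2013-01-17 10:22:05 order=88124 card=5555 5555 5555 4444 amount=19.95\n" +
	"2013-01-17 10:23:10 order=88125 card=411111******1111 amount=7.50\n" +
	"2013-01-17 10:24:41 ref=1234567890123456 status=declined\n" +
	"2013-01-17 10:25:00 phone=479-555-0100 contact=bursar"

func main() {
	for _, f := range FindPANs(SampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, f.Masked)
	}
}
```

Run against the constructed log, the scanner reports lines 1 and 2 only. The Luhn filter is what makes a scan like this usable at scale: without it, every long order or reference number is a false positive, and with it a hit is worth a human look. A real review would point FindPANs at exported logs, spreadsheets and mailbox dumps, and every confirmed hit is a system that is in scope until the data is removed.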

Resources
- PCI Council:
  - https://www.pcisecuritystandards.org/
  - RSS Feed: https://www.pcisecuritystandards.org/news_events/index.php
- Visa:
  - http://usa.visa.com/merchants/risk_management/cisp.html
  - RSS Feeds: http://usa.visa.com/merchants/merchant_resources/data_security_rss_feed.html
- MasterCard:
  - http://www.mastercard.com/us/sdp/merchants/index.html
- Treasury Institute for Higher Education
  - http://www.treasuryinstitute.org/
  - http://treasuryinstitutepcidss.blogspot.com/
  - PCI Listserv: Chrissy Woodward, University of Arkansas, Fayetteville, [email protected]

Thank You
- Your comments? Questions? Thoughts?
- email: [email protected]
- Follow my PCI column at storefrontbacktalk.com
- Higher Education PCI blog (Treasury Institute): treasuryinstitutepcidss.blogspot.com