Payment Security & PCI DSS a Barclaycard perspective - London Transport Museum 31st January 2012
Payment Security & PCI DSS: a Barclaycard perspective
London Transport Museum, 31st January 2012
Matt Martin, Payment Security Manager, Barclaycard Global Payment Acceptance
Confidential
So what’s it all about?
The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004 to help protect businesses and their customers’ payment card information. PCI DSS is about preventing card payment information held by merchants, or their third parties, from being used fraudulently, and avoiding the consequent financial and reputational losses that can result.
PCI DSS is not a standard for standards’ sake; it is a collection of good data security practices and controls that are often already in place. It just happens to focus specifically on payment card holder data.
global payment acceptance
Threats of the digital era…
• By 2015 there will be more than 15 billion interconnected devices on the planet, twice the world population.*
• In that period, the total amount of global Internet traffic will quadruple.*
• The most recent figures estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people.**
• Every year, we share more of ourselves online.
• Each time we do this, we place our data and our faith in the security measures taken by those managing it on our behalf.
* Cisco(R) Visual Networking Index (VNI) Forecast (2010-2015), June 2011
** National Fraud Authority, October 2010
It’s not just the big guys who’re targeted…
Sony, Travelodge, Wordpress, United Nations, Epsilon, RSA, Lush, Dropbox, Citigroup, Lockheed Martin, Betfair (attackers named on the slide: Lulzsec, Anonymous, TeaMp0isoN)
Infosec breaches have become a statistical certainty.
It also affects the smaller guys
Smaller companies are often targeted, and are more vulnerable to cyber crime, than larger companies.
Fraud News…
☺ Debit and credit card fraud fell by £75M in 2010 to the lowest level for a decade. This represents a 17% drop to £365M, compared to a 28% fall in 2009.
☺ Phone, internet and mail-order (CNP, Card Not Present) fraud fell 15%, compared to a 19% drop in 2009.
Crooks still got away with nearly £1million/day. CNP fraud remains by far the biggest category.
“While another drop in fraud is good news, the crooks haven’t shut up shop, which is why there can be no room for complacency from the industry, shops or consumers.” DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit
Source: UK Cards Association, March 2011
So I need to get compliant…
That said, whichever way you cut it, achieving PCI DSS compliance is a significant undertaking for any business. When first approaching the process, many describe it as overwhelming, confusing and a little daunting in terms of the time, resource and budget it seems to take. It’s no wonder many park the paperwork at the back of a bottom drawer…
Help is at hand…
The good news is that help is at hand and, if approached in the right way, becoming PCI DSS compliant does not have to be a painful process. Nor does it have to take as much time or effort as you may have been led to believe. The truth is that everyone involved in the PCI DSS process specifically, and in online payments in general, has a vested interest in creating a safe and secure environment for consumers. So there are plenty of people available that can help you achieve compliance.
Choosing the right partners
As a very first step in simplifying merchant payment security endeavours, Barclaycard always advises retailers to seek PCI DSS compliant service providers (e.g. payment gateways, processors, managed hosting providers, shopping carts). But we understand that security can be tricky to navigate and businesses may not always have the in-house expertise to embed information security in their environments. As in everything, picking the right partners and advisers is key.
The key partnership you may need to consider when taking on PCI DSS compliance is a Qualified Security Assessor (QSA). Note that a QSA may not always be applicable for some small businesses with simple payment processes, where self-assessment may be the preferred route. In this case our advice is to enrol with your acquiring bank’s merchant compliance programme, which will be run in conjunction with a QSA company.
Choosing the right QSA for you
The Qualified Security Assessor, or QSA, is by far your most important partner. They are the trusted advisor who guides you through the compliance process. They are there to help you define the scope of the project, to identify the controls that need to be put in place, discover where the gaps are and, essentially, calculate the cost of achieving compliance.
The problem is that some merchants view them as auditors and approach the relationship as if that is what they are. This could not be further from the truth. PCI DSS is not an audit, it is an assessment and, as such, the QSA is not an auditor who has been put on this earth to catch you out and make your life a misery. In fact, quite the opposite is true. Their aim is to ensure that the burden of compliance is as light as possible and that you achieve your goal as quickly and efficiently as you can.
Your relationship with the QSA should therefore be viewed as a partnership. After all, you are in this together and have a joint responsibility to achieve a successful assessment. Their reputation quite literally depends on it. Failure to properly assess a merchant can have dire consequences for a QSA. They will face fines and could be struck off the PCI SSC register. It is in their best interests to do the best job possible.
To get the most out of a QSA it is important that they are the right people for you and your business. Like any external consultant, be it an accountant or solicitor, you have to feel comfortable that they have the knowledge and expertise necessary to do what needs to be done. They must also be available as and when you need them, which is likely to be a lot. Being thorough in your selection is vital.
What to look for in a QSA…
Does the QSA consultancy have the right credentials? Is the QSA right for your business? Does the QSA consultancy have their own agenda?
Look for: Interpreter, Payment experience, Industry expertise, Communicator, Networker.
The Top 5 Questions you must ask your QSA
1. How many assessments has your company undertaken this year?
2. How many assessments have you undertaken in our industry sector?
3. How many assessments have you undertaken for a company of our size?
4. How long have you been with your consultancy?
5. Have you got consultants that are ISO 27001 lead auditor accredited?
6. What other services does your company provide?
Building payment security and risk management into the fabric of your business
Barclaycard’s merchant compliance index, January 2012
From an analysis of our corporate and mid-tier portfolio, we can confirm that PCI DSS compliance is certainly moving the right way. As at January 2012, below is the shape of compliance by sector, so organisations can position themselves against their peers:
SECTOR            | PCI Compliance Sept 2011 | PCI Compliance Jan 2012 | Change
Hotels            | 66%                      | 79%                     | +16%
Retail            | 55%                      | 50%                     | -5%
Gaming            | 58%                      | 48%                     | -10%
Insurance         | 53%                      | 46%                     | -7%
University        | 52%                      | 41%                     | -11%
Restaurants/Pubs  | 37%                      | 30%                     | -7%
Airlines          | 25%                      | 25%                     | =
Public sector     | 22%                      | 22%                     | =
Barclaycard Payment Security Top Tips…
1. Are you still storing sensitive authentication data you don’t need?
2. Are you maintaining and disseminating a security policy?
3. Are you assessing your risk elsewhere in your organisation? (e.g. perhaps using ITIL / ISO 27001 / CLAS) Have you thought of including the PCI DSS controls in this framework?
4. Have you established, and are you annually testing, an incident response plan?
5. Are you performing internal and external penetration tests?
6. Do you know how your public-facing web applications are protected against new threats and vulnerabilities, and how these applications are protected against known attacks?
7. Are you sure you are not using vendor-supplied defaults for system passwords and other security parameters?
8. Have you deployed proper user identification and authentication management?
9. Is your asset management framework adequate?
10. Have you deployed adequate log management procedures for your key assets?
One step at a time...
• Are my employees taking information outside of the organisation? How can they do this?
• Can I limit access to this information to only those who need it?
• What types of attackers would be interested in infiltrating my systems? What would they seek? Why?
• What is the business impact?
• If any web server was compromised, how difficult would it be for an attacker to work its way to those systems containing information? How easy would it be to take this information out?
• How quickly would I know this has happened? How quickly can I stop it?
• How quickly do I need to respond to the market, and what do I say?
What can we learn?...
• Lesson 1. Understand your risk profile
• Lesson 2. Make risk management your objective; compliance will come naturally
• Lesson 3. Avoid quick fixes and silos (i.e. don’t panic!)
• Lesson 4. Automate
• Lesson 5. Educate
For those who haven’t started on their PCI compliance journey yet…
Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early.
3. Scope: understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically - once a year is advised).
Reduce Risk
6. Remove sensitive authentication data storage as a top most priority.
7. Prioritise Risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have implemented EMV in their F2F channel.)
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by Visa, Secure Code, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS requirements, they will improve security and reduce risk.
10. If Compensating Controls are required, ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).
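Top Tip 1 and step 6 above both turn on first finding where card numbers and sensitive authentication data (SAD: track data, card security codes) have leaked into storage such as application logs. The following scanner is an added example, not Barclaycard's or the PCI SSC's code: it applies the Luhn check to digit runs and looks for track-2 and CVV patterns over a few constructed log lines, reporting PANs masked to first six/last four.

```python
"""Find candidate stored cardholder data in plain text (e.g. log files).
Added example for illustration; the sample log lines are constructed."""
import re

# 13-19 digit runs, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track 2 layout: PAN '=' expiry/service code/discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4,}")
# A 3- or 4-digit value labelled as a card security code.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)

SAMPLE_LOG = [  # constructed lines; 4111... and 5555... are well-known test PANs
    "2012-01-31 10:15:22 INFO order=8831 amount=49.99 card=4111 1111 1111 1111 cvv=123",
    "2012-01-31 10:15:23 INFO order=8832 amount=12.00 token=tok_9f3a1c2e status=ok",
    "2012-01-31 10:15:24 DEBUG pos raw swipe: 5555555555554444=25121011234500000",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked value) findings for one line of text."""
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    if TRACK2_RE.search(line):
        findings.append(("TRACK2", "<sensitive authentication data>"))
    if CVV_RE.search(line):
        findings.append(("CVV", "<sensitive authentication data>"))
    return findings


def scan_lines(lines) -> dict:
    """Map 1-based line number -> findings, for lines that have any."""
    return {n: f for n, f in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if f}
```

Any TRACK2 or CVV finding means SAD is being retained after authorisation and must be removed at source, not just masked; PAN findings show where the cardholder data environment actually extends.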
Help!!! Third Parties
• For those who outsource…
• >350 (UK) and >900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites: http://www.visaeurope.com/en/businesses__retailers/payment_security/service_providers.aspx and http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• C. 900 Level 1 PCI DSS compliant service providers listed on MasterCard website: http://www.mastercard.com/us/company/en/whatwedo/compliant_providers.html
• For those who want to retain control in-house…
• C. 750 PA-DSS validated payment applications on PCI SSC website: https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
• Barclaycard’s position…
• We always recommend that our customers use PCI DSS compliant Level 1 Service Providers, as self-assessment does not provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.
Help!!! Cloud Computing & Mobile…
• Cloud computing
• Key deciding factors for migration to the cloud are: data custody, control, security, privacy, jurisdiction, and portability standards for data & code.
• Essentially, organisations will have to perform the balancing act of losing control gracefully whilst maintaining accountability when the operational responsibility of handling and securing their assets lies with one or more third parties.
• The key is in the contracts… Disclosure and transparency are key.
• Mobile infrastructure
• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)
• A global mobile security policy is key, and let’s not forget social networks…
The PCI SSC Risk Assessment SIG
• The objective of the Risk Assessment SIG is to explore the various industry-recognised risk assessment methodologies and develop an Information Supplement containing guidance and recommendations for performing a risk assessment.
• This document will provide guidance to all levels of merchants, service providers, merchant acquirers and assessors for performing risk assessments that support PCI DSS compliance in an optimum manner.
The PCI SSC Risk Assessment SIG (cont.)
The Information Supplement will include the following:
1. Conducting effective risk assessments, including but not limited to best practices for categorising and recording assets, and for evaluating assets against threats and vulnerabilities
2. Guidance for understanding and documenting risk assessment results
3. Guidance for understanding the potential impact when risk management responsibilities are shared among other parties (for example, third parties such as managed/virtual/co-location hosting environments/data centers, etc.)
4. Guidance for incorporating PCI DSS into an overall risk management strategy, including use of the Prioritised Approach for PCI DSS and the Prioritized Approach Tool
Advice for small merchants
• Understand what security your business uses and how it operates
• Ensure this is looked after effectively
• Responsibilities need to be assigned and managed
• Your reaction in the event of a data breach is critical - effective operating processes need to be in place
• Ensure continuous monitoring at all times
• PCI DSS is part of your security journey, not “The Journey”…
Don’t spend £100 protecting a £1 asset: know your risk, select the right partners, fix the basics first, and be prepared…
Further help and information
Barclaycard PCI DSS Website (internet): www.barclaycard.co.uk/pcidss
Leaflets
Contact information
www.barclaycard.co.uk/pcidss
Email: PCI.Taskforce@barclaycard.co.uk
Board Member and Participating Organisation of the Payment Card Industry Security Standards Council
Winner of ‘Information Security Team of the Year’, SC Magazine Awards 2011 Europe
Winner of the 2010 European Card Acquiring Forum (ECAF) Data Security Award for our PCI DSS merchant compliance programme