PCI Internal Controls and Auditing Requirements
Agenda
Introduction
PCI Governance/Advisory Team
What’s happening on campuses?
Risks of non-compliance
PCI DSS 3.2
PCI Lifecycle
Role of Internal audit
Tools for auditing PCI DSS
PCI Maturity model
Q & A
University of Alaska
America’s Arctic university – a land, sea and space grant system. Geographically distributed across three major campuses – in Anchorage, Fairbanks and Juneau – with 17 satellite campuses and 28 facilities. As of 2016, total enrollment is 32,000.
(Map: Arctic Circle, 65th parallel)
• Institutes of higher education are required to maintain PCI compliance
• At a disadvantage compared to other industries like banking, services and retail
• Have varied types of businesses on campus accepting credit cards for tuition, student fees, campus cards, events, dining, housing, athletics, parking, online giving
• Very difficult to have one office with knowledge of all the above (mostly a one-person department)
Introduction
Campuses and Ah! Compliance
• Many departments want to accept payments by credit cards, but their needs, resources and business and system maturity differ
• E-commerce is complex, and it is not easy to decide who is ‘in charge’ of e-commerce
• Acquirer banks and credit card companies require that the institution be compliant with the most current standard; non-compliance results in penalties and jeopardizes reputation
• Centralized policies, education, management support and communication
PCI DSS
Standard that applies to:
- Merchants
- Service providers (third-party vendors, gateways)
- Systems (hardware, software)
that:
- store cardholder data
- transmit cardholder data
- process cardholder data
Applies to:
- Electronic transactions
- Paper transactions
PCI compliance – the 12 security requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications
PCI compliance – the 12 security requirements – Continued…
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy.
12. Establish high-level security principles and procedures.
PCI Governance Team
PCI Governance Team is a systemwide advisory team on all aspects (business, IT, compliance) of PCI and consists of:
- Chief Finance Officer/VP of Finance
- Controller
- Cash Manager
- Chief Information Technology Officer
- Network Ops
- Business unit managers
- IT Managers
- Internal Audit
- IT Security
- Financial Systems
• UA formed e-commerce committee to centralize and prioritize payment system
• Recommended by the acquirer bank to be compliant with PCI DSS
• E-commerce committee transitioned to PCI Advisory team and chartered by VP Finance to develop PCI policy
• Hired a QSA to advise and conduct vulnerability scans
• PCI Advisory team developed the PCI Administrative policy, requiring SAQ to be completed for each MID by Oct 31 every year
• PCI Advisory team meets every month to review scan status, update and prioritize all PCI tasks
University of Alaska’s PCI
PCI Governance/Advisory Team
• Deficiency Reports
• SAQs
• Scope reduction efforts
Compliance Vs Validation
Compliance – Means adherence to the standard
Applies to every merchant regardless of volume
Technical and business practices
Validation – Verification that the merchant (including its service providers) is compliant with the standard
Applies based on Level assigned to merchant & transaction volume
Two types of Validation
Self-Assessment
Certified by a Qualified Security Assessor (QSA)
Attestation – Letter to card issuer (bank) signed by both merchant and acquirer bank attesting that validation has been performed
PCI Council – Consortium
All merchants are subject to the standard and to card association rules
No exemption provided to anyone
Immunity does not apply because Requirement is contractual - not regulatory or statutory
Card associations can be selective who they provide services to
Merchants accept services on a voluntary basis
Merchants agree to abide by association rules when they execute e-merchant bank agreement
Merchant banks are prohibited by association rules from indemnifying a merchant from not being compliant with the standard
Association Rules require merchant banks to monitor merchants to ensure their compliance
Failure of a merchant bank to require compliance jeopardizes the merchant bank’s right to continue to be a merchant bank
Any fines levied are against the merchant bank, which in turn passes the fines on to the merchant
Two Components to Validation
Annual Assessment Questionnaire – required of all merchants, regardless of level
- Applies to both technical and business practices
Security Vulnerability Scan – quarterly, required for:
- External-facing IP addresses
- Web applications
- POS software and databases on networks
- Applies even if there is a redirection link to a third party
- Must be performed by an Approved Scanning Vendor (ASV)
Validation is based on the level assigned to the merchant, which is based on transaction volume
Three components to Compliance
1. Self-Assessment Questionnaires – all registered MIDs
- Make sure each MID is properly categorized (SAQ A-D)
- Deficiency reports
2. Vulnerability Scans – clean scans
- Assess what level of risk is acceptable (low-medium-high)
- Certified by a Qualified Security Assessor (QSA)
3. Update Policy/Procedure
- Include all recent changes
SAQ – PCI DSS Version 3.2
Face-to-Face and Mail/Telephone Only:
- B: POS analog, not connected to IP *
- B-IP: POS connected to IP * #
- C-VT: Virtual terminal IP, dedicated or segmented, and keyed only * #
- C: POS software connected to IP, dedicated or segmented * #
- P2PE-HW: POS hardware managed with Point-to-Point Encryption *
- D: Cardholder data is stored #
eCommerce Only:
- A: Card-not-present, fully outsourced *
- A-EP: Outsourced, but website redirect can impact security of payment * #
- D: Cardholder data is either processed, transmitted, or stored #
Combination of Face-to-Face and eCommerce:
- D: All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #
* Indicates cardholder data is not stored; # indicates vulnerability scanning required.
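The three compliance components above (an SAQ for every registered MID, correct SAQ categorization, and clean quarterly ASV scans where the SAQ table marks them with #) can be checked mechanically against a MID inventory. The following is an added example written for this page, not a University of Alaska or PCI SSC tool; the `Merchant` record, the 365-day SAQ and 90-day scan windows, and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Per SAQ type, whether quarterly ASV scanning is required ('#' in the SAQ 3.2 table).
SAQ_SCAN_REQUIRED = {"A": False, "A-EP": True, "B": False, "B-IP": True,
                     "C-VT": True, "C": True, "P2PE-HW": False, "D": True}
SAQ_MAX_AGE = timedelta(days=365)   # annual SAQ (assumed window)
SCAN_MAX_AGE = timedelta(days=90)   # quarterly scan (assumed window)

@dataclass
class Merchant:
    mid: str                          # merchant ID (MID)
    saq: str                          # SAQ type assigned to this MID
    saq_completed: Optional[date]     # when the annual SAQ was last completed
    scans: List[Tuple[date, bool]]    # ASV scan history as (date, passed)

def deficiencies(m: Merchant, as_of: date) -> List[str]:
    """Deficiency-report items for one MID; an empty list means no finding."""
    out = []
    if m.saq not in SAQ_SCAN_REQUIRED:
        return [f"{m.mid}: SAQ type '{m.saq}' not recognized; recategorize (SAQ A-D)"]
    if m.saq_completed is None or as_of - m.saq_completed > SAQ_MAX_AGE:
        out.append(f"{m.mid}: annual SAQ {m.saq} missing or overdue")
    if SAQ_SCAN_REQUIRED[m.saq]:
        recent = [s for s in m.scans if as_of - s[0] <= SCAN_MAX_AGE]
        if not recent:
            out.append(f"{m.mid}: no ASV scan in the last quarter")
        elif not max(recent)[1]:          # latest scan in the quarter failed
            out.append(f"{m.mid}: most recent ASV scan failed; clean scan required")
    return out

def deficiency_report(merchants: List[Merchant], as_of: date) -> List[str]:
    """Flatten per-MID findings into one list for the PCI advisory team."""
    return [d for m in merchants for d in deficiencies(m, as_of)]

# Constructed sample MID inventory (not real University of Alaska data).
AS_OF = date(2017, 10, 31)   # the annual SAQ deadline named on the slide
SAMPLE = [
    Merchant("MID-001", "A", date(2017, 9, 15), []),
    Merchant("MID-002", "C", date(2017, 9, 15), [(date(2017, 8, 1), True)]),
    Merchant("MID-003", "A-EP", date(2016, 5, 1), [(date(2017, 9, 30), False)]),
    Merchant("MID-004", "E", date(2017, 9, 15), []),
]

if __name__ == "__main__":
    for line in deficiency_report(SAMPLE, AS_OF):
        print(line)
```

Note that MID-002's passing scan is 91 days old on the as-of date, so it falls outside the quarterly window and is reported as missing, which is the kind of boundary an auditor's spreadsheet can silently miss.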
Threat – Detect, Response and Recovery
(Figure: threat detection, response and recovery. Source: Cisco Threat Report)
PCI DSS 3.2 – Threat is the main driver
6 Control Objectives, 12 Core Requirements, 290+ Audit Procedures
Key changes:
- Multi-factor authentication for admins (8.3.1)
- 5 new sub-requirements for service providers (3, 10, 11, 12)
- 2 new appendices
- SSL/TLS migration deadline
- Designated entities supplemental validation
Drivers of the 3.2 changes:
- Changing payment and threat environment
- Breach reports and compromise trends
- Feedback from industry
PCI Lifecycle
Stakeholders: Treasury/Controller, Business unit, IT Security, Compliance, Legal, Audit, Risk Services
PCI lifecycle - Discussion
1. Policy – authoritative source by which processes/actions are measured
2. Inventory – an accounting conducted by the auditee to validate fiduciary responsibilities are fulfilled
3. Prioritize – a determination of whether the auditee has evaluated assets and risks while “getting the job done”
PCI lifecycle – Continued…
4. Vulnerabilities – the weak link in the chain. Is a process in place to find vulnerabilities? Can the auditor find them?
5. Threats – what threats are known? Is a process in place to watch for new threats? Does the auditee have a process to eliminate, mitigate, or respond to threats?
6. Risk – the optimization of risk. Is risk reduced to acceptable levels? Risk to people, revenue, assets, and reputation? Evaluate decision to accept, avoid, reduce, or transfer the risk.
7. Remediation – when inadequacies are found, the auditor will want to see a plan to remedy the situation. The auditor will follow up to validate that the remediation plan was implemented and works.
8. Measure – accounting is specific and measurable… auditors want to see the quantitative and qualitative results. Bean counters…
9. Compliance – a determination of how closely processes are aligning with authoritative guidance
PCI lifecycle – Continued…
Assess Risk
The product of:
Assets
Vulnerabilities
Threats
Based upon the criticality of AVT
Focus your resources on the true risk
See handout – spreadsheet #1
Tools for Auditing PCI DSS in Your Institution
The Audit Process
Role of Internal Audit
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. ”
The Institute of Internal Auditors
Audit – Effective tool
Focus on risk of occurrences that could prevent the University from achieving its goals
Risk factors:
Impact
Probability
Controls
There are many types of risk – non-compliance, fraud, improper reporting, ineffective or inefficient use of resources, reputational/credibility loss, etc.
Focus on areas with high risk and high probability that controls are not in place or are weak
Audit – Internal Controls
Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws, regulations and policies
Authoritative Guidance
Federal statutes and regulations governing financial and personally identifiable data (GLBA, HIPAA, FERPA, FISMA)
State statutes and regulations governing financial and personally identifiable data
PCI DSS
The PCI Standards available from the PCI SSC Document Library: https://www.pcisecuritystandards.org/document_library
Contract with acquiring bank
Your institution’s own PCI regulations, policies, and procedures
Overview of Process
Audit Plan set by Audit Committee or governing structure
Planning
Conduct research on topic
Set scope, usually set by cardholder data environment
Develop audit program, internal control questionnaire (ICQ), preliminary request for information
Conducting fieldwork
Internal Control Questionnaires (refer to handouts)
Test work
Reporting
Planning
Planning and Risk Assessment Guide
Solicitation for Concerns
Preliminary Survey
Data Analysis and Sampling Methodology
Risk and Fraud Risk Assessment
Prior Audits
Authoritative Guidance
Background Information
Auditor Independence Statement
Scope and Objectives Memo
Entrance Letter
Preliminary Request for Information
Entrance Meeting
Key Contacts
Planning Meetings
Field Work
Use the program to evaluate information provided from prior steps (preliminary info request, ICQs, meetings, etc.)
Assessment of environment
Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)
Documentation of compensating controls
Attestation of Compliance and Action Plan for Non-Compliant Requirements (if applicable)
Approved Scanning Vendor (ASV) scan reports
Vendor SSAE-16 (Statement on Standards for Attestation Engagements) reports
Reporting
Deliverables: Report, memo
Provide findings and recommendations
Five elements of audit findings: Condition, criteria, cause, consequence (effect), corrective action (recommendation)
Quality of Internal Audit Report
Objective – Comments and opinions should be objective and unbiased
Clarity – Simple and straightforward
Accuracy – Comments correct and on-point
Brevity – Concise
Timeliness – Issued promptly after fieldwork
Reporting – continued…
What was found
Why it happened
What is required
What effect it has
Recommendation for improvement
Response – who, when and how
This can be combined with the gap assessment, vulnerability scan reports and penetration test reports
Granularity
Determined by:
Risk-based auditing
Compliance-based auditing
Time
Scope
Sample Documents
• Program
• Preliminary Info Request
• ICQs
• Other helpful docs at:
– https://www.pcisecuritystandards.org
PCI Maturity Model
Level – Category – Description
0 – Not performed – Complete lack of any recognizable processes. The institution has not even recognized that there is an issue to be addressed.
1 – Performed Informally – There is evidence that the institution has recognized that the issues exist and need to be addressed. There are no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 – Planned and Tracked – Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 – Well Defined and Communicated – Procedures have been standardized, documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 – Managed and Measurable – Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 – Continuously Improved – Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity as recommended by the most current PCI DSS, providing tools to improve quality and effectiveness, making the institution quick to adapt.
Conclusions
• PCI compliance is not a one-time thing – it’s constantly changing
• Dissemination and training are very critical
• Assess your environment
• Do not hesitate to file deficiency reports and work on them
• Internal audit is an important tool to enforce compliance