Walter Conway, QSA
403 Labs, LLC
PCI DSS Compliance in 2013
California State University
Auxiliary Organizations Association
January 17, 2013
California State University AOA, January 2013 | Walter Conway, QSA | 403 Labs, LLC | © 2013 2
Agenda
- PCI and Higher Ed
- Mobile commerce
- Point-to-Point Encryption
- Special Interest Group guidance
- PCI DSS v 3.0 this year
Walt Conway, 403 Labs
- PCI QSA, consultant, blogger, trainer, speaker, author
- Former Visa VP
- Represent NACUBO at PCI Council
- Help schools become PCI compliant
403 Labs: Security consulting firm
- All things PCI: QSA, PA-QSA, ASV, PFI
PCI DSS: 6 Goals, 12 Requirements
Some PCI DSS Basics
- Payment Card Industry Data Security Standard
- Goal is to protect cardholder data
  - And to keep you out of the headlines
  - PCI does not make you secure
- If you take plastic, PCI applies to you
- PCI scope includes
  - Any system that “stores, processes, or transmits” cardholder data
  - Any connected system
- PCI is a program, not a project
- Two things you need to accept about PCI
  - Your costs have gone up
  - You will change the way you do business
Mobile Commerce is Here
- Smartphones and tablets are ubiquitous
- The dongles are winning
- Sleds are an option with some POS system providers
- One problem: none of the devices is PCI DSS compliant
  - Devices not secure
  - Applications not secure
  - Dongles not encrypting card data
Mobile Commerce: The Way Forward
- PCI Council approach: P2PE
- A secure solution, which has its own issue:
  - Approved secure card readers and approved P2PE solution providers are in short supply
Mobile Commerce: The Way Forward
- May 2012: MasterCard guidance to merchants
  - Introduced “Payment Facilitator” (e.g., Square)
  - Limitations on activity
  - PCI compliance presents a “unique challenge”…
- June 2012: Visa clarifications
  - Use the payment application only as intended
  - Restrict device access
  - Don’t install malware (i.e., bye-bye Angry Birds)
  - Application should adhere to principles of PCI
Mobile Commerce: The Way Forward
[Slide image: cover of “MasterCard Best Practices for Mobile Point of Sale Acceptance” (May 2012), a document intended for all entities that develop, deploy, or use MPOS solutions. Highlighted statistic: approximately 75% of the estimated 1.2 million MPOS solutions shipped to MasterCard merchants globally throughout 2010 and 2011 went to merchants who did not previously accept payment card transactions.]
Mobile Commerce: The Way Forward
- PCI Council issued payment application developer guidelines
  - Look for secure apps(?)
- Dongles are not risk-free
  - Check the fine print!
- Mobile POS device is an option for some merchants
- Monitor P2PE for more options
Point-to-Point Encryption: Definition
Point-to-point encryption (P2PE):
- People, processes and technology
- That encrypt and decrypt cardholder or sensitive authentication data
“Point” – One designated and independently validated encryption device or location (the source, or encryption point)
“to” – The data are subsequently sent as unreadable ciphertext for decryption to…
“Point” – A second designated and independently validated decryption device or location (the destination, or decryption point)
“Encryption” – the algorithmic process of transforming plaintext into unreadable ciphertext
Note: there is no such thing as “End-to-End” encryption…
P2PE In Theory
Source: PCI SSC
P2PE In Theory
- Ideally, P2PE encrypts data everywhere in the merchant environment
  - Merchant has no access to card data
  - Data remain encrypted between the merchant and the processor
  - No decryption is feasible at any point between the source and the destination
- The payoff: P2PE can reduce the cost of PCI compliance
  - Self-Assessment Questionnaire just for P2PE
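The P2PE definition and the “in theory” slides above describe a data flow, not code. The Python model below is an added example for this page; it is not part of Walt Conway’s presentation nor any PCI SSC or 403 Labs material. It walks a PAN through the three parts of the definition: the reader (encryption point) encrypts it, the merchant environment only forwards ciphertext it cannot read, and the processor’s decryption environment (decryption point) verifies integrity and decrypts. Assumptions: the device key `DEVICE_KEYS["SCR-0001"]` and the test PAN are constructed; an HMAC-SHA256 counter-mode keystream stands in for the hardware cipher a real secure card reader would use so the example runs with only the standard library; keeping the last four digits in the clear for the receipt is an assumed receipt-printing convention, not a P2PE requirement. The `merchant_sees_pan` check is the test a defender cares about: with P2PE working, the cleartext PAN must never appear in anything the merchant handles.

```python
"""Model of the P2PE flow: encryption point -> merchant (forward only) -> decryption point.
Constructed example; not a P2PE-validated solution."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# CONSTRUCTED key material. In a real P2PE solution the per-device key is injected
# into the PTS-approved secure card reader and held in the decryption environment's
# HSM; the merchant's own systems never possess it.
DEVICE_KEYS = {
    "SCR-0001": hashlib.sha256(b"constructed demo key for reader SCR-0001").digest(),
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a stream-cipher keystream.
    Stand-in (assumption) for the hardware cipher a real reader uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag so the decryption point can detect tampering in transit."""
    return hmac.new(key, b"tag|" + nonce + ciphertext, hashlib.sha256).digest()


@dataclass(frozen=True)
class EncryptedCapture:
    """Everything that leaves the reader: routing data, ciphertext, integrity tag,
    and a masked value for the receipt. No cleartext PAN."""
    device_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes
    last4: str


# "Point": the encryption point (secure card reader).
def reader_encrypt(device_id: str, pan: str) -> EncryptedCapture:
    key = DEVICE_KEYS[device_id]          # in reality this never leaves the reader
    nonce = os.urandom(16)                # fresh per capture so the keystream never repeats
    plaintext = pan.encode()
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return EncryptedCapture(device_id, nonce, ciphertext, _tag(key, nonce, ciphertext), pan[-4:])


# "to": the merchant environment. It holds no key, so all it can do is forward the
# capture and record non-sensitive fields for its own reconciliation.
def merchant_forward(capture: EncryptedCapture) -> dict:
    return {
        "device_id": capture.device_id,
        "last4": capture.last4,
        "ciphertext_len": len(capture.ciphertext),
    }


def merchant_sees_pan(capture: EncryptedCapture, pan: str) -> bool:
    """Does the cleartext PAN appear anywhere in what the merchant handles?
    With P2PE working, this must be False."""
    in_transit = capture.nonce + capture.ciphertext + capture.tag + capture.last4.encode()
    return pan.encode() in in_transit


# "Point": the decryption point (processor / P2PE solution provider).
def processor_decrypt(capture: EncryptedCapture) -> str:
    key = DEVICE_KEYS[capture.device_id]
    expected = _tag(key, capture.nonce, capture.ciphertext)
    if not hmac.compare_digest(expected, capture.tag):
        raise ValueError("integrity check failed: capture altered between source and destination")
    ks = _keystream(key, capture.nonce, len(capture.ciphertext))
    return bytes(c ^ k for c, k in zip(capture.ciphertext, ks)).decode()


def processor_accepts(capture: EncryptedCapture) -> bool:
    """True if the decryption point accepts the capture, False if it rejects it as tampered."""
    try:
        processor_decrypt(capture)
        return True
    except ValueError:
        return False


def tamper(capture: EncryptedCapture) -> EncryptedCapture:
    """Flip one ciphertext bit, modelling modification somewhere in transit."""
    altered = bytearray(capture.ciphertext)
    altered[0] ^= 0x01
    return EncryptedCapture(capture.device_id, capture.nonce, bytes(altered), capture.tag, capture.last4)


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # constructed test PAN, not a real account
    cap = reader_encrypt("SCR-0001", TEST_PAN)
    print("merchant sees:", merchant_forward(cap))
    print("merchant can read PAN:", merchant_sees_pan(cap, TEST_PAN))
    print("processor recovered PAN ending in:", processor_decrypt(cap)[-4:])
    print("processor accepts tampered capture:", processor_accepts(tamper(cap)))
```

The point of the model is what is absent from the merchant side: no key, no decrypt routine, and a merchant log that carries only device id, last four and a byte count. That is what lets a P2PE merchant answer a reduced SAQ, and it is also why the due-diligence questions on the next slides matter: if a vendor’s “encrypting” reader hands the merchant a key or a cleartext PAN anywhere in the flow, the model no longer holds.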
P2PE: Where We Are Today
P2PE: Where We Are Today, part 2
- Can acquirer or vendor options reduce PCI scope, maybe as well as P2PE?
  - They encrypt card data at POS
  - Merchant cannot access cleartext card data
- To find out, merchant must perform due diligence on solution and provider
  - Examine technical and operational characteristics
  - Service provider capabilities, PCI compliance
- Risk: Everything depends on FAQ 10359
- Risk: Service Level Agreement
Special Interest Group (SIG)
- Three SIGs in 2012
  - Risk assessment
  - Cloud computing
  - eCommerce
- Two SIGs for 2013
  - Staying PCI compliant
  - Managing third parties
[Slide image: cover of the PCI SSC Information Supplement “PCI DSS Risk Assessment Guidelines”, version 1.0, November 2012, by the Risk Assessment Special Interest Group (SIG), PCI Security Standards Council]
What Is New in 2013
- Comments on v 2.0 received from Participating Organizations
- PCI DSS v 3.0 will be effective in October
  - Both v 2.0 and v 3.0 in effect in 2014
  - PCI DSS may not change significantly
  - SAQs may change, possibly a great deal
How Schools Address PCI
- Secure top management commitment
  - Develop your pitch: PCI is a business issue, not a security issue
  - Budget adequately: PCI is a program, not a project
- Build a dedicated, multidisciplinary team
- Inventory data, processes, vendors
  - Ask, interpret, verify, explore where stuff is, where it goes
- Engage stakeholders, communicate
  - Hold users accountable for behavior (consequences)
- Outsource payment functions, but do it carefully
  - Payment processors
  - Payment applications you host
Where’s My Silver Bullet?
- Minimize PCI scope (aka, PCI “Requirement 0”)
  - Store no cardholder data (even paper)
  - Segment your network
  - Change processes and procedures
  - Map your cardholder data flow
  - Perform a PCI Gap Analysis to identify non-compliant processes and systems
- Emerging technologies
  - Tokenization
  - Point-to-Point Encryption
- Get trained:
  - PCI Council training
  - Treasury Institute PCI Workshop (May 13-15, 2013)
Resources
- PCI Council:
  - https://www.pcisecuritystandards.org/
  - RSS Feed: https://www.pcisecuritystandards.org/news_events/index.php
- Visa:
  - http://usa.visa.com/merchants/risk_management/cisp.html
  - RSS Feeds: http://usa.visa.com/merchants/merchant_resources/data_security_rss_feed.html
- MasterCard:
  - http://www.mastercard.com/us/sdp/merchants/index.html
- Treasury Institute for Higher Education
  - http://www.treasuryinstitute.org/
  - http://treasuryinstitutepcidss.blogspot.com/
  - PCI Listserv: Chrissy Woodward, University of Arkansas, Fayetteville
Thank You
Your comments? Questions? Thoughts?
email: [email protected]
Follow my PCI column at storefrontbacktalk.com
Higher Education PCI blog (Treasury Institute) treasuryinstitutepcidss.blogspot.com