IVR System Solutions: One Utility's PCI Audit Experience

One Utility's PCI audit Experience

Angela Hare

Disclaimer

Angela Hare is by no means a “PCI expert.” She is simply the only employee at Central EMC who didn’t know to be sick the day a “compliance”

meeting was mentioned.

What in the world is PCI???

The PCI DSS is a multifaceted security standard that includes requirements for security

management, policies, procedures, network architecture, software design, and other critical

protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

In English

Protect your customer’s credit card data

OR ELSE…..

Credit Card fraud can’t happen to me!

• Massive Theft of Credit Card Numbers Reported Heartland Payment Systems, a payment processor for hundreds of thousands of businesses, disclosed today that it has been hit by what may be the largest credit card data theft to date.

• IT People, Places, Things to Hear More or Less About in '08 Looking ahead to 2008, here are three subjects we hope to hear more about--and a few we'd like to hear less about.

• Cost of Data Breaches Rising Organizations that are hit by data breaches are paying more to recover their losses and retain customers. • California Governor Vetoes Bill on Data Breach Costs Gov. Schwarzenegger vetoed a bill requiring retailers affected by data breaches to reimburse

banks for the costs involved in dealing with them. • Gap Contractor Blamed for Data Breach The Gap says one of its vendors lost laptops with information on 800,000 job applications. • Pfizer Employees at Risk for Identity Theft In July Pfizer discovered a data breach that took place last year, informed employees only recently. • Stolen Monster Data Put to Bad Use The Trojan horse used to steal personal data from Monster.com sends targeted spam seeking recruits for money-

laundering jobs. • Monster Shuts Down Rogue Server Monster has shut down a server that hackers used to steal job seekers' personal data. • Disney Warns of Data Leak A subcontractor for the Disney Movie Club was caught selling customer credit card numbers and other data. • Gov't Report: Data Breaches Don't Often Result in ID Theft Most large data breaches don't appear to lead to identity theft, and proposals that would

require companies to notify customers of most breaches may lead to increased costs. • Gas Stations Ripe for ID Theft? Insecure networks and point-of-sale terminals are riskier than online shopping, Gartner charges. • Data Breaches Could Take a Toll on E-CommerceConsumers are becoming skittish about the potential dangers of e-commerce, survey says. • Los Alamos Breach Caused by Human Error Security breach that may have exposed nuclear secrets was not a breakdown in security processes. • Lab May Have Exposed Nuclear Weapons Data Officials at the Los Alamos National Laboratory used unsecure e-mail to share classified information

concerning materials used in nuclear weapons.

Twelve Requirements of PCI DSSBuild and Maintain a Secure Network.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters .

Protect Cardholder Data.Requirement 3: Protect stored cardholder data.Requirement 4: Encrypt transmission of cardholder data across open, public networks .

Maintain a Vulnerability Management Program.Requirement 5: Use and regularly update anti-virus software.Requirement 6: Develop and maintain secure systems and applications.

Twelve Requirements Cont…Implement Strong Access Control Measures.

Requirement 7: Restrict access to cardholder data by business need-to-know.Requirement 8: Assign a unique ID to each person with computer access.Requirement 9: Restrict physical access to cardholder data .

Regularly Monitor and Test Networks.Requirement 10: Track and monitor all access to network resources and cardholder data.Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy.Requirement 12: Maintain a policy that addresses information security.

How do I know if PCI applies to me?

If you accept credit card payments – it applies to you.

Merchant LevelsLevel 1Any merchant—regardless of acceptance channel—processing over 6M Visa

transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2Any merchant—regardless of acceptance channel—processing 1M to 6M Visa

transactions per year.Level 3Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.Level 4Any merchant processing fewer than 20,000 Visa e-commerce transactions per

year, and all other merchants—regardless of acceptance channel—processing up to 1M Visa transactions per year.

Central EMC’s Approach

• Self-Assessment Questionnaire• EMC Technologies evaluation & penetration

testing• Form a team to assess.• Make the needed changes.

Changes to IVRBefore

CC info stored in engine logs & CC pmt tableStored for 30 daysNetwork Admin & Milsoft personnel have access

NowNo CC information stored

Access is the same

Other ChangesCIS

CC information is XXXXX out.Network

Firewall installedTipping Point installedSecureworks monitoringPCI Scan Quarterly

PhysicalCSR notebooks are locked up at night.Additional doors are locked.New Security System to be installedAdditional security cameras to be

installedEmployee training/policy

Are we better off?

Yes, but……

“Social Engineering”“Tracking the fraud”

Where can I find more information?

www.pcisecuritystandards.orgwww.pcicomplianceguide.orgwww.secureworks.com

Questions?Thank you!

Angela HareDirector of Information Systems

Central [email protected]