Helping Customers Comply with PCI DSS v3.0: Payment Card Industry Data Security Standards
Troy Kitch, Principal Director, Security Software Product Marketing
Oct 19, 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS
• International standards
• Secure card data
• Global card brands
• PCI Security Council
A BRIEF HISTORY OF THE PAYMENT INDUSTRY: PAYMENTS DEPEND ON TRUST
• 9000-6000 BC: cattle
• 500 BC: silver coins
• 806: paper currency
• 1891: American Express traveler's checks
• 1946: first bank card
• 1966: modern credit card
• 1983: radio frequency identification (RFID)
• 1997: 1st mobile payment
• 1999: PayPal
• 2004: Near Field Communication Forum
• 2007: mobile payment developed
• 2010: Square
• Future: implants & much more
WHY IS PCI COMPLIANCE IMPORTANT?
$11B LOST IN 2012
[Chart: global payment card industry losses, $ billions, by year from 2000 to 2012]
PAYMENT CARD ECOSYSTEM: THE FLOW OF CREDIT
[Diagram of the payment card industry; participants shown:]
• Card holder (consumer)
• Merchant, e.g. Wm Morrison, Amazon, Wal Mart
• Acquiring bank (merchant bank)
• Payment card processors
• Issuing bank (consumer bank)
• Banks and processors named on the slide: Deutsche Bank, Barclays, Royal Bank of Scotland, PNC, BluePay, PayPal, Merchant One, Credit Agricole Group, BNP Paribas, HSBC Holdings, Banco Santander
• Credit bureaus: TransUnion, Equifax, Experian
• Collection agencies: SquareTwo, Euler Hermes, Atradius
ANATOMY OF A BREACH: MILLIONS OF CONSUMERS AFFECTED
[Diagram with the network perimeter marked; steps numbered as on the slide]
1. Attacker phishes third-party contractor
2. Attacker uses stolen credentials to access contractor portal
3. Finds and infects internal Windows file server
4a. Finds & infects point-of-sale systems with malware
4b. Malware scrapes RAM for clear-text credit card stripe data
5. Malware sends credit card data to internal server; sends custom ping to notify
6. Stolen data exfiltrated to FTP servers
89% NOT PASSED ALL REQUIREMENTS
Source: Verizon 2014 PCI Compliance Report
SIZE MATTERS: BY TRANSACTION VOLUME
• Level 1 (6M+ transactions): annual onsite assessment; quarterly network scans
• Level 2 (1M-6M transactions): annual self-assessment; quarterly network scans
• Level 3 (20K-1M transactions): annual self-assessment; quarterly network scans
• Level 4 (0K-20K transactions): annual self-assessment; quarterly network scans
WHAT'S NEW IN PCI DSS v3.0 (v2 to v3)
• Clarifications: change all default passwords; mask displayed data; encryption key storage; detect/prevent web-based attack
• Guidance
• Business as usual
Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf
TWELVE PCI REQUIREMENTS
1. Install firewall configuration to protect cardholder data
2. Remove vendor defaults for passwords and security configs
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect systems against malware and update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track, monitor access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses infosec for all personnel
REQUIREMENTS ORACLE ADDRESSES
(The slide repeats the list of twelve requirements above; the capability slides that follow cover requirements 2, 3, 6, 7, 8 and 10.)
IF YOU CAN'T REMEMBER ALL 12, HERE'S A HANDY VIDEO
PCI Rock: http://www.youtube.com/watch?v=xpfCr4By71U
2. REMOVE DEFAULT PASSWORDS AND SECURITY CONFIGS
CAPABILITIES
• Forced password reset
• Configuration scans
• Database lifecycle mgmt.
• SSL/TLS network encryption
EXAMPLES
• Change vendor-supplied PASSWORD DEFAULTS
• Develop CONFIGURATION STANDARDS for all system components
• ENCRYPT non-console administrative access
3. PROTECT STORED CARDHOLDER DATA
CAPABILITIES
• Transparent Data Encryption
• Data Redaction
• Data Masking
• Secure Backup
• Privileged Access Control
EXAMPLES
• ENCRYPT cardholder data at rest and REDACT on display
• REDUCE PRIVILEGED ACCESS to cardholder information
• MASK non-production card data
6. DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
CAPABILITIES
• Follow Oracle Critical Patch Updates
• Mask PII in non-production
• Monitor and block SQL injection attacks
EXAMPLES
• Apply PATCHES within 1 month
• MASK live PANs in TEST and DEVELOPMENT
• Address SQL INJECTIONS
• Enforce SEPARATION of TEST and DEVELOPMENT
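The two masking tasks named on the requirement 3 slide (redact the PAN on display, mask non-production card data) and the requirement 6 slide (mask live PANs in test and development) are shown below in working form. This is an added example, not code from the deck and not Oracle's Data Redaction or Data Masking products; it assumes a PAN is a 13-19 digit string (ISO/IEC 7812) and uses the "first six, last four" display ceiling from PCI DSS requirement 3.3. The HMAC-based surrogate construction for non-production data is an illustrative design of this example, not any vendor's algorithm.

```python
"""Masking a primary account number (PAN) for display and for non-production data.

Added example, not code from the Oracle deck. Assumes a PAN is a 13-19 digit
string as in ISO/IEC 7812; the "first six, last four" limit is the display
ceiling in PCI DSS requirement 3.3.
"""
import hashlib
import hmac
import re

_PAN_RE = re.compile(r"\d{13,19}")


def _normalize(pan: str) -> str:
    """Strip spaces and hyphens and check that only a plausible PAN remains."""
    pan = re.sub(r"[\s-]", "", pan)
    if not _PAN_RE.fullmatch(pan):
        raise ValueError("input is not a 13-19 digit PAN")
    return pan


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise RuntimeError("unreachable: exactly one check digit is valid")


def redact_for_display(pan: str, first: int = 6, last: int = 4) -> str:
    """Mask a PAN for display. At most the first six and last four digits are
    shown (the requirement 3.3 ceiling); callers may show fewer, never more."""
    pan = _normalize(pan)
    first = max(0, min(first, 6))
    last = max(0, min(last, 4))
    head = pan[:first]
    tail = pan[len(pan) - last:] if last else ""
    return head + "*" * (len(pan) - first - last) + tail


def mask_for_nonproduction(pan: str, key: bytes) -> str:
    """Replace a live PAN with a deterministic surrogate for test/dev copies.

    Keeps the issuer prefix (first six digits) and the length so test
    applications behave realistically, derives the remaining digits from an
    HMAC of the live PAN under a secret key (same live PAN, same surrogate,
    so tables still join; the key never leaves the production side), and
    recomputes the Luhn check digit so input validation still passes.
    Illustrative construction for this example, not a vendor algorithm.
    """
    pan = _normalize(pan)
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    digit_stream = "".join(str(int(c, 16) % 10) for c in digest)
    body = pan[:6] + digit_stream[: len(pan) - 7]   # leave room for the check digit
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    live = "4111 1111 1111 1111"                    # constructed test PAN, not a real card
    print(redact_for_display(live))                 # 411111******1111
    print(mask_for_nonproduction(live, b"demo-key-not-for-production"))
```

The display function caps what a caller can reveal rather than trusting the caller's arguments, which is the property an assessor looks for; the non-production function keeps the key on the production side so a test database cannot be turned back into live PANs.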
7. RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
CAPABILITIES
• Privileged user access controls
• Privilege analysis
EXAMPLES
• Limit ACCESS based on NEED TO KNOW and JOB
• Employ LEAST PRIVILEGE and SEPARATION of DUTIES
8. IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
CAPABILITIES
• Multifactor authentication
• Strong authentication
• Single sign-on
• Provision unique IDs
EXAMPLES
• Assign a UNIQUE ID to each person with access
• STRONG AUTHENTICATION for all administrators
• Set PASSWORD POLICIES
• MONITOR and ALERT on all suspicious activity
10. TRACK AND MONITOR ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
CAPABILITIES
• Database and system audit
• Database activity monitoring
• Alerting and blocking SQL
• Conditional auditing
EXAMPLES
• Implement AUDIT TRAILS
• REDUCE PRIVILEGED ACCESS to cardholder information
SECURING CARDHOLDER DATA: SquareTwo Financial
SquareTwo Financial is an asset and recovery management organization that secures more than two million individuals and small businesses using Oracle.
• Minimal customer disruption – 5.9 million accounts
• Quickly scale security – 37% company growth
• Addressed compliance – PCI, GLBA, HIPAA, and SOX
SECURING CARDHOLDER DATA: TransUnion
TransUnion provides credit information and information management services to 45,000 businesses and 500 million consumers worldwide.
• Oracle Advanced Security – zero downtime, no application changes
• Seamless key rotation – no impact to performance
• Audit Vault and Database Firewall – 10k transactions/sec
• PCI DSS Compliant – satisfies all auditor requirements
LEARN MORE
PCI Compliance Whitepaper: Sustainable Compliance for the Payment Card Industry Data Security Standard
http://www.oracle.com/us/products/database/security-pci-dss-wp-078843.pdf