Protecting Credit Card Information
IT Security Roundtable, January 14, 2011
Harvard Townsend, Chief Information Security Officer, harv@ksu.edu

Mar 29, 2015



Agenda

• Why we should care
• Payment card industry (PCI) expectations of merchants
• Overview of PCI Data Security Standards (PCI DSS)
• PCI compliance at K-State
• Open discussion



The Risks

• Stolen credit card information and the major costs associated with a breach:
  - Notifying/compensating victims ($30 each)
  - Damages/liability for lost credit card numbers
  - Fines (depends on card brand or bank; range from $10K to $200K per month)
  - Additional compliance reporting/auditing requirements (may move to level 1 merchant)
  - Bank or credit card company may refuse to do business with us
• Identity theft
• Damage to reputation – perhaps more expensive/important than any of the above


Economics of a breach

A hypothetical merchant compromises 10,000 accounts:

• Notify clients: $30 x 10,000 = $300,000
• Fines and penalties: $50,000+
• Increased audit needs: $25,000 x 3 years = $75,000 (minimum)
• Fraud liability: 500 accounts x $1,000 = $500,000
• Reputation loss: PRICELESS!


PCI Expectations

[PCI = Payment Card Industry]

• PCI Data Security Standards compliance
• Validate our compliance:
  - Annual Self-Assessment Questionnaire (SAQ)
  - Quarterly network scans by an external vendor (“Approved Scan Vendor”, or ASV)
• Validation method dependent on our “Merchant Level”, which is a reflection of the number of transactions per year


K-State is now a level 3 merchant (several individual merchant IDs > 20,000 transactions per year in FY2010, cumulative ~ 280,000).


PCI Expectations

This means every K-State entity with a merchant ID (i.e., any department that accepts credit card payments) must:

• Protect cardholder information (ultimate goal)
• Fill out an SAQ every year
• Have its credit card technical infrastructure scanned for vulnerabilities by an approved scan vendor four times a year
• Ensure compliance with PCI DSS

K-State currently has 47 merchant IDs.


PCI Expectations

There are 4 types of SAQs, based on how card info is accepted.


The Players

“Payment Card Industry” encompasses all the organizations that store, process and transmit cardholder data:

• PCI Security Standards Council (PCI SSC)
• Card brands (VISA, MasterCard, etc.)
• Banks (Bank of America, Chase, etc.)
• Service Providers (manage the transactions for the banks, like PayPal, FirstData, VeriSign)
• Merchants (like K-State – the entity that takes the credit card info from the customer)
• PCI Assessors (Qualified Security Assessor – QSA)
• Approved Scan Vendor (ASV)


Overview of PCI DSS

• Six goals with 12 general security requirements
• ~150 detailed requirements
• 288 testing procedures to assess whether a requirement is “in place”
• Is a substantial set of requirements designed to provide adequate protection of “cardholder data”
• Many are technical, but some are process and policy oriented; requirement 12 even dabbles in contract law
• Compliance = implementing all the requirements



Highlights: Build and Maintain a Secure Network

• Establish firewall and router configuration standards…
  … review firewall and router rule sets at least every six months
• Restrict connections between untrusted networks and any system components in the cardholder data environment…
  … verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and all other traffic is specifically denied (i.e., use an explicit “deny all” or implicit deny after allow statements)
• Prohibit direct public access between the Internet and any system component in the cardholder data environment
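The rule-set review described above, as an added example (not code from the slides or from K-State): a small Python audit that checks a simplified, constructed rule list for the three conditions the testing procedure names. It assumes the rules are already exported as (action, source, destination, service) tuples, that the cardholder data environment (CDE) is the constructed 10.20.30.0/24 segment, and that the only service the CDE needs to expose inbound is tcp/443; the weak and corrected rule sets are constructed to show what the audit catches.

```python
"""Audit a simplified firewall rule set against the PCI DSS traffic restrictions
quoted above.  Added example; the rule format, addresses and services are
constructed and are not the export format of any particular firewall."""
import ipaddress

# Constructed cardholder data environment (CDE) and the only inbound service
# other internal networks are meant to reach in it.
CDE = ipaddress.ip_network("10.20.30.0/24")
NECESSARY_INBOUND = {"tcp/443"}

# A rule is (action, src, dst, service); "any" means all addresses or services.
WEAK_RULES = [
    ("allow", "any", "10.20.30.0/24", "any"),   # wide open into the CDE
    ("allow", "10.20.30.0/24", "any", "any"),   # CDE may talk to anything
]                                               # no deny-all at the end

CORRECTED_RULES = [
    ("allow", "10.50.0.0/16", "10.20.30.0/24", "tcp/443"),  # internal clients, needed service only
    ("allow", "10.20.30.0/24", "10.40.0.0/16", "tcp/443"),  # outbound only to the payment gateway segment
    ("deny", "any", "any", "any"),                          # explicit deny all
]


def _overlaps_cde(addr: str) -> bool:
    """True if the address spec touches the CDE ("any" always does)."""
    return addr == "any" or ipaddress.ip_network(addr).overlaps(CDE)


def audit(rules) -> list:
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    if not rules or rules[-1] != ("deny", "any", "any", "any"):
        findings.append("rule set does not end with an explicit deny-all")
    for n, (action, src, dst, svc) in enumerate(rules, 1):
        if action != "allow":
            continue
        src_in_cde = src != "any" and _overlaps_cde(src)
        dst_in_cde = _overlaps_cde(dst)
        # Inbound toward the CDE: never from "any" source, only necessary services.
        if dst_in_cde and not src_in_cde:
            if src == "any":
                findings.append(f"rule {n}: allows any source into the CDE (direct public access)")
            if svc == "any" or svc not in NECESSARY_INBOUND:
                findings.append(f"rule {n}: allows non-necessary service {svc} into the CDE")
        # Outbound from the CDE: destination and service must both be specific.
        if src_in_cde and (dst == "any" or svc == "any"):
            findings.append(f"rule {n}: unrestricted outbound traffic from the CDE")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, audit(rules) or ["no findings"])
```

The slide accepts an implicit deny after the allow statements; the audit insists on an explicit final deny-all because that is what an assessor can see in the rule set during the six-monthly review.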


Highlights: Protect Cardholder Data

• Do not store sensitive authentication data after authorization (even if encrypted)…
  … card verification value (3-digit code on back of the card), PIN, or mag stripe content
• Render PAN [Primary Account Number] unreadable anywhere it is stored…
  … examine a sample of removable media (for example, back-up tapes) to confirm that the PAN is rendered unreadable
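The check the testing procedure above asks for, as an added example (not code from the slides or from K-State): scan a sample of stored data for primary account numbers, then render any that are found unreadable. PCI DSS requirement 3.4 lists one-way hashing, truncation, index tokens and strong encryption as acceptable methods; this example implements truncation (first six and last four digits kept) and a keyed one-way hash. The "backup tape" excerpt uses well-known industry test card numbers, and the HMAC key is a constructed placeholder.

```python
"""Find primary account numbers (PANs) in a sample of stored data and render
them unreadable.  Added example: the backup excerpt and the key are constructed."""
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed excerpt of a backup: two industry test card numbers, one digit
# string that fails the Luhn check, and ordinary numbers that must not match.
SAMPLE_BACKUP = (
    "order=1001 card=4111 1111 1111 1111 exp=12/13 amount=42.00\n"
    "order=1002 card=4111111111111112 exp=03/12 amount=17.50\n"
    "phone=785-532-6000 ticket=20110114\n"
    "order=1003 card=5555555555554444 exp=09/14 amount=99.99\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in text, in order."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash.  A plain SHA-256 of a PAN can be brute-forced over
    the small PAN space, so the key must be protected like any crypto key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def render_unreadable(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its truncated form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print("found:", find_pans(SAMPLE_BACKUP))
    print(render_unreadable(SAMPLE_BACKUP))
```

Running `find_pans` over the output of `render_unreadable` is the confirmation step: an empty result means no readable PAN survives on the sample. The Luhn filter keeps phone numbers and ticket ids out of the findings, but it is a necessary, not sufficient, test, so a reviewer still eyeballs what the scanner flags.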



Highlights: Maintain a Vulnerability Mgmt Program

• Use and regularly update antivirus software…
  … we can handle this one!!!
• Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed…
  … interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities and rank them based on risk
• Follow change control processes and procedures for all changes to system components…
  … for a sample of system components and recent changes/security patches, trace those changes back to related change control documentation


Highlights: Implement Strong Access Control Measures

• Limit access to system components and cardholder data to only those individuals whose job requires such access…
  … confirm that privileges are assigned to individuals based on job classification and function
• Incorporate two-factor authentication for remote access…
  … observe an employee connecting remotely to the network and verify that two of the three authentication methods are used
• Ensure proper user identification and authentication management for non-consumer users and administrators on all system components…
  … change user passwords at least every 90 days


Highlights: Regularly Monitor and Test Networks

• Implement automated audit trails for all system components…
  … verify all individual access to cardholder data is logged, along with all actions taken by any individual with root or administrative privileges
• Review logs for all system components at least daily
• Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis


Highlights: Regularly Monitor and Test Networks (continued)

• Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis
• Run internal and external network scans at least quarterly and after any significant change in the network…
  … via an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council
• Perform internal and external penetration testing at least once a year…
  … at the network layer and application layer
• Use intrusion-detection systems, and/or intrusion-prevention systems, to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment
• Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files


Highlights: Maintain an Information Security Policy

• Establish, publish, maintain, and disseminate a security policy…
  … that addresses all PCI DSS requirements
• Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security…
  … verify that personnel attend awareness training upon hire and at least annually
• Screen potential personnel prior to hire to minimize the risk of attacks from internal sources


K-State Compliance Plan

• Perform baseline survey audit of credit card handling, led by Internal Audit – starting March 2011
• Reduce scope of network exposure (for the quarterly scan)
• Contract with a QSA (PCI consultant) to do gap analysis and help develop a compliance plan
• Contract with ASV to perform initial quarterly network scan (late spring)
• Fill out SAQs (by June)
• Tackle full compliance in strategic, prioritized manner over next few years


Points to Ponder

• PCI DSS compliance is NOT optional
• Protecting credit card information is a serious matter requiring considerable effort and expense
• It is a university-wide effort – we must work together to move toward compliance as quickly as possible
• Is challenging since K-State has many merchants spread out all over campus with many ways of handling credit cards
• Many will have to change how they operate; some may find compliance too burdensome/expensive
• It’s not about complying with some arbitrary industry standard – these are reasonable security controls necessary for properly protecting confidential information


Policy

K-State does have a policy for credit card handling: www.k-state.edu/policies/ppm/6115.html

It includes a section on PCI compliance which states that departments must comply, do the quarterly scans, and fill out the SAQ (see “.070 Payment Card Industry Requirements”).


Contacts

Division of Financial Services: Jennyfer [email protected]

Information Security and Compliance: Harvard Townsend, harv@ksu.edu


What’s on your mind?
