PCI Compliance – What’s the buzz?… Neira Jones, Head of Payment Security, Barclaycard, 23rd March 2011

Sc World Congress Econference March 2011

Jun 10, 2015


Neira Jones

My latest presentation at the SC World Congress e-conference on 23rd March.
Transcript
Page 1: Sc World Congress Econference March 2011

PCI Compliance – What’s the buzz?…

Neira Jones, Head of Payment Security, Barclaycard
23rd March 2011

Page 2

Headlines…

• 18th October 2010: the UK Government published its National Security Strategy.
  – This placed "Hostile attacks upon UK Cyberspace by other states and large scale cyber crime" at the same level as international terrorism and international military threats.

• The Olympics are a target: in 2008, Beijing suffered 12 million cyber attacks per day.
  – These games ran (!) for 16 days: total number of attacks = 192 million.
  – The number of Internet users was estimated at 1.9 billion in June 2010*, a 23% increase since 2008.
  – As the number of internet users increases, a far larger attack statistic in 2012 is likely.

• A study by Cisco Systems (December 2010) projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013.

* Source: Miniwatts Marketing Group, 2010

Page 3

Cloud Computing

• 2010: the Year Of The Cloud (Salesforce.com, IBM, Google, Microsoft, Oracle, Amazon, Rackspace, Dell and others)

• The key opportunity for service providers is to differentiate themselves by becoming cloud service providers.

• Perceived key benefits for organisations considering a move to the cloud:
  – reduce capital costs
  – become more agile by divesting infrastructure and application management to concentrate on core competencies
  – opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements.

• Key issues for organisations when determining migration decisions:
  – security and control
  – data-centre overcapacity and scale
  – availability of skilled IT people.

Page 4

The digital era…

• By 2015 there will be more interconnected devices on the planet than humans.*

• What’s mobile? What do I need to do?

• The most recent figures estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people.**

• Every year, we share more of ourselves online.

• Each time we do this, we place our data and our faith in the security measures taken by those managing it on our behalf.

* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010

Page 5

Page 6

Fraud news (UK)…

☺ Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for a decade.
  • This represents a 17% drop to £365M, compared to a 28% fall in 2009.
  • Phone, internet and mail-order fraud (Card Not Present) fell 15%, compared to a 19% drop in 2009. CNP fraud remains by far the biggest category.
  • Crooks still got away with £1 million/day.

“While another drop in fraud is good news, the crooks haven’t shut up shop, which is why there can be no room for complacency from the industry, shops or consumers.”

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit

Page 7

The challenges…

• Cloud computing
• Mobile infrastructure
• Third parties
• Governance or compliance?
• Risk management

Page 8

Cloudy out there…

Page 9

Moving to the Cloud?...

• Use the Cloud Computing Reference Model provided by NIST.
  – ask cloud services providers to disclose their security controls
  – ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
  – “consuming” organisations will need to know which controls are needed to maintain the security of their information.

• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.

Page 10

NIST Cloud Reference Model

[Figure: the cloud service stack, bottom to top]
  Infrastructure as a Service (IaaS): Facilities – Hardware – Abstraction – Core Connectivity & Delivery – APIs
  Platform as a Service (PaaS): Integration & Middleware
  Software as a Service (SaaS): Information (Data, Metadata, Content) – Applications – APIs – Presentation

• Infrastructure as a Service (IaaS)
  – Lowest level infrastructure resource stack
  – Capability to abstract resources (or not)
  – Physical and logical connectivity to those resources
  – Provides a set of APIs which allows “consumers” to interact with the infrastructure.

• Platform as a Service (PaaS)
  – Sits on top of IaaS
  – Additional integration layer with application development frameworks
  – Middleware
  – Programming languages and tools supported by the stack
  – Functions allowing developers to build applications on the platform

• Software as a Service (SaaS)
  – Sits on top of IaaS and PaaS stacks
  – Self-contained operating environment to deliver the entire user experience

Page 11

Cloud Computing and security

• Does the risk of moving sensitive data and applications to an emerging infrastructure exceed your tolerance levels?

• The limitations on cloud computing growth will include issues of:
  – Data custody
  – Control
  – Security
  – Privacy
  – Jurisdiction
  – Portability standards for data and code

• Adopting cloud computing is a complex decision involving many factors: desktop applications, e-mail, collaboration, enterprise resource planning and potentially any application.

• The key consideration for a security architecture is that the lower down the SPI stack (SaaS, PaaS, IaaS) the cloud service provider stops, the more organisations will be responsible themselves for managing the risk to their assets.

Cloud Computing isn’t necessarily more or less secure than your current environment.

Page 12

Control & risk management

• Whilst the risk assessment depends on the “where” and “how” of the assets, it also depends on the following:
  – The types of assets being managed
  – Who manages them and how
  – Which controls are selected and why
  – What compliance issues need to be considered

• Consideration should be made for risk mitigation in each of the SPI tiers (SaaS, PaaS, IaaS) and compliance/regulatory requirements should be considered (e.g. PCI DSS, FSA, SOX, etc.).

What degree of control and risk management will the organisation have for each of the cloud service models (IaaS, PaaS, SaaS)?

Page 13

Find the gaps!

[Figure: the three models mapped side by side]
  Cloud Reference Model (bottom to top):
    – IaaS: Facilities, Hardware, Abstraction, Core Connectivity & Delivery, APIs
    – PaaS: Integration & Middleware
    – SaaS: Information (Data, Metadata, Content), Applications, APIs, Presentation
  Security Control Model: Physical, Compute & Storage, Trusted computing, Network, Management, Information, Applications
  Compliance Model: PCI DSS, ISO 27002, DPA, DDA, SOX, FSA

Page 14

Who does what?

The lower down the stack the cloud service provider stops, the more security capabilities and management “consuming” organisations are responsible for implementing & managing themselves.

• IaaS: Provider responsible for securing the underlying infrastructure and abstraction layers. “Consuming” organisation will be responsible for the security of the remainder of the stack.

• PaaS: Provider responsible for the security of the platform. “Consuming” organisations responsible for
  – securing applications developed against the platform
  – developing applications securely (e.g. OWASP Top 10).

• SaaS: Provider bears the responsibility for security. Security controls and their scope are negotiated in the service contracts (SLAs, privacy, compliance, liability etc.).

Page 15

Evaluate cloud service providers

• Evaluating the risk for potential cloud service providers is a challenge:
  – ask cloud services providers to disclose their security controls
  – ask cloud services providers to disclose how these controls are implemented to the “consuming” organisation
  – “consuming” organisations will need to know which controls are needed to maintain the security of their information.

• This is a vital step as it is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements.

For further reading, see http://www.cloudsecurityalliance.org/Research.html

Page 16

On the move with mobile…

Page 17

What’s mobile?

• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”
• Laptops, netbooks, tablet computers & Personal Digital Assistants (PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)

What do I need to do?
What does a mobile security policy look like?
How do I enforce it?

Page 18

It’s all about risk…

Page 19

What’s the buzz?

• Visa TIP program promotes a risk based approach.

• The banks want merchants to take a risk based approach.

• The merchants want to take a risk based approach.

• The PCI SSC has ‘blessed’ the adoption of a risk based approach.

At the end of the day, what we all want is to stop sensitive information being exploited by fraudsters.

The era of compliance for compliance’s sake is drawing to an end.

Page 20

Barclaycard’s top ten tips

Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early.
3. Scope: understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder data environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically; once a year is advised).

Reduce risk
6. Remove sensitive authentication data (SAD) storage as the top priority.
7. Prioritise risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have implemented EMV in their face-to-face channel.)
8. Outsource to compliant third parties where possible: in the e-commerce space, Level 1 PCI DSS compliant end-to-end e-commerce Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.). Whilst these are not PCI DSS requirements, they will improve security and reduce risk.
10. If compensating controls are required, ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).
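Tips 3 to 6 all hinge on knowing where cardholder data and sensitive authentication data actually sit, and application logs and dumps are the classic place SAD turns up long after a transaction. The following is an added example for this page, not code from the presentation, Barclaycard or the PCI SSC: a small Python scanner that walks text line by line, Luhn-validates PAN candidates (so timestamps and ticket numbers are not reported), recognises magnetic-stripe track 1/track 2 data and CVV-style fields, and reports masked findings. The regular expressions are assumptions about common storage formats, and the sample log is constructed using published industry test card numbers.

```python
"""Find stored cardholder data and sensitive authentication data (SAD) in
free text such as application logs, database dumps or file exports.

Added example, not part of the original presentation. The patterns below
are assumptions about how PANs, track data and CVVs commonly appear, and
SAMPLE_LOG is constructed (industry test card numbers, not real accounts).
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run. The Luhn check below removes most
# false positives (dates, order and ticket numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\??")
# Field names under which the card verification value commonly leaks.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[=:]\s*(\d{3,4})\b", re.I)

SAD_KINDS = {"track1", "track2", "cvv"}   # storage forbidden even if encrypted


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits for the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return a list of (kind, masked_value) findings for one line."""
    findings = []
    covered = []                    # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            covered.append(m.span())
            findings.append((kind, mask_pan(m.group(1))))
    for _ in CVV_RE.finditer(line):
        findings.append(("cvv", "***"))   # never echo the value itself
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue                # PAN inside track data, reported above
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_text(text: str):
    """Map 1-based line number -> findings, for lines with at least one hit."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            results[lineno] = hits
    return results


def classify(text: str):
    """Map line number -> 'SAD' (must be removed) or 'PAN' (must be protected)."""
    return {
        n: ("SAD" if any(k in SAD_KINDS for k, _ in hits) else "PAN")
        for n, hits in scan_text(text).items()
    }


# Constructed sample of a payment application's debug log.
SAMPLE_LOG = """\
2011-03-23 10:01:02 INFO  order=1001 status=approved amount=49.99
2011-03-23 10:01:05 DEBUG auth request pan=4111111111111111 exp=1303 cvv2=123
2011-03-23 10:01:09 DEBUG swipe raw=%B5105105105105100^DOE/JOHN^1305101?;5105105105105100=13051011234?
2011-03-23 10:02:11 INFO  ticket ref 1234567890123 opened
"""

if __name__ == "__main__":
    severity = classify(SAMPLE_LOG)
    for n, hits in scan_text(SAMPLE_LOG).items():
        print(f"line {n}: {severity[n]} {hits}")
```

Lines 2 and 3 of the constructed log are reported as SAD (a CVV and full track data respectively), while the 13-digit ticket reference on line 4 fails the Luhn check and is ignored. Running something like this over the outputs found during the data flow mapping in tip 5 turns "we think we don't store SAD" into evidence, and the masked output can be shared with a QSA without itself becoming another copy of cardholder data.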

Page 21

Third parties: do I have a choice?

How organisations can select service providers

For those who outsource…
• 324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites
  http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
  http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• 867 Level 1 PCI DSS compliant service providers listed on MasterCard website
  http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20November%2029%202010.pdf

For those who want to retain control in-house…
• 724 PA DSS validated payment applications on PCI SSC website
  https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true

Barclaycard’s position…
• We always recommend that our customers use Level 1 Service providers, as self-assessment does not provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers, as a merchant cannot reach compliance without their third parties being compliant.

Page 22

[email protected]

http://uk.linkedin.com/pub/neira-jones/0/7a5/140

Twitter: neirajones