PCI Security Standards Council - OWASP


PCI Security Standards Council
Guiding open standards for global payment card security
Jeremy King, European Director
July 2012

Agenda
- Why PCI?
- How the Council can help you
- How you can participate

Your Card Data is a Gold Mine for Criminals
Types of data on a payment card:
- Chip
- PAN
- Cardholder data
- Expiration date
- Magnetic stripe (data on tracks 1 & 2)
- CID (American Express)
- CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa)

They Steal Your Data and They Sell It

| Bank                            | Country / Account              | Balance       | Price |
|---------------------------------|--------------------------------|---------------|-------|
| Bank of America (BOA)           | USA                            | Sold          |       |
| Amsouth Bank                    | USA                            | 16,040        | 700   |
| Washington Mutual Bank (WAMU)   | USA                            | 14,400        | 600   |
| Washington Mutual Bank (WAMU)   | USA, Multi-Currency Acct.      | 7,950 / 2,612 | 500   |
| Washington Mutual Bank (WAMU)   | USA                            | Sold          |       |
| MBNA America Bank               | USA                            | 22,003        | 1,500 |
| Banco Bradesco S.A.             | Brazil, Dollar Account         | 13,451        | 650   |
| CITIBANK                        | UK, GBP Account                | 10,044        | 850   |
| NatWest                         | UK, GBP Account                | 12,000        | 1000  |
| BNP Paribas Bank                | France, Euro Account           | 30,792        | 2200  |
| Caja de Ahorros de Galicia      | Spain, Euro Account            | 23,200        | 1200  |
| Caja de Ahorros de Galicia      | Spain, Euro Account            | 7,846         | 500   |
| Banc Sabadell                   | Spain, Euro Account            | 25,663        | 1450  |

Business Sectors With the Most Breaches
- Accommodation and Food Service: 54%
- Retail Trade: 20%
- Finance and Insurance: 10%
- Healthcare and Social Assistance: 4%
- Information: 3%
- Other: 6%
Source: Verizon 2012 Data Breach Investigations Report

Organizations Ignored PCI and Were Breached
96% of those breached were not PCI compliant as of their last assessment (or were never assessed/validated).
Top attack methods used to breach organizations:
- 81% of incidents involved hacking
- 69% incorporated malware
- 10% involved physical attack

Top Mistakes By Those Breached, Revealed by Forensic Audits
- Weak or blank password for an administrative system account
- Wireless clients probe for ESSIDs from stored profiles when not connected
- Sensitive information transmitted unencrypted on the wire
- Continued use of Wired Equivalent Privacy (WEP) encryption
- MS-SQL Server with weak or no credentials for administrative account
- Client sends LAN Manager (LM) response for NTLM authentication
- Address Resolution Protocol (ARP) cache poisoning
- Misconfigured firewall rules permit access to internal resources
Source: Trustwave 2012 Global Security Report

EMV Environments Also Have Risks
- Lost & stolen card fraud is now at its lowest level since the industry collation of fraud losses began in 1991
- EMV by itself does not protect the confidentiality of, or inappropriate access to, sensitive authentication data and/or cardholder data

Compliance Is Good for Business

Cost of Complying:
- Upgrading payment systems and security
- Verifying compliance via assessment
- Sustaining compliance
- May cost as little as 150 to 2,500 per IP address per year for scans for smaller merchants. Can cost millions for complex or older systems (1)

Cost of a Breach:
- Average cost per compromised record is 214
- Average cost of a breach event is 7.2 million
- Non-compliance cost is an average of 2.65 times the cost of compliance
- Also: business disruption, reduced productivity, fees, penalties, other legal and non-legal settlement costs (2)

Sources: (1) "PCI Compliance Cost Analysis: A Justified Expense." A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. (2) Ponemon Institute.

PCI Security Standards Help You Protect Cardholder Data
Ecosystem of payment devices, applications, infrastructure and users:
- Manufacturers: PCI PTS (PIN entry devices)
- Software developers: PCI PA-DSS (payment applications)
- Merchants & service providers: PCI DSS (secure environments)
- P2PE

About the PCI Council
- Open, global forum
- Founded 2006
- Guiding open standards for payment card security
- Develop
- Manage process
- Educate
- Foster awareness

Global Representation, 600 Members
PayPal; RSA, The Security Division of EMC; Starbucks; TSYS; VeriFone Systems, Inc.; Wal-Mart Stores, Inc.; Cisco; Citi; First Data Corporation; Heartland Payment Systems; JPMorgan Chase & Co.; McDonald's Corporation; Barclaycard; British Airways; Cartes Bancaires; European Payments Council; IATA; Ingenico; Tesco Stores Limited; Cielo; Woolworths Limited
* Board of Advisors

The PCI Data Security Standard: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

PCI Standards Help Secure Your Data
- 92% of compromises were simple
- 97% were avoidable through simple or intermediate controls
Sources: Verizon 2012 Data Breach Investigations Report; Verizon Business 2011 Data Breach Investigations Report

You Drive the Open PCI Standards Lifecycle
Implementation -> Feedback -> Formal Feedback -> Draft Revisions -> Feedback (and back to Implementation)

Your Feedback Shapes the Standards
1. Feedback reviewed and categorized (April '12 - August '12)
2. Feedback shared with PCI community (August - September '12)
3. Feedback presented at 2012 Community Meetings (September '12 - October '12)
4. Revisions drafted for PCI DSS and PA-DSS (November '12 - April '13)
5. Final review period (May '13 - July '13)
6. Standards published (October '13)

PCI Security is a Journey, but reaching the summit holds immense value for your organization
96% of breach victims that are subject to PCI DSS had not achieved compliance.
Source: Verizon 2012 Data Breach Investigations Report

Use the Standards to Make Security Part of Your DNA
- Reduce the attack surface
- Continuous awareness & protection
- Prevent new types of exposure
- Measure success and identify opportunity

Focused Guidance on Payment Card Data
- Phone-based payment
- Wireless
- EMV

Even EMV Security Needs PCI
- The Council released guidance on EMV within an overall data security framework defined by the PCI Data Security Standard
- Guidance highlights benefits both systems bring to tackling fraud
- EMV does help prevent some types of fraud, but for a merchant to secure payment data they must also adopt all elements of the PCI DSS
- In today's EMV market, PCI DSS must be fully implemented to protect cardholder data

Point-to-Point Encryption

2012 Target Deliverables:
- General Requirements
- P2PE hardware encryption and hardware decryption
- P2PE "Hybrid": hardware encryption and hardware decryption, with transaction keys in software at decryption
- P2PE next phase

Point-to-Point Encryption:
- P2PE Assessor Qualification Requirements released
- Testing Procedures, Program Guide, SAQ and P2PE Assessor training now available
- Solutions listing for Fall 2012
- Sign up for P2PE Training

Mobile Update
Deliverable: Guidance and Best Practices
- Mobile Transactions Using SCR & P2PE for Merchants
- Mobile Acceptance Best Practices
Key areas of focus include:
- Devices
- Applications
- Service providers

Mobile Update: Accepting Mobile Payment
Mobile Payment Acceptance Security Fact Sheet for Merchants
- Understand PCI DSS responsibilities in mobile environments
- Leverage benefits of the P2PE program
- Choose a mobile payment acceptance solution that complements the merchant's PCI DSS responsibilities

2012 Training Highlights
- Qualified Integrators and Resellers (QIR) Program
- Corporate PCI Awareness - Let Us Come To You!
- Online Awareness Training in Four Hours
To learn more, g/index.php

Make 2012 the Year of Data Security Training

PCI SSC Internal Security Assessor (ISA) Program: helps security professionals improve their organizations' understanding of PCI DSS and validate and maintain ongoing compliance.

PCI Awareness Training: offers general PCI training across your business to ensure a universal understanding of PCI compliance.

Check out our Training Webinar!

2012 Training Schedule:
- ISA Training: Boston, MA, USA, 20-21 August
- QSA Training: Boston, MA, USA, 22-23 August
- ISA Training: Lake Buena Vista, FL, USA, 6-7 September
- PA-QSA Training: Lake Buena Vista, FL, USA, 8-9 September
- QSA Training: Lake Buena Vista, FL, USA, 10-11 September
- ISA Training: Lake Buena Vista, FL, USA, 10-11 September
- P2PE Training: Lake Buena Vista, FL, USA, 15-16 September

What is the Qualified Integrators and Resellers (QIR) Program?
PCI SSC certification program to educate, qualify, and train organizations involved in the implementation, configuration, and/or support of a PA-DSS validated payment application on behalf of a merchant.

Who can participate?
Any eligible company involved in implementing and configuring PA-DSS validated applications into merchant environments, including both brick-and-mortar and e-commerce environments.

What are the benefits?
- Achieve industry-recognized certification
- Be included on merchants' go-to global list of certified integrators and resellers
- Receive specialized training from PCI SSC experts on guidelines for implementing and maintaining payment applications
- Earn CPE credits

Online training will begin in fall 2012.
For more details, visit www.pcisecuritystandards.org/training/qir training.php.
Please contact QIR@pcisecuritystandards.org with any questions.

Agenda
- Why PCI?
- How the Council can help you
- How you can participate

Be Involved - Contribute Your Expertise!
- Chief Security Officers
- Information Security Professionals
- IT Managers
- Risk ...
- Technologists
- Chief Information Officers
- Legal Experts
- Data Security Experts
Join! Become a Participating Organization today.

Special Interest Groups (SIGs) Are For You
Risk ... org
Email today to join!

2013 SIG Proposal & Election Timeline
- June 1, 2012: proposal period opens
- July 31, 2012: proposal period closes

The Special Interest Groups (SIGs) leverage the valuable business and technical experiences of PCI SSC Participating Organizations to collaborate with the Council on any supporting guidance or special projects relating to the PCI Security Standards.

Submit your 2013 SIG proposal today!
- After the close of the SIG proposal period, a shortlist of proposals will be drawn up by PCI SSC and those selected notified.
- Presentations from POs and assessors on shortlisted SIG proposals will be given at the North American and European Community Meetings.
- An electronic vote on which proposals to move ahead with will follow in November.

NEW for 2013: Online Proposal Form now available 12.php

2012 PCI Community Meetings
- Orlando, Florida, USA: September 12-14, 2012
- Dublin, Ireland: October 22-24, 2012
Register today:
http://www.regonline.com/pcissc cm orlando2012
http://www.regonline.com/pcissc cm dublin2012

Summary
- Learn! Take advantage of the Council's resources and guidance, and training courses
- Join! Become a Participating Organization today
- Share! We want your feedback on the Standards
- Participate! Get involved in a Special Interest Group

Questions?
Please visit our website at www.pcisecuritystandards.org
