2015 IASA CAROLINAS CHAPTER MEETING, WAKE FOREST UNIVERSITY
Charlotte, December 14, 2015
2015 RSM US LLP. All Rights Reserved.

HOW CAN PCI BE LEVERAGED TO IMPROVE YOUR CYBERSECURITY PROGRAM
December 14, 2015

Objectives
- What PCI is, why it exists, and how PCI compliance affects your industry and organization
- Challenging requirements that could drastically impact your compliance efforts
- Guidance on how to provide the highest level of security for confidential data while still implementing efficient payment card processes
- How to gain the most benefit from PCI compliance to protect your whole organization

Introductions
Corbin Del Carlo
National Leader, PCI Services
Director, Security and Privacy Services
RSM US LLP
[email protected]
(847) 413-6319

The World Has Changed
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." - Cosmo, Sneakers

What drives PCI compliance?
- Hackers and large international organized crime syndicates
- Higher monthly fees for non-compliance
- The fallout of a data breach:
  - The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.
  - A breach could result in a cost of, on average, $200 per card number lost.
- Knowing what data you have and where it resides

Information Value (marketplaces)
(slide image not reproduced)

Fraud cycle
Cloned cards created -> cards purchased online -> profit!

How do the Criminals Make Money?
- Buy stuff (gift cards, luxury items, anything with high resale value)
- Keep goods or resell for cash

The PCI DSS
- The PCI DSS was introduced to force the implementation of controls at service providers and merchants to protect cardholder data (CHD)
- The PCI DSS has very specific controls that can be implemented to reduce the risk of data compromise
- Based on 12 requirements
- Roughly 404 sub-requirements, which are specific controls to be implemented
- Designed with current breach methods in mind and focused on implementing controls that prevent data loss

The PCI DSS (cont.)
- Required for all organizations that store, process, or transmit CHD
- Compliance deadline for service providers was April 30, 2007
- Compliance deadline for all organizations was September 30, 2009
- If the deadline passed six years ago, why do so many organizations still not even know what PCI compliance is?
- Compliance vs. validation

We are PCI compliant, we're done, right?
- Of course not. Many validated compliant organizations were still compromised:
  - Heartland Payment Systems (2008): 100 million cards lost
  - Hannaford Brothers (2008): 4.2 million cards lost
  - RBS WorldPay (2008): 1.5 million
  - Global Payments (2012): 7 million cards
  - Target (2013): 40 million cards

So what is the problem? PCI compliance is:
- Point in time
- Very limited in focus
- Contractual, not law
- Gives a false sense of security
- Significant costs create management expectations
- Implemented controls create employee frustration (bypassing controls)
- Security is the goal of the PCI DSS, but not the outcome

How does this affect the insurance industry?
- Lots of recurring payments, which can require significant CHD storage
- Legal or regulatory scrutiny based on publicity of a data breach
- PAN data integrated into multiple business processes
  - Segmentation difficult to impossible

Requirements that organizations struggle with
Scope of assessment
- Evidence that cardholder data only resides in the cardholder data environment. Proof via:
  - Data flow documentation
  - Interviews with business process owners
  - Automated scans at perimeter points
  - Proof of data containment
(Image courtesy of PCI SSC)

Requirements that organizations struggle with (cont.)
E-Commerce Scoping whitepaper
- Published in January 2013
- Clarifies the scope of PCI DSS in relation to e-commerce apps
- Most importantly, pulls redirect systems into scope
- SAQ exceptions
- http://bit.ly/1Lg1NXO
(Images courtesy of PCI SSC Information Supplement: PCI DSS E-Commerce Guidelines)

Requirements that organizations struggle with (cont.)
Requirement 3.4: Mixture of hash and truncation (tokens)
- Additional controls are required if both the hashed and the truncated versions of a PAN are present in the same system
- If the organization is using tokens, what are those tokens? See the Council's token guidance: http://bit.ly/1G2jfeW
Requirement 4.1: SSL no longer considered a secure protocol
- Must migrate to TLS 1.2, or have a plan to do so, by June 2016
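The Requirement 4.1 migration in practice. The following Python is an added example, not code from the presentation or from RSM: it shows the weak setting beside the corrected one for the standard ssl module, plus a small review of which in-scope systems still offer SSL or early TLS. The system names and their enabled-protocol lists are constructed for the example.

```python
import ssl

# Protocol versions from weakest to strongest. PCI DSS 3.1 treats SSL and "early TLS"
# as no longer secure; the slide names TLS 1.2 as the migration target.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTABLE = "TLSv1.2"

# Constructed inventory (hypothetical system names): the protocol versions each
# in-scope system currently has enabled.
SAMPLE_INVENTORY = {
    "pos-gateway": ["TLSv1.2", "TLSv1.3"],
    "legacy-web": ["SSLv3", "TLSv1", "TLSv1.2"],
    "old-pinpad-host": ["SSLv3", "TLSv1"],
}


def protocol_acceptable(name):
    """True if the named protocol version meets the TLS 1.2 floor."""
    if name not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol version: %s" % name)
    return PROTOCOL_ORDER.index(name) >= PROTOCOL_ORDER.index(MINIMUM_ACCEPTABLE)


def review_inventory(inventory):
    """Classify each system as compliant, migrate (disable weak versions), or upgrade."""
    verdicts = {}
    for system, enabled in inventory.items():
        weak = [p for p in enabled if not protocol_acceptable(p)]
        if not weak:
            verdicts[system] = "compliant"
        elif len(weak) < len(enabled):
            # TLS 1.2+ is already offered, so the fix is configuration: turn the weak versions off
            verdicts[system] = "migrate: disable " + ", ".join(weak)
        else:
            # nothing acceptable is offered; the software or device itself has to be replaced
            verdicts[system] = "upgrade: no TLS 1.2 support"
    return verdicts


def hardened_context(server_side=False):
    """An ssl.SSLContext that refuses anything below TLS 1.2."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    # The control itself. A server would additionally call ctx.load_cert_chain(certfile, keyfile).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_context():
    """The weak setting beside the corrected one: accept the lowest version the OpenSSL build supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_requirement(ctx):
    """Check any SSLContext against the Requirement 4.1 floor."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for system, verdict in review_inventory(SAMPLE_INVENTORY).items():
        print(system, "->", verdict)
    print("hardened context meets 4.1:", context_meets_requirement(hardened_context()))
    print("legacy context meets 4.1:", context_meets_requirement(legacy_context()))
```

The inventory review separates the two cases the slide's deadline forces apart: a system that already speaks TLS 1.2 only needs its weak versions switched off, while a device that offers nothing above TLS 1.0 has to be replaced, which is what the migration plan has to schedule.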

Requirements that organizations struggle with (cont.)
Requirement 10.2.1: Audit access to CHD
- All individual user access to CHD must be logged and included in the audit trails
- No shared accounts without some other control
Requirement 10.6: Daily log reviews
- Clarified that log reviews should identify suspicious activity or anomalies
- Allows a risk management strategy to be applied to the logs reviewed
- Actually a bit easier, but almost always requires a SIEM

Requirements that organizations struggle with (cont.)
Requirement 9.9: Protect capture devices
- All devices that capture payment data (PIN pads, card swipes, chip readers, etc.) must have unique tamper-proof stickers
- Periodic review of all stickers to validate that none are broken and no equipment has been substituted
Requirement 11.3: Pen-testing methodology
- Methodology has to be documented, based on an industry standard (such as NIST SP 800-115), and include current threats and vulnerabilities
- Has to include the CDE perimeter and critical devices
- Has to validate any segmentation or scope-reduction controls used to reduce the scope of the assessment
- Retention of remediation documentation
- http://bit.ly/1NrH5pt
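Requirement 10.6 above asks that daily log reviews identify suspicious activity or anomalies, and 10.2.1 that every access to CHD be attributable to an individual account. The following Python is an added example, not from the presentation or RSM, of the kind of rules a SIEM would run over CHD access records. The log line format, the host and table names, the shared-account list, the business-hours window and the bulk threshold are all constructed assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample access log (not from the presentation): one access record per line.
SAMPLE_LOG = """\
2015-12-14T09:02:11Z host=app01 user=jsmith action=read table=card_data rows=1
2015-12-14T09:05:40Z host=app01 user=admin action=read table=card_data rows=3
2015-12-14T02:17:45Z host=db01 user=mlee action=select table=card_data rows=1
2015-12-14T11:30:02Z host=db01 user=mlee action=select table=card_data rows=12000
2015-12-14T11:31:09Z host=laptop77 user=mlee action=select table=card_data rows=1
2015-12-14T12:00:00Z host=app01 user=jsmith action=read table=orders rows=40
this line is not in the expected format
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Hypothetical environment facts: which tables hold CHD, which hosts are inside the CDE,
# which accounts are shared (10.2.1 wants individual accountability), and what "normal" looks like.
CHD_TABLES = {"card_data"}
CDE_HOSTS = {"app01", "db01"}
SHARED_ACCOUNTS = {"admin", "svc_report"}
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC
BULK_ROW_THRESHOLD = 500


def parse_line(line):
    """Return a record dict, or None for a line that does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec


def flags_for(rec):
    """Anomaly rules applied to one CHD access record; each hit names the rule that fired."""
    flags = []
    if rec["user"] in SHARED_ACCOUNTS:
        flags.append("shared-account")        # 10.2.1: access is not attributable to a person
    if rec["ts"].hour not in BUSINESS_HOURS:
        flags.append("after-hours")           # outside the window this process normally runs in
    if rec["rows"] >= BULK_ROW_THRESHOLD:
        flags.append("bulk-access")           # one query touching far more records than usual
    if rec["host"] not in CDE_HOSTS:
        flags.append("host-outside-cde")      # CHD reached from a system outside the defined scope
    return flags


def review(lines):
    """Daily review: count CHD accesses, surface malformed lines, and list every rule hit."""
    summary = {"chd_records": 0, "malformed": 0, "findings": []}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            summary["malformed"] += 1      # unparseable lines are a finding too: they hide activity
            continue
        if rec["table"] not in CHD_TABLES:
            continue                        # not CHD; out of scope for this review
        summary["chd_records"] += 1
        for flag in flags_for(rec):
            summary["findings"].append((n, rec["user"], flag))
    return summary


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("CHD accesses reviewed:", result["chd_records"], "malformed:", result["malformed"])
    for line_no, user, flag in result["findings"]:
        print("line %d user %s: %s" % (line_no, user, flag))
```

The review keeps the malformed count rather than silently skipping bad lines, because a log source that changes format is one of the ways 10.6 reviews quietly stop covering what they are supposed to cover.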

Requirements that organizations struggle with (cont.)
Requirement 12.8.5: Vendor management
- Merchant must maintain information on which PCI DSS requirements are managed by each service provider and which by the entity itself
- Responsibility matrix: MORE than just contractual language
- Organization may need to determine whether a TPSP meets PCI DSS requirements, depending on the services provided
Requirement 12.9: Vendor acknowledgement
- Service providers must provide, and merchants must obtain, written acknowledgement of the responsibilities discussed in 12.8

Requirements that organizations struggle with (cont.)
Matrix example:
(slide image not reproduced)

SAQs
SAQ v3.1
(slide images not reproduced)

EMV AND HOW TO REDUCE PCI RISK

EMV
- Chip-based cards
- EMV: Europay, MasterCard and Visa
- October 1, 2015: date to have EMV (chip) implemented
- Only chip and signature in the USA
- Liability for loss shifts to the party with the lower technology
- Minimal PCI DSS impact. Consider:
  - Chip does not change PAN transmission
  - Are transactions going directly from POS to processor and not entering the network?
  - Card-not-present channels (e-commerce, mail-in, phone, fax) are not impacted
  - What are the costs to implement updated PIN pads/POS?
  - Business perspective on updating

EMV Chip and Signature
- Confirm issuer and processor are ready to accept chip and signature
- Global operations
  - Implement globally, if you have not already done so
  - Implement in the US
- P2PE (point-to-point encryption): consider EMV as part of this solution
- Multiple initiatives:
  - Some organizations are in the process of implementing as part of POS upgrade tasks
  - Some organizations are waiting to upgrade until it is time to replace POS devices
  - Some organizations are waiting to see if the date is pushed back for EMV solutions
- EMV will move forward as a result of the high rate of breaches. The US does 24% of global card transactions and is currently the target of 70% of fraud activity.

Tokenization
- The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
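The tokenization definition above, together with the earlier Requirement 3.4 point about hashed and truncated PANs coexisting in one system, in working Python. This is an added example, not the presentation's or RSM's code. The sample PAN is the common 16-digit test number 4111111111111111; the vault, the role name "payments", the keyed-hash construction and the choice to make tokens Luhn-invalid are assumptions of this example rather than PCI requirements. The `luhn_completions` function quantifies the 3.4 concern: with the first six and last four digits visible, only 10^5 Luhn-valid card numbers fit the truncated form, which is why an unkeyed hash stored beside it needs an additional control such as a keyed hash whose key lives elsewhere.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (the common test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan):
    """Luhn check-digit validation as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan):
    """PCI DSS truncation: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def luhn_completions(masked):
    """How many Luhn-valid PANs share this truncated form.

    Each Luhn position maps digits bijectively, so given all other digits exactly one
    value fits in any one position: k masked digits leave 10**(k-1) valid completions.
    """
    k = masked.count("*")
    if k == 0:
        raise ValueError("nothing is masked")
    return 10 ** (k - 1)


def unkeyed_hash(pan):
    """Plain SHA-256 of the PAN: deterministic and secret-free, so it can be recomputed
    for every candidate that luhn_completions() counts. This is the 3.4 problem."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan, key):
    """HMAC-SHA256 under a secret key: one form of the additional control 3.4 asks for.
    Without the key (kept away from the system holding truncated values) candidates cannot be tested."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization as the slide defines it: a value with no mathematical relationship to
    the PAN, mapped back only through the vault (assumed in-memory here)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:                 # one token per PAN keeps recurring payments matchable
            return self._by_pan[pan]
        while True:
            # Random digits with the last four kept for display. Deliberately Luhn-invalid so a
            # leaked token cannot be mistaken for a card number (a design choice, not a PCI rule).
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token, role):
        """Only the payment function may recover the PAN; every other consumer keeps the token."""
        if role != "payments":
            raise PermissionError("role %r may not detokenize" % role)
        return self._by_token[token]


if __name__ == "__main__":
    masked = truncate(SAMPLE_PAN)
    print(masked, "is shared by", luhn_completions(masked), "Luhn-valid PANs")
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token:", tok, "luhn-valid:", luhn_valid(tok))
    print("payments sees:", vault.detokenize(tok, "payments"))
```

The vault is the scope-reduction tool the EMV and P2PE slides sit next to: systems that only ever hold the token and the truncated display value have nothing to reconstruct, which is the property a hash of the PAN does not give you on its own.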

P2PE
- P2PE ensures sensitive credit and debit card data is protected from the first card swipe, while in transit to the payment processor, where it is securely decrypted
- Consider P2PE along with EMV as part of your solution

WHAT CAN BE DONE: IT'S NOT HOPELESS

How Do I Get Started? When I get back to the office today:
- Review your information security policy/program
- How mature is our incident response plan?
- How mature is our risk assessment?
Daily/Weekly
- Update anti-virus software and apply patches
- Monitor access to critical data

How Do I Get Started? (cont.)
Monthly
- Review daily processes (terms, change management, log reviews)
- Check security patches
Quarterly
- Test security systems and processes
- Vulnerability scanning
Yearly
- Independent penetration testing
- Review and update DR/IRP plan
- Vendor security reviews
- Security awareness
Every 3-5 Years
- Revisit security strategy/needs (RA): does it really address your threats?

Corbin Del Carlo
[email protected]
(847) 413-6319

RSM US LLP
4725 Piedmont Row Drive, Suite 300
Charlotte, NC 28210
704.367.6251
+1 800 274 3978
www.rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP.
