One Utility's PCI audit Experience

Angela Hare

Disclaimer Angela Hare is by no means a PCI expert. She is simply the only employee at Central EMC who didnt know to be sick the day a compliance meeting was mentioned.

What in the world is PCI??? The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

In English Protect your customers credit card data

OR ELSE..

Credit Card fraud cant happen to me!

Massive Theft of Credit Card Numbers Reported Heartland Payment Systems, a payment processor for hundreds of thousands of businesses, disclosed today that it has been hit by what may be the largest credit card data theft to date. IT People, Places, Things to Hear More or Less About in '08 Looking ahead to 2008, here are three subjects we hope to hear more about--and a few we'd like to hear less about. Cost of Data Breaches Rising Organizations that are hit by data breaches are paying more to recover their losses and retain customers. California Governor Vetoes Bill on Data Breach Costs Gov. Schwarzenegger vetoed a bill requiring retailers affected by data breaches to reimburse banks for the costs involved in dealing with them. Gap Contractor Blamed for Data Breach The Gap says one of its vendors lost laptops with information on 800,000 job applications. Pfizer Employees at Risk for Identity Theft In July Pfizer discovered a data breach that took place last year, informed employees only recently. Stolen Monster Data Put to Bad Use The Trojan horse used to steal personal data from Monster.com sends targeted spam seeking recruits for moneylaundering jobs. Monster Shuts Down Rogue Server Monster has shut down a server that hackers used to steal job seekers' personal data. Disney Warns of Data Leak A subcontractor for the Disney Movie Club was caught selling customer credit card numbers and other data. Gov't Report: Data Breaches Don't Often Result in ID Theft Most large data breaches don't appear to lead to identity theft, and proposals that would require companies to notify customers of most breaches may lead to increased costs. Gas Stations Ripe for ID Theft? Insecure networks and point-of-sale terminals are riskier than online shopping, Gartner charges. Data Breaches Could Take a Toll on E-Commerce Consumers are becoming skittish about the potential dangers of e-commerce, survey says. Los Alamos Breach Caused by Human Error Security breach that may have exposed nuclear secrets was not a breakdown in security processes. Lab May Have Exposed Nuclear Weapons Data Officials at the Los Alamos National Laboratory used unsecure e-mail to share classified information concerning materials used in nuclear weapons.

Twelve Requirements of PCI DSS

Build and Maintain a Secure Network. Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters . Protect Cardholder Data. Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks . Maintain a Vulnerability Management Program. Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications.

Twelve Requirements Cont

Implement Strong Access Control Measures. Requirement 7: Restrict access to cardholder data by business need-toknow. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data . Regularly Monitor and Test Networks. Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy. Requirement 12: Maintain a policy that addresses information security.

How do I know if PCI applies to me?

If you accept credit card payments it applies to you.

Merchant Levels
Level 1 Any merchantregardless of acceptance channelprocessing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Level 2 Any merchantregardless of acceptance channelprocessing 1M to 6M Visa transactions per year. Level 3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. Level 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchantsregardless of acceptance channelprocessing up to 1M Visa transactions per year.

Central EMCs Approach Self-Assessment Questionnaire EMC Technologies evaluation & penetration testing Form a team to assess. Make the needed changes.

Changes to IVR Before CC info stored in engine logs & CC pmt table Stored for 30 days Network Admin & Milsoft personnel have access Now No CC information stored Access is the same

Other Changes
CIS CC information is XXXXX out. Network Firewall installed Tipping Point installed Secureworks monitoring PCI Scan Quarterly

Physical CSR notebooks are locked up at night. Additional doors are locked. New Security System to be installed Additional security cameras to be installed Employee training/policy

Are we better off? Yes, but Social Engineering Tracking the fraud

Where can I find more information? www.pcisecuritystandards.org www.pcicomplianceguide.org www.secureworks.com

Questions?
Thank you! Angela Hare Director of Information Systems Central EMC harea@cemcpower.com