Issuer Data Security 07272011.PDF.rb

Published on January 2017 | Categories: Documents | Downloads: 32 | Comments: 0 | Views: 191

Issuer Data Security Trends and Best Practices
July 27, 2011

Visa Public

Issuers Data Security Trends and Best Practices
• Issuer Security Environment
• PCI DSS Compliance for Issuers
• PCI DSS Compliance for ATM Environment
• ATM Cash Out Preventive Measures
• ATM Malware and Best Practices for PIN Security
• PCI PIN and PCI EPP Security Requirements
• Resources


Top 7 PCI DSS and PCI PIN Violations
Based on compromises of PIN and cardholder data, Visa has found the following common issues:

1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attack
6. Poor cryptographic key management used for PIN encryption
7. Weak controls over production HSM environment


PCI DSS Compliance for Issuers
• Issuers are required to be PCI DSS compliant
• Issuers that are directly connected to VisaNet and/or process on behalf of other Visa clients must validate PCI DSS annually with Visa
  – Third Party Processors must use a QSA for validation
• Individual issuers' validation may be performed by a QSA or internal auditor
• PCI SSC has clarified issuers may store sensitive authentication data
  – There must be a legitimate business need to store such data
  – Must be protected in accordance with the PCI DSS


PCI DSS Compliance for ATM Environment
• An Issuer’s ATM network and physical environment must be PCI DSS compliant
• As a best practice, ATM core processing applications should adhere to the PA-DSS
• PCI SSC has clarified ATMs may store sensitive authentication data
  – There must be a legitimate business need to store such data
  – Must be protected in accordance with the PCI DSS


Preventive Measures
• Review all external facing applications and systems (production, development, test)
• Harden all servers and databases
• Remove risky protocols such as Terminal Services, NetBIOS, etc.
• Disable direct queries/command shell/stored procedures on databases
• Implement “deny/deny” on firewall configuration and block compressed files (i.e., .RAR, .TAR, .ZIP, etc.) on outbound traffic
• Limit administrative access to critical systems
• Review high-privileged accounts and implement group policies (e.g., SA, database operators, domain users)
• Segregate payment processing systems from other non-payment networks

Preventive Measures
• Transaction monitoring
  – Velocity controls
  – Transaction limits
  – Real-time fraud checking and alerts

• Deploy third-party tool to identify malicious/unauthorized software
• Review IVR and HSM and consider disabling clear-text HTTP GET requests
• Deploy Security Information and Event Management (SIEM)
  – Implement and review security event logs
  – Centralize tracking and review of logs and network traffic

• Deploy Data Loss Prevention (DLP)
• Segregate Internet-facing networks from internal networks
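The egress controls and SIEM log review above can be exercised against firewall logs. The following is an added example, not Visa's material or any vendor's tool: it parses constructed firewall egress log lines and flags the two conditions the slides call out, outbound transfers of compressed archives and allowed connections to destinations outside a deny-by-default allow-list. The log format, the IP addresses and the allow-list are assumptions made for this example.

```python
"""Added example (not from the Visa deck): review constructed firewall egress
log lines for outbound archive transfers (.RAR/.TAR/.ZIP etc.) and for allowed
connections to destinations that a deny-by-default policy should not permit."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log format (constructed for this example):
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip>:<port> proto=<proto> [uri=<path>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)(?: uri=(?P<uri>\S+))?$"
)

# Archive types the slides say to block on outbound traffic (extended with
# two common ones; the list is an assumption).
ARCHIVE_EXTS = (".rar", ".tar", ".zip", ".7z", ".gz")

# Constructed allow-list: the only outbound (dst, port) pairs the payment
# segment legitimately needs, e.g. the processor host and the patch server.
ALLOWED_EGRESS = {("203.0.113.10", 443), ("203.0.113.20", 443)}


@dataclass
class Finding:
    line_no: int
    reason: str
    src: str
    dst: str


def review_egress(log_lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious condition, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            # A line the parser cannot read should be surfaced, not silently dropped.
            findings.append(Finding(n, "unparseable log line", "", ""))
            continue
        dst = (m["dst"], int(m["port"]))
        # Drop any query string before checking the extension.
        uri: Optional[str] = m["uri"]
        path = (uri or "").split("?", 1)[0].lower()
        if m["action"] == "ALLOW" and dst not in ALLOWED_EGRESS:
            findings.append(Finding(n, "allowed egress to non-allow-listed destination",
                                    m["src"], m["dst"]))
        if path.endswith(ARCHIVE_EXTS):
            ext = path.rsplit(".", 1)[-1]
            findings.append(Finding(n, f"outbound archive transfer ({ext})",
                                    m["src"], m["dst"]))
    return findings


# Constructed sample log: one clean request, one archive upload to an unknown
# host, one denied FTP attempt, one archive pulled over an allowed channel, and
# one malformed entry.
SAMPLE_LOG = [
    "2011-07-27T10:00:01Z ALLOW src=10.1.2.5 dst=203.0.113.10:443 proto=tcp uri=/auth",
    "2011-07-27T10:00:05Z ALLOW src=10.1.2.5 dst=198.51.100.7:80 proto=tcp uri=/upload/track.zip",
    "2011-07-27T10:00:09Z DENY src=10.1.2.6 dst=198.51.100.9:21 proto=tcp",
    "2011-07-27T10:00:12Z ALLOW src=10.1.2.7 dst=203.0.113.20:443 proto=tcp uri=/patches/hotfix.tar",
    "malformed entry that the collector truncated",
]

if __name__ == "__main__":
    for f in review_egress(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} {f.src} -> {f.dst}".rstrip(" ->"))
```

Note that the archive check fires even for the allow-listed patch server on line 4: the slides ask for compressed files to be blocked outbound regardless of destination, so the review flags it for a human to confirm that it was a legitimate patch pull rather than data leaving the segment.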

Recent ATM Malware Attacks
• Confirmed cases in Russia, Ukraine and Mexico
• Modes of Attack
  – Direct USB injection of malware into ATM by ‘Trusted’ ESO
  – Manipulation of ATM patches remotely loaded (Ukraine)
  – Insecure key loading from back of ATM exposed Key Exchange Key
    • Non-compliance with PCI PIN Security Requirements
• Known cases involved access to a non-hardened Operating System – Windows XP
  – Weak administrative user access controls and passwords
• Modified chip cards used at ATMs used to:
  – Write data to chip or print data to paper
  – Dispense all ATM cash
• April 2011 Visa Business News describing latest attack

Recommendations to Protect ATMs Against Malware Attack
• Visa published a list of known malware hash values
• Clients should use this information to work with ATM vendors, processors and security teams to identify the existence of ATM malware
• Ensure the integrity of all software maintenance fixes via the use of checksums, digital signatures, etc.
• Equip ATMs with sensors detecting external intrusion
• Operating Systems’ user management controls must be compliant with the PCI DSS requirements
• Configure Operating Systems in accordance with the PCI DSS requirements, including patch management, password management and the overall security configuration

Recommendations to Protect ATMs Against Malware Attack
• Implement enhanced access controls, such as one-time passwords, challenge-response mechanisms, etc.
• Implement the least privilege necessary for system, service and software accounts
• Utilize hard drive encryption
• Implement a trusted environment – validate software integrity and authenticity upon start-up and at least once per day to help determine whether the ATM is in a compromised state
• Patch and secure necessary systems, services and software
• Completely disable or remove unused and unnecessary services and software – e.g. RMS
• Vet and register with Visa only trusted Plus ESO Agents
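The two preceding slides ask for software maintenance fixes to be verified with checksums or digital signatures, for the installed software to be validated at start-up and daily, and for the published malware hash list to be used to look for ATM malware. The following is an added example of how those three checks fit together; it is not Visa's code, nor any ATM vendor's integrity mechanism. It hashes every file under an install directory with SHA-256, compares the result with a baseline manifest, and checks each digest against a set of known-bad hashes. In place of a vendor digital signature it uses an HMAC-SHA256 tag over the manifest; the key, the directory layout, the file contents and the "known bad" hash are all constructed for the example, and the key is assumed to be held by the operator rather than stored on the ATM disk.

```python
"""Added example (not Visa's or any vendor's code): start-up / daily integrity
validation of an install directory against a keyed baseline manifest, plus a
check of every file digest against a known-malware hash list."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Serialize the manifest and append an HMAC-SHA256 tag (stand-in for a
    vendor digital signature; assumption of this example)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_signed_manifest(blob: bytes, key: bytes) -> Dict[str, str]:
    """Verify the tag before trusting the baseline; a forged or edited
    manifest must not become the reference the ATM validates against."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest signature invalid: refusing to trust baseline")
    return json.loads(body)


def validate(root: Path, signed_manifest: bytes, key: bytes,
             known_bad: Set[str]) -> List[str]:
    """Return sorted findings; an empty list means the install matches baseline."""
    baseline = load_signed_manifest(signed_manifest, key)
    current = build_manifest(root)
    findings: List[str] = []
    for rel, digest in current.items():
        if digest in known_bad:
            findings.append(f"KNOWN MALWARE HASH: {rel}")
        if rel not in baseline:
            findings.append(f"unexpected file added: {rel}")
        elif baseline[rel] != digest:
            findings.append(f"file modified: {rel}")
    for rel in baseline:
        if rel not in current:
            findings.append(f"file missing: {rel}")
    return sorted(findings)


def demo() -> Tuple[List[str], List[str]]:
    """Construct a toy install, sign its baseline, validate it clean, then
    tamper with it (modify, add, delete) and validate again."""
    key = b"operator-held-key (assumption: kept off the ATM disk)"
    known_bad: Set[str] = set()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "atmcore.exe").write_bytes(b"constructed core application v1")
        (root / "bin" / "pinpad.dll").write_bytes(b"constructed EPP driver")
        signed = sign_manifest(build_manifest(root), key)
        clean = validate(root, signed, key, known_bad)
        # Simulated tampering: patched binary, dropped file, deleted driver.
        (root / "bin" / "atmcore.exe").write_bytes(b"constructed modified core")
        (root / "bin" / "dropper.exe").write_bytes(b"constructed unwanted payload")
        (root / "bin" / "pinpad.dll").unlink()
        # Constructed "published hash" entry: the dropper's own digest.
        known_bad.add(sha256_file(root / "bin" / "dropper.exe"))
        dirty = validate(root, signed, key, known_bad)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean install findings:", before)
    print("tampered install findings:", after)
```

Scheduling `validate` at boot and once a day, as the slide recommends, only helps if the baseline cannot be rewritten by whoever rewrote the binaries, which is why the manifest is keyed and the key is assumed to live with the operator; a known-bad match is reported separately from an "unexpected file" so that a hit against the published hash list is escalated rather than treated as routine drift.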

Recommendations to Protect ATMs Against Malware Attack
• Use anti-malware solutions that can detect and prevent unwanted changes
  – White list of executables / executable at the kernel level / lockdown of OS
• Check vendor manuals and Internet resources for default, blank, and weak settings – immediately change settings upon installation
  – Includes changing all passwords, disabling users not needed
• Activate necessary security and logging functions
• Keep anti-virus and anti-spyware software programs up-to-date
• Ensure ATM software has been validated as compliant with the PCI PA-DSS
• Contact ATM vendors and processors to:
  – Determine potential exposures of deployed ATM base
  – Implement prevention and detection tools
  – Receive specific security alerts and best practices

Securing the Visa/Plus Payment System
Visa’s Data and PIN security compliance programs help secure the overall payment system
• PCI Data Security Standard (PCI DSS) Compliance
  – Drive PCI DSS compliance to ensure entities protect cardholder data from compromise
• PCI PIN Security Requirements
  – Advance compliance to prevent PIN compromises
• PCI PIN Transaction Security Testing program
  – Ensuring use of secure cryptographic hardware
    - PCI EPP
    - PCI HSM
    - PCI POS
    - PCI UPT
    - PCI ATM (pending)
• PCI Payment Application Security Standard (PA-DSS)
  – Promote development and use of secure payment applications and eliminate vulnerable applications

PCI PIN and PCI EPP Security Requirements
• PCI PIN Security Requirements transitioned to PCI Security Standards Council (SSC) in early 2011
• Visa / Plus clients and their agents must be compliant with the:
  – PCI PIN Security Requirements – Key Management
  – PCI Encrypting PIN PAD (EPP) security requirements – Secure Hardware
• Level 1 PIN Security Program entities must validate annually with Visa
• ATM owners / sponsors must ensure ATMs comply with applicable:
  – PCI DSS & PA-DSS Requirements
  – PCI PIN & PCI EPP Requirements
  …regardless of whether ATM driving, processing, and maintenance is performed by a third party processor or agent
• ATM owners and their agents should confirm their devices are listed on the PCI SSC’s list of Approved PIN Transaction Security Devices* – www.pcisecuritystandards.org

*Dependent on when ATM was deployed / moved

Compliant Equipment
• Purchase only PCI approved devices
  – Install only the compliant EPP firmware version listed with the approved EPP – major area of non-compliance
• Require suppliers to sell only PCI approved / compliant products
• Verify EPP serial numbers and firmware against manufacturer’s documents and PCI EPP list
• Bind only compliant PCI approved EPPs into purchase contracts
• PCI Approved EPPs (count of approved devices and approval expiry):
  – V1: 60 approved, expire April 2014
  – V2: 21 approved, expire April 2017
  – V3: 1 approved, expire April 2020

Compliant Equipment

Compliant Equipment – EPP Mandate
Effective 1 October 2005, all newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and be approved by Visa for new deployments
  – ATMs never moved prior to October 1, 2005 – Vendor Attested
  – ATMs deployed on or after October 1, 2005 – Pre-PCI Approved
    • Pre-PCI EPP list on www.visa.com/cisp
  – ATMs deployed after September 2008 – PCI Approved
    • PCI PTS list on www.pcisecuritystandards.org
• For Visa mandates for use of PCI Approved devices see www.visa.com/cisp – Visa General PIN Entry Device FAQ


Resources
• Visa Websites
– www.visa.com/cisp

• Visa Documents
  – Issuers’ PCI DSS Frequently Asked Questions
  – Issuer PIN Security Guidelines
  – PIN-Entry Device Frequently Asked Questions
  – Personal Identification Number (PIN) Attacks Alert
  – What To Do If Compromised Guide
  – Reminder: Registration and Compliance Requirements for Encryption Support Organizations
  – Joint USSS/FBI Advisory, Feb. 2009

• Communications and Training
  – Visa Key Management and PIN Security trainings
  – Data Security Alerts, Bulletins, Best Practices and Webinars

• www.visaonline.com
– Update: Compromise of ATM PIN Transactions, May 2011 Visa Business News

Resources
• Visa Client Tools
  – Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems – [email protected]
  – Register and use Visa’s Compromised Account Management System (“CAMS”) alerts – [email protected]

• PCI Security Standards Council
– www.pcisecuritystandards.org

  – PCI PIN Transaction Security (PTS) – Approved PTS Devices


Questions?

