SC World Congress eConference, March 2011
1. PCI Compliance – What’s the buzz?…
Neira Jones
Head of Payment Security, Barclaycard
23rd March 2011
2. Headlines…
• 18th October 2010: the UK Government published their National Security
Strategy.
– This placed "Hostile attacks upon UK Cyberspace by other states and large scale
cyber crime" at the same level as International Terrorism, and International Military
threats.
• The Olympics are a target: In 2008, Beijing suffered 12 million cyber attacks per
day.
– These games ran (!) for 16 days: total number of attacks = 192 million.
– The number of Internet users was estimated at 1.9 billion in June 2010*, a 23%
increase since 2008.
– As the number of internet users increases, a far larger attack statistic in 2012 is likely.
• A study by Cisco Systems (December 2010), projected that almost 12% of all
enterprise workloads will run in the public cloud by the end of 2013.
Source: Miniwatts Marketing Group, 2010
3. Cloud Computing
• 2010: the Year Of The Cloud (Salesforce.com, IBM, Google, Microsoft , Oracle,
Amazon, Rackspace, Dell and others)
• The key opportunity for service providers is to differentiate themselves by becoming
cloud service providers.
• Perceived key benefits for organisations considering a move to the cloud:
– reduce capital costs
– become more agile by divesting infrastructure and application management to concentrate on
core competencies.
– opportunity to re-architect older applications and infrastructure to meet or exceed modern
security requirements.
• Key issues for organisations when determining migration decisions:
– security and control
– data-centre overcapacity and scale
– availability of skilled IT people.
4. The digital era…
• By 2015 there will be more interconnected devices on the planet
than humans.*
• What’s mobile? What do I need to do?
• The most recent figures estimated that every year in the UK,
identity fraud costs more than £2.7 billion and affects over 1.8
million people.**
• Every year, we share more of ourselves online.
• Each time we do this, we place our data and our faith in the
security measures taken by those managing it on our behalf.
* UK National Security Strategy, October 2010
** National Fraud Authority, October 2010
6. Fraud news (UK)…
☺
• Debit and credit card fraud fell by nearly £75M in 2010 to the lowest level for a decade.
• This represents a 17% drop to £365M.
• Phone, internet and mail-order fraud (Card Not Present) fell 15%.
…but:
• Crooks still got away with £1 million/day.
• The 17% drop compares with a 28% fall in 2009.
• The 15% drop compares with a 19% drop in 2009. CNP fraud remains by far the biggest category.
“While another drop in fraud is good news, the crooks haven’t shut up shop, which is
why there can be no room for complacency from the industry, shops or consumers.”
DCI Paul Barnard
Head of the Dedicated Cheque and Plastic Crime Unit
7. The challenges…
• Cloud computing
• Mobile infrastructure
• Third parties
• Governance or compliance?
• Risk management
9. Moving to the Cloud?...
• Use the Cloud Computing Reference Model provided by NIST.
– ask cloud services providers to disclose their security controls
– ask cloud services providers to disclose how these controls are
implemented to the “consuming” organisation
– “consuming” organisations will need to know which controls are
needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified
against the cloud architecture model, then against the security
architecture, and then against the business, regulatory and
other compliance requirements.
10. NIST Cloud Reference Model
Layered stack, top to bottom: Presentation; APIs; Applications; Information (Data, Metadata, Content); Integration & Middleware; APIs; Core Connectivity & Delivery; Abstraction; Hardware; Facilities. SaaS occupies the top of the stack, PaaS the middle and IaaS the bottom.
• Software as a Service (SaaS)
– Sits on top of IaaS and PaaS stacks
– Self-contained operating environment to deliver the entire user experience
• Platform as a Service (PaaS)
– Sits on top of IaaS
– Additional integration layer with application development frameworks
– Middleware
– Programming languages and tools supported by the stack
– Functions allowing developers to build applications on the platform
• Infrastructure as a Service (IaaS)
– Lowest level infrastructure resource stack
– Capability to abstract resources (or not)
– Physical and logical connectivity to those resources
– Provides a set of APIs which allows “consumers” to interact with the infrastructure.
11. Cloud Computing and security
Cloud Computing isn’t necessarily more or less secure than your current environment.
• Does the risk of moving sensitive data and applications to an emerging infrastructure
exceed your tolerance levels?
• Issues that will limit the growth of cloud computing include:
– Data custody
– Control
– Security
– Privacy
– Jurisdiction
– Portability standards for data and code
• Adopting cloud computing is a complex decision involving many factors: desktop
applications, e-mail, collaboration, enterprise resource planning and potentially any
application.
• The key consideration for a security architecture is that the lower down the SPI stack the
cloud service provider stops, the more organisations will be responsible themselves for
managing the risk to their assets.
12. Control & risk management
What degree of control and risk management will the organisation have for
each of the cloud service models (SaaS, PaaS, IaaS)?
• Whilst the risk assessment depends on the “where” and “how” of
the assets, it also depends on the following:
– The types of assets being managed
– Who manages them and how
– Which controls are selected and why
– What compliance issues need to be considered
• Consideration should be made for risk mitigation in each of the SPI
tiers (SaaS, PaaS, IaaS) and compliance/regulatory requirements
should be considered (e.g. PCI DSS, FSA, SOX, etc.).
13. Find the gaps…
Map each layer of the Cloud Reference Model against the Security Control Model and the Compliance Model, and find the gaps!
Cloud Reference Model: Presentation; APIs; Software as a Service (SaaS); Applications; Information (Data, Metadata, Content); Integration & Middleware; Platform as a Service (PaaS); APIs; Infrastructure as a Service (IaaS); Core Connectivity & Delivery; Abstraction; Hardware; Facilities.
Security Control Model: Applications; Information; Management; Network; Trusted computing; Compute & Storage; Physical.
Compliance Model: DDA; FSA; PCI DSS; ISO 27002; DPA; SOX.
14. Who does what?
The lower down the stack the cloud service provider stops, the more security capabilities and
management “consuming” organisations are responsible for implementing & managing themselves.
• IaaS: Provider responsible for securing the underlying infrastructure and abstraction
layers. “Consuming” organisation will be responsible for the security of the remainder of
the stack.
• PaaS: Provider responsible for the security of the platform. “Consuming” organisations
responsible for:
– securing applications developed against the platform
– developing applications securely (e.g. OWASP Top 10).
• SaaS: Provider bears the responsibility for security. Security controls and their scope are
negotiated in the service contracts (SLAs, privacy, compliance, liability etc.).
15. Evaluate cloud service providers
• Evaluating the risk for potential cloud service providers is a
challenge:
– ask cloud services providers to disclose their security controls
– ask cloud services providers to disclose how these controls are
implemented to the “consuming” organisation
– “consuming” organisations will need to know which controls are
needed to maintain the security of their information.
• This is a vital step as it is critical that a cloud service is classified
against the cloud architecture model, then against the security
architecture, and then against the business, regulatory and
other compliance requirements.
For further reading, see http://www.cloudsecurityalliance.org/Research.html
17. What’s mobile? What does a mobile security policy look like? What do I need to do? How do I enforce it?
• Full-featured mobile phones with functionality similar to personal
computers, or “smartphones”
• Laptops, netbooks, tablet computers & Portable Digital Assistants
(PDAs)
• Portable USB devices for storage (such as “thumb drives” and MP3
devices) and for connectivity (such as Wi-Fi, Bluetooth and
HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID)
devices for data storage, identification and asset management
• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)
19. What’s the buzz?
• Visa TIP program promotes a risk based approach.
• The banks want merchants to take a risk based approach.
• The merchants want to take a risk based approach.
• The PCI SSC has ‘blessed’ the adoption of a risk based
approach.
At the end of the day, what we all want is to stop sensitive information being
exploited by fraudsters.
The era of compliance for compliance’s sake is drawing to an end.
20. Barclaycard’s top ten tips
Prepare for change
1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational
commitment.
2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and
Exco) and embed an Information Security culture within your organisation early.
3. Scope: understand how card payments are currently processed (people, process and
technology). Reduce the scope of the cardholder environment (the smaller, the easier).
4. There will be quick wins derived by reviewing and changing business processes and historical
practices that require little investment. If you don’t need cardholder information, don’t have it…
5. Develop a gap analysis between current practices and what is necessary to become PCI DSS
compliant. The gap analysis and cardholder data flow mapping is the most important step (and
this should be refreshed periodically; once a year is advised).
Reduce Risk
6. Remove sensitive authentication data (SAD) storage as a top priority.
7. Prioritise risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present
environment (e-commerce and Mail Order/Telephone Order). (This tip is for markets that have
implemented EMV in their F2F channel.)
8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS
compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of
achieving compliance quicker & maximising RoI. And if not possible, tie down third parties
(contractually).
9. Assess suitability of and implement risk mitigation technologies (e.g. Verified by Visa,
SecureCode, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS
requirements, they will improve security and reduce risk.
10. If Compensating Controls are required, ensure that all parties are engaged to agree the
controls before implementation (merchant, QSA, acquirers).
21. Third parties: do I have a choice?
How organisations can select service providers
For those who outsource…
• 324 (UK) and 900 (US) Level 1 PCI DSS compliant service providers listed on Visa websites
http://www.visaeurope.com/en/businesses__retailers/payment_security/downloads__resources.aspx
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• 867 Level 1 PCI DSS compliant service providers listed on MasterCard website
http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-
%20November%2029%202010.pdf
For those who want to retain control in-house…
• 724 PA DSS validated payment applications on PCI SSC website
https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true
Barclaycard’s position…
• We always recommend that our customers use Level 1 Service providers as self-assessment does not
provide you with an independent assessment of your supplier.
• Contractual provisions are crucial.
• Merchants should seek help from their acquiring bank when facing problems with third party providers
as a merchant cannot reach compliance without their third parties being compliant.