XXXXPCI最新产业动态和安全标准

GuidingopenstandardsforglobalpaymentcardsecurityThefutureofPCI:SecuringpaymentsinachangingworldJeremyKing2014GuidingopenstandardsforglobalpaymentcardsecurityYourCardDataisaGoldMineforCriminalsTypesofDataonaPaymentCardChipPanExpirationDateMagneticStrip(dataontracks1&2)CAV2/CID/CVC2/CW2(Discover,JCB,MasterCard,Visa)CID(AmericanExpress)CardholderDataGuidingopenstandardsforglobalpaymentcardsecurityBusinessSectorsWiththeMostBreachesRetail45%Food&Beverage24%Hospitality9%Other8%FinancialServices7%Nonprofit3%Health&Beauty2%HighTechnology2%Systemsthatstore,processortransmitcardholderdataremainprimarytargetsforcriminalsSource:Trustwave2013GlobalSecurityReportGuidingopenstandardsforglobalpaymentcardsecurityWho’sHighRisk?GuidingopenstandardsforglobalpaymentcardsecurityPeopleinPaymentChainCauseMostInternalBreaches!GuidingopenstandardsforglobalpaymentcardsecurityAsGlobalUseRises,SoDoesRisk©2013TheNilsonReportGrowthinPurchaseTransactionsWorldwidefrom2011-201633%99%105%44%97%99%51%GuidingopenstandardsforglobalpaymentcardsecurityWeakordefaultpasswordsLackofemployeeeducationSecuritydeficienciesintroducedbythirdpartiesSlowself-detectionTopMistakesRevealedbyForensicAuditsSource:2013TrustwaveGlobalSecurityReportGuidingopenstandardsforglobalpaymentcardsecurityComplexPasswordsDon’tHavetobeComplicatedPasswordTimetoCrackbigmac0.077seconds(notadictionaryword)B1gMac14seconds(uppercase,lowercase,numberB1gMac114minutes(7characters)leB1gMac15hours(8characters)B1gMac39939days(9characters)B1gMacfries412years(11characters)Bigmacandfries511years(14characters,butonlyletters)B1gMac&fries344,000years(12characters)Guidingopenstandardsforglobalpaymentcardsecurity25MostCommonPasswordsof2013*1.123456(Up1)2.password(Down1)3.12345678(Unchanged)4.qwerty(Up1)5.abc123(Down1)6.123456789(New)7.111111(Up2)8.1234567(Up5)9.iloveyou(Up2)10.adobe123(New)11.123123(Up5)12.admin(New)13.1234567890(New)14.letmein(Down7)15.photoshop(New)16.1234(New)17.monkey(Down11)18.shadow(Unchanged)19.sunshine(Down5)20.12345(New)21.password1(up4)22.princess(New)23.azerty(New)24.trustno1(Down12)25.000000(New)*CBSNews,21January2014GuidingopenstandardsforglobalpaymentcardsecurityPCIStandardsHelpSecureYourData92%97%92%ofcompromisesweresimple97%wereavoidablethroughsimpleorintermediatecontrolsSource:Verizon2012DataBreachInvestigationsReportGuidingopenstandardsforglobalpaymentcardsecurityOrganizationsIgnoredPCI…andWereBreached96%ofthosebreachedwerenotPCIcompliantasoftheirlastassessment(orwereneverassessed/validated)Topattackmethodsusedtobreachorganizations:•81%ofincidentsinvolvedhacking•69%incorporatedmalware•10%involvedphysicalattackSource:Verizon2012DataBreachInvestigationsReportGuidingopenstandardsforglobalpaymentcardsecurityWhywefailtomaintainsecureenvironments•LackofawarenessbyITpractitioners•Incentivetokeepsecurityaprimaryfocus•Quicklyevolvingtechnologylandscape•Rapiddevelopmentanddistributionofnewsolutions•StillunnecessaryexposureofcardholderdataWhy?GuidingopenstandardsforglobalpaymentcardsecurityPCI:ArchitectureforPaymentCardSecurityFivemajorcardbrandsdriveeffortsforpaymentcardsecurityPCISecurityStandardsCouncilmanagesthetechnicalstandardsandprocessGuidingopenstandardsforglobalpaymentcardsecurityAboutthePCICouncilOpen,globalforumFounded2006Guidingopenstandardsforpaymentcardsecurity•Development•Management•Education•AwarenessGuidingopenstandardsforglobalpaymentcardsecurityExpandingGlobalRepresentationPCICouncilBoardofAdvisorsGuidingopenstandardsforglobalpaymentcardsecurityManufacturersPCIPTSPinEntryDevicesEcosystemofpaymentdevices,applications,infrastructureandusersSoftwareDevelopersPCIPA-DSSPaymentApplicationsPCISecurity&ComplianceP2PEMerchants&ServiceProvidersPCIDSSSecureEnvironmentsPCISecurityStandardsSuiteProtectionofCardholderPaymentDataGuidingopenstandardsforglobalpaymentcardsecurityPCIStandardsHelpSecureYourData92%97%9outof10securityprosrecommendPCI.Source:2013TrustwaveGlobalSecurityReportPCIDSShasmadecomprehensivesecuritycontrolsmorecommonplaceinlargerorganizations.Therefore,theorganizationsbecomemoredifficulttocompromise.Source:RealCostofSecurityReport,451GroupGuidingopenstandardsforglobalpaymentcardsecurityGuidingopenstandardsforglobalpaymentcardsecurityPCIDSS,PA-DSS3.0MakePCIyourcompass,notyourroadmapEducationAwarenessFlexibilitySecurityasaSharedResponsibilityGuidingopenstandardsforglobalpaymentcardsecurityAtaGlance…•12coresecurityprinciplesofPCIDSSremainthesame•Severalnewsub-requirementsthatwillimpactPCIDSSsecurityefforts•Futureimplementationdatesformoresignificantchanges•ClarifiedPCIDSSApplicability•Enhancedtestingprocedurestoclarifylevelofvalidationexpectedforeachrequirement•Alignedlanguagebetweenrequirementsandtestingproceduresforconsistency•InstructionsforReportonCompliance(ROC)reportingnowseparateROCreportingtemplateGuidingopenstandardsforglobalpaymentcardsecurityPhysicalSecurityforPOSDevices9.9Protectdevicesthatcapturepaymentcarddatafromtamperingandsubstitution•Maintainanup-to-datelistofdevices•Periodicallyinspectdevicesurfacestodetecttamperingorsubstitution•Pro