Date post: | 18-Nov-2014 |
Category: |
Technology |
Upload: | internet-security-auditors |
View: | 523 times |
Download: | 2 times |
Visa Europe Public
Payment System Risk Andrew Mulvenna 10th November 2010
Visa Europe Public
Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption and Tokenisation
• Questions and Answers
2
Visa Europe Public
PCI DSS & PA-DSS v2.0 – What’s new?
• Mainly clarifications to existing requirements.
• Certain requirements will be based more on risk assessment rather than being overly perspective.
• The standards will be moving to a three year standard lifecycle.
Visa Europe Public
The New Life-cycle
Visa Europe Public
Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption and Tokenisation
• Questions and Answers
5
Visa Europe Public
The Current Environment
• Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal.
• Many retailers believe that there is a disproportionate onus on them to protect data.
• What if we could make data less valuable such that it needs less protection?
=
Visa Europe Public
Storing cardholder data
Basic principles:
• If you don’t need it don’t store it
• Delete sensitive authentication data after authorisation
• If you store cardholder data you must do one or more of the following:
– Truncate
– Hash
– Encrypt
7 Retail Fraud Conference 20 April 2010
Visa Europe Public
Merchant Levels and Validation Requirements
Level Definition Validation requirements
1 Merchants processing more than six million Visa transactions annually via all channels or global merchants identified as level one by any Visa region.**
** Where merchants operate in more than one country or region, if they meet level one criteria in any Visa country or region, they are considered a global Level one merchant. An exception may apply to global merchants if there is no common infrastructure and if Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels.
Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource
Quarterly network scan by Approved Scan Vendor (ASV)
Attestation of Compliance form
2 Merchants processing one million to six million Visa transactions annually via all channels.
Annual Self-Assessment Questionnaire (SAQ)
Quarterly network scan by ASV
Attestation of Compliance form
Visa Europe Public
Merchant Levels and Validation Requirements (2)
Level Definition Validation requirements
3 Merchants processing 20,000 to one million Visa e-commerce transactions annually.
Use a service provider that has certified PCI DSS
compliance to process, store and transmit card and
account data.
OR
Have certified their own PCI DSS compliance to the
acquirer, who must, on request, be able to validate
that compliance to Visa Europe
4 E-commerce merchants only
Merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data
OR
Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe
4 Non e-commerce merchants processing up to one million Visa transactions annually.
Annual SAQ
Quarterly network scan by an ASV
Attestation of Compliance form
Visa Europe Public
PCI DSS Prioritised Risk Based Approach
Phase PCI DSS Objective (defined by PCI SSC)
1 Remove Sensitive Authentication Data and Limit Data Retention
2 Protect the Perimeter, Internal, and Wireless Networks
3 Secure Applications
4 Protect Through Monitoring and Access Control
5 Render Cardholder Data Unreadable
6 Achieve Final Compliance and Maintenance of PCI DSS
Required
Validation
Merchant
Discretion /
Safe Harbour
Visa Europe Public
Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption And Tokenisation
•Questions and Answers
11
Visa Europe Public
Guidance Supplements
Visa Europe Public
Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption and Tokenisation
• Questions and Answers
13
Visa Europe Public
New Payment Architectures
Encrypting Registers
Segmenting
Device
PCI Compliant Zone
Internal or Public
Network
Point of Decryption
PCI Compliant Zone
Segmenting
Device
Encrypting PEDs
Visa Europe Public
The industry’s first specification for Data Field Encryption
– A compressive guidance document describing the key management practices that would be necessary to support encryption solutions
– Based on 5 key security objectives
– Aimed at consolidating industry best practice
15
Visa Europe Public
SRED – Secure Read and Exchange of Data
• A new optional module within PCI PTS PoI v3.
• Describes security requirements for the protection of account data originating from a secure PED.
Visa Europe Public
What is Tokenisation?
• Tokenisation defines a process through which PANs are replaced with surrogate values known as “tokens”.
• The security of an individual token relies on the properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value.
Visa Europe Public
Agenda
• PCI DSS & PA-DSS v2.0 – What’s new?
• Visa Europe’s PCI Compliance Programme
• Vulnerability Guidance
• Encryption and Tokenisation
•Questions and Answers
18
Visa Europe Public
Questions?
Visa Europe Public
Thank you