Date posted: 16-Dec-2015
PCI Compliance: What’s All the Fuss?
Bob Russo, November 7, 2008
04/18/23 2
The PCI Security Standards Council
• An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
– Data Security Standard (DSS)
– Payment Application Data Security Standard (PA-DSS)
– PIN-Entry Device (PED)
PCI SSC - The Standards
• PCI PED
• PCI PA-DSS
• PCI DSS
The PCI Security Standards Council Founders
PCI DSS Drivers
• PCI Data Security Standard
• Industry Best Practices
• Community Meeting
• Security Scans
• Self-Assessment Questionnaire
• On-Site Audits
• ADC Forensics Results
• Proactive feedback from POs and Assessor Community
• Advisory Board
• Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)
Notable Successes
• Over 500 Participating Organizations around the world
• Successful Community Meetings with over 700 attendees from around the world
• Board of Advisors driving special interest groups
- Wireless
- Pre-authorization
• 164 current QSA Companies, of these 74 are also ASV Companies
• Total QSAs (individuals) trained to date is 1,063
• Additional devices added to PED Standard
• Implemented two-year lifecycle process for DSS & SAQ
• PCI SSC participated in 33 events worldwide
Assessor Servicing Markets per Region
Asia Pacific: 29
Canada: 16
CEMEA: 28
Latin America & Caribbean: 27
United States: 87
Europe: 57
Roles and Responsibilities of the Council
PCI SSC…
• Is an Independent Industry Standard
• Manages the technical and business requirements for how payment data should be stored and protected
• Maintains List of Qualified PCI Assessor Community
– QSAs, ASVs, PA-QSAs and PED Labs
PCI SSC Does Not…
• Manage or Drive Compliance
– Each brand continues to maintain its own compliance programs
• Identify stakeholders that need to validate compliance
• Define Validation Levels
• Set Fines and Fees
Resources Provided by Council
• Security standards and supporting documents
• Frequently asked questions
• List of approved QSAs, ASVs, PA-QSAs, PED Labs
• Education and outreach programs
– Webinars
– Newsletters/bulletins
• Council appeared in almost 300 pieces of coverage globally since January
• Searchable FAQ tool for all standards-related questions
• Participating organization membership, community meetings, qualifications standards feedback
• One global voice for the industry
PCI SSC Standards
Threat Landscape
• Risky Behavior
– 81% store payment card numbers
– 73% store payment card expiration dates
– 53% store customer data from magnetic stripe on card
– 16% store other personal data
Source: Forrester Consulting, Sept. 2007
Implementing the standard is a Journey… Not a Destination
The Cost of Complying
Three Categories of Compliance
• Upgrading Payments Systems and Security
• Verifying Compliance (Assessment)
• Sustaining Compliance
How much does this cost your organization?
For merchants with complex or older systems, it may cost millions
Source: “PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan. 2008 [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]
The Cost of Not Complying
Same study estimated non-compliance costs significantly higher, including:
• “Crisis” cost upgrades
• Repeat assessments
• Notification costs
• Brand reputation
• Shareholder and consumer lawsuits
The cost of a breach can easily be 20 times the cost of PCI Compliance
Forensics Statistics
Data at risk:
• Consumer data: payment card information (credit / debit; card-present / CNP); personal check information
• Identity-related data: name, address, email; Social Security / Social Insurance numbers; IRS / tax return information
• Company-proprietary: financial records; HR / employee data; product strategy & roadmap; trade secrets & technology
Case statistics:
• Inside Jobs vs. Intrusions: 17% inside; ~77% are partial insiders
• Incident Detection: >75% via allegation of compromise
• Findings Percentages: 92% confirmed security breach; >60% confirmed data compromise
• Case Commonalities: 19% SQL injection; 45% POS systems; 10% wireless infrastructure; ~50% via 3rd party connections
• Breach Sources: ~13% inside U.S.
• Vulnerability Scanning (SQL injection cases): 71% had commercial scanning; 63% detected the SQL vulnerability; 15% had it in scan reports for 1 year +
• Payment Cards vs. Others: >60% payment cards
• Law Enforcement Involvement: 87% of cases
The Five Stages of Grief
• Denial: “It doesn’t apply to me” (PCI compliance is mandatory)
• Anger: “It isn’t fair” (PCI applies to all parties in the payment process)
• Bargaining: “I’ll do some of it” (Compliance is “pass / fail”)
• Depression: “I’ll never get there” (Many merchants already have)
• Acceptance: “It’ll be OK” (PCI doesn’t introduce any new, alien concepts)
The PCI Data Security Standard
• The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures
• This comprehensive standard is intended to help organizations proactively protect customer payment data
Payment Card Industry (PCI) Data Security Standard
Version 1.2, Release: October 2008
Six Goals, Twelve Requirements
The PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Summary of PCI Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Summary of PCI Requirements
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Summary of PCI Requirements
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Self-Assessment Questionnaire (SAQ) A
SAQ Objectives
Self Assessment Questionnaires
• Alignment with the PCI DSS v1.2
• Based on industry feedback
• Flexibility for multiple merchant types
• Providing guidance for the intent and applicability of the underlying requirements
Self Assessment Questionnaire
SAQ Validation Types
1. Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ A: <11 questions
2. Imprint-only merchants with no cardholder data storage. SAQ B: 21 questions
3. Stand-alone dial-up terminal merchants, no cardholder data storage. SAQ B: 21 questions
4. Merchants with payment application systems connected to the Internet, no cardholder data storage. SAQ C: 38 questions
5. All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ D: full DSS
Payment Application (PA-DSS) Data Security Standard
The Payment Application Data Security Standard
• Distinct from but aligned with PCI DSS
• PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance
• This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data
The Payment Application Data Security Standard
Fourteen Requirements… Protecting Payment Application Transactions
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers, and integrators
PIN Entry Device Requirements
Physical Attributes
• Attributes that deter physical attacks
– e.g. penetration of the device to determine key(s)
– Planting a PIN-disclosing bug within the device
Logical Attributes
• Logical security characteristics include functional capabilities that preclude:
– Allowing the device to output a clear-text PIN encryption key
The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as to non-cardholder interface devices (hardware security modules)
PCI DSS Applicability Information
Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4
Cardholder Data:
  Primary Account Number (PAN) | Yes | Yes | Yes
  Cardholder Name [1] | Yes | Yes [1] | No
  Service Code [1] | Yes | Yes [1] | No
  Expiration Date [1] | Yes | Yes [1] | No
Sensitive Authentication Data [2]:
  Full Magnetic Stripe Data [3] | No | N/A | N/A
  CAV2/CVC2/CVV2/CID | No | N/A | N/A
  PIN/PIN Block | No | N/A | N/A
[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
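The applicability table above is the rule set a payment application's storage layer has to enforce after authorization. The following Python sketch is an added example, not code from the presentation or the Council: it drops sensitive authentication data, renders the PAN unreadable before storage, and audits a stored record for violations. The field names, the HMAC-token approach to Req. 3.4 (the standard permits several approaches) and DEMO_KEY are assumptions, and SAMPLE is a constructed record with fabricated values.

```python
import hashlib, hmac, re

# Sensitive authentication data (footnote [2]): must not be stored after authorization.
SAD_FIELDS = {"track1", "track2", "cvv2", "pin_block"}
PAN_RE = re.compile(r"^\d{13,19}$")
# Any 13-19 digit run inside free text is treated as a possible clear-text PAN.
PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def protect_pan(pan, key):
    """Render the PAN unreadable (Req. 3.4): keep the last four digits for display
    and derive a keyed one-way lookup token. Using an HMAC token is an assumption
    of this example; the standard permits several approaches."""
    if not PAN_RE.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"pan_last4": pan[-4:], "pan_token": token}

def sanitize_for_storage(record, key):
    """Copy a post-authorization record into its storable form: SAD dropped, PAN
    rendered unreadable, name / service code / expiration date kept (permitted)."""
    stored = {}
    for field, value in record.items():
        if field in SAD_FIELDS:
            continue  # footnote [2]: not storable even when encrypted
        if field == "pan":
            stored.update(protect_pan(value, key))
        else:
            stored[field] = value
    return stored

def audit_stored_record(record):
    """Detection check on a record already in storage: list violations of the
    applicability table (SAD present, clear-text PAN in any field)."""
    findings = [f"sensitive authentication data stored: {f}"
                for f in sorted(SAD_FIELDS & set(record))]
    if "pan" in record:
        findings.append("clear-text PAN in 'pan' field (Req. 3.4)")
    for field, value in record.items():
        if field in SAD_FIELDS | {"pan", "pan_token"} or not isinstance(value, str):
            continue
        if PAN_IN_TEXT.search(value):
            findings.append(f"PAN-like digits in '{field}' (Req. 3.4)")
    return findings

# Constructed sample of an authorization record as a POS application might hold
# it in memory; every value is fabricated test data, not real card data.
SAMPLE = {"pan": "4111111111111111", "cardholder_name": "A. Example",
          "expiration_date": "1012", "service_code": "201", "cvv2": "123",
          "track2": ";4111111111111111=10122011234567890?", "pin_block": "A1B2C3D4E5F60718"}
DEMO_KEY = b"example-key-rotate-in-production"
```

Running `audit_stored_record` over records pulled from a database or log store is the kind of check a QSA or internal assessor would want automated, since the forensics slide notes that clear-text PAN and track data are exactly what breached merchants were holding.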
How To Get Involved
Global Participation & Representation
More than 500 organizations have been accepted
North America: 411
Asia Pacific: 12
Europe: 78
Latin America / Caribbean: 6
Central Europe / Middle East / Africa: 14
Participating Organizations
Categories
Board Representation & Special Interest Groups
A Seat at the Table…
• Financial institutions
• Merchants
• Gateways
• Processors
• Service providers
• EFT networks
• Associations
• Vendors
Participating Organization Privileges
• Vote and run for Participating Organization Board of Advisors
• Comment on DSS, SAQ, PED, PA-DSS and on other PCI SSC documentation, prior to public release
• Attend Community Meetings
• Attend Webinar meetings
• Recommend new initiatives and standards
• Early updates on upcoming press releases
• Monthly bulletin from SSC General Manager
• Coming soon: Exclusive private Web site for PO and assessor community
Reserve Your Seat at the Table
Community Meeting
Participants: Merchants, Approved Scanning Vendors, Service Providers, Qualified Security Assessors, Acquirers, Brands
Participating Organizations
Categories: Associations, Financial Institutions, POS Vendors, Processors, Merchants, Other
For a full list: www.pcisecuritystandards.org/join/participating_organizations.htm
Need More Information?
Thank You!