PCI Compliance: What’s All the Fuss? Bob Russo November 7, 2008.

Page 1

PCI Compliance: What’s All the Fuss?

Bob Russo
November 7, 2008

Page 2

The PCI Security Standards Council

• An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
– Data Security Standard (DSS)
– Payment Application Data Security Standard (PA-DSS)
– Pin-Entry Device (PED)

Page 3

PCI SSC - The Standards

Page 4

The PCI Security Standards Council Founders

Page 5

PCI DSS Drivers

Drivers of the PCI Data Security Standard:
• Industry Best Practices
• Community Meeting
• Security Scans
• Self-Assessment Questionnaire
• On-Site Audits
• ADC Forensics Results
• Proactive feedback from POs and Assessor Community
• Advisory Board
• Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)

Page 6

Notable Successes

• Over 500 Participating Organizations around the world

• Successful Community Meetings with over 700 attendees from around the world

• Board of Advisors driving special interest groups

- Wireless

- Pre-authorization

• 164 current QSA Companies, of these 74 are also ASV Companies

• Total QSAs (individuals) trained to date is 1,063

• Additional devices added to PED Standard

• Implemented two-year lifecycle process for DSS & SAQ

• PCI SSC participated in 33 events worldwide

Assessor Servicing Markets per Region

Asia Pacific: 29

Canada: 16

CEMEA: 28

Latin America & Caribbean: 27

United States: 87

Europe: 57

Page 7

Roles and Responsibilities of the Council

PCI SSC…
• Is an independent industry standard
• Manages the technical and business requirements for how payment data should be stored and protected
• Maintains the list of the qualified PCI assessor community
– QSAs, ASVs, PA-QSAs and PED Labs

PCI SSC Does Not…
• Manage or drive compliance
– Each brand continues to maintain its own compliance programs
• Identify stakeholders that need to validate compliance
• Definitions of validation levels
• Fines and fees

Page 8

Resources Provided by Council

• Security standards and supporting documents

• Frequently asked questions

• List of approved QSAs, ASVs, PA-QSAs, PED Labs

• Education and outreach programs

- Webinars

- Newsletters/bulletins

Council appeared in almost 300 pieces of coverage globally since January

• Searchable FAQ tool for all standards-related questions

• Participating organization membership, community meetings, qualifications standards feedback

• One global voice for the industry

Page 9

PCI SSC Standards

Page 10

Threat Landscape

• Risky Behavior (Source: Forrester Consulting, Sept. 2007)
– 81% store payment card numbers
– 73% store payment card expiration dates
– 53% store customer data from magnetic stripe on card
– 16% store other personal data

Implementing the standard is a Journey… Not a Destination

Page 11

The Cost of Complying

Three Categories of Compliance
• Upgrading Payments Systems and Security
• Verifying Compliance (Assessment)
• Sustaining Compliance

How much does this cost your organization?

For merchants with complex or older systems, it may cost millions

“PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan. 2008. [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]

The Cost of Not Complying

The same study estimated non-compliance costs significantly higher, including:
• “Crisis” cost upgrades
• Repeat assessments
• Notification costs
• Brand reputation
• Shareholder and consumer lawsuits

The cost of a breach can easily be 20 times the cost of PCI compliance

Page 12

Forensics Statistics

• Consumer data: payment card information (credit / debit; card-present / CNP); personal check information
• Identity-related data: name, address, email; Social Security / Social Insurance numbers; IRS / tax return information
• Company-proprietary data: financial records; HR / employee data; product strategy & roadmap; trade secrets & technology

• Inside jobs vs. intrusions: 17% inside; ~77% are partial insiders
• Incident detection: >75% via allegation of compromise
• Findings percentages: 92% confirmed security breach; >60% confirmed data compromise
• Case commonalities: 19% SQL injection; 45% POS systems; 10% wireless infrastructure; ~50% via 3rd-party connections
• Breach sources: ~13% inside U.S.
• Vulnerability scanning, SQL injection cases: 71% had commercial scanning; 63% detected the SQL vulnerability; 15% in scan reports for 1 year +
• Payment cards vs. others: >60% payment cards
• Law enforcement involvement: 87% of cases

Page 13

The Five Stages of Grief

• Denial: “It doesn’t apply to me.” PCI compliance is mandatory.
• Anger: “It isn’t fair.” PCI applies to all parties in the payment process.
• Bargaining: “I’ll do some of it.” Compliance is “pass / fail”.
• Depression: “I’ll never get there.” Many merchants already have.
• Acceptance: “It’ll be OK.” PCI doesn’t introduce any new, alien concepts.

Page 14

The PCI Data Security Standard

• The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures

• This comprehensive standard is intended to help organizations proactively protect customer payment data

Payment Card Industry (PCI) Data Security Standard

Version 1.2, Release: October 2008

Page 15

Six Goals, Twelve Requirements

The PCI Data Security Standard

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Sarah Cummins: This will likely tie in to the risk-based approach.
Page 16

Summary of PCI Requirements

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 17

Summary of PCI Requirements

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Page 18

Summary of PCI Requirements

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for employees and contractors

Page 19

Self-Assessment Questionnaire (SAQ)

SAQ Objectives
• Alignment with the PCI DSS v1.2
• Based on industry feedback
• Flexibility for multiple merchant types
• Providing guidance for the intent and applicability of the underlying requirements

Page 20

Self-Assessment Questionnaire

SAQ Validation Types
• Type 1: Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ A (<11 questions)
• Type 2: Imprint-only merchants with no cardholder data storage. SAQ B (21 questions)
• Type 3: Stand-alone dial-up terminal merchants, no cardholder data storage. SAQ B (21 questions)
• Type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage. SAQ C (38 questions)
• Type 5: All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ D (full DSS)

Page 21

Payment Application (PA-DSS) Data Security Standard

The Payment Application Data Security Standard

• Distinct from but aligned with PCI DSS

• PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance

• This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data

Page 22

The Payment Application Data Security Standard

Fourteen Requirements… Protecting Payment Application Transactions

Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data

Provide secure password features

Protect stored cardholder data

Log Application Activity

Develop Secure Applications

Protect wireless transmissions

Test Applications to address vulnerabilities

Facilitate secure network implementation

Cardholder data must never be stored on a server connected to the Internet

Facilitate secure remote software updates

Facilitate secure remote access to application

Encrypt sensitive traffic over public networks

Encrypt all non-console administrative access

Maintain instructional documentation and training programs for customers, resellers, and integrators

Page 23

PIN Entry Device Requirements

Physical Attributes
• Attributes that deter physical attacks, e.g.:
– penetration of the device to determine key(s)
– planting a PIN-disclosing bug within the device

Logical Attributes
• Logical security characteristics include functional capabilities that preclude:
– allowing the device to output a clear-text PIN encryption key

The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as to non-cardholder-interface devices (hardware security modules).

Page 24

PCI DSS Applicability Information

Data Element                          Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data
  Primary Account Number (PAN)        Yes                 Yes                   Yes
  Cardholder Name [1]                 Yes                 Yes [1]               No
  Service Code [1]                    Yes                 Yes [1]               No
  Expiration Date [1]                 Yes                 Yes [1]               No
Sensitive Authentication Data [2]
  Full Magnetic Stripe Data [3]       No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                  No                  N/A                   N/A
  PIN/PIN Block                       No                  N/A                   N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
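As an added example (not part of these slides or any PCI SSC tool), the Python check below applies the table's storage rules to one stored transaction record: it flags sensitive authentication data kept after authorization (footnote [2]), detects a clear-text PAN in any field with a Luhn-filtered digit-run scan (a detection technique the slide does not describe), and lists the elements footnote [1] says need protection when stored alongside the PAN. The field names and both sample records are constructed for this example.

```python
import re

# Storage rules transcribed from the applicability table above.
# Cardholder data elements; only the PAN must be rendered unreadable (Req. 3.4).
CARDHOLDER_DATA = ("pan", "cardholder_name", "service_code", "expiration_date")
# Sensitive authentication data: never stored after authorization, even if
# encrypted (footnote [2]). Field names are assumed for this example.
SENSITIVE_AUTH_DATA = ("full_track_data", "cav2_cvc2_cvv2_cid", "pin_block")
# A run of 13-19 digits is a candidate PAN; Luhn filters out most other numbers.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check that issued card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def contains_clear_pan(value: str) -> bool:
    """True if the value holds a Luhn-valid digit run, i.e. a clear-text PAN."""
    return any(luhn_valid(run) for run in DIGIT_RUN.findall(value))


def check_record(record: dict, after_authorization: bool = True) -> dict:
    """Apply the table to one stored record; returns findings grouped by kind."""
    violations, protect = [], []
    if after_authorization:
        for field in SENSITIVE_AUTH_DATA:
            if field in record:
                violations.append(f"{field}: sensitive authentication data stored after authorization")
    for field, value in record.items():  # scan every field, not just "pan"
        if contains_clear_pan(str(value)):
            violations.append(f"{field}: clear-text PAN; Req. 3.4 requires it be rendered unreadable")
    if "pan" in record:  # footnote [1]: other elements need protection when kept with the PAN
        protect = [f"{f}: protection required when stored with PAN [1]"
                   for f in CARDHOLDER_DATA[1:] if f in record]
    return {"violations": violations, "protection_required": protect}


# Constructed samples: a settled transaction as a careless POS app might persist it,
# and the same record with the PAN truncated and no authentication data kept.
BAD_RECORD = {
    "pan": "4111111111111111",        # well-known test number, Luhn-valid
    "cardholder_name": "J. Doe",
    "expiration_date": "12/10",
    "cav2_cvc2_cvv2_cid": "123",
    "order_id": "1234567890123",      # 13 digits but fails Luhn: not a PAN
}
GOOD_RECORD = {"pan": "411111******1111", "cardholder_name": "J. Doe", "order_id": "1234567890123"}

if __name__ == "__main__":
    for name, rec in (("bad", BAD_RECORD), ("good", GOOD_RECORD)):
        print(name, check_record(rec))
```

Running it reports two violations for BAD_RECORD (the stored card validation code and the clear-text PAN) and none for GOOD_RECORD; the Luhn filter keeps the 13-digit order id from being reported as a PAN.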

Page 25

How To Get Involved

Page 26

Global Participation & Representation

More than 500 organizations have been accepted

North America: 411

Asia Pacific: 12

Europe: 78

Latin America / Caribbean: 6

Central Europe / Middle East / Africa: 14

Page 27

Participating Organizations

Categories

Page 28

Board Representation & Special Interest Groups

A Seat at the Table…

• Financial institutions

– Merchants

– Gateways

– Processors

– Service providers

– EFT networks

– Associations

– Vendors

Page 29

Participating Organization Privileges

• Vote and run for Participating Organization Board of Advisors

• Comment on DSS, SAQ, PED, PA-DSS and on other PCI SSC documentation, prior to public release

• Attend Community Meetings

• Attend Webinar meetings

• Recommend new initiatives and standards

• Early updates on upcoming press releases

• Monthly bulletin from SSC General Manager

• Coming soon: Exclusive private Web site for PO and assessor community

Reserve Your Seat at the Table

Page 30

Community Meeting

Participants: Merchants, Approved Scanning Vendors, Service Providers, Qualified Security Assessors, Acquirers, Brands

Page 31

Participating Organizations

Categories: Associations, Financial Institutions, POS Vendors, Processors, Merchants, Other

For a full list: www.pcisecuritystandards.org/join/participating_organizations.htm

Page 32

Need More Information?

Page 33

Thank You!
