PCI DSS and MasterCard Site Data Protection Program

Payment System Integrity

September 2008

MasterCard Proprietary 2

Agenda• PCI

- Brief History

- Security Standards Council

- Documentation, Tools, Vendors

- SDP

- Acquirer requirements

- Compliance Database

- Enforcement

- Safe Harbor

- Special Topics: Level 4 merchants, ADC Cases

- Reporting and support

MasterCard Proprietary 3

Evolution of Industry Approach• Feb 2002: Optional SDP service launched

• April 2003: MasterCard Security Standard published

• June 2003: SDP program deployed globally

• Sept 2003: SDP mandate announced

• June 2004: Initial compliance date for Level 2 merchants and service providers

• December 2004: PCI Data Security Standard (v1.0) published

• June 2005: Initial compliance date for Level 1 and 3 merchants and service providers

• September 2006: PCI Security Standards Council formed and PCI DSS v1.1 published

• May 2007: SDP mandate expanded

• Nov 2007: PIN PED and PA DSS part of the PCI SSC

• Feb 2008: Revised PCI SAQ released

PCI Security Standards PCI Security Standards CouncilCouncil

MasterCard Proprietary 5

The PCI Security Standards Council Members

MasterCard Proprietary 6

PCI SSC – Scope

• Develop and manage the PCI Security Standards (PCI DSS) and related documents

• Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)

• Provide an open forum where stakeholders can provide input to the ongoing development of payment security standards.

• Address industry and constituent questions on standards and interpretation of standards

MasterCard Proprietary 7

PCI SSC Participating Organizations by Industry

Merchants

Associations

Vendors

Financial Institutions

Gateways

ProcessorsEFT Networks

Service Provider

MasterCard Proprietary 8

Global Participation & Representation

More than 400 organizations have been accepted

United States 73%

2%

6%

2%

16%

1%

Asia Pacific

LAC

Europe

Central Europe /Middle East /Africa

Canada

MasterCard Proprietary 9

Participating Organization Benefits

• Vote and Run for Participating Organization Board of Advisors

• Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release

• Attend Community Meetings

• Attend Quarterly Webinar Meetings

• Recommend new initiatives and standards

• Early updates on upcoming press releases

• Monthly bulletin from SSC General Manager

Reserve Your Seat at the Table!

MasterCard Proprietary 10

PCI SSC - The Standards

PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions

Stand Alone PED Device

Payment Applications

(e.g. Shopping cart, POS)

Merchants’ and Service Providers’

cardholder data environment

PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold,

distributed, or licensed to third parties.

PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data)

PEDs Integrated with payment applications (POS, ATM)

Payment Applications in

merchants/ service

providers environment**

PCI PED applies-PED device only

PA DSS may apply*

PCI DSS applies – systems & networks

PCI PEDPCI PED PCI PA-DSSPCI PA-DSS PCI DSSPCI DSS

MasterCard Proprietary 11

PCI DSS• Build and Maintain a Secure Network

– Requirement 1: Install and maintain a firewall configuration to protect cardholder data

– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data– Requirement 3: Protect stored cardholder data

– Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program– Requirement 5: Use and regularly update anti-virus software

– Requirement 6: Develop and maintain secure systems and applications

• Implement Strong Access Control Measures– Requirement 7: Restrict access to cardholder data by business need-to-know

– Requirement 8: Assign a unique ID to each person with computer access

– Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor and Test Networks– Requirement 10: Track and monitor all access to network resources and cardholder data

– Requirement 11: Regularly test security systems and processes

• Maintain an Information Security Policy– Requirement 12: Maintain a policy that addresses information security

MasterCard Proprietary 12

PCI Cardholder Data Storage Clarification

   ComponentComponentStorage Storage

PermittedPermittedProtection Protection RequiredRequired

Encryption Encryption RequiredRequired****

Cardholder Data PAN YES YES YES

  Expiration Date* YES YES NO

  Service Code* YES YES NO

  Cardholder Name* YES YES NO

Sensitive Authentication Data

Full Magnetic Strip NO N/A N/A

  CVC2/CVV/CID NO N/A N/A

  PIN NO N/A N/A

* Data elements must be protected when stored in conjunction with PAN** Compensating controls for encryption may be employed

MasterCard Proprietary 13

PCI Self Assessment Questionnaire

SAQ Validation SAQ Validation TypeType DescriptionDescription SAQSAQ

1Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face to face merchants

A<20 Questions

2Imprint-only merchants with no cardholder data storage

B21 Questions

3Stand alone dial-up terminal merchants, no cardholder data storage

4Merchants with payment application systems connected to the Internet, no cardholder data storage

C38 Questions

5 All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ

DFull DSS

B21 Questions

Note: Sunset date for old version of SAQ is April 30, 2008

MasterCard Proprietary 14

PCI SSC Milestones in 2008

• Phased Approach for PA-DSS

– Phase 1: Publish PA-DSS and testing procedures

– Phase 2: PA-QSA testing approval

– Phase 3: Payment application validation

• Searchable FAQ Tool launched on PCI SSC Website

– Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution

MasterCard Proprietary 15

PCI and SDP – Functional Areas

Standards Development and Interpretation

Compliance Validation Enforcement

-----------------------------

PCI SSC

Payment Brands

----------------------Acquirers

QSAs

MasterCard Site Data Protection MasterCard Site Data Protection (SDP)(SDP)

MasterCard Proprietary 17

PCI SSC - Not in scope

• The following functions will be performed by each payment brand individually

– Approval and posting of compliant third party service providers

– Forensics and response to Account Data Compromise (ADC) events

– PCI compliance tracking and enforcement

MasterCard Proprietary 18

The SDP Program - 3 Major Components

• Reporting

– Acquirers must submit quarterly compliance reports on their affected merchants (level 1, 2 and 3)

– Service Providers submit a Certificate of Validation (COV) or a PCI action plan for review and approval

• Registration

– Annual merchant requirement that is fulfilled via the MasterCard Registration Program (MRP)

• Enforcement

– Communications, Assessments and MCBS Billing

MasterCard Proprietary 19

Entities that Store, Transmit or Process Cardholder Data

• Any entity that stores, transmits or processes cardholder data must comply with the PCI DSS.

• This statement has broad application in the financial industry.

• Under the SDP Program, only affected merchants and service providers are required to validate their compliance.

• MasterCard does not require compliance evidence or validation from issuers or acquirers.

MasterCard Proprietary 20

Reporting - SDP Submission Form v3.0

Available on www.mastercard.com/sdp

Instruction Tab

Acquirer Data Tab

Merchant Data Tab

MasterCard Proprietary 21

Reporting - PCI Compliance Levels

CategoryCategory CriteriaCriteria RequirementsRequirementsCompliance Compliance

DateDateLevel 1 • Merchants >6 MM annual

transactions (all channels)• Service Providers > 1MM annual

transactions• All compromised merchants, TPPs

and DSEs

• Annual Onsite Audit • Quarterly Network Scan

30 June 2005

Level 2 • All merchants > 1 million total MasterCard transactions <= 6 million total MasterCard transactions annually

• All merchants meeting the Level 2 criteria of a competing payment brand

• Service Providers <= 1MM annual transactions

• Annual Self-Assessment• Quarterly Network Scan

31 December 2008

Level 3 • All merchants with annual MasterCard e-commerce transactions > 20,000 but less than one million total transactions

• All merchants meeting the Level 3 criteria of a competing payment brand

• Annual Self-Assessment• Quarterly Network Scan

30 June 2005

Level 4 All other merchants • Annual Self-Assessment• Quarterly Network Scan

Consult Acquirer

MasterCard Proprietary 22

Reporting - Level 4 Merchants

• Compliance with the PCI Data Security Standard is required for all Level 4 merchants

• The only optional aspects of compliance for Level 4 merchants are:– Active compliance validation with their acquirer– Card Association specific steps (e.g., MRP registration)

• To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following:– An annual PCI self assessment– Quarterly network security scans

MasterCard Proprietary 23

Registration - PCI and SDP Compliance

• PCI Onsite Assessment• PCI Self Assessment• PCI Quarterly Network Scanning

The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard.

The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements.

PCI Compliance + SDP Compliance =PCI Compliance + SDP Compliance = Safe Safe HarborHarbor

PCI PCI ComplianceCompliance

SDP SDP ComplianceCompliance

• Compliance Validation with Acquirer

• Acquirer Registration of Merchant with MasterCard

MasterCard Proprietary 24

Enforcement – Areas of Focus

• Enforcement activities are generally managed in three distinct categories:

– Non-reporting or incomplete quarterly reporting

– Merchant storage of sensitive authentication data (post authorization)

– Insufficient compliance progress

• Communications is the preferred route of enforcement and range from informal to formal.

SDP Global Mailbox: sdp@mastercard.com

MasterCard Proprietary 25

Enforcement - Process

• Each quarter, MasterCard reviews merchant submissions against the 3 identified categories.

• Prior to any SDP noncompliance assessment, there is direct customer communication, both formal (letters) and informal (emails).

• The overall intent is to drive compliance, with SDP noncompliance assessments as only one tool.

MasterCard Proprietary 26

SDP Enforcement

• In 3Q2008, MasterCard will begin to enforce the completion of the Sensitive Authentication Data Storage field

• Level 3 merchants

• Continued focus on timely and complete quarterly reporting

MasterCard Proprietary 27

SDP and Account Data Compromise

• With a confirmed ADC, there is a demonstrated risk to the payment system.

• MasterCard rules govern the immediate actions that acquirers must undertake with an ADC event.

• Per MasterCard rules, all ADCs are classified as Level 1 with the compliance requirements of a annual onsite assessment and quarterly network scans.

• Once action is taken by the ADC group, the merchant enters an accelerated PCI compliance process.

MasterCard Proprietary 28

Contact Information

For general Site Data Protection inquiries:

Email: sdp@mastercard.com

Website:www.mastercard.com/sdp

For MasterCard security initiatives visit

www.mastercardsecurity.com

For the PCI Security Standards Council

www.pcisecuritystandards.org

Thank you.