Page 1

The PCI Security Standards Council

Julie Krueger
JCB International
PCI SSC Executive Committee Member

May 7, 2009

Page 2

About the Council

• Open Global Forum
  – 500 participating organizations

• Founded 2006 by 5 global payment brands

• Responsible for PCI Security Standards
  – Development
  – Management
  – Education
  – Awareness

5/14/2009 2

Page 3

Ground Rules

PCI SSC…

• Is an independent industry standards body

• Manages the technical and business requirements for how payment data should be stored and protected

• Maintains the list of the qualified PCI assessor community
  – QSAs, ASVs, PA-QSAs and PED Labs

PCI SSC Does Not…

• Manage or drive compliance
  – Each brand continues to maintain its own compliance programs

• Identify the stakeholders that need to validate compliance

• Define validation levels

• Set fines and fees

Page 4

PCI Standards

Page 5

Page 6

Threat Landscape

Implementing the Standard is a Journey… Not a Destination

Risky Behavior

• 81% store payment card numbers

• 73% store payment card expiration dates

• 53% store customer data from magnetic stripe on card

• 16% store other personal data

Source: Forrester Consulting, September 2007


Page 7

Value of Compliance

Cost of Complying

• Upgrading payment systems and security

• Verifying compliance via assessment

• Sustaining compliance

May cost millions for complex or older systems

Cost of a Breach

• “Crisis” upgrades

• Repeat assessments

• Notification

• Brand reputation loss

• Shareholder and consumer lawsuits

May cost 20 times the price of compliance

Source: “PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, January 2008. [This study utilized data from several sources including Level 1 and Level 2 merchants with 2,000 – 2,500 retail locations.]

Page 8

Top Violations

Common audit / forensic results (the PCI DSS requirement each one fails is given in parentheses):

• Bad or no firewall (Requirement 1)

• Unprotected stored data (Requirement 3)

• Insecure systems and applications (Requirement 6)

• No unique user IDs (Requirement 8)

• No tracking or monitoring of access (Requirement 10)

• No regular tests of security (Requirement 11)

• No security policy (Requirement 12)

Page 9

Page 10

Drivers

[Diagram: inputs feeding the PCI Data Security Standard, with Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) at the centre]

• Industry best practices

• Community Meeting

• Security scans

• Self-Assessment Questionnaire

• On-site audits

• Account Data Compromise (ADC) forensics results

• Proactive feedback from Participating Organizations (POs) and the assessor community

• Advisory Board

Page 11

What’s New

• Standards & Tools
  – Released PCI DSS Version 1.2
  – Lifecycle process
  – New devices for PED
  – PA-DSS listings on Web site
  – Quick Reference Guide
  – Prioritized Approach
  – Standards Training

Page 12

PCI DSS

Page 13

The PCI Data Security Standard: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Page 14

Comment on slide 13 (Sarah Cummins, 1/9/2008): This will likely tie in to the risk-based approach.

Page 15

PCI DSS Applicability Information

Data Element                        Storage Permitted   Protection Required   Rendered Unreadable (Req. 3.4)
Cardholder Data
  Primary Account Number (PAN)      Yes                 Yes                   Yes
  Cardholder Name [1]               Yes                 Yes [1]               No
  Service Code [1]                  Yes                 Yes [1]               No
  Expiration Date [1]               Yes                 Yes [1]               No
Sensitive Authentication Data [2]
  Full Magnetic Stripe Data [3]     No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                No                  N/A                   N/A
  PIN/PIN Block                     No                  N/A                   N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

[2] Sensitive authentication data must not be stored after authorization (even if encrypted).

[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.

Page 16

PCI Data Security Standard

Summary of Changes in Version 1.2

• Consolidate PCI DSS and assessment procedures

• Consistent use of terms

• Enhance Report on Compliance

• Clarify compensating controls

• Add Attestation of Compliance forms

• Add flowchart for scoping and sampling

Page 17

PCI DSS Prioritized Approach

What is it?

• Guidance for organizations to prioritize their PCI DSS implementation efforts

What are the benefits?

• Provides a roadmap that an organization can use to address risks in priority order

• Enables merchants, of any size, to demonstrate progress on the PCI DSS compliance process to key stakeholders – banks, acquirers, QSAs and others

• Promotes objective and measurable progress indicators

Page 18

PCI DSS Prioritized Approach

Six Security Milestones

• Milestone One - If you don’t need it, don’t store it. The intent of Milestone One is to remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised: if sensitive authentication data and other cardholder data had not been stored, the effects of the compromise would have been greatly reduced.

• Milestone Two - Secure the perimeter. The intent of Milestone Two is to protect the perimeter, internal, and wireless networks. This milestone targets a key area that represents the point of access for most compromises: vulnerabilities in networks or at wireless access points.

• Milestone Three - Secure applications. The intent of Milestone Three is to secure applications. This milestone focuses on applications, as well as application processes and application servers, since application weaknesses are a key access point used to compromise systems and obtain access to cardholder data.

Page 19

PCI DSS Prioritized Approach

• Milestone Four - Control access to your systems. The intent of Milestone Four is to protect the cardholder data environment through monitoring and access control, since these are the key means of establishing who is accessing your network, what they accessed, when, and how.

• Milestone Five - Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.

• Milestone Six - Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
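Milestone One and the applicability table on slide 15 together define a check a practitioner can run against logs, database dumps and debug output before an assessment: is any sensitive authentication data stored at all, and is any PAN stored in the clear? The scanner below is an added example written for this page; it is not code from the presentation or from PCI SSC. The regular expressions for track 1/track 2 data, the assumed field labels (cvv2=, pin_block=), and the sample log lines are all constructed for the example. Reported PANs are masked to the first six and last four digits (PCI DSS Requirement 3.3) so the report itself does not become another store of cardholder data.

```python
"""Scan text for stored cardholder data (CHD) and sensitive authentication data (SAD).

Added example, not part of the PCI SSC presentation. It applies the PCI DSS
applicability table to text such as log files or database dumps:
  - full track 1/track 2 data, card verification values (CAV2/CVC2/CVV2/CID)
    and PIN blocks are SAD and must not be stored after authorization at all;
  - a bare PAN may be stored but must then be protected and rendered unreadable.
Field labels, patterns and sample lines are assumptions made for this example.
"""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN: 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled card verification value and PIN block fields (labels are assumed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)
PIN_BLOCK_RE = re.compile(r"\bpin[_ ]?block\s*[:=]\s*([0-9a-f]{16})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS Req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line; category is 'SAD' (never permitted)
    or 'CHD' (permitted only if protected and rendered unreadable)."""
    findings = []
    remaining = line
    # Track data first, then blank it out so its PAN is not reported a second time.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append({"type": kind, "category": "SAD", "pan": mask_pan(m.group(1))})
                remaining = remaining.replace(m.group(0), " " * len(m.group(0)))
    for _ in CVV_RE.finditer(remaining):
        findings.append({"type": "cvv", "category": "SAD", "pan": None})
    for _ in PIN_BLOCK_RE.finditer(remaining):
        findings.append({"type": "pin_block", "category": "SAD", "pan": None})
    for m in PAN_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "pan", "category": "CHD", "pan": mask_pan(digits)})
    return findings


def scan(lines) -> list:
    """Scan an iterable of lines; each finding carries its 1-based line number."""
    report = []
    for n, line in enumerate(lines, 1):
        for f in scan_line(line):
            f["line"] = n
            report.append(f)
    return report


def sad_violations(report) -> list:
    """Findings that Milestone One says must be removed outright."""
    return [f for f in report if f["category"] == "SAD"]


# Constructed sample: POS, web and PED debug output of the kind found stored at compromised merchants.
SAMPLE_LOG = [
    "2009-05-07 10:01:02 POS01 DEBUG swipe=;4111111111111111=12121011234567890?",
    "2009-05-07 10:01:03 POS01 DEBUG swipe=%B5555555555554444^DOE/JANE^12121011234567890?",
    "2009-05-07 10:02:15 WEB INFO order=9001 pan=3782 822463 10005 cvv2=1234",
    "2009-05-07 10:03:40 PED02 DEBUG pin_block=0A1B2C3D4E5F6071",
    "2009-05-07 10:04:00 WEB INFO ref=4111111111111112 status=ok",  # fails Luhn: not a PAN
]

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for f in report:
        print(f"line {f['line']}: {f['category']} {f['type']} {f['pan'] or ''}")
    print(f"{len(sad_violations(report))} sensitive authentication data finding(s)")
```

Every SAD finding is a Milestone One item regardless of how the data is protected, because footnote [2] of the table rules out storing it even encrypted; the CHD findings are the population that Milestone Five (and Requirement 3.4) then has to render unreadable. The Luhn check is what keeps the scanner from flagging every 16-digit reference number, as the last sample line shows.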

Page 20

PCI DSS Prioritized Approach

Prioritized Approach Tool

Page 21

PCI PA-DSS

Page 22

Payment Application DSS

Fourteen Requirements… Protecting Payment Application Transactions

• Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data

• Provide secure password features

• Protect stored cardholder data

• Log application activity

• Develop secure applications

• Protect wireless transmissions

• Test applications to address vulnerabilities

• Facilitate secure network implementation

• Cardholder data must never be stored on a server connected to the Internet

• Facilitate secure remote software updates

• Facilitate secure remote access to the application

• Encrypt sensitive traffic over public networks

• Encrypt all non-console administrative access

• Maintain instructional documentation and training programs for customers, resellers, and integrators

Page 23

PCI PED

Page 24

PED (PIN Entry Device) Requirements

Device Characteristics

• Physical security

• Logical security

Device Management

• During manufacturing

• Between manufacturing and initial key loading

• Addresses the lifecycle of how a PED is produced, controlled, transported, stored and used

Page 25

PIN Entry Device

Devices Covered by PED

Standards in place
• Point of sale used for secure PIN entry
• Attended by clerk

Standards introduced in April 2009
• Unattended payment terminals (UPTs such as fuel pumps, kiosks)
• Hardware / host security modules (HSMs as non-cardholder interfaces or embedded devices)

Page 26

Standards Training Update

First PCI SSC Standards Training: merchant training endorsed by PCI SSC

• Objective: Arm merchants with everything they need to know to best prepare for an onsite PCI DSS inspection or to perform the assessment internally

• Focus: Four key modules
  – PCI Program: defining the payment card industry
  – Scoping a PCI DSS Assessment
  – PCI DSS v1.2 Requirements
  – Compensating Controls

• Where: Sydney, May 28 & 29, and Atlanta, June 17 & 18

Page 27

Page 28

Global Growth

More than 500 organizations have been accepted

• North America: 411

• Europe: 78

• Central Europe / Middle East / Africa: 14

• Asia Pacific: 12

• Latin America / Caribbean: 6

Page 29

Global Resources

• QSAs/ASVs
  – 164 QSAs (of these, 74 are ASVs)
  – Total QSA people trained: 1,063

• Regional assessors:
  – Asia Pacific: 29
  – Canada: 16
  – CEMEA: 28
  – Latin America & Caribbean: 27
  – United States: 87
  – Europe: 57

Page 30

Council Resources

• Security standards and supporting documents

• Quick Reference Guide

• Searchable Frequently Asked Questions

• List of approved QSAs, ASVs, PA-QSAs, PED Labs

• Education and outreach - e.g., fact sheets, case studies

• Participating membership, meetings, collaboration

• A global voice for the industry


Page 31

Community Meetings

Two Meetings in 2009 – Responsive to Industry!

•Las Vegas, NV, September 22 – 24, 2009

•European Meeting, Prague, October 26 – 28, 2009

We had very successful Community Meetings in 2008!

Join us as a Participating Organization to get involved in setting global PCI standards!


Page 32

Need More Information?


Page 33

Thank You!
