PCI SSC Global Security Standards for the payments industry

Transcription

1 PCI SSC Global Security Standards for the payments industry 1

2 About the PCI Council Founded in Guiding open standards for payment card security Development Management Education Awareness

3 PCI Security Standards Council 3

4 PCI Security Standards Securing Payment Data Throughout the Transaction Process Management Sales and Marketing Stock Control Third party suppliers Point of Interaction Merchant In Store Server Data center 3 rd Party Processor The Internet Acquiring Bank Moto Ecommerce

5 PCI Security Standards PCI DSS PA-DSS PTS (HSM, POI, PIN) P2PE Card Production (Logical, Physical) Token Service Providers

6 PCI Card Production Physical Version 2.0 released January 2017

7 Card Production Logical & Physical Security Requirements More stringent requirements than PCI DSS Covers: Manufacturing Personalization PIN Mailing

8 Physical Security - Scope Card Manufacturing Chip embedding Personalization Storage Packaging Mailing Shipping or delivery Fulfilment Perform cloud-based or secure element (SE) provisioning services; Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or Manage associated cryptographic keys. It does not apply to providers who are only performing the distribution of secure elements 8

9 Logical Security - Scope Data preparation Pre-personalization Card personalization PIN generation PIN mailers Card carriers and distribution Perform cloud-based or secure element (SE) provisioning services; Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or Manage associated cryptographic keys. It does not apply to providers who are only performing the distribution of secure elements 9

10 Facility Exterior fence Secure Entrance reception Control Room Loading bay Vault HSA Server room and data prep PIN mailer 10

11 Major changes Version 2: General The security manager must review audit logs of the ID badge access control system weekly Visitor to badge in/out to enable the tracking of movement of all visitors. Access to be activated only for areas that the visitor is authorized to enter. 11

12 Major changes Version 2: General Destruction by a third party may take place in the loading bay using portable/mobile equipment. All the requirements for a destruction room must be met for this temporary usage. Security control room or a room with equivalent security and must not be in the HSA Clarified that bullet-resistant (e.g., UL 752) glass, rather than unbreakable, or iron bars must protect all non-opening windows in HSAs 12

13 Major changes Version 2: The Vault The vault must be protected with sufficient number of intruderdetection devices that provide an early attack indication e.g., seismic, vibration/shock, microphonic wire, microphone, etc. on attempts to enter and also provide full coverage of the walls, ceiling, and floor. The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. Unsealed boxes are only permitted for stock that requires multiple pulls per day. Unsealed boxes must be in a centralized area within the vault. The counting process must be applied during the pull process, and an inventory count under dual control must be performed for each unsealed box at the end of each shift. All other boxes must be sealed. 13

14 PCI Card Production Logical Version 2 released January 2017

15 Logical Security Changes Version 2: Added requirement that the CISO must identify a security manager responsible for overseeing the vendor s security environment Clarified that individuals with custody of removable media must not have the ability to decrypt any sensitive or confidential data contained on that media. New requirement requiring an electronic log for both when cards are successfully and unsuccessfully provisioned Specified that all connections to and from the personalization network must be through a system in the DMZ and that the DMZ must be dedicated to card production/provisioning activities. 15

16 Logical Security Changes Version 2: Host Card Emulation provisioning must be on its own network, secure element-based provisioning can co-exist with other personalization activities Specified that a firewall must be deployed between the external network and the DMZ and between the DMZ and the cloud-based provisioning network. Modified requirement to allow firewall rule sets to be reviewed either monthly or quarterly with review after every firewall configuration change. Specified that networks where clear-text PINs traverse must not be configured to allow capture of clear PIN values. Ensure separation of duties exists between the staff assigned to the development environment and those assigned to the production environment. Clarified that if the system does not permit session locking, the user must be logged off after the period of inactivity. 16

17 Removable Media The vendor must have a documented removable-media policy that includes laptops, mobile devices, and removable storage devices e.g., USB devices, tapes and disks. b) All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. c) All removable media must be securely stored, controlled, and tracked. d) All removable media within the HSA or the cloud-based provisioning environment must be in the custody of an authorized individual, and that individual must not have the ability to decrypt any sensitive or confidential data contained on that media. Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable. 17

18 Logical and Physical Appendix A 18

19 PCI SSC Website: Document Library 19

20 Card Production Report on Compliance with Test requirements 20

21 PCI Token Service Provider

22 Token Service Provider A TSP is an entity within the payment ecosystem that generates and managers Tokens 22

23 Token Service Provider 23

24 To Sum Up: Why PCI? PCI provides a range of global standards PCI Standards are the best set of security requirements available for protecting cardholder data Covers; Card Production Token Service Providers Visit the PCI web site

25 Thank You!