Site Data Protection (SDP) Program Update

Transcription

1 Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update

2 Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2

3 Security Landscape - Current Trends Cyber crime is growing in diversity and sophistication Integrated POS Systems are increasingly targeted In most cases, magnetic stripe data is stolen from log files as opposed to traditional databases Sensitive data is often unknowingly stored leading to risk Hackers are targeting centralized servers with Internet connectivity, not just an e-commerce issue October 9, 2006 SDP Program Update 3

4 Security Landscape - Current Trends SQL injection is the most common attack method First attempt is almost always SQL injection Thieves can directly extract data from databases including log-in credentials or payment card information Remote control software PC Anywhere/VNC commonly used Poor access controls October 9, 2006 SDP Program Update 4

5 How do ADC events occur? Physical theft Remote Access Internet Direct connect Wi-Fi SQL Injection Acquirers PC/Server Theft Hacking Mail Theft Merchants Cardholders Data Storage Entities MSPs Shoulder Surfing Skimming Phishing PC Attacks October 9, 2006 SDP Program Update 5

6 Top 5 Reasons for Account Data Compromise Based on MasterCard Forensics Examinations of Hacked Entities # Ineffective Patch Management # No Security Scanning Weak Network Level Security # # SQL Injection # Lack of Real Time Security Monitoring October 9, 2006 SDP Program Update 6

7 October 9, 2006 PCI Security Standards Council

8 PCI Security Standards Council (PCICo) Launched on September 7, 2006 Mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. Executive Committee contains founding brands including MasterCard Worldwide, American Express, Discover Financial Services, JCB and Visa International. October 9, 2006 SDP Program Update 8

9 PCICo Scope Develop and manage the PCI Data Security Standard (PCIDSS) Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) Develop and publish all PCIDSS related documents and associated QSA and ASV requirements Provide an open forum where all key stakeholders can provide input into the ongoing development of payment security standards. October 9, 2006 SDP Program Update 9

10 PCICo Not in scope The following functions will be performed by each payment brand individually PCI compliance tracking and enforcement Approval and posting of compliant third party service providers Forensics and response to Account Data Compromise (ADC) events October 9, 2006 SDP Program Update 10

11 PCICo Participating Organizations Open to merchants, vendors, processors and financial institutions Will be able to recommend, review and comment on changes to standards Will be invited to an annual PCI community meeting May nominate representatives for election to the PCICo Advisory Board $2000 annual fee October 9, 2006 SDP Program Update 11

12 PCICo Advisory Board Provides strategic and technical guidance to the PCICo Executive Committee, reflecting different stakeholder perspectives One third appointed by the Executive Committee Two thirds elected from within the ranks of Participating Organizations. October 9, 2006 SDP Program Update 12

13 PCICo Published Documents Available on PCI Data Security Standard v1.1 Summary of Changes Glossary PCI Security Audit Procedures PCI Security Scanning Procedures PCI Self-Assessment Questionnaire Qualified Security Assessor (QSA) Validation Requirements Approved Scanning Vendor (ASV) Technical and Operational Requirements ASV Validation Requirements October 9, 2006 SDP Program Update 13

14 PCI DSS v1.1 - Revisions The new application level requirement (6.6) will be effective June 30, 2008 instead of December 2007 as originally proposed Incorporated a clarification of data definitions, distinguishing between cardholder data that must be protected by PCI vs. sensitive authentication data that must never be stored Defined compensating controls for data encryption Provided flexibility for compensating controls to be applied to various requirements based on technical and business constraints October 9, 2006 SDP Program Update 14

15 PCICo Future Enhancements New Self-Assessment Questionnaire which will specify requirements that apply to various types of merchants including electronic commerce, MOTO, face-face, terminal-only, and others. New PCI Interpretations FAQ to facilitate consistent rulings by QSAs and ASVs in the field Feedback forms on QSA and ASV vendors October 9, 2006 SDP Program Update 15

16 PCI Compliance Levels Category Level 1 Criteria Merchants >6 MM annual transactions (all channels) All TPPs All DSEs storing data for Level 1, 2, 3 All compromised merchants, TPPs and DSEs Requirements Annual Onsite Audit 1 Quarterly Network Scan Compliance Date 30 June '05 2 Level 2 Merchants >150,000 annual EC transactions Annual Self-Assessment Quarterly Network Scan 30 June '04 Level 3 Merchants >20,000 annual EC transactions Annual Self-Assessment Quarterly Network Scan 30 June '05 Level 4 All other merchants Annual Self-Assessment Quarterly Network Scan Consult Acquirer 1 TPPs and DSEs must use a certified third party to perform the onsite audit 2 TPPs and DSEs were previously required to completed quarterly scans and self-assessments by 30 June 2004 October 9, 2006 SDP Program Update 16

17 PCI Update - Data Storage Clarification Component Storage Permitted Protection Required Encryption Required** Cardholder Data PAN YES YES YES Expiration Date* YES YES NO Service Code* YES YES NO Cardholder Name* YES YES NO Sensitive Authentication Data Full Magnetic Strip NO N/A N/A CVC2/CVV/CID NO N/A N/A PIN NO N/A N/A * Data elements must be protected when stored in conjunction with PAN ** Compensating controls for encryption may be employed October 9, 2006 SDP Program Update 17

18 Level 4 Merchants Compliance with the PCI Data Security Standard is required for all Level 4 merchants The only optional aspects of compliance for Level 4 merchants are: Active compliance validation with their acquirer Card Association specific steps (e.g., registration) To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following: An annual self assessment Quarterly network scans October 9, 2006 SDP Program Update 18

19 Preparing for PCI Compliance Considerations Know your data Do you store data? Do you need the data you store? For the data that is stored, is it secure? Take the time to identify how data flows through your company and pay particular attention to where it is being stored There is no substitute for preparation Note that the storage of track data or CVC2 data is never permitted by MasterCard October 9, 2006 SDP Program Update 19

20 Network Scanning the countermeasure that will protect you, should a hacker scan your machines with a scanner is to scan your own systems first. Make sure to address any problems and then a scan by a hacker will give him no edge. Hacking Linux Exposed October 9, 2006 SDP Program Update 20

21 Network Security Scanning Security professionals use scans to find vulnerabilities Takes outside-in approach to security Hackers also scan systems to find vulnerabilities and exploit them using well-known and widely available tools Router Internet Firewall Load balancer DNS server Mail Server OS Web Applications Cardholder Data IP Services Application Server Web Server Database Server MERCHANT SITE IT COMPONENTS October 9, 2006 SDP Program Update 21

22 Network Security Scan Sample Report Network Scan Report Certificate number IP addresses Scan Status October 9, 2006 SDP Program Update 22

23 PCI Vendor Management Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) October 9, 2006 SDP Program Update 23

24 MasterCard Site Data Protection Program October 9, 2006 SDP Program Update 24

25 PCI and SDP Compliance PCI Compliance PCI Onsite Assessment PCI Self Assessment PCI Quarterly Network Scanning The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard. SDP Compliance Compliance Validation with Acquirer Acquirer Registration of Merchant with MasterCard The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements. PCI Compliance + SDP Compliance = Safe Harbor October 9, 2006 SDP Program Update 25

26 New Safe Harbor Rule MasterCard will fully exempt acquirers from data security-related noncompliance assessments, investigative costs, and issuer reimbursement costs if the compromised entity: Is found to have been compliant with the Payment Card Industry (PCI) Data Security Standard at the time of the compromise, and Was registered on MOL (in the MRP system) as compliant at the time of the compromise. October 9, 2006 SDP Program Update 26

27 MasterCard SDP Program Acquirer Mgt. Systems Acquirer compliance MSP Mgt. MRP Compliance Database MSP compliance Standards PCI Documents Related Documents Vendor Mgt. Program Management Communications Messaging and materials October 9, 2006 SDP Program Update 27

28 Communications Vendor Programs Site Data Reflection Security Articles Webinars White Papers Public Relations Website Trade Ads Case Studies Conferences October 9, 2006 SDP Program Update 28

29 Merchant Webinars Three PCI related webinars held in 2006 Introduction to the PCI Data Security Standard Preparing for a PCI Audit Data Security Requirements for Acquirers and Processors Online and print campaign Print ads in 7 related trade magazines Banner Ads MasterCard website promotion Over 500 attendees at live sessions Webinars archived on MasterCard website October 9, 2006 SDP Program Update 29

30 Site Data Reflections Publication focused on account data security issues Shares MasterCard experiences in data security SDP Program Forensics investigation findings Relevant educational material targeting acquirers, merchants, and third parties storing data Available to acquirers for distribution Acquirers, merchants, and third parties may submit topics October 9, 2006 SDP Program Update 30

31 Contact Information For general Site Data Protection inquiries: Website: For MasterCard security initiatives visit For the PCI Security Standards Council October 9, 2006 SDP Program Update 31

32 Thank you. October 9, 2006 SDP Program Update 32