Navigating the PCI DSS Challenge
29 April 2011

Agenda
1. Overview of Threat and Compliance Landscape
2. Introduction to the PCI Security Standards
3. Payment Brand Compliance Programs
4. PCI DSS Scope of Applicability
5. Lunch
6. Deep Dive of PCI DSS Requirements
7. Break
8. Deep Dive of PCI DSS Requirements
9. Use of Compensating Controls
10. Case Studies Discussion
Overview of Threat & Compliance Landscape
Payment Card Data is Valuable
20% of incidents are related to banking and financial data.
81%, or more than 100M records breached, are payment card data.
The Data Loss Barometer analyzes data loss incidents reported around the world since 2005. This data is freely available in some countries thanks to legislation that requires full disclosure of data loss incidents. In other countries, information is obtained via KPMG's network of international firms and consultants.

Underground Marketplace Menu
1. Quick Bite ("cvv2s"), US$1-9: Includes card number, expiration date, cardholder name and address, and the CVV2 security code.
2. Set Lunch ("full-info"), US$10-14: Includes cvv2 and enhanced with other data about the cardholder such as date of birth, mother's maiden name, Social Security Number, place of birth, and other information for authenticating fraudulent transactions.
3. Chef's Special ("dump"), starting from US$15: Includes credit card track data (electronic data from the magnetic stripe on the back of a credit card).
Looming Compliance Deadlines
Sep 30, 2010: Acquirers / Client Acquiring VNPs to disclose whether any prohibited data is being stored post authorization and, if so, provide a remediation plan.
Sep 30, 2011: Client Acquiring VNPs submit a PCI DSS Report on Compliance (ROC) identifying level of compliance. If not fully compliant, a remediation plan must be provided to Visa.
Introduction to the PCI Security Standards
Payment Card Industry Overview (diagram). Participants shown: PCI Security Standards Council, Payment Brands, Merchant, Acquirer, Issuer, Cardholder, Service Provider, Payment Brand Network.
Overview of PCI Security Standards (diagram; Source: PCI SSC)
Overview of PCI Security Standards

PCI Data Security Standard (PCI DSS)
- Set of technical and operational requirements set by the PCI SSC to protect payment card data.
- Applicable to all entities that store, process or transmit payment card data.
- Consists of common security best practices.

Payment Application Data Security Standard (PA-DSS)
- Standard for developers of payment applications, based on the Visa Payment Application Best Practice (PABP).
- Applies to payment applications sold, distributed or licensed to third parties.
- Excludes in-house applications that are not sold; these must still meet PCI DSS requirements.

PIN Transaction Security (PTS)
- Applies to point-of-interaction devices (POIs) used for PIN entry, and also to devices used for securing payment processing at data centers and for the production of payment cards.
- Covers device characteristics and device management requirements.

PCI DSS Quick Facts
- PCI DSS v1.0 released Dec 2004.
- Current PCI DSS 2.0 released Oct 28, 2010.
- Previously on a two-year lifecycle; now moving to a three-year lifecycle.
- Global standard applicable to payment card data from cards branded with the logo of one of Visa, MasterCard, American Express, JCB and Discover.
Components of Account Data
Account Data consists of Cardholder Data (CHD) and Sensitive Authentication Data (SAD). (Source: PCI SSC)

PCI DSS Key Objective: Protect Cardholder Payment Data
(Source: PCI DSS Requirements and Security Assessment Procedures v2.0)
1. Cardholder Name, Service Code and Expiration Date must be protected in accordance with all PCI DSS requirements (except 3.3 & 3.4) if present in the cardholder data environment.
2. Sensitive authentication data must not be stored after authorization (even if encrypted).
3. Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.
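As an added illustration (not part of the presentation), the Python below applies the distinction just drawn to sample records of the kind a data-at-rest scan returns: full track data and card verification codes are SAD and may never be kept after authorization, while a Luhn-valid PAN is CHD that may be stored only under the Requirement 3 controls. The record set, regular expressions and function names are constructed for this example; the card number used is the well-known Visa test PAN, not real cardholder data.

```python
import re

# Constructed sample records, as a scan of logs or database exports would see them
# (4111111111111111 is the public Visa test PAN, not real cardholder data).
SAMPLE_RECORDS = [
    "order=1001;pan=4111111111111111;exp=1225;name=J DOE",      # CHD only
    "%B4111111111111111^DOE/J^25121011000000000000?",             # full Track 1 (SAD)
    ";4111111111111111=25121011000000000000?",                   # full Track 2 (SAD)
    "auth_log: cvv2=123 approved",                                # CVV2 in clear (SAD)
    "ref=1234567890123456 invoice",                               # 16 digits, fails Luhn
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}[^?]*\?")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(record: str) -> list[str]:
    """Findings for one record: 'SAD:*' is never permitted after authorization,
    'CHD:pan' is permitted only when protected as Requirement 3 demands."""
    findings = []
    if TRACK1_RE.search(record) or TRACK2_RE.search(record):
        findings.append("SAD:full-track-data")
    if CVV_RE.search(record):
        findings.append("SAD:card-verification-code")
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(record)):
        findings.append("CHD:pan")
    return findings

def post_auth_violations(records: list[str]) -> list[int]:
    """Indexes of records holding SAD, i.e. prohibited data stored post authorization."""
    return [i for i, r in enumerate(records)
            if any(f.startswith("SAD:") for f in classify(r))]

if __name__ == "__main__":
    for i, r in enumerate(SAMPLE_RECORDS):
        print(i, classify(r))
    print("post-authorization violations:", post_auth_violations(SAMPLE_RECORDS))
```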
Requirements Have a Broad Coverage
Goal 1: Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Goal 2: Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Goal 3: Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications
Goal 4: Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Goal 5: Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Goal 6: Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for employees and contractors

...and Not a Lightweight Standard
Consists of 215 sub-requirements and 326 testing procedures (previously 270).
Requirement: sub-requirements / testing procedures
1. Install and maintain a firewall configuration to protect cardholder data: 21 / 29
2. Do not use vendor-supplied defaults for system passwords and other security parameters: 9 / 26
3. Protect stored cardholder data: 21 / 37
4. Encrypt transmission of cardholder data across open, public networks: 3 / 9
5. Use and regularly update anti-virus software or programs: 3 / 6
6. Develop and maintain secure systems and applications: 26 / 36
7. Restrict access to cardholder data by business need to know: 9 / 9
8. Assign a unique ID to each person with computer access: 21 / 33
9. Restrict physical access to cardholder data: 20 / 29
10. Track and monitor all access to network resources and cardholder data: 28 / 33
11. Regularly test security systems and processes: 10 / 24
12. Maintain a policy that addresses information security for employees and contractors: 39 / 44
Appendix A: 5 / 9
TOTAL: 215 / 326
Payment Brand Compliance Programs
PCI DSS Compliance Programs
Payment Brands develop and maintain their own compliance programs in accordance with their risk management framework and policies.
USA:
- Cardholder Information Security Program (CISP) - Visa
- Site Data Protection (SDP) - MasterCard
Other Regions:
- Account Information Security (AIS) Program - Visa
- Data Security Program - JCB
- Data Security Operating Policy (DSOP) - American Express
- Discover Information Security Compliance (DISC) - Discover

Compliance Program Components
All payment brand compliance programs consist of the same three components.
1. Applicability: Any entity that stores, processes and/or transmits cardholder data. Payment Brands define merchant and service provider levels based on transaction volume.
2. Validation: Each Payment Brand has its own set of validation requirements, but all rely on the Quarterly Network Scan, the Self-Assessment Questionnaire and the Onsite Assessment.
3. Reporting: Each Payment Brand has its own set of reporting requirements and deadlines.

Quarterly Network Scan
PCI DSS Requirement 11.2 requires quarterly vulnerability scans of all externally accessible (Internet-facing) system components that are owned or utilized by the scan customer, are part of the cardholder data environment, or provide a path to the cardholder data environment.
All scans must be performed by an Approved Scanning Vendor (ASV). Validation by independent and qualified security companies is important to ensure the effectiveness of PCI DSS. Quality, reliability, and consistency of an ASV's work are essential to ensure the protection of cardholder data.
For a compliant result, a scan must not contain high or medium severity vulnerabilities.
CVSS Score 7.0-10.0: Severity High, Scan Result Fail*
CVSS Score 4.0-6.9: Severity Medium, Scan Result Fail*
CVSS Score 0.0-3.9: Severity Low, Scan Result Pass
* Vulnerabilities must be fixed and the scan repeated until a compliant report is obtained.
Self-Assessment Questionnaire (SAQ)
Used as a validation tool for merchants and service providers to evaluate their compliance with PCI DSS. Available in multiple versions with varying scope and complexity for various scenarios. Mandated in certain situations for merchants and service providers not required to undergo an onsite assessment.
Type 1 (SAQ A): Card-not-present (e-commerce or mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. This SAQ Type does not require scanning. (11 questions)
Type 2 (SAQ B): Imprint-only merchants with no electronic cardholder data storage. This SAQ Type does not require scanning. (21 questions)
Type 3 (SAQ B): Stand-alone terminal merchants, no electronic cardholder data storage. This SAQ Type does not require scanning. (21 questions)
Type 4 (SAQ C): Merchants with POS systems connected to the Internet, no electronic cardholder data storage. Scanning Requirements 11.1 and 11.2 only apply to this SAQ Type. (38 questions)
Type 5 (SAQ D): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. Requirement 11 in its entirety applies to this SAQ Type. (226 questions)

Onsite Assessment
Onsite assessments are security audits for merchants and service providers who must validate compliance.
Qualified Security Assessor (QSA) companies, qualified by the PCI SSC, perform standard defined testing procedures to validate compliance. QSAs are employees of these organizations certified to validate an entity's adherence to the PCI DSS.
Outcomes of the onsite assessments performed by QSAs are:
- Report on Compliance (ROC), describing the compliance status of the entity under review.
- Attestation of Compliance (AOC), demonstrating the entity's compliance status, signed by the QSA and an Officer of the company.
Visa Inc. AIS (CEMEA)
Merchant Level 1
- Compliance Criteria: Over 6 million transactions (all channels) annually, or deemed level 1 by Visa (all regions), or compromised merchant.
- Validation Requirements: Annual Onsite Assessment by QSA, or internal audit signed by an Officer of the company.
- Reporting Requirements: AOC and ROC.
Merchant Level 2
- Compliance Criteria: Between 1 and 6 million transactions (all channels) annually.
- Validation Requirements: Annual SAQ.
- Reporting Requirements: AOC; ROC upon request.
Merchant Level 3
- Compliance Criteria: Between 20,000 and 1 million e-commerce transactions annually.
- Validation Requirements: Annual SAQ.
- Reporting Requirements: N/A.
Merchant Level 4
- Compliance Criteria: Less than 20,000 e-commerce transactions annually, and all other merchants with less than 1 million transactions annually.
- Validation Requirements: Annual SAQ (recommended).
- Reporting Requirements: Recommended; dependent on Acquirer.
Service Provider Level 1
- Compliance Criteria: VisaNet processors, or any service provider with over 300,000 transactions annually.
- Validation Requirements: Annual Onsite Assessment by QSA; Annual SAQ (optional).
- Reporting Requirements: Executive Summary of ROC and AOC.
Service Provider Level 2
- Compliance Criteria: Any service provider with less than 300,000 transactions annually.
- Validation Requirements: Annual SAQ (Annual Onsite Assessment by QSA recommended).
- Reporting Requirements: SAQ.

MasterCard SDP
Merchant Level 1
- Compliance Criteria: Over 6 million transactions (MasterCard & Maestro) annually, or deemed level 1 by MasterCard/Visa, or compromised merchant.
- Validation Requirements: Annual Onsite Assessment by QSA or by internal ISA-qualified staff.
- Reporting Requirements: Acquirers register compliant merchants and report quarterly.
Merchant Level 2
- Compliance Criteria: Between 1 and 6 million transactions (MasterCard & Maestro) annually, or deemed level 2 by Visa.
- Validation Requirements: Annual Onsite Assessment by QSA (at merchant discretion), or SAQ by internal ISA-qualified staff.
- Reporting Requirements: Acquirers register compliant merchants and report quarterly.
Merchant Level 3
- Compliance Criteria: Between 20,000 and 1 million e-commerce transactions (MasterCard & Maestro) annually.
- Validation Requirements: Annual SAQ.
- Reporting Requirements: Acquirers register compliant merchants and report quarterly.
Merchant Level 4
- Compliance Criteria: All other merchants.
- Validation Requirements: Annual SAQ (Note: at the discretion of the Acquirer).
- Reporting Requirements: N/A.
Service Provider Level 1
- Compliance Criteria: All TPPs, and all DSEs with more than 300,000 transactions (MasterCard & Maestro) annually.
- Validation Requirements: Annual Onsite Assessment by QSA.
- Reporting Requirements: AOC.
Service Provider Level 2
- Compliance Criteria: All DSEs with less than 300,000 transactions (MasterCard & Maestro) annually.
- Validation Requirements: Annual SAQ.
- Reporting Requirements: AOC.