PCI DSS 3.2 AWARENESS
NOVEMBER 2017
AGENDA
- PCI STANDARD OVERVIEW
- PAYMENT ENVIRONMENT ACTORS
- PCI ROLES AND RESPONSIBILITIES
- MERCHANTS COMPLIANCE PROGRAM
- PCI DSS 3.2 REQUIREMENTS
PCI STANDARD OVERVIEW
WHAT IS PCI SSC?
- An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis.
- PCI DSS covers security of the environments that store, process, or transmit account data.
- Environments receive account data from payment applications and other sources (e.g., acquirers).
- PCI DSS applies to any entity that stores, processes, or transmits account data.
- Covers security for any system components included in or connected to a merchant's or service provider's Cardholder Data Environment (CDE).
PAYMENT ENVIRONMENT ACTORS
CARDHOLDER
- Customer purchasing goods either as a Card Present or Card Not Present transaction
- Receives the payment card and bills from the issuer
MERCHANT
- Organization accepting the payment card for payment during a purchase
ISSUER
- Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard and Visa)
- Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB)
ACQUIRER
- Bank or entity the merchant uses to process their payment card transactions
- Receives authorization requests from the merchant and forwards them to the Issuer for approval
- Provides authorization, clearing, and settlement services to merchants
PCI ROLES AND RESPONSIBILITIES
COUNCIL
- Maintain the PCI DSS standard and supporting documentation
- Approve companies and their employees to perform PCI DSS assessments and ASV scanning
- Offer training for the QSAs and ISAs
PAYMENT BRANDS
- Development and enforcement of compliance programs
- Fines or penalties for non-compliance
- Forensic investigations of account data compromise
QSA & ISA
- Validate the scope of assessment
- Conduct PCI Data Security Standard assessment
- Produce the final report (ROC or SAQ)
ASV
- Perform external vulnerability scans in accordance with PCI DSS Req. 11.2
- Provide adequate documentation to demonstrate compliance or non-compliance of the scanned customer's components
PCI ROLES AND RESPONSIBILITIES
ISSUERS
- Comply with PCI DSS requirements
- Ensure that all of their service providers comply with the PCI DSS requirements
ACQUIRERS
- Comply with PCI DSS requirements
- Ensure that all of their merchants and service providers comply with the PCI DSS requirements
- Provide merchant/service provider compliance status to payment brands
- Determine merchant/service provider level based on transaction volume where applicable
- Manage merchant/service provider communications
- Incur any liability that may occur as a result of non-compliance
MERCHANTS & SERVICE PROVIDERS
- Comply with PCI DSS requirements
- Know who their acquirers are
- Validate and report compliance to acquirer or payment card brand as applicable
- Read and incorporate communications from the payment brands, acquirers, and the PCI SSC throughout the year
MERCHANTS COMPLIANCE PROGRAM
MERCHANT LEVELS
Level 1
  MasterCard: Processing over 6 million total combined MasterCard and Maestro transactions annually
  Visa: Processing over 6 million Visa transactions annually (all channels)
Level 2
  MasterCard: Processing more than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually
  Visa: Processing 1 million to 6 million Visa transactions annually
Level 3
  MasterCard: Processing more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro transactions annually
  Visa: Processing 20,000 to 1 million Visa e-commerce transactions annually
Level 4
  MasterCard: All other MasterCard merchants
  Visa: Processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
MERCHANTS COMPLIANCE PROGRAM
MERCHANT VALIDATION REQUIREMENTS
Level 1
  MasterCard: Annual onsite assessment by QSA or ISA
  Visa: Annual onsite assessment by QSA or ISA; Attestation of Compliance form
Level 2
  MasterCard: Annual Self-Assessment Questionnaire by ISA; QSA can also be used
  Visa: Annual Self-Assessment Questionnaire; Attestation of Compliance form
Level 3
  MasterCard: Annual Self-Assessment Questionnaire
  Visa: Annual Self-Assessment Questionnaire
  Visa Europe: Use a PCI DSS compliant Service Provider, or have certified their own PCI DSS compliance to the acquirer (SAQ)
Level 4
  MasterCard: Compliance validation is at the discretion of the acquirer; Recommended: Annual Self-Assessment Questionnaire
  Visa: Compliance validation requirements set by acquirer; Annual SAQ recommended
  Visa Europe: Merchant validation for e-commerce is the same as Level 3; Non e-commerce: Annual SAQ, quarterly network scan by ASV, Attestation of Compliance form
PCI DSS 3.2 REQUIREMENTS
Goal                                        Requirement                                                                              No.
Build and Maintain a Secure Network         1. Install and maintain a firewall configuration to protect cardholder data               37
                                            2. Do not use vendor-supplied defaults for system passwords and other security parameters 34
Protect Cardholder Data                     3. Protect stored cardholder data                                                         47
                                            4. Encrypt transmission of cardholder data across open, public networks                   12
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs                               11
                                            6. Develop and maintain secure systems and applications                                   42
Implement Strong Access Control Measures    7. Restrict access to cardholder data by business need to know                            11
                                            8. Assign a unique ID to each person with computer access                                 46
                                            9. Restrict physical access to cardholder data                                            43
Regularly Monitor and Test Networks         10. Track and monitor all access to network resources and cardholder data                 45
                                            11. Regularly test security systems and processes                                         35
Maintain an Information Security Policy     12. Maintain a policy that addresses information security for all personnel               52
Total: 415
CRISTIAN-ADRIAN PIGULEA
SENIOR SECURITY CONSULTANT, PCI QSA, PCIP, CISA
+40 734 220 788, +40 742 356 937
cristian.pigulea@endava.com