Effective Data Security Measures on Payment Cards through PCI DSS (2012)
ECC International :: PHILIPPINES :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA
Learning Bites
- Comprehend the foundations, requirements, and benefits of PCI DSS
- Recognize the need for compliance and the issues and challenges that come with it
- Understand the documentation and audit requirements of the standard
- Demonstrate compliance with all legal and regulatory requirements
High Profile Data Breaches
In the Philippines
There were an estimated 33 million debit cards and 8 million credit cards in circulation in the Philippines in 2009. The number of credit cards in circulation enjoyed healthy growth in 2010 as financial companies kept interest rates low, similar to 2009 levels. Industry players have also introduced a pay-later function, which creates a low-interest-rate climate to encourage card usage. With the growth of financial cards in circulation, the value of card transactions also increased, at the expense of cash transaction value as a proportion of total consumer expenditure. The value share of card payments is expected to keep growing in the forecast period as consumers become increasingly comfortable using financial cards. (Source: Euromonitor International, January 2010 & February 2011)
Data Breaches Statistics
[Two pie charts. Hacking Statistics by Industry: Hospitality, Financial Services, Retail, Food & Beverages, Business Services, Technology, Education, Manufacturing, Others. Hacking Statistics by Vector: Outside, Inside-Malicious, Inside-Accidental, Unknown. The percentage labels cannot be matched to their segments in this extraction.]
Founders of PCI SSC
Payment Card Industry Security Standards
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data.
Terminologies
- Visa & Mastercard: member organizations whose members can be either Acquirers or Issuers (or both)
- Acquirers: members of the Visa or Mastercard organizations which handle merchants
- Issuers: members of the Visa or Mastercard organizations that issue the cards to Cardholders
- Merchants: those entities who accept card transactions
- Cardholders: well, cardholders
- Service Providers: entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above
Diagrammatically
[Diagram of the relationships: the Acquirer and the Issuer are each members of Visa and/or Mastercard, and may or may not be the same organization. The Acquirer provides processing services to the Merchant. The Issuer issues cards to the Cardholder. The Cardholder uses the card to buy from the Merchant.]
Key Regulations/Requirements by VISA
PCI DSS Versions
Outline of PCI DSS Requirements
- About 130 individual requirements under the 12 requirements
- With the major exception of the requirement to encrypt cardholder data, the requirements only represent generally accepted good security practice
- PCI does not represent an onerous ideal, but very many organisations are still only fully compliant with a small proportion of the requirements
- The standard is very prescriptive (unlike e.g. SOX or ISO 27001), but compensating controls are permitted in certain areas, subject to the acquirer's or Payment Brand's approval
PCI DSS General Information
PCI DSS is based on fundamental data security practices, grouped into six goals and 12 requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI DSS Prioritized Approach
The Prioritized Approach and its milestones are intended to provide the following benefits:
- A roadmap that an organization can use to address its risks in priority order
- A pragmatic approach that allows for quick wins
- Support for financial and operational planning
- Objective and measurable progress indicators
- Greater consistency among Qualified Security Assessors
PCI DSS Requirements and Milestones
The 12 PCI DSS requirements by goal:
- Build & Maintain a Secure Network (Requirements 1 & 2)
- Protect Cardholder Data (Requirements 3 & 4)
- Maintain a Vulnerability Management Program (Requirements 5 & 6)
- Implement Strong Access Control Measures (Requirements 7, 8 & 9)
- Regularly Monitor & Test Networks (Requirements 10 & 11)
- Maintain an Information Security Policy (Requirement 12)
Prioritized Approach security milestones:
- Milestone 1: If you don't need it, don't store it
- Milestone 2: Secure the perimeter
- Milestone 3: Secure applications
- Milestone 4: Control access to your systems
- Milestone 5: Protect stored cardholder data
- Milestone 6: Finalize remaining compliance efforts & ensure all controls are in place
PCI DSS Compliance Lifecycle: Phases & Deliverables
Assessment routes: On-site Assessment; Self-Assessment Questionnaire (SAQ)
Phases:
- Assess: PCI DSS framework and scope of assessment, gap analysis, risk assessment
- Remediate: plan and implement remediation
- Report
Deliverables:
- Map out data flow
- Gap Analysis & Risk Assessment
- Development of Remediation Plan
- Implementation of Remediation Plan
- PCI Security Scan (Pentest & Vulnerability Assessment)
- Physical Security Assessment
- On-Site Assessment & Attestation of Compliance
- Self-Assessment Questionnaire (SAQ)
PCI DSS Compliance: Difficult & Ongoing
"PCI (Payment Card Industry) compliance, a requirement for accepting credit card transactions, can be difficult. About 65% of global enterprises are still working on their PCI compliance initiatives. But PCI compliance is an ongoing effort, not a bounded IT security project." (Forrester Research, September 2008)
Key Challenges
- Identifying data locations (PAN, track 2, CVV2/CVC2)
- Encryption of cardholder data
- Monitoring cardholder data access
- Changing business processes
- Changing technology
- Cost of compliance
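The first challenge above, locating cardholder data (PAN and track 2) in files and logs, is usually tackled with a discovery scan before deciding what to delete (Milestone 1) or protect (Requirement 3). The following is an added example, not part of the original deck: a small Python scanner that flags Luhn-valid PAN candidates, recognises track-2 strings, and reports each finding with the PAN masked to the first six and last four digits. The regexes, function names and sample log lines are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (constructed pattern for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as Req. 3 display masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cardholder_data(text: str) -> list:
    """Return (line_no, kind, masked_pan) for each Luhn-valid PAN; kind is
    'track2' when the PAN sits inside a track-2 string, otherwise 'pan'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        track2_pans = {m.group(1) for m in TRACK2.finditer(line)}
        seen = set()
        for m in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if pan in seen or not luhn_ok(pan):
                continue  # duplicate on this line, or not a card number
            seen.add(pan)
            kind = "track2" if pan in track2_pans else "pan"
            findings.append((n, kind, mask_pan(pan)))
    return findings

# Constructed sample log; the card numbers are Luhn-valid test values, not real accounts.
SAMPLE_LOG = """\
2012-03-01 10:02:11 order=8841 card=4111 1111 1111 1111 exp=0514 amount=1200.00
2012-03-01 10:02:12 order=8842 ref=1234567890123456 status=ok
2012-03-01 10:03:05 pos-debug raw=;5500000000000004=251210100000? terminal=07
"""

if __name__ == "__main__":
    for line_no, kind, masked in find_cardholder_data(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

The second log line is skipped because its 16-digit reference number fails the Luhn check, which is what keeps order ids and similar numbers out of the findings.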
Thank you very much!
facebook.com/eccinternational
linkedin.com/company/ecc-international
eccinternational.wordpress.com