PCI DSS modular approach for F2F EMV mature environments

Slides:



Advertisements
Similar presentations
Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Advertisements

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
PCI DSS for Retail Industry
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Troy Leach April 2012 The PCI Security Standards Council.
PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.
Navigating the New SAQs (Helping the 99% validate PCI compliance)
Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Security Controls – What Works
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Why Comply with PCI Security Standards?
Payment Card Industry (PCI) Data Security Standard
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material.
Web Advisory Committee June 17,  Implementing E-commerce at UW  Current Status and Future Plans  PCI Data Security Standard  Questions.
Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.
The influence of PCI upon retail payment design and architectures Ian White QSA Head of UK&I and ME PCI Team September 4, 2013 Weekend Conference 7 & 8.
An Introduction to PCI Compliance. Data Breach Trends About PCI-SSC 12 Requirements of PCI-DSS Establishing Your Validation Level PCI Basics Benefits.
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
PCI requirements in business language What can happen with the cardholder data?
PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA
Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS) April 28,2012 Cathy Pettis, SVP ICUL Service Corporation.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Data Security and Payment Card Acceptance Presented by: Brian Ridder Senior Vice President First National September 10, 2009.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad.
Jon Bonham, CISA, QSA Director, ERC
Standards in Use. EMV June 16Caribbean Electronic Payments LLC2.
By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.
PCI 3.1 Boot Camp Payment Card Industry Data Security Standards 3.1.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction to PCI DSS
EMV.
MARTA’s Road to PCI Compliance
Payment Card Industry Data Security Standards
Payment Card Industry (PCI) Rules and Standards
Principles Identified - UK DfT -
Wake Forest University
PCI DSS Improve the Security of Your Ecommerce Environment
Summary of Changes PCI DSS V. 3.1 to V. 3.2
PCI-DSS Security Awareness
Decrypting Tokenization What is it and why is it important?
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Payment card industry data security standards
Where Do You Have Cardholder Data?
Tim Carter Sales Director Sybase Confidential Propriety.
2013 PCI:DSS Meeting OSU Business Affairs
Internet Payment.
Session 11 Other Assurance Services
EMV® 3-D Secure - High Level Overview
Tim Carter Sales Director Sybase Confidential Propriety.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
PCI Compliance : Whys and wherefores
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
Payment Card Industry (PCI)
MARTA’s Road to PCI Compliance
Contact Center Security Strategies
DieboldNixdorf.com Tokenization Roman Cinkais |
PCI 3.1 Compliance Panel for CHECO
Presented by: Jeff Soukup
Presentation transcript:

PCI DSS modular approach for F2F EMV mature environments Colin Whittaker Director and Founder

Agenda Background and Rationale for a PCI DSS modular approach for F2F EMV mature environments – The “Approach” Define relevant representative F2F EMV merchant environments and their appropriate module of PCI DSS control requirements A proposed assessment framework

Background and Rationale

Traditional Approach to PCI DSS Scope Acquirer PCI DSS Scope Merchant Data Centre E-Commerce F2F MOTO

Background to PCI DSS Compliance for F2F Merchants Pre 2011 - EMV iCVV issue and attacks against PIN Entry devices Improvements in PIN entry device security From 2008 - Attacks against F2F environments to capture mag-stripe data 2011 - Visa Europe Technology Innovation Programme 2012 – Early steps in a modular approach to PCI DSS Compliance

A Modular Approach by Channel PCI DSS Scope PCI DSS Scope PSP Acquirer PSP PCI DSS Scope Merchant Data Centre E-Commerce F2F MOTO

Initial Guidance for QSACs An entity may only need to validate a subset of requirements to their acquirer An entity may wish to validate a new security control that impacts only a subset of requirements The entity offers a service which addresses only a limited number of PCI DSS requirements

Rationale for The Approach Data has been Devalued Why ask EMV enabled F2F merchants to do more? Cardholder data breaches provide the evidence of the reduced threat to F2F EMV environments Transparency and equivalence in payment systems a regulatory given for Europe PSD2 MIF Security standards must be appropriate to the value of the data being protected GDPR Security a non-competitive issue

Factors The Approach had to Consider Multi-channel payment acceptance What does adequate segmentation between channel look like? Novel F2F Payment methods In store e-commerce Small F2F merchants Recognise the limit of their capabilities to prove they are secure Where cards are used for purposes other than payments Customer identification and verification Skimming attacks Are they on the increase and if so why and does this change the approach?

Primary Assumptions An EMV Mature Market can be defined >90% of card payments at F2F are made with EMV >95% of merchants are EMV enabled No evidence of any threat on EMV data since 2009 There is an identifiable market wide community Acquirers & Issuers accept the residual risks to EMV Sensitive Authentication Data must be redefined EMV track equivalent cardholder data should no longer be defined as sensitive authentication data

Rationale for excluding PCI DSS controls Baseline: EMV F2F environments are stable and not subject to dynamic and frequent changes Exclude processes and policies Exclude derived amplifying requirements Exclude controls which can be satisfied fully or in part by other controls Exclude controls addressed by other PCI SSC standards Partially retain some controls for key components

Example of Applying the Rationale Fully Excluded Partially Excluded 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations 3.3 Mask PAN when displayed … such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN. 11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

Representative F2F EMV merchant environments

Defined 3 types of merchants Merchants which consolidate transactions (typically large retailers) Merchants which connect directly to their Acquirer and contract a 3rd party service provider Merchants which connect directly to the Acquirer

Common applicability requirements The merchant must be in a EMV Mature market Card acceptance devices must be a currently approved PTS device (PCI PTS2.0 or later as of today) Compliance to schemes sunset date policy Other payment channels must be segregated at a network level from the EMV CDE, They must treat the EMV CDE as a less sensitive, and untrusted, environment

Merchant consolidates transactions Acquirer SAQ EMV Scope Consolidation Server Store A F2F Store B F2F Store N F2F Store N F2F Store N F2F ……….

SAQ EMV 45 out of 242 PCI DSS controls that need to be evidenced 11 of the 45 apply to the point of consolidation e.g.: 11.2.1 Perform quarterly internal vulnerability scans. Burden of providing the evidence is passed to the acquirer and not the merchant e.g.: 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks

PCI DSS Requirement 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution Proposed revised guidance: Requirements solely apply to the threat of device substitution and not tampering In attended environments substitution threats can be mitigated by technical means For unattended or semi-attended devices 9.9.2 and 9.9.3 always applies in all cases.

Good Practice Controls 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities Good Practice Controls 35 PCI DSS additional controls No requirement to test against them Provided for those who wish to enhance their security even further, eg: 1.4 Install personal firewall software …… 5.1 Deploy anti-virus software on all systems commonly affected by malicious software…. 7.1.2 Restrict access to privileged user IDs to least privileges …… 11.4 Use intrusion-detection and/or intrusion-prevention techniques ……

Merchant connects directly to the Acquirer + 3rd party service provider SAQ B-EMV Scope Store A F2F Store B F2F Store N F2F Store N F2F Store N F2F ……….

SAQ B-EMV Derived from SAQ B and SAQ B-IP 16 out of 242 PCI DSS controls that need to be evidenced Applies to IP and dial-up connections Additional applicability requirements: 3rd parties have remote access to the EMV CDE The acquirer is responsible for the confidentiality requirements between them and the merchant The acquirer provides guidance on how to connect the device to the merchant’s network.

Merchant connects directly to the Acquirer No PCI DSS Requirements Store A F2F Store B F2F Store N F2F Store N F2F Store N F2F ……….

F2F EMV Accepting Merchants to whom PCI DSS no longer applies Additional applicability requirements: There is no remote access to the EMV CDE The acquirer is responsible for the confidentiality requirements between them and the merchant The acquirer provides guidance on how to connect the device to the merchant’s network.

Scoping Flow Chart

Proposed assessment framework

Merchant Categories Merchant consolidates transaction before submitting to an acquirer Merchant retail outlet direct to acquirer Large merchants processing more than 6M transactions per year Multi-acceptance channel merchants Multi-acceptance channel merchants who outsource non-EMV processing Merchants have adopted a PCI validated P2PE solution Merchants have implemented an end-to-end encryption (E2EE) solution

Levels of Assurance None Self Assess Self Assess QSAC Certify QSAC PCI DSS None Merchant with direct connection to acquirer Merchant with direct connection to acquirer + 3rd party service provider Self Assess Merchant consolidating transactions Self Assess QSAC Certify “Level 1” merchants non-modular approach QSAC Increasing number of requirements SAQ A-EP SAQ C SAQ B-IP SAQ C-VT TIP 2 Mandatory SAQ EMV SAQ B SAQ P2PE SAQ A SAQ B-EMV Increasing Assurance Requirements are satisfied

Common Assessment Framework Merchant category <6M Transactions/year >6M Transactions/year Merchant consolidates transactions before submitting to an acquirer SAQ EMV SAQ EMV Self Assessed PCI QSA certified Merchant retail outlet transactions direct to an acquirer SAQ B-EMV Merchant with multi-acceptance channels network segmentation assessment requirement Self-assess PCI DSS requirement 11.3.4 between EMV acceptance CDE and other channels’ CDE PCI QSA assess PCI DSS requirement 11.3.4 between EMV acceptance CDE and other channels’ CDE Merchant uses a PCI SSC P2PE validated Solutions SAQ P2PE Merchant uses a nationally endorsed or acquirer/processor approved E2EE solution Merchants that fall outside these categories Where an EMV F2F merchant cannot meet the eligibility requirements as set out for each of these SAQs the normal PCI DSS scoping and compliance considerations apply

Concluding Remarks

Concluding Remarks A significant change to PCI DSS compliance requirements for the F2F EMV environment Assumes a common compliance assessment framework across all global card brands Under GDPR an alternative to this is possible Do the merchant categories make sense? Is QSA based assessment a burden? Would there be benefits in a QSAC certifying a self assessment?