PCI DSS for Retail Industry
March 21, 2014

Agenda
- Threat Landscape
- Payment Ecosystem
- Overview of PCI DSS
- Bank's Approach for PCI DSS Compliance
Threat Landscape
- Increased focus on compromising POS systems at retail outlets
- Successful data breaches resulting in the leakage of millions of cardholder data records
- Sophisticated attack vectors being used to breach security controls
Affected retailers: Target, Neiman Marcus, Schnucks Markets Inc, Harbor Freight, MAPCO Express ...and many more
Malicious executables: JackPOS, Dexter, Chewbacca, Project Hack, POSRAM Trojan ...and many more
Advanced mitigation controls:
- Implement PCI DSS and PA-DSS controls
- Lock down POS terminals to allow only the basic requisite applications (application whitelist)
- Implement an anti-malware / anti-virus solution capable of detecting variants of the malicious executables above
- Implement advanced monitoring solutions
Threat landscape
Payment Ecosystem – Terminologies
Card Holder: customer purchasing products or services from a merchant; receives the payment card and bills from the issuer.
Issuer: bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB).
Payment Brand: Visa, MasterCard, Amex, Discover, JCB.

Payment Card Transaction Flow – Terminologies
Merchant: organization accepting the payment card for payment during a purchase.
Acquirer: bank or entity the merchant uses to process its payment card transactions; receives the authorization request from the merchant and forwards it to the issuer for approval; provides authorization, clearing and settlement services to merchants.
Payment Ecosystem – Authorization Flow
Payment Ecosystem – Settlement Flow
PCI DSS Overview – Some Key Terminologies
AOC – Attestation of Compliance
SAQ – Self-Assessment Questionnaire
ROC – Report on Compliance
SAD – Sensitive Authentication Data
CHD – Cardholder Data
PAN – Primary Account Number
ASV – Approved Scanning Vendor
QSA – Qualified Security Assessor

Payment Card Industry – Security Standards Council: the standards
PCI PTS: applies to hardware developers that design and build PIN entry devices.
PCI PA-DSS: provides security requirements for software developers that build and resell payment applications to merchants.
P2PE: the Point-to-Point Encryption (P2PE) program is optional and provides a comprehensive set of security requirements for P2PE solution providers to validate their hardware-based solutions; it may help reduce the PCI DSS scope of merchants using such solutions.
PCI DSS: security requirements for entities processing, storing and/or transmitting CHD.

PCI DSS Overview – The Standard
6 Goals, 12 Requirements, 62 Main Clauses, 289 Testing Procedures
Goal 1: Build and Maintain a Secure Network
Goal 2: Protect Cardholder Data
Goal 3: Maintain a Vulnerability Management Program
Goal 4: Implement Strong Access Control Measures
Goal 5: Regularly Monitor and Test Networks
Goal 6: Maintain an Information Security Policy
Merchant Levels (by annual transaction volume per payment brand)
AMEX: Level 1 > 2.5 million; Level 2 50,000 to 2.5 million; Level 3 < 50,000; Level 4 NA
DISCOVER: Level 1 > 6 million; Level 2 1 million to 6 million; Level 3 20,000 to 1 million; Level 4 Others
JCB: Level 1 > 1 million; Level 2 < 1 million
MasterCard: Level 1 and Level 2 shared with the DISCOVER row on the slide; Level 3 20,000 to 1 million
VISA: Level 1 and Level 2 shared with the DISCOVER row on the slide; Level 3 20,000 to 1 million (ecommerce); Level 4 < 20,000 (ecommerce), < 1 million (other)
A payment brand reserves the right to deem the level irrespective of transaction volume.

Merchant Reporting Requirements (Level 1 to Level 4, as listed per payment brand)
AMEX: Annual OA by QSA or IA; EU only: Annual SAQ; Quarterly N/W scan (ASV) (R); EU only: SAQ (R); NA
Quarterly Network Scan (ASV)
JCB: Annual OA by QSA; Quarterly N/W scan (ASV); Annual SAQ
DISCOVER: Acquirer to determine compliance validation; Annual SAQ (R)
MasterCard, VISA: Quarterly N/W scan (ASV); Attestation of Compliance form
Legend: OA – Onsite Assessment; R – Recommended; IA – Internal Auditor

Service Provider Levels (by annual transaction volume per payment brand)
AMEX: Level 1 All TPPs; Level 2 NA
DISCOVER: does not categorize service providers into levels
JCB, MasterCard: Level 1 > 1 million; Level 2 < 1 million
VISA Inc: Level 1 > 300,000; Level 2 < 300,000
A payment brand reserves the right to deem the level irrespective of transaction volume.
TPP: Third Party Processors

Service Provider Reporting Requirements (Level 1 and Level 2, as listed per payment brand)
AMEX: Annual OA by QSA or IA
DISCOVER: Annual OA by QSA or IA, or Annual SAQ; Quarterly network scans by ASV
JCB: Annual OA by QSA
MasterCard: Annual onsite review by QSA; Quarterly network scan by ASV; Annual SAQ
VISA: Attestation of Compliance form
Legend: OA – Onsite Assessment; IA – Internal Auditor
Need for PCI DSS Compliance
RBI Mandate (RBI/2012-13/424, Section A, Point iv): "Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants."
It is not just about compliance. It is a security imperative, especially in the wake of the recent high-profile data breach incidents at service providers and merchants.
Compliance is incidental; the end objective is security: remain resilient to data breaches.

Bank's Approach for PCI DSS Compliance
Two streams of compliance program:
Bank Compliance
1. Onboarded a QSA company to support the implementation of PCI DSS controls at the enterprise level
2. Current state assessment and implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes
Merchant Compliance
1. Deployed a portal to monitor PCI DSS compliance for merchants and service providers
2. Monitoring compliance status of Level 1, Level 2 and Level 3 merchants and Level 1 and Level 2 service providers
3. Assisting merchants and service providers in filling in the applicable SAQ
HDFC Bank has taken the initiative to share the data security alerts and advisories received from payment brands with all its merchants. Take these alerts/advisories seriously. If not actioned on time you will get hit – as a target or by a random attack.
Thank You Manish Pal, Information Security Group