Payment Card Industry - Requirements and implementation challenges in Armenian market Vladislav Muradyan Partner.


Table of Contents
- What is the PCI SSC and PCI DSS?
- Payment industry terminology
- Who is targeted?
- Understanding the risk
- How to secure the cardholder data environment?

What is the PCI SSC and PCI DSS?

What is the PCI SSC and PCI DSS?
The PCI SSC is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis. The PCI SSC founding payment brands include:
- American Express
- Discover Financial
- JCB International
- MasterCard
- Visa, Inc.

What is the PCI SSC and PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

What is the PCI SSC and PCI DSS?
Account Data
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Full track data (magnetic-stripe data or equivalent on a chip)
- CAV2/CVC2/CVV2/CID
- PINs/PIN blocks

What is the PCI SSC and PCI DSS?
PCI Data Security Standard – High Level Overview
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Payment industry terminology
Payment Terminal is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are other names used for these devices.
Electronic Cash Register (or till) registers and calculates transactions, and may print receipts, but it does not accept customer card payments.
Integrated Payment Terminal is a payment terminal and electronic cash register in one: it takes payments, registers and calculates transactions, and prints receipts.

Payment industry terminology
Cardholder: customer purchasing goods, either "Card Present" or "Card Not Present"; receives the payment card and bills from the issuer.
Issuer: bank or other organization issuing a payment card on behalf of a payment brand (VISA, MasterCard, etc.), or a payment brand issuing a payment card directly (Amex, Discover, JCB).
Merchant: organization accepting the payment card for payment during a purchase.

Payment industry terminology
Acquirer: bank or entity the merchant uses to process its payment card transactions.
- Receives authorization requests from the merchant and forwards them to the issuer for approval
- Provides authorization, clearing and settlement services to merchants
The acquirer is also called:
- Merchant Bank
- ISO (Independent Sales Organization)
- Payment Brand, in the case of Amex, Discover and JCB (never VISA or MasterCard)

Payment industry terminology
Authorization
- Merchant requests and receives authorization from the issuer to allow the purchase to be conducted
- Authorization code is provided
Clearing
- Issuer and acquirer exchange purchase and reconciliation information
Settlement
- Issuer pays acquirer
- Acquirer pays merchant for the cardholder purchase
- Merchant receives payment
- Issuer bills cardholder
- Cardholder gets charged

Payment industry terminology
Service Provider is a business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Service Provider examples:
- Transaction processors
- Payment gateways
- Remittance processing companies
- Managed firewall and IDS service providers
- Web hosting and data center hosting providers
- Offsite data storage facilities

Payment industry terminology
Merchants
- Level 1: Type of Assessment: Onsite Assessment; Reporting Requirements: ROC and ASV scan report
- Level 2: Type of Assessment: Self Assessment; Reporting Requirements: SAQ and ASV scan report
- Level 3 and Level 4: Determined by payment brand or acquirer

Payment industry terminology
Service Providers
- Level 1: Type of Assessment: Onsite Assessment; Reporting Requirements: ROC and ASV scan report
- Level 2: Type of Assessment: Self Assessment; Reporting Requirements: SAQ and ASV scan report
- Level (American Express)

Who is targeted?
The top targeted industries included:
- Retail – 45% of breaches
- Food and Beverage – 24% of breaches
- Hospitality – 9% of breaches
- Financial Services – 7% of breaches
- Nonprofit – 3% of breaches

Who is targeted?
- Major retailer (2014) – over 50 million cards lost; malware installed on point-of-sale systems to capture data in memory
- Major retailer (2013) – over 100 million cards lost; senior staff members resigned following the breach
- Payment processor (2009) – 160 million cards lost; malware was used to capture cardholder data as it was processed; reports suggest the direct costs of the breach reached 171 million USD

Who is targeted?
- 99.9% of breaches were preventable, caused by known vulnerabilities with fixable patches
- 76% of companies took weeks or more to discover the breach
- 67% of organizations did not adequately test the security of all in-scope systems

Who is targeted?
Stolen payment cards and cardholder data:
- $10 per card and/or cardholder data (USA)
- $20 per card and/or cardholder data (Japan)
- $50 per card and/or cardholder data (EU)

Understanding the risk
Merchants, payment gateways, and other small service providers are a prime target for data thieves:
- 60% of small businesses experienced a cyber breach
- 71% of hackers attack businesses with under 100 employees
- 20,752 USD – average cost to a small business due to hacking, up from 8,600 USD in 2013
- There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards
- Customers' card data is a gold mine for criminals

Understanding the risk
Factors that make the cardholder data environment vulnerable to security breaches:
- "It will never happen to me"
- Not following recommendations and basic security guidelines
- Not being familiar with PCI DSS compliance and the ways to achieve it (onsite assessment, SAQ, etc.)
- Lack of coordination and communication with the merchant bank, data processors, etc.
- The more features the payment system has, the more complex it is to secure; these extra features often provide easy ways for criminals to steal customer card data

Understanding the risk
Security risks vary greatly depending on the complexity of the payment system, whether face-to-face or online:
- A complex environment requires more activities to reduce the risks
- A simple environment requires fewer activities to reduce the risks
The way to address business needs versus the security of customer card data is to get them in balance.

How to secure the cardholder data environment?
- Be familiar with the PCI DSS requirements and other publications related to your business: implementation guidelines, standards and recommendations issued by the PCI SSC; definitions of merchant and service provider levels, how to determine the appropriate level and which requirements need to be followed
- Implement information security basics
- Be in contact with your merchant bank and data processing service provider

How to secure the cardholder data environment?
The good news is that it is possible to start protecting the cardholder data environment right now by implementing basic and inexpensive activities:
- Use strong passwords and change default ones
- Protect your card data and only store what you need
- Inspect payment terminals for tampering
- Install patches from your vendors
- Use trusted business partners and know how to contact them
- Protect in-house access to your card data

How to secure the cardholder data environment?
Use strong passwords and change default ones
- CHANGE YOUR PASSWORDS REGULARLY
- MAKE THEM HARD TO GUESS
- DON'T SHARE
It should be noted that computer equipment and software out of the box (including payment terminals) often come with default (preset) passwords such as "password" or "admin", which are commonly known by hackers and are a frequent source of small merchant breaches.

How to secure the cardholder data environment?
Protect your card data and only store what you need
- Ask your payment terminal vendor or merchant bank where your systems store data and whether you can simplify how you process payments
- The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider
- Securely destroy/shred card data you don't need. Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen
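The account data definitions (cardholder data versus sensitive authentication data) and the "store only what you need" advice above, carried into code as an added example; this is not code from the presentation or from Grant Thornton. It drops SAD before anything is persisted, masks the PAN for receipts, replaces the stored PAN with a token from a simulated in-memory vault (a stand-in for a real tokenization service), and scans log lines for clear PANs that were stored by accident. The PANs and log lines are constructed test data.

```python
"""Added example (not from the presentation): handling account data the way the
slides ask a merchant to. Sensitive authentication data is dropped before anything
is persisted, the PAN is masked for display, and the stored PAN is replaced by a
token from a simulated, in-memory tokenization service. All PANs and log lines
below are constructed test data."""
import re
import secrets

# Sensitive authentication data (SAD): must never be stored after authorization.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(candidate: str) -> bool:
    """Luhn check-digit test; filters most non-PAN digit runs (order ids, phone numbers)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts: at most the first six and last four digits visible."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenization service. In a real deployment the vault (and the
    clear PAN) lives in a separately secured environment; the merchant database
    holds only the token, which is random and carries no card information."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)   # 96 random bits, unrelated to the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def sanitize_for_storage(auth_record: dict, vault: TokenVault) -> dict:
    """Turn an authorization request into the record a merchant may keep afterwards:
    SAD removed, clear PAN replaced by a token, masked PAN kept for receipts."""
    pan = auth_record["pan"]
    stored = {k: v for k, v in auth_record.items() if k != "pan" and k not in SAD_FIELDS}
    stored["pan_token"] = vault.tokenize(pan)
    stored["pan_masked"] = mask_pan(pan)
    return stored


# Detection: a clear PAN in a log file is stored cardholder data you did not mean to keep.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_clear_pans(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, PAN) for every Luhn-valid 13-19 digit run in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _DIGIT_RUN.finditer(line):
            if luhn_valid(match.group()):
                hits.append((number, match.group()))
    return hits


# Constructed sample: one card-present authorization request and three log lines.
SAMPLE_AUTH = {"pan": "4111111111111111", "expiry": "12/29", "cvv2": "123",
               "track2": "4111111111111111=29121011000012345678", "amount": "12.50"}
SAMPLE_LOG = [
    "2024-03-01 10:02:11 sale ok pan=4111111111111111 amount=12.50",   # clear PAN: finding
    "2024-03-01 10:02:12 receipt printed pan=411111******1111",       # masked: fine
    "2024-03-01 10:05:40 order 1234567890123 shipped",                # 13 digits, fails Luhn
]

if __name__ == "__main__":
    vault = TokenVault()
    print(sanitize_for_storage(SAMPLE_AUTH, vault))
    print(find_clear_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps the log scan useful: order numbers and timestamps are digit runs too, and without the check-digit test every one of them would be a false positive. Note that the token is looked up, not derived from the PAN, so knowing the token (or the masked form) gives an attacker nothing to reverse.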

How to secure the cardholder data environment?
Inspect payment terminals for tampering
- LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don't recognize
- KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like
- Make sure the payment terminals are secure before you close your shop for the day, including any devices that read your customers' payment cards or accept their personal identification numbers (PINs)
- Only allow payment terminal repairs by authorized repair personnel, and only if you are expecting them

How to secure the cardholder data environment?
Install patches from your vendors
- ASK the vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices
- You may get patches from vendors of your payment terminal, payment applications, other payment systems (tills, cash registers, PCs, etc.) and operating systems (Android, Windows, iOS, etc.)
- MAKE SURE your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches. Ask them
- Installing patches as soon as possible is very important. Also look out for patches from the payment service provider
- Ask your e-commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/or web application so it can support the latest patches

How to secure the cardholder data environment?
Use trusted business partners and know how to contact them
- Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?
- Keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency
- Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant as well
- Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data

How to secure the cardholder data environment?
Protect in-house access to your card data
- Set up your system to grant access only based on a "business need-to-know." As the owner, you have access to everything, but most employees can do their job with access only to a subset of data, applications, and functions
- LIMIT ACCESS to payment systems and unencrypted card data to only those employees that need access, and only to the data, applications and functions they need to do their jobs
- KEEP A LOG. Track all "behind the counter" visitors in your establishment. Include name, reason for visit, and name of the employee that authorized the visitor's access. Keep the log for at least a year
- Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices (so data cannot be recovered)
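The "business need-to-know" rule and the logging advice above, as an added example in code (not from the presentation or from Grant Thornton). Each user has an individual id and one role, permissions are deny-by-default, every access attempt is written to an audit log whether it succeeds or not, and a review queue pulls out the entries a small merchant should actually look at: denials, plus any access to a clear PAN. The roles, permissions and user names are illustrative assumptions.

```python
"""Added example (not from the presentation): enforcing "business need-to-know"
access to card data with an audit trail. Roles, permissions and users are
illustrative; a real system would take them from its identity provider."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Deny-by-default permission sets. Only the owner role may see an unmasked PAN,
# mirroring the slide's point that most staff can work with a subset of the data.
ROLE_PERMISSIONS = {
    "cashier": {"create_sale", "view_masked_pan"},
    "refund_clerk": {"create_sale", "create_refund", "view_masked_pan"},
    "owner": {"create_sale", "create_refund", "view_masked_pan", "view_full_pan", "export_sales"},
}

# Actions whose audit entries should be reviewed even when allowed (clear card data).
HIGH_RISK_ACTIONS = {"view_full_pan", "export_sales"}


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool


class CardDataAccessControl:
    def __init__(self, users: dict[str, str]) -> None:
        # users maps an individual user id to one role; generic ids named after a
        # role are refused so every audit entry points at a single person.
        for user_id in users:
            if user_id in ROLE_PERMISSIONS:
                raise ValueError(f"shared/generic account not allowed: {user_id}")
        self._users = users
        self.audit_log: list[AuditEvent] = []

    def is_allowed(self, user: str, action: str) -> bool:
        role = self._users.get(user)
        return action in ROLE_PERMISSIONS.get(role, set())

    def access(self, user: str, action: str, record_id: str) -> bool:
        """Record every attempt, successful or not, then return the decision."""
        allowed = self.is_allowed(user, action)
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=self._users.get(user, "unknown"),
            action=action, record_id=record_id, allowed=allowed))
        return allowed

    def review_queue(self) -> list[AuditEvent]:
        """Entries a reviewer should look at: denials plus any clear-PAN access."""
        return [e for e in self.audit_log if not e.allowed or e.action in HIGH_RISK_ACTIONS]


# Constructed sample users (individual ids, one role each).
SAMPLE_USERS = {"anna.k": "cashier", "davit.m": "refund_clerk", "owner.v": "owner"}


def run_sample() -> CardDataAccessControl:
    """Replay a short constructed sequence of access attempts."""
    ac = CardDataAccessControl(SAMPLE_USERS)
    ac.access("anna.k", "view_masked_pan", "sale-1001")   # routine, allowed
    ac.access("anna.k", "view_full_pan", "sale-1001")     # beyond need-to-know, denied
    ac.access("davit.m", "create_refund", "sale-1001")    # allowed for refund clerks
    ac.access("owner.v", "view_full_pan", "sale-1001")    # allowed but high risk: reviewed
    ac.access("ghost", "create_sale", "sale-1002")        # unknown user, denied
    return ac


if __name__ == "__main__":
    for event in run_sample().review_queue():
        print(event)
```

Two design points worth noting: the decision and the log entry are produced in the same call, so there is no code path that touches card data without leaving a record, and the owner's own clear-PAN access lands in the review queue even though it is permitted, because "allowed" and "expected" are different questions.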

Questions?

THANK YOU!

Business risk services & cybersecurity
Contact details
For assistance and advice please contact us:
8/1 Vagharshyan str., Yerevan, 0012, Armenia
Vladislav Muradyan, Partner, Business risk services & cybersecurity
T +374 (10) 260964
E Vladislav.Muradyan@am.gt.com
T +374 (10) 26 09 64
E gta@am.gt.com