PCI Compliance: What’s All the Fuss? Bob Russo November 7, 2008.

Presentation transcript:

The PCI Security Standards Council
An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
– Data Security Standard (DSS)
– Payment Application Data Security Standard (PA-DSS)
– PIN Entry Device (PED)

PCI SSC - The Standards

The PCI Security Standards Council Founders

PCI DSS Drivers
(Diagram: inputs feeding the PCI Data Security Standard)
– Industry best practices
– Community Meeting
– Security scans
– Self-Assessment Questionnaire
– On-site audits
– ADC forensics results
– Proactive feedback from POs and the assessor community
– Advisory Board
– Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)

Notable Successes
– Over 500 Participating Organizations around the world
– Successful Community Meetings with over 700 attendees from around the world
– Board of Advisors driving special interest groups (Wireless, Pre-authorization)
– 164 current QSA companies, of which 74 are also ASV companies
– Total QSAs (individuals) trained to date: 1,063
– Additional devices added to the PED Standard
– Implemented two-year lifecycle process for DSS & SAQ
– PCI SSC participated in 33 events worldwide
Assessor servicing markets per region:
– Asia Pacific: 29
– Canada: 16
– CEMEA: 28
– Latin America & Caribbean: 27
– United States: 87
– Europe: 57

Roles and Responsibilities of the Council
PCI SSC…
– Is an independent industry standard
– Manages the technical and business requirements for how payment data should be stored and protected
– Maintains the list of the qualified PCI assessor community: QSAs, ASVs, PA-QSAs and PED Labs
PCI SSC does not…
– Manage or drive compliance (each brand continues to maintain its own compliance programs)
– Identify stakeholders that need to validate compliance
– Define validation levels
– Set fines and fees

Resources Provided by the Council
– Security standards and supporting documents
– Frequently asked questions
– List of approved QSAs, ASVs, PA-QSAs, PED Labs
– Education and outreach programs: webinars, newsletters/bulletins
– Council appeared in almost 300 pieces of coverage globally since January
– Searchable FAQ tool for all standards-related questions
– Participating Organization membership, Community Meetings, qualifications standards feedback
– One global voice for the industry

PCI SSC Standards

Threat Landscape
Risky behavior:
– 81% store payment card numbers
– 73% store payment card expiration dates
– 53% store customer data from the magnetic stripe on the card
– 16% store other personal data
Implementing the standard is a journey… not a destination.
Source: Forrester Consulting, Sept. 2007

The Cost of Complying
Three categories of compliance cost:
– Upgrading payment systems and security
– Verifying compliance (assessment)
– Sustaining compliance
How much does this cost your organization? For merchants with complex or older systems, it may cost millions.
Source: “PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan [This study utilized data from several sources, including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]
The Cost of Not Complying
The same study estimated non-compliance costs to be significantly higher, including:
– “Crisis” cost upgrades
– Repeat assessments
– Notification costs
– Brand reputation
– Shareholder and consumer lawsuits
The cost of a breach can easily be 20 times the cost of PCI compliance.

Forensics Statistics
Data targeted:
– Consumer data: payment card information (credit / debit, card-present / CNP), personal check information
– Identity-related data: name, address, Social Security / Social Insurance number, IRS / tax return information
– Company-proprietary: financial records, HR / employee data, product strategy & roadmap, trade secrets & technology
Inside jobs vs. intrusions: 17% inside (~77% are partial insiders)
Incident detection: >75% via allegation of compromise
Findings: 92% confirmed security breach; >60% confirmed data compromise
Case commonalities: 19% SQL injection; 45% POS systems; 10% wireless infrastructure; ~50% via 3rd-party connections
Breach sources: ~13% inside the U.S.
Vulnerability scanning in SQL injection cases: 71% had commercial scanning; 63% detected the SQL vulnerability; 15% had it in scan reports for 1 year or more
Payment cards vs. other data: >60%
Law enforcement involvement: 87% of cases

The Five Stages of Grief
– Denial: “It doesn’t apply to me.” PCI compliance is mandatory.
– Anger: “It isn’t fair.” PCI applies to all parties in the payment process.
– Bargaining: “I’ll do some of it.” Compliance is “pass / fail”.
– Depression: “I’ll never get there.” Many merchants already have.
– Acceptance: “It’ll be OK.” PCI doesn’t introduce any new, alien concepts.

The PCI Data Security Standard
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer payment data.
Payment Card Industry (PCI) Data Security Standard Version 1.2, released October 2008.

Six Goals, Twelve Requirements: The PCI Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Summary of PCI Requirements
Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks

Summary of PCI Requirements
Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data

Summary of PCI Requirements
Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security for employees and contractors

Self-Assessment Questionnaire (SAQ)

SAQ Objectives
Self-Assessment Questionnaires:
– Alignment with the PCI DSS v1.2
– Based on industry feedback
– Flexibility for multiple merchant types
– Providing guidance for the intent and applicability of the underlying requirements

Self-Assessment Questionnaire
SAQ validation types (type, description, SAQ, length):
– Type 1: Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. SAQ A, fewer than 11 questions.
– Type 2: Imprint-only merchants with no cardholder data storage. SAQ B, 21 questions.
– Type 3: Stand-alone dial-up terminal merchants, no cardholder data storage. SAQ B, 21 questions.
– Type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage. SAQ C, 38 questions.
– Type 5: All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ. SAQ D, full DSS.

Payment Application Data Security Standard (PA-DSS)

The Payment Application Data Security Standard
Distinct from but aligned with PCI DSS. PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance. This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data.

The Payment Application Data Security Standard: Fourteen Requirements… Protecting Payment Application Transactions
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to the application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers, and integrators

PIN Entry Device Requirements
Physical attributes: attributes that deter physical attacks, for example:
– Penetration of the device to determine key(s)
– Planting a PIN-disclosing bug within the device
Logical attributes: logical security characteristics include functional capabilities that preclude:
– Allowing the device to output a clear-text PIN encryption key
The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as non-cardholder interface devices (hardware security modules).

PCI DSS Applicability Information
Each row gives: data element / storage permitted / protection required / PCI DSS Req. 3.4 applies
Cardholder Data:
– Primary Account Number (PAN): Yes / Yes / Yes
– Cardholder Name [1]: Yes / Yes [1] / No
– Service Code [1]: Yes / Yes [1] / No
– Expiration Date [1]: Yes / Yes [1] / No
Sensitive Authentication Data [2]:
– Full Magnetic Stripe Data [3]: No / N/A / N/A
– CAV2/CVC2/CVV2/CID: No / N/A / N/A
– PIN/PIN Block: No / N/A / N/A
[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
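The storage rules in this table, as an added example that is not part of the original presentation: a small Python routine that drops sensitive authentication data from a post-authorization record and renders the PAN unreadable (truncation plus a keyed one-way hash, two of the Req. 3.4 methods) before anything is written to storage, then checks a stored record for violations. The field names, the sample record and the hash key are constructed assumptions, not values from any real system.

```python
import hashlib
import hmac
import re

# Constructed, hypothetical record as a point-of-sale application might hold it
# immediately after authorization. Not real card values; the test PAN 4111... is
# a well-known dummy number.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Cardholder",
    "expiration_date": "1230",
    "service_code": "201",
    "track2": "4111111111111111=12302011234567890",  # full magnetic stripe data
    "cvv2": "123",
    "pin_block": "0412AC89ABCDEF67",
    "amount": "19.99",
}

# Sensitive authentication data per the applicability table: never stored after
# authorization, even encrypted. Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = ("track2", "cvv2", "pin_block")

# Hypothetical key for the keyed one-way hash. In a real deployment it comes from
# a key-management system, never from a source file.
HASH_KEY = b"replace-with-managed-key"


def render_pan_unreadable(pan: str) -> dict:
    """Req. 3.4: keep only first six / last four digits and a keyed SHA-256 hash."""
    digits = re.sub(r"\D", "", pan)
    truncated = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    digest = hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"pan_truncated": truncated, "pan_hash": digest}


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of an authorization record that may be written to storage.

    Sensitive authentication data is removed outright; the readable PAN is replaced
    by its truncated and hashed forms. Name, expiration date and service code stay,
    but because they are kept alongside PAN-derived data the stored record as a whole
    still falls under the cardholder data environment protections (footnote [1]).
    """
    stored = {k: v for k, v in record.items()
              if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored.update(render_pan_unreadable(record["pan"]))
    return stored


def storage_violations(stored: dict) -> list:
    """Check a stored record against the applicability table; return findings."""
    findings = []
    for field in SENSITIVE_AUTH_FIELDS:
        if field in stored:
            findings.append(f"{field}: sensitive authentication data must not be "
                            "stored after authorization (footnote [2])")
    if re.fullmatch(r"\d{13,19}", str(stored.get("pan", ""))):
        findings.append("pan: stored readable; Req. 3.4 requires truncation, "
                        "hashing, tokenization or strong cryptography")
    return findings
```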

How To Get Involved

Global Participation & Representation
More than 500 organizations have been accepted:
– North America: 411
– Asia Pacific: 12
– Europe: 78
– Latin America / Caribbean: 6
– Central Europe / Middle East / Africa: 14

Participating Organizations Categories

Board Representation & Special Interest Groups
A seat at the table for:
– Financial institutions
– Merchants
– Gateways
– Processors
– Service providers
– EFT networks
– Associations
– Vendors

Participating Organization Privileges
– Vote and run for the Participating Organization Board of Advisors
– Comment on DSS, SAQ, PED, PA-DSS and other PCI SSC documentation prior to public release
– Attend Community Meetings
– Attend webinar meetings
– Recommend new initiatives and standards
– Early updates on upcoming press releases
– Monthly bulletin from the SSC General Manager
– Coming soon: exclusive private Web site for the PO and assessor community
Reserve your seat at the table.

Community Meeting
(Diagram: participants around the Community Meeting)
– Merchants
– Approved Scanning Vendors
– Service Providers
– Qualified Security Assessors
– Acquirers
– Brands

Participating Organizations
(Logo slide, by category: Associations, Financial Institutions, Other, POS Vendors, Processors, Merchants)
For a full list:

Need More Information?

Thank You!