Payment Card Industry Data Security Standards
The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.

What is PCI & PCI DSS?
► Payment Card Industry (PCI)
► Data Security Standard (DSS), hence PCI DSS
► PCI DSS was developed jointly by all the credit card brands (Amex, DC, JCB, MC and Visa) to protect the merchant's business, its customers (cardholders), and the integrity of the payment system from the rising incidence of stolen cardholder account data.

Why is PCI compliance important?
PCI helps protect the merchant's business from:
► fraud
► substantial fines from the card associations
► customer dissatisfaction and distrust if their cardholder data is compromised and misused as a result of the merchant's business being compromised.
The credit card brands have made PCI compliance mandatory for merchants.

How Could Cardholder Information be Compromised?
► Hackers could illegally access a merchant's POS system.
► Employees could be conned into revealing passwords, logons, or other sensitive data.
► Credit card data such as reports or receipts could be thrown in the trash by merchants and retrieved by anyone digging through the dumpster.

Who Must Comply with the PCI Data Security Standards?
► All merchants who accept credit and debit cards.
► All credit card processors, issuers and acquirers (such as Heartland), third-party processors, and gateways.
► Developers and software providers.

PCI Data Security Standards Defined by the Card Associations Require Merchants to:
1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.

1. Build and Maintain a Secure Network
► Merchants using the Internet for transmitting credit/debit card information must install and maintain a firewall. Internet firewall security needs to be installed and functional on all computers and POS systems using IP connectivity. POS systems with a dial connection to the Internet are required to comply with this standard as well.

2. Protect Cardholder Data
Merchants Must Use Passwords and Other Security Measures
► Merchants must implement personalized logons and passwords for all users of computers and POS systems to limit access to cardholder information.

3. Maintain a Vulnerability Management Program to Protect Stored Data
► Hard copies of batch reports and paper receipts must be placed in a secured area where only authorized personnel can enter.
► Unneeded reports and receipts must be shredded before disposal.
► Databases and files containing credit/debit card information must be encrypted.
► Encryption software is required for POS systems using Internet connectivity for transmission of cardholder information.

4. Install Antivirus Software
► Merchants must install and maintain updated antivirus software on their computers and POS systems.

5. Regularly Monitor and Test Networks
► Merchants must track and monitor all access to network resources.
► Merchants must show proof that they track and monitor who has access to their computers and POS systems.

6. Maintain an Information Security Policy
► Merchants must have a written and enforceable policy that details safeguarding of credit/debit card information.

Merchant Levels of Compliance
► Levels of PCI security compliance are based on size, type of business and the number of transactions per year.
► Compliance requirements are based on 4 levels.
Level 1 – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. Any merchant identified by any other payment card brand as Level 1.
Level 2 – Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. eCommerce merchants (1M trans/yr – 6M trans/yr). Must comply & pass third-party audits.

Merchant Levels of Compliance
Level 3 – Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. Required to comply.
Level 4 – All other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year, and all merchants processing fewer than 20,000 Visa e-commerce transactions per year.

Level 1 – Large Retail Merchants
Level of compliance is determined by the merchant's size. Large retail merchants (Wal-Mart, Target, etc.)
► Level 1 merchants must undergo annual on-site audits by certified auditors.
► Level 1 merchants must incur the cost of quarterly scans of their Internet-facing systems for vulnerabilities from viruses and hackers.
► Adhering to the PCI standards can cost Level 1 merchants hundreds of thousands of dollars per year to ensure compliance.
All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.

Level 1 – Large Retail Merchants
Validation Action | Validated By | Due Date
Annual On-site PCI Data Security Assessment | Qualified Data Security Company, or Internal Audit if signed by an Officer of the Company | 9/30/2004
Quarterly Network Scan | Qualified Independent Scan Vendor | 9/30/2004
New Level 1 merchants have up to one year from identification to validate.

Level 2 – Mid/Large Merchants
► Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).
► Level 2 and 3 merchants must undergo quarterly scans of their Internet-facing systems for vulnerabilities from viruses and hackers.
► Internet-facing system scans can generally cost $1,000 to $3,000.

Level 2 – Mid/Large Merchants
Validation Action | Validated By | Due Date
Annual On-site PCI Self-Assessment Questionnaire | Merchant | Current
Quarterly Network Scan | Qualified Independent Scan Vendor | Current
New Level 2 merchants: 9/30/2007

Level 3 – Mid/Low Merchants
► Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).
► Level 2 and 3 merchants must undergo quarterly scans of their Internet-facing systems for vulnerabilities from viruses and hackers.
► Internet-facing system scans can generally cost $1,000 to $3,000.

Level 3 – Mid/Low Merchants
Validation Action | Validated By | Due Date
Annual On-site Self-Assessment Questionnaire | Merchant | Current
Quarterly Network Scan | Qualified Independent Scan Vendor | 6/30/2005

Level 4 – Small Merchants
► PCI standards recommend Level 4 merchants undergo annual self-assessment (no outside validation required).
► The standards also recommend the merchant conduct quarterly scans of their Internet-facing systems for vulnerabilities from viruses and hackers.
► These are only "recommendations" for security practices.

Level 4* – Small Merchants
Validation Action | Validated By | Due Date
Annual On-site PCI Self-Assessment Questionnaire | Merchant | Current
Quarterly Network Scan | Qualified Independent Scan Vendor | Validation requirements and dates are determined by the merchant's acquirer
*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.

POS Software Developers must be PABP Compliant
Merchant's software can never store the CVV data.
► POS system software should only extract and store the cardholder number, expiration date, and cardholder name from the magnetic stripe.
► The POS software must encrypt all cardholder information.
► The POS software must truncate the cardholder number on receipts, reports and display screens.
► The POS software must encrypt all Internet transactions, generally done by SSL (Secure Sockets Layer) encryption.
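As an added illustration (not code from this presentation or from any PABP-validated product), here is how a POS application can keep only the three permitted stripe fields and truncate the PAN before it reaches a receipt. The track layouts follow ISO 7813 and the swipe strings are constructed samples built from publicly known test card numbers.

```python
import re
from dataclasses import dataclass

# Constructed sample swipes using well-known test card numbers, not real accounts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary data is where the card verification value and PIN
# verification value live, so it must never be retained.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121019876543210000?"
SAMPLE_TRACK2 = ";4111111111111111=25121019876543210000?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass(frozen=True)
class CardData:
    """The only stripe fields the POS is allowed to keep."""
    pan: str
    expiry: str  # YYMM exactly as encoded on the stripe
    name: str    # "SURNAME/FIRST" from Track 1, empty for Track 2 swipes


def parse_swipe(raw: str) -> CardData:
    """Extract PAN, expiry and name from a raw swipe and discard everything else.

    The discretionary data (and the service code) never leaves this function,
    so there is nothing for the rest of the application to store by accident.
    """
    match = TRACK1_RE.match(raw)
    if match:
        return CardData(match["pan"], match["exp"], match["name"])
    match = TRACK2_RE.match(raw)
    if match:
        return CardData(match["pan"], match["exp"], "")
    raise ValueError("unrecognised track format")


def mask_pan(pan: str) -> str:
    """Truncate a PAN for receipts, reports and screens: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def receipt_line(card: CardData) -> str:
    """Build the card line printed on a customer receipt (masked PAN, MM/YY)."""
    return f"CARD {mask_pan(card.pan)}  EXP {card.expiry[2:]}/{card.expiry[:2]}"


if __name__ == "__main__":
    card = parse_swipe(SAMPLE_TRACK1)
    print(receipt_line(card))  # CARD ************1111  EXP 12/25
```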

POS Software Developers must be PABP Compliant
► The CVV card code is never allowed to be stored.

How do you know which POS Software Complies with PABP Standards?
► Merchants must contact their VAR/dealer or software developer to determine if their POS system software is PABP compliant.

Why Should Merchants Comply with PCI Standards?
► To protect their business reputation.
► To protect their customers' card information.
► To limit their risk of being fined and forced to undergo forensics (a Visa/MasterCard on-site audit to determine the cause of the compromise), which can cost tens of thousands of dollars and put them out of business.

Potential Cost to a Merchant for a Compromise
First Violation | Second Violation | Third Violation
$50,000 | $100,000 | Management discretion
► If security is compromised, regardless of the merchant's tier level, they will be required to undergo an on-site security audit.
► Merchants will be fined and assessed all costs and expenses related to the forensic investigation. They must pay a consultant to conduct the audit. The merchant must pass the audit and continue to do audits on an annual basis. Failure to notify Visa of a suspected or confirmed loss or theft of credit card data is subject to a fine of $100,000 per incident.
► Costs of forensic investigations begin at $50,000 and could be as high as $100,000 per investigation.
► Costs of audits can range from $15,000 to $20,000 per audit.

Summary of Steps to Compliance
► PCI standards apply to all credit and debit cards.
► Every merchant is mandated by the Card Associations to comply.
► The six basic standards are as follows:
  ► Build and Maintain a Secure Network
  ► Protect Cardholder Data
  ► Maintain a Vulnerability Management Program
  ► Implement Strong Access Control Measures
  ► Regularly Monitor and Test Networks
  ► Maintain an Information Security Policy
► The fines, investigations and audits for certification and compromises can be expensive.

Visa Alerts
10:54:07 by David Press, News, Green Sheet Magazine
"Visa alerts restaurants to lax POS installation: A spike in data security compromises at restaurants prompted Visa U.S.A. to issue a data security alert in July. It emphasized the proper installation and use of POS equipment and systems. The card association also issued a reminder of ways merchants can protect themselves against lapses."

Visa Alerts
Visa alerts restaurants to lax POS installation. Visa's recommended mitigation strategy:
"If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data." – Martin Elliott, Visa's Vice President for Emerging Risk

Credit Firms Push to Thwart Fraud
Merchants Face a Penalty If Steps Aren't Taken to Curb Identity Theft; Visa Misses Own Security Deadline. By Robin Sidel, Wall Street Journal, September 25, 2006; Page C1.
"MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters."

An article appeared in the September 25th edition of the Wall Street Journal
The Journal article begins: "MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters. In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure. Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month."

An article appeared in the September 25th edition of the Wall Street Journal
The article goes on to describe the various issues the credit card industry faces regarding data security and how it plans to deal with them in the coming months and years. The fact is that although the credit card companies are starting their efforts to enforce PCI DSS standards with the big retailers, it is the small and mid-sized businesses like yours that are the easiest and most lucrative targets for cyber criminals.

An article appeared in the September 25th edition of the Wall Street Journal
"For example, restaurants from coast to coast have already had to pay fines ranging from $5,000 to $350,000. In addition, they faced the immediate loss of their ability to accept credit cards and had to pay for initial and ongoing security audits that cost thousands more."

Case Study: The POS System
(Diagram: Attacker, Retail Store, Processor, Corporate, Internet)

Compromise Statistics: Industry
SpiderLabs data is gathered from more than 140 card compromise cases. The food service industry represents the majority of the compromises.
(Chart: Cases By Industry)

Compromise Statistics: Acceptance
(Chart: Cases by Card Acceptance)
About 4 out of every 5 cases is a traditional brick-and-mortar environment. Card-present merchants are not aware of these risks!

Compromise Statistics: System Type
The majority of the cases involved a compromise of a software-based POS system. None of these systems were Visa PABP or PCI DSS compliant.
(Chart: Cases By System Type)

Compromise Statistics: Connectivity
All Internet connectivity should be considered high risk. SpiderLabs has tracked a trend of migration from T1 and dial-up to DSL/cable.
(Chart: Cases By Connectivity)

Compromise Statistics: Error
(Chart: Merchant Error vs. 3rd Party Error)
Half of the compromises were caused by a fault in the service provided by a 3rd party to a merchant. POS developers, integrators and IT firms are not following PCI DSS and are leaving merchants at risk!

Compromise Statistics: Track Data
Track data storage is never permitted in any environment post-authorization. Non-compliant software packages are storing track data and the merchants did not know until it was too late!
(Chart: Brick and Mortar Cases w/ Track Data Storage)
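An added example, not from this presentation or from SpiderLabs: a small audit script a merchant or integrator could run over POS logs and data files to find the "inadvertently stored track data" that Visa warned about and that this slide reports. The log sample is constructed and uses publicly known test card numbers; the Luhn check is there to keep order numbers and other long digit runs from being reported as PANs.

```python
import re

# Constructed sample of a POS debug log (test card numbers only).
# Line 1 is what a compliant log looks like; lines 2-4 are the kinds of
# entries that turn a merchant into a "stored track data" case.
SAMPLE_LOG = """\
2008-11-03 12:01:07 AUTH ok pan=************1111 amt=42.10 ref=0001234567890123
2008-11-03 12:01:09 DEBUG swipe=;4111111111111111=25121019876543210000?
2008-11-03 12:02:15 AUTH ok pan=4111111111111111 amt=8.00
2008-11-03 12:03:00 DEBUG raw=%B5555555555554444^DOE/JANE^2601101000000000?
"""

# Full Track 1 / Track 2 images (ISO 7813); sentinels are optional because
# some applications strip them before logging.
TRACK1_RE = re.compile(r"%?B(\d{12,19})\^[^^?]{2,26}\^\d{7}\d*\??")
TRACK2_RE = re.compile(r";?(\d{12,19})=\d{7}\d*\??")
# A bare digit run of PAN length, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never re-log a full PAN in the audit report itself."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_lines(text: str) -> list:
    """Return (line_number, kind, masked_pan) for each line holding card data.

    kind is TRACK1 or TRACK2 (never permitted post-authorization) or PAN
    (permitted only when stored encrypted, which a cleartext log is not).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
            m = pattern.search(line)
            if m:
                findings.append((lineno, kind, mask(m.group(1))))
                break
        else:
            # No track image on this line; look for a cleartext PAN.
            for m in PAN_RE.finditer(line):
                if luhn_ok(m.group(0)):
                    findings.append((lineno, "PAN", mask(m.group(0))))
                    break
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {masked}")
```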

Compromise Statistics: PCI DSS Violations
Most Common "Not In-Place" Requirements:
Requirement 1: Install and maintain a firewall to protect data
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor all access to network and card data
Requirement 11: Regularly test security systems and processes

Compromise Statistics: SpiderLabs Top 10
Top 10 Reasons/Methods of Compromise
1. Backdoor / Trojan
2. No Firewall
3. SQL Injection
4. Internal Theft
5. Remote Access
6. FTP Access to Data
7. Remote Exploit
8. Remote Buffer Overflow
9. Login Credential Leak
10. Password Brute Force

Compromise Statistics: Riskiest Merchant
Profile of the Merchant with the Greatest Compromise Potential
Industry: Food Service
Payment Acceptance: Card Present
System Type: Non-Compliant Software POS
Connectivity: DSL or Cable Modem

Websites
nt/cisp_merchants.html