PCI DSS and MasterCard Site Data Protection Program Payment System Integrity September 2008.

Presentation transcript:

Slide 1: PCI DSS and MasterCard Site Data Protection Program – Payment System Integrity, September 2008

MasterCard Proprietary
Slide 2: Agenda
PCI
– Brief History
– Security Standards Council
– Documentation, Tools, Vendors
SDP
– Acquirer requirements
– Compliance Database
– Enforcement
– Safe Harbor
– Special Topics: Level 4 merchants, ADC Cases
– Reporting and support

Slide 3: Evolution of Industry Approach
Feb 2002: Optional SDP service launched
April 2003: MasterCard Security Standard published
June 2003: SDP program deployed globally
Sept 2003: SDP mandate announced
June 2004: Initial compliance date for Level 2 merchants and service providers
December 2004: PCI Data Security Standard (v1.0) published
June 2005: Initial compliance date for Level 1 and 3 merchants and service providers
September 2006: PCI Security Standards Council formed and PCI DSS v1.1 published
May 2007: SDP mandate expanded
Nov 2007: PIN PED and PA DSS become part of the PCI SSC
Feb 2008: Revised PCI SAQ released

Slide 4: PCI Security Standards Council

Slide 5: The PCI Security Standards Council Members

Slide 6: PCI SSC – Scope
– Develop and manage the PCI Security Standards (PCI DSS) and related documents
– Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
– Provide an open forum where stakeholders can provide input to the ongoing development of payment security standards
– Address industry and constituent questions on standards and interpretation of standards

Slide 7: PCI SSC Participating Organizations by Industry
Merchants, Associations, Vendors, Financial Institutions, Gateways, Processors, EFT Networks, Service Providers

Slide 8: Global Participation & Representation
More than 400 organizations have been accepted.
Chart: United States 73%; the remaining regions shown are Asia Pacific, LAC, Europe, Central Europe/Middle East/Africa and Canada, with shares of 2%, 6%, 2%, 16% and 1% (the chart's pairing of these shares with regions is not recoverable from the extracted text).

Slide 9: Participating Organization Benefits
– Vote and run for the Participating Organization Board of Advisors
– Comment on DSS, SAQ, PED, PA DSS and other PCI SSC documentation prior to public release
– Attend Community Meetings
– Attend Quarterly Webinar Meetings
– Recommend new initiatives and standards
– Early updates on upcoming press releases
– Monthly bulletin from the SSC General Manager
Reserve Your Seat at the Table!

Slide 10: PCI SSC – The Standards
PCI PED: addresses device characteristics impacting the security of the PIN Entry Device (PED) during financial transactions. Applies to the PED device only, whether a stand-alone PED or a PED integrated with a payment application (POS, ATM).
PCI PA-DSS: applies to software vendors and others who develop payment applications (e.g. shopping cart, POS) that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties. May apply* to payment applications in merchants'/service providers' environments**.
PCI DSS: applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data). Applies to merchants' and service providers' systems and networks.

Slide 11: PCI DSS
Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security

Slide 12: PCI Cardholder Data Storage Clarification
Columns: Storage Permitted / Protection Required / Encryption Required**
Cardholder Data
– PAN: YES / YES / YES
– Expiration Date*: YES / YES / NO
– Service Code*: YES / YES / NO
– Cardholder Name*: YES / YES / NO
Sensitive Authentication Data
– Full Magnetic Stripe: NO / N/A / N/A
– CVC2/CVV2/CID: NO / N/A / N/A
– PIN: NO / N/A / N/A
*Data elements must be protected when stored in conjunction with PAN
**Compensating controls for encryption may be employed
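The storage table above is the rule a merchant's back end has to enforce before it writes a transaction record to disk: sensitive authentication data is never kept after authorization, the PAN is kept only in an unreadable form, and the other cardholder data elements are protected when they sit next to a PAN. The following is an added Python example, not code from the presentation or from MasterCard, showing one such pre-persistence check and sanitizer. The field names, the sample transaction and the HMAC key are constructed for the demo; the keyed HMAC token stands in for rendering the PAN unreadable, which is an assumption of the example rather than something the slide prescribes (a real deployment would use strong encryption with managed keys or a tokenization service).

```python
import hashlib
import hmac
import re

# Constructed demo key for the index token; in production the key lives in an HSM or KMS.
DEMO_TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Sensitive Authentication Data (SAD): storage not permitted after authorization.
SAD_FIELDS = ("track1", "track2", "cvc2", "pin", "pin_block")
# Cardholder data elements that may be stored but must be protected when kept with the PAN.
PROTECTED_WITH_PAN = ("expiration_date", "service_code", "cardholder_name")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here to recognise a field that still holds a full PAN."""
    digits = [int(c) for c in pan]
    if len(digits) < 13:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def looks_like_pan(value) -> bool:
    """13-19 digits that pass Luhn: treat as a cleartext PAN."""
    return (isinstance(value, str)
            and re.fullmatch(r"\d{13,19}", value) is not None
            and luhn_valid(value))


def truncate_pan(pan: str) -> str:
    """Display form: first six and last four digits kept, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Keyed one-way index token standing in for the 'Encryption Required' column (assumption)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def storage_violations(record: dict) -> list:
    """Lists the ways a record about to be persisted post-authorization breaks the storage table."""
    problems = []
    for f in SAD_FIELDS:
        if record.get(f):
            problems.append(f"SAD field '{f}' must not be stored after authorization")
    if looks_like_pan(record.get("pan")):
        problems.append("PAN stored in cleartext; it must be rendered unreadable")
        for f in PROTECTED_WITH_PAN:
            if record.get(f):
                problems.append(f"'{f}' is stored alongside a cleartext PAN and must be protected")
    return problems


def sanitize_for_storage(record: dict) -> dict:
    """Returns a copy that satisfies storage_violations(): SAD dropped, PAN truncated and tokenised."""
    out = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    pan = out.pop("pan", None)
    if looks_like_pan(pan):
        out["pan_truncated"] = truncate_pan(pan)
        out["pan_token"] = pan_token(pan)
    return out


# Constructed post-authorization record as it might arrive from a POS or gateway callback.
AUTHORIZED_TXN = {
    "pan": "4111111111111111",            # well-known Luhn-valid test PAN, not a real account
    "expiration_date": "0929",
    "cardholder_name": "J DOE",
    "cvc2": "123",                         # SAD: must be discarded after authorization
    "track2": "4111111111111111=29091011000012345678",  # SAD: full magnetic stripe data
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    for p in storage_violations(AUTHORIZED_TXN):
        print("REJECT:", p)
    print("stored:", sanitize_for_storage(AUTHORIZED_TXN))
```

Running the block prints the violations for the raw record (two SAD fields, a cleartext PAN and the two elements stored next to it) and then the sanitized record, which carries only the truncated PAN, the token and the non-card fields; `storage_violations()` on that sanitized record returns an empty list, which is the property worth testing in a persistence layer.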

Slide 13: PCI Self Assessment Questionnaire
Validation Type 1: Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants – SAQ A (<20 questions)
Validation Type 2: Imprint-only merchants with no cardholder data storage – SAQ B (21 questions)
Validation Type 3: Stand-alone dial-up terminal merchants, no cardholder data storage – SAQ B (21 questions)
Validation Type 4: Merchants with payment application systems connected to the Internet, no cardholder data storage – SAQ C (38 questions)
Validation Type 5: All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ – SAQ D (full DSS)
Note: Sunset date for the old version of the SAQ is April 30, 2008

Slide 14: PCI SSC Milestones in 2008
Phased Approach for PA-DSS
– Phase 1: Publish PA-DSS and testing procedures
– Phase 2: PA-QSA testing approval
– Phase 3: Payment application validation
Searchable FAQ Tool launched on the PCI SSC Website
– Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution

Slide 15: PCI and SDP – Functional Areas (diagram)
Functional areas: Standards Development and Interpretation; Compliance Validation; Enforcement
Parties: PCI SSC, Payment Brands, Acquirers, QSAs

Slide 16: MasterCard Site Data Protection (SDP)

Slide 17: PCI SSC – Not in scope
The following functions will be performed by each payment brand individually:
– Approval and posting of compliant third party service providers
– Forensics and response to Account Data Compromise (ADC) events
– PCI compliance tracking and enforcement

Slide 18: The SDP Program – 3 Major Components
Reporting
– Acquirers must submit quarterly compliance reports on their affected merchants (Level 1, 2 and 3)
– Service Providers submit a Certificate of Validation (COV) or a PCI action plan for review and approval
Registration
– Annual merchant requirement that is fulfilled via the MasterCard Registration Program (MRP)
Enforcement
– Communications, Assessments and MCBS Billing

Slide 19: Entities that Store, Transmit or Process Cardholder Data
Any entity that stores, transmits or processes cardholder data must comply with the PCI DSS. This statement has broad application in the financial industry. Under the SDP Program, only affected merchants and service providers are required to validate their compliance. MasterCard does not require compliance evidence or validation from issuers or acquirers.

Slide 20: Reporting – SDP Submission Form v3.0
Available on [URL omitted from the transcript]
Tabs: Instruction Tab, Acquirer Data Tab, Merchant Data Tab

Slide 21: Reporting – PCI Compliance Levels
Level 1
– Criteria: Merchants > 6 MM annual transactions (all channels); Service Providers > 1 MM annual transactions; all compromised merchants, TPPs and DSEs
– Requirements: Annual Onsite Audit, Quarterly Network Scan
– Compliance Date: 30 June 2005
Level 2
– Criteria: All merchants with > 1 million and <= 6 million total MasterCard transactions annually; all merchants meeting the Level 2 criteria of a competing payment brand; Service Providers <= 1 MM annual transactions
– Requirements: Annual Self-Assessment, Quarterly Network Scan
– Compliance Date: 31 December 2008
Level 3
– Criteria: All merchants with annual MasterCard e-commerce transactions > 20,000 but less than one million total transactions; all merchants meeting the Level 3 criteria of a competing payment brand
– Requirements: Annual Self-Assessment, Quarterly Network Scan
– Compliance Date: 30 June 2005
Level 4
– Criteria: All other merchants
– Requirements: Annual Self-Assessment, Quarterly Network Scan
– Compliance Date: Consult Acquirer

Slide 22: Reporting – Level 4 Merchants
Compliance with the PCI Data Security Standard is required for all Level 4 merchants.
The only optional aspects of compliance for Level 4 merchants are:
– Active compliance validation with their acquirer
– Card Association specific steps (e.g., MRP registration)
To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following:
– An annual PCI self assessment
– Quarterly network security scans

Slide 23: Registration – PCI and SDP Compliance
PCI Compliance
– PCI Onsite Assessment
– PCI Self Assessment
– PCI Quarterly Network Scanning
The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard.
SDP Compliance
– Compliance Validation with Acquirer
– Acquirer Registration of Merchant with MasterCard
The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements.
PCI Compliance + SDP Compliance = Safe Harbor

Slide 24: Enforcement – Areas of Focus
Enforcement activities are generally managed in three distinct categories:
– Non-reporting or incomplete quarterly reporting
– Merchant storage of sensitive authentication data (post authorization)
– Insufficient compliance progress
Communications are the preferred route of enforcement and range from informal to formal.
SDP Global Mailbox: [e-mail address omitted from the transcript]

Slide 25: Enforcement – Process
Each quarter, MasterCard reviews merchant submissions against the three identified categories. Prior to any SDP noncompliance assessment, there is direct customer communication, both formal (letters) and informal (e-mails). The overall intent is to drive compliance, with SDP noncompliance assessments as only one tool.

Slide 26: SDP Enforcement
– In 3Q2008, MasterCard will begin to enforce the completion of the Sensitive Authentication Data Storage field
– Level 3 merchants
– Continued focus on timely and complete quarterly reporting

Slide 27: SDP and Account Data Compromise
With a confirmed ADC, there is a demonstrated risk to the payment system. MasterCard rules govern the immediate actions that acquirers must undertake with an ADC event. Per MasterCard rules, all ADCs are classified as Level 1, with the compliance requirements of an annual onsite assessment and quarterly network scans. Once action is taken by the ADC group, the merchant enters an accelerated PCI compliance process.

Slide 28: Contact Information
For general Site Data Protection inquiries: [e-mail address omitted from the transcript]
Website: [URL omitted from the transcript]
For MasterCard security initiatives visit: [URL omitted from the transcript]
For the PCI Security Standards Council: [URL omitted from the transcript]

Thank you.