Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals


Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals Presented by: Rose Andert and Lance Wright July 24, 2008

Learning Points
- What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
- Recent data breaches and their cost
- Card brand programs: history and non-compliance problems
- Complementary regulatory compliance efforts
- PCI component overview
- Member requirements and merchant levels
- Identifying, finding, storing and eliminating sensitive cardholder information
- Scope of PCI
- PCI DSS (the "Digital Dozen")
- Self-assessment versus audit requirements

What is the PCI DSS?
Definition: The Payment Card Industry (PCI) Data Security Standard (DSS) is a rigorous set of requirements designed to help merchants protect their customers by securing payment account transactions (credit card/debit card) and stored card information.
- It is not a federal law and not a certification process
- It is a set of requirements standardized by the PCI Security Standards Council

What is the PCI DSS?
Main objective: consistency in "due care" through mandated requirements for protecting customers' payment account, transaction and authentication data.
The PCI DSS includes requirements for:
- Security management
- Policies and procedures
- Network architecture
- Software design
- Other controls around the processing, storage and transmission of cardholder data

Breaches

The TJX Companies, Inc. Data Breach
- From July 2005 to January 2007, TJX suffered what was then the largest computer data breach in corporate history, affecting over 45 million credit and debit cards
- 451,000 customers were exposed to identity theft, including Social Security numbers and driver's license numbers
  Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html
- In August 2007, TJX disclosed that the costs of the data breach, including lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims, had soared to $256 million, up from the initial estimate of $25 million
  Source: http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
- Experts estimate that breach-related costs could reach $1 billion
- In December 2007, TJX agreed to fund up to $40.9 million pre-tax for recovery payments to financial institutions as part of a settlement agreement
  Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/

Hannaford Bros. Data Breach
- In March 2008, the Massachusetts Bankers Association (MBA) notified 60 to 70 of its 200 member banks of a large data breach originating from a "major retailer" between December 2007 and March 2008
- It has been reported that the breach occurred within Hannaford Bros., a Maine-based supermarket chain, exposing as many as 4.2 million credit and debit cards to fraud in Massachusetts and the northern New England states
- Hannaford has already reported at least 1,800 cases in which cards were used fraudulently
  Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/
- The total cost of these breaches is high. According to SearchSecurity.com: "In a study released in October 2006, the Ponemon Institute found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. Ponemon studied 31 companies that experienced a data breach. The total costs for each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings."

Cost of Security Breaches Continues to Increase
- Breaches cost companies an average of $182 per compromised record*
- This was a 31% increase over 2005*
- Gartner analysts estimate that the cost of a sensitive data breach will increase 20 percent per year through 2009**
*Ponemon Institute
**http://security.tekrati.com/research/9457/

Card Brand Programs - History
- June 2001: Visa developed a robust security audit program, the Cardholder Information Security Program (CISP)
- December 2004: the expanded Payment Card Industry (PCI) Data Security Standard (DSS) was adopted by American Express, Discover Financial Services, JCB International, MasterCard Worldwide (includes Diners Club) and Visa International
- September 2006: the PCI Security Standards Council was formed

Non-compliance is a Problem
Retailers are failing to comply with credit card security standards: despite five years and two deadlines, just 65 percent of Level 1 merchants (6 million+ annual transactions) and an estimated 43 percent of lower-volume merchants had fully validated compliance with the cardholder data security standards (as of September 30, 2007)
Source: http://www.ecorablog.com/the_compliance_and_securi/pci_compliance/index.html

Non-compliance is a Problem
Penalties are severe: companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

Non-compliance is a Problem
Member fines and penalties: in case of a compromise, Members proven to be non-compliant, or whose merchants or agents are non-compliant, may be assessed:
- Non-compliance fine (up to $500k for egregious violations)
- Forensic investigation costs
- Issuer/Acquirer losses
- Unlimited liability for fraudulent transactions
- Potential additional Issuer compensation (e.g., card replacement)
- Dispute resolution costs
- Disclosure costs

Complementary Regulatory Compliance Efforts
Sarbanes-Oxley Act
- Requires that public companies have effective internal controls over financial reporting information, with independent auditor attestation
- Prudent private companies comply as well
- It comes down to this:
  Access control: who has access to what information?
  Auditability: can you monitor and track access to information?

Complementary Regulatory Compliance Efforts
Gramm-Leach-Bliley Act (GLBA)
- Requires that financial institutions safeguard "Personally Identifiable Information" (PII)
- Prudent retailers consider GLBA compliance a "best practice"
- Personal service depends on secure access to PII
- Data privacy: do your best customers trust you?
State Breach Notification Laws (e.g., California SB1386)
- Require notification of customers if customer data is compromised

PCI Component Overview
The participants and their relationships:
- Issuer: issues cards to the Cardholder; is a member of the card brand
- Cardholder: uses the card to buy from the Merchant
- Acquirer: provides processing services to the Merchant; is a member of the card brand
- The Issuer and the Acquirer may or may not be the same institution

Member Compliance Requirements
- All Members must comply with the PCI Data Security Standard
- Issuing and Acquiring Members are not YET required to validate compliance unless they are a VisaNet Processor
- Members are responsible for ensuring the compliance of their merchants and service providers who store, process, or transmit cardholder data
- Compliance dates have come and gone; banks established new reporting dates (e.g., 6/30/07 and 9/30/07 were common dates)

Merchant Levels and Required Validation

Self-Assessment vs. Audit Requirements
- All merchants are responsible for complying with the PCI standard
- Validation varies based on merchant level
- Level 1 requires an onsite audit using the PCI DSS Security Audit Procedures document
- Level 2 and below require the Self-Assessment Questionnaire
- The Questionnaire is extremely high level, which could result in a merchant thinking they are fully compliant with the standard when they are missing key controls
- Merchants should read the PCI standard document and refer to the audit procedures for additional information and clarification regarding the controls, and then fill out the Questionnaire with this information in mind

New Requirements for Level 2 & 3 Merchants

Credit Card Processing Prerequisites
- Merchant processing agreements for card processing, including multiple Merchant IDs for each business unit and currency
- Merchant bank account for settlement deposits
- Communication method for routing transaction data between SAP and each processor used (US, Europe, American Express, etc.)

Visa Safe Harbor
Safe harbor provides Members protection from Visa fines and compliance exposure in the event a merchant or service provider experiences a data compromise. To attain safe harbor:
- The entity must be in full compliance with the PCI Data Security Standard at the time of the breach, as demonstrated during a forensic investigation
- The entity must have validated full compliance prior to the compromise
- Submission of a Report on Compliance (ROC), in and of itself, does not provide a Member safe harbor status
- The compromised entity must have adhered to all the requirements at the time of the breach

Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data
What information is at risk? Account and transaction information includes:
- Track data
- CVV2/CVC2
- PIN block
- Primary Account Number (PAN)
- Expiration date
- Password, name, e-mail, address and other personal data (when stored with the PAN)
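Finding cardholder data in practice means finding PANs in places they should not be: application logs, database exports, support tickets, old backups. The following Python scanner is an added example and is not code from the original presentation or from Protiviti. It scans constructed sample log lines for 13-to-19-digit runs, optionally separated by single spaces or dashes, keeps only candidates that pass the Luhn check, and reports each hit by its last four digits so the scan output does not itself become a PAN store. The log lines and the card numbers in them are constructed (the PANs are the public card-brand test numbers); the Luhn check is only a checksum, so a real scan also matches issuer prefixes and confirms hits by hand.

```python
import re

# Constructed sample log lines (not real cardholder data). The PANs are the
# well-known card-brand test numbers; the other long digit runs are noise
# that a naive regex would flag but the Luhn check rejects.
SAMPLE_LINES = [
    "2008-07-24 10:01:12 POS01 auth ok pan=4111111111111111 amt=42.17",
    "2008-07-24 10:02:05 POS01 auth ok card 5500-0000-0000-0004 amt=9.99",
    "2008-07-24 10:03:44 WEB   order id=4111111111111112 total=12.00",
    "2008-07-24 10:04:10 WEB   session=1216893600123456 ip=10.0.0.5",
    "2008-07-24 10:05:30 POS02 auth ok pan=3782 822463 10005 amt=120.00",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_last4(pan: str) -> str:
    """Report a PAN by its last four digits only, so scan results are not a PAN store."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(lines):
    """Scan text lines for likely PANs.

    Returns a list of (line_number, masked_pan, pan_length) tuples for every
    candidate with a plausible length that passes Luhn. Separators are
    stripped before the check so "5500-0000-0000-0004" is found as well as
    "5500000000000004".
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((lineno, mask_last4(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked, length in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: possible {length}-digit PAN {masked}")
```

Run against the constructed lines, the scanner reports lines 1, 2 and 5 and ignores the Luhn-invalid order id on line 3 and the session identifier on line 4. Pointing it at real log directories or database dumps is how a merchant discovers the repositories that pull systems into PCI scope.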

Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data

Storing Cardholder Data
- What is allowed to be stored, transmitted, or processed? Encrypted PAN, expiration date, and name
- How should the PAN be protected when stored? Encrypted, hashed, or truncated
- What must not be stored post-authorization? Full track data (Track 1, Track 2), CVV2/CVC2, PIN block

When is Track Data Allowed/Disallowed?
- Cannot be stored past initial authorization
- Elements that are allowed to be stored (name, account number, and expiration date) should be parsed out and stored appropriately
- May (and must) travel over the network: should be encrypted on the internal network; must be encrypted outside the internal network
- One exception: Issuers may store track data where necessary for issuing business needs
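The parse-and-store rule from the two slides above, as an added Python example (not code from the original presentation or from Protiviti): given a Track 1 or Track 2 string, keep only the PAN, cardholder name and expiry, discard the service code and discretionary data (where CVV/PVV values live), and then store the PAN truncated to first six/last four together with a keyed one-way hash (HMAC-SHA256) for lookups. The track strings use the public Visa test PAN and are constructed; HASH_KEY is a placeholder for a key served by a key manager. Encrypting the PAN for cases where the full number must be retrievable is not shown, since it needs managed keys and a library outside the standard library. A keyed hash rather than a bare SHA-256 is used because a plain hash stored next to the truncated PAN can be brute-forced from the few remaining unknown digits.

```python
import hashlib
import hmac
import re

# Constructed magnetic-stripe track data using the Visa test PAN; not real
# cardholder data.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011000000123456789?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<rest>.*?)\?$"
)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>.*?)\?$")

# Hypothetical key for the keyed hash. In production it comes from a key
# manager, never from source code.
HASH_KEY = b"example-hmac-key-from-key-manager"


def parse_track(track: str) -> dict:
    """Keep only PAN, cardholder name and expiry from a track string.

    The service code and discretionary data (the "rest" group, which carries
    CVV/PVV values) are matched so the format is validated but never returned.
    """
    m = TRACK1_RE.match(track)
    if m:
        return {"pan": m["pan"], "name": m["name"], "exp": m["exp"]}
    m = TRACK2_RE.match(track)
    if m:
        return {"pan": m["pan"], "name": None, "exp": m["exp"]}
    raise ValueError("not a Track 1 or Track 2 string")


def truncate_pan(pan: str) -> str:
    """PCI truncation: at most the first six and last four digits stay in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash of the PAN, usable as a lookup index without storing the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(track: str) -> dict:
    """Build the record that may be kept post-authorization."""
    fields = parse_track(track)
    return {
        "pan_truncated": truncate_pan(fields["pan"]),
        "pan_hash": hash_pan(fields["pan"]),
        "name": fields["name"],
        "exp": fields["exp"],
    }


def contains_prohibited_data(record: dict, track: str) -> bool:
    """True if the raw PAN or the raw track string leaked into the stored record."""
    pan = parse_track(track)["pan"]
    serialized = repr(record)
    return pan in serialized or track in serialized


if __name__ == "__main__":
    for t in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        rec = storable_record(t)
        print(rec, "leak:", contains_prohibited_data(rec, t))
```

The check at the end is the kind of assertion worth putting in the code path that writes settlement or reporting tables: it fails the write if a full PAN or a track string is about to land on disk, which is the situation the "must not be stored post-authorization" rule exists to prevent.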

PCI DSS Scoping
- PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and to all connected systems
- Includes networking equipment that transmits cardholder data (e.g., routers, switches, firewalls, web servers)
- Encrypted cardholder data is still within scope
- Includes all account numbers

Merchant and Service Provider Scoping
- The PCI compliance review includes networks connected to those that have cardholder data, unless internal firewalls are implemented and validated
- The review includes wireless access, even for non-cardholder data functions, unless there is a firewall between the wireless and production networks
- Good network segmentation can reduce the scope
- Service provider scope for validation is the same as the scope for compliance (merchants differ slightly...)

Merchant Validation Scope
The merchant is responsible for compliance of all systems, but validation scope is focused on systems related to authorization and settlement where cardholder data is processed, stored, or transmitted:
- All external connections into the merchant network
- All connections to and from the authorization and settlement environment
- Any data repository outside of the authorization and settlement environment where more than 500 thousand account numbers are stored

Scoping PCI
Ways to limit the scope of PCI:
- Network segmentation
- Limiting storage of credit card data
- Processing and reporting as separate DBAs
- PAN truncation
- PAN hashing
- Process/procedure changes

Compensating Controls
- Assessors can always consider compensating controls (except for track data storage)
- Compensating controls are "above and beyond" other PCI DSS requirements
- Compensating controls are applicable to most PCI DSS requirements
- Bottom line: a compensating control must meet the intent and rigor of the original PCI requirement and would withstand a compromise attempt with the same preventive force as the original requirement

Technical Session - PCI Data Security Standard
DSS: 12 overall requirements (the "Digital Dozen") categorized in 6 logical groupings

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Thank You for Listening
Questions? Do you have any questions that we have not addressed during the presentation?

Contact
Rose Andert, Associate Director, Protiviti
rose.andert@protiviti.com
602.273.8045
Lance Wright, Senior Consultant, Protiviti
lance.wright@protiviti.com
602.683.4117
www.protiviti.com