Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals Presented by: Rose Andert and Lance Wright July 24, 2008

Learning Points What is the Payment Card Industry (PCI) Data Security Standard (DSS)? Recent Data Breaches and Cost Card Brand Programs History and Non-compliance Problems Complimentary Regulatory Compliance Efforts PCI Component Overview Member Requirements and Merchant Levels Identifying, Finding, Storing & Eliminating Sensitive Cardholder Info Scope of PCI PCI DSS (Digital 12) Self-Assessment versus Audit Requirements

What is the PCI DSS? Definition: The Payment Card Industry (PCI) Data Security Standard (DSS) is a rigorous set of requirements designed to assist retailers protect their customers’ identity by securing their payment account transactions (credit card/debit card) and stored card information. Not a federal law nor a certification process It is a set of requirements standardized by the PCI council

What is the PCI DSS? Main Objective: Consistency in “due care” through mandated requirements surrounding protection of payment account, transaction and authentication of data of customers The PCI DSS includes requirements for: Security Management Policies and Procedures Network Architecture Software Design Other standards mandated around processing, storage and transmission of cardholder data

Breaches

The TJX Companies, Inc. Data Breach July 2005 to January 2007, TJX suffered the largest computer data breach in corporate history, affecting over 45 million credit and debit cards 451,000 customers exposed to identity theft, including Social Security numbers and driver’s license numbers Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html August 2007, TJX disclosed that the costs of the data breach – including lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims – have soared to $256 million, up from the initial estimate of $25 million Source: http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach _at_tjx_soars_to_256m/ Experts estimate that breach-related costs could potentially reach $1 billion dollars December 2007, TJX agreed to fund up to $40.9 million pre-tax for recovery payments to financial institutions as part of a settlement agreement Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/

Hannaford Bros. Data Breach In March 2008, the Massachusetts Bankers Association (MBA) notified 60 to 70 of its 200 member banks of a large data breach originating from a “major retailer” between December 2007 to March 2008 It has been reported that the data breach occurred within Hannaford Bros., a Maine-based supermarket chain, exposing as many as 4.2 million credit and debit cards to fraud in Massachusetts and the northern New England states Hannaford has already reported that at least 1,800 cases have occurred where cards were used fraudulently Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/ state_warns_hannaford_about_laws_on_data_leaks/ The total costs of these breaches is high according to SearchSecurity.com, which notes: In a study released in October 2006, the Ponemon Institute found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. Ponemon studied 31 companies that experienced a data breach. The total costs for each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings.

Cost of Security Breaches Continue to Increase Breaches cost companies an average of $182 per compromised record* This was a 31% increase over 2005* Gartner analysts estimate that the cost of sensitive data break will increase 20 percent per year through 2009 ** *Ponemon Institute **http://security.tekrati.com/research/9457/

Card Brand Programs - History In June 2001, Visa developed a robust security audit program (CISP) In December 2004 the expanded Payment Card Industry (PCI) Data Security Standard (DSS) was adopted by American Express, Discover Financial Services, JCB International, MasterCard Worldwide (includes Diners Club) and Visa International September 2006 PCI Security Standards Council Formed

Non-compliance is a Problem Retailers Failing to Comply with Credit Card Security Standards Despite five years and two deadlines, just 65 percent of level one merchants (6 million+ annual transactions) and an estimated 43 percent of lower-volume merchants have fully validated with cardholder data security standards (as of Sept 30, 2007) Source: http://www.ecorablog.com/the_compliance_and_securi/ pci_compliance/index.html

Non-compliance is a Problem Penalties are Severe Companies can be barred from processing credit card transactions, higher processing fees can be applied; and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance Source http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

Non-compliance is a Problem Member Fines and Penalties In case of a compromise, Members proven to be non-compliant or whose merchants or agents are non-compliant may be assessed: Non-compliance fine (egregious violations up to $500k) Forensic investigation costs Issuer/Acquirer losses Unlimited liability for fraudulent transactions Potential additional Issuer compensation (e.g., card replacement) Dispute resolution costs Disclosure costs

Complementary Regulatory Compliance Efforts Sarbanes-Oxley Act Requires that public companies have effective internal controls on financial reporting information with independent auditor attestation Prudent private companies comply as well It comes down to this: Access control: Who has access to what information? Auditability: Can you monitor and track access to information?

Complementary Regulatory Compliance Efforts Gramm-Leach-Bliley Act (GLBA) Requires that financial institutions safeguard “Personally Identifiable information” (PII) Prudent retailers consider GLBA compliance a “best practice” Personal service depends on secure access to PII Data Privacy: Do your best customers trust you? State Breach Notification Laws (SB1386) Require notification of customers if customer data is compromised

PCI Component Overview and/or Issuer Acquirer Merchant Cardholder uses card to buy from is a member of provides processing services to issues cards to may or may not be the same as

Member Compliance Requirements All Members must comply with the PCI Data Security Standard Issuing and Acquiring Members are not YET required to validate compliance unless they are a VisaNet Processor Members are responsible for ensuring the compliance of their merchants and service providers who store, process, or transmit cardholder data Compliance dates have come and gone. Banks established new reporting dates (e.g., 6/30/07 and 9/30/07 were common dates)

Merchant Levels and Required Validation

Self Assessment vs. Audit Requirements All Merchants are responsible to comply with the PCI Standard Validation varies based on merchant level Level 1 requires onsite audit using audit procedures document Level 2 and below require Self-assessment Questionnaire Questionnaire is extremely high level… could result in a merchant thinking they are fully compliant with the standard when they are missing key controls Merchants should read the PCI standard document and refer to the audit procedures for additional information and clarification regarding the controls and then fill out the Questionnaire with this information in mind

New Requirements for Level 2 & 3 Merchants

Credit Card Processing Prerequisites Merchant processing agreements for card processing, including multiple Merchant IDs for each business unit and currencies Merchant bank account for settlement deposits Communication method for routing transaction data between SAP and each processor used (US, Europe, American Express, etc.)

Visa Safe Harbor Safe harbor provides Members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor: The entity must be in full compliance with the PCI Data Security Standards at the time of the breach, as demonstrated during a forensic investigation The entity must have validated full compliance prior to the compromise Submission of a Report on Compliance (ROC), in and of itself, does not provide a Member safe harbor status Compromised entity must have adhered to all the requirements at the time of the breach

Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data What information is at risk? Account and transaction information includes: Track Data CVV2/CVC2 PIN block Primary Account Number (PAN) Expiration Date Password, name, e-mail, address, other personal data (when with PAN)

Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data

Storing Cardholder Data What is allowed to be stored, transmitted, or processed? Encrypted PAN, expiration date, and name How should the PAN be protected when stored? Encrypted, hashed, or truncated What must not be stored post-authorization? Full track data Track 1 Track 2 CVV2/CVC2 PIN block

When is Track Data Allowed/Disallowed? Cannot be stored past initial authorization Elements that are allowed to be stored (name, account number, and expiration date) should be parsed out and stored appropriately May (and must) travel over the network: Should be encrypted on the internal network Must be encrypted outside the internal network One exception - Issuers may store track data where necessary for issuing business needs

PCI DSS Scoping Includes networking equipment that transmits cardholder data (i.e. routers, switches, firewalls, web servers) Encrypted cardholder data is still within scope Does include all account numbers

PCI DSS Scoping PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data and all connected systems Includes networking equipment that transmits cardholder data (i.e. routers, switches, firewalls, web servers) Encrypted cardholder data is still within scope Does include all account numbers

Merchants and Service Provider Scoping PCI Compliance Review includes networks connected to those that have cardholder data, unless internal firewalls are implemented and validated Review includes wireless access, even for non-cardholder data functions, unless there is a firewall between the wireless and production networks Good network segmentation can reduce the scope Service Provider scope for validation is same as scope for compliance (Merchants differ slightly…)

Merchant Validation Scope Merchant is responsible for compliance of all systems but validation scope is focused on systems related to authorization and settlement where cardholder data is processed, stored, or transmitted: All external connections into the merchant network All connections to and from the authorization and settlement environment Any data repository outside of the authorization and settlement environment where more than 500 thousand account numbers are stored

Scoping PCI Ways to limit the scope of PCI Network Segmentation Limiting Storage of Credit Card data Processing and Reporting as Separate DBAs PAN Truncation PAN Hashing Process/Procedure Changes

Compensating Controls Assessors can always consider compensating controls (except for track data storage) Compensating controls are “above and beyond” other PCI DSS requirements Compensating controls are applicable to most PCI DSS requirements Bottom line: Must meet the intent and rigor of the original PCI requirement and would withstand a compromise attempt with the same preventive force as the original requirement

Technical Session - PCI Data Security Standard DSS - 12 overall requirements (Digital Dozen) categorized in 6 logical groupings Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Install and maintain a firewall confirmation to protect data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Use and regularly update anti-virus software Develop and maintain secure applications

Technical Session - PCI Data Security Standard Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security

Thank You for Listening Questions? Thanks for listening. Do you have any questions that we have not addressed during the presentation?

Contact Rose Andert Lance Wright Associate Director Protiviti rose.andert@protiviti.com 602.273.8045 www.protiviti.com Lance Wright Senior Consultant lance.wright@protiviti.com 602.683.4117