Published by Stanley Nichols. Modified over 9 years ago.
Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals
Presented by: Rose Andert and Lance Wright, July 24, 2008
Learning Points
- What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
- Recent Data Breaches and Cost
- Card Brand Programs History and Non-compliance Problems
- Complementary Regulatory Compliance Efforts
- PCI Component Overview
- Member Requirements and Merchant Levels
- Identifying, Finding, Storing & Eliminating Sensitive Cardholder Info
- Scope of PCI
- PCI DSS (Digital 12)
- Self-Assessment versus Audit Requirements
What is the PCI DSS? Definition:
The Payment Card Industry (PCI) Data Security Standard (DSS) is a rigorous set of requirements designed to help retailers protect their customers' identities by securing their payment account transactions (credit card/debit card) and stored card information.
- Not a federal law nor a certification process
- It is a set of requirements standardized by the PCI Council
What is the PCI DSS? Main Objective:
Consistency in "due care" through mandated requirements for protecting customers' payment account, transaction and authentication data
The PCI DSS includes requirements for:
- Security Management
- Policies and Procedures
- Network Architecture
- Software Design
- Other standards mandated around processing, storage and transmission of cardholder data
Breaches
The TJX Companies, Inc. Data Breach
- From July 2005 to January 2007, TJX suffered the largest computer data breach in corporate history, affecting over 45 million credit and debit cards
- 451,000 customers were exposed to identity theft, including Social Security numbers and driver's license numbers
Source:
- In August 2007, TJX disclosed that the costs of the data breach, including lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims, had soared to $256 million, up from the initial estimate of $25 million
Source: _at_tjx_soars_to_256m/
- Experts estimate that breach-related costs could potentially reach $1 billion
- In December 2007, TJX agreed to fund up to $40.9 million pre-tax for recovery payments to financial institutions as part of a settlement agreement
Source:
Hannaford Bros. Data Breach
- In March 2008, the Massachusetts Bankers Association (MBA) notified 60 to 70 of its 200 member banks of a large data breach originating from a "major retailer" between December 2007 and March 2008
- It has been reported that the data breach occurred within Hannaford Bros., a Maine-based supermarket chain, exposing as many as 4.2 million credit and debit cards to fraud in Massachusetts and the northern New England states
- Hannaford has already reported at least 1,800 cases in which cards were used fraudulently
Source: state_warns_hannaford_about_laws_on_data_leaks/
- The total cost of these breaches is high. As SearchSecurity.com notes: "In a study released in October 2006, the Ponemon Institute found that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. Ponemon studied 31 companies that experienced a data breach. The total costs for each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings."
Cost of Security Breaches Continues to Increase
- Breaches cost companies an average of $182 per compromised record*
- This was a 31% increase over 2005*
- Gartner analysts estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009**
*Ponemon Institute
**
Card Brand Programs - History
- In June 2001, Visa developed a robust security audit program (CISP)
- In December 2004, the expanded Payment Card Industry (PCI) Data Security Standard (DSS) was adopted by American Express, Discover Financial Services, JCB International, MasterCard Worldwide (including Diners Club) and Visa International
- In September 2006, the PCI Security Standards Council was formed
Non-compliance is a Problem
Retailers Failing to Comply with Credit Card Security Standards
Despite five years and two deadlines, just 65 percent of Level 1 merchants (6 million+ annual transactions) and an estimated 43 percent of lower-volume merchants had fully validated compliance with the cardholder data security standard (as of September 30, 2007)
Source: pci_compliance/index.html
Non-compliance is a Problem
Penalties are Severe
Companies can be barred from processing credit card transactions and higher processing fees can be applied; in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance
Source
Non-compliance is a Problem
Member Fines and Penalties
In case of a compromise, Members proven to be non-compliant, or whose merchants or agents are non-compliant, may be assessed:
- Non-compliance fine (up to $500K for egregious violations)
- Forensic investigation costs
- Issuer/Acquirer losses
- Unlimited liability for fraudulent transactions
- Potential additional Issuer compensation (e.g., card replacement)
- Dispute resolution costs
- Disclosure costs
Complementary Regulatory Compliance Efforts
Sarbanes-Oxley Act
- Requires that public companies have effective internal controls over financial reporting information, with independent auditor attestation
- Prudent private companies comply as well
- It comes down to this:
  Access control: Who has access to what information?
  Auditability: Can you monitor and track access to information?
Complementary Regulatory Compliance Efforts
Gramm-Leach-Bliley Act (GLBA)
- Requires that financial institutions safeguard "Personally Identifiable Information" (PII)
- Prudent retailers consider GLBA compliance a "best practice"
- Personal service depends on secure access to PII
- Data Privacy: Do your best customers trust you?
State Breach Notification Laws (SB1386)
- Require notification of customers if customer data is compromised
PCI Component Overview
[Diagram of the PCI participants: Issuer, Acquirer, Merchant and Cardholder. The Issuer issues cards to the Cardholder; the Cardholder uses the card to buy from the Merchant; the Acquirer provides processing services to the Merchant; the Issuer and Acquirer may or may not be the same institution. Remaining edge labels from the diagram: "is a member of", "and/or".]
Member Compliance Requirements
- All Members must comply with the PCI Data Security Standard
- Issuing and Acquiring Members are not YET required to validate compliance unless they are a VisaNet Processor
- Members are responsible for ensuring the compliance of their merchants and service providers who store, process, or transmit cardholder data
- Compliance dates have come and gone; banks established new reporting dates (e.g., 6/30/07 and 9/30/07 were common dates)
Merchant Levels and Required Validation
Self Assessment vs. Audit Requirements
- All Merchants are responsible for complying with the PCI Standard
- Validation varies based on merchant level:
  Level 1 requires an onsite audit using the audit procedures document
  Level 2 and below require the Self-Assessment Questionnaire
- The Questionnaire is extremely high level; it could result in a merchant thinking they are fully compliant with the standard when they are missing key controls
- Merchants should read the PCI standard document and refer to the audit procedures for additional information and clarification regarding the controls, and then fill out the Questionnaire with this information in mind
New Requirements for Level 2 & 3 Merchants
Credit Card Processing Prerequisites
- Merchant processing agreements for card processing, including multiple Merchant IDs for each business unit and currency
- Merchant bank account for settlement deposits
- Communication method for routing transaction data between SAP and each processor used (US, Europe, American Express, etc.)
Visa Safe Harbor
Safe harbor provides Members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor:
- The entity must be in full compliance with the PCI Data Security Standard at the time of the breach, as demonstrated during a forensic investigation
- The entity must have validated full compliance prior to the compromise
- Submission of a Report on Compliance (ROC), in and of itself, does not provide a Member safe harbor status
- The compromised entity must have adhered to all the requirements at the time of the breach
Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data
What information is at risk? Account and transaction information includes:
- Track Data
- CVV2/CVC2
- PIN block
- Primary Account Number (PAN)
- Expiration Date
- Password, name, address, other personal data (when stored with the PAN)
Storing Cardholder Data
What is allowed to be stored, transmitted, or processed?
- Encrypted PAN, expiration date, and name
How should the PAN be protected when stored?
- Encrypted, hashed, or truncated
What must not be stored post-authorization?
- Full track data (Track 1, Track 2)
- CVV2/CVC2
- PIN block
When is Track Data Allowed/Disallowed?
- Cannot be stored past initial authorization
- Elements that are allowed to be stored (name, account number, and expiration date) should be parsed out and stored appropriately
- May (and must) travel over the network:
  Should be encrypted on the internal network
  Must be encrypted outside the internal network
- One exception: Issuers may store track data where necessary for issuing business needs
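As an added example (not from the slides), the Python below ties the three preceding slides together: it finds PANs in free text the way a cardholder-data discovery scan does (a digit pattern plus the Luhn check to discard look-alike numbers such as order IDs), parses a Track 2 record into its fields, and keeps only what may survive authorization: the PAN truncated to first six/last four, a keyed hash of the PAN, and the expiry, with service code and discretionary data dropped. The log line, Track 2 record and HMAC key are constructed, and HMAC-SHA-256 is my choice for "hashed"; the slides name no algorithm.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test; weeds out numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text (logs, dumps, exports)."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def parse_track2(track: str) -> dict:
    """Split a Track 2 record (;PAN=YYMM<service code><discretionary>?) into fields."""
    m = re.fullmatch(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?", track)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, service, discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service,
            "discretionary": discretionary}

def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256); an unkeyed hash of a 16-digit PAN is brute-forceable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def store_after_auth(track: str, key: bytes) -> dict:
    """Keep only what may survive authorization: truncated PAN, keyed hash, expiry."""
    f = parse_track2(track)
    if not luhn_ok(f["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {"pan_truncated": truncate_pan(f["pan"]),
            "pan_hash": hash_pan(f["pan"], key), "expiry": f["expiry"]}

# Constructed sample data (4111... is a well-known test PAN, not a real card).
SAMPLE_LOG = "2008-07-24 10:15:03 auth card=4111 1111 1111 1111 exp=2512 order=1234567890123456"
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
```

Running find_pans(SAMPLE_LOG) reports only the test PAN, because the 16-digit order number fails Luhn; store_after_auth(SAMPLE_TRACK2, key) returns a record with no service code or discretionary data.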
PCI DSS Scoping
- PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and to all connected systems
- Includes networking equipment that transmits cardholder data (e.g., routers, switches, firewalls, web servers)
- Encrypted cardholder data is still within scope
- Does include all account numbers
Merchants and Service Provider Scoping
- The PCI Compliance Review includes networks connected to those that hold cardholder data, unless internal firewalls are implemented and validated
- The review includes wireless access, even for non-cardholder data functions, unless there is a firewall between the wireless and production networks
- Good network segmentation can reduce the scope
- Service Provider scope for validation is the same as the scope for compliance (Merchants differ slightly…)
Merchant Validation Scope
The Merchant is responsible for compliance of all systems, but validation scope is focused on systems related to authorization and settlement where cardholder data is processed, stored, or transmitted:
- All external connections into the merchant network
- All connections to and from the authorization and settlement environment
- Any data repository outside of the authorization and settlement environment where more than 500 thousand account numbers are stored
Scoping PCI
Ways to limit the scope of PCI:
- Network Segmentation
- Limiting Storage of Credit Card data
- Processing and Reporting as Separate DBAs
- PAN Truncation
- PAN Hashing
- Process/Procedure Changes
Compensating Controls
- Assessors can always consider compensating controls (except for track data storage)
- Compensating controls are "above and beyond" other PCI DSS requirements
- Compensating controls are applicable to most PCI DSS requirements
- Bottom line: a compensating control must meet the intent and rigor of the original PCI requirement and withstand a compromise attempt with the same preventive force as the original requirement
Technical Session - PCI Data Security Standard
DSS - 12 overall requirements (Digital Dozen) categorized in 6 logical groupings
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure applications
Technical Session - PCI Data Security Standard
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Thank You for Listening
Questions? Thanks for listening. Do you have any questions that we have not addressed during the presentation?
Contact (Protiviti)
Rose Andert, Associate Director
Lance Wright, Senior Consultant