PCI Compliance


Published on

Published in: Economy & Finance, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

PCI Compliance

  1. 1. Evolving Defenses on the PCI Front Evolving Defenses On the PCI Front Jack Waller CTO Transaction Resources, Inc. (TRI)1
  2. 2. Transaction Resources, Inc. Transaction Resources, Inc., or TRI, is an electronic payment solution provider and a registered ISO/MSP of Wells Fargo Bank, N. A., Walnut Creek, CA. TRI offers innovative payment processing solutions to merchants by combining the latest technologies with a passion for customer service and competitive rates.2
  3. 3. Overview Ski Areas have felt the pain associated with a network penetration and data breach. It can happen to you! Our primary objectives: • Review current trends in payment card data breaches. • Expose PCI related challenges. • Illuminate current and emerging solutions that can better protect you and your guests.3
  4. 4. Overview Agenda • Quick Review of PCI DSS • Benefits of PCI Compliance • The Ever Evolving Approaches to Data Theft • PCI Deficiencies • The Means to Mitigate Vulnerabilities4
  5. 5. What is PCI DSS? Payment Card Industry Data Security Standard  A collection of practices that safeguard payment card data formalized by a collaboration Visa, MasterCard, JCB, Discover & Diners.  PCI DSS applies to IT systems and applications.  PCI DSS applies to any procedure that involves bankcard account data.  Common Sense Policies5
  6. 6. To Whom Does PCI DSS Apply? All Merchants “PCI DSS compliance is required of all merchants and service providers that store, process, or transmit bankcard data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce” no matter the size of the business6
  7. 7. How is Compliance Achieved? • Adherence to the requirements laid out under PCI DSS. • Identification and remediation of vulnerabilities through the compliance validation process7
  8. 8. Benefits of PCI Compliance • Locked down public-side access to your network • Locked down private-side access to your network • Antivirus protected Systems • Cardholder data protection • Restricted and audited access to Cardholder data • Diminished chance of being affected by known threats • PA-DSS Compliant Apps • Peace of mind for the IT Manager Right!8
  9. 9. Benefits of PCI Compliance With all the benefits that come with being PCI Compliant, can we choose to focus instead on the issues of the day? NO!!9
  10. 10. The Evolving Threat Recent Ski Industry and Payment Service Provider Breaches • 2008 Okemo Mountain Resort: Intruder • 2009 Heartland (acquirer): Malicious Software • 2011 Snow Creek: Malicious Software • 2012 Solitude: Malicious Software • 2012 Global Payments (acquirer): Malicious Software • 2012 and beyond: Stuxnet model (among others)10
  11. 11. PCI Deficiencies Compliance cannot protect your from: • A careless Vendor • New viruses • An employee intent on abuse (e.g., skimming). Additional Challenge: • Your network perimeter is changing.11
  12. 12. Mitigating Weaknesses Options to look at: • Beyond Antivirus: Controlling Applications • Eliminating the Reward: PTPE/Tokenization • Hosted Payment Solutions • Cloud-based Solutions • Card Association Answer: EMV12
  13. 13. Beyond Antivirus • Antivirus only safeguards against known malware • Users and applications run with too high of privilege • Windows UAC is disabled • Solutions: – Whitelist Application Managers: • CoreTrace • Faronics – Application Permission Managers • PowerBroker13
  14. 14. Reward Elimination: P2PE / Tokenization • Point-to-Point Encryption (P2PE) and Tokens work together. • P2PE and Tokenization cost more14
  15. 15. Reward Elimination: P2PE / Tokenization How P2PE Encryption works • Required: a magnetic stripe reader that supports P2PE. • Required: Minor code revisions • Upon card swipe, the reader: – Encrypts the Account Number in tracks 1 & 2. – Encrypts discretionary data in both tracks 1 & 2 • Track data is delivered to POS System. • POS treats the data like a clear text read • Middleware applications require NO modification. • Gateway or Acquirer decrypt tracks data. • Transaction with decrypted data submitted to issuer.15
  16. 16. Reward Elimination: P2PE / Tokenization What about manually keyed transactions? • Capturing encrypted manually-keyed account numbers trickier • Requires integration of one of the following: – A P2PE enabled PIN Entry Device (PED). – A Secure Payment module in the POS. • PED Integration required hardware purchase. • PED Integration requires some application adaptation. • Secure Payment module is a more aggressive POS revision.16
  17. 17. Reward Elimination: P2PE / Tokenization • Example of a P2PE Enabled PED: – IPAD from MagTek. – SecurePIN from IDTech. • Example of Secure Payment module: – VeriFone SIM.17
  18. 18. Reward Elimination: P2PE / Tokenization P2PE Options • MagneSafe (MagTek) – Open Standard - Encryption by 3DES and DUKPT key management – Supported by Merchant Link, ePN, NMI, Elavon – Magensa decryption service for do-it-yourselfers • VeriShield (VeriFone) – Proprietary Standard. – Expensive to License – Supported by VeriFone’s Payware Connect gateway and First Data (TransArmour)18
  19. 19. Reward Elimination: P2PE / Tokenization P2PE Options (continued) • Voltage Security Secure Data/SecureMag – Hardware support: ID Tech, – Open Standard – Encryption by 3DES and AES using DUKPT key management. – Supported by: Global Payments, NPC, T-Gate, ePN, Merchant Link (coming)19
  20. 20. Reward Elimination: P2PE / Tokenization A look at Credit Card Tokens: • Credit Card Tokens protect stored account numbers. • Tokens returned in authorization response. • Tokens can also be retrieved using an administrative transaction. • Tokens can be exchanged for an account number. • Tokens can be stored indefinitely, they never expire. • Tokens are only good for the entity to whom they are issued. • Tokens can be used in lieu of an account number. • They are worthless if stolen. • Tokens generally provide a clue to the tokenized account number: – A digit indicates the card brand. – Last four digits match the last four of the tokenized account number.20
  21. 21. Reward Elimination: P2PE / Tokenization Current Token Providers: • Merchant Link: Transaction Vault. • Shift4: 4Go SafeSwipe. • EPX: BuyerWall.21
  22. 22. Reward Elimination: P2PE / Tokenization Conclusion Fully implementing P2PE and Tokenization across your payment systems removes sensitive cardholder account data from your systems. Therefore, even if you do get breached, there is nothing for the would be thieves to capture. The Challenge Getting all your POS Venders to play in the same sandbox or in some cases to play at all22
  23. 23. Web Commerce • P2PE and Tokenization take your POS systems out of PCI scope, but what about you web store? • To get web-based transactions out-of-scope for PCI, a different solution is required: a hosted payment system. Think PayPal. • Some Hosted Payment Providers exist: PayPal, FuseBox, HostedCheckOut. • Ideal solution works seamlessly with your web store. • HTNG developing open standards for this service.23
  24. 24. Cloud Based Solutions • Current software trend is to move to the SaaS model. • Easier update cycle for software providers and consumers. • Should take adopters out of PCI scope. • Various Pros and Cons – Imposes subscription fee model. – Updates come whether you like them or not. – Service dependent upon Internet access; both bandwidth and reliability. • Vendors moving this way include: – Microsoft – RTP – PAR Springer Miller24
  25. 25. EMV • EMV stands for EuroPay, MasterCard & Visa. • Also known as Chip and PIN. • These banks united in the 1990’s to develop the standard. • Implemented in nearly every country but the United States. • The Card Associations Visa and MasterCard now pushing for adoption in the States. • Visa to start offering interchange incentives to EMV enabled merchants in April of 2013.25
  26. 26. EMV Why now? • Improved the security of the U.S. payment infrastructure. • Improved international customer experience. • Maintain interoperability with the rest of the world as it migrates to EMV. • Positions the industry for other forms of payment, notably NFC mobile contactless payments.26
  27. 27. EMV EMV/SmartCards facts of Interest: • EMV Transactions require new hardware. • The EMV Standard supports both contact and two contactless interfaces: MSD & EMV. • The EMV process incorporates offline and online steps for: – Card Authentication – Transaction Authorization – Cardholder Verification via PIN or Signature • With Offline PINs, the card stores the PIN and validates PIN entry. • Offline PINs can be transmitted either in the clear or encrypted. • Online PINs require a round-trip to the issuer for validation.27
  28. 28. EMV EMV/SmartCards Interesting facts (continued) • With regard to offline transactions: – The number of consecutive offline transactions is dynamic – The floor limit for offline transactions is dynamic – The card will auth at random in string of consecutive offline transactions. • EMV Transactions are more complex. • EMV Transactions may take longer to complete. • Several card-based applications exist. • Each card can contain one or more applications. • The cardholder selects the application to use if needed.28
  29. 29. Observations Regarding EMV • EMV adoption will occur over many years if at all. • EMV Capable Cards will continue to include a magnetic stripe. • EMV capable cards will continue to include a printed or embossed account number. • The magnetic stripe keeps EMV cards vulnerable to skimming. • EMV does not solve authentication issues in the card-not-present transaction. • NO meaningful PCI DSS advantages over P2PE. • Tokenization still required for regular billing to keep out of PCI scope. • Expense of conversion exceeds the cost of credit card fraud.29
  30. 30. Conclusion • No compelling reason for EMV other than secure contactless mobile transactions, even that is sketchy. • P2PE and Tokenization are compelling technologies. • Changes are coming. • Be informed. • Best solution will likely be a hybrid of technologies discussed today. • No need to race to EMV adoption. • Choose a worthy electronic payment technology partner.30
  31. 31. Anatomy of Today’s Credit Card Transactions Steps in a Credit Card Transaction Today Terminal Issuer MSR31
  32. 32. Anatomy of a Contact EMV Transaction Terminal Issuer User Card POS32
  33. 33. Transaction Resources, Inc. Transaction Resources , Inc. www.transactionresources.com 888-494-998833