1. PCI Compliance Overview



High level overview of what PCI Compliance is about, whom and what it affects.


  1. PCI Compliance: why it's important to your business
  2. What is PCI
     - In 2004 the Payment Card Industry Data Security Standard (PCI DSS) was created by the four major credit card brands: Visa, MasterCard, Discover and American Express. In 2006 JCB joined these four to form the PCI Security Standards Council (PCI SSC), which establishes additional security standards and updates the existing ones.
     - Ensure you are compliant so you avoid costly security breaches, whose consequences can include:
       - 100% responsibility for cardholder losses
       - Card brand fines of up to $500,000 per incident
       - Forensic investigation expenses as high as $100,000
     (IT Compliance Consulting)
  3. Terminology: who's who
     - Visa and MasterCard are made up of Member organisations, which can be Acquirers, Issuers or both
     - Acquirers are the Members of the Visa or MasterCard organisations that handle Merchants
     - Issuers are the Members of the Visa or MasterCard organisations that issue the cards to Cardholders
     - Merchants are the entities that "accept" card transactions
     - Cardholders are consumers like you and me
     - Service Providers are the entities that provide any service requiring the processing, storage or transport of card information on behalf of any of the above
  4. Who must comply
     - The Payment Card Industry Data Security Standard (PCI DSS) applies to all members, merchants and service providers that store, process or transmit cardholder data
     - Additionally, these security requirements apply to all system components, which are defined as any network component, server or application included in, or connected to, the cardholder data environment
     - Although compliance is universally required, compliance validation requirements can vary:
       - By classification: Service Providers (entities that process, store or transmit cardholder data on behalf of other entities) have stronger validation requirements than Merchants
       - By size: entities that process larger volumes have stronger validation requirements than those that process smaller volumes
  5. Responsibilities
     - MasterCard is responsible for certifying products and companies capable of fulfilling the scanning requirements; these are referred to as Approved Scanning Vendors (ASVs)
     - Visa is responsible for training and certifying companies and individuals capable of fulfilling the on-site audit requirements; such companies are called Qualified Security Assessors (QSAs)
     - The other PCI organisations are contributors to the standards
     - Note: the split above reflects the brand programs that preceded the Council. Since the PCI SSC was formed in 2006, both the ASV and the QSA programs have been administered by the PCI SSC itself
  6. Data in scope
     - Cardholder Data: PAN (Primary Account Number), Cardholder Name, Expiration Date, Service Code
       - The PAN must be protected wherever it is stored, in any form, electronic or paper; the cardholder name, expiration date and service code must be protected when they are stored together with the PAN (see the storage table on the next slide)
     - Sensitive Authentication Data: three elements
       - Full magnetic stripe data (Track 1 or Track 2)
       - The card verification code: CVV2/CVC2/CID2 (the printed security code) and the CVV/CVC encoded on the stripe
       - PIN / PIN block
       - None of this data may ever be stored after authorization
  7. Cardholder data: storage guidelines

     Category                       Data element              Storage permitted   Protection required
     Cardholder Data                Primary Account Number    Yes                 Yes
                                    Cardholder Name*          Yes                 Yes*
                                    Service Code*             Yes                 Yes*
                                    Expiration Date*          Yes                 Yes*
     Sensitive Authentication Data  Full Magnetic Stripe      No                  N/A
                                    CVV2/CVC2/CID2            No                  N/A
                                    PIN / PIN Block           No                  N/A

     * These data elements must be protected if stored in conjunction with the PAN
  8. Protect your business and your customers
     - With data security compromises on the rise, it is more important than ever to take measures to safeguard your customers and your business
     - Criminals or "hackers" can pose a risk to your business both on-site and remotely, making it necessary to implement procedures to protect your sensitive data, whether it is stored in a filing cabinet or on a computer
     - The largest breach known at the time, 94 million card numbers stolen, was disclosed in 2007 at TJX (TJ Maxx), a large US clothing retailer. They agreed to pay $60 million to card networks to settle complaints
     - 11 TJX hackers were caught, coming from the US, Ukraine, China, Estonia and Belarus
     - 70% of all database breaches are internal
  9. What are the costs of a security breach?
     - The cost associated with a compliance failure or data breach can be very high for any merchant or service provider, especially a small or medium sized business owner. These costs include:
       - Forensic investigation of computer or point-of-sale systems: $10,000 - $20,000
       - Replacement cards for breached accounts: $20-$30 per card
       - Card Association fines for non-compliance with the PCI Standard: up to $500,000
       - Loss of business reputation and customer loyalty, and potentially of credit card acceptance
  10. Common excuses after a security breach
     - I thought my IT Department was taking care of that
     - I thought we had a secure website with a firewall
     - I didn't know my filing cabinets had to be secured
     - I didn't know 70% of all database breaches are internal
     - I thought outsourcing to a vendor relieved me of the responsibility
     - My bank never mentioned anything about PCI to me
     - The merchant agreement with the bank didn't specifically indicate we would be responsible for fines
  11. Compliance, validation, attestation
     - Compliance: adherence to the standard
       - Applies to every merchant/service provider regardless of volume
       - Applies to both technical and business practices
     - Validation: verification that the merchant/service provider is compliant with the standard
       - Depends upon the type of card capture method(s) utilized
       - Two types of validation:
         - Self-Assessment Questionnaire (SAQ), annually; applies to every merchant
         - Vulnerability scanning, quarterly; applies if external-facing IP addresses are involved (web and POS software). Must be performed by an Approved Scanning Vendor (ASV)
     - Attestation: providing proof of validation to the card processor
       - The card processor reports to Visa and MasterCard
       - Attest whenever requested by the card processor
  12. Card capture channels
     - Card Present: the card can be swiped
       - All credit cards
       - PIN-based debit cards with the Visa/MasterCard logo
       - Face-to-face transactions
     - Card Not Present: the card cannot be swiped
       - All credit cards
       - Debit cards with the Visa/MasterCard logo
       - Remote transactions: through the Internet; Mail / Telephone Order (MOTO); Interactive Voice Response (IVR)
     - The requirements to be followed are determined primarily by the card capture method being utilized
  13. Do's to become PCI compliant
     - Build and maintain a secure network
     - Protect cardholder data
     - Segregation of duties by department
     - Maintain a vulnerability management program
     - Implement strong access control measures
     - Regularly monitor and test networks
     - Maintain an information security policy
  14. Don'ts to stay PCI compliant
     - Transmitting credit card numbers unsecured by fax, e-mail, text message or instant messaging
     - Storing audio recordings of CVV, CVC, etc.
     - Storing full magnetic stripe track data (one of the most common violations of PCI DSS)
     - Storing CVV2/CVC2/CID2 at any time after the transaction has been authorized
     - Forgetting about paper copies and the disk drives in multifunctional printers
  15. Easy improvements
     - Store less data
       - Don't store cardholder data unless there is a compelling business reason to do so
       - Determine where credit card data exists in your organization, what it is used for and why it is needed
       - Eliminate "shadow databases" (Excel worksheets, etc.)
       - View online reports, don't download them (downloading = storing)
       - Ensure your systems don't store magnetic stripe data by default
       - Retaining CVV2/CVC2/CID2 data and the PIN subsequent to authorization is never allowed
     - Better access controls
       - Limit cardholder data only to employees with a "need to know"
       - Segment databases and networks, thereby limiting the scope of PCI
       - Implement the requirements specified in the Standard, as identified in the annual Self-Assessment Questionnaire (SAQ)
     - Establish formal written policies and procedures
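Finding where card data actually lives (the "shadow databases", debug dumps and retained security codes the slides above and the storage table on slide 7 warn about) is the first practical step. The scanner below is an added example, not code from the slides or from IT Compliance Consulting. It runs over a handful of constructed sample records (a POS log line, a refunds CSV row, a support ticket, a card-reader debug dump, an order log with a 13-digit reference that is not a card number) and reports stored PANs, full Track 1/Track 2 data and a CVV2 kept after authorization. The PAN lengths, the Luhn check and the Track 1/2 layout follow the ISO/IEC 7812 and 7813 formats; the first-six/last-four mask used in the findings is the maximum PCI DSS Requirement 3.3 allows to be displayed, a detail the slides do not state. The card numbers in the samples are the well-known test PANs.

```python
"""Cardholder-data discovery scanner (added example; sample records are constructed)."""
import re
from dataclasses import dataclass

# A PAN is 13-19 digits; allow spaces or dashes between digit groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=\d{7}[^?]*\?")
# A security code labelled as such; the value itself is never copied into a finding.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid2?|security code)\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four in the clear, the rest masked (PCI DSS 3.3 display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    source: str     # which record the data was found in
    kind: str       # "TRACK1", "TRACK2", "PAN" or "CVV"
    evidence: str   # masked PAN or a placeholder, never the raw value


def scan_record(source: str, text: str) -> list[Finding]:
    """Return findings for one record (a log line, CSV row, ticket body, ...)."""
    findings = []
    covered = []
    # Full track data is the most serious finding: it is enough to clone a card.
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(text):
            findings.append(Finding(source, kind, mask_pan(m.group(1))))
            covered.append((m.start(), m.end()))
    # Blank out the track spans so their PAN is not reported a second time.
    blanked = list(text)
    for start, end in covered:
        blanked[start:end] = " " * (end - start)
    text = "".join(blanked)
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(source, "PAN", mask_pan(digits)))
    if CVV_RE.search(text):
        findings.append(Finding(source, "CVV", "security code stored after authorization"))
    return findings


def scan_records(records: dict[str, str]) -> list[Finding]:
    """Scan every record and return all findings."""
    return [f for src, txt in records.items() for f in scan_record(src, txt)]


# Constructed sample records for the example; the PANs are public test numbers.
SAMPLE_RECORDS = {
    "pos.log": "2011-03-02 14:21:07 AUTH ok pan=4111111111111111 exp=1304 amount=42.00",
    "refunds.csv": "ref-1049,4111 1111 1111 1111,cvv2=123,2011-03-03",
    "ticket-7731.txt": "Customer read card over phone: 5500 0000 0000 0004, expiry 03/13.",
    "swipe-debug.txt": "raw=%B4111111111111111^DOE/JANE^13041011000000000?;4111111111111111=13041011000000000?",
    "orders.log": "order=20110302-1049 total=42.00 ref=1234567890123",
}

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.source}: {f.kind} {f.evidence}")
```

Two design points matter in practice: the Luhn check drops most numeric noise (order references, timestamps) so the report is short enough to act on, and the findings carry only masked PANs, because a discovery report that itself contains full card numbers is one more place cardholder data is stored.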
  16. Compliance levels of merchants

     Level    Criteria                                      Quarterly network vulnerability scan                    Self-Assessment Questionnaire   Security scan (penetration test)*
     Level 1  > 6 million transactions, or previously       Required, in addition to annual on-site certification    Not required                    Required (annually)
              compromised
     Level 2  > 1 million transactions                      Required                                                 Required (annually)             Required (annually)
     Level 3  > 20K e-commerce transactions                 Required                                                 Required (annually)             Required (annually)
     Level 4  < 20K e-commerce transactions and             Required                                                 Recommended (annually)          Recommended (annually)
              < 1 million total transactions

     * External-facing IP addresses only (those that store cardholder data)
  17. Compliance levels of service providers

     Level    Criteria                                      Quarterly network vulnerability scan                          Self-Assessment Questionnaire   Security scan (penetration test)*
     Level 1  All processors and payment gateways           Required, in addition to annual on-site certification          Not required                    Required (annually)
     Level 2  Not level 1, and stores, processes or         Required, in addition to annual on-site certification** ***    Required (annually)             Required (annually)
              transmits more than 1 million transactions
     Level 3  Not level 1, and stores, processes or         Required                                                       Required (annually)             Recommended
              transmits less than 1 million transactions

     * External-facing IP addresses only (those that store cardholder data)
     ** On-site certification required only by MasterCard as of 2011
     *** Required annually only by Visa
  18. Service providers
     - It is the responsibility of the merchant to utilize compliant service providers
       - If the service provider is not compliant, then the merchant is not compliant
       - Any fines for breaches pertain to the merchant, not to the service provider
     - Examples of service providers: gateway and web hosting; backup storage and IT infrastructure
     - PCI Requirement 12.8 applies, requiring the merchant to "manage" the service provider:
       - Maintaining a "written agreement" specifying the service provider's responsibility for compliance
       - Performing due diligence to ensure PCI compliance prior to engagement
       - Monitoring the service provider's compliance status
     - Monitoring the service provider
       - Some vendors are registered as compliant by Visa or MasterCard
       - The merchant should obtain "evidence" of compliance from the vendor (e.g. Report on Compliance, RoC)
       - The merchant cannot answer the SAQ truthfully if the requirements are not met
  19. PCI DSS structure
     - Is made up of six key sections:
       - Build and maintain a secure network
       - Protect cardholder data
       - Maintain a vulnerability management program
       - Implement strong access control measures
       - Regularly monitor and test networks
       - Maintain an information security policy
     - Each section has a set of Requirements, for example, under "Build and maintain a secure network":
       - Requirement 1: Install and maintain a firewall configuration to protect data
       - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  20. PCI DSS structure, continued
     - Each Requirement has a rationale and a set of sub-requirements specified for review, e.g.:
     - Requirement 1: Install and maintain a firewall configuration to protect data
       - Rationale: Firewalls are computer devices that control computer traffic allowed into a company's network from the outside, as well as traffic into more sensitive areas within a company's internal network. All systems need to be protected from unauthorized access from the Internet, whether for e-commerce, employees' Internet-based access via desktop browsers, or employees' email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network
       - Requirement 1.1: Establish firewall configuration standards that include:
         - 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration
         - 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks
         - 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the intranet
  21. Building and maintaining a secure network
     - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       - Internet firewall security needs to be installed and functional on all computers, payment applications and POS systems using IP connectivity, including those with a dial-up connection to the Internet
     - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
       - Passwords should be personalized for all users
       - All unnecessary services should be disabled
  22. Protecting cardholder data
     - Requirement 3: Protect stored cardholder data
       - Do not store the contents of the track data from the magnetic stripe on the credit card, or the CVV or CVC information (the 3-digit code on the back of the card), after authorization
       - Only store cardholder account information that is essential to your business
       - Databases and files containing payment card information must be encrypted
       - Hard copies of reports and paper receipts must be kept in a secured area and shredded when discarded
       - Implement a policy on how long data will be stored and why (i.e. business or legal purposes)
     - Requirement 4: Encrypt transmission of cardholder data across open or public networks
       - Encryption software is required for systems using Internet connectivity for the transmission of cardholder information
  23. Maintaining a vulnerability management program
     - Requirement 5: Use and regularly update anti-virus software
       - Install and maintain updated anti-virus software on all computers and servers
       - The number one cause of hacker fraud is Trojan or backdoor malware intrusion
     - Requirement 6: Develop and maintain secure systems and applications
       - Check with your software supplier to ensure you are using the latest version. You can also verify whether your software and version are included on the PCI Security Standards Council's Validated Payment Application list
       - Old technology and software is an open invitation to hackers. Don't take for granted that your supplier has informed you of possible vulnerabilities or updates. Remember that it is you who will be subject to fines if your business is compromised
  24. Implementing strong access control measures
     - Requirement 7: Restrict access to cardholder data on a need-to-know basis
       - Complex passwords should always be used to limit access to cardholder information
     - Requirement 8: Assign a unique ID to each person with computer access
       - Ensure each employee has a unique user name and password to restrict access to computers and transaction systems' data
       - Make sure you update passwords when any employee who had access to cardholder data leaves
     - Requirement 9: Restrict physical access to cardholder data
  25. Regularly monitoring and testing networks / maintaining an information security policy
     - Requirement 10: Track and monitor all access to network resources (i.e. computers and transaction systems) and cardholder data. You must be able to show proof of tracking
     - Requirement 11: Regularly test security systems and processes. Document a policy for testing of security systems and processes. You must be able to show proof of testing of your Internet security and policy processes
     - Requirement 12: Maintain a policy that addresses information security. Document and maintain an enforceable policy that details the safeguarding of payment card information
  26. PCI DSS relative to other standards
     [Chart: standards plotted by consistency of controls and expertise required, on a scale from generic to prescriptive; points shown: PCI DSS, SOX 404, GLBA SR (Safeguards Rule), HIPAA SR (Security Rule), ISO 17799:2000]
  27. Milestones for prioritizing PCI DSS compliance efforts
     - The Prioritized Approach includes six milestones. The list below summarizes the high-level goals and intentions of each milestone.
     - 1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember: if sensitive authentication and other cardholder data is not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it!
     - 2. Protect the perimeter, internal and wireless networks. This milestone targets controls for the points of access of most compromises: the network or a wireless access point
  28. Milestones for prioritizing PCI DSS compliance efforts, continued
     - 3. Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data
     - 4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when and how concerning who is accessing your network and cardholder data environment
  29. Milestones for prioritizing PCI DSS compliance efforts, continued
     - 5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, milestone five targets key protection mechanisms for that stored data
     - 6. Finalize remaining compliance efforts and ensure all controls are in place. The intent of milestone six is to complete the PCI DSS requirements and finalize all remaining related policies, procedures and processes needed to protect the cardholder data environment
  30. On-site assessment
     - Is a detailed audit against the PCI Data Security Standard
     - Potentially targets all systems and networks that store, process and/or transmit cardholder information
     - Includes review of contractual relationships, but not assessment of the third parties themselves
     - Must be performed using an offering from a Qualified Security Assessor (QSA) such as Trustwave (QSAs were originally certified by Visa and are now qualified by the PCI SSC)
     - The biggest difficulties in on-site reviews are the initial scoping and the subsequent cost of correction to compliant levels
     - The QSA provides a Report on Compliance when compliant, for submission to the Acquirer. Interim reports may be asked for by the Acquirer
  31. On-site review practicalities
     - Make sure you scope correctly
       - The appropriate placement of a stateful firewall can reduce the scope dramatically
     - If not compliant, it will be necessary to submit planning information on how compliance will be achieved
       - This will be monitored and policed both by your QSA and your Acquirer
     - It may be possible to use compensating controls to meet a requirement
       - Must be controls over and above what is already specified, and
       - Must meet the intent of the requirement
       - At the discretion of the QSA, and must be agreed to by the Acquirer
  32. PCI DSS control evaluation
     - The PCI Security Audit Procedures give some guidance on what will be checked for. An example:
     - 6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability
       - Testing procedure 6.3.7.a: Obtain and review written policies to confirm they dictate that code reviews are required, and must be performed by individuals other than the originating author of the code
       - Testing procedure 6.3.7.b: Confirm that code reviews are occurring for new code as well as after code changes
  33. Tokenization
     - This technology replaces sensitive cardholder data (the PAN in particular) with a randomized token that represents the data. Tokenization eliminates the storage of actual cardholder data in the systems that hold only the token, and brings the following benefits:
       - Scope reduction, by allowing fewer system components to have access to real cardholder data (the most significant benefit)
       - Cardholder data security can be improved when encryption is combined with tokenization
       - Avoids the complexity of key management requirements where tokenization replaces encryption
     - Caveat: the token vault that maps tokens back to PANs still stores cardholder data, so the vault and everything connected to it remain in PCI DSS scope and need the full set of controls
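The split the slide describes, a vault that is the only component ever holding a PAN and a merchant order store that holds nothing but tokens, in a minimal form. This is an added example, not code from the slides or from any tokenization vendor; the API, the keyed index used to return the same token for a repeated PAN, the token format (random 64 bits plus the last four digits in the clear) and the whitelist of callers allowed to detokenize are all assumptions chosen for illustration. The card numbers are the public test PANs.

```python
"""Minimal tokenization vault (added example; vault API and token format are assumptions)."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps PANs to random tokens; this component lives inside the cardholder data environment."""

    def __init__(self, index_key: bytes):
        self._pan_by_token: dict[str, str] = {}    # the only place a PAN is stored
        self._token_by_index: dict[str, str] = {}  # keyed hash of PAN -> token
        self._index_key = index_key

    def _index(self, pan: str) -> str:
        # Keyed hash, so the index table alone cannot be turned back into PANs by
        # enumerating the (small) space of Luhn-valid card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating a fresh random one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # 64 random bits from the OS CSPRNG: the token carries no information
            # about the PAN.  The last four digits are kept in the clear so receipts
            # and customer service can still match a card.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str,
                   allowed: tuple[str, ...] = ("payment-gateway",)) -> str:
        """Return the PAN for a token, only to callers that need the real card."""
        if caller not in allowed:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._pan_by_token[token]


def can_detokenize(vault: TokenVault, token: str, caller: str) -> bool:
    """Access-review helper: does this caller get the PAN back?"""
    try:
        vault.detokenize(token, caller)
        return True
    except PermissionError:
        return False


def record_order(vault: TokenVault, orders: dict, order_id: str, pan: str, amount: str) -> str:
    """Store an order in the merchant's order database using the token only."""
    token = vault.tokenize(pan)
    orders[order_id] = {"amount": amount, "card": token}   # no PAN leaves this function
    return token


def holds_pan(orders: dict, pan: str) -> bool:
    """Check that the order store never contains the real card number."""
    return any(pan in str(v) for v in orders.values())


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    orders = {}
    tok = record_order(vault, orders, "order-1049", "4111111111111111", "42.00")
    print(orders["order-1049"])                    # token only, e.g. tok_..._1111
    print(vault.detokenize(tok, "payment-gateway"))
```

The scope argument rests on the token being random: because it is drawn from a CSPRNG rather than derived from the PAN, a system that stores only tokens cannot be used to recover card numbers even if fully compromised. The two dictionaries inside the vault are exactly the data that stays in scope, which is why the vault should be a small, separately hardened service rather than a library linked into every application.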
  34. Network security scanning
     - Targets Internet-facing devices, systems and applications, including:
       - Routers and firewalls
       - Servers and hosts (including virtual)
       - Applications
     - A passing scan may not have any issue of severity 3 or greater:
       - 5 (Urgent): Trojan horses, file read and write exploits, remote command execution
       - 4 (Critical): potential Trojan horses, file read exploits
       - 3 (High): limited exploits
  35. Security incident plan
     - Requirements of:
       - Card Association rules
       - Requirement 12 of the PCI DSS
       - OSC's policy, "Merchant Cards Security Incident Plan"
     - Basic points
       - Must have a formal plan
       - Applies to both technology and paper breaches
       - The Acquirer must be notified in all cases, immediately
       - Card associations take into consideration the timeliness of reporting when determining fines for a breach
  36. Limit personnel access to restricted data
     - Background checks must be performed prior to hiring for any position with unrestricted access to cardholder data (not necessary for cashier-level personnel with access to only one card at a time)
     - All personnel involved in credit card transactions must attend security training annually
     - Physical and logical access is only granted on a "need to know" basis
  37. FAQs
     Q: Am I PCI compliant if my point-of-sale system is compliant?
     A: No. PCI compliance goes beyond the hardware or software used for payment card processing. You are expected to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS contains 12 requirements addressing 6 core principles for network architecture, cardholder data protection, vulnerability management, access controls, network security and information security policies. These include items such as policies for storing reports/receipts, physical access to data, passwords, etc. Using a validated payment application and/or a PCI-approved PIN Entry Device (PED) may aid in reducing the scope of potential areas requiring attention. However, to be considered PCI compliant, you must validate your compliance by completing and passing the PCI SAQ and network vulnerability scans (if applicable)
  38. FAQs
     Q: As a merchant, I did not sign anything saying I would be compliant; therefore, I don't need to be
     A: The PCI standard forms part of the operating regulations, which are the rules under which merchants are allowed to operate merchant accounts. The agreement signed when you open an account at the bank states that the Visa regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit card data
     Q: Who needs to comply with the PCI DSS?
     A: ALL organizations, regardless of size or number of transactions, that process, store or transmit cardholder data must comply with the PCI DSS. Essentially, all merchants with a Merchant Identification number (MID) and all service providers that touch cardholder data are required to comply with the PCI DSS
  39. PCI glossary
     - CISP: Visa's Cardholder Information Security Program
     - SDP: MasterCard's Site Data Protection Program
     - PCI SSC: Payment Card Industry Security Standards Council
     - PCI DSS: Payment Card Industry Data Security Standard *
     - PCI PA-DSS: PCI Payment Application Data Security Standard *
     - PTS: PIN Transaction Security Standard *
     - QSA: Qualified Security Assessor (e.g., Trustwave)
     - ASV: Approved Scanning Vendor (e.g., Trustwave)
     - SAQ: Self-Assessment Questionnaire (A, B, C, or D)
     * Note: three separate standards can apply