Sense of Security Pty Ltd
                                                            (ABN 14 098 237 908)
               ...
Agenda

    • Overview of PCI DSS
    • Merchant Compliance Levels and Associated
      Compliance Requirements
    • Risk...
Payment Card transactions -
                                         on the increase




3   www.senseofsecurity.com      ...
The big players in AU market




4   www.senseofsecurity.com                             Nov 2007
The PCI Security Standards Council
                                                       Members




5   www.senseofsecur...
PCI Data Security Standard

PCI DSS is:
• An open industry standard
• Tech requirements for data security
• PCI SSC mainta...
PCI DSS: Six Goals, Twelve Requirements

            The Payment Card Industry Data Security Standard (PCI DSS)
    Build ...
Who must comply?

    • Everyone who stores, processes or transmits
      cardholder data
       • PCI compliance is manda...
How is PCI DSS Regulated?

• Regulated by the respective Card Scheme
  Compliance Programs.
• PCI is a technical standard ...
Card Present


                                                        Merchant swipes the
                               ...
Merchant Levels –
                                                MasterCard & Visa from Jan08

                          ...
Merchant Levels – Amex


                                     Level 1                         Level 2                     ...
What can and can’t be stored


     • What must not be stored (after authorisation):
       – Full magnetic stripe
       ...
Most Common PCI Requirements Not Met

                                                                             Require...
Risks and consequences of non-compliance


• Card Schemes may levy fines to the Acquiring Bank
  of a Merchant if Merchant...
Fines - MasterCard

     • MasterCard has issued fines in AU.
     • US$25K for non compliant Level 1’s & Level 1
       a...
Fines - Visa

• Visa AP has not yet levied any fines in AU. Crunch
  time will come in Jan 2008.
• Visa AP can fine up to ...
Safe Harbour

     • Safe harbor provides members protection from
       Visa fines in the event its merchant or service
 ...
Merchant Benefits of Compliance

• Protect customers’ personal data
• Boost customer confidence through a higher level
  o...
Visa’s focus

• Historically focused on large e-commerce & Level
  1 Merchants. (Target Compliance 31Dec07)
• Visa looking...
Visa’s Focus cont…

• Not enough focus on Level 2’s at present.
• At least 6 breaches on Level 2 and Level 3 ecom
  Mercha...
Service Providers

• 30-90 Service Providers in the AU Market.
• Expect merchants to look for partnership with a
  Service...
How big is the AU Market?



                   Level 1
                   Level 2
                   Level 3
            ...
So how many Merchants are Compliant?


      According to VISA USA:               Ref:http://corporate.visa.com/md/nr/pres...
And in Australia?

• This type of info is not readily available to the
  public.
• Conflicting information. Some Acquirers...
Australia’s Position

• Research indicates that AU and NZ regions
  compare favourably with other APAC regions.
• Higher l...
Are we better off now than
                                   12 and 24 months ago?
• Overwhelming answer YES from all sch...
So where to from now?

• Merchants will likely consider hosted solutions.
• Expect more focus on Verified by Visa (vbv) an...
PCI DSS Continual Development

• Clarity and Consistency:
     – data definitions and cardholder data storage
       and p...
Simplified SAQ’s



       "Today, it's a one-size fits all but going forward
       we'll have four different versions ba...
Card Scheme Focus in 2008

• Visa and MasterCard concur more education
  required for smaller sized merchants.
• MasterCar...
What if you haven't started
                               PCI Compliance Initiatives yet?
• There is plenty of help avail...
Thank you
                               for participating in this research




33   www.senseofsecurity.com              ...
Thank you

                                       Questions?

                                   Murray Goldschmidt
      ...
Upcoming SlideShare
Loading in …5
×

PCI Compliance What Does This Mean For the Australian Market Place 2007

905
-1

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
905
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
28
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

PCI Compliance What Does This Mean For the Australian Market Place 2007

  1. 1. Sense of Security Pty Ltd (ABN 14 098 237 908) 306, 66 King St Sydney NSW 2000 Australia Tel: +61 (0)2 9290 4444 Fax: +61 (0)2 9290 4455 info@senseofsecurity.com.au PCI Compliance : What does this mean for the Australian Market Place? Nov 2007 1 www.senseofsecurity.com Nov 2007
  2. 2. Agenda • Overview of PCI DSS • Merchant Compliance Levels and Associated Compliance Requirements • Risks and consequences of non-compliance • Benefits of Compliance • Current status of PCI in Australia 2 www.senseofsecurity.com Nov 2007
  3. 3. Payment Card transactions - on the increase 3 www.senseofsecurity.com Nov 2007
  4. 4. The big players in AU market 4 www.senseofsecurity.com Nov 2007
  5. 5. The PCI Security Standards Council Members 5 www.senseofsecurity.com Nov 2007
  6. 6. PCI Data Security Standard PCI DSS is: • An open industry standard • Tech requirements for data security • PCI SSC maintains list of qualified PCI assessors (QSAs & ASVs) PCI DSS is not: • A compliance program – Card Schemes run their own programs 6 www.senseofsecurity.com Nov 2007
  7. 7. PCI DSS: Six Goals, Twelve Requirements The Payment Card Industry Data Security Standard (PCI DSS) Build and Maintain a Secure 1. Install and maintain a firewall configuration to protect cardholder data Network 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability 5. Use and regularly update anti-virus software Management Program 6. Develop and maintain secure systems and applications Implement Strong Access Control 7. Restrict access to cardholder data by business need-to-know Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test 10. Track and monitor all access to network resources and cardholder data Networks 11. Regularly test security systems and processes Maintain an Information Security 12. Maintain a policy that addresses information security Policy 7 www.senseofsecurity.com Nov 2007
  8. 8. Who must comply? • Everyone who stores, processes or transmits cardholder data • PCI compliance is mandatory • PCI applies to all parties in the payment process • You cannot be partially compliant: Compliance is PASS/FAIL 8 www.senseofsecurity.com Nov 2007
  9. 9. How is PCI DSS Regulated? • Regulated by the respective Card Scheme Compliance Programs. • PCI is a technical standard of due care. • PCI DSS is not law. • The Payments System Board (PSB) of the Reserve Bank oversees the payments system in Australia. 9 www.senseofsecurity.com Nov 2007
  10. 10. Card Present Merchant swipes the card, enters the dollar amount. Merchant receives authorisation response and completes the transaction. Authorisation request Merchant bank forwards is sent to acquiring authorisation response merchant bank. to merchant. Customer bank sends funds to merchant bank. Merchant bank sends transaction information to customer (issuing) n k bank through Card k Ba B an Customer bank e r Scheme Network t tom h an verifies credit card and clears request. C us Mer c 10 www.senseofsecurity.com Nov 2007
  11. 11. Merchant Levels – MasterCard & Visa from Jan08 Level 1 Level 2 Level 3 Level 4 *Annually More Between 1M Between 20K All † Quarterly than 6M and 6M and 1M e- Others transactions transactions Commerce ‡Annually transactions Self Not Reqd Mandate Mandate Mandate Assessment * Vulnerability Mandate Mandate Mandate Mandate / Scan † Rec VISA Onsite Mandate Not Reqd Not Reqd Not Reqd Review ‡ 11 www.senseofsecurity.com Nov 2007
  12. 12. Merchant Levels – Amex Level 1 Level 2 Level 3 † Quarterly ‡Annually More than 2.5M Between 50K and 2.5M Less than 50K transactions transactions transactions Vulnerability Mandate Mandate Highly Scan † Recommend Onsite Mandate N/A N/A Review ‡ ref: http://www10.americanexpress.com/sif/cda/page/0,1641,17457,00.asp 12 www.senseofsecurity.com Nov 2007
  13. 13. What can and can’t be stored • What must not be stored (after authorisation): – Full magnetic stripe – Card verification values (CVV2, CVC2, CID) – PIN verification value – PIN and PIN block • What can be stored (must be protected): – Primary account number – Cardholder name – Service code – Expiration date 13 www.senseofsecurity.com Nov 2007
  14. 14. Most Common PCI Requirements Not Met Requirement 1: • Install and maintain a firewall to protect cardholder data Requirement 3: • Protect stored data Requirement 6: • Develop and maintain secure systems and applications Requirement 8: • Assign a unique ID to each person with computer access Requirement 10: • Track and monitor access to network and card data *Percentage of Compromised Merchants That Failed To Meet Each PCI DSS Requirement Requirement 11: • Regularly test security *Data gathered from more than 250 card compromise investigations conducted by ATW. This Slide is Copyright PCI Security Council systems and processes 14 www.senseofsecurity.com Nov 2007
  15. 15. Risks and consequences of non-compliance • Card Schemes may levy fines to the Acquiring Bank of a Merchant if Merchant is not compliant. • Acquiring Bank may pass on fines to the Merchant in line with Merchant Contract or Bank’s discretion. 15 www.senseofsecurity.com Nov 2007
  16. 16. Fines - MasterCard • MasterCard has issued fines in AU. • US$25K for non compliant Level 1’s & Level 1 and 2 Service Providers • US$5K for Level 2 and 3 Merchants. • Penalty applied if Merchant/Gateway: – did not complete PCI DSS – did not take steps to mitigate the risks of an account data compromise. • Operational Risks to consider: – Up to US$100K for each incident + Up to US$25K each day until member achieves compliance + Investigation and other related costs incurred. – Compensation: Up to US$25 per card re-issued + Up to US$5 per card monitored (without card reissue) 16 www.senseofsecurity.com Nov 2007
  17. 17. Fines - Visa • Visa AP has not yet levied any fines in AU. Crunch time will come in Jan 2008. • Visa AP can fine up to US$500K if a threshold level is triggered. • This threshold probably has been reached in AU (recent breach). • $500K comprised of $100K in card replacement fees & $400K if more than $1M fraud reported. 17 www.senseofsecurity.com Nov 2007
  18. 18. Safe Harbour • Safe harbor provides members protection from Visa fines in the event its merchant or service provider experiences a data compromise. • To attain safe harbor status: – must maintain full compliance at all times, including at the time of breach. – must demonstrate prior to the compromise merchant was fully compliant . • Ref: http://usa.visa.com/merchants/risk_management/cisp_overview.html 18 www.senseofsecurity.com Nov 2007
  19. 19. Merchant Benefits of Compliance • Protect customers’ personal data • Boost customer confidence through a higher level of data security • Lower exposure to financial losses and remediation costs • Maintain customer trust and safeguard the reputation of their brand • Provide a complete “health check” for any business that stores or transmits customer information. 19 www.senseofsecurity.com Nov 2007
  20. 20. Visa’s focus • Historically focused on large e-commerce & Level 1 Merchants. (Target Compliance 31Dec07) • Visa looking for evidence of Merchant PCI Cert intent & Road Maps for ’08 ’09. • Visa requires validation of Level 1 but not yet Level 2 Merchants. 20 www.senseofsecurity.com Nov 2007
  21. 21. Visa’s Focus cont… • Not enough focus on Level 2’s at present. • At least 6 breaches on Level 2 and Level 3 ecom Merchants recently. • Expect in 2008: – Certificate of compliance for Level 2’s. – Education campaign for L3’s but not looking for certificate of compliance yet. 21 www.senseofsecurity.com Nov 2007
  22. 22. Service Providers • 30-90 Service Providers in the AU Market. • Expect merchants to look for partnership with a Service Provider to reduce Merchant exposure. • Complexity when there is a 3rd Party involved. 22 www.senseofsecurity.com Nov 2007
  23. 23. How big is the AU Market? Level 1 Level 2 Level 3 } 300 Level 4 650,000 -750,000 Per info from MasterCard 23 www.senseofsecurity.com Nov 2007
  24. 24. So how many Merchants are Compliant? According to VISA USA: Ref:http://corporate.visa.com/md/nr/press719.jsp (30 Jul 07) Level Compliant Working towards 1 40% 50% 2 33% 42% 3 52% 22% 24 www.senseofsecurity.com Nov 2007
  25. 25. And in Australia? • This type of info is not readily available to the public. • Conflicting information. Some Acquirers confident for their L1’s. • Complexity of historical systems means that true compliance still requires significant effort. 25 www.senseofsecurity.com Nov 2007
  26. 26. Australia’s Position • Research indicates that AU and NZ regions compare favourably with other APAC regions. • Higher level of collaboration. • Good work between banks and schemes. • Scheme PCI Road Shows had good results. • Fewer barriers with brands. 26 www.senseofsecurity.com Nov 2007
  27. 27. Are we better off now than 12 and 24 months ago? • Overwhelming answer YES from all schemes and acquiring banks interviewed. 27 www.senseofsecurity.com Nov 2007
  28. 28. So where to from now? • Merchants will likely consider hosted solutions. • Expect more focus on Verified by Visa (vbv) and MasterCard SecureCode for cardholder authentication. – Called 3-D Secure if the Gateway offers both. – Merchants are no longer liable for chargebacks where the cardholder claims fraud or non participation 28 www.senseofsecurity.com Nov 2007
  29. 29. PCI DSS Continual Development • Clarity and Consistency: – data definitions and cardholder data storage and protection. • Flexibility: – compensating controls for data encryption • New Security Requirement: – New application level requirement (6.6) web app code review or web app fw. 29 www.senseofsecurity.com Nov 2007
  30. 30. Simplified SAQ’s "Today, it's a one-size fits all but going forward we'll have four different versions based on the merchant's business," says Russo. "For instance, if they're small and just doing dial-up, there's no need for them to answer 200 questions, we'll just have 30 or 40 questions." Ref: http://computerworld.co.nz/news.nsf/scrt/6277ADB06EBBC57FCC2573870002C963 5 Nov 07 30 www.senseofsecurity.com Nov 2007
  31. 31. Card Scheme Focus in 2008 • Visa and MasterCard concur more education required for smaller sized merchants. • MasterCard also noted focus on recalcitrant merchants. • Payment Application Best Practices. 31 www.senseofsecurity.com Nov 2007
  32. 32. What if you haven't started PCI Compliance Initiatives yet? • There is plenty of help available. • Speak to Merchant Services at your Acquiring Bank. • Speak to your local Card Scheme office. • Read the standards at www.pcisecuritystandards.org • Find a local QSA. • Join a PCI Forum, read whitepapers • Prepare your managers for the work ahead. 32 www.senseofsecurity.com Nov 2007
  33. 33. Thank you for participating in this research 33 www.senseofsecurity.com Nov 2007
  34. 34. Thank you Questions? Murray Goldschmidt Sense of Security Pty Ltd info@senseofsecurity.com.au Tel: +61 2 9290 4442 34 www.senseofsecurity.com Nov 2007

×