Payment card industry data security standard 1


Payment Card Industry Data Security Standard - PCI DSS

Executive Summary

PCI Compliance: Business Owners / IT Managers Guide

PCI standards must be met by all businesses that take credit, debit or payment cards from the four major card brands: American Express, Discover, MasterCard and Visa. PCI compliance standards are not laws; they are contractual obligations with the card companies. Card companies may enforce the terms of their contracts by imposing fines and/or sanctions against companies that do not comply with each card company's standards.

What is Payment Card Industry (PCI) Compliance?

Payment Card Industry (PCI) compliance is a set of security standards created by the major card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to protect their customers from identity theft and security breaches. Under the PCI DSS, a business or organization should be able to assure its customers that its card data, account information and transaction information is safe from hackers or any other malicious system intrusion.

Do I need to become compliant?

Any company that accepts, processes or stores card information needs to comply with the standards set by the Payment Card Industry. This includes POS software vendors, third-party service providers, merchants of all types, and any other entity that is part of the payment transaction process.

What are my requirements for PCI Compliance?

The requirements for becoming PCI compliant depend on the merchant level that a company falls under. Merchants are divided into four levels based on the number of transactions they process in a year.

Level 1 Criteria
  • Merchants with over 6 million transactions a year
  • Merchants whose data has been compromised
Level 1 Requirements
  • Annual onsite security audit and quarterly network security scan

Level 2 Criteria
  • Merchants with 150,000 to 6 million transactions a year
Level 2 Requirements
  • Annual Self Assessment Questionnaire
  • Quarterly scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria
  • Merchants with 20,000 to 150,000 transactions a year
Level 3 Requirements
  • Quarterly scan by an Approved Scanning Vendor (ASV)
  • Annual Self Assessment Questionnaire

Level 4 Criteria
  • Merchants with fewer than 20,000 transactions a year
Level 4 Requirements
  • No need to report compliance, but compliance must be maintained.

What kind of scan needs to be performed?

Vulnerability assessment scans must be performed by a PCI Approved Scanning Vendor (ASV). The scan covers all externally facing IP addresses that touch the card acceptance, transmission and storage process. Scan results must be submitted to the merchant bank quarterly.

How do I report compliance?

Both the passing PCI scan and the annual Self Assessment Questionnaire should be submitted to your merchant bank. Your merchant bank then reports to the card brands that your company is PCI compliant.

What happens if I am not compliant?

Failure to comply with the PCI security standards may result in heavy fines, restrictions, or permanent expulsion from card acceptance programs.

Card companies may impose fines on their member banks when merchants are found to be non-compliant with PCI DSS. Acquiring banks may in turn contractually oblige merchants to indemnify and reimburse them for such fines. Fines can reach $500,000 per incident if data is compromised and the merchant is found to be non-compliant. In the worst case, a merchant can lose the ability to process its customers' card transactions.

Source: www.pcicomplianceguide.org
TABLE OF CONTENTS

Executive Summary
Introduction to PCI DSS
Finding PCI DSS Compliance Level
Visa CISP Program
MasterCard SDP Program
Defining Merchant Levels
Defining Service Provider Levels
Acquirer PCI Responsibility
Enforcement Dates
Visa & MasterCard Quick Reference Guides
Attaining PCI Compliance - Merchants
PCI DSS 12 Requirements
Finding PCI Approved Scanning Vendors
Compliance Reporting
PCI DSS Self Questionnaire
Cardholder Data Theft - Real Cases
PCI DSS: A Five Step Guide to PCI Compliance

Step 1: An Introduction to PCI Compliance

Payment Card Industry (PCI) compliance is a set of security standards created by the major card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to protect their customers from identity theft and security breaches.

The PCI Data Security Standard (PCI DSS) really began with each card brand establishing its own proprietary program for storing and securing card data. Merchant concerns and confusion over rival and overlapping brand-specific requirements, together with continuing massive card data breaches at high-profile organizations, prompted the card brands to come together and create a single standard for protecting card data.

In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International founded the PCI Security Standards Council (PCI SSC). The requirements draw on ISO 17799 (since renumbered ISO/IEC 27002), the internationally recognized standard for information security practices.

The main tasks of the council are:
  • Creating, owning and managing the PCI DSS for card data
  • Defining a common audit requirement to certify compliance
  • Overseeing a certification process for security assessors and network scanning vendors
  • Instituting minimum qualification requirements
  • Maintaining and publishing a list of certified assessors and vendors

Question: What can happen to you and/or your organization if you fail to implement or adhere to the PCI DSS compliance rules?

Answer: Ask TJX Companies Inc. (TJX).

Currently the company, owner of T.J. Maxx and Marshalls department stores and other stores in North America and the United Kingdom, faces more than a dozen class action lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces over what has been called the single largest data breach in United States history. TJX revealed in March 2007 that hackers had compromised at least 45.7 million credit and debit cards. From July 2005 until discovery in December 2006, the intruders had access to a supposedly secure network environment.
In a regulatory filing made with the Securities and Exchange Commission (SEC) after the breach, TJX stated that its computer systems were first hacked in July 2005 by one or more intruders who accessed information from customer transactions dating back to January 2003. TJX officials said they did not discover the breach until about three months earlier.

More troubling is that TJX believes the hackers had access to the decryption tool for its encryption software, making PINs, card numbers and any other unique identifiers easy to read. The SEC filing also said that another 455,000 customers who returned merchandise without receipts had their driver's license numbers stolen.

At this time TJX is not sure whether it was a single breach or multiple intrusions. The ripples of this breach are far reaching and include the addition of TJX's acquirer, Cincinnati-based Fifth Third Bancorp, as a defendant in some of the lawsuits; the bank processed some payment card transactions for TJX. TJX and its acquirer are not alone in being unaware of holes in their security systems: there have been many breaches that compromised confidential information across several business sectors in the last decade alone. "Companies like LexisNexis, Citibank, and ChoicePoint have all had breaches," says Khalid Kark, senior security analyst with Forrester Research. Kark is a leading expert in security and risk management, compliance, best practices, and services.

"The issue is that it's not that the company doesn't have good security, it's just that they haven't really put in all of the effort and the time to understand all of the areas of threat and try to protect against those."

Even with the guidelines, many organizations have not opted to pursue PCI compliance, even when they may know that they need to.

At the same time, Visa U.S.A. projects that 65 percent of all merchants will be PCI compliant by the end of 2007, and stiff penalties that target acquirers are one of the tools used to get there (see Acquirer PCI Compliance Responsibility below).

If an organization doesn't know that it needs to be PCI compliant, or simply doesn't want to be bothered with obtaining compliance, it soon will not matter. The goal is to have all merchants, regardless of merchant level, compliant with PCI DSS.

"Being PCI compliant is a smart business decision, as far as securing their [merchants'] Web property and intellectual property," said Aaron Biddar, president of ControlScan, a leading Internet security solutions company.

"With data being stored virtually, in accessible areas, PCI standards are set up to help businesses with better practices," he continued. "These better practices can begin with 'hey, do you have a lock on your door?' to 'do you have scanning procedures in place?' ... being PCI compliant, without being forced to do it, just makes good business sense, period."

Who Put the DSS in PCI?

The Payment Card Industry (PCI) consists of the five major card brands:
  • Visa
  • MasterCard
  • American Express
  • Discover Card
  • JCB International

The origin of the standard and the council's tasks are described under Step 1 above.

The PCI Security Standards Council is not a policing organization. It neither enforces the PCI DSS nor determines the appropriate remediation for violations of it. Enforcement is left to the individual card brands and acquirers. PCI DSS does not replace the individual card brands' compliance programs; each brand separately determines who must be compliant, including any brand-specific enforcement programs.

Step 2: Finding the PCI DSS Merchant, Service Provider and Compliance Level

Should Your Organization be Concerned about PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit or debit card data.
If you are one of the above, PCI compliance is not a request or a suggestion; it is a requirement. However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

By the end of 2007, any organization that accepts payment card transactions must be in compliance with the standard.

Card brands and acquiring banks can levy stiff fines and remove a merchant's ability to process card transactions until the merchant is PCI compliant.

Basic rules on PCI DSS compliance:
  • PCI DSS applies to merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
  • As of September 2006, PCI DSS 1.1 includes 12 major requirements. A single violation of any one of them can trigger an overall non-compliant status.
  • Each non-compliant incident can result in steep fines, suspension or revocation of card processing privileges.

In a recent PCI webinar hosted by Imprivata and Forrester Research, Khalid Kark said that questions about how to determine whether a service provider needs to be PCI DSS compliant are very common.

"I get these questions all of the time," he commented.

"The rule of thumb is this: If you house credit card information, in whatever form, if you house the information in your server, the server that you own or you added, then you are basically responsible for complying with PCI DSS," Kark stated.

Even with a uniform standard, since the PCI SSC instituted the new security standard, evidence suggests there has not been a rush to comply. Many organizations have started to comply or audit in certain areas, but overall numbers seesaw depending on merchant level.

From data collected by Visa, in 2006 only 18 percent of Level 1 merchants (6 million or more Visa transactions per year) were compliant with PCI DSS, compared with 35 percent in 2007. Another 51 percent have completed a report on where they stand in terms of compliance, and 93 percent of responding merchants certified that they are not storing PINs, card verification numbers or other prohibited card data.

Only 26 percent of Level 2 merchants (1 to 6 million Visa or MasterCard transactions per year) are PCI compliant at this time, but Level 3 merchants (20,000 to 1 million Visa or MasterCard transactions per year) have a higher compliance rate, at 51 percent.
According to information gathered by Kark and Forrester Research, although organizations are spending a lot of money to become PCI compliant, it is taking a long time for them to actually see the benefits of that compliance.

"We've found that over years, typically there is one year there is a push to get spending, or to have spending in terms of a specific regulation," Kark explained.

"In 2005, for government, it was FISMA [government compliance program] and there was a lot of spending in terms of getting the controls in place, getting the technology in place, and so on, and in 2006 we saw a similar trend in the retail industry where the retail industry spent a lot of money in terms of getting compliant with PCI."

Continuing, Kark said that implementing a PCI DSS compliance program is still a lengthy process.

"Once you start implementing technologies, once you start investing in security controls, then it takes a couple of years from implementation to realize the benefits of that spending," he said.

"And to be able to get to the fact of well, yes we are compliant completely, and yes we spent the money a couple of years ahead of time, but then we needed to put in processes and other things that were kind of realizing the benefits of that spending."

From surveys conducted by Forrester Research, Kark believes that most companies will be compliant with PCI DSS within the next 6 to 12 months.

"That may be a little late for some companies, but that is the data that we find, at the moment," Kark said.

But just because an organization is PCI DSS compliant right now does not mean it will remain compliant indefinitely. Compliance with PCI DSS is an ongoing obligation, because new technologies and new ways of stealing personal data keep appearing.

"In general, compliance is 100 percent, but it's a certain point in time, so if you are compliant today, it doesn't necessarily mean you will be compliant tomorrow," Kark said.

"Being compliant means that at the time of the audit you [organization] were PCI compliant to 100 percent of the requirement in respect to whoever the auditor was ... it's the auditor that makes the judgment, but it may not really remain 100 percent throughout."

PCI DSS: The Visa CISP Program

For Visa, Inc., PCI DSS compliance includes following its Cardholder Information Security Program (CISP), which incorporates the PCI DSS.

The CISP program includes compliance and validation requirements for the following entities:
  • Merchants: all merchants, including retail (brick-and-mortar), mail/telephone order and e-commerce.
  • Service Providers: Visa defines service providers as organizations that process, store or transmit Visa cardholder data on behalf of Visa members, merchants or other service providers.
  • Payment Applications: Visa offers a "Best Practices" document for payment applications. Its goal is that a payment application must not retain full magnetic stripe data or CVV2 data, and that the software must support merchants' and service providers' ability to comply with the PCI DSS.

MasterCard SDP Program

For MasterCard Inc., compliance and validation includes following its Site Data Protection (SDP) Program, which incorporates the PCI DSS.

The SDP program includes compliance requirements for the following entities:
  • Merchants: all merchants must become PCI DSS compliant by completing the PCI Self Assessment, PCI Onsite Assessment and PCI Quarterly Network Scan as applicable to their level. While all merchants are required to comply with the PCI DSS, merchants that store, process or transmit MasterCard account data may also be required to validate compliance with their acquirer.
  • Service Providers: Third Party Processors (TPPs) and Data Storage Entities (DSEs). Any service provider that stores, processes or transmits MasterCard account data on behalf of a merchant must also be compliant.
  • Vendors: MasterCard provides a list of Approved Scanning Vendors (ASVs), based on the testing requirements laid out for ASVs under the PCI DSS program.
  • Acquirers: MasterCard works with acquirers to help their merchants obtain SDP and PCI DSS compliance validation. The acquirer does not itself go through SDP certification, but it must manage the SDP process for its merchants, certify the merchants' compliance validation tools, and register the merchants with MasterCard.

Defining PCI Compliance Merchant Validation Levels

Each card brand has its own criteria for assigning a merchant level and a validation level to a merchant, third party or service provider. The merchant level is based on the organization's transaction volume. The validation level follows from the merchant level and specifies which validation actions are required and who must carry them out in order to be PCI DSS compliant.
For the majority of organizations, Visa's CISP program and MasterCard's SDP program set the criteria for assigning both a merchant level and a validation level, incorporating PCI DSS.

American Express and Discover do not, at this time, have a program as stringent as Visa's or MasterCard's; however, both have a best practices document that aligns with PCI DSS.

The current Visa and MasterCard merchant levels, and the changes from PCI DSS 1.0 to PCI DSS 1.1, are as follows:
  • Level 1: 6 million or more Visa U.S.A. or MasterCard Worldwide transactions per year, and any merchant that has experienced a data breach.
  • Level 2: 1 million to 6 million Visa or MasterCard transactions per year. (The new definition expands Level 2 to include former Level 4 merchants.)
  • Level 3: 20,000 to 1 million Visa or MasterCard e-commerce transactions per year. (The new definition expands Level 3 to include former Level 2 merchants that process fewer than 1 million e-commerce transactions per year.)
  • Level 4: fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year. (The new definition reduces the number of Level 4 merchants.)

The current Visa and MasterCard validation requirements are as follows:
  • Level 1 (Visa/MasterCard): annual onsite assessment by a Qualified Security Assessor (QSA), or by the merchant's internal audit function if signed off by an officer of the company, plus a quarterly network security scan by an Approved Scanning Vendor (ASV).
  • Level 2: annual completion of the PCI DSS Self Assessment Questionnaire, plus a quarterly network security scan by an ASV.
  • Level 3: annual completion of the PCI DSS Self Assessment Questionnaire, plus a quarterly network security scan by an ASV.
  • Level 4: annual completion of the PCI DSS Self Assessment Questionnaire, plus a quarterly network security scan by an ASV. A summary of the PCI compliance plan must be submitted, via the acquirer, by July 31, 2007. If a breach has been reported or found, Visa reserves the right to move a Level 4 merchant to Level 1, in which case the merchant must meet the Level 1 validation requirements. (See PCI DSS Level 4 Merchant Compliance for more information.)

PCI DSS Level 4 Merchant Compliance

As PCI DSS continues to be enforced as the standard for card data security, the emphasis of compliance mandates has focused primarily on Level 1, Level 2 and Level 3 merchants.
On paper this is the obvious move: it protects the card data of the largest number of cards and cardholders first, by concentrating on the merchants that clear the largest transaction volumes per year.

But Level 4 merchants are now getting much more attention, because many of them now use integrated POS terminals connected to high-speed Internet connections instead of the traditional stand-alone dial-up POS terminals, which cannot be reached from the Internet.

This disparity, and the fact that Level 4 runs the gamut from small mom-and-pop merchants with one dial-up POS terminal to large brick-and-mortar operations with high-speed lines, leaves some of these merchants wide open to attackers.

According to Visa, Level 4 merchants handle fewer transactions than Levels 1, 2 and 3, but they account for more than 99 percent of the merchants that accept Visa. That makes them an ideal playground for hackers.

"Usually, Level 4 merchants do not have the technical expertise, nor the IT staff, to properly secure cardholder data," said Aaron Biddar, President of ControlScan.

"For all data breaches, you have two main risks: the internal risk, an employee obtaining a file that they shouldn't have, and an external risk, a hacker," he explained.

"A hacker is going to look for the path of least resistance," he continued. "Level 1 and 2 merchants can afford to button up their IT infrastructure, because they have the money to do so; they can afford to staff a huge IT department, and they don't want to be a headline in the news."

"So, if I am a hacker, I'm going to go to the merchant that I know cannot afford the proper security or staff to mitigate that type of breach," he finished.

Biddar said that, even with the July deadline, Level 4 merchants and acquirers are becoming PCI compliant at a "trickle."

Although Level 4 merchants are not required by the PCI SSC, or by card brands such as Visa and MasterCard, to undergo an onsite security assessment, it is up to the acquirer to make sure that its Level 4 merchants understand the need to be PCI compliant.

To push this along, Visa U.S.A. added a new Level 4 Merchant Compliance Program to address data security for Level 4 merchants.

The new program, released in May 2007, requires acquirers to develop and submit to Visa a formal written compliance plan that "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.

Many acquirers have already developed, written and sent a summary of their plans for making their Level 4 merchants compliant under Visa's PCI Compliance Acceleration Program (PCI CAP). (See Visa PCI CAP Program.)

For acquirers that have not yet written and/or sent a summary of their plan, one must be
emailed to Visa no later than July 31, 2007. Email summaries to cisp@visa.com.

The Level 4 Merchant Compliance Program plan must consist of the following items:
  • Timeline of Critical Events: completion dates and milestones for the overall strategy.
  • Risk-Profiling Strategy: prioritization of Level 4 merchants into subgroups, from those that pose the greatest risk to those that pose little risk at all. Factors such as merchant category, transaction volume, market segment, acceptance channel and number of locations can help the acquirer target compliance efforts for each subgroup.
  • Merchant Education Strategy: a strategy designed to stop prohibited data from being stored, to protect stored data, and to secure the environment in accordance with PCI DSS. This includes ensuring that merchants store only the data they truly require, that their payment applications are compliant, and that any third-party agents are on Visa's list of CISP-Compliant Service Providers.
  • Compliance Reporting: monthly compliance reporting to executive or board management. Visa may also periodically ask the acquirer to produce these reports.

Visa PCI CAP Program

Visa is the first card brand to start a program that combines fines with incentives for acquirers to make their merchants PCI compliant, whatever their level.

Visa has invested over $20 million to pay acquirers a one-time payment for each Level 1 and Level 2 merchant that is compliant by March 31, 2007. Acquirers whose Level 1 and Level 2 merchants validate compliance after March 31 and before August 31, 2007 are eligible for a reduced one-time payment per qualifying merchant.

"Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA, in a Visa press release.

"By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

Under the CAP plan, acquirers are also required to validate Level 1 and Level 2 merchant compliance with PCI PIN security requirements. This means that Level 1 and Level 2 merchants must not use non-compliant PIN entry devices (PIN pads), and they are encouraged to use unique encryption keys for every device.

For Level 3 and Level 4 merchants, acquirers must establish a thorough compliance program. According to Visa, as of October 1, 2007, acquirers whose transactions qualify for the lower
interchange rates available in the Visa and Interlink tiers must ensure that the merchants generating those transactions are PCI compliant in order to receive the benefit.

Defining Service Provider Validation Levels

In addition to merchants, PCI DSS validation requirements extend to service providers. Visa defines service providers as organizations that process, store or transmit Visa cardholder data on behalf of Visa members, merchants or other third parties. Card issuers and acquirers are responsible for making sure that their merchants use service providers that are PCI DSS compliant, even where there is no direct contract between the merchant's service providers and the acquirer.

MasterCard uses "service provider" as an umbrella term for Third Party Processors (TPPs) and Data Storage Entities (DSEs).

According to the MasterCard Web site, Web merchants routinely contract with service providers to "facilitate many business functions, including, but not limited to, offering and selling their content online, payment services, hosting applications and processing."

Visa and MasterCard service providers are responsible for any liability that arises from non-compliance.

The current service provider levels for Visa and MasterCard are as follows:
  • Level 1 Visa: all VisaNet processors (member and non-member) and all payment gateways, i.e. any agent or service provider that stores, processes and/or transmits cardholder data as part of a payment transaction.
  • Level 2 Visa: any service provider not in Level 1 that stores, processes or transmits more than 1,000,000 Visa accounts/transactions annually.
  • Level 3 Visa: any service provider not in Level 1 that stores, processes or transmits fewer than 1,000,000 Visa accounts/transactions annually.
  • Level 1 MasterCard: all TPPs and DSEs that store account data on behalf of Level 1 or Level 2 merchants.
  • Level 2 MasterCard: all DSEs that store account data on behalf of Level 3 merchants.
  • Level 3 MasterCard: all other DSEs not included in Levels 1 and 2.

Neither Visa nor MasterCard defines a Level 4 for service providers; the Level 4 definitions earlier in this guide apply to merchants only.
The current Visa and MasterCard service provider validation requirements are as follows:
  • Level 1 Visa: annual onsite PCI data security assessment validated by a Qualified Security Assessor (QSA), and a quarterly network scan validated by an Approved Scanning Vendor (ASV).
  • Level 2 Visa: annual onsite PCI data security assessment validated by a QSA, and a quarterly network scan validated by an ASV.
  • Level 3 Visa: annual PCI Self-Assessment Questionnaire completed by the service provider, and a quarterly network scan validated by an ASV.
  • Level 1 MasterCard: annual onsite review by an internal auditor or a QSA, and a quarterly network security scan by an ASV.
  • Level 2 MasterCard: annual onsite review by an internal auditor or a QSA, and a quarterly network security scan by an ASV.
  • Level 3 MasterCard: annual PCI Self-Assessment Questionnaire completed by the service provider, and a quarterly network scan validated by an ASV.

High Risk Merchant or Service Provider

Any merchant or service provider that continues to use non-compliant payment applications, meaning applications that store full magnetic stripe data, CVV/CVV2 or PIN data, is considered High Risk.

A merchant or service provider that is considered High Risk will be contacted by its acquirer and, regardless of its compliance level, will be subject to an onsite review by an internal auditor or a QSA.

Competing Cards: American Express and Discover

As stated earlier in this guide, American Express and Discover Card do not yet have validation programs of their own like those of Visa and MasterCard; however, they do direct their merchants to follow the PCI DSS.

As a caveat within the CISP guidelines, Visa and MasterCard reserve the right to require merchants or service providers that process competing cards (most merchants process more than one card brand) to adhere to the CISP/SDP and PCI DSS requirements if Visa or MasterCard believes the merchant has compromised or is compromising card data, if there is evidence of a previous attack that compromised data, or if the competing card's transaction volume would place the merchant at Level 1.
Acquirer PCI Compliance Responsibility
It's up to the specific acquirer, along with the issuing credit card company, to educate their merchants, vendors, service providers, or any entity that stores or processes credit card data, and to enforce that they comply with and validate against PCI DSS and CISP standards.
If you are a merchant, vendor or service provider reading this information for the first time, it might be time, or past time, to question and contact your acquirer and credit card issuer.
To take it one step further: in 2006, Visa levied $4.6 million in fines on its acquirers, up from a 2005 total of $3.4 million.
PCI DSS 1.1 sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. The enforcement dates are as follows:
• Level 1 Merchants - Enforcement date: September 30, 2007
• New Level 1 Merchants - Enforcement date: One year after identification as Level 1
• Level 2 Merchants - Enforcement date: December 31, 2007
• New Level 2 Merchants - Enforcement date: September 20, 2007
• Level 1 and 2 Merchants - Prohibited Data Retention Attestation form, or Confirmation of Report Accuracy, to acquirer by March 31, 2007
• Level 3 Merchants - Contact acquirer or credit card company.
• Level 4 Merchants - Must have compliance plan submitted, via acquirer, to Visa by July 30, 2007.
For PCI compliance only, the acquirer will be fined between $5,000 and $25,000 per month for each Level 1 and Level 2 merchant who hasn't reached PCI compliance and PCI/CISP validation by September 30 and December 31, 2007, respectively.
As of March 31, 2007, if an acquirer has a Level 1 or Level 2 merchant who is still retaining full-track data, Card Verification Value (CVV2) or PIN data after the transaction authorization, Visa can fine the acquirer up to $10,000 a month per merchant if progress toward compliance is not made in a timely manner.
According to the Visa Web site, Level 1 and 2 merchants must validate that prohibited data is not retained subsequent to authorization by submitting a completed Prohibited Data Retention Attestation form or Confirmation of Report Accuracy form to their acquirer by March 31, 2007.
Calculating Merchant Transactions for PCI DSS
According to the Visa, Inc. CISP Program Web site, merchants fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. MasterCard's SDP is similar to Visa's CISP program.
Gathering the correct numbers for transaction volume can be confusing, but for Visa, Inc., the merchant's transaction volume is based on the aggregate number of Visa transactions (credit cards, debit cards, prepaid cards) from a merchant Doing Business As ("DBA").
For merchants and/or merchant corporations who operate more than one DBA, the aggregate volume of stored, processed or transmitted transactions by the corporate entity must be considered to determine the validation level.
If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, members will continue to consider the DBAs' individual transaction volume to determine the validation level.
Confusing? Here is Kark's answer to the same question about how to calculate transactions for more than one merchant.
"If an organization has several merchants, you have to aggregate all of those [merchant transaction] numbers, in order to come up with a number that you have in terms of the credit card data that resides within your organization, and the amount of transactions that you are processing within your organization," said Kark.
Continuing, he said, "If you house credit card information, in whatever form, if you house it in your server, that you own or you added, then you are basically responsible for complying with PCI…merchants need to be added [to the transaction volume] if you are housing credit card information for the specific merchant."

PCI DSS: Visa and MasterCard Quick Reference Guide
Merchant, Service Provider and Compliance Level 1
Merchant Qualification Criteria for Visa and MasterCard:
• Retail and eCommerce Merchants with greater than 6 million Visa and MasterCard transactions annually.
• Merchants that have suffered a hack or an attack that resulted in an account data compromise.
• Merchants that Visa and MasterCard determine should meet the Level 1 merchant requirements to minimize risk to the Visa system, or merchants identified by any other payment card brand as Level 1.
Service Provider Qualification Criteria:
• Visa - All VisaNet processors (member and nonmember) and all payment gateways: any agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction.
• MasterCard - All TPPs and DSEs that store account data on behalf of Level 1 or Level 2 merchants.
Validation Requirement:
• Visa - Annual onsite review by a QSA, or by Internal Audit if signed by an officer of the company, and a quarterly network security scan with an ASV.
• MasterCard - Annual onsite review by the merchant's internal auditor or a Qualified Security Assessor (QSA), and a quarterly network security scan with an Approved Scanning Vendor (ASV).
Deadline: September 30, 2007

Merchant, Service Provider and Compliance Level 2
Merchant Qualification Criteria:
• E-Commerce merchants with 150,000 to 6 million Visa or MasterCard transactions annually.
• All merchants meeting the Level 2 criteria of a competing payment brand.
Service Provider Qualification Criteria:
• Visa - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
• MasterCard - Includes all those DSEs that store account data on behalf of Level 3 merchants.
Validation Requirement:
• Visa - Annual onsite review by a QSA and quarterly network security scan with an approved ASV.
• MasterCard - Annual onsite review by a QSA and quarterly network security scan with an approved ASV.
Deadline: December 31, 2007

Merchant and Service Provider Compliance Level 3
Merchant Qualification Criteria:
• Visa - Merchants with annual e-commerce transactions greater than 20,000 but less than one million total transactions.
• MasterCard - Merchants with annual e-commerce transactions greater than 20,000 but less than one million total transactions, and all merchants meeting the Level 3 criteria of a competing payment brand.
Service Provider Qualification Criteria:
• Visa - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
• MasterCard - All other DSEs not included in Levels 1 and 2.
Validation Requirement:
• Visa - Completion of the PCI DSS Self Assessment Questionnaire and quarterly network security scan with an approved ASV.
• MasterCard - Completion of the PCI DSS Self Assessment Questionnaire and quarterly network security scan with an approved ASV.
Deadline: Contact acquirer or card brand representative.

Merchant and Service Provider Compliance Level 4
Merchant Qualification Criteria:
• Visa - Merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. Completion of the PCI DSS Self Assessment Questionnaire annually and quarterly network security scan with an approved ASV. The acquirer submits a summary of the PCI compliance plan to Visa by July 30, 2007. If a breach has been reported or found, Visa reserves the right to move the Level 4 merchant to Level 1. If so, the Level 4 merchant must abide by the Level 1 validation requirements. (See Level 4 Merchant Compliance for more information.)
• MasterCard - Any other merchant not covered in Level 1, Level 2 and Level 3 compliance qualifications.
Validation Requirement:
• Visa - Completion of the PCI DSS Self Assessment Questionnaire and quarterly network security scan with an approved ASV.
• MasterCard - Completion of the PCI DSS Self Assessment Questionnaire and quarterly network security scan with an approved ASV.
Deadline: Summary of PCI compliance plan, via acquirer, by July 30, 2007.

Step 3: Attaining PCI DSS Compliance - Merchant
Security Audits: 12 Requirements
The actual PCI Data Security Standard includes 12 major requirements for validation and certification under six main auditing areas or "control objectives". All of the compliance areas include basic security rules that most merchants and service providers should already have in place, or be familiar with, when audited.
If a merchant, Independent Sales Organization (ISO) or service provider is at Level 1 or Level 2, one of the major PCI DSS validation components is the Annual On-Site PCI Data Security Assessment, which is based entirely on the PCI DSS Audit Procedures document.
Merchants and service providers should select a Qualified Security Assessor (QSA) to perform the audit or, in the case of a Level 1 merchant or service provider, an internal audit signed by the chief officer of the organization.
Visa and MasterCard offer a list of approved QSAs on their Web sites. These assessors should strictly adhere to the Audit Procedures document and complete the mandatory Report on Compliance required for PCI certification and validation on behalf of the merchant or service provider.
According to the PCI Security Standards Council, all QSAs must attend a training class and pass an exam in order to have a basic knowledge and understanding of PCI DSS.
PCI DSS consists of 12 key requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt the transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

Compliance:
Visa requires you to comply with PCI DSS to help reduce your exposure to the reputational and financial risks associated with account payment data compromises. Your bank can help guide you through the relevant PCI DSS validation process.
However, if you do not comply with PCI DSS requirements, you could face financial or operational consequences, especially if you experience a breach and are found to be noncompliant.
The main control objectives for PCI DSS compliance and validation are as follows:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks

Build and maintain a secure network:
In order to build and maintain a secure network and to comply with the PCI DSS, system components, network components, and data elements related to authorization, data retention, data storage and data transmission must be secure.
This article gives a high-level overview of the PCI DSS and a brief overview of the audit checklist. Please refer to the PCI DSS documentation and the PCI Security Standards Web site for a detailed breakdown of all requirements.
The scope of PCI DSS for Level 1 merchants includes the following areas:
• Cardholder Data - Primary Account Number, Cardholder Name, Service Code, Expiration Date, Full Magnetic Stripe, CVC2/CVV2/CID, PIN/PIN Block, including any data repository outside of the authorization environment where 50,000 or more account numbers reside.
• System Components - Network components, servers or applications that hold or are connected to cardholder data. Applications include all purchased and proprietary/custom applications, as well as internal and external Internet applications. (External connections into the merchant network, like employee remote access, VisaNet and third-party access for processing and maintenance.)
• Network Components - Firewalls, switches, routers, wireless access points, network appliances and other security appliances.
• Server types include: Web, database, authentication, mail, proxy, network time protocol (NTP) and domain name server (DNS) (all connections to and from the authorization and settlement environment, such as connections for employee access or for devices such as firewalls and routers).

Point of Sale (POS) Environments
POS needs its own category, because the type of POS environment that exists for a merchant determines whether it needs to be included in the audit.
If the POS environment is IP-based, or has external access via the Internet, a wireless device, a Virtual Private Network (VPN), a dial-up connection, a broadband connection, or accessible machines like kiosks at the merchant location, the POS environment is required to be in the scope of the on-site review.
If the POS environment is neither IP-based nor has an external connection or access to the merchant location, then the on-site audit begins at the point of connection into the authorization and settlement environment.

Wireless Environments
According to the PCI DSS, wireless environments and technologies are the least secure. The technologies are still considered fairly new, and caution is encouraged for any merchant or service provider who is considering using a wireless environment.
The rules, according to version 1.1 of PCI DSS, are as follows:
• If wireless technology is used to store, process or transmit credit card data, the Requirements and Testing Procedures for wireless environments apply and are mandatory.
• If a wireless local area network (LAN) is connected to, or is a part of, the cardholder environment, the Requirements and Testing Procedures for wireless environments apply and are mandatory.
• If a merchant wishes to use wireless technologies or environments, consider using wireless technologies only for non-sensitive data transmission.

Outsourcing and Service Providers
For merchants that outsource storage, processing or transmission of credit card data to third-party service providers, separate Report on Compliance documents must explain the role of each service provider.
Conversely, all service providers are responsible for validating their own compliance with the PCI DSS requirements, independent of their customers' audits.
Merchants and service providers must work together, producing a contract to submit to all associated third parties which states that the third-party service providers agree to follow the PCI DSS.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
A firewall protects all traffic in and out of an organization's network: it examines all network traffic and blocks intrusive or unknown transmissions that do not meet the security criteria.
According to PCI DSS, installing and maintaining a firewall that protects the merchant or service provider from unauthorized Internet-based access through desktops, employee email accounts and/or e-commerce is a key protection mechanism for any computer network.

Requirement 2: Don't use vendor-supplied defaults for system passwords and other security parameters
This requirement is pretty self-explanatory, as vendor-supplied defaults for system passwords are easily hacked. In the world of the hacker, it's the first and easiest way to infiltrate a network system.
Though there are many other checkpoints for auditing purposes, the gist of this requirement is to always change vendor-supplied defaults before installing a system on the network (for example, passwords and simple network management protocol (SNMP) community strings), and to eliminate unnecessary accounts.
For wireless environments, the audit includes checking the vendor defaults: the wired equivalent privacy (WEP) keys, the default service set identifier (SSID), passwords and SNMP community strings.

Requirement 3: Protect stored cardholder data
The basic tenet of Requirement 3 is to make sure that all sensitive cardholder data is unreadable, no matter where it is stored: portable media, backup media, logs, or wireless networks.
As well, storing sensitive credit card data such as the full magnetic stripe track data, CVV and CVV2 is prohibited under PCI DSS.
However, there is an exception to this rule. In instances where some of the data elements are needed from the magnetic stripe track data, storing the accountholder's name, primary account number (PAN), expiration date and service code is acceptable.
At no time should a merchant or service provider store the card verification code or PIN verification data elements.
Other methods of cardholder data protection include truncating cardholder data if the full PAN is not needed, and not sending the PAN in an unencrypted e-mail.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
One of the major reasons TJX Companies, Inc. suffered the massive data breach that it did was due, in part, to faulty encryption security.
TJX management believes that hackers were able to get their hands on the decryption software, rendering the network system hostage to the hackers' whims.
If TJX had had a strong encryption program, the hackers could have gained access to the encrypted data, but they would not have been able to read the data without the proper cryptographic keys.
Confusion abounds concerning this requirement; however, one of the most reliable encryption algorithms is AES-256.
AES is the official encryption algorithm of the U.S. government, and information encrypted with it is considered secure until the year 2030. AES offers 128, 192 and 256-bit key lengths, making it very secure. Data stored with AES cannot be decrypted without the key.
A QSA can research and decide on the effectiveness of AES and/or other algorithms.
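The two requirements just described, Requirement 3 (retain only the permitted elements, truncate the PAN when the full number is not needed) and Requirement 4 (AES-256 so that ciphertext is useless without the key), can be shown together in one small Go program. This is an added example, not code from the article or from any card brand; the CardRecord and StoredRecord field names, the Sanitize function, and the sample record are assumptions made for illustration, and the PAN used is the widely published Visa test number, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// CardRecord is a constructed stand-in for what a payment application holds
// right after authorization. Field names are assumptions for this example.
type CardRecord struct {
	Name, PAN, Expiry, ServiceCode string
	Track2, CVV2, PINBlock         string // sensitive authentication data: never stored
}

// StoredRecord is the only shape that may reach disk: the permitted elements,
// the truncated PAN for display, and the full PAN solely in encrypted form.
type StoredRecord struct {
	Name, MaskedPAN, Expiry, ServiceCode string
	EncryptedPAN                         []byte // nonce || AES-256-GCM ciphertext
}

// luhnValid rejects malformed PANs before anything is persisted.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits, the most PCI DSS allows
// to be displayed when the full PAN is not needed.
func MaskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN under AES-256-GCM; the random nonce is prepended.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN recovers the PAN; a wrong key or a tampered ciphertext fails the
// GCM authentication tag and yields an error rather than plausible digits.
func DecryptPAN(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return "", fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	return string(plain), err
}

// Sanitize validates the PAN, drops Track2/CVV2/PINBlock (prohibited after
// authorization by Requirement 3) and returns the storable record.
func Sanitize(rec CardRecord, key []byte) (StoredRecord, error) {
	if !luhnValid(rec.PAN) {
		return StoredRecord{}, fmt.Errorf("invalid PAN")
	}
	enc, err := EncryptPAN(key, rec.PAN)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Name: rec.Name, MaskedPAN: MaskPAN(rec.PAN), Expiry: rec.Expiry,
		ServiceCode: rec.ServiceCode, EncryptedPAN: enc}, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // in production the key comes from a key-management system
	// Constructed input using the published Visa test PAN; the track and CVV2
	// values are made up and exist only to show that they are discarded.
	rec := CardRecord{Name: "J DOE", PAN: "4111111111111111", Expiry: "1230",
		ServiceCode: "201", Track2: "4111111111111111=1230201", CVV2: "123"}
	stored, err := Sanitize(rec, key)
	fmt.Println(stored.MaskedPAN, err)
}
```

The design point is that the sensitive authentication data never has a field in StoredRecord at all, so it cannot be written by accident, and that GCM authenticates as well as encrypts: decryption with any key other than the one used to seal fails outright, which is the property the article describes when it says encrypted data cannot be read without the proper cryptographic keys.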
Requirement 5: Use and regularly update anti-virus software
Across the board, whether merchant, service provider, or average citizen, up-to-date anti-virus software can protect systems from viruses and malicious intrusions.
The three main points of this requirement are:
• Deploy anti-virus software on all systems commonly affected by viruses: personal computers and servers.
• Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
• Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Requirement 6: Develop and maintain secure systems and applications
Continuously updated, vendor-provided security patches and software patches can stop hackers from gaining access to network systems.
Attacks can come not only from hackers, but also from employees and viruses.
The following PCI DSS requisites represent a sample of Requirement 6:
• All systems must have the most recently released appropriate software patches to protect against exploitation by employees, external hackers, and viruses.
• Implement a process to identify newly discovered security vulnerabilities: subscribe to alert services on the Internet, or via anti-virus software.
• Develop software applications based on industry best practices: Visa's Payment Application Best Practices (PABP) for payment applications.
• Test all security patches and system and software configurations before deployment.
• Remove custom application accounts, usernames and passwords before applications become active or are released to customers.
• Review custom code prior to release to production or customers in order to identify any potential coding vulnerability.

Requirement 7: Restrict access to cardholder data by business need to know
One of the most common, yet overlooked, vulnerabilities for any organization, and for the systems within that organization, is a lax access control policy.
Many organizations still allow employees with no direct connection with the data to view sensitive cardholder data or to access network systems.
In order to adhere to Requirement 7, a merchant or service provider must do the following:
• Computing resources and cardholder information: limit access to employees whose job requires that they have access to the data.
• Implement a "deny all" mechanism: for systems with multiple users, put in place a mechanism that automatically denies any employee who is not authorized to view the data.

Requirement 8: Assign a unique ID to each person with computer access
In order to comply with PCI DSS, each computer user in your organization should be assigned a unique ID before you allow the user to access your system and the cardholder data stored within your system.
The following PCI DSS requisites represent a sample of Requirement 8:
• Employ either a password, token devices, or biometrics.
• Use remote authentication dial-in user service (RADIUS) or terminal access controller access control system (TACACS) with tokens, or VPN with individual certificates, for employees, administrators and third parties.
• Encrypt all passwords during transmission and storage on all system components.

Requirement 9: Restrict physical access to cardholder data
The lack of enforced restrictions on an employee's physical proximity to sensitive data, such as credit card data, continues to be a very common and basic violation.
This requirement forces organizations to apply rules on access and proximity to the actual credit card data, and to develop procedures to identify employees and visitors.
The following PCI DSS requisites represent a sample of Requirement 9:
• Restrict physical access to wireless access points, gateways and handheld devices.
• Restrict physical access to publicly accessible network jacks.
• Store media back-ups in a secure location, preferably an off-site facility.
• Physically secure all paper and electronic media: computers, electronic media, networking and communications equipment.

Requirement 10: Track and monitor access to network resources and cardholder data
The use of logging mechanisms and audit trails allows an organization to track user activities. According to the PCI DSS, having the ability to log and track helps to determine where a problem occurred.
The following PCI DSS requisites represent a sample of Requirement 10:
• Establish a process for linking all access to system components to each individual user.
• Implement automated audit trails for all system components, covering the actions of each individual with administrative privileges.
• Secure audit trails so they cannot be altered.
• Limit viewing of audit trails to those with a job-related need.
• Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

Requirement 11: Regularly test security systems and processes
Without continual testing of the security systems in place, hackers can capitalize on system-wide vulnerabilities within processes and custom software.
The following PCI DSS requisites represent a sample of Requirement 11:
• Quarterly Security Testing: test all security controls, network connections and restrictions annually, and use a wireless analyzer at least quarterly to identify all wireless devices in use.
• Quarterly Vulnerability Scans: run internal and external network vulnerability scans quarterly, and especially after any change in the network.
• Penetration Testing: once a year, perform penetration testing, and especially after an operating system upgrade, a sub-network added to the environment, or a web server added to the environment.

Requirement 12: Maintain a policy that addresses information security
One of the most basic tools to combat a security breach is an actual written policy for all employees in the organization.
As the PCI DSS states, "A strong security policy sets the security tone for the whole company and informs the employees what is expected of them."
The following PCI DSS requisites represent a sample of Requirement 12:
• Establish, publish, maintain, and disseminate a security policy that addresses all of the requirements in the specification.
• Develop daily operational security procedures that are consistent with the requirements in this specification.
• Develop usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors.
• Prohibit cardholder data storage onto local hard drives, floppy disks, or other external media when accessing cardholder data remotely via a modem.

Step 4: Finding a PCI DSS Approved Scanning Vendor (ASV)
Do You Need an ASV?
In order to meet the quarterly network scanning requirements, merchants and service providers at Level 1, 2, 3 or 4 need an ASV to facilitate the scanning.
Any merchant or service provider with annual transactions totaling 10,000 or more is required to have a quarterly network system scan.
According to the PCI Security Standards Council, the MasterCard ASV program was terminated on or about October 7, 2006, and Visa International's QSA certification program transitioned from October to December 2006 to revert to the PCI SSC's guidelines and ASV lists.
Currently, the PCI Security Standards Council administers all ASV contracts, and the PCI SSC also trains and certifies ASVs.
All scans must be conducted by an ASV, and ASVs are required to conduct scans in accordance with the "Technical and Operational Requirements for Approved Scanning Vendors (ASVs)" procedures.
The main points of the technical and operational requirements for ASVs are as follows:
• The normal customer environment is not to be impacted.
• The ASV should never penetrate or alter the customer environment.

PCI DSS: Security Scanning Procedures
Merchant and Service Provider Scanning Requirements
PCI Security Scans provide merchants and service providers with invaluable information concerning their network system and work hand-in-hand with a comprehensive vulnerability management program.
PCI approved scans can help a merchant or service provider find misconfigurations of Web sites, applications and IT infrastructures with Internet-facing IP addresses.
The results of a PCI approved scan can provide knowledge that leads to efficient patch management and other security measures that rectify problems and improve protection against future Internet attacks.
The following is an overview of the basic scanning requirements for merchants, service providers and ASVs:
• Internet-facing IP Addresses: Merchants and service providers must scan their web sites or IT infrastructures that have externally facing IP addresses. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope. If an account data compromise occurs via an IP address or component not included in the scan, the merchant or service provider is responsible.
• Domain-based virtual hosting: Provide the ASV with a list of all domains that should be scanned if domain-based virtual hosting is used.
• Defining the scope of the scan: If an organization has a large number of IP addresses but only uses a small number for card acceptance or processing, the ASV can help the merchant or service provider define the scope of the network scan.
• Applying segmentation: To reduce the scope of the network scan, an ASV can help the merchant or service provider segment the IP addresses in one of two ways: (1) by providing physical segmentation between the segment handling cardholder data and other segments, and (2) by employing appropriate logical segmentation where traffic is prohibited.
• Filtering devices: The ASV must scan all filtering devices such as firewalls or external routers (if used to filter traffic). Firewalls and routers used to establish a demilitarized zone (DMZ) must also be scanned for vulnerabilities.
• Web Servers: Internet users view Web pages and/or buy merchandise from Web merchants via a Web server. Because these servers are fully accessible from the public Internet, scanning for vulnerabilities is essential.
• Application Servers: When a cardholder sends account numbers in a transaction with a merchant or service provider, the application server is the actual interface that allows data to be transferred in and out of a network via backend databases. The ASV must scan application servers, or the Web server itself when it is configured to act as an application server.
• Domain Name Servers (DNS): The DNS server translates domain names into IP addresses. A merchant or service provider either uses the DNS provided by an Internet Service Provider (ISP) or their own DNS. Either way, an ASV must scan all DNS servers, because hackers can create a fake merchant or service provider Web site and ask for and collect credit card data fraudulently on behalf of the organization.
• Mail Servers: ASVs must scan mail servers, as mail servers are routinely vulnerable to hacker attacks.
• Scan all Load Balancers: If merchants or service providers use a load balancer to spread the traffic load to more than one server, then they should scan all of the individual servers behind the load balancer.
• Virtual Hosts: If a merchant or service provider shares a server through a Web hosting company, then they are also sharing that server with the other customers of that Web hosting company. It is the merchant's or service provider's responsibility to request that their hosting company provide a scan of their entire Internet-facing IP range and demonstrate compliance, while the merchant or service provider is required to have their own domains scanned by an ASV.
• Wireless Access Points: Wireless LANs (WLANs) set up data security risks, like misconfigurations, that need to be identified and resolved. The ASV must scan wireless access points in WLANs, along with other wireless components that are connected to the Internet.
• Intrusion detection and prevention: Merchants and service providers must configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not feasible, the scan should originate in a location that prevents IDS/IPS interference.

Vulnerability Levels
Based on the results of the network scan, ASVs produce an exhaustive report that describes the following:
• Vulnerability type or risk
• Diagnosis of issues linked to the vulnerability type
• Consultation on how to fix or patch the isolated vulnerabilities
• A rating for each vulnerability
Each ASV may have a distinctive method of reporting vulnerabilities, but all high-level risks will be reported consistently to ensure a fair and consistent compliance rating.
In order to be PCI DSS compliant, or compliant with any card brand program, a scan must not contain any vulnerability concerning features or configurations that are a PCI DSS violation.
If the ASV determines that these exist, the ASV meets with the merchant or service provider to determine if these are really PCI DSS violations. If so, the ASV issues a noncompliant scan report.
High-level vulnerabilities are designated as level 3, 4, or 5.

Level 5 Vulnerabilities
Level 5 (Urgent): With this level of vulnerability, hackers can compromise the entire host. This vulnerability type allows hackers to have complete access to full file-system read and write capabilities, remote execution of commands as a root or administrator user, as well as the presence of backdoors and Trojans.
Level 4 Vulnerabilities
Level 4 (Critical): Gives hackers partial access to file systems and also provides them with remote user capabilities. These vulnerabilities expose highly sensitive information.
  29. 29. Level 3 VulnerabilitiesLevel 3 (High) -Gives hackers access to information stored on the host, including security settings. Itsets up misuse of the host by intruders. Examples include access to specific files, denial of serviceattacks, directory browsing, mail relaying.Level 2 VulnerabilitiesLevel 2 (Medium) -Gives hackers a chance to research attacks against the host, and access to somesensitive information from the host, such as exact versions of services.Level 1 VulnerabilitiesLevel 1 (Low) --Vulnerabilities expose information, such as open ports. Information can be obtainedby hackers on configuration.Compliance ReportingThough the PCI SSC has assumed ownership and management of Visa and MasterCardscompliance reporting programs, its still incumbent upon merchants and service providers to followeach card companys compliance reporting requirements, to ensure that the card company acceptsand verifies their compliance status.Compliance reports must be submitted according to each cards requirements. According to the PCISCC, payment brands-MasterCard, Visa, American Express, and Discover-will continue to focus oncompliance of the security standards."Any entity that achieves PCI DSS compliance will need to continue sending the appropriatecompliance validation documentation to the payment brands, financial institutes, or other agents thathave a contractual relationship with the compliant entity," According to the PCI SSC FAQ."PCI SSC cannot be the central repository for this information. Our focus will remain on definingeffective payment-related security standards, as well as educating and providing resources to themarketplace to drive awareness and adoption of these standards."Qualified Security Assessors (QSA)As with the ASVs, the Qualified Security Assessors (QSAs) conduct PCI validation assessmentscompliant with the PCI DSS. 
The skill level and competence of a QSA must meet the PCI SSCstandards.Individual QSAs, who perform PCI Data Security Assessments for merchants and service providersmust be approved as a Qualified Security Assessor ("QSA") by the PCI SSC.The PCI SSC defines the qualifications for QSAs and ASVs, as well as training, testing and certifying 29
  30. 30. both. The PCI SSC Web sites, and the Visa and MasterCard Web sites, post the lists of qualifiedQSAs.Visa and Compliance ReportingLevel 1 MerchantsAccording to the Visa Web site, the template for the Report on Compliance is the actual Annual On-Site PCI Data Security Assessment document.In order to complete the Report on Compliance, Level 1 merchants need a Qualified SecurityAssessor (QSA) to complete the Report on Compliance and present the report to themerchant/service providers acquirer.A merchants acquirer may choose to accept the Report on Compliance from a Level 1 merchant,with a letter signed by a merchant officer within the organization, along with the report. Level 1merchants must also submit the Confirmation of Report Accuracy form completed by their QSA totheir acquirers.Once the acquirer accepts the information, the acquirer must submit the Confirmation of ReportAccuracy form and a letter accepting the merchants full compliance validation to Visa upon receiptand acceptance of the merchants validation documentation.Level 1, 2 and 3 MerchantsAccording to the Visa Web site, acquirers are responsible for ensuring that the quarterly networksecurity scans required of their levels 1, 2, and 3 merchants are performed by an ASV. The QuarterlyNetwork Security Scan may be required of level 4 merchants as specified by their acquirer.Level 2 and Level 3 MerchantsLevel 2 and 3 merchants must complete the Annual PCI Self-Assessment Questionnaire. Level 4merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by theiracquirer.Level 1 and Level 2 Service ProvidersLevel 1 and 2 service providers must complete the Annual Self-Assessment Questionnaire andAnnual On-Site PCI Data Security Assessment. 
The results from both must be supplied to theacquirer, and the documents may serve as the template for the Report on Compliance.Levels 1 and 2 service providers must employ a (QSA) to complete the Report on Compliance.Level 1, 2 and 3 Service ProvidersLevel 1, 2, and 3 service providers are accountable for ensuring that an ASV performs a quarterlynetwork scan on the Internet-facing network perimeter systems.Level 3 Service ProvidersLevel 3 service providers must complete the Annual PCI Self-Assessment Questionnaire. 30
  31. 31. MasterCard and Compliance ReportingLevel 1 MerchantsFor the annual onsite review, MasterCard allows the review to be conducted by either the merchantsinternal auditor or a QSA.Level 1, 2, 3 and 4 MerchantsTo fulfill the network-scanning requirement, all merchants must conduct scans on a quarterly basisusing an Approved Scanning Vendor.Level 4 MerchantsLevel 4 Merchants should consult their acquirer to determine if compliance validation is also required.Level 1 and 2 Service ProvidersFor the annual onsite review, MasterCard Service Providers must use a QSA.Level 1, 2 and 3 Service ProvidersFor the quarterly network-scanning requirement, all Level 1, 2 and 3 service providers must use anAVS.MasterCard SDP ComplianceAlong with following PCI DSS, MasterCard merchants must follow these steps: • Associate the level classification in the SDP Program. • Go through the PCI documentation and compliance validation tools. • Make contact with an approved vendor, if needed, and follow the compliance procedures. • Validate compliance with acquirer--the acquirer will register you with MasterCard on an annual basis, signifying compliance with the SDP Program.Step 5: Completing the PCI DSS Self QuestionnaireFor Level 2, 3 and-in some instances-Level 4 merchants and service providers, responding to thePCI Self Questionnaire is one validation requirement that must be met.It is divided into six sections based on the 12 PCI DSS requirements.It serves as somewhat of a checklist, to make certain that a merchant has completed the PCI DSSsecurity steps to protect credit card data.The questionnaire identifies any area of non-compliance.Preparing to AnswerIn order to properly answer the questionnaire, make sure to read and review the PCI Data Security 31
  32. 32. Standard.If, after going through the PCI DSS documents, your organization already meets the PCI SSCrequirements, do the following: • Fill out the PCI Self Questionnaire. • Convert the questionnaire to a PDF file. • Send the document to your acquiring bank.If your organization does not meet the PCI SSC requirements stated in the questionnaire, do thefollowing: • Print and distribute the questionnaire to the appropriate authorities within your organization to obtain accurate answers. • Take the steps necessary to establish a set of correct answers. • Complete the questionnaire.Scoring the QuestionnaireIn order to send a valid PCI Self Assessment Questionnaire, merchants/service providers have toanswer all of the questions with a Yes or N/A in order to be compliant per the PCI DSS.If a merchant/service provider answers No to any question, the organization is deemed NonCompliant.The security threat areas identified by the questionnaire must be resolved, in conjunction withrecommendations from the selected ASV or QSA.Organizations must continue to retake the questionnaire, until all questions can be answered with aYes or N/A.Step 5: Sending the PCI DSS QuestionnaireOnce the requirements have been met and the questionnaire has been completed, it should be sentto the merchants acquiring bank alongside a successful PCI scan report from an approved scanningvendor.As well, if the organizations acquirer or credit card brand requires other certifying documentation inaddition to the questionnaire, those accompanying documents must be sent to the acquirer.Please check with your acquirer or credit card company for more information. Source: www.pcicomplianceguide.org 32
  33. 33. Cardholder Data Theft and Fraud – real life cases• February 18, 2005 – Bank of America claimed that it had lost more than 1.2 million customerrecords – though it said there was no evidence that the data had fallen into the hands of criminals.• June 16, 2005 – CardSystems, a merchant payment-processing provider, was sued in a series ofclass action cases alleging that it failed to adequately protect the personal information of 40 millioncustomers. CardSystems’ business faced collapse as VISA and American Express cut their ties withthe company, prohibiting it from processing their card data. CardSystems was subsequently acquiredby another company.• February 9, 2006 – It was estimated that around 200,000 debit card accounts were disclosed byunknown retail merchants, apparently OfficeMax and others. These included accounts related tobank and credit union acquirers nationwide such as Citibank and Wells Fargo.• January 31, 2006 – Boston Globe and The Worcester Telegram & Gazette unwittingly exposed240,000 credit and debit card records along with routing information for personal checks printed onrecycled paper used in wrapping newspaper bundles for distribution.• January 12, 2007 – MoneyGram, a payment service provider, reported that a company server wasunlawfully accessed over the Internet last month. It contained information on about 79,000 billpayment customers, including names, addresses, phone numbers, and in some cases, bank accountnumbers.• January 17, 2007 – TJX Companies Inc. publicly disclosed that they had experienced anunauthorized intrusion into the electronic credit/debit card processing system. In what is consideredthe most glamorous security breaches to date, as much as 45,700,000 credit/debit card accountnumbers and over 455,000 merchandise return records (containing customer names and driverslicense numbers) were stolen from the company’s IT system. Source: “PCI DSS made easy” from ittoolbox.com 33
