PCI DSS Overview Jan2010


PCI DSS Overview
-How to Comply with PCI DSS

  • Speaker notes (slide 2), Chinese press headlines on card fraud:
    • Before the National Day holiday the China Banking Regulatory Commission issued a public advisory on safe bank card use: the card being in your hand does not mean the card is safe
    • The ranks of bank card resellers are growing; private trading yields 900% profits
    • America's "most formidable" hacker indicted for stealing 130 million credit card records
    • Someone is buying up POS receipts? Beware of your card being cloned!
    • ATM "black hands" appear ever more often; who pays for cloned cards?
    • Bank clerk "sold" customer records
    • Bank card skimmers openly sold online, with no effective countermeasures yet
    • The card never left its owner, yet the money vanished
  • Speaker notes (slide 5), diagram labels: Issuer Bank, Acquirer, Card Association, Cardholder, Merchant
    • Cardholder: the owner of the card used to make a purchase
    • Merchant: the business accepting credit card payments for products or services sold to the cardholder
    • Acquirer: the financial institution or other organization that provides card processing services to the merchant
    • Card association: a network such as VISA® or MasterCard® (and others) that acts as a gateway between the acquirer and issuer for authorizing and funding transactions
    • Issuer: the financial institution or other organization that issued the credit card to the cardholder
    • Payment Brands: provide authorization and clearing / settlement services; establish operating rules and regulations
    • Service Providers: business entities directly involved in the processing, storage, transmission, and switching of transaction data or cardholder data. Includes companies that provide services such as Software Development, Processing, call
  • Speaker notes (slide 6): Prior to September 2004 there was no standardization across card companies on credit card security requirements, so it was difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others. As fraud losses increased, the card industry realized the need for consistent and well-defined security standards. Card Security Programs that incorporate PCI DSS:
    • VISA Cardholder Information Security Program (CISP)
    • MasterCard Site Data Protection (SDP) Program
    • American Express Data Security Requirements
    • Discover Financial Services Discover Information Security and Compliance (DISC) Program
    • JCB Data Security Program
  • Speaker notes (slide 7): PCI DSS was announced in September 2004, a collaboration between VISA and MasterCard, endorsed by other card companies as well: "… offers a single approach to safeguarding sensitive data for all card brands…"
  • Speaker notes (slide 15): Any merchant that accepts or processes credit cards must maintain compliance with the PCI Data Security Standard regardless of organization size or transaction volume. The level of demonstrable assurance varies based upon the yearly credit card transaction processing volume. If we know where CLIENT falls we should identify it on the chart above.
  • Speaker notes (slide 17): Title verbiage: Who should care about PCI? Answer: Who shouldn't (1st click). First, let's look at who has to demonstrate PCI compliance in the first place:
    • Merchants: include large retailers, online stores, mom & pop shops; Level I (merchants processing over 6M transactions/year) to Level IV (fewer than 20K transactions/year). Business model: accept cards from cardholders/consumers; cards branded by card association, issued by bank; pay transaction fee to payment service provider or issuing bank
    • Payment Service Providers: PayPal, Obopay, others
    • Issuing, Acquiring Bank:
  • Speaker notes (slide 18): The importance of compliance extends beyond corporate responsibility, and there are severe consequences of non-compliance: endangering customer information. Exposure could lead to:
    • fines levied by acquiring banks
    • cost of replacing cards and perhaps covering fraudulent charges
    • loss of merchant status
    • elevation to Level 1 status (and the resulting compliance validation costs)
  • Speaker notes (slide 19), detailed notes:
    1. Avoid penalties due to non-compliance: fines imposed on merchants, payment service providers, issuing/acquiring banks; entities lose favorable status with card association/bank and pay higher transaction fees due to higher risk; credit monitoring of cardholder accounts in event of breach; cash reserves to help pay for litigation, credit monitoring, fines due to non-compliance (money that can't be invested to grow the business)
    2. Compliance is good for business! Gain visibility to make better business decisions; leverage the effort for other compliance requirements
  • The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

    1. PCI DSS Overview: What it is and why you might find it useful. Delivered by Amy Zhu (amyseeger@hotmail.com), Jan 2010
    2. Risks in Payment Industry 06/03/10
    3. Credit card theft is big business!
       • Phishing attempts on the rise
         • to trick individuals into divulging financial info
       • Dramatic move by "hackers" to compromise machines for profit
         • keyboard monitoring software
       • Many chat channels devoted to underground trading of credit card #'s
    4. PCI SSC and PCI DSS
    5. Payment Card Industry Players (diagram labels: Payment SP/Acquirers, Card Association)
    6. Prior to 2004… Cardholder Information Security Program (CISP), Site Data Protection Program (SDP), Discover Information Security Compliance (DISC), Data Security Standard (DSS). Confused Merchants ???
    7. And there Comes the PCI DSS: Payment Card Industry Security Standards Council
    8. Target Audience: "Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data." *Payment Card Industry Data Security Standard
    9. What is PCI DSS
       • Data Security Requirements
         • A set of Targets (6), Requirements (12) and Detailed Controls
       • Defines the Framework of a Secure Payment Environment
       • Continuous Process
         • Assess
         • Remediate
         • Report
    10. Data Elements & Protection Requirements

        Data Element                                   Storage Permitted   Protection Required   PCI DSS Req. 3,4
        Cardholder Data
          Primary Account Number                       Yes                 Yes                   Yes
          Cardholder Name                              Yes                 Yes                   No
          Service Code                                 Yes                 Yes                   No
          Expiration Date                              Yes                 Yes                   No
        Sensitive Authentication Data
          Full Magnetic Stripe Data                    No                  N/A                   N/A
          CAV2/CVC2/CVV2/CID                           No                  N/A                   N/A
          PIN/PIN Block                                No                  N/A                   N/A
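The table above separates data that may be stored only if protected (the PAN) from sensitive authentication data that must never be stored after authorization (full magnetic stripe data, CVV2, PIN). The following is an added example, not code from the slide deck or from the PCI SSC: a small scanner that a merchant could run over its own logs or database exports to find stored PANs (validated with the Luhn check digit) and full Track 2 data, and that masks any PAN it reports. Two assumptions are made that the slides do not state: the masking rule follows PCI DSS Requirement 3.3 (show at most the first six and last four digits), and Track 2 data is recognised by its ISO/IEC 7813 layout (`;` start sentinel, PAN, `=` separator, expiry, service code, `?` end sentinel). All sample records are constructed.

```python
"""Added example: locate cardholder data and sensitive authentication
data in stored records, following the storage rules of the slide's
"Data Elements & Protection Requirements" table. Not part of the deck."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Track 2 magnetic stripe data (ISO/IEC 7813 layout, an assumption not stated
# on the slides): ';' start sentinel, PAN, '=' field separator, expiry YYMM,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; separates real account numbers from random
    digit runs such as order or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text, digits only."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits at most
    (PCI DSS Req. 3.3, assumed here; the slide table only says the PAN
    requires protection)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: str) -> dict:
    """Summarise what a stored record contains. A PAN is reportable but may
    be kept protected; Track 2 data is a storage violation outright."""
    pans = find_pans(record)
    return {
        "pan_count": len(pans),
        "masked": [mask_pan(p) for p in pans],
        "track2_present": bool(TRACK2_RE.search(record)),
    }


if __name__ == "__main__":
    # Constructed sample records; 4111111111111111 is a well-known Luhn-valid test number.
    samples = [
        "order 42 paid with 4111 1111 1111 1111, ref 1234567890123456",
        "raw swipe captured: ;4111111111111111=15121010000?",
        "customer 8821 paid 19.99 on 2010-01-15",
    ]
    for s in samples:
        print(audit_record(s))
```

The reference number in the first sample is sixteen digits long but fails the Luhn check, so it is not reported; the second sample is flagged twice, once for the PAN and once for the full Track 2 data, which the table says may never be stored.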
    11. Front Face of Payment Card
    12. Rear Face of Payment Card
    13. PCI DSS Requirements #1 (PCI Data Security Standard)
       • Build and Maintain a Secure Network
         • Install and maintain a firewall configuration to protect data
         • Do not use vendor-supplied defaults for system passwords and other security parameters
       • Protect Cardholder Data
         • Protect stored cardholder data
         • Encrypt transmission of cardholder data across public networks
       • Maintain a Vulnerability Management Program
         • Use and regularly update anti-virus software
         • Develop and maintain secure systems and applications
    14. PCI DSS Requirements #2 (PCI Data Security Standard)
       • Implement Strong Access Control Measures
         • Restrict access to cardholder data by business need-to-know
         • Assign a unique ID to each person with computer access
         • Restrict physical access to cardholder data
       • Regularly Monitor and Test Networks
         • Track and monitor access to network resources and cardholder data
         • Regularly test security systems and processes
       • Maintain an Information Security Policy
         • Maintain a policy that addresses information security
    15. Merchant levels
       • Merchant levels are based on the merchant's yearly transaction volume
       • Specific criteria for placement in merchant levels vary across card companies
       • All merchants, regardless of level, must adhere to PCI DSS requirements
       • The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost)
       • Let's take a quick look at Visa's levels…
    16. PCI Compliance: Business Need. Compliance validation levels, with the annual assessment and perimeter scan each requires:
       • Merchant Level 1: processing > 6M transactions / year (any channel), or suffered a hack that resulted in data compromise. Annual assessment: Independent Security Advisor (on site). Perimeter scan: Qualified Independent Scan Vendor
       • Merchant Level 2: processing 1M - 6M transactions / year (any channel). Self Assessment Required; Quarterly Network Scan Required
       • Merchant Level 3: processing 20K - 1 million e-commerce transactions / year. Self Assessment Required; Quarterly Network Scan Required
       • Merchant Level 4: processing < 20K e-commerce transactions / year, or < 1M non-e-commerce transactions / year. Self Assessment Recommended; Quarterly Network Scan Recommended
    17. Where Do You Fit in the PCI Ecosystem? (diagram)
       • PCI Compliance Required: Card Association; Vendor: implement controls to address PCI requirements; Merchant/Customer: measure against these controls; annual self-assessment questionnaire; quarterly scans, annual audits (ASV, QSA)
       • Compliance Failure results in… PCI-related fines and cash reserves; damaged reputation; revocation of favorable transaction fee rates; loss of confidence in merchant, bank
    18. Consequences of Non-Compliance
       • Fines: up to $500K per incident (VISA alone), government fines, insurance, and litigation
       • Brand Reputation: share price degradation, loss of customer confidence
       • Revocation of Credit Card Processing: inability to process credit card transactions
       • Additional Compliance Requirements: increased PCI validation requirements
    19. Obvious Benefits of PCI Compliance
       • Avoid penalties due to non-compliance
       • Compliance is good for business: win and retain customers
       • We know non-compliance isn't pretty
       • (diagram) Card Association; FAILED: Fines, Higher Transaction Fees; Lower risk = Lower Transaction Fees with PCI Compliant Entities
    20. PCI Review: Protection against Fraud
       • Standards and requirements for data security
       • Applies throughout the data and networking environment
       • Currently non-legislative*, but enforceable through fines and penalties
       • The obligation for compliance is on merchants and service providers
       • Key Principles
         • Sensitive authentication data cannot be stored
         • Cardholder data must be protected
       In 2004 the major credit card companies aligned their individual security policies to create the Payment Card Industry Data Security Standard (PCI DSS). Current requirements are based on the 2008 version 1.2.
    21. How to Comply with PCI DSS
    22. The Steps of PCI DSS Compliance
       • Define the Scope of Assessment
       • Sampling of Business Facilities and System Components
       • Compensating Controls
         • Validated by QSA on an annual basis
       • Report
         • ROC: Report on Compliance
         • Evidence of a passing scan
         • Attestation of Compliance
       • Clarification (if required)
    23. Methods to Achieve Compliance
       • Independent Assessment
         • Applicable to Merchants/SPs processing a large transaction volume
         • Appoint a QSA to assess the payment system and environments
         • Validation of Compliance
       • Self Assessment
         • Applicable to Merchants/SPs processing a small transaction volume
         • Complete the Self Assessment Questionnaire
    24. The Continuous Process
       • Assess
         • All IT infrastructure and Business Processes
         • Analyze the Vulnerabilities
       • Remediate
         • Fix the Vulnerabilities
       • Report
         • ROC: Report On Compliance
       • -> Ensure the Security of Cardholder Data
    25. A Comprehensive View: Corporate Compliance Framework. Although PCI provides compliance requirements in most areas, it is only a subset of what is required when building a comprehensive security compliance program. Each organization will have unique compliance requirements to consider when building its compliance program.
       • Compliance Requirements: Business Drivers; Corporate Security Policies and Standards; PCI DSS, Data Privacy, SOX, HIPAA, GLBA
       • Processes and Procedures: Procedures, Standards, Baselines, Audit Guidelines
       • Technology Enablement: Host Agents, Network Agents, Asset Database, Ticketing System, Event Sensors, Identity and Access, Applications, Databases, Log Collectors, Manual Audit, Metrics and Reporting
       • Security Framework: ISO 27002 / BS 7799
    26. Q & A. Following are Supplementary Materials
    27. For More Information
       • www.visa.com/cisp
       • www.pcisecuritystandards.org
    28. Glossary
       • Sensitive Authentication Data: Security-related information (card validation codes/values, full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders, appearing in plain-text or otherwise unprotected form.
       • Cardholder Data: At a minimum, cardholder data contains the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, service code.
       • Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
       • Merchant: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
       • PAN: Acronym for "primary account number", also referred to as "account number." Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
       • QSA: Acronym for "Qualified Security Assessor," a company approved by the PCI SSC to conduct PCI DSS on-site assessments.
    29. Track 1 & 2
    30. Track 2
    31. Important Card Data
       • Financial card dimensions, location of the magnetic stripe, and data encoding and layout are all covered in ISO standards (source: www.magtek.com)
    32. Important Card Data
       • For processing transactions it is necessary for the merchant to present multiple fields to the acquiring financial institution, e.g. PAN, expiry date, CVV/CVC, PVV or PIN Offset.