  • Key Learning Point: Using PCI compliant equipment and software can support merchant efforts to become PCI DSS compliant, but does not make a merchant PCI DSS compliant. The PCI DSS covers all aspects of how a merchant protects cardholder data, which goes beyond using secure equipment and software.
  • Key Learning Point: Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes.

    1. PCI-DSS Introduction
       Nguyen Ngo, Ninh Dang
    2. Agenda
       PCI-DSS Fundamental
         • What is PCI-DSS
         • Why are the PCI Security Standards Important?
         • Key Definitions
         • PCI Standards Boundary
         • Recommended Understanding
       Instruction
         • Determine PCI Level
         • Validate Requirement
         • Choose SAQ
       Implementation
         • Principles
         • PCI-DSS Requirements
         • PA-DSS Requirements
         • Self Assessment Questionnaire
         • Report
    3. PCI-DSS Fundamental
    4. Payment Card Data Issues
    5. What is PCI?
       PCI stands for the Payment Card Industry and is used to refer to:
         • The PCI Security Standards Council (PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders:
         • The global Security Standards created and maintained by the PCI SSC to protect cardholder payment data.
       Key Learning Point: Compliance with PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands who established the PCI SSC.
    6. What is PCI DSS?
       “The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information… the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.” – PCI Standards Council
    7. Why are the PCI Security Standards Important?
       The Standards are important because they protect cardholder data in order to help prevent data compromises and subsequent fraud activity:
         • Customers expect merchants and their acquirers to keep their card account data safe
         • Data compromises can result in significant fines and losses for merchants and can damage the merchant’s reputation with customers
         • The number of data compromise incidents is increasing annually; organized criminal enterprises are targeting vulnerable merchants
    8. PCI-DSS Object
    9. Key Definitions
       Data definitions
         • Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code, Expiration Code
         • Sensitive authentication data: Full Magnetic Stripe Data, CVV, PIN (Personal Identification Number)
       Keywords
         • PCI-DSS: Payment Card Industry Data Security Standard
         • PA-DSS: Payment Application Data Security Standard
         • PTS: PIN Transaction Security
         • QSA: Qualified Security Assessor
         • SAQ: Self Assessment Questionnaire
         • ASV: Approved Scanning Vendor
    10. PCI Standards Boundary
         • The PCI Data Security Standard (PCI DSS): if a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard merchants, processors, and service providers must meet for the complete protection of payment cardholder data.
         • The Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) (previously known as PIN Entry Device (PED)) security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment application software and PIN entry devices.
    11. Recommended Understanding
         • PCI DSS tells you what you need to do: what standards you need to meet to be compliant.
         • PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment: your system, your processes, your vendors, your customers.
         • Being compliant does not necessarily make you secure.
         • Being secure leads to compliance, not the other way around.
    12. Instructions
    13. Instruction
         • Determining your PCI Level
         • Validation requirements
         • Selecting the SAQ that Best Applies to Your Organization
    14. Determining your PCI Level
       You need to assess where you are on the scale of risk:
         • Level 1: All channels: more than 6MM Visa or MC transactions per year
         • Level 2: All channels: 1MM - 6MM Visa or MC transactions per year; E-commerce: >150,000 - 6MM MC transactions per year
         • Level 3: 20,000 - 150,000 e-commerce MC transactions per year; 20,000 - 999,999 e-commerce Visa transactions per year
         • Level 4: <20,000 Visa or MC e-commerce transactions per year; <1MM non-e-commerce Visa or MC transactions per year
    15. Validation requirements
       Level 1 Merchants
         • Complete an Annual On-Site PCI Data Security Assessment in accordance with PCI Audit Procedures (Visa website). You can use this template for your Report on Compliance (ROC).
         • Engage a Visa-approved Qualified Data Security Company to complete your ROC.
         • Validate the ROC by the due date (preferably sooner, in case issues arise in the ROC; this will help eliminate assessment of fines).
         • Provide the ROC to Bank of America Merchant Services.
         • The merchant’s internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of the merchant’s organization validating the ROC.
         • Complete quarterly network scans to check your systems for vulnerabilities.
         • Complete annual penetration testing to test that your systems are hacker-resistant.
         • Ensure that these security scans are performed by a qualified independent scan vendor.
       Level 2, 3 and 4 Merchants
         • Complete and validate an Annual PCI Self-Assessment Questionnaire.
         • Complete quarterly network scans to check your systems for vulnerabilities.
         • Complete annual penetration testing to test that your systems are hacker-resistant.
         • Ensure that these security scans are performed by a qualified independent scan vendor.
    16. Selecting the SAQ that Best Applies to Your Organization
       SAQ  | Description
       A    | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
       B    | Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage
       C-VT | Merchants using only web-based virtual terminals, no cardholder data storage
       C    | Merchants with payment application systems connected to the internet, no electronic cardholder data storage
       D    | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
    17. Implementation
    18. Implement
         • Determine scope
         • Rebuild system based on requirements
         • Self Assessment Questionnaires
         • Report
    19. Determining Scope – Network Segmented
    20. Determining Scope – Network Segmented
    21. Determining Scope – Network Segmented
    22. Principles
       SECURE → TRACK → AUDIT
         • You need to ensure that your data is first secured, both physically and electronically.
         • You need to ensure you have a mechanism in place to track who accesses your data and when.
         • You need to review your tracking (audit) to look for anomalies.
    23. PCI DSS – Requirements
       Six Goals, Twelve Requirements
       Build and Maintain a Secure Network
         1. Install and maintain a firewall configuration to protect cardholder data
         2. Do not use vendor-supplied defaults for system passwords and other security parameters
       Protect Cardholder Data
         3. Protect stored cardholder data
         4. Encrypt transmission of cardholder data across open, public networks
       Maintain a Vulnerability Management Program
         5. Use and regularly update anti-virus software or programs
         6. Develop and maintain secure systems and applications
       Implement Strong Access Control Measures
         7. Restrict access to cardholder data by business need-to-know
         8. Assign a unique ID to each person with computer access
         9. Restrict physical access to cardholder data
       Regularly Monitor and Test Networks
         10. Track and monitor all access to network resources and cardholder data
         11. Regularly test security systems and processes
       Maintain an Information Security Policy
         12. Maintain a policy that addresses information security for employees and contractors
    24. PA-DSS Introduction
       Formerly known as PABP (Payment Application Best Practices), supervised by Visa.
       Goals
         • Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data
         • Ensure their payment applications support compliance with the PCI DSS
       The requirements for the PA-DSS are derived from the PCI DSS.
       Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
    25. PA-DSS Requirements
       Fourteen Requirements
         • Requirement 1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
         • Requirement 2: Protect stored cardholder data
         • Requirement 3: Provide secure authentication features
         • Requirement 4: Log payment application activity
         • Requirement 5: Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25, CERT Secure Coding)
         • Requirement 6: Protect wireless transmissions
         • Requirement 7: Test payment applications to address vulnerabilities
         • Requirement 8: Facilitate secure network implementation
         • Requirement 9: Cardholder data must never be stored on a server connected to the Internet
         • Requirement 10: Facilitate secure remote software updates
         • Requirement 11: Facilitate secure remote access to payment application
         • Requirement 12: Encrypt sensitive traffic over public networks
         • Requirement 13: Encrypt all non-console administrative access
         • Requirement 14: Maintain instructional documentation and training programs for customers, resellers, and integrators
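       The distinction drawn on the Key Definitions slide (cardholder data, which may be stored but must be protected, versus sensitive authentication data, which must never be stored) is what PA-DSS Requirement 1 and PCI DSS Requirement 3 enforce in practice. The Python scanner below is an added example, not part of the slides and not a PCI SSC or payment-brand tool: it walks constructed application log records, flags Luhn-valid PANs, magnetic stripe track data and card validation code fields, and classifies each hit by which rule it breaks, so a merchant or developer can catch prohibited storage before an assessor does. It assumes the standard ISO 7813 track 1 and track 2 layouts, the Luhn check, and the first-six/last-four masking limit from PCI DSS Requirement 3.3; none of those details are stated on the slides, and the card numbers in the sample are published test numbers, not real accounts.

```python
import re

# PA-DSS Requirement 1 forbids retaining full magnetic stripe (track) data,
# card validation codes (CAV2/CID/CVC2/CVV2) and PIN block data; PCI DSS
# Requirement 3 requires stored PAN to be protected.  This scanner looks for
# those fields in logs and flat files so the gap is found during self-assessment.


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters order ids and timestamps out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# PAN: a 13-19 digit run that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1, ISO 7813 format B (assumed layout): %B<PAN>^<NAME>^<YYMM><service code>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2 (assumed layout): ;<PAN>=<YYMM><service code>...
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}")
# Card validation code written as a labelled field, e.g. cvv=123
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}(?!\d)", re.IGNORECASE)


def find_pans(text: str) -> list:
    """Unique Luhn-valid PANs in text, sorted."""
    return sorted({m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))})


def find_track_data(text: str) -> list:
    """Which magnetic stripe tracks (with a Luhn-valid PAN) appear in text."""
    found = []
    if any(luhn_ok(m.group(1)) for m in TRACK1_RE.finditer(text)):
        found.append("track1")
    if any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(text)):
        found.append("track2")
    return found


def find_cvv(text: str) -> list:
    """Labels of card validation code fields present in text."""
    return [m.group(1).lower() for m in CVV_RE.finditer(text)]


def classify(finding: dict) -> str:
    """Sensitive authentication data (never storable) outranks cardholder data."""
    if finding["track"] or finding["cvv"]:
        return "sensitive_authentication_data"   # PA-DSS Requirement 1 violation
    return "cardholder_data"                     # storable, but PCI DSS Req. 3 applies


def scan_records(records: list) -> list:
    """Return one finding per record that holds PAN, track data or a CVV field."""
    findings = []
    for line_no, rec in enumerate(records):
        f = {"line": line_no, "pans": find_pans(rec),
             "track": find_track_data(rec), "cvv": find_cvv(rec)}
        if f["pans"] or f["track"] or f["cvv"]:
            findings.append(f)
    return findings


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS 3.3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample log records using published test card numbers.
SAMPLE_RECORDS = [
    "2024-01-05 auth ok pan=4111111111111111 exp=1226 name=DOE/JOHN",
    "2024-01-05 swipe raw=%B4111111111111111^DOE/JOHN^1226101?;4111111111111111=1226101?",
    "2024-01-05 cnp order=123 cvv=123 pan=5555555555554444",
    "2024-01-05 heartbeat ok id=9876543210",
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        masked = ", ".join(mask_pan(p) for p in f["pans"])
        print(f"line {f['line']}: {classify(f)} "
              f"pans=[{masked}] track={f['track']} cvv={f['cvv']}")
```

       Running the block reports the first record as stored cardholder data (a PAN that must be rendered unreadable), the swipe record and the CVV record as sensitive authentication data that has to be purged from the log, and nothing for the heartbeat line, whose ten-digit id fails the length test before the Luhn check is reached. In a real deployment the regexes would be run over log directories, database dumps and backups as part of the scoping step, since data found outside the intended cardholder data environment pulls that system into scope.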
    26. SAQ Objectives
       Self Assessment Questionnaires
         • Based on industry feedback
         • Flexibility for multiple merchant types
         • Providing guidance for the intent and applicability of the underlying requirements
       (figure: Self-Assessment Questionnaire (SAQ) A)
    27. Self Assessment Questionnaires
       SAQ | Validation Type | Description | Questions
       A   | 1 | Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants | <11 questions
       B   | 2 | Imprint-only merchants with no cardholder data storage | 21 questions
       B   | 3 | Standalone dial-up terminal merchants, no cardholder data storage | 21 questions
       C   | 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | 38 questions
       D   | 5 | All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ | Full DSS
    28. Reports
         • Regular reports are required for PCI DSS compliance.
         • All merchants, service providers and processors may be required to submit quarterly scan reports.
         • All reports must be performed by a PCI SSC approved ASV.
    29. THANK YOU