preso prepared for IDRBT PCI DSS training

Published in: Technology, Economy & Finance


  1. PCI DSS & PII
     Shanmugavel Sankaran, FixNix InfoSec Solutions Pvt Ltd
  2. Session Etiquette
     •  Please turn off all cell phones.
     •  Please keep side conversations to a minimum.
     •  If you must leave during the presentation, please do so as quietly as possible.
  3. What is PCI?
     •  The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
     •  PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
     •  Adherence to the PCI DSS aids in securing cardholder payment data that is stored, processed or transmitted by merchants and processors.
     •  PCI DSS specifies requirements entailing many security technologies and business processes, and reflects most of the best practices for securing sensitive information.
     •  PCI DSS is rapidly becoming the recognized standard for securing all organizational data, not just credit card information, and is currently being considered as the basis of legislation by several states.
     •  (Source: PCI Security Standards Council)
  4. What Is Cardholder Data?
     Cardholder data is any Personally Identifiable Information (PII) associated with the cardholder.
     §  Card Holder Data
        –  Primary Account Number (PAN) with:
           –  Expiration date, or
           –  Card holder name
     §  Sensitive Authentication Data
        –  CVV or CVC (Card Verification Values)
        –  Track 1 and Track 2 Data (magnetic stripe)
  5. Who Must Comply?
     •  PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data. All organizations with access to cardholder information must meet the data security standards.
     •  However, the way in which organizations validate their compliance differs based on whether they are merchants or service providers and on specific validation requirements defined by each credit card brand. Each of the five major credit card companies has its own set of validation requirements.
     •  Information regarding service provider levels and validation requirements can be obtained from each individual credit card company’s Web site.
     •  The security requirements apply to all system components, network components, servers or applications included in, or connected to, the processing of cardholder data.
  6. What is PCI?
     •  Payment Card Industry Data Security Standard
     •  PCI Scope includes:
        –  Storing, processing and transmitting of cardholder data AND any connected system
     •  Continuous program – not a one-time project!
  7. PCI Version 2.0
     •  Has changed the way we do business
     •  Costs have increased
     •  Documentation, Documentation!
  8. What’s New in PCI 2.0?
     •  Scoping?
     •  Wireless Networks
     •  Storing Hashed Data
     •  Self-Assessment Questionnaire C-VT
  9. PCI Security Standards Council
     •  Global Forum
     •  PCI DSS, PA-DSS, PCI PTS
     •  Approve QSAs, ASVs
     •  Develop and publish PCI documentation including SAQs
     •  Training
  10. Payment Brands, Acquirers and Processors
     •  Payment Brands
        –  Track compliance and enforce standards
        –  Determine event response
        –  Define merchant levels
     •  Acquirers and Processors
        –  Set merchant level
        –  Determine compliance
        –  Approve compensating controls
  11. Updates from Feedback on the PCI Standards
     •  Request change to existing requirement/testing procedure (34%)
     •  Request clarification (27%)
     •  Request for additional guidance (19%)
     •  Feedback only – no change requested (12%)
     •  Request for new requirement/testing procedure (7%)
     PCI SSC Press Release Dated 9/5/12, "PCI Security Standards Council Releases Summary of Feedback on PCI Standards"
  12. Following Topics Most Frequently Mentioned – Suggestions:
     •  PCI DSS Req 11.2 – Prescribing use of specific tools, requiring ASCs to perform internal scans and define “significant change”
     •  PCI DSS Scope of Assessment – Detailed guidance on scoping and segmentation
     •  PCI DSS Req 12.8 – Clarify terms “service provider” and “shared”, and provide more prescriptive requirements regarding written agreements that apply to service providers
  13. Following Topics Most Frequently Mentioned – Suggestions (Con’t):
     •  PCI DSS SAQs – Suggestions for updating; either too complex or not detailed enough
     •  PCI DSS Req 3.4 – Further clarification and guidance since encryption and key management are complex requirements, and truncation/hashing and tokenization are not a convenient method to store and retrieve data
     •  PCI DSS Req 8.5 – Updating password requirements including expanding authentication beyond just passwords
  14. PCI SSC Releases
     •  PCI Mobile Payment Acceptance Security Guidelines
        –  Offer software developers and mobile device manufacturers guidance on designing appropriate security controls to provide solutions for merchants to accept mobile payments securely
     PCI SSC Press Release Dated 9/13/12
  15. PCI SSC Releases (Con’t)
     •  Point-to-Point Encryption (P2PE) Resources
        –  Program Guide and SAQ to support implementation of hardware-based P2PE solutions
     PCI SSC Press Release Dated 6/28/12
  16. New PCI Professional Program (PCIP)
     •  PCI SSC’s 1st Individual Accreditation Program
     •  Designed to build a greater level of PCI expertise across the industry
     •  Minimum 2 years IT or IT-related experience and a base level of knowledge and awareness in information technology, network security and architecture, and payment industry participants
     PCI SSC Press Release Dated 9/6/12
  17. PCI DSS Risk Assessment Guidelines
     The supplement outlines the relationship between PCI DSS and risk assessments, including various industry risk methodologies and key components of a risk assessment. Key components include developing a risk assessment team, building a risk assessment methodology, risks introduced by third parties, risk reporting and critical success factors.
     Key recommendations include:
     •  Formalized risk assessment methodology suited to the culture and requirements of the organization
     •  Continuous risk assessment
     •  Risk assessment cannot be used to avoid PCI DSS compliance
     PCI DSS Press Release Dated 11/16/12
  18. Info Supplement – E-commerce Guidelines
     This supplement was released to provide guidance to merchants using electronic commerce (e-commerce) to sell goods and services in their quest to obtain PCI Compliance.
     •  Merchants may develop their own payment software, use third-party software, or a combination.
     •  Merchants may use various technologies: payment processing applications, application-programming interfaces (APIs), inline frames (iFrames), or hosted payment pages.
     •  Merchants may maintain different levels of control and responsibility for managing the supporting IT infrastructure.
     PCI SSC Information Supplement Dated 1/2013
  19. Info Supplement – E-commerce Guidelines (Con’t)
     Key Considerations:
     •  No option completely removes PCI DSS responsibilities. NOT even outsourcing!
     •  Payment applications should be PA-DSS compliant. Check them against the PCI SSC’s list of Validated Payment Applications.
        –  For in-house developed applications, use PA-DSS as a best practice.
     •  Documentation! Document relationships between the merchant and third parties in regards to PCI DSS!
  20. PCI DSS Cloud Computing Guidelines
     •  The Guidelines and Information Supplement provides an overview of the cloud environment, explaining common deployment and service models and how implementations may differ.
     •  Roles and responsibilities between the provider and customer across the different models are explained, as well as guidance on how to determine and document these responsibilities.
     •  PCI DSS considerations and compliance challenges are discussed, including scoping, segmentation and validating compliance in the cloud environment.
     •  Other security considerations are explored on the business and IT side in using cloud technologies.
     PCI DSS Press Release Dated 2/7/13
  21. PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users
     •  Document provides a high-level introduction and overview of mobile payments and security risks of mobile devices. This “unique, complex and evolving mobile environment underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely.”
     •  Key areas:
        –  Objectives and Guidance for the Security of a Payment Transaction
        –  Guidelines for Securing the Mobile Device
        –  Guidelines for Securing the Payment Acceptance Solution
     Appendices provided
     PCI DSS Press Release Dated 2/14/13
  22. Merchant Issues on Campus
     •  CDE – Cardholder Data Environment (where does the data reside – everywhere?)
     •  Call Centers – Voice Recording
     •  VOIP – Voice Over Internet Protocol
     •  Service Providers
     •  Remote Events
  23. Merchant Issues on Campus (Con’t)
     •  Bookstores
     •  Medical practices
     •  Patient collections
     •  Conferences
     •  Pledge drives
  24. Merchant Issues on Campus (Con’t)
     •  Food service
     •  Kiosks
     •  Paper forms
     •  Unrelated third parties
        –  Does this make you a service provider?
     Treasury Institute for Higher Education 2012 PCI Workshop – Walt Conway, QSA, 403 Labs
  25. What is PII?
     PII (Personally Identifiable Information) is any information about an individual that can be used to distinguish or trace an individual’s identity, or that can be linked to an individual.
     Examples:
     –  Name: full name, mother’s maiden name, alias
     –  Personal ID number: SS number, passport, driver’s license or credit card numbers
     –  Medical, educational, financial and employment information
  26. Personally Identifiable Information (PII)
     The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past several years.
     Individual Harm:
     –  Identity theft
     –  Embarrassment
     –  Blackmail
     Organizational Harm:
     –  Loss of public trust
     –  Legal liability
     –  Remediation cost ($$$)
  27. Risk-Based Approach to Guarding the Security of PII
     “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.” – McGeorge Bundy, fmr US National Security Advisor
     •  Identify all PII residing in the data environment
     •  Minimize the use, collection, and retention of PII
     •  Categorize PII by confidentiality impact level
     •  Apply appropriate safeguards based on confidentiality level
     •  Develop an incident response plan to handle PII breaches
     •  Exercise a coordinated effort in managing PII issues
  28. Identify ALL PII Residing in Your Environment
     •  An organization cannot properly protect PII it does not know about!
     •  Be sure to consider your environment:
        –  Databases
        –  Shared network drives
        –  Backup tapes
        –  Contractor sites
  29. Minimize PII Used, Collected and Stored
     •  The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects and stores.
     •  Best Practices:
        –  Review current holdings of PII and ensure they are accurate, relevant, timely and complete
        –  Reduce PII holdings to the minimum necessary for proper performance of business functions
        –  Develop a schedule for periodic review of PII holdings
        –  Establish a plan to eliminate the unnecessary collection and use of SSNs
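Slides 4, 13, 28 and 29 together describe the practical loop a PCI/PII programme runs: know which of your stores hold Primary Account Numbers, then reduce what is kept (truncation, hashing, tokenization). The script below is an added example written for this page, not code from the presentation or from FixNix. It scans text (a constructed, fake log excerpt) for candidate PANs, uses the Luhn check digit to discard ordinary 16-digit values such as order numbers, and rewrites confirmed PANs in truncated form. The first-six/last-four truncation format and the regex shape are the example's assumptions, chosen because they are what the PCI DSS requirements cited on the slides commonly permit for display; the card numbers used are the well-known published test numbers, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so a 20-digit run is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data: a fake payment log. Card values are published
# test numbers (Visa/MasterCard/Amex); the last one fails the Luhn check,
# as does the 16-digit order number on the first line.
SAMPLE_LOG = """
2013-02-07 10:12:01 order=1234567890123456 card=4111 1111 1111 1111 status=ok
2013-02-07 10:12:05 card=5500-0000-0000-0004 status=declined
2013-02-07 10:12:09 card=378282246310005 note=amex
2013-02-07 10:12:12 card=4111111111111112 status=error
"""


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate):
    """Strip the separators the regex allowed, leaving only digits."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the list of Luhn-valid PANs found in text (digits only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan):
    """Keep first six and last four digits, mask the rest (assumed format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_text(text):
    """Replace every Luhn-valid PAN in text with its truncated form."""
    def repl(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return truncate_pan(digits)
        return m.group(0)       # not a PAN: leave untouched
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    pans = find_pans(SAMPLE_LOG)
    print("PANs discovered:", len(pans))
    print(redact_text(SAMPLE_LOG))
    # After redaction a second scan should find nothing.
    print("PANs remaining after redaction:", len(find_pans(redact_text(SAMPLE_LOG))))
```

Running the script over the sample reports three PANs (the order number and the last card value fail Luhn and are left alone) and prints the log with those three rewritten as, for example, `411111******1111`. Pointing `find_pans` at exports from the databases, shared drives, backups and contractor sites listed on slide 28 is the "identify" step; `redact_text` is one concrete form of the "minimize" step, and a clean second pass is the evidence that the store no longer holds full PANs.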
  30. Categorize PII by Confidentiality Impact Level
     •  All PII is not created equal.
     •  PII should be evaluated to determine its PII confidentiality impact level – low, moderate, or high
        –  The impact level indicates the potential harm that could result to the individuals and/or the organization if the PII were inappropriately accessed, used, or disclosed.
  31. Develop an Incident Response Plan for PII Breaches
     •  Breaches involving PII are hazardous to both individuals and organizations
     •  Harm to individuals and organizations can be contained and minimized through the development of an effective IRP for breaches involving PII, including:
        –  Determining when and how individuals should be notified
        –  How a breach should be reported
        –  Whether to provide remedial services, like credit monitoring, to affected individuals
  32. Encourage a Concerted Effort Regarding PII Issues
     •  Protecting the confidentiality of PII requires knowledge of information systems, information security, privacy as well as legal requirements.
     •  Organizations should encourage close coordination among their chief privacy officers, chief information officers, chief information security officers and legal counsel when making decisions related to PII policies
  33. PCI Compliance – Trends and Tips
     §  Follow industry best practices for network and IT security
     §  Use tools and services geared toward PCI Compliance
     §  Align with a larger partner for credit card processing
     Joel Dubbin, CISSP
  34. “PCI is not about securing sensitive data, it’s about eliminating data altogether.”
     John Kindervag, Forrester Analyst and former QSA
  35. Virtualization
     §  Servers – Req 2.2.1 – One primary function per server
     §  Entire box in-scope?
     §  PCI DSS is technology neutral
     §  No guidance for QSAs
  36. Segmentation
     §  Reduce the cardholder data landscape
     §  Reduces cost of remediation
     §  Reduces exposure
  37. Outsourcing (Card data, Service Providers, Shared Hosting, Managed Services)
     §  Must third party be PCI certified?
     §  Who owns the liability?
     §  What entities does a PCI assessment cover?
  38. “PCI SWALLOWS ITS OWN TAIL”
     •  “I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
  45. Resources
     •  PCI Security Standards Council
     •  The SANS Institute
     •  The National Institute of Standards and Technology
     •  The Center for Internet Security
     •  Approved QSA Listing
     •  Approved ASV Listing
     •  PCI KnowledgeBase
     •  PCI Auditor Community Site (Message Board)
     •  PCI DSS Compliance Demystified (Blog)
  46. Questions?