1. PCI DSS & PII
Shanmugavel Sankaran
FixNix InfoSec Solutions Pvt Ltd

2. Session Etiquette
• Please turn off all cell phones.
• Please keep side conversations to a minimum.
• If you must leave during the presentation, please do so
as quietly as possible.
2

3. 3
What is PCI?
" The Payment Card Industry Data Security Standard (PCI DSS) was
created jointly in 2004 by four major credit-card companies: Visa,
MasterCard, Discover and American Express.
" PCI DSS is a widely accepted set of policies and procedures intended to
optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information.
" Adherence to the PCI DSS aides in securing cardholder payment data
that is stored, processed or transmitted by merchants and processors.
" PCI DSS specifies requirements entailing many security technologies
and business processes, and reflects most of the best practices for
securing sensitive information.
" PCI DSS is rapidly becoming the recognized standard for securing all
organizational data, not just credit card information, and is currently
being considered as the basis of legislation by several states.
• (Source: PCI Security Standards Council)

4. 4
What Is Cardholder Data?
Cardholder data is any Personally Identifiable
Information (PII) associated with the cardholder
§ Card Holder Data
§ Primary Account Number (PAN) with:
§ Expiration date or
§ Card holder name
§ Sensitive Authentication Data
§ CVV or CVC (Card Verification Values)
§ Track 1 and Track 2 Data (magnetic stripe)

5. Who Must Comply?
" PCI data security requirements apply to all merchants and service
providers that store, process or transmit any cardholder data. All
organizations with access to cardholder information must meet the data
security standards.
" However, the way in which organizations validate their compliance differs
based on whether they are merchants or service providers and on specific
validation requirements defined by each credit card brand. Each of the
five major credit card companies has its own set of validation
requirements.
" Information regarding service provider levels and validation requirements
can be obtained from each individual credit card company’s Web site.
" The security requirements apply to all system components, network
components, servers or applications included in, or connected to, the
processing of cardholder data.
5

6. What is PCI?
• Payment Card Industry Data Security Standard
• PCI Scope includes:
– Storing, processing and transmitting of cardholder data AND any
connected system
• Continuous program – not a one time project!
6

7. PCI Version 2.0
• Has changed the way we do business
• Costs have increased
• Documentation, Documentation!
7

8. What’s New in PCI 2.0?
• Scoping?
• Wireless Networks
• Storing Hashed Data
• Self-Assessment Questionnaire C-VT
8

9. PCI Security Standards Council
• Global Forum
• PCIDSS, PA-DSS, PCI PTS
• Approve QSAs, ASVs
• Develop and publish PCI documentation including SAQs
• Training
9

10. Payment Brands, Acquirers and Processors
• Payment Brands
– Track compliance and enforce standards
– Determine event response
– Define merchant levels
• Acquirers and Processors
– Set merchant level
– Determine compliance
– Approve compensating controls
10

11. Updates from Feedback on the PCI Standards
• Request change to existing requirement/testing
procedure (34%)
• Request clarification (27%)
• Request for additional guidance (19%)
• Feedback only – no change requested (12%)
• Request for new requirement/testing procedure (7%)
PCI SSC Press Release Dated 9/5/12 "PCI Security Standards Council Releases Summary of
Feedback on PCI Standards"
11

12. Following Topics Most Frequently mentioned
Suggestions:
• PCI DSS Req 11.2 – Prescribing use of specific tools,
requiring ASCs to perform internal scans and define
“significant change”
• PCI DSS Scope of Assessment – Detailed guidance on
scoping and segmentation
• PCI DSS Req 12.8 – Clarify terms “service provider” and
“shared”, and provide more prescriptive requirements
regarding written agreements that apply to service
providers
12

13. Following Topics Most Frequently mentioned
Suggestions (Con’t):
• PCI DSS SAQs – Suggestions for updating; either too
complex or not detailed enough
• PCI DSS Req 3.4 – Further clarification and guidance
since encryption and key management are complex
requirements, and truncation/hashing and tokenization is
not a convenient method to store and retrieve data
• PCI DSS Req 8.5 – Updating password requirements
including expanding authentication beyond just
passwords
13

14. PCI SCC Releases
• PCI Mobile Payment Acceptance Security Guidelines
– Offer software developers and mobile device
manufacturers guidance on designing appropriate
security controls to provide solutions for merchants to
accept mobile payments securely
PCI SSC Press Release Dated 9/13/12
14

15. PCI SSC Releases (Con’t)
• Point-to-Point Encryption (P2PE) Resources
– Program Guide and SAQ to support implementation
of hardware-based P2PE solutions
PCI SSC Press Release Dated 6/28/12
15

16. New PCI Professional Program (PCIP)
• PCI SSC’s 1st Individual Accreditation Program
• Designed to build greater level of PCI expertise across
the industry
• Minimum 2 years IT or IT related experience and base
level of knowledge and awareness in information
technology, network security and architecture and
payment industry participants
PCI SSC Press Release Dated 9/6/12
16

17. PCI DSS Risk Assessment Guidelines
The supplement outlines the relationship between PCI DSS
and risk assessments, including various industry risk
methodologies and key components of a risk assessment.
Key components include developing a risk assessment
team, building a risk assessment methodology, risks
introduced by third parties, risk reporting and critical
success factors.
Key recommendations include:
• Formalized risk assessment methodology suited to the
culture and requirements of the organization
• Continuous risk assessment
• Risk assessment cannot be used to avoid PCI DSS
compliance
PCI DSS Press Release Dated 11/16/12
17

18. Info Supplement – E-commerce Guidelines
This supplement was released to provide guidance to
merchants using electronic commerce (e-commerce) to sell
goods and services in their quest to obtain PCI
Compliance.
• Merchants may develop their own payment software, use
a third-party software, or a combination.
• Merchants may use various technologies: payment
processing applications, application-programming
interfaces (APIs), inline frames (iFrames), or hosted
payment pages.
• Merchants may maintain different levels of control and
responsibility for managing the supporting IT
infrastructure.
PCI SSC Information Supplement Dated 1/2013
18

19. Info Supplement – E-commerce Guidelines (Con’t)
Key Considerations:
• No option completely removes PCI DSS responsibilities.
NOT even outsourcing!
• Payment applications should be PA-DSS compliant.
Check them against the PCI SSC’s list of Validated
Payment Applications.
– For in-house developed application, use PA-DSS as a
best-practice.
• Documentation! Document relationships between the
merchant and third parties in regards to PCI DSS!
19

20. PCI DSS Cloud Computing Guidelines
• The Guidelines and Information Supplement provides a
overview of the cloud environment explaining common
deployment and service models and how
implementations may differ.
• Roles and responsibilities between the provider and
customer across the different models are explained as
well as guidance on how to determine and Document
these responsibilities.
• PCI DSS considerations and compliance challenges are
discussed including scoping, segmentation and
validating compliance in the cloud environment.
• Other security considerations are explored on the
business and IT side in using cloud technologies.
PCI DSS Press Release Dated 2/7/13.
20

21. PCI Mobile Payment Acceptance Security Guidelines
for Merchants as End-Users
• Document provides a high level introduction and
overview of mobile payments and security risks of mobile
devices. This “unique, complex and evolving mobile
environment underscores the need for all parties in the
payment chain to work together to ensure mobile
acceptance solutions are deployed securely.”
• Key areas:
– Objectives and Guidance for the Security of a Payment
Transaction
– Guidelines for Securing the Mobile Device
– Guidelines for Securing the Payment Acceptance Solution
Appendices provided
PCI DSS Press Release Dated 2/14/13.
21

22. Merchant Issues on Campus
• CDE – Cardholder Data Environment (where does the
data reside – everywhere?)
• Call Centers – Voice Recording
• VOIP – Voice Over Internet Protocol
• Service Providers
• Remote Events
22

23. Merchant Issues on Campus (Con’t)
• Bookstores
• Medical practices
• Patient collections
• Conferences
• Pledge drives
23

24. Merchant Issues on Campus (Con’t)
• Food service
• Kiosks
• Paper forms
• Unrelated third parties
– Does this make you a service provider?
Treasury Institute for Higher Education 2012 PCI Workshop - Walt Conway, QSA 403 Labs
24

25. What is PII?
PII (Personally Identifiable Information) is any information
about an individual that can be used to distinguish or trace
an individual’s identity or can be linked to an individual.
Examples:
– Name: full name, mother’s maiden name, alias
– Personal ID number: SS number, Passport, driver’s
license or credit card numbers
– Medical, educational, financial and employment
information
25

26. Personally Identifiable Information (PII)
The escalation of security breaches involving personally
identifiable information (PII) has contributed to the loss of
millions of records over the past several years.
Individual Harm Organizational Harm
– Identity theft - Loss of public trust
– Embarrassment - Legal liability
– Blackmail - Remediation cost ($$$)
26

27. Risk-Based Approach to Guarding the Security of PII
If we guard our toothbrushes
and diamonds with equal zeal,
we will lose fewer toothbrushes
and more diamonds.
McGeorge Bundy
fmr US National Security
Advisor
• Identify all PII residing in
the data environment
• Minimize the use,
collection, and retention of
PII
• Categorize PII by
confidentiality impact level
• Apply appropriate
safeguards based on
confidentiality level
• Develop an incident
response plan to handle
PII breaches
• Exercise a coordinated
effort in managing PII
issues
27

28. Identify ALL PII Residing in Your Environment
• An organization cannot properly protect PII it does not
know about!
• Be sure to consider your environment:
– Databases
– Shared network drives
– Backup tapes
– Contractor sites
28

29. Minimize PII Used, Collected and Stored
• The likelihood of harm caused by a breach involving PII
is greatly reduced if an organization minimizes the
amount of PII it uses, collects and stores.
• Best Practices:
– Review current holdings of PII and ensure they are
accurate, relevant, timely and complete
– Reduce PII holdings to the minimum necessary for
proper performance of business functions
– Develop a schedule for periodic review of PII holdings
– Establish a plan to eliminate the unnecessary
collection and use of SSNs
29

30. Categorize PII by Confidentiality Impact Level
• All PII is not created equal.
• PII should be evaluated to determine its PII
confidentiality impact level – low, moderate, or high
– The impact level indicates the potential harm that
could result to the individuals and/or the
organization if the PII were inappropriately
accessed, used, or disclosed.
30

31. Develop an Incident Response Plan for PII
Breaches
• Breaches involving PII are hazardous to both individuals
and organizations
• Harm to individuals and organizations can be contained
and minimized through the development of an effective
IRP for breaches involving PII, including:
– Determining when and how individuals should be
notified
– How a breach should be reported
– Whether to provide remedial services, like credit
monitoring, to affected individuals
31

32. Encourage a Concerted Effort Regarding PII
Issues
• Protecting the confidentiality of PII requires knowledge of
information systems, information security, privacy as well
as legal requirements.
• Organizations should encourage close coordination
among their chief privacy officers, chief information
officers, chief information security officers and legal
counsel when making decisions related to PII policies
32

33. PCI Compliance – Trends and Tips
§ Follow industry best practices for network and IT
security
§ Use tools and services geared toward PCI Compliance
§ Align with a larger partner for credit card processing
Joel Dubbin, CISSP. SearchCIO.com

34. PCI is not about securing sensitive data, it’s
about eliminating data altogether.
John Kindervag, Forrester Analyst and former QSA
PCI Compliance – Trends and Tips

35. Virtualization
§ Servers
- Req 2.2.1 – One primary function per server
§ Entire box in-scope?
§ PCI DSS is technology neutral
§ No guidance for QSAs
PCI Compliance – Trends and Tips

36. Segmenta(on
§ Reduce
the
cardholder
data
landscape
§ Reduces
cost
of
remedia(on
§ Reduces
exposure
PCI Compliance – Trends and Tips

37. Outsourcing (Card data, Service Providers, Shared Hosting, Managed
Services)
§ Must third party be PCI certified?
§ Who owns the liability?
§ What entities does a PCI assessment cover?
PCI Compliance – Trends and Tips

38. “PCI SWALLOWS ITS OWN TAIL”
• “I’m concerned that as long as the payment card
industry is writing the standards, we’ll never see
a more secure system,” (Rep. Bennie) Thompson
said. “We in Congress must consider whether we
can continue to rely on industry-created
standards, particularly if they’re inadequate to
address the ongoing threat.”
• http://information-security-resources.com/2009/04/01/payment-card-
industry-swallows-its-own-tail
PCI Compliance – Trends and Tips

39. 39

40. 40

41. 41

42. 42

43. 43

44. 44

45. 45
• PCI Security Standards Council- www.pcisecuritystandards.org
• The SANS Institute- www.sans.org
• The National Institute of Standards and Technology- www.nist.gov
• The Center for Internet Security- www.cisecurity.org
• Approved QSA Listing-
https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
• Approved ASV Listing-
https://www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm
• PCI KnowledgeBase
http://www.knowpci.com
• PCI Auditor Community Site (Message Board)
http://pcifile.org/phpBB2/index.php
• PCI DSS Compliance Demystified (Blog)
http://pcianswers.com/
Useful links

46. Questions?
46