PCI-DSS_Overview

Payment Card Industry Data
Security Standard (PCI-DSS)
By: Sameh Abulfotooh

Agenda
• Credit Cards History
• PCI Oversight and History
• Cardholder Data
• Payment Transaction Cycle
• PCI DSS at a High Level (Sections)

Before Credit Card
Charge Coin
Charge
Plates/Cards

• PCI SSC is a collaborative agreement between five members of credit card lending including: Visa,
MasterCard, American Express, Discover Financial Services, and JCB International (referred to
commonly as Brands).
• The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and
Visa Inc. They share equally in governance and execution of the Council's work.
• They used before to use their own requirements for business partners:
✦ Mastercard: SDP
✦ Visa: CISP
• The PCI Security Standards Council (PCI-SSC) is a global open body formed to develop, enhance,
disseminate and assist with the understanding of security standards for payment account security.
• The body formed as a unified framework for improving security and reducing the threat of breaches.
• PCI SCC is committed to the development, awareness, and education of PCI
• PCI SSC is also responsible for setting PCI standards to which merchants are to comply.

• 2004 -PCI Data Security Standards effectively started in when MasterCard,
Visa, American Express, Discover, and JCB created and collaborated
payment card practices. The companies referred with each other's
standards to create a concise and singular set of compliance standards.
• January 2005- The PCI SSC has estimated that 234 million records with
sensitive data have been breached, thus noting the need for a regulatory
body.
• June, 30, 2005- Regulations took effect and were monitored collectively by
the five PCI SSC founders.
• 2008 - Particular instances have included breaches at large companies
such as TJX, Shell, and Hannaford. The recent breach at Hannaford
occurred in 2008, which has led to the development and implementation
of PCI DSS version 1.2.

Versions:
• 1.0 was released on December 15, 2004.
• 1.1 in September 2006 provide clarification and minor revisions.
• 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed
evolving risks and threats.
• 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency
among the standards and supporting documents.
• 2.0 was released in October 2010.
• 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017.
• 3.1 was released in April 2015, and will be retired October 31 2016.
• 3.2 was released in April 2016.

Terms and Acronyms
• SSC: The governing body of PCI
• DSS: Data Security Standard
• QSA: Qualified Security Assessor
• ASV: Approved Scanning Vendor (validated annually by SCC to
perform external quarterly vulnerability scan)
• SAQ: Self-Assessment Questionnaire
• ROC: Report on Compliance
• CDE: Cardholder Data Environment

WHY to Comply?
• Protect Account data that consists of cardholder
data and/or sensitive authentication data
• Banks or Processors should be complainant with
brands as a merchant or service provider.
• Fines in case of not complaint or turn off your
business

Major Breaches
Target Evernote Sony Online Sony PSN JP Morgan
Home Depot
Living Social Anthem
EBay

How to Comply?
Assess: identifying all locations of cardholder data, taking an
inventory of your IT assets and business processes for payment card
processing and analyzing them for vulnerabilities that could expose
cardholder data
Repair: fixing identified vulnerabilities, securely removing any
unnecessary cardholder data storage, and implementing secure
business processes
Report: documenting assessment and remediation details, and
submitting compliance reports to the acquiring bank and card
brands you do business with (or other requesting entity if you’re a
service provider)

Manufacturers
PCI PTS
PIN Entry
Devices
Software
Developers
PCI PA-DSS
Payment
Applications
Merchants &
Service
Providers
PCI DSS
Secure
Environments
Protection of
Cardholder Payment
Data
P2PE
Ecosystem of payment devices,
applications, infrastructure and users

Penalties
Potential cost of a security breach:
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer
confidence

Cardholder Data – Cont.
• Point-of-sale devices
• Mobile devices, personal computers or servers
• Wireless hotspots
• Web shopping applications
• Paper-based storage systems
• Transmission of cardholder data to service providers
• Remote access connections

Resources
• PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0
• PCI DSS Quick Reference Guide
• PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Information Supplements and Guidelines
• Prioritized Approach for PCI DSS
• Report on Compliance (ROC) Reporting Template and Reporting Instructions
• Self-assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
• Attestations of Compliance (AOCs)
• Frequently Asked Questions (FAQs)
• PCI for Small Merchants website
• PCI training courses and informational webinars
• List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• List of PTS approved devices and PA-DSS validated payment applications
Please refer to www.pcisecuritystandards.org for information about these and other resources.

Card Brands PCI SSC
Acquirers Merchants
Created the SSC and
responsible for approving the
DSS controls framework
Developed the DSS, PA-DSS,
PIN standards, and conduct
training and certification for
QSAs and ASVs
Banks and payment
processors that own the
responsibility for enforcing DSS
Responsible for implementing
DSS controls, as well as
demonstrating and maintaining
compliance
Major Players

Credit Card Transaction
Cycle
Merchant
Merchant’s Bank
Issuing Bank
Brands
Cardholder

Brands
Cardholder
Merchant
Merchant’s Bank
Issuing Bank

PCI DSS at a High
Level (Sections)

• Six major areas
• Twelve requirements
• about 50 pages of objectives
• for each objective, as statement of what’s required,
and associated testing procedure.

Ex:Install and maintain a firewall
configuration to protect cardholder data
PCI DSS Requirements Testing Procedures Guidance
1.1.3 Current diagram that
shows all cardholder data
flows across systems and
networks
1.1.3 Examine data-flow
diagram and interview
personnel to verify the
diagram:
• Shows all cardholder
data flows across
systems and networks.
• Is kept current and
updated as needed
upon changes to the
environment.
Cardholder data-flow
diagrams identify the
location of all cardholder
data that is stored,
processed, or transmitted
within the network.
Network and cardholder
data-flow diagrams help
an organization to
understand and keep
track of the scope of their
environment, by showing
how cardholder data flows
across networks and
between individual
systems and devices.

Masking Primary Account
Number (PAN)
• 5555 9999 0000 8888
• 5555 99XX XXXX XXXX
• XXXX XXXX XXXX 8888

Scope
• Define scope assessment
• Backup & restore assessment

SSL and TLS
• No SSL for new systems (3.2)
• NO SSL after 2018
• TLS 1.2 or above

Multi-Factor Authentication
(MFA)
• MFA required for remote network access by users,
administrators, and vendors (3.0)
• MFA required in local access for any payment data
systems and network segments

Change Management
• Formal process should exist
• No significant change without passing through the
change manageement.

Service Providers
• Provide detailed documentation describing how
authentication is used to protect payment card
data
• Quickly detect and report failures in any security
control
• Engage executive management
• Perform at least quarterly review to confirm policy
compliance.

PCI-DSS_Overview

More Related Content

What's hot

Viewers also liked

Similar to PCI-DSS_Overview

PCI-DSS_Overview