The PCI Security Standards Council

Transcription

1 The PCI Security Standards Council 9/12/2008

2 The PCI Security Standards Council An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including: Data Security Standard (DSS) Payment Application Data Security Standard (PA-DSS) Pin-Entry Device (PED) PCI PED PCI PA-DSS PCI DSS 9/12/2008 2

3 PCI SSC - The Standards PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties. PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data) 9/12/2008 3

4 The PCI Security Standards Council Founders 9/12/2008 4

5 Organizational Structure 9/12/2008 5

6 PCI DSS Drivers Industry Best Practices ADC Forensics Results Security Scans Advisory Board PCI Data Security Standard On Site Audits Community Meeting Proactive feedback from QSAs, ASVs and POs Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) Self- Assessment Questionnaire 9/12/2008 6

7 2007 Successes Over 420 Participating Organizations around the World Successful Community Meeting with over 300 attendees from around the world Board of Advisors elected and working (i.e. Task Forces) 1,500 QSA Assessors trained and certified The New PED Standard announced Successful feedback processes in place for DSS & SAQ (for release in 2008) Started Special Interest Group Program Influential Outreach Program 9/12/2008 7

8 2008 PCI SSC Objectives & Accomplishments 9/12/2008 8

9 2008 PCI SSC Objectives North America and Europe Community Meetings planned for Q Manage new and existing standards PCI DSS Version 1.2 to be released Q Updates to PED Program for Q Unattended Payment Terminals (UPT) Hardware Security Modules (HSM) Enhance cardholder data security 9/12/2008 9

10 SC16 Roles and Responsibilities of the Council PCI SSC. Is an Independent Industry Standard Manages the technical and business requirements for how payment data should be stored and protected Maintains List of Qualified PCI Assessors QSAs, ASVs PCI SSC Does Not Manage or drive Compliance Each brand continues to maintain its own compliance programs Identifies stakeholders that need to validate compliance Definitions of Validation Levels Fines and Fees 9/12/

11 Slide 10 SC16 Fix grammar/tenses Sarah Cummins, 1/9/2008

12 Resources Provided by Council Security Standards and Supporting Documents Frequently Asked Questions List of Approved QSAs, ASVs, PED Labs Education and Outreach Programs Participating Organization Membership, Community Meetings, Feedback One Global Voice for the Industry 9/12/

13 Frequently Asked Questions New Searchable FAQ Tool available on PCI SSC Website Responses developed by all five payment brands help pave the way for PCI DSS evolution Available first half of /12/

14 PCI SSC Standards 9/12/2008

15 Threat Landscape Implementing the standard is a Journey Not a Destination Threats in one month: August % of was spam (new record) Trojans made up 78% of new malware 264,133 new zombies detected Average of 11,906 new malicious websites found daily 9/12/

16 The Cost of Complying Three Categories of Compliance Upgrading Payments Systems and Security Verifying Compliance (Assessment) Sustaining Compliance How much does this cost your organization? For merchants with complex or older systems, it may cost millions The Cost of Not Complying Same study estimated non-compliance costs significantly higher, including Crisis cost upgrades Repeat assessments Notification costs Brand reputation Shareholder and consumer lawsuits The cost of a breach can easily be 20 times the cost of PCI Compliance PCI Compliance Cost Analysis: A Justified Expense. A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. Jan [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 2,500 retail locations.] 9/12/

17 Forensics Statistics Inside Jobs vs. Intrusions 17% Inside ~77% are partial insiders Incident Detection >75% via allegation of compromise Findings Percentages 92% Confirmed Security Breach >60% Confirmed Data Compromise Law Enforcement Involvement 87% of cases Incident Detection >75% via allegation of compromise > 60% Payment Cards vs. Others Consumer data: Payment card information -Credit / Debit -Card-present / CNP Personal Check information Identity-related data: Name, address, Social security, Social insurance IRS / tax return information Company-proprietary: Financial records HR / employee data Product strategy & roadmap Trade secrets & technology Breach Sources ~13% Inside US Case Commonalities 19% SQL injection 45% POS systems 10% Wireless infrastructure ~50% Via 3rd party connections Vulnerability Scanning SQL Injection cases: 71% had commercial scanning 63% detected SQL vulnerability 15% in scan reports for 1 year + 9/12/

18 The Five Stages of Grief Denial Anger Bargaining Depression 17 It doesn t t apply to me PCI compliance is mandatory It isn t t fair PCI applies to all parties in the payment process I ll do some of it Compliance is pass / fail I ll never get there Many merchants already have Acceptance It ll be OK PCI doesn t t introduce any new, alien concepts 9/12/

19 SC10 The PCI Data Security Standard The PCI DSS version 1.1 is a set of comprehensive requirements for enhancing payment account data security The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures This comprehensive standard is intended to help organizations proactively protect customer payment data 9/12/

20 Slide 18 SC10 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008

21 SC13 The PCI Data Security Standard Six Goals, Twelve Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks Maintain an Information Security Policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security 9/12/

22 Slide 19 SC13 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008

23 October 2008: Updates to PCI DSS PCI DSS Revision v1.2 Assessed and Incorporated feedback received from over 2,500 queries and suggested changes from Community Stakeholders 1.2 revision address the existing six goals and twelve requirements of the DSS with future effective dates for potential new sub requirements Areas of focus Clarity and flexibility of requirements Incorporate existing and new best practices Scoping and reporting clarification Eliminate overlapping sub requirements and consolidate documentation Expanded FAQ and glossary 9/12/

24 CB1 The Payment Application Data Security Standard Payment Application (PA DSS) Data Security Standard Based on Visa USA s PABP, PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers PCI DSS compliance This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data Distinct from but aligned with PCI DSS 9/12/

25 Slide 21 CB1 This will likely tie in to the risk-based approach. Chris Burd, 9/12/2008

26 The Payment Application Data Security Standard Fourteen Requirements Protecting Payment Application Transactions Do not retain full magnetic strip, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data Provide secure password features Protect stored cardholder data Log Application Activity Develop Secure Applications Protect wireless transmissions Test Applications to address vulnerabilities Facilitate secure network implementation Cardholder data must never be stored on a server connected to the Internet Facilitate secure remote software updates Facilitate secure remote access to application Encrypt sensitive traffic over public networks Encrypt all non-console administrative access Maintain instructional documentation and training programs for customers, resellers, and integrators 9/12/

27 SC23 The PIN Entry Device Requirements PIN Entry Device (PED) Requirements These requirements are divided into the following categories: Device Characteristics: Physical Security Characteristics Logical Security Characteristics Device Management Device Management During Mft. Device Management Between Mft. and Initial Key Loading Considers how the PED is produced, controlled, transported, stored and used throughout its life cycle. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics. 9/12/

28 Slide 23 SC23 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008

29 PABP becomes PA-DSS PA-DSS is the Council-managed program formerly called the Payment Application Best Practices (PABP) under the supervision of Visa Inc. PA-DSS helps software vendors and others develop secure payment applications that do not store prohibited data and ensures their payment applications support compliance with the PCI DSS. Organizations must use applications certified under PA-DSS or grandfathered under PABP. The PA-DSS will be updated in October 2008 to version 1.2 and will reflect changes made in the next iteration of the PCI DSS. 9/12/

30 PABP becomes PA-DSS Sample Clarifications Scope of PA-DSS: adds clarification Applicability to hardware terminals: specifies criteria for hardware exempt from review Responsible Parties: identifies responsibilities of: Vendors ; customers; resellers; payment brands; PCI SSC Completion Steps: provides guidance to PA-QSAs on how to complete and submit documentation Sample Additions Requirement 2.1: provides guidance on purging of cardholder data Requirement 7.2: adds testing procedures to address integrity during patches and updates Appendix A: summarizes and explains the PA-DSS Implementation Guide Appendix B: tool for PA-QSAs to confirm status of lab environment and validation process in an assessment 9/12/

31 PIN Entry Device Requirements Physical Attributes Attributes that deter physical Attacks ex penetration of device to determine key(s) Planting a PIN disclosing bug within Logical Attributes Logical security characteristics include functional capabilities that preclude: Allowing device to output clear text PIN encryption key The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and applies to devices (attended or unattended) that accept PIN entry for all PIN-based transactions as well as non-cardholder interface devices (hardware security modules) 9/12/

32 PIN Entry Device Requirements Device Types Under PED Traditional Devices include Point-of-sale PED Designed for Secure PIN Entry Attended devices (e.g., sales clerk, cashier) New Devices scheduled for 2008 include Unattended Payment Terminals (UPTs) Fuel Pumps, Kiosks, Ticketing Machines Hardware (or Host) Security Modules (HSMs) Non-cardholder interface Embedded devices that are used for: PIN translation, Card Personalization, Data Protection, Electronic Commerce 9/12/

33 PIN Entry Device Requirements UPT Process/Requirements Evaluation process same as other PCI PED evaluation processes Vendor questionnaire Assessment performed by PCI approved lab Security requirements broken down by: Core physical security Core logical security Additional online Additional offline 9/12/

34 PIN Entry Device Requirements UPT Security Requirements UPT is broken down into following key areas PIN pad expected to be a PCI approved encrypting PIN pad Separate card reader Customer display UPT controller UPT cabinet Additional cryptographic controller Communication interface Security Requirements reflect which area should be assessed in order to meet the requirement 9/12/

35 PIN Entry Device Requirements HSM Evaluations Structured like existing POS/EPP testing Security Requirements are physical and logical Vendor questionnaire to complete Testing scripts Existing labs skill sets applicable If you re a manufacturer of HSM or UPT devices, join the Council as a Participating Organization! 9/12/

36 New SAQ Objectives Self Assessment Questionnaires Self Assessment Questionnaire (SAQ) A Alignment with the PCI DSS v1.1 Based on industry feedback Flexibility for multiple merchant types Providing guidance for the intent and applicability of the underlying requirements 9/12/

37 Self Assessment Questionnaire SAQ Validation Type Description SAQ 1 Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face to face merchants A <20 Questions 2 Imprint-only merchants with no cardholder data storage B 3 Stand alone dial-up terminal merchants, no cardholder data storage 21 Questions B 21 Questions 4 Merchants with payment application systems connected to the Internet, no cardholder data storage C 38 Questions 5 All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ D Full DSS 9/12/

38 Data Storage Clarification * Data elements must be protected when stored in conjunction with PAN 9/12/

39 New Application Level Requirement Effective June 30, 2008 Addresses SQL injection, cross-site scripting and other application level attacks Complements existing requirements for secure coding of web applications (6.5) and application level penetration testing (11.3.2) Seeks to provide added assurance that sites are not vulnerable, by either of the following methods: Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. Installing an application layer firewall in front of web-facing applications 9/12/

40 Top PCI DSS Violations Requirement 1: Install and maintain a firewall to protect cardholder data Requirement 3: Protect stored data Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign a unique ID to each person with computer access Requirement 10: Track and monitor access to network and card data Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses information security Violations >50% Found During Forensic Investigations Violations <50% Found During Forensic Investigations Violations Found During Initial PCI DSS Audits 9/12/

41 A Phased Approach to Standard Updates Revised PCI Standard Revisions for Consideration Community Meeting Input from Participating Organizations, QSA s and ASV s Phase 1 Phase 2 Phase 3 PHASED APPROACH 9/12/

42 PCI SSC Vendor Programs 9/12/2008

43 QSAs Organizations that validate an entity s adherence to PCI DSS requirements are known as Qualified Security Assessors (QSAs). Over 100 QSA companies To find more about the program: urces/qualified_security_assessors.htm 9/12/

44 Qualified Security Assessor Certification Prospective QSAs Apply as a company for qualification by providing documentation adhering to the Validation Requirements for Qualified Security Assessors (QSA) v 1.1 Qualify individual employees, through training and testing, to perform security assessments Execute agreement with the PCI Security Standards Council governing performance 9/12/

45 ASVs Organizations that validate adherence by performing vulnerability scans of internet facing environments of merchants and service providers are known as Approved Scanning Vendors (ASVs). Over 130 ASVs _scanning_vendors.htm 9/12/

46 Approved Scanning Vendor Certification Prospective ASVs Apply for approval by providing documentation adhering to the Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1 Successfully complete the security scanning vendor testing and approval process. Execute agreement with the PCI Security Standards Council governing performance 9/12/

47 PED Vendors Organizations that manufacture PIN acceptance devices for use in the acceptance of PINs during a financial transaction using a payment card Approximately seventy vendors with over 170 approved devices org/pin 9/12/

48 PED Vendor Certification PED Vendors Product Approval Process Download the Program Manual, Security Requirements and supporting documents from Select a PCI recognized PED lab, enter evaluation contract and NDA with selected lab Complete the PCI PIN Entry Device Security Requirements forms and the PCI PIN Entry Device Evaluation Vendor Questionnaire Please see PCI SSC Website for complete approval process. 9/12/

49 PCI SSC Community Meetings 9/12/2008

50 Community Meeting Merchants Acquirers Approved Scanning Vendors Qualified Security Assessors Community Meeting Service Providers Brands 9/12/

51 Community Meetings Two Meetings. Responsive to Industry Orlando, Fla., September Vendor Showcase opportunity Brussels, Belgium, October Program in conjunction with PCI Europe Your Opportunity to Get Involved in Setting the Global PCI Standards Not Yet a Participating Organization? Join Us At 9/12/

52 North America When: Sept. 23 Pre Conference Workshop Sept. 24 & 25 Main Conference Where: Omni Orlando Resort at ChampionsGate 9/12/

53 Europe When: Joint Cocktail Reception with PCI Europe: October 21 Main Conference: October 22 Post Conference Workshop: October 23 Where: Crowne Plaza Brussels City Centre 9/12/

54 How To Get Involved 9/12/2008

55 Global Participation & Representation More than 400 organizations have been accepted United States 73% Asia Pacific Canada Europe Latin America/ Caribbean Central Europe /Middle East /Africa 2% 6% 16% 1% 2% 9/12/

56 Participating Organizations Categories 2% Multiple 41% Other 34% Merchant 15% Processor 8% Financial Institution 9/12/

57 A Seat at the Table Financial Institutions Merchants Gateways Processors Service Providers EFT Networks Associations Vendors Board Representation & Special Interest Groups 9/12/

58 SC8 Participating Organization Privileges Vote and Run for Participating Organization Board of Advisors Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release Attend Community Meetings Attend Quarterly Webinar Meetings Recommend new initiatives and standards Early updates on upcoming press releases Monthly bulletin from SSC General Manager Reserve Your Seat at the Table 9/12/

59 Slide 53 SC8 Update for PO priviledges etc... SIGs Merchant training Free Community Meeting Sarah Cummins, 1/9/2008

60 Board of Advisors Financial Institutions Bank of America JP Morgan Chase and Co. Citibank N.A., Global Consumer Group Commonwealth Bank of Australia The Royal Bank of Scotland Merchants British Airways, plc Exxon Mobil Corporation McDonalds Corporation Microsoft Tesco Stores Ltd. Wal-Mart Stores, Inc. Processors Chase Paymentech Solutions First Data Corporation Interac Association Moneris Solutions Corporation SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V. TSYS Acquiring Solutions Associations & Vendors APACS EPC PayPal, Inc. VeriFone, Inc. 9/12/

61 Roles and Responsibilities Provide Feedback Set Strategy Emerging Security Issues Additional Standards Evolving the Current Standard(s) Set Agenda/Programs for Community Meetings Time Commitments Face to Face Meetings (as needed) Conference Calls (regularly scheduled) SME, Panelists, Moderator (Community Meetings/Webinars) Regional & Business Category Market Feedback Ad Hoc Working Groups 9/12/

62 Board of Advisors (Working Groups) PA DSS Task Force Develop Best Practices into to Industry Standards Evolution of testing criteria in the applications Driving Marketplace adoption Members Include: Paypal Verifone Moneris JP Morgan Chase Community Meeting Agenda Task Force Restructure Agenda Define clear business models to use going forward Members Include: Paypal TSYS Acquiring Solutions Microsoft RBS Outreach and Education Task Force Identify additional marketing and educational needs, based on industry size, region, etc. Members Include: Walmart Stores Inc. APACS British Airways First Data Corporation 9/12/

63 Participating Organizations Financial Associations Other POS Processors Merchants Vendors Institutions For a full list: For a full list: 9/12/

64 Need More Information? Go to: and find information on: Frequently Asked Questions PCI Documentation Contact Information 9/12/

65 Thank You! 9/12/2008