PCI DSS Compliance Services January 2016

Transcription

1 PCI DSS Compliance Services January Galitt-PCI DSS Compliance Services.pptx

2 Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 2

3 Introduction Global trends Advances in the payment sector have created opportunities for card-based payments over various channels : face-to-face, internet, mobile Contactless Cards & NFC Mobile Acceptance E-commerce & M-commerce Digital Wallets Chip on the Cloud / HCE Rise of card payments across the globe (Card Present & Card Not Present) Growth of fraud and security breaches In 2014, card-based payment fraud in France is estimated to 395,6 million euros, with a projection for a 10% increase every year Copyright Galitt 3

4 Introduction The French card-based payment eco-system Embedded security at various levels Payment transaction authorisation management (e-rsb) Use of EMV Chip-and-PIN vs. magnetic stripe cards Extended interoperability between domestic banks Benefits Convenience for the cardholder High transaction processing and payment guarantee for merchants Following a data breach in France, fraud may be performed wherever an equivalent security framework is not enforced. This risk must not be underestimated; everyone must take responsibility for protecting cardholder data from compromise. BUT BEWARE! Copyright Galitt 4

5 Introduction The impacts of a data breach Damage of reputation and loss of credibility Depending on the extent of the breach, brand value may be highly impacted, dropping of 17% to 31% Average reputation recovery time is of 11,8 months Financial loss Average cost of data breach (total): 2,9M Average cost of data breach (per record) : 127 Re-issuing of compromised cards Loss of revenue Penalties from card brands Collateral damages: business consequences Loss of credibility by business partners: card brands, banks, service providers, merchants, Key impacts Damage of reputation and brand value Remediation of security vulnerabilities Card brand penalties Fraud costs High attrition rate (e.g. 4,4% in France) 5 (*) Source: «2011-Ponemon_reputation_impact_of_a_compromission» (**) Source: Report ''Cost of Data Breach' of Ponemon Institute et Symantec June, 2013 Copyright Galitt 5

6 Introduction Data breach figures in France and abroad Attacks and fraud schemes perpetrated in France 3x Compromise of merchant points of sale and ATMs has tripled between 2011 and 2012, according to the GIE CB report. 160K Loss of euros in a MIM card fraud scheme performed against a large merchant in 2014/ Approximately 200 points of sale terminals were hacked in 2013 while only 30 were compromised in Over 500 gas pumps were compromised in 2014, rising from 188 in 2012 (source: 2014 OSCP report) Data breaches abroad Hacking of a US leading hotel group in September 2015, compromising payment terminals in restaurants, bars and gifts shops. 80M 80 millions customers could be impacted by data compromised within a US leading health insurance company (2015) Increase of face-to-face merchants accepting CB counterfeit cards in France, compromised through fraud schemes abroad (source: GIE CB report) (**) OSCP : Observatoire de la Sécurité des Cartes de Paiement Copyright Galitt 6

7 Introduction Darknet markets Large volumes of card data reselling on «Carding» websites Average value on the market: Stolen cardholder data Primary Account Number (PAN) and CVX2: 1 Magnetic stripe data: from 8 to 73 «White plastic» card with magnetic stripe: 100 Magnetic stripe data and PIN code: Fraud kits Malware: from to Skimming equipment: from to Fraud opportunities based on stolen cardholder data PAN: purchase of goods in insecure e-commerce websites (no CVX2 validation) PAN + Expiry Date + CVX2: purchase of goods in classic e-commerce websites Complete ISO2 magnetic stripe : card-present transactions in non-emv environments Complete ISO2 magnetic stripe data + PIN : card-present transactions and cash withdrawal in non-emv environments Copyright Galitt 7

8 Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 8

9 Overview of the PCI DSS standard Background Initially developed by the 5 card brands below Supported by major players in the payment card industry (e.g. smartcard and terminal manufacturers) Objectives of PCI standards Reduce card fraud by protecting cardholder data Define a common approach and set of rules to be adopted by major card brands, based on existing cardholder data protection programmes Define a set of industry-wide requirements and processes through different standards Copyright Galitt 9

10 Overview of the PCI DSS standard PCI DSS aims to protect Cardholder Identification and Sensitive Authentication Data Track-equivalent data also stored in the chip Magnetic stripes (tracks 1 and 2 containing PIN block Personal Identification Number encrypted PIN and Service Code) Bank Logo Primary Account Number (PAN) 123 Cardholder name Expiry date Card verification code (CAV2/CVC2/CVV2/CID) Cardholder Identification Data Primary Account Number (PAN) Cardholder Name Expiration Date Service Code Sensitive Authentication Data Full track data (magnetic-stripe data or equivalent on a chip) CVX2 (CAV2/CVC2/CVV2/CID) PINs/PIN blocks Copyright Galitt 10

11 Overview of the PCI DSS standard Who s subject to PCI DSS? PCI DSS applies to all entities involved in payment card processing that either store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD): Merchants that accepts card-based payments from one or many card brands Payment Service Providers (PSP) Acquiring and Issuing banks PCI DSS is used as a technical and operational standard to protect cardholder data. The table below provides a high-level overview of the 12 PCI DSS requirement groups: Build and Maintain a Secure Network and Systems Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel Copyright Galitt 11

12 Overview of the PCI DSS standard Merchant profiles vs. PCI DSS compliance validation requirements LEVEL MERCHANT PROFILE COMPLIANCE VALIDATION REQUIREMENTS Merchants processing more than 6 million Visa or MasterCard transactions annually via all channels Merchants that have been compromised Merchants identified as a level 1 by another card brand Any merchant designated by the card brand at its discretion Merchants processing between 1 and 6 million Visa or MasterCard transactions annually via all channels. Merchants identified as a level 2 by another card brand Merchants processing from 20,000 to 1 million Visa or MasterCard e-commerce transactions annually. Merchants identified as a level 3 by another card brand. Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually. Non e-commerce merchants processing up to 1 million Visa transactions annually. Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or qualified Internal Security Auditor (ISA) Quarterly vulnerability scan by an Approved Scanning Vendor (ASV) Attestation of Compliance form (AoC) Exemption: declassification to a level 2 in case of 95% EMV transactions Annual Self-Assessment Questionnaire (SAQ). Assistance by a Qualified Security Assessor is required. Quarterly vulnerability scan by an Approved Scanning Vendor (ASV) Attestation of Compliance form (AoC) Annual Self-Assessment Questionnaire (SAQ) Quarterly vulnerability scan by an Approved Scanning Vendor (ASV) Attestation of Compliance form (AoC) Exemption: scan exemption for merchants using certified solutions Annual Self-Assessment Questionnaire (SAQ) Quarterly vulnerability scan by an Approved Scanning Vendor (ASV) Attestation of Compliance form (AoC) The merchant profile is defined based on the total number of transactions processed by the merchant s multiple acquiring banks. Domestic transactions performed with co-badged cards (VISA or MasterCard + Carte Bancaire) must also be accounted for. Copyright Galitt 12

13 Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 13

14 PCI DSS compliance approach A PCI DSS compliance program may transform the organisation not only from a technical perspective, but also from a business processes standpoint. The success of such a program depends on the involvement and contribution of different business functions : people. Key questions 1 2 What is the scope of my organisation subject to PCI DSS? How can this scope be reduced? Platforms Operating Systems HR Payment processes Project sponsors Contributors Information Systems IT Business processes People Project governance Finance Accounting Project Managers Senior Management Legal Networks Databases 3 What is the best compliance strategy for my organisation? Applications Copyright Galitt 14

15 PCI DSS compliance approach Key drivers and challenges for conducting a PCI DSS compliance program Drivers Challenges X Improved risk management approach, which as a result, reduces the likelihood of security breaches and data theft. Perception as a trusted partner as security is demonstrated to be a priority within organisation. Reduce or avoid financial penalties by card brands in case of data theft by demonstrating compliance and a strong security posture. Defining the scope of the program is a complex task and often requires the help of a QSA. Roles and responsibilities to deliver the program are often unclear. Obtaining support from Senior Management is key to the success of the program and therefore mandatory. Maintaining the state of compliance as the environment rapidly evolves. Adopt PCI DSS as a security baseline, enforcing best practice to protection general sensitive data. PCI DSS work streams being deprioritized due to budget constraints and other internal, competing initiatives. Copyright Galitt 15

16 COMPLIANCE REMEDIATION Project management PLANNING & PREPARATION PCI DSS compliance approach Galitt can assist your organisation throughout all phases of a PCI DSS compliance program Definition of the Cardholder Data Environment (scope) Business Process and Applications Mapping PCI DSS Compliance Strategy and Roadmap PCI DSS training and awareness PCI DSS Gap Analysis and Remediation Plan Consulting, implementation of security controls, remediation of findings Certification audit (Level 1 merchants) Self Assessment Questionnaire (Merchants of level 2, 3 and 4) External vulnerability scans from an «Approved Scanning Vendor» Copyright Galitt 16

17 Galitt contact details Thank you! Contacts Rémi GITZINGER Director - Payment Consulting r.gitzinger@galitt.com Bruno KOVACS Consulting Manager & QSA b.kovacs@galitt.com Copyright Galitt US 17