Information about this New Manual

New Manual
This MasterCard Security Standard Applicable to Merchants and Member Service Providers, dated April 2003, is an entirely new manual.

Contents
This manual contains security standards for merchants and Member Service Providers who store MasterCard accountholder data in an electronic commerce environment. Please refer to Using this Manual for a complete list of the contents of this manual.

Billing
MasterCard will not bill for this document.

Questions?
If you have questions about this manual, please contact the Global Member Operations Support team or your regional help desk. Please refer to Using this Manual for more contact information.

MasterCard is Listening
Please take a moment to provide us with your feedback about the material and usefulness of the MasterCard Security Standard Applicable to Merchants and Member Service Providers using the following address: publications@mastercard.com

We continually strive to improve our publications. Your input will help us accomplish our goal of providing you with the information you need.

MasterCard Security Standard Applicable to Merchants and Member Service Providers
April 2003

Copyright
The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and its members. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks
Trademark notices and symbols used in this manual reflect the registration status of MasterCard trademarks in the United States. Please consult with the Global Member Operations Support team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States. All third-party product and service names are trademarks or registered trademarks of their respective owners.

Media
This document is available:
- On MasterCard OnLine
- On the MasterCard Site Data Protection Web site

MasterCard International Incorporated
2200 MasterCard Boulevard
O'Fallon MO USA

Pub Code: SDP

Table of Contents

Using this Manual
  Purpose
  Audience
  Overview
  Excerpted Text
  Language Use
  Times Expressed
  Revisions
  Related Information
  Support
    Member Relations Representative
    Regional Representative

Chapter 1: MasterCard Site Data Protection Program
  Background
  MasterCard Site Data Protection Program
    MasterCard Security Standard
    Components
    Solutions
    Rules
    Security Vendor Certification
  Meeting Compliance Requirements

Chapter 2: MasterCard E-commerce Self-Assessment Requirements
  Overview
  MasterCard E-commerce Annual Security Self-Assessment
  Self-Assessment Rating System
  Self-Assessment Requirements and Best Practices

Chapter 3: Network Scan Requirements
  Overview
  Requirements for Conducting Network Scans
  Scan Reporting

Glossary

Using this Manual

This chapter contains information that helps you understand and use this document.

  Purpose
  Audience
  Overview
  Excerpted Text
  Language Use
  Times Expressed
  Revisions
  Related Information
  Support
    Member Relations Representative
    Regional Representative

Purpose

The MasterCard Security Standard Applicable to Merchants and Member Service Providers guide provides electronic commerce acquirers and their merchants and related Member Service Providers (MSP) with Standards for participating in the MasterCard Site Data Protection Program and for demonstrating compliance.

Audience

MasterCard provides this manual to members and to their merchants and MSPs that store MasterCard accountholder data in an electronic commerce environment.

Overview

The following table provides an overview of this manual:

Table of Contents
  A list of the manual's chapters and subsections. Each entry references a chapter and page number.

Using this Manual
  A description of the manual's purpose and its contents.

Chapter 1: MasterCard Site Data Protection Program
  An overview of electronic commerce transactions and the Site Data Protection Program developed by MasterCard to combat the security threats associated with electronic commerce.

Chapter 2: MasterCard E-commerce Self-Assessment
  A description of the MasterCard E-commerce Self-Assessment for e-commerce merchants and Member Service Providers.

Chapter 3: Network Scan Requirements
  Outlines the SDP scan requirements for scanning merchant and Member Service Provider e-commerce infrastructures.

Glossary
  A dictionary of terms and acronyms used by MasterCard in the Site Data Protection Program.

Excerpted Text

At times, this document may include text excerpted from another document. A note before the repeated text always identifies the source document. In such cases, we include the repeated text solely for the reader's convenience. The original text in the source document always takes legal precedence.

Language Use

The spelling of English words in this manual follows the convention used for U.S. English as defined in Webster's New Collegiate Dictionary. MasterCard is incorporated in the United States and publishes in the United States. Therefore, this publication uses U.S. English spelling and grammar rules. An exception to the above spelling rule concerns the spelling of proper nouns. In this case, we use the local English spelling.

Times Expressed

MasterCard is a global company with locations in many time zones. The MasterCard operations and business centers are in the United States. The operations center is in St. Louis, Missouri, and the business center is in Purchase, New York. For operational purposes, MasterCard refers to time frames in this manual as either St. Louis time or New York time. Coordinated Universal Time (UTC) is the basis for measuring time throughout the world.

You can use the following table to convert any time used in this manual into the correct time in another zone:

Standard time (last Sunday in October to the first Sunday in April [a]):
  St. Louis, Missouri USA (Central Time)   9:00
  Purchase, New York USA (Eastern Time)   10:00
  UTC                                     15:00

Daylight saving time (first Sunday in April to last Sunday in October):
  St. Louis, Missouri USA (Central Time)   9:00
  Purchase, New York USA (Eastern Time)   10:00
  UTC                                     14:00

[a] For Central European Time, last Sunday in October to last Sunday in March.

Revisions

MasterCard periodically will issue revisions to this document as we implement enhancements and changes, or as corrections are required. With each revision, we include a Summary of Changes describing how the text changed. Revision markers (vertical lines in the right margin) indicate where the text changed. The date of the revision appears in the footer of each page.

Occasionally, we may publish revisions or additions to this document in an Operations Bulletin or other bulletin. Revisions announced in another publication, such as a bulletin, are effective as of the date indicated in that publication, regardless of when the changes are published in this manual.

Related Information

The following documents and resources provide information related to the subjects discussed in this manual:
- MasterCard Security Standard Applicable to Vendors
- Electronic Commerce Security Architecture Best Practices
- Electronic Commerce Requirements and Best Practices for Acquirers

Support

Please address your questions to the Global Member Operations Support team as follows:

Phone: or (Spanish Language support)
Fax: Canada, Caribbean, and U.S.; Asia/Pacific; Europe; South Asia/Middle East/Africa; Latin America (Spanish Language support)
Address: MasterCard International Incorporated, Global Member Operations Support, 2200 MasterCard Boulevard, O'Fallon MO USA
Telex: answerback: ITAC UI

Member Relations Representative

Member Relations representatives assist U.S. members with marketing inquiries. They interpret member requests and requirements, analyze them, and if approved, monitor their progress through the various MasterCard departments. This does not cover support for day-to-day operational problems, which the Global Member Operations Support team addresses.

To find out who your U.S. Member Relations representative is, contact your local Member Relations office: Atlanta, Chicago, Purchase, or San Francisco.

Regional Representative

The regional representatives work out of the regional offices. Their role is to serve as intermediaries between the members and other departments in MasterCard. Members can inquire and receive responses in their own language and during their office's hours of operation.

To find out the location of the regional office serving your area, call the Global Member Operations Support team at:

Phone: or (Spanish Language support)

Chapter 1: MasterCard Site Data Protection Program

This chapter provides an overview of electronic commerce transactions and the Site Data Protection Program developed by MasterCard to combat the security threats associated with electronic commerce.

  Background
  MasterCard Site Data Protection Program
    MasterCard Security Standard
    Components
    Solutions
    Rules
    Security Vendor Certification
  Meeting Compliance Requirements

Background

Electronic commerce is the business of buying and selling products, information, or services in an Internet-based environment. Unlike traditional face-to-face transactions, e-commerce shoppers and merchants communicate through a public computer network. E-commerce transactions are predominantly conducted via a credit or debit card.

Typically, e-commerce merchants store cardholder information in databases to streamline the consumer checkout process. In doing so, Web merchants compile databases containing hundreds, thousands, or even millions of payment card accounts. For hackers, these databases represent a tremendous opportunity for theft and fraud.

MasterCard research indicates that Internet security concerns continue to play a major role in consumer reluctance to make online purchases. In fact, one study shows that three-quarters of those who do not shop online are concerned about unauthorized individuals gaining access to their personal information. Media reports about the hacking of top Web sites and the resulting theft of payment card information further fuel consumer concern.

For online merchants, a hacker break-in can have potentially devastating consequences, including service disruptions, vandalism, extortion, and the loss of consumer confidence. Hacker intrusions that result in an account data compromise present a particular source of financial risk for MasterCard and for members.

MasterCard Site Data Protection Program

To help combat the security threats associated with electronic commerce, MasterCard launched the MasterCard Site Data Protection (SDP) Service in February
To encourage the adoption of security measures online, MasterCard has expanded the concept and developed the MasterCard Site Data Protection Program.

This comprehensive, flexible program calls for members to adopt, implement, and maintain data security compliance programs for themselves and for their electronic commerce merchants and Member Service Providers (MSP) that participate in or support MasterCard-branded electronic commerce. A MasterCard member that wishes to benefit from participation in the SDP Program is fully responsible for ongoing compliance with the MasterCard Security Standard by itself and by all participants in the member's programs.

MASTERCARD MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, WITH RESPECT TO THE SUBJECT MATTER OF THE SITE DATA PROTECTION PROGRAM OR THE CONTENTS OF THIS MASTERCARD SECURITY STANDARD APPLICABLE TO MERCHANTS AND MEMBER SERVICE PROVIDERS MANUAL. MASTERCARD SPECIFICALLY DISCLAIMS ANY AND ALL REPRESENTATIONS AND WARRANTIES, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE.

Member acknowledges and agrees that MasterCard shall not be liable to the member (or any third party, including customers of the member) for any:
- Loss, or
- Damages (including direct, special, punitive, exemplary, incidental, or consequential damages), or
- Costs (including attorney's fees)

that arise from the member's (or the member's merchants' or MSP's) participation in, use of, or failure to participate in or use the SDP Program (or any component thereof), or otherwise arise from or relate to the SDP Program. The foregoing limitation of liability shall apply to any claim or cause of action under law or equity whatsoever, including contract, warranty, strict liability, or negligence, even if MasterCard has been notified of the possibility of such damages or claim.

MasterCard is deploying the MasterCard Site Data Protection Program through its acquirers worldwide and on a voluntary basis. Through active participation, MasterCard acquirers can ensure that e-commerce merchants and MSPs adequately protect their environments against hacker intrusions. Additionally, acquirers that ensure that merchants and MSPs comply with the requirements detailed in the program may be afforded a partial or full waiver of assessments in cases of an account data compromise.

The MasterCard Site Data Protection Program consists of the following elements:

MasterCard Security Standard
- MasterCard Security Standard Applicable to Vendors
- MasterCard Security Standard Applicable to Merchants and Member Service Providers
- Electronic Commerce Security Architecture Best Practices
- Electronic Commerce Requirements and Best Practices for Acquirers

Components
- Electronic commerce self-assessment tool for merchants and Member Service Providers
- Security scanning tools

Solutions
- Existing MasterCard Site Data Protection Service, a solution offered by MasterCard through acquiring members
- Alternative Vendor Solutions that are compliant with the MasterCard Security Standard Applicable to Vendors

Rules
- Account Data Compromise Rules, including the associated waiver process through SDP Program compliance
- Merchant Registration Process through MasterCard Alerts for MasterCard Standard compliance

Security Vendor Certification
- Voluntary, fee-based service for the vendor community to gain MasterCard Standard compliant certification for marketing security services to acquirers, members, and Member Service Providers

MasterCard Security Standard

MasterCard has developed the following four documents that encompass the MasterCard Security Standard:

1. MasterCard Security Standard Applicable to Vendors: Presents requirements for third-party vendor solutions to be considered MasterCard compliant.
2. MasterCard Security Standard Applicable to Merchants and Member Service Providers: Provides e-commerce acquirers, merchants, and MSPs with MasterCard requirements for participating in the MasterCard Site Data Protection Program and for demonstrating compliance.
3. Electronic Commerce Security Architecture Best Practices: Provides e-commerce merchants and MSPs with best practices for developing and maintaining secure electronic commerce platforms.
4. Electronic Commerce Requirements and Best Practices for Acquirers: An electronic commerce resource for acquirers covering topics such as coding transactions, privacy, security, and more.

All of the above documents are available to members via the Member Publications product on MasterCard OnLine.

Components

E-commerce merchants and MSPs that elect to participate in the MasterCard Site Data Protection Program must use two tools to determine their compliance with this Standard:

1. The Electronic Commerce Self-Assessment is a tool that asks merchants and MSPs a series of questions relating to information and network security. The assessment provides a self-grading mechanism, which allows immediate determination of compliance with the MasterCard Security Standard.
2. Security Scanning tools are vulnerability assessment tools which determine flaws in e-commerce merchant and MSP network infrastructures.

The detailed requirements for the security self-assessment and network scans are contained in chapters 2 and 3 of this document.

Solutions

MasterCard members, e-commerce merchants, and MSPs can select the solution that best fits their needs. They can use either of the following:

1. The MasterCard Site Data Protection (SDP) Service, which is a service offered by MasterCard through the acquirer.
2. A third-party vendor or security consultant solution that is compliant with the MasterCard Security Standard Applicable to Vendors.

Note: MasterCard acquirers that choose to deploy third-party solutions are responsible for ensuring that those solutions meet the requirements detailed in the MasterCard Security Standard Applicable to Vendors manual. MasterCard will offer an optional vendor certification program that will facilitate this evaluation.

Rules

A MasterCard acquirer is subject to an assessment in cases of account data compromise. MasterCard rules require members to ensure that all e-commerce merchants and MSPs keep all systems and media containing MasterCard account, cardholder, or transaction information (whether physical or electronic) in a secure manner to prevent access by, or disclosure to, any unauthorized party. Additionally, all sensitive cardholder information that the merchant or MSP no longer considers necessary to retain must be destroyed in a manner that will render the data unreadable.

If an intrusion occurs, whether in the acquirer's merchant systems or MSP systems, the acquirer must provide MasterCard with complete information about the compromise and engage a data security firm in compliance with the MasterCard Security Standard Applicable to Vendors manual to assess the vulnerabilities of the merchant or MSP systems. MasterCard may impose assessments, including an incident assessment, administration fees, and issuer card-recovery fees, on the acquirer. Members should consult the Security Rules and Procedures manual, chapter 7, and Bylaws and Rules, chapter 9, for more information.

An acquirer can request a waiver from assessments based on a MasterCard review of the security situation at the time of the compromise. Eligibility criteria include, but are not limited to:

- The compromised party has used a solution that meets the MasterCard Security Standard.
- The compromised merchant or MSP is found to be SDP compliant at the time of the account data compromise. Additionally, the compromised party must produce self-assessment reports with a Green or Yellow rating, and scan reports with no level three, four, or five vulnerabilities, to demonstrate compliance with the MasterCard Security Standard Applicable to Merchants and Member Service Providers.
- The acquirer has registered the compromised merchant and/or associated MSP as being compliant with the MasterCard Security Standard Applicable to Merchants and Member Service Providers. Acquirers can register merchants and associated MSPs through the MasterCard Merchant Registration Program (available through the MasterCard Alerts Product). Details regarding merchant registration procedures and pricing can be found in the Security Rules and Procedures manual.

MasterCard will examine all circumstances to determine if a waiver or partial waiver of assessment is appropriate. Any such determination is made in MasterCard's sole discretion and is final and not subject to appeal.

Security Vendor Certification

To be eligible for any waiver of an assessment resulting from an account data compromise, MasterCard acquirers must ensure that their electronic commerce merchants and MSPs use the services of a security vendor that complies with the MasterCard Security Standard Applicable to Vendors. Using the MasterCard Security Standard Applicable to Vendors, members can self-evaluate vendors for compliance.

Security vendors that wish to be certified by MasterCard should visit the MasterCard SDP Program Web site at for certification procedures. Additionally, MasterCard will deploy a voluntary, fee-based security vendor certification service in
A list of certified security vendors will be available on the MasterCard SDP Web site.

Meeting Compliance Requirements

An acquirer must ensure that any of its merchants or MSPs that are afforded access to account data, store account data, or both, are in compliance with the MasterCard Security Standard. Specifically, an acquirer must ensure its e-commerce merchants and MSPs meet the following conditions in order to qualify as SDP compliant:

- All e-commerce merchants and MSPs must complete an annual self-assessment, which is included in this manual and posted in a PDF file format on the MasterCard Site Data Protection Web site at
  Using the self-assessment grading system, e-commerce merchants and MSPs can immediately determine if their security measures are acceptable (Green and Yellow) or unacceptable (Red).
- A merchant having an average monthly e-commerce gross dollar volume (egdv) in excess of USD 50,000 or with greater than 1,000 transactions per month is defined as a large merchant. Large merchants and all e-commerce MSPs must scan their Web infrastructure quarterly. An e-commerce merchant having less than USD 50,000 egdv or less than 1,000 transactions per month must scan its Web infrastructure annually.

  Note: Acquirers should determine merchant monthly egdv and transaction volumes based on an average of the previous 12 months.

- The scan reports must indicate that no level 3, 4, or 5 vulnerabilities exist. If these risks do exist, corrective measures must be taken to bring security into compliance as outlined in this document. After taking corrective measures, users must retake the survey and produce a clean scan report to demonstrate compliance.

To ensure compliance, acquirers should request and review completed merchant and MSP reports (self-assessment and scan reports). Once the acquirer determines compliance, the merchant or MSP must be registered through the MasterCard Alerts product on MasterCard Online.

Acquirers should also strongly suggest that Web site infrastructure designs be in accordance with the Electronic Commerce Security Architecture Best Practices manual.

Chapter 2: MasterCard E-commerce Self-Assessment Requirements

This chapter provides a description of the MasterCard E-commerce Self-Assessment for e-commerce merchants and Member Service Providers.

  Overview
  MasterCard E-commerce Annual Security Self-Assessment
  Self-Assessment Rating System
    Determining the Issue Severity
    Rating the Assessment Results
  Self-Assessment Requirements and Best Practices
    Section 1: Security Management
    Section 2: Access Control
    Section 3: Operational Security
    Section 4: Application and System Development
    Section 5: Network Security
    Section 6: Physical Security

Overview

This chapter provides a description of the MasterCard E-commerce Self-Assessment. SDP compliance by an acquirer requires that all of its e-commerce merchants and Member Service Providers (MSP) successfully complete an annual security self-assessment, which is included following this chapter and posted on the MasterCard Web site at
Before completing the assessment, acquirers, merchants, and Member Service Providers should read and understand the following information and guidelines.

MasterCard E-commerce Annual Security Self-Assessment

The Annual Self-Assessment sorts security issues into six distinct categories:

1. Security Management
2. Access Control
3. Operational Security
4. Application and System Development
5. Network Security
6. Physical Security

Within each category, MasterCard has developed requirements and best practices applicable to e-commerce merchants and MSPs. Each requirement and best practice has a description, an indication of the severity of the issue, and the intended audience of the practice. The security requirements and best practices set forth in this chapter correspond to a series of questions that e-commerce merchants and MSPs are required to answer as part of the self-assessment.

Select either the small merchant self-assessment or the large merchant self-assessment based on the following definitions:

Definition: MasterCard defines a small merchant as a merchant with an average monthly MasterCard e-commerce gross dollar volume (egdv) less than USD 50,000 or with less than 1,000 e-commerce transactions per month.

Definition: MasterCard defines a large merchant as a merchant with an average monthly MasterCard egdv greater than USD 50,000 or with greater than 1,000 e-commerce transactions per month.

Definition: As used herein, Member Service Provider means an entity (other than MasterCard or any of its related companies) that provides services to an acquirer, an electronic commerce merchant of the acquirer, or both, and that stores, displays, compiles, creates or transfers, directly or indirectly, account data or components thereof. Examples of Member Service Providers include, but are not limited to, Third Party Processors (TPPs), Transaction Gateways and Web Hosting providers that store and have access to MasterCard account data.

If an acquiring member operates a payment gateway or host solution that stores or has access to account information, then the acquirer itself is deemed a Member Service Provider for purposes of the SDP Program Standards, and is required to meet the SDP minimum security requirements outlined for large merchants, as presented in this document.

MasterCard Member Service Provider (MSP) rules require that any entity that stores or is afforded access to MasterCard account data must be registered as a Member Service Provider. Details regarding MSP rules can be found in the Bylaws and Rules manual.

Self-Assessment Rating System

The MasterCard E-commerce Self-Assessment is one component of the SDP Program. It provides a self-rating mechanism to help merchants determine whether their security measures meet the MasterCard guidelines. The self-assessment consists of questions, each with a yes or no answer.

Determining the Issue Severity

Each question is marked with one of two symbols:

Critical security requirement: Could potentially leave cardholder data at risk. E-commerce merchants and MSPs must successfully incorporate these requirements to have an acceptable rating.

Security best practice: MasterCard recommends these best practices to reduce the long-term risk of account data compromise.

Rating the Assessment Results

Each of the six security categories has a separate rating in the assessment. The overall assessment rating is determined by the individual section ratings.

IF all questions (critical security requirements and security best practices) are answered with yes, THEN the category rating is GREEN, which means that the e-commerce merchant or MSP is compliant with the self-assessment portion of the SDP program.

IF all critical security requirement questions are answered with yes, but some security best practice questions are answered with no, THEN the category rating is YELLOW, which means that although the e-commerce merchant or MSP has achieved compliance with the SDP self-assessment, there are security risks that need examination.

IF any critical security requirement question is answered with no, THEN the category rating is RED, which means that the e-commerce merchant or MSP is not considered compliant. To reach compliance with the self-assessment, the risk(s) must be resolved, and the survey must be retaken to demonstrate compliance.

Self-Assessment Requirements and Best Practices

Following are all of the security requirements and best practices that appear on the actual MasterCard E-commerce Self-Assessment, sorted by security category.

Section 1: Security Management

Information Security Management (applies only to large merchants and service providers)

Information security management is the process of ensuring authorized Web infrastructure use, maintaining confidentiality and data integrity, and auditing information systems and the data they contain. It involves identifying assets, threats, and vulnerabilities that could potentially lead to cardholder information compromise, and taking appropriate protective measures to prevent a compromise. Failure to have an information security management process can result in unexpected losses, incidents, and unknown or mismanaged risks.

Implement an information security management process.
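As an added illustration (not part of the manual and not MasterCard tooling), the following Python models the rating rules above together with the merchant-size, scan-frequency and clean-scan conditions from Meeting Compliance Requirements. The worst-of aggregation for the overall rating and the treatment of values exactly at a threshold are assumptions, marked in the comments.

```python
"""Model of the SDP self-assessment rating and compliance conditions (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Rating(str, Enum):
    GREEN = "GREEN"    # compliant with the self-assessment portion of SDP
    YELLOW = "YELLOW"  # compliant, but best-practice gaps need examination
    RED = "RED"        # not compliant; resolve the risks and retake the survey


@dataclass(frozen=True)
class Question:
    text: str
    critical: bool  # True: critical security requirement; False: security best practice
    answer: bool    # True means the merchant or MSP answered "yes"


def rate_category(questions: List[Question]) -> Rating:
    """Per-category IF/THEN table: any critical 'no' is RED, all 'yes' is GREEN,
    otherwise YELLOW (all criticals 'yes', at least one best practice 'no')."""
    if not questions:
        raise ValueError("a category must contain at least one question")
    if any(not q.answer for q in questions if q.critical):
        return Rating.RED
    if all(q.answer for q in questions):
        return Rating.GREEN
    return Rating.YELLOW


_SEVERITY = {Rating.GREEN: 0, Rating.YELLOW: 1, Rating.RED: 2}


def rate_assessment(categories: Dict[str, List[Question]]) -> Tuple[Rating, Dict[str, Rating]]:
    """Rate each of the six categories and derive the overall rating. The manual says the
    overall rating is determined by the section ratings but not how; assumption: worst-of."""
    per_category = {name: rate_category(qs) for name, qs in categories.items()}
    overall = max(per_category.values(), key=lambda r: _SEVERITY[r])
    return overall, per_category


def merchant_size(monthly_egdv_usd: List[float], monthly_transactions: List[int]) -> str:
    """Classify from the 12-month averages the manual tells acquirers to use.
    Large: average egdv above USD 50,000 or above 1,000 transactions per month.
    Assumption: a value exactly at a threshold is small (the text says 'in excess of')."""
    if len(monthly_egdv_usd) != 12 or len(monthly_transactions) != 12:
        raise ValueError("provide the previous 12 months of volume")
    avg_egdv = sum(monthly_egdv_usd) / 12
    avg_txns = sum(monthly_transactions) / 12
    return "large" if avg_egdv > 50_000 or avg_txns > 1_000 else "small"


def required_scans_per_year(entity: str, size: str) -> int:
    """Large merchants and all e-commerce MSPs scan quarterly; small merchants annually."""
    if entity not in ("merchant", "msp"):
        raise ValueError("entity must be 'merchant' or 'msp'")
    return 4 if entity == "msp" or size == "large" else 1


def scan_is_clean(vulnerability_levels: List[int]) -> bool:
    """A scan report (vulnerability levels 1-5) passes only if no level 3, 4 or 5 is present."""
    return all(level < 3 for level in vulnerability_levels)


def sdp_compliant(categories: Dict[str, List[Question]], entity: str, size: str,
                  scan_levels: List[int], scans_last_year: int) -> Tuple[bool, str]:
    """Combine the three conditions an acquirer checks before registering a merchant or MSP."""
    overall, _ = rate_assessment(categories)
    if overall is Rating.RED:
        return False, "self-assessment rated RED; resolve risks and retake the survey"
    if not scan_is_clean(scan_levels):
        return False, "scan report shows level 3, 4 or 5 vulnerabilities"
    needed = required_scans_per_year(entity, size)
    if scans_last_year < needed:
        return False, f"{needed} scans per year required, {scans_last_year} produced"
    return True, f"compliant (self-assessment {overall.value})"


if __name__ == "__main__":
    # Constructed sample: a merchant whose only gap is a best practice in Access Control.
    sample = {
        "Security Management": [Question("Information security policy", True, True)],
        "Access Control": [Question("Unique user IDs", True, True),
                           Question("Periodic access review", False, False)],
    }
    size = merchant_size([40_000.0] * 12, [1_200] * 12)   # large by transaction count
    print(sdp_compliant(sample, "merchant", size, [1, 2], scans_last_year=4))
```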

Information Security Policy (applies only to large merchants and service providers)

An information security policy establishes an authorization process for accessing information. A good policy clearly defines user authority. It is important to distribute the policy to all parties critical to the information security situation, including employees, contractors, and business partners. It is also important to update the policy if the environment changes. Failure to have an information security policy can result in information security risks.

Establish an information security policy, and review it annually.

Risk Analysis

Risk analysis is the process of taking inventory of all potential threats and vulnerabilities associated with the storage and processing of cardholder information. The goal of risk analysis is to identify all risks and ensure the necessary controls are in place to prevent any disclosure or compromise of cardholder information. Failure to conduct a regular risk analysis could leave risks hidden or inadequately addressed.

Implement a risk analysis process.

Awareness Training

Awareness training educates people on the risks and threats involved with the merchant or MSP e-commerce environment. People are often the weakest link in a security environment; good awareness training can educate them about potential risks and about avoiding exposure. Awareness training also creates a common vocabulary enabling the communication and understanding of security risks. Failure to have an awareness-training program invites irresponsibility and errors that may result in a security compromise.

Implement an awareness-training program, and repeat the program on a yearly basis.

Incident Response Management

All e-commerce merchants or MSPs can be subject to an incident that either attempts or results in an account data compromise. A good incident response plan is critical to successfully manage this type of event.

Failure to have an adequate incident response plan could leave the merchant or MSP unable to react or recover in a timely manner. In addition, the lack of an incident response plan increases the risk that an incident could go unnoticed.

Implement an incident response plan. The incident plan should detail a core response team, an incident reporting procedure, and an incident handling policy.

Roles and Responsibilities

Good security management should include definition of the roles and responsibilities of the people working in the e-commerce merchant or MSP organization.

Failure to appoint a person responsible for information security could result in a lack of security focus and lead to a security compromise.

At a minimum, the organization should designate a person responsible for information security. In larger organizations, this person is typically an information security officer. An information security officer is dedicated to information security and the protection of assets.

Applies only to large merchants and service providers.

Compliance Audit

A security compliance audit verifies that a security policy is in place, and that employees are following procedures.

Failure to audit compliance on a regular basis can result in noncompliance with the policy and procedures, and allow threats and risks to go unnoticed.

Assess organizational and employee compliance with the security policy on a regular basis.

Confidentiality

Merchants that outsource all or part of their operation to the management of a third party need to exercise care when entering into contracts with these entities to protect the confidentiality of account data.

Failure to have a confidentiality clause in the contracts with parties having access to confidential cardholder information puts the merchant or MSP in a weak legal position if sensitive cardholder information is disclosed.

Contracts with third parties that store or have access to sensitive cardholder information should contain a confidentiality clause to guarantee the protection of account data. This is particularly applicable to contractors and external suppliers.

All service providers that have access to and/or store MasterCard account data must be registered with MasterCard as a Member Service Provider.

Section 2: Access Control

Access Control and Accountability

Access control mechanisms prevent unauthorized access to systems that store or process sensitive account data. The most common form of access control is a username and password. If additional security is required, user authentication may require more complex mechanisms such as smart cards, tokens, or Secure ID cards. Authentication with these devices is known as strong authentication or two-factor authentication because the user requires both the device and the associated Personal Identification Number (PIN).

Access control mechanisms restrict access and create accountability. Accountability allows the organization to trace a situation back to the individual who performed the operation.

Failure to restrict access based on an individual's need to know the information unnecessarily increases the risk associated with information security management, and increases the risk of unauthorized access and an account data compromise.

Requirement: Control customer and employee account access using a username and password.

Best Practice: Adopt a two-factor authentication method for MSP access to systems that store or process sensitive cardholder information.

Issue everyone an individual username and password to facilitate accountability. Log all operations on systems with an audit trail reference to the user. Avoid the use of shared accounts.

Log all successful and unsuccessful authentication attempts. The logs should contain the username and a timestamp. Review logs regularly for anomalies. Monitor logon attempts outside normal office hours, because they could be an indication of unauthorized access.
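The log review described above, as an added Python example that is not part of the standard: it parses authentication records carrying a username and timestamp, flags logons outside office hours, and flags bursts of failed attempts. The log format, the office hours, and the sample records are all constructed assumptions.

```python
"""Review authentication logs for the anomalies the standard names:
logons outside normal office hours and runs of unsuccessful attempts.
Constructed example; the record format is an assumption, not MasterCard's."""
from collections import defaultdict
from datetime import datetime, time

# Policy knobs (assumed values, not taken from the standard).
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
WEEKEND = {5, 6}          # Saturday, Sunday
FAILURE_BURST = 4         # report on the fourth consecutive failure

# Constructed sample log: timestamp, event, outcome, username, source address.
# 2003-04-14 is a Monday.
SAMPLE_LOG = """\
2003-04-14T09:02:11 LOGIN SUCCESS user=alice src=10.1.1.20
2003-04-14T09:05:47 LOGIN FAIL user=bob src=10.1.1.21
2003-04-14T09:05:52 LOGIN SUCCESS user=bob src=10.1.1.21
2003-04-14T23:41:03 LOGIN SUCCESS user=alice src=10.1.1.20
2003-04-14T23:42:10 LOGIN FAIL user=admin src=192.0.2.7
2003-04-14T23:42:13 LOGIN FAIL user=admin src=192.0.2.7
2003-04-14T23:42:16 LOGIN FAIL user=admin src=192.0.2.7
2003-04-14T23:42:19 LOGIN FAIL user=admin src=192.0.2.7
2003-04-14T23:42:25 LOGIN SUCCESS user=admin src=192.0.2.7
2003-04-15T10:15:00 LOGIN SUCCESS user=carol src=10.1.1.22
"""


def parse_line(line):
    """Parse one record into a dict; return None for malformed records."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "LOGIN":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields:          # a record without a username is itself an anomaly
        return None
    return {"ts": datetime.fromisoformat(parts[0]), "outcome": parts[2],
            "user": fields["user"], "src": fields.get("src", "?")}


def outside_office_hours(ts):
    """True for weekend activity or activity outside the assumed office window."""
    return ts.weekday() in WEEKEND or not (OFFICE_START <= ts.time() < OFFICE_END)


def review_auth_log(text):
    """Return (kind, user, detail) findings, in log order, for a reviewer to follow up."""
    findings = []
    streak = defaultdict(int)         # consecutive failures per username
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("unparseable", None, raw))
            continue
        user, when = rec["user"], rec["ts"].isoformat()
        if rec["outcome"] == "FAIL":
            streak[user] += 1
            if streak[user] == FAILURE_BURST:
                findings.append(("failure_burst", user,
                                 f"{FAILURE_BURST} consecutive failures from {rec['src']}"))
            continue
        # A success right after a burst of failures deserves a closer look.
        if streak[user] >= FAILURE_BURST:
            findings.append(("success_after_burst", user,
                             f"success at {when} after {streak[user]} failures"))
        streak[user] = 0
        if outside_office_hours(rec["ts"]):
            findings.append(("after_hours_logon", user, when))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_auth_log(SAMPLE_LOG):
        print(f"{kind:20} {user or '-':8} {detail}")
```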

Need-to-know

Define a job description for every person working in the merchant or MSP organization, and use the job description to permit or deny access. Do not grant access to an employee or business partner who does not need access to a particular system or to specific information. Restricted access reduces risks.

Failure to restrict access on a need-to-know basis unnecessarily increases the risk associated with information security management, and increases the risk of unauthorized access.

Restrict access to systems, both physical and electronic, on a need-to-know basis.

Password Policy

Password policies specify the rules employed to create and manage passwords for customers, employees, and business partners.

Failure to have a password policy can result in unauthorized access and lead to an account data compromise.

Implement a password policy to accomplish username and password authentication. Password policies must apply to customer, employee, and business partner access. Acceptable password policies must consider the following:

- At a minimum, change employee passwords on a yearly basis. The longer a password is in use, the higher the risk of exposure.
- Passwords for employees and customers must meet adequate complexity requirements. Each password should consist of a mix of uppercase and lowercase letters, special characters, and numbers. A complex password reduces the risk of unauthorized access.
- Longer passwords present less risk. All passwords must be at least six characters in length.
- Merchants and MSPs must discourage the use of names of relatives and pets, and nouns in general.
- Merchants and MSPs must establish access attempt thresholds that lock out an account after multiple unsuccessful attempts. At a minimum, the account should lock on the fourth attempt. This eliminates the risk of a malicious user discovering the password by attempting all possible combinations.
- Delete or change all system default, testing, and temporary passwords on a regular basis.
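The password rules above, as an added Python example that is not part of the standard: a policy check for length and character mix, a small blocklist standing in for "names of relatives and pets, and nouns", and an account object that locks on the fourth unsuccessful attempt and asks for a change after a year. The blocklist words, the PBKDF2 hashing, and the dates are assumptions.

```python
"""Password policy enforcement and lockout counter for the rules in the
Password Policy section. Added example; hashing scheme and blocklist are assumed."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 6                   # "at least six characters in length"
LOCK_ON_ATTEMPT = 4              # "the account should lock on the fourth attempt"
MAX_AGE = timedelta(days=365)    # "change employee passwords on a yearly basis"
# Constructed blocklist standing in for relative/pet names and common nouns.
DISCOURAGED_WORDS = {"password", "summer", "fluffy", "mother", "merchant"}


def check_password(candidate):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Strip digits/symbols so "fluffy12" is still caught as a pet name.
    letters = "".join(c for c in candidate.lower() if c.isalpha())
    if any(word in letters for word in DISCOURAGED_WORDS):
        problems.append("contains a discouraged word")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, password, now=None):
        problems = check_password(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set = now or datetime.now()
        self.failed_attempts = 0
        self.locked = False

    def authenticate(self, password, now=None):
        """Return (ok, reason). The fourth consecutive failure locks the account."""
        if self.locked:
            return False, "account locked"
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCK_ON_ATTEMPT:
                self.locked = True
                return False, f"account locked after {self.failed_attempts} failed attempts"
            return False, "bad password"
        self.failed_attempts = 0
        if (now or datetime.now()) - self.password_set > MAX_AGE:
            return True, "password expired; change required"
        return True, "ok"


if __name__ == "__main__":
    acct = Account("alice", "Tr!v1al")          # constructed credential
    for guess in ("wrong", "wrong", "wrong", "wrong", "Tr!v1al"):
        print(guess, acct.authenticate(guess))
```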

Applies only to large merchants and service providers.

Administrator Accounts, Power Users, and Power Tools

Power users include any user who has administration privileges and full access to and control of management systems, or who has access to sensitive cardholder information. This includes merchants with access to payment provider platforms. Exercise special care with regard to access to powerful accounts and the use of powerful utilities.

Failure to restrict access to and secure administrator accounts, power user accounts, and power tools unnecessarily increases the risk of system abuse and the disclosure of sensitive cardholder information.

Requirement: Control and log access to administrator accounts, power user accounts, and power tools.

Best Practice: Authenticate access to power user accounts with a two-factor authentication method such as Secure ID cards.

Remote Access Accounts

Accounts accessed over a public network require special attention.

Failure to protect a username and password used for authentication over a network could result in the compromise of the username and password by a malicious hacker monitoring the communication. This type of compromise can directly lead to an account data compromise.

Protect remote access accounts against eavesdropping. This applies to customer, employee, and business partner access. When authenticating to remote systems over a public network, do not send the username and password in clear text. Use Secure Sockets Layer (SSL) encryption to protect the username and password from eavesdropping.

Protect the encrypted data against replay attacks. A replay attack captures and stores the encrypted information and replays it later without knowing the contents of the message. A timestamp or a challenge/response are examples of anti-replay defenses.
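The anti-replay defenses named above, as an added Python example that is not part of the standard: the server issues a one-time challenge, the client answers with an HMAC over the challenge and a timestamp, and the server refuses a challenge that was already used or a timestamp outside a tolerance window. The wire format, the HMAC construction, the 60-second skew limit, and the shared secret are assumptions; the exchange is meant to run inside the SSL channel the section requires.

```python
"""Challenge/response authentication with replay protection (timestamp plus
server-issued challenge). Added example; message format and secrets are assumed."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MAX_SKEW = timedelta(seconds=60)   # assumed tolerance for the client's timestamp


class ManualClock:
    """Deterministic clock so the exchange can be replayed in a test."""
    def __init__(self, start_iso):
        self.now = datetime.fromisoformat(start_iso)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


def response_for(secret, username, challenge, ts):
    """Client side: prove knowledge of the secret without transmitting it."""
    msg = f"{username}|{challenge}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users, clock):
        self.users = users        # username -> shared secret (constructed store)
        self.clock = clock        # callable returning the current datetime
        self.outstanding = {}     # challenge -> (username, issued_at)
        self.seen = set()         # challenges already consumed (anti-replay)

    def challenge(self, username):
        """Step 1: issue a fresh random challenge bound to one username."""
        if username not in self.users:
            return None
        c = secrets.token_hex(16)
        self.outstanding[c] = (username, self.clock())
        return c

    def verify(self, username, challenge, ts, response):
        """Step 2: check the response; every challenge is accepted at most once."""
        if challenge in self.seen:
            return False, "replayed challenge"
        entry = self.outstanding.pop(challenge, None)
        self.seen.add(challenge)            # burn it whether or not it verifies
        if entry is None or entry[0] != username:
            return False, "unknown challenge"
        if abs(self.clock() - datetime.fromisoformat(ts)) > MAX_SKEW:
            return False, "stale timestamp"
        expected = response_for(self.users[username], username, challenge, ts)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        return True, "authenticated"


if __name__ == "__main__":
    clock = ManualClock("2003-04-14T09:00:00")
    srv = Server({"alice": b"constructed-shared-secret"}, clock)
    c = srv.challenge("alice")
    ts = "2003-04-14T09:00:05"
    r = response_for(b"constructed-shared-secret", "alice", c, ts)
    print("first use :", srv.verify("alice", c, ts, r))
    print("replayed  :", srv.verify("alice", c, ts, r))   # captured and resent
```

In practice the `seen` set is pruned once a challenge is older than the skew window, since anything that old is rejected as stale anyway.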

Remote Maintenance Accounts

When service providers have remote access to maintain equipment or systems, it should be a special point of concern.

Failure to control accounts used by service providers for remote maintenance could leave the system vulnerable to abuse.

Closely monitor these accounts because they can allow unauthorized users to access sensitive cardholder information. Good practice is to block access to these accounts and only allow access on an as-needed basis.

Screen Saver Session Lock

Screen savers automatically lock employee workstations and protect against unauthorized access in the workplace.

Failure to have a screen saver or session time-out lock could leave the workstation vulnerable to an unauthorized person accessing the system.

Systems should automatically lock when not in use. An automatic screen saver with a password, requiring re-authentication after a period of inactivity on the workstation, is a good practice. This reduces the risk of a malicious user abusing a terminal left unattended.

Sleeping Accounts and Account Revocation

When employees leave the company or change positions in the company, their system access requires special attention.

Failure to remove access rights when an individual no longer needs them creates a higher risk of account abuse.

When an employee or contractor leaves the company, revoke his or her access to systems immediately to avoid abuse of the account. To avoid authorization creep, review access when someone's function within the company changes. Authorization creep typically happens when people have performed different tasks within the company and have accumulated access rights. A best practice is to remove access rights no longer needed for the job function.

Merchants and MSPs must conduct a yearly review of all the user accounts on every system. Disable and remove unnecessary user accounts. Some systems allow the organization to automatically disable accounts not used for a defined period. This removes the risk that a sleeping account may be used for unauthorized activity on the system.

Section 3: Operational Security

Incident Handling Team

Each merchant and MSP should develop a plan for handling security incidents. In the event of an account data compromise, an incident handling capability allows merchants and MSPs to react in a timely manner. An important principle in incident handling is that the users of the system are the eyes of the organization.

Failure to have a security incident point of contact for reporting, handling, and investigation could leave the merchant or MSP organization unable to protect itself or recover in a timely manner when a security incident occurs.

Incident handling consists of several steps executed by a core team. The core team should consist of people with the necessary skills to handle a security incident. These skills include detailed knowledge of the security and network environment, knowledge of the incident handling plan, and forensics. If internal resources are not available to deal with a security incident, use a professional incident handling team. It is important to have a point of contact established in the company in case of a security incident; often this is the help desk.

Security Assessment and Penetration Testing

Thoroughly test operational systems and applications before they are put into production.

Failure to test the operational system and remediate risks could leave the system vulnerable to attacks resulting in a compromise of sensitive cardholder information.

Before putting any system or application into production, test it for security and complete a thorough penetration test. Correct any weaknesses resulting in an unacceptable risk before going into production. Reassess the security of applications and the production environment on a regular basis. In addition, complete a penetration test on a quarterly basis to confirm that the system is still operating at adequate security levels.

It is important to note that a security audit only gives a cursory indication of the current situation. Continuous effort is required to keep up with new vulnerabilities published for products and applications.

Dual Control and Separation of Duties

A sound operational environment gives proper attention to roles and responsibilities and provides a separation of duties, which reduces risk.

Failure to implement dual control and separation of duties creates an unacceptable risk.

At no time should any one person have full control over the system. There should be a separation between the staff working in operations and the staff working in development. Development staff should not have access to production data.

Applies only to large merchants and service providers.

Media

Backup Media

Information backup restores environments in case of a failure or interruption. Backups of cardholder information require special attention.

Failure to protect backup media and other media could result in the compromise of sensitive cardholder information.

Always encrypt cardholder data stored on backup media. Physically protect backup media against unauthorized access, and store it in a nonproduction system. Ideally, backup operators should not have a production or development role in the company. Also, protect any other media in the production environment that may contain sensitive cardholder information. Physically destroy backup media and other media that are no longer useful. Deleted or overwritten data can still be recovered using advanced techniques.

Applies only to large merchants and service providers.

Audit Log

Audit logs contain a detailed trace of all operations performed on the system, including successful and unsuccessful logon attempts. If audit logs lack protection, an intruder could erase traces in the audit log.

Failure to have a detailed audit log could prevent merchants and MSPs from detecting anomalies and establishing accountability. These risks could lead to an account data compromise.

Audit logs must contain a timestamp, which tracks user activity. Review audit logs on a regular basis and protect them against alteration, deletion, and unauthorized access. Ensure that it is impossible to disable an audit log.

Remote Administration

Remote administration and remote usage of systems can create particular problems.

Failure to secure remote administration can result in unauthorized access and may lead to an account data compromise.

For remote system administration, use two-factor authentication, such as smart cards, tokens, or Secure ID cards, to prevent unauthorized people from entering the system remotely. Protect the communication channel for remote administration against eavesdropping. Encryption can be used to prevent sniffing and alteration of messages. Do not use protocols like TELNET, Remote Shell (RSH), and File Transfer Protocol (FTP) for remote administration. Instead, use secure protocols such as Secure Shell (SSH).

Hardening

When an operating system, Web server, application server, or other component is installed using the default configuration, the result is an insecure installation. To improve security, additional steps are required after installation.

Failure to harden a system can leave it vulnerable to attacks and a compromise of sensitive cardholder information.

To effectively harden a system, merchants and MSPs must:

- Remove unnecessary tools installed by default. Some manufacturers ship software with demonstrations of advanced features or with user tutorials. In a production environment, these examples and tutorials are not necessary, and may introduce vulnerabilities to the system.
- Change the default passwords and rename the default accounts. Some default installations create default accounts with known or easily deduced passwords. Modify these accounts and assign another password before the system goes into production.
- Install necessary patches. Vendors regularly publish patches (updates to the software) that solve known vulnerabilities. After product installation, install all patches to resolve any known issues since the software release. Once the system is in production, the merchant or MSP needs to keep up to date with the latest patches.


More information

American Express Data Security Operating Policy United States

American Express Data Security Operating Policy United States American Express Data Security Operating Policy United States As a leader in consumer protection, American Express has a long-standing commitment to protect Cardmember Information, ensuring that it is

More information

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks 4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Terms of Service MANAGED FIREWALL Service

Terms of Service MANAGED FIREWALL Service This Service is subject to and governed by Customer s separate signed master services agreement with CTS. This Agreement is entered into between you and CTS for the provision of CTS Managed Firewall Services.

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

Security First Bank Consumer Online Banking Information Sheet, Access Agreement and Disclosures

Security First Bank Consumer Online Banking Information Sheet, Access Agreement and Disclosures Security First Bank Consumer Online Banking Information Sheet, Access Agreement and Disclosures Welcome to Online Banking with Security First. This Online Banking Agreement and Disclosure (Agreement) discusses

More information

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011) Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Verified by Visa Terms of Service Credit Card Accounts

Verified by Visa Terms of Service Credit Card Accounts Verified by Visa Terms of Service Credit Card Accounts Welcome and thank you for choosing to use the Verified by Visa authentication service ("Verified by Visa"). Please read this Terms of Service Agreement

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Xerox Mobile Print Cloud

Xerox Mobile Print Cloud September 2012 702P00860 Xerox Mobile Print Cloud Information Assurance Disclosure 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation in the United

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

SECURING YOUR REMOTE DESKTOP CONNECTION

SECURING YOUR REMOTE DESKTOP CONNECTION White Paper SECURING YOUR REMOTE DESKTOP CONNECTION HOW TO PROPERLY SECURE REMOTE ACCESS 2015 SecurityMetrics SECURING YOUR REMOTE DESKTOP CONNECTION 1 SECURING YOUR REMOTE DESKTOP CONNECTION HOW TO PROPERLY

More information

Online Banking Agreement

Online Banking Agreement Online Banking Agreement I. Introduction This Online Banking Agreement (this Agreement ) is entered into by you and Lewiston State Bank ( us or Bank ) and governs (together with any other online banking

More information

Retour d'expérience PCI DSS

Retour d'expérience PCI DSS Retour d'expérience PCI DSS Frédéric Charpentier OSSIR : Retour d'expérience PCI DSS - 1 XMCO PARTNERS : Who are we? Xmco Partners is a consulting company specialized in IT security and advisory Xmco Partners

More information

If you contact us orally, we may require that you send us your complaint or question in writing within 10 business days.

If you contact us orally, we may require that you send us your complaint or question in writing within 10 business days. Please read the 1 st Equity Bank Online Banking Service Agreement and Disclosure. It includes disclaimers of liability and other matters of interest to users. By pressing the ''I Agree'' button, you agree

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

(e) Upon our request, you agree to sign a non-electronic version of this TOS.

(e) Upon our request, you agree to sign a non-electronic version of this TOS. MasterCard SecureCode Terms of Service Welcome and thank you for choosing to use the MasterCard SecureCode service ( MasterCard SecureCode ) from Southbridge Credit Union. Please read this Terms of Service

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are

More information

NACS/PCATS WeCare Data Security Program Overview

NACS/PCATS WeCare Data Security Program Overview NACS/PCATS WeCare Data Security Program Overview March 27, 2012 Abstract This document describes the WeCare Program, discusses common data security threats, outlines an 8-point plan to improve data security,

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

Simplêfy Client Support and Information Services. PCI Compliance Guidebook Simplêfy Client Support and Information Services PCI Compliance Guidebook Simplêfy, Inc. 301 Science Drive, Suite 280 Moorpark, CA 93021 Phone 888.341.2999 Fax 877.280.0885 Simplêfy is a Registered Trademark

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

ONLINE BANKING AGREEMENT

ONLINE BANKING AGREEMENT ONLINE BANKING AGREEMENT This Online Banking Agreement is made by Bank Mutual ( us, we, and our ) and each person with an account accessible through Online Banking ( you and your ). 1. Definitions. The

More information

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions

More information

Failure to follow the following procedures may subject the state to significant losses, including:

Failure to follow the following procedures may subject the state to significant losses, including: SUBJECT: Policy and Procedures PAGE: 1 of 5 INTRODUCTION During fiscal year 2014, State of Wisconsin agencies accepted approximately 6 million credit/debit card payments through the following payment channels:

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information