Payment Card Industry Data Security Standards

Transcription

1 Payment Card Industry Data Security Standards

2 Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

3 PCI DSS Overview and History

4 Global Payment Card Statistics Need for the Payment Card Industry Data Security Standard (PCI DSS) Source: Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%. Fraud as percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10 per $100 in total volume. The global brand cards Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB averaged fraud losses of 6.13 for every $100 in total volume. Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment. Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

5 PCI DSS Overview The Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store, process or transmit credit card information maintain a secure environment. About PCI DSS U.S. Purchase Volume - Consumer vs. Commercial Cards The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply. Source: Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

6 PCI DSS Version 3.0 Build and Maintain a Secure Network and Systems Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults or system passwords and other security parameters. Protect Cardholder Data Protect Stored Cardholder Data. Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program Protect all systems against malware and regularly update anti-virus software or programs. Develop and maintain security systems and applications Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

7 PCI DSS Version 3.0 Implement Strong Access Control Measures Restrict access to cardholder data by business need to know. Identify and authenticate access to system components. Restrict physical access to cardholder data. Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain an Information Security Policy Maintain a policy that addresses information security for all personnel Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

8 Merchant Scope Any organization that enters into a Merchant processing agreement with an acquirer will typically be signing a contract requiring that the Merchant fully comply with operating regulations outlined by the Payment Card Brands (Visa, MasterCard etc.). This includes full compliance with all requirements outlined within the PCI DSS and the requirement to report that compliance annually, irrespective of the organization s processing volumes. Failing to comply with the PCI DSS, be it 1 control or many, would therefore be considered a breach of contract and provides the opportunity for the acquirer to levy contract based penalties. This could include fines or termination of the contract. In addition to contractual compliance penalties, the merchant services contract also allows the acquirer to recover costs applied to them by the card brands resulting from a breach of any CHD by the Merchant. These contractual requirements therefore necessitate that Merchants assess and report their compliance as a complete entity for all areas where they collect or process CHD. It does not provide the ability for a Merchant to assess compliance on individual business processes. While Merchants may choose to outsource aspects of their business that relate to the processing of Payment Card transactions or support of IT systems that store, process or transmit CHD, if the organization maintains the acquirer Merchant ID for those transactions, they retain responsibility for compliance with the PCI DSS Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

9 Service Provider Scope Service Providers are any entity that performs functions on behalf Merchants, Issuers, Acquirers, Card Brands or even other Service Providers related to protection of CHD. This could include the full development, support, maintenance and management of the entire CHD processing environment (such as occurs with Web Development and Hosting providers) It could be as small as providing local or remote support for an application on a desktop that is part of the CDE or performing a process such as User Access Management or Vulnerability Scanning Compliance with the PCI DSS and subsequent reporting by Service Providers is determined by their contracts with their customers. It is up to the customer to determine how to monitor the compliance of their Service Provider. The scope of a Service Provider s PCI DSS compliance assessment is driven by: The CHD they store, process or transmit on behalf of their customer; or The system/process they support on behalf of their customer. Service Providers can assess services or products they provide individually to meet their customer s requirements, rather than perform an entire PCI DSS assessment over their complete environment Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

10 PCI DSS Version 3.0: Changes Overview The new standard Version 3 has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem. The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously. The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities. The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform. Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments. Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

11 PCI DSS Version 3.0: Change Drivers Common challenge areas and drivers for change include: 1 Lack of education and awareness around payment security 2 Weak passwords, authentication Challenge Areas 3 Third-party security challenges 4 Slow self-detection, malware 5 Inconsistency in assessments Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

12 Key Takeaways The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments 1 The bar for Segmentation is raised Point-to-point encryption as a more valuable scope reduction strategy This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor such that the merchant cannot ever decrypt the data. Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope. 2 Merchants and service providers alike will require time to address these new requirements and expanded scoping. 3 Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers credit card data. Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 Key Changes and New Requirements Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

13 Assessors Role and Obligations Qualified Security Assessors (QSA) are external parties hired by the a Merchant or Service Provider to undertaken an independent assessment of the organization s compliance with the PCI DSS. The assessment and resulting Attestation of Compliance is used by the Merchant or Service Provider to validate to a third party, be it an acquirer, Card Brand, or customer, adherence to the PCI DSS across all components in scope for compliance. While the Merchant or Service Provider engaging the QSA is paying the bill, the Attestation of Compliance legally binds the QSA organization to the third party who receives it. The QSA must therefore be comfortable that their assessment has not been compromised and fairly represents the compliance state of their client. It is therefore imperative that the QSA determines the scope, level of testing required, and validates the compliance of the environment without conceding to the pressures of their customers Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

14 The Protiviti Difference

15 About Protiviti Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. 6 th Largest Risk Consulting Firm 2,500+ professionals 1,000+ clients 70+ offices Over 20 countries in Americas, Europe and Asia-Pacific Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $385.6 million in Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

16 About Protiviti IT Security Services The Protiviti IT Consulting practice encompasses three broad areas Managing the Business of IT, Managing Applications and data, and Managing IT Security and Privacy. IT Security and Privacy primarily covers Security Strategy & Program Management, and Identity and Access Management In this domain Protiviti has a demonstrated track record of helping companies react to security incidents, establish security programs, manage identity access, and handle industry specific data security and privacy issues, including PCI and HITRUST. Solution Segment Security Strategy & Program Management Identity and Access Management Service Offerings Security Policy & Program Services Security Strategy & Architecture Services Security Implementation & Deployment Services Security Metrics Incident Response Services Awareness and Training Other Security Services Access Management Policy & Standards Services IDAM Design & Implementation Services Identity Credential Selection Services Identity Federation Strategy & Implementation Services Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

17 Protiviti Qualifications Protiviti holds all major PCI related certifications including: PCI DSS Qualified Security Assessor (QSA) Perform PCI DSS Gap Assessments Develop creative, cost effective solutions to address PCI DSS compliance gaps and reduce PCI DSS scope Complete PCI DSS ROC assessments Payment Application Qualified Security Assessor (PA-QSA) Assess payment applications for compliance with the PA-DSS Approved Scanning Vendor (ASV) Perform quarterly external vulnerability scanning PCI Forensic Investigator (PFI) Undertake forensic investigations associated with CHD breaches Advise breached organizations on how to manage the breach Lead the identification, containment, recovery and remediation of breaches Develop plans to reduce the likelihood of future breaches Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

18 Compliance vs. Security Following almost all of the large breaches that have been reported in the last 5 years (especially those that have reported compliance with the PCI DSS), key executives have stated that the PCI DSS does not provide security. In almost every case of these breaches, the entity has: Failed to adequately scope the CDE, missing key systems that store, process or transmit CHD. Assumed that firewall segmentation between those systems that store, process or transmit CHD is adequate to protect those systems from a breach in IT infrastructure that is shared between the less secure corporate environment and the CDE. Systems providing services such as Authentication and Authorization (Active Directory/LDAP etc.), Patch Management, Monitoring and Availability, etc. are often not adequately protected. Assumed that their Service Providers are aligned and adhering with the PCI DSS. Failed to continue to operate integral processes such as user access management, patch management, virus management, threat monitoring etc. across all systems components to maintain the security posture of the CDE. Accepted or convinced their QSA to accept poor or sub standard compensating controls. At Protiviti, we believe that compliance with the PCI DSS can achieve true security for cardholder data if the risk is properly scoped and controls are applied correctly and maintained by the organization Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

19 Questions Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

20 "This presentation contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly owned subsidiary of Robert Half ("RH"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to the "Client", and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents of this presentation are intended for the use of the Client and may not be distributed to third parties. This presentation does not constitute an agreement between Protiviti and the Client. Any services Protiviti may provide to the Client will be governed by the terms of a separate written agreement signed by both Protiviti and Client.