PCI Security Standards Council

Transcription

1 PCI Security Standards Council Jeremy King, European Director 2013

2 Why PCI Matters Applying PCI How You Can Participate Agenda 2

3 Why PCI Matters Applying PCI How You Can Participate Agenda

4 About the PCI Council Open, global forum Founded 2006 Guiding open standards for payment card security Development Management Education Awareness

5 PCI: Architecture for Payment Card Security 5 major card brands drive efforts for payment card security PCI Security Standards Council manages the technical standards and process

6 Community Over 650 Participating Organisations

7 Your Card Data is a Gold Mine for Criminals Types of Data on a Payment Card CID (American Express) CAV2/CID/CVC2/CW2 (Discover, JCB, MasterCard, Visa) Chip Pan Cardholder Data Expiration Date Magnetic Strip (data on tracks 1 & 2)

8 PCI Security Standards Suite Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users

9 EMV Helps Reduce Face-to-Face Fraud + - Countries that have implemented EMV have reported a decrease in card fraud. According to the UK Cards Association, Fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999.* *Smart Card Alliance EMV FAQ EMV by itself does not protect the confidentiality of, or inappropriate access to sensitive authentication data and/or cardholder data in card-not-present or Internet transactions

10 EMV Needs PCI for Full Protection!

11 Business Sectors With the Most Breaches High Technology 2% Health & Beauty 2% Nonprofit 3% Financial Services 7% Hospitality 9% Other 8% Retail 45% Systems that store, process or transmit cardholder data remain primary targets for criminals Food & Beverage 24%

12 Organisations Ignored PCI and Were Breached 96% of those breached were not PCI compliant as of their last assessment (or were never assessed/validated) Top attack methods used to breach organizations: 81% of incidents involved hacking 69% incorporated malware 10% involved physical attack 12

13 Top Mistakes By Those Breached Revealed by Forensic Audits Weak Passwords Lack of employee education Security deficiencies introduced by third parties responsible for system support, development and/or maintenance Slow self-detection

14 Why? Why we fail to maintain secure environments Lack of awareness by IT practitioners Incentive to keep security a primary focus Quickly evolving technology landscape Rapid development and distribution of new solutions Still unnecessary exposure of CHD

15 PCI Standards Help Secure Your Data 92% of compromises were simple 97% were avoidable through simple or intermediate controls 92% 97% Source: Verizon 2012 Data Breach Investigations Report

16 The PCI Data Security Standard Six Goals Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Twelve Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors

17 PCI Standards for Applications & Devices PIN Transaction Security (PTS) Addresses characteristics & management of devices for processing payment cards PTS is followed by device manufacturers Merchants must use validated PTS devices Payment Application Security Data Security Standard (PA-DSS) Addresses applications for payment, authorisation and settlement PA-DSS is followed by software developers Merchants must use validated payment applications Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments

18 Getting Ready for PCI Focus: Updating PCI Standards and supporting documents based on Community feedback

19 The Bottom Line + + = People Processes Technology Security Compliance Doesn t Equal Security

20 Why PCI Matters Applying PCI How You Can Participate Applying PCI 20

21 Applying PCI in Your Environment Mobile P2PE Virtualisation ATM Tokenisation Cloud EMV

22 EMV Helps Reduce Face-to-Face Fraud EMV by itself does not protect the confidentiality of, or inappropriate access to sensitive authentication data and/or cardholder data in card-not-present or Internet transactions

23 Even EMV Security Needs PCI

24 Mobile Payment Acceptance retail $19 payment accepted Thank You!

25 Areas of Focus for Mobile MOBILE Devices Tamper-responsive, PTS Devices (e.g. SCR) using P2PE Applications Requirements and/or Best Practices for authorisation and settlement Service Providers Service provider protection of cardholder data and validation

26 Mobile payments and the PCI Council Identified mobile applications that can be validated to PA-DSS Published merchant guidance for mobile solutions leveraging P2PE Developed best practices for developers Next steps explored by PCI SSC

27 Guidance on Mobile Payment Acceptance Security

28 New Mobile Guidance for Merchants Guidance for merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments, including: Objectives and guidance for the security of a payment transaction Guidelines for securing the mobile device Guidelines for securing the payment acceptance solution

29 Point-to-Point Encryption Point-to-Point Encryption Available to all members of the payment chain Also called P2PE Optional standard for decreasing scope PCI 2PE hardware /hardware requirements available PCI P2PE Hybrid requirements available

30 Tokenisation Work on tokenization standards has begun PAN Ensure that process of creating token from PAN doesn t leak information about PAN Ensure that a token or collection of tokens by themselves cannot feasibly allow discovery of PAN Ensure that adequate controls exist over detokenisation process T Token Ensure that token cannot be used in lieu of PAN for impermissible purposes

31 2013 Training Highlights Online Internal Security Assessor (ISA) Training P2PE Assessor Training Corporate PCI Awareness Let Us Come To You! Online Awareness Training in Four Hours Qualified Integrators and Resellers (QIR) Program PCI Professional Program (PCIP) To learn more, visit: training/index.php

32

33 QIR Addresses Common Misconceptions I m using a PA-DSS validated application, so I must be OK. I m using a reputable 3 rd party, so they must be doing a secure installation. This applies only to brick and mortar establishments.

34 Payment Card Industry Professional (PCIP) Support your organisation Professional credibility Competitive advantage Global directory Now Available

35 Internal Security Assessor (ISA) Program A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for! Improves your understanding of PCI DSS and compliance procedures Helps your organisation build internal expertise Teaches processes that can reduce the cost of compliance

36 PCI Awareness Training Team Building Convenience Cost We come to you!

37 Multilingual Resources on the PCI Website French Spanish Japanese German Italian Portuguese Chinese

38 Resources for Small Business Owners View at:

39 Why PCI Matters Applying PCI How You Can Participate How You Can Participate 39

40 Be Involved Contribute Your Expertise! Chief Security Officers IT Managers Information Security Professionals Risk Managers Compliance Officers Join! Become a Participating Organisation today Chief Information Officers Forensic Investigators Legal Experts Technologists Data Security Experts

41 Help Participate in Standards Development Implementation Feedback Formal Feedback Draft Revisions Feedback

42 PCI SSC Special Interest Groups (SIG) Risk Assessment ecommerce Cloud Best Practices for Maintaining PCI Compliance Third Party Security Assurance

43 Products of SIG Collaboration

44 New SIG Guidance PCI DSS Risk Assessment Risk Assessment Guidance for choosing the risk assessment approach that works best for your business to secure your card data Go to our website today to download these new guidelines!

45 New SIG Guidance ecommerce ecommerce Guidance on the use of e- commerce technologies in accordance with the PCI DSS Go to our website today to download these new guidelines!

46 New SIG Guidance Cloud Cloud Guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environment Go to our website today to download these new guidelines!

47 2013 Special Interest Groups- Join us! Best Practices for Maintaining PCI Compliance Third Party Security Assurance Visit PCI SSC website to sign up

48 Board of Advisor Nominations and Elections January Nominations Open 25 February Nominations Close 7 March Voting Commences Join as a Participating Organisation by going to And play a role in electing the next Board of Advisors

49

50 Get Involved We Need Your Input Join Learn Input Network Nominate Vote Share Influence

51 The Formula for PCI Success People + Processes + Technology = Security

52 Summary: Why PCI Matters to You! Community Guidance Vigilance Training Engagement

53 Questions? Please visit our website at