Payment Card Industry Data Security Standard

Transcription

1 Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010

2 Credit Card Credit Card Number Generator Video: 0.5

3 Let s Focus -1 Issuer Identification Number Check digit (Luhn or Mod 10 check) Leaving 9 numbers is the account Number Arrangement bn combinations Amex: 15 digits, Acc Numbers are 8 digit long

4 Let s Focus -2 CVV/ CSC/ CVV2 Amex 4 digit Not your PIN

5 Video: Case Study -1 Carla Yorborough used to run SPANKY Restaurant. She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000. She says: No one can expect that such things also happen

6 Agenda Creation, Need & Reason History of PCI Overview of PCIDSS Card Security Programs 12 PCIDSS Requirements 6 control Objectives Merchant Levels Levels Compliance Validation Non Compliance Risks and Consequences Breach Risk and Consequences Recommendations Approved Assessor and Certifying Organizations Self Assessment Questionnaire Common PCI Myths Case Study Questions

7 Who created, the need and Reason Creators American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International Need - Attack on network, theft & misuse of cardholders info. Reason- Reassurance to customer, Proactive protection establishes common processes & procedures

8 History of PCI Own standard with different requirements(encryption strength etc) In 2004 the PCI Security Standards Council was formed with 1 umbrella concept Level 1 merchants were required to be compliant by Dec. 31, 2007 Level 2-4 merchants were required to be compliant by June 30, 2007

9 Overview of PCI DSS Prior to September 2004 difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others As fraud losses increased, card industry realized the need for consistent and well defined security standards

10 Technology Age to PCIDSS What is PCIDSS Video:1

11 Overview of PCI DSS Applies to all merchants that store, process, or transmit cardholder data all payment (acceptance) channels, including brick-andmortar, mail, telephone, e-commerce (Internet) mortar, mail, telephone, e-commerce (Internet) Includes 12 requirements, based on administrative controls (policies, procedures, etc.) physical security (locks, physical barriers, etc.) technical security (passwords, encryption, etc.)

12 Card Security Programs The following programs incorporate PCI DSS: VISA Cardholder Information Security Program (CISP) MasterCard Site Data Protection (SDP) Program American Express Data Security Requirements Discover Discover Information Security and Compliance (DISC) Program

13 VISA Cardholder Information Security Program (CISP) PDF: 2

14

15 4. Understanding the 12 requirements of PCIDSS PDF: 4

16

17

18

19

20

21 3. How actually cards get stolen and used Video: 3

22 Merchant levels Merchant levels are based on yearly transaction volume of merchant Specific criteria for placement in merchant levels varies across card companies All merchants, regardless of level, must adhere to PCI DSS requirements Level into which merchant is placed determines PCI DSS compliance validation (and ultimately cost) Let s take a quick look at Visa s levels

23 Merchant levels Visa (Same for Master Card) Level 1: merchants, regardless of acceptance channel, processing over 60,00,000 Visa transactions any merchant that has suffered a data compromise any merchant so selected by Visa any merchant identified by other card brand as level 1

24 Merchant levels - Visa Level 2: merchants, regardless of acceptance channel, processing 10,00,000 to 60,00,000 Visa transactions Level 3: any merchant processing 20,000 to 10,00,000 Visa e-commerce (Internet) transactions

25 Merchant levels - Visa Level 4: any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions all other merchants, regardless of acceptance all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions

26 PCI DSS compliance validation Level 1 merchants annual on-site assessment by Qualified security assessor (generates a report on compliance) quarterly network security scan by approved scan vendor Level 2 and 3 merchants self-assessment questionnaire quarterly network security scan by approved scan vendor

27 PCI DSS compliance validation Level 4 merchants self-assessment questionnaire if required by acquirer quarterly network security scan by approved scan vendor if required by acquirer

28 What are the implications of non compliance? Failure to prove compliance can carry severe penalties, including fines increased transaction fees or losing the right to access a payment card network s resources at any level. For example, in 2006, Visa levied $4.6 million in fines versus $3.4 million in Visa announced that merchants found to be storing sensitive credit card data will be subjected to fines up to $10,000 per month. American Express, on its side, is fining merchants up to $15,000 per day for failures to comply and forcing them to bring in a third party contractor to bring systems into compliance.

29 Non Compliant Risk and Consequences Visa Regardless of level requirements 1 st Violation Up to $50,000 USD for rolling 12-month period 2nd Violation Up to $100,000 USD for rolling 12-month period 3 rd Violation Visa s discretion to refuse future transactions until complaint period of 12 consecutive months determined on a rolling basis with a new 12-month period beginning on the first day of each calendar month.

30 Non Compliant Risk and Consequences Master Card Level 1 Up to $25,000 USD annual fee per Merchant Level 2 Up to $5,000 USD annual fee per Merchant Level 3 Up to $5,000 USD annual fee per Merchant

31 Risks of non-compliance Endangering customer information Exposure could lead to: fines levied loss of merchant status elevations to Level 1 status (and resulting compliance validation costs)

32 Breach Risk and Consequences Reputation Risk What will the impact be on your companies brand? Mandatory involvement of federal law enforcement in investigation enforcement in investigation Financial Risk $20 - $90 fine per credit card number that COULD have been exposed or compromised Civil liability and cost of providing ID theft protection Average cost of a security breach is $5,000,000

33 Breach Risk and Consequences Compliance Risk Exposure to Level 1 validation requirements Operational Risk Potential loss of card processing privileges

34 Some facts 84% of breaches are from merchants in Level II, III and IV 60% of people do not trade with merchants that are breached The criminal steal not only money but also trust.

35 I am a merchant with no money What I can do is Firewall Keep patches Change passwords timely Turn off remote access Contact POS to check what information is getting saved Save only what you require

36 Approved assessor and certyfying organizations QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants Enable them to conduct the On-Site Data Security Assessment for PCI DSS Required to attend training by PCI every year and pass the exam. A recertifying QSA must obtain additional CPE's from training and other experiences in order to obtain certification. Some QSA's also maintain other certifications. For example ISO Lead Auditors. There are over 100 QSA companies. QSA Services: On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice. The cost to make an application PCI compliant averages about $100k. PDF:5 List of Qualified Security Assessor PDF:6 Qualified Security Assessor Agreement Webpage: Approved Scanning Vendors List

37 Self Assessment Questionnaire ons.shtml PDF:8 PCI_Self assessment questionaire_c PDF: 9 SAQ Guidelines (Flowchart page 14)

38 Some Common PCI Myths One vendor and product will make us compliant Outsourcing card processing makes us compliant PCI compliance is an IT project PCI will make us secure PCI requires us to hire a QSA

39 Some Common PCI Myths PCI is unreasonable and it requires too much We don t take enough credit cards to be compliant We completed a SAQ so we re compliant PCI makes us store cardholder data

40 Case Study Solution Carla Yorborough used to run SPANKY Restaurant. She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110, minutes video Revision + Case study

41 Additional reading ml risk_management/cisp.html ,00.html?cnn=yes nt/0,289142,sid14_gci ,00.html orward_fortune/index.htm

42 Payment Card Industry Data Security Standard February 13th, 2010 Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter