What You Need to Know About PCI SSC Guiding open standards for global payment card security

Transcription

1 What You Need to Know About PCI SSC 2014

2 About the PCI Council Founded in Guiding open standards for payment card security Development Management Education Awareness

3 Expanding Global Representation PCI Council Participating Organizations

4 Expanding Global Representation

5 Everyone is Aware of Breaches!

6 National Attention on Payment Security Multiple Congressional Committees involved Bi-partisan interest in data security, data breach notification and cybersecurity legislation The FTC has requested expanded authority and enforcement powers to combat data breach PCI SSC continues to educate lawmakers on effectiveness of PCI Standards

7 Evolution of Cyber Attacks Viruses Worms Trojan Horses Custom Malware Advanced Persistent Threats

8 Modern Malware Hides Itself

9 A Multi-layered Approach is Needed + + = Technology Processes People Security

10 PCI Standards are the Foundation With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. PCI DSS has made comprehensive security controls more commonplace in larger organizations. Therefore, the organizations become more difficult to compromise. Source: 2013 Trustwave Global Security Report 92% 97%

11 PCI Security Standards Suite Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users

12 The Standards Continually Evolve

13 Top Mistakes Revealed by Forensic Audits Weak or default passwords Lack of employee education Security deficiencies introduced by third parties Slow self-detection Source: 2013 Trustwave Global Security Report

14 PCI DSS, PA-DSS 3.0 Key Themes Education Awareness Flexibility Security as a Shared Responsibility Make PCI your compass, not your roadmap

15 Payment Security Must be BAU Best Practices for Implementing PCI DSS into Business-as-Usual (BAU) Processes Focus on security not compliance PCI DSS is not a once-a-year activity Don t forget about people

16 There Are No Silver Bullets EMV (chip-and-pin) is a great anti-fraud mechanism for F2F environments complements PCI DSS and P2PE controls provides authentication, not confidentiality need to consider multi-channel fraud are in scope for PCI DSS

17 More Reducing the cardholder data footprint efficient security Less complicated for PCI DSS

18 Where the Footprint Begins 66% of data breaches, the organization didn t know the data was on the compromised system VERIZON DATA BREACH INVESTIGATIONS REPORT

19 Ways to Reduce Footprint Reduce the need or ability to store or transmit cardholder data Business process for retention P2PE Tokenization

20 Point-to-Point Encryption (P2PE)

21 P2PE and Merchants Only PCI-listed P2PE solutions are recognized as meeting requirements for reducing merchant PCI DSS scope Merchants and their acquirers accept the risk when using encryption solutions not listed by the Council

22 Tokenization Standard Expected in 2014 Ensure that token a cannot or collection be used of in tokens lieu of by Ensure that adequate process of controls creating exist token over from themselves PAN cannot feasibly allow discovery of PAN de-tokenization Work doesn t on tokenization leak process information standards about has PAN begun PAN for impermissible purposes PAN Tokenization

23 Industry Coordination Continued cooperation to align tokenization efforts for the benefit of payment industry EMVCo ANSI X9 NIST

24 Maintaining Security is Running a Marathon, not a Sprint

25 Preparation What are your personal PCI education goals for the next three years? For yourself For your staff

26 Training Highlights Online Internal Security Assessor (ISA) Training P2PE Assessor Training Corporate Group Training Let Us Come To You! Online Awareness Training in Four Hours Qualified Integrators and Resellers (QIR) Program PCI Professional Program (PCIP) To learn more, visit:

27 2014 Special Interest Groups (SIG) Security Awareness Penetration Testing Guidance

28 Save the Dates Community Meetings North America Europe Asia-Pacific 9-11 September Orlando, Florida 7-9 October Berlin, Germany November Sydney, Australia

29 Get Involved We Need Your Input Join Learn Input Network Nominate Vote Share Influence

30 Questions? Please visit our website at

31 Josh Knopp, VP & Sr. Business Leader MasterCard and PCI 2014 MasterCard. Proprietary and Confidential

32 Compromise Statistics

33 PCI Vulnerabilities Leading to ADC Breaches PCI Vulnerabilities Leading to ADC Breaches % 11% 0% 49% Remote Access without Two-Factor Authentication (Requirement 8) Web Application Vulnerabilities (Requirement 6) Storage of Sensitive Authentication Data and Lack of Firewall (Requirements 3 and 1) Others Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach 2014 MasterCard. Proprietary and Confidential

34 Primary Attack Vector for Brick & Mortar Merchants Primary Attack Vector for Brick & Mortar Merchants % 3% 18% Insecure Firewalls Insecure Remote Access Weak Passwords phishing 70% Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach 2014 MasterCard. Proprietary and Confidential

35 Primary Attack Vector for e-commerce Merchants Primary Attack Vector for e-commerce Merchants % 24% Improper System Configuration SQL Injection Cross-Site Scripting 6% Insufficent Patching 41% Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach 2014 MasterCard. Proprietary and Confidential

36 Malware Types Used in ADC Breaches PCI Requirements Not In-Place at Time of Breach (2013) Requirement 10 Requirement 11 73% 73% Requirement 8 60% Requirement 6 Requirement 12 Requirement 3 Requirement 1 67% 64% 62% 60% Requirement 2 Requirement 5 53% 53% Requirement 7 36% Requirement 9 16% Requirement 4 7% 0% 10% 20% 30% 40% 50% 60% 70% 80% Source Data: MasterCard investigated Account Data Compromises resulting in forensic investigations with conclusive evidence of a security breach 2014 MasterCard. Proprietary and Confidential

37 MasterCard Compliance Rules

38 MasterCard Merchant Level Definitions Category Level 1 Criteria Any merchant that has suffered a hack or an attack that resulted in an account data compromise Any merchant having greater than six million total combined MasterCard and Maestro transactions annually Any merchant meeting the Level 1 criteria of Visa Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system Level 2 Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually Any merchant meeting the Level 2 criteria of Visa Level 3 Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro ecommerce transactions annually Any merchant meeting the Level 3 criteria of Visa Validation Requirements Annual Onsite Assessment 1 Quarterly Network Scan conducted by an ASV 3 Annual Self-Assessment 2 Onsite Assessment at Merchant Discretion 2 Quarterly Network Scan conducted by an ASV 3 Annual Self-Assessment Quarterly Network Scan conducted by an ASV 3 Level 4 All other merchants 4 Annual Self-Assessment Quarterly Network Scan Compliance Date 30 June June June '05 Consult Acquirer conducted by an ASV 3 1 Effective 30 June 2012, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors. 2 Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire. 3 Quarterly Network Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). 4 Level 4 Merchants are required to comply with the PCI Data Security Standard. Level 4 Merchants should consult their acquirer to determine if compliance validation is also required. 5 Initial Compliance Date for Level 1 merchants has passed. 30 June 2011 affects merchants that choose to conduct an annual onsite assessment using an internal auditor MasterCard. Proprietary and Confidential

39 MasterCard Service Provider Level Definitions Category Criteria Validation Requirements Level 1 All TPPs All DSEs with greater than 300,000 annual transactions Annual Onsite Assessment conducted by a QSA 1 Quarterly Network Scan conducted by an ASV 2 Level 2 All DSEs with less than 300,000 annual transactions Annual Self-Assessment Quarterly Network Scan conducted by an ASV 2 1 All Level 1 Service Providers must complete an annual onsite assessment conducted by a PCI SSC certified QSA 2 Merchant and Service Providers must conduct quarterly network scans using a PCI SSC Approved Scanning Vendor 2014 MasterCard. Proprietary and Confidential

40 Payment Technologies

41 Point to Point Encryption Overview Optional Standard for Scope Reduction Above and Beyond DSS Properly validated P2PE solutions help merchants reduce Risk of data compromise Scope their Cardholder Data Environment Scope of their PCI DSS assessment Multiple parties involved in overall solution P2PE Service Provider holds primary solutions responsibility Merchant retains reduced level of DSS requirements Some requirements will still apply Merchant s implementation must be validated P2P Encryption 2014 MasterCard. Proprietary and Confidential

42 Tokenization Guidance Q: What is Tokenization? A: Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a token. Q: What is De-tokenization? A: De-tokenization is the reverse process of redeeming a token for its associated PAN value. Tokens do not need to be reversible! Tokenization 2014 MasterCard. Proprietary and Confidential

43 EMV Great for protection against counterfeit! EMV Chip provides protection against counterfeiting of a payment card Substantially reduces the risk of face to face fraud Although merchants can still use PAN key entry EMV Chip transactions do not protect against the compromise of PAN, cardholder name and expiry date which are all available in the clear EMV 2014 MasterCard. Proprietary and Confidential

44 Mobile Payment Acceptance Using a mobile device for payment acceptance Mobile devices are generally unsecure Ensure mobile device does not have access to unencrypted account data Encrypt payment data in the reader before the data enters the mobile device P2Pe technology can be used to mitigate risk in Mobile Payment Acceptance Mobile 2014 MasterCard. Proprietary and Confidential

45 More Information and Additional Resources The SDP Website - SDP Program information sdp@mastercard.com with questions Merchant level definitions and compliance requirements PCI Complimentary access to our PCI 360 webinar series PCI Security Standards Council PCI SSC Merchant Resource Website : PCI SSC Small Merchant Site: For additional Fraud Prevention Tools and Resources nagement.html 2014 MasterCard. Proprietary and Confidential

46 Questions? Questions? 2014 MasterCard. Proprietary and Confidential