PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

Transcription

1 PCI Data Security Standards Presented by Pat Bergamo for the NJTC February 6, 2014

2 Introduction 3/3/2014 2

3 Your Speaker Patrick Bergamo, CISSP Director of Information Security & Delivery Delta Corporate Services Security consultant to Fortune 500 companies and the Federal government Over 35 years of IT experience ITIL Certified 3/3/2014 3

4 Definition of PCI 3/3/2014 4

5 PCI = Payment Card Industry Payment Card Industry (PCI) Security Standards Council Formed in 2006 Discover, American Express, JCB (Japan), MasterCard and Visa Council consists of representatives of founding organizations PCI Security Standards Council s Purpose Councils Purpose: To achieve best practice standardization within the credit card industry as an on-going activity 3/3/2014 5

6 Payment Card Industry Data Security Standard (PCI DSS) 3/3/2014 6

7 PCI DSS Consists of 12 Requirements Numerous directives for each requirement Security-based 3/3/2014 7

8 The 12 PCS DSS Requirements PCI Data Security Standard - High Level Overview Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel 3/3/2014 8

9 PCI Compliance Level Determination PCI Compliance Determined by each card provider Based on volume of transactions and the number of points where information is stored Four PCI Compliance Levels Level 1 requires complete compliance and assessment on an annual basis Levels 2 4 requires compliance on specific security controls evaluated using a Self Assessment Questionnaire (SAQ) 3/3/2014 9

10 PCI Compliance Levels: Visa Example PCI Level 1 Over 6 million annual transactions PCI Level 2 1 to 6 million annual transactions PCI Level 3 20,000 to 1 million annual transactions PCI Level 4 Less than 20,000 annual transactions 3/3/

11 Enforcement & Penalties Determined by Card Provider Up to $500,000 per data security incident Up to $50,000/day for non-compliance with PCI DSS Liability for losses due to fraud Payment for Card re-issuance Suspension of account 3/3/

12 PCI DSS A Common Set of Data Tools Card Number Name (and address) Expiration Date Security Code PIN 3/3/

13 Track 1 Magnetic Strips/Stripes Card number and expiration date, name, country code, and a three-digit service code Discretionary information, such as an account flag or PIN Track 2 Developed by the American Banking Association Read by standard ATMs and point of sale credit card readers Mostly the same information as track one, including the cardholder's name, account number, expiration date, encrypted PIN number and service code, as well as leaving room for other discretionary data Track 3 No standard for data format or contents May be used to store country codes, transaction authorizations, currency units, balance limits or other account information. On some credit cards, track three is omitted altogether 3/3/

14 Security Code Types CVC1 or CVV1 CVC1 or CVV1 is encoded on track-2 of the magnetic strip of the card and used for card present transactions CVV2 or CVC2 The most cited code, CVV2 or CVC2, is often sought by merchants for card not present transactions. 3/3/

15 PCI Considerations 3/3/

16 PCI Considerations Encrypted retail information has been decoded 3/3/

17 PCI Considerations Credit cards have security codes, but they typically have a reasonable maximum for which credit card holder is liable. 3/3/

18 PCI Considerations Debit cards require a PIN, but your entire account is exposed. 3/3/

19 PCI Future Trends 3/3/

20 PCI Future Trends Intelligent Chips (instead of magnetic strips) Biometrics Cash? 3/3/

21 PCI Considerations PCI DSS Compliance does not mean compliance with nationally recognized standards (NIST, ISO). 3/3/

22 Contact Information Patrick Bergamo, CISSP Director of Information Security & Delivery 800-delta20 x4948 mobile: Delta Corporate Services, Inc. A Business & IT Consulting Company 3/3/