Slide 1: PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL
Session 1
Payment Card Industry (PCI) Security Standards
Slide 2: Top 3 Largest Security Incidents Reported Worldwide
All three were credit-card related.
*Source: datalossdb.org
Slide 3: Credit / Debit Card Usage - A Transaction Lifecycle ($$$)
Three stages, and who talks to whom at each:
- Credit card information collection: cardholder to merchant
- Credit card information routing: merchant to acquirer/service provider, then acquirer/service provider to payment brand (authorization request)
- Credit card information authorization: payment brand to issuer (authorization request), with the response returned along the same path
Two ways the data is captured:
- Card present transaction: credit/debit card track data (and PIN)
- Card not present transaction: credit/debit card e-commerce data (card number with expiry and CVV2)
Slide 4: Terminology - Participants in a Transaction Lifecycle

Entity: Merchant
Description: Any business that, having met the qualification standards of a payment brand and having been approved by an acquiring member, accepts payment cards in exchange for goods and services.

Entity: Acquirer
Description: Payment brand member that maintains relationships and accounts for merchants that accept payment cards. Serves as the intermediary between merchants and the payment brands. (e.g., Chase Paymentech Solutions, First Data, BA Merchant Services, Nova Information Systems, Fifth Third Bank, Wells Fargo Merchant Services, Global Payments, Heartland Payment Systems, First Nat'l Merchant Solutions, RBS Lynk)

Entity: Service Provider (e.g., Processor, Gateway, Hosting Provider)
Description: Business entity, other than a payment brand member or a merchant, that is directly involved in the processing, storage, transmission or switching of transaction data and/or cardholder information. This also includes companies that provide services to merchants, service providers or members which control or could impact the security of cardholder data (e.g., providers of managed firewalls, IDS and other services, hosting providers, etc.).

Entity: Payment Brand
Description: Processing organization that licenses members and merchants to issue and accept credit cards, respectively. Serves as the intermediary between acquirers and issuers. (e.g., Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB International)

Entity: Issuer
Description: The financial institution (a licensed member of a payment brand) that holds contractual agreements with and issues cards to cardholders. Also responsible for managing cardholder accounts and approving authorization requests.
Slide 5: Past Events - Security Breach!!!!
Implications of a cardholder data breach can be huge:
- Fines imposed* by payment brands (Visa, MasterCard, etc.) and other regulatory bodies (FTC, etc.) on acquiring banks, merchants and service providers
- Merchants losing their ability to process customers' credit card transactions
- Notification to legal authorities* and offering free credit-protection services to those affected
- Legal action* taken by cardholders
- Bad publicity
- Customer attrition and eventual loss of business
*TJX: approximately $118 million (regulatory fines, legal fees, call center costs). Heartland Payment Systems: approximately $12.6 million (legal costs and fines from Visa and MasterCard).
Slide 6: RISK! Cost of a Security Breach ($$$)
The cost breaks down into four activity areas*:
- Detection or discovery: activities that enable a company to reasonably detect the breach of personal data, either at rest (in storage) or in motion
- Escalation: activities necessary to report the breach of protected information to appropriate personnel within a specified time period
- Notification: activities that enable the company to notify data subjects, by letter, outbound telephone call, e-mail or general notice, that personal information was lost or stolen
- Ex-post response: activities to help victims of a breach communicate with the company to ask additional questions or obtain recommendations in order to minimize potential harm. Redress activities also include ex-post response such as credit report monitoring or the reissuing of a new account (or credit card)
*Source: ponemon.org
Slide 7: Payment Card Industry Security Standards Council - Background
PCI Security Standards Council:
- Organization founded by American Express, Visa Inc., MasterCard Worldwide, Discover Financial Services and JCB International
- An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection
*Source: pcisecuritystandards.org
Slide 8: Payment Card Industry Security Standards Council - Background
PCI Security Standards Council:
- PCI security standards are technical and operational requirements set by the council
- The standards globally govern all merchants and organizations that store, process and transmit card data, as well as software developers and manufacturers of applications and devices used in the card transaction
- The standards are the PCI Data Security Standard (PCI DSS), PIN Transaction Security (PTS) and the Payment Application Data Security Standard (PA-DSS)
*Source: pcisecuritystandards.org
Slide 9: Payment Card Industry Data Security Standard (PCI DSS) - Data Security Standard 1.2*
- PCI DSS applies to any entity that stores, processes and/or transmits cardholder data
- Covers technical and operational system components included in or connected to the cardholder data environment
- 6 principles/goals and 12 requirements
- If your business accepts or processes payment cards, it must comply with the PCI DSS
*The effective date of the new PCI DSS v1.2 standard was October 1, 2008, and the sunset date of PCI DSS v1.1 was December 31, 2008.
Slide 10: Payment Card Industry Data Security Standard (PCI DSS) - Principles
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Slide 11: Payment Card Industry Data Security Standard (PCI DSS) - Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Slide 12: Payment Card Industry Data Security Standard (PCI DSS) - Requirements (continued)
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
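The deck lists requirement 3 ("Protect stored cardholder data") without saying what it means for a merchant's code. The following is an added example, not part of the original presentation or any PCI SSC material. It shows, in Python, the three things PCI DSS 1.2 sub-requirements 3.2, 3.3 and 3.4 ask for: never retain sensitive authentication data (full track data, CVV2, PIN) after authorization; mask the PAN for display, with at most the first six and last four digits visible; and render any stored PAN unreadable (here by truncation to the masked form, which is one of the permitted options). It also scans constructed log lines for full PANs that leaked, using the Luhn check digit to tell a PAN from an order number; that is the kind of check a requirement 10 log review would want. The field names, the log format and the sample records are assumptions made up for the example, and the card numbers are the well-known Visa and American Express test numbers.

```python
import re

# Added illustration of PCI DSS requirement 3 in code; field names, log format
# and sample records below are assumptions, not from the presentation.

# Sensitive authentication data that must never be retained after
# authorization (PCI DSS 1.2 req. 3.2): full track data, card verification
# code, PIN / PIN block.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv2", "pin", "pin_block")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check digit test that every payment card PAN passes."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2   # same as summing the digits of 2*d
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display (req. 3.3): at most the first six and last four
    digits stay visible; every digit in between is replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(auth_record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    sensitive authentication data dropped (req. 3.2) and the PAN truncated to
    its masked form (one of the req. 3.4 options). If the full PAN is genuinely
    needed later, strong encryption or tokenization would replace the truncation."""
    stored = {k: v for k, v in auth_record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Scan free text such as application logs for full PANs. The Luhn check
    filters out order numbers and other digit runs that merely look like PANs."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample data (not from any real system).
SAMPLE_AUTH_REQUEST = {
    "merchant_id": "1001",
    "pan": "4111 1111 1111 1111",   # well-known Visa test number
    "expiry": "1210",
    "cvv2": "123",
    "track2": "4111111111111111=12101011234567890",
    "amount": "42.00",
}

SAMPLE_LOG = "\n".join([
    "2008-10-01 12:00:01 auth ok merchant=1001 pan=4111111111111111 amount=42.00",
    "2008-10-01 12:00:02 auth ok merchant=1001 pan=411111******1111 amount=42.00",
    "2008-10-01 12:00:03 order=1234567890123456 status=shipped",
])

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH_REQUEST))
    print(find_unmasked_pans(SAMPLE_LOG))
```

Run stand-alone, the block prints the storable record (no cvv2, no track2, PAN masked to 411111******1111) and a single leaked PAN from the first log line; the order number on the third line is a 16-digit run but fails the Luhn check and is correctly ignored.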
Slide 13: Payment Card Industry Security Standards Council - Stay Tuned
Session 2:
- PCI DSS Deep Dive
- Changes from PCI DSS 1.1 to 1.2
- Payment Application Data Security Standard
- PIN Transaction Security Standard
Slide 14: Payment Card Industry Security Standards Council - THANK YOU