The PCI Security Standards Council
Jeremy King, European Director

Agenda
1. How can you defend your card data?
2. What is the Council doing to help you?
3. What tools are available to get you secure?
4. How can you be involved?

PCI Security Standards: Protection of Cardholder Payment Data
Manufacturers: PCI PTS (PIN Entry Devices)
Software Developers: PCI PA-DSS (Payment Applications)
Merchants & Service Providers: PCI DSS (Secure Environments)
PCI Security & Compliance: P2PE
An ecosystem of payment devices, applications, infrastructure and users

About the Council
Open, global forum, founded 2006
Responsible for PCI Security Standards: development, management, education, awareness

Global Representation: Board of Advisors
RSA, The Security Division of EMC; TSYS; VeriFone Systems, Inc.; Wal-Mart Stores, Inc.; Starbucks; Barclaycard; British Airways; Cartes Bancaires; European Payments Council; IATA; Ingenico; Tesco Stores Limited; Cisco; Citi; First Data Corporation; Heartland Payment Systems; JPMorgan Chase & Co.; McDonald's Corporation; Cielo; Woolworths Limited

Continued and Sustained Growth: PCI SSC Community Meetings
                              2007   2010   2011
Total Attendees                343    926   1509
PO Attendees                   271    614    883
QSA/ASV/PTS Lab Attendees       52    231    434
The Five Stages of Grief: Denial
"It doesn't apply to me." PCI compliance is mandatory.
denial: 1. refusal to satisfy a request or desire; 2. a (1) refusal to admit the truth or reality (as of a statement or charge), (2) assertion that an allegation is false; b refusal to acknowledge a person or a thing, disavowal; 3. the opposing by the defendant of an allegation of the opposite party in a lawsuit
Source: http://www.merriam-webster.com/

The Five Stages of Grief: Anger
"It isn't fair." PCI applies to all parties in the payment process.
anger: transitive verb, to make angry <he was angered by the decision>; intransitive verb, to become angry
Source: http://www.merriam-webster.com/

The Five Stages of Grief: Bargaining
"I'll do some of it." Compliance is pass / fail.
bargaining: 1. an agreement between parties settling what each gives or receives in a transaction between them or what course of action or policy each pursues in respect to the other; 2. something acquired by or as if by bargaining, especially an advantageous purchase <at that price the car is a bargain>; 3. a transaction, situation, or event regarded in the light of its results <a bad bargain>
Source: http://www.merriam-webster.com/

The Five Stages of Grief: Depression
"I'll never get there." Many merchants already have.
depression: 1. (1) a state of feeling sad, dejection; (2) a psychoneurotic or psychotic disorder marked especially by sadness, inactivity, difficulty in thinking and concentration, a significant increase or decrease in appetite and time spent sleeping, feelings of dejection and hopelessness, and sometimes suicidal tendencies; 2. (1) a reduction in activity, amount, quality, or force; (2) a lowering of vitality or functional activity
Source: http://www.merriam-webster.com/

The Five Stages of Grief: Acceptance
"It'll be OK." PCI doesn't introduce any new, alien concepts.
acceptance: 1. an agreeing either expressly or by conduct to the act or offer of another so that a contract is concluded and the parties become legally bound
Source: http://www.merriam-webster.com/
What About EMV?
The Council released guidance on EMV within the overall data security framework defined by the PCI Data Security Standard. The guidance clearly highlights the benefits both systems bring to tackling fraud.
While EMV does help prevent some types of fraud, in order for a merchant to secure their payment data they must also adopt all elements of the PCI DSS. In today's EMV market, PCI DSS must be adopted and implemented in order to protect cardholder data.

[Diagram: EMV Transaction. The chip card (cardholder J C King) carries PAN, Expiry and iCVV/iCVC; each of the three hops in the transaction path is labelled Auth, Track data, PIN block.]
Website
Resources for Merchants and Others
Special Resources for Small Merchants
2012 Training Highlights
PCI SSC Internal Security Assessor (ISA) Program: helps security professionals improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance. Check out our Training Webinar!
PCI Awareness Training: offers general PCI training across your business to ensure a universal understanding of PCI compliance.
Training Schedule
ISA: London, UK, 26-27 April, 2012
QSA: London, UK, 28-29 April, 2012
PA-QSA: London, UK, 22-23 April, 2012
PCI Awareness Training: online anytime!
https://www.pcisecuritystandards.org/training/index.php

Internal Security Assessor (ISA) Program
Objective: a comprehensive PCI DSS training and qualification program for eligible internal audit security professionals. Now offered in a new hybrid model: an online prerequisite course followed by a two-day instructor-led session!
Focus: help security professionals improve their organization's understanding of PCI DSS and validate and maintain ongoing compliance.
How does this benefit my organization?
Opportunity to develop an internal security expert for driving and maintaining PCI compliance
Increased internal understanding of PCI standards and controls
May reduce compliance costs by encouraging development of an ongoing security process before and beyond the annual validation
Improved understanding of PCI standards and compliance through: enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments; supporting the consistent and proper application of PCI DSS measures and controls; effectively facilitating interactions with QSAs

PCI Awareness Training
Who should attend? Open to anyone who is interested in learning more about PCI, with a focus on those individuals working for organizations that must meet compliance with the PCI DSS or have a vested interest in the Payment Card Industry.
What does it cover? Key topics:
What is PCI and what does it mean to a company that must meet compliance with the PCI DSS?
Roles and responsibilities of the key actors in the compliance process
How the credit card brands differ in their requirements for PCI reporting and validation
Overview of the infrastructure used by organizations to accept payment cards and communicate with the verification and payment facilities
Real-world examples of PCI challenges and successes
How can I sign up? This course is offered both online and as a one-day instructor-led session. Please visit the PCI SSC Awareness Training page on the Council website for an up-to-date schedule of courses and registration details: https://www.pcisecuritystandards.org/training/non_certification_training.php
Awareness Training available online!
Dates & Cost
Instructor-led fee: $995.00 per individual (plus VAT where applicable)
Online (per company): 1-24 people $495; 25-99 people $395; 100+ people $295
PCI DSS Prioritized Approach Prioritized Approach Tools
Fact Sheets
Skimming Prevention Guidance
New Guidance: EMV; Telephone-based Payment Card Data; Virtualization; Tokenization; Wireless; PA-DSS and Mobile

New Guidance, Information Supplement: Telephone-based Payment Card Data
Key Recommendations:
Identifies risks and considerations specific to telephone-based payment card data
Provides a step-by-step flowchart to help determine PCI DSS controls for voice recordings
Specific guidance addressing capture of SAD (sensitive authentication data)
Identifies several applicable PCI DSS requirements with recommendations specific to call recording environments
Provides sample questions that merchants can ask call center providers to determine how their solution supports PCI DSS compliance

New Guidance, Information Supplement: Virtualization
Key Recommendations:
Perform a thorough evaluation of the technology and its impact on PCI DSS
Specific security considerations for virtual environments
Recommends that all virtualization components meet PCI DSS requirements
Defense-in-depth approach across both physical and logical layers

New Guidance, Information Supplement: Virtualization (Cloud-based architectures)
Responsibility will vary according to the specific cloud service and/or implementation
Considerations for public cloud environments include: added complexity; dynamic boundaries; often limited visibility or control over the underlying infrastructure

New Guidance, Information Supplement: Tokenization
Key Recommendations:
Tokenization does not eliminate the need for PCI DSS
Primary goal is to replace sensitive PAN values with non-sensitive token values
Tokenization may affect PCI DSS scope by limiting the systems that store, process or transmit cardholder data
Tokenization can contribute to a layered approach to cardholder data security

New Guidance, Information Supplement: Tokenization
Scoping Principles:
Segment out-of-scope systems from the tokenization system and the CDE
Scoping considerations will vary for each solution
Tips for maximizing scope reduction:
Limit PAN to the point of capture and the card data vault
Combine with P2PE
Ensure PAN is not retrievable from the token
Securely delete PAN and other cardholder data from source systems
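As an added illustration of the vault-based model the two tokenization slides describe (example code, not Council material), the following Python sketch keeps the PAN-to-token mapping only inside a card data vault and hands the merchant's order store a random token that carries no information about the PAN. Retaining the last four digits, issuing one stable token per PAN, and making tokens fail the Luhn check are assumptions of this example, not Council requirements.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used on PANs; the example builds tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardDataVault:
    """Sole holder of the PAN<->token mapping; the vault stays in PCI DSS scope."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # one stable token per PAN (assumption)
            return self._token_by_pan[pan]
        while True:
            # Random body from the OS CSPRNG: the token is not computed from
            # the PAN, so nothing outside the vault can recover the PAN from it.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for receipts (assumption)
            # Reject collisions and any token that happens to be Luhn-valid, so
            # a token can never be mistaken for (or equal) a real PAN.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; callers need explicit access."""
        return self._pan_by_token[token]


def record_order(vault: CardDataVault, order_id: str, pan: str, amount: str) -> dict:
    """Point of capture: pass the PAN straight to the vault and store only the
    token, so the order system never stores, processes or transmits PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "amount": amount, "card_token": token}
```

The PAN used in the test is the well-known Visa test number, not a real card.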
New Guidance, Information Supplement: Wireless
Overview:
Updated guidance aligns with PCI DSS v2.0
Incorporates Bluetooth technologies
Recommendations for securing wireless technologies
Expanded guidance, including updates per PCI DSS Requirement 11.1

New Guidance, PCI SSC Update June 2011: Mobile
Update & FAQ on the applicability of PA-DSS to mobile payment acceptance applications
Category 1 and 2 applications are eligible for PA-DSS
Category 3 applications are pending development of further guidance and/or standards
Category 1: PTS-approved PED devices
Category 2: purpose-built POS devices
Category 3: general-purpose smart devices

New Guidance, PCI SSC Update June 2011: Mobile
Addressing Category 3 applications via two scenarios
Scenario 1: cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device. The device never accesses clear-text PAN. A new PTS approval class for Secure Card Readers plus P2PE is applicable.
Scenario 2: cardholder data is input using a non-encrypted solution and transmitted through a mobile device. The device has access to clear-text PAN. Guidance/best practices for protecting clear-text PAN within mobile applications are under development.

New Program: P2PE, Hardware/Hardware Point-to-Point Encryption (P2PE)
The Basics:
P2PE does not replace PCI DSS
Allows merchants to reduce their validation scope
Merchant environment is isolated from clear-text account data
P2PE incorporates all PCI standards, including elements from: PTS for the Point of Interaction (POI) devices; PA-DSS for applications within the POI; PCI PIN for cryptographic key management; PCI DSS for the P2PE Solution Provider environment

New Program: P2PE, Hardware/Hardware Point-to-Point Encryption (P2PE)
P2PE Program Schedule (Hardware/Hardware):
Initial release of validation requirements: September 2011
Final release of validation requirements with detailed testing procedures: early 2012
P2PE assessor qualification process and solution listings: Q1 2012

Council Resources
Security standards and supporting documents
Quick Reference Guide
Frequently Asked Questions
Searchable list of approved QSAs, ASVs, PA-QSAs, PED Labs
Education and outreach, e.g. fact sheets, webinars
Participating membership, meetings, collaboration
A global voice for the industry
Get Involved
The PCI security landscape and standards are maturing globally

Get Involved: Join the PCI Braintrust!
Chief Security Officers, Information Security Professionals, Compliance Officers, Forensic Investigators, Technologists, IT Managers, Risk Managers, Chief Information Officers, Legal Experts, Data Security Experts
Join! Become a Participating Organization today

Special Interest Groups (SIGs)
Guidance & Alignment on Risk Assessment
Level 3 and Level 4 E-Commerce Merchants
Cloud (Virtualization Phase 2)
Projects commenced January 2012
sigs@pcisecuritystandards.org

Community Meetings
Orlando, Florida, USA: September 12-14, 2012
Dublin, Ireland: October 22-24, 2012
Join us as a Participating Organization to get involved in setting global PCI standards!

Provide Feedback to the Council
Implementation Feedback
Formal Feedback
Draft Revisions Feedback

How the Process Works
Example question: "Where elements of cardholder data must be protected when stored in conjunction with PAN, can we get some clarification on what in-conjunction means?"
[Diagram, labels in order: Technical Working Group; Board of Advisors; Technical Working Group; Standards Issued; Technical Working Group; Participating Organizations.]

Summary
Focus on security, not compliance
Understand the process of PCI standards development
Join us as a Participating Organization and increase our global presence
Take advantage of the Council's resources and guidance
Participate in the 2012 Annual Community Meetings
Adopt version 2.0 and share the PCI SSC roadmap with internal stakeholders
Stay Involved People + Processes + Technology = Security
Questions? Any Questions? Please visit our website at www.pcisecuritystandards.org