Payment Card Industry Data Security Standard Training
Chris Harper, Vice President of Technical Services, Secure Enterprise Computing, Inc.
March 27, 2012
Agenda
- Check-In: 9:00-9:30
- PCI Intro and History: 9:30-10:00 (History; Why PCI is Important; The Players; PCI Enforcement)
- PCI Scoping Discussion: 10:00-10:45
- PCI Deep Dive and Roadmap Part 1: 11:00-12:15
- Lunch: 12:15-1:00
- PCI Deep Dive and Roadmap Part 2: 1:00-2:00
- PCI Deep Dive and Roadmap Part 3: 2:15-3:30
- Q&A: 3:30-4:00
PCI INTRODUCTION AND HISTORY
PCI Introduction and History: Introduction
What is PCI DSS?
PCI DSS: Payment Card Industry Data Security Standard
1. It is a private initiative set forth by the payment card industry.
2. It is a set of standards outlining how sensitive data is handled, both operationally and technically.
PCI: Technical and Operational Controls
Technical:
- Firewalls
- Intrusion Detection
- Two-Factor Authentication
- Anti-Virus
- Encryption
- Security Event Logging
Operational:
- Policy
- Security Awareness Training
- Incident Response Testing
- Change Control
- Employee Screening
- Risk Assessment
PCI is not Law
- Through your Merchant Agreement with your acquiring bank, you are contractually bound to abide by all relevant PCI standards.
- There is no threat of incarceration for non-compliance with PCI DSS.
- Security Breach Notification Laws: see N.C. Gen. Stat. 75-65.
PCI DSS: 6 Goals with 12 Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Merchant Levels*
Columns: Merchant Level | Description | Validation Action*** | Validated By

Level 1
  Description: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Also any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  Validation action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor (or Internal Audit if signed by an Officer of the company); Approved Scanning Vendor
Level 2
  Description: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant; Approved Scanning Vendor
Level 3
  Description: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant; Approved Scanning Vendor
Level 4
  Description: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable)
  Validated by: Merchant; Approved Scanning Vendor

* New merchant level definitions effective as of July 18, 2006.
** Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
*** The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.
Self-Assessment Questionnaire v1.2 (SAQ)
- SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
- SAQ B: Imprint-only merchants with no electronic cardholder data storage.
- SAQ B: Stand-alone dial-up terminal merchants, no electronic cardholder data storage.
- SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage, not connected to other systems.
- SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
- SAQ D: All other merchants (not included in the descriptions for SAQs A-C above), and all service providers defined by a payment brand as eligible to complete an SAQ.
See: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml
PCI Introduction and History: History
Payment Brand Compliance Programs
Each payment brand develops and maintains its own PCI DSS compliance program in accordance with its own security risk management policies:
- American Express: Data Security Operating Policy (DSOP)
- Discover: Discover Information Security Compliance (DISC)
- JCB: Data Security Program
- MasterCard: Site Data Protection (SDP)
- Visa USA: Cardholder Information Security Program (CISP)
- Other Visa Regions: Account Information Security (AIS) Program
PCI Security Standards Council
- PCI DSS created in December 2004
- Original compliance deadline was June 2005
- PCI SSC formed in September 2006, and Version 1.1 of the standard released
- Version 1.2 released October 2008
- Version 2.0 released October 2010
PCI Introduction and History: The Players
The Players: Cardholder and Issuer
Cardholder
- The customer purchasing goods, either through a card-present or card-not-present transaction
- Receives bills from the issuer
Issuer
- The bank or organization issuing a payment card on behalf of a card brand (Visa, MasterCard, etc.)
The Players: Acquirer
- The bank or entity the merchant uses to process its payments
- Receives authorization requests and forwards them to the issuer for approval
- Provides authorization, clearing, and settlement services
- AKA: Merchant Bank
The Players: Acquirer Responsibilities
- Responsible for their merchants' compliance
- Ensure that merchants understand PCI compliance requirements, and track compliance efforts
- Work with the merchant until full compliance has been validated
- Provide merchant compliance status to the brands
- Incur any liability that may result from non-compliance
The Players: Merchant
- Organization accepting the payment card for a purchase
Merchant Responsibilities
- Review and understand the PCI DSS
- Understand the compliance validation and reporting requirements of the card brands
- Validate and report compliance to the acquirer or payment brand
Service Providers
- A service provider is a business entity directly involved in the processing, storage, transmission, and switching of transaction data and cardholder data
- Usually not a payment card brand member
- Sometimes a service provider is also a merchant
- Includes companies that provide services to merchants which control, or could impact, the security of cardholder data
Service Provider Examples
- Transaction Processors: enable transactions such as authorization and settlement between merchants and issuers or acquirers
- Payment Gateways: enable transactions between merchants and processors
- Managed Service Providers: firewalls, IDS, logging, etc.
- Web hosting / Datacenter hosting
PCI Introduction and History: Why PCI Is Important
Security Breaches
Hackers are attacking:
- Brick-and-mortar merchants
- E-commerce merchants
- Third-party entities in the payment system
Hackers are looking for:
- Software that stores sensitive cardholder data
- Track data and primary account numbers (PANs)
- Personal information, corporate intellectual property
Why Is PCI DSS Compliance Important?
Investigations after compromises consistently show common PCI DSS violations, including but not limited to (related PCI DSS requirement in parentheses):
- Storage of magnetic stripe data (3.2)
- Inadequate access controls due to improperly installed merchant POS systems (7.1, 7.2, 8.2 & 8.3)
- Default system settings and passwords not changed when the system was set up (2.1)
- Unnecessary and insecure services not removed or fixed when the system was set up (2.2.2)
- Poorly coded web applications resulting in SQL injection and other vulnerabilities (6.5)
- Missing and outdated security patches (6.1)
- Lack of logging (10)
- Lack of monitoring (10.6, 11.2, 11.4 & 11.5)
- Lack of segmentation in a network, making cardholder data easily accessible (1.3 & 1.4)
Why Is PCI DSS Compliance Important?
Who is behind data breaches?
- 92% resulted from external sources (+22%)
- 17% implicated insiders (-31%)
- <1% resulted from business partners (-10%)
- 9% involved multiple parties (-18%)
How do breaches occur?
- 50% utilized some form of hacking (+10%)
- 49% incorporated malware (+11%)
- 29% involved physical attacks (+14%)
- 17% involved privilege misuse (-31%)
- 11% employed social tactics (-17%)
What commonalities exist?
- 83% were targets of opportunity (<>)
- 92% of attacks were not highly difficult (+7%)
- 76% of all data was compromised from servers (-22%)
- 86% were discovered by a third party (+25%)
- 96% of breaches were avoidable through simple or intermediate controls (<>)
- 89% of victims subject to PCI DSS had not achieved compliance (+10%)
The figures in parentheses are the change from the previous year's report; (<>) means no change.
Source: 2011 Data Breach Investigations Report, Verizon Business
Why Is PCI DSS Compliance Important?
What data was stolen? Compromised data types, by percent of breaches / percent of records:
- Payment card numbers/data: 78% / 96%
- Authentication credentials (usernames, passwords, etc.): 45% / 3%
- Personal information (name, SS#, address, etc.): 15% / 1%
- Sensitive organizational data (reports, plans, etc.): 11% / 0%
- Bank account numbers/data: 8% / <1%
- Intellectual property: 5% / <1%
- System information (config, services, software, etc.): 5% / unknown
- Classified information: 3% / unknown
- Medical records: 1% / unknown
- Unknown: 1% / 0%
What was attacked? Attack pathways, by percent of breaches within Hacking / percent of records:
- Remote access services: 71% / 27%
- Backdoor or control channel: 34% / 38%
- Web application: 22% / 38%
- Network file sharing services: 11% / 24%
- Unknown: 8% / 10%
Source: 2011 Data Breach Investigations Report, Verizon Business
Why Is Compliance With PCI DSS Important?
- These compromises cover the full spectrum of organizations, from very small to very large merchants and service providers.
- A security breach and subsequent compromise of payment card data has far-reaching consequences, including:
  - Regulatory notification requirements
  - Loss of reputation
  - Loss of customers
  - Potential financial liabilities (for example, fees and fines)
  - Litigation
If Compromised: Take Immediate Action!
- Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and to adhere to Visa CISP requirements.
Loss or theft of account information
- Merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
- If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of cardholder data, it will be subject to a penalty of $100,000 per incident.
- Members are subject to fines of up to $500,000 per incident for any merchant that is compromised and not compliant at the time of the incident.
PCI Introduction and History: PCI Enforcement
[Diagram: Guidance and Enforcement. Entities shown: PCI Security Standards Council, Card Brands, QSA, ASV, Acquirers, Merchants. Arrow labels: Feedback, Report.]
What Are the Penalties for Non-compliance?
We are all responsible for safeguarding consumer data:
- Processors are responsible for ensuring that all of their merchants are compliant with CISP, and for including CISP provisions in all contracts and merchant agreements and with agents.
- Merchants, regardless of processing volume or merchant category, are responsible for safeguarding their customers' data and are subject to penalties and fines if they do not do so.
- A security breach, in addition to fines, can lead to distrust from customers and ruin a business's reputation.
- Visa and MasterCard have warned that they may restrict or terminate a merchant's acceptance privileges for issues of non-compliance. In addition, the following fines can apply:
Possible Fines for Non-compliance
By violation:
- First Violation: up to $50,000
- Second Violation: up to $100,000
- Third Violation: Management Discretion
- Failure to Report a Compromise: up to $100,000
- Egregious Violation: up to $500,000
By merchant level:
- Level 1 Merchant (6,000,000+ transactions per year): up to $100,000, AND if not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year)
- Level 2 Merchant (150,000 to 6,000,000 transactions per year): up to $50,000, AND if not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year)
- Level 3 Merchant (20,000 to 150,000 transactions per year): up to $25,000, AND if not compliant after 60 days, MasterCard or Visa additional fines of $10,000 per day (not to exceed $500,000 per year)