Payment Card Industry Data Security Standard. Abhinav Goyal, B.E. (Computer Science), MBA Finance, Final Trimester, Welingkar Institute of Management. ISACA Bangalore chapter, 13th February 2010.
Credit Card. Credit Card Number Generator (Video: 0.5).
Let's Focus - 1: Issuer Identification Number; check digit (Luhn or Mod 10 check); the remaining 9 digits are the account number. Arrangement: 10^9, about 1 bn combinations. Amex: 15 digits, account numbers are 8 digits long.
Let's Focus - 2: CVV / CSC / CVV2. Amex uses 4 digits. It is not your PIN.
Video: Case Study - 1. Carla Yorborough used to run SPANKY Restaurant. She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000. She says: "No one can expect that such things also happen."
Agenda: Creation, Need & Reason; History of PCI; Overview of PCI DSS; Card Security Programs; 12 PCI DSS Requirements, 6 Control Objectives; Merchant Levels; Compliance Validation; Non-Compliance Risks and Consequences; Breach Risk and Consequences; Recommendations; Approved Assessor and Certifying Organizations; Self Assessment Questionnaire; Common PCI Myths; Case Study; Questions.
Who created it, the need and the reason. Creators: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. Need: attacks on networks, theft & misuse of cardholders' information. Reason: reassurance to customers; proactive protection establishes common processes & procedures.
History of PCI: each brand had its own standard with different requirements (encryption strength etc.). In 2004 the PCI Security Standards Council was formed under one umbrella concept. Level 1 merchants were required to be compliant by Dec. 31, 2007; Level 2-4 merchants were required to be compliant by June 30, 2007.
Overview of PCI DSS: prior to September 2004 it was difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others. As fraud losses increased, the card industry realized the need for consistent and well-defined security standards.
Technology Age to PCI DSS: What is PCI DSS? (Video: 1)
Overview of PCI DSS: applies to all merchants that store, process, or transmit cardholder data, across all payment (acceptance) channels, including brick-and-mortar, mail, telephone and e-commerce (Internet). Includes 12 requirements, based on administrative controls (policies, procedures, etc.), physical security (locks, physical barriers, etc.) and technical security (passwords, encryption, etc.).
Card Security Programs. The following programs incorporate PCI DSS: VISA Cardholder Information Security Program (CISP); MasterCard Site Data Protection (SDP) Program; American Express Data Security Requirements; Discover Information Security and Compliance (DISC) Program.
VISA Cardholder Information Security Program (CISP) (PDF: 2).
4. Understanding the 12 requirements of PCI DSS (PDF: 4).
3. How cards actually get stolen and used (Video: 3).
Merchant levels. Merchant levels are based on the yearly transaction volume of the merchant. Specific criteria for placement in merchant levels vary across card companies. All merchants, regardless of level, must adhere to PCI DSS requirements. The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost). Let's take a quick look at Visa's levels.
Merchant levels - Visa (same for MasterCard). Level 1: merchants, regardless of acceptance channel, processing over 60,00,000 Visa transactions; any merchant that has suffered a data compromise; any merchant so selected by Visa; any merchant identified by another card brand as Level 1.
Merchant levels - Visa. Level 2: merchants, regardless of acceptance channel, processing 10,00,000 to 60,00,000 Visa transactions. Level 3: any merchant processing 20,000 to 10,00,000 Visa e-commerce (Internet) transactions.
Merchant levels - Visa. Level 4: any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions; all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions.
PCI DSS compliance validation. Level 1 merchants: annual on-site assessment by a Qualified Security Assessor (generates a Report on Compliance); quarterly network security scan by an Approved Scanning Vendor. Level 2 and 3 merchants: self-assessment questionnaire; quarterly network security scan by an Approved Scanning Vendor.
PCI DSS compliance validation. Level 4 merchants: self-assessment questionnaire if required by the acquirer; quarterly network security scan by an Approved Scanning Vendor if required by the acquirer.
What are the implications of non-compliance? Failure to prove compliance can carry severe penalties, including fines, increased transaction fees, or losing the right to access a payment card network's resources at any level. For example, in 2006 Visa levied $4.6 million in fines versus $3.4 million in 2005. Visa announced that merchants found to be storing sensitive credit card data will be subjected to fines of up to $10,000 per month. American Express, on its side, is fining merchants up to $15,000 per day for failures to comply and forcing them to bring in a third-party contractor to bring systems into compliance.
Non-Compliance Risk and Consequences - Visa (regardless of level requirements). 1st violation: up to $50,000 USD for a rolling 12-month period. 2nd violation: up to $100,000 USD for a rolling 12-month period. 3rd violation: Visa's discretion to refuse future transactions until a compliant period of 12 consecutive months, determined on a rolling basis with a new 12-month period beginning on the first day of each calendar month.
Non-Compliance Risk and Consequences - MasterCard. Level 1: up to $25,000 USD annual fee per merchant. Level 2: up to $5,000 USD annual fee per merchant. Level 3: up to $5,000 USD annual fee per merchant.
Risks of non-compliance: endangering customer information. Exposure could lead to fines levied; loss of merchant status; elevation to Level 1 status (and the resulting compliance validation costs).
Breach Risk and Consequences. Reputation risk: what will the impact be on your company's brand? Mandatory involvement of federal law enforcement in the investigation. Financial risk: $20 - $90 fine per credit card number that COULD have been exposed or compromised; civil liability and the cost of providing ID theft protection; the average cost of a security breach is $5,000,000.
Breach Risk and Consequences. Compliance risk: exposure to Level 1 validation requirements. Operational risk: potential loss of card processing privileges.
Some facts: 84% of breaches are from merchants in Levels II, III and IV. 60% of people do not trade with merchants that have been breached. Criminals steal not only money but also trust.
I am a merchant with no money. What I can do: install a firewall; keep patches up to date; change passwords in a timely manner; turn off remote access; contact the POS vendor to check what information is being saved; save only what you require.
Approved assessor and certifying organizations. QSA stands for Qualified Security Assessor. It is a certification obtained by experienced security consultants that enables them to conduct the On-Site Data Security Assessment for PCI DSS. They are required to attend training by PCI every year and pass the exam. A recertifying QSA must obtain additional CPEs from training and other experience in order to retain certification. Some QSAs also maintain other certifications, for example ISO 27001 Lead Auditor. There are over 100 QSA companies. QSA services: On-Site Data Security Assessments (PCI "audits"), gap analysis, remediation services, general PCI consulting and advice. The cost to make an application PCI compliant averages about $100k. PDF: 5, List of Qualified Security Assessors. PDF: 6, Qualified Security Assessor Agreement. Webpage: Approved Scanning Vendors List.
Self Assessment Questionnaire: https://www.pcisecuritystandards.org/saq/instructions.shtml. PDF: 8, PCI Self Assessment Questionnaire C. PDF: 9, SAQ Guidelines (flowchart, page 14).
Some Common PCI Myths: one vendor and product will make us compliant; outsourcing card processing makes us compliant; PCI compliance is an IT project; PCI will make us secure; PCI requires us to hire a QSA.
Some Common PCI Myths: PCI is unreasonable and it requires too much; we don't take enough credit cards to have to be compliant; we completed a SAQ so we're compliant; PCI makes us store cardholder data.
Case Study Solution. Carla Yorborough used to run SPANKY Restaurant. She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000. 10-minute video: revision + case study.
Additional reading: https://www.pcisecuritystandards.org/index.shtml ; http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html ; http://www.time.com/time/world/article/0,8599,1224273,00.html?cnn=yes ; http://www.no1proxy.com/proxy-list.html ; http://searchsecurity.techtarget.com/originalcontent/0,289142,sid14_gci1146949,00.html ; http://money.cnn.com/2006/05/11/technology/fastforward_fortune/index.htm