Introduction to PCI DSS (March 2015)
Agenda
- PCI DSS History
- What is PCI DSS? / PCI DSS Requirements
- What is Cardholder Data?
- What does PCI DSS apply to?
- Payment Ecosystem
- How is PCI DSS Enforced?
- Benefits of Compliance / Non-Compliance Consequences
- Capabilities
6/1/2015 Security Services Template
PCI DSS History
- Visa developed the Cardholder Information Security Program (CISP) in 2001
- MasterCard and other card brands started developing separate criteria
- In 2004, Visa and MasterCard formally agreed to combine efforts and created the Payment Card Industry (PCI) Data Security Standard (PCI DSS)
- PCI DSS 1.0 released December 2004
- PCI DSS 1.1 released September 2006
- PCI DSS 1.2 released October 2008
- PCI DSS 1.2.1 released July 2009
- PCI DSS 2.0 released October 2010
- PCI DSS 3.0 released November 2013 (mandatory for assessments from 1 January 2015)
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security standard, maintained by the PCI Security Standards Council, created to increase confidence in the payment card industry and reduce risk to the payment card brands, merchants, service providers and consumers.
PCI DSS Requirements (v3.0 wording)
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
What is Cardholder Data?
Cardholder data (CHD) includes:
- Primary Account Number (PAN)
- Cardholder Name
- Service Code
- Expiration Date
Cardholder data may be stored. The PAN must be masked when displayed (Req. 3.3: the first six and last four digits are the most that may be shown) and rendered unreadable wherever it is stored (Req. 3.4: truncation, one-way hash of the entire PAN, index tokens, or strong cryptography). The other elements must be protected when stored together with the PAN.
The PAN is the defining factor in the applicability of PCI DSS requirements: they apply if a PAN is stored, processed, or transmitted. If no PAN is stored, processed or transmitted, PCI DSS requirements do not apply.
Sensitive authentication data (SAD) includes:
- Full track data (magnetic stripe or equivalent data on a chip)
- CAV2/CVC2/CVV2/CID
- PIN / PIN block
Sensitive authentication data must not be stored after authorization, even if encrypted (Req. 3.2).
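The slide above gives the rules but not what they look like in practice. The following Python is an added example, not code from the deck or from the presenting organization: it shows PAN discovery in free text (the first step in finding where cardholder data actually lives), Req. 3.3 display masking, and a keyed one-way hash as one Req. 3.4 option. The log lines are constructed for the example and use published test card numbers; the HMAC key is a placeholder, which in a real deployment would live in an HSM or key management service inside the CDE.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters most numeric noise (order IDs, timestamps) out of discovery."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Scan free text (logs, exports, dumps) and return (line number, normalised PAN) hits."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def mask_pan(pan: str) -> str:
    """Req. 3.3 display masking: first six and last four digits are the most that may be shown."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every discovered PAN in text with its masked form (e.g. before a log leaves the CDE)."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def pan_token(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way hash of the entire PAN. It is keyed (HMAC-SHA-256) because the PAN space
    is small enough to brute-force an unkeyed hash once the issuer BIN is known."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Constructed sample application log. Card numbers are published test numbers, not real accounts.
SAMPLE_LOG = """\
2015-06-01T12:00:01 INFO  auth ok card=4111 1111 1111 1111 amount=19.99
2015-06-01T12:00:02 INFO  shipped order=1234567812345678 sku=A-17
2015-06-01T12:00:03 WARN  retry card=378282246310005 reason=timeout
"""

if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: PAN found, masked form {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
    print(pan_token("4111111111111111", b"placeholder-key-held-in-hsm"))
```

Run against a real log directory this will produce false positives (Luhn passes one number in ten at random), so hits are a worklist for verification, not proof of storage; a hit that is verified means the host is in scope. Note also the Req. 3.4 caveat that hashed and truncated versions of the same PAN must not coexist without additional controls, since together they narrow the brute-force space further.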
Who Does PCI DSS apply to?
Any entity that stores, processes and/or transmits cardholder data must comply with the PCI Data Security Standard (DSS). Additionally, any entity that provides services which could affect the security of cardholder data may have a PCI compliance obligation. Entities include, but are not limited to, merchants and service providers.
Applies to:
- Retail (online and brick-and-mortar)
- Hospitality (restaurants, hotel chains, etc.)
- Transportation (e.g. airlines, car rental)
- Financial Services (banks, credit unions, card processors, etc.)
- Energy (oil, gas, utilities, etc.)
- Healthcare/Education (hospitals, universities)
- Government (federal, provincial, municipal)
- Not-For-Profit Organizations (Red Cross, churches, etc.)
Payment Ecosystem
- Merchants
- Acquirers / Processors
- Payment Brand Networks
- Issuers
- Service Providers
How is PCI DSS Enforced?
PCI DSS is enforced contractually, not by statute. The payment brands write compliance into their operating regulations, which bind issuers and acquirers/processors; acquirers in turn pass the obligation down to merchants and service providers through their merchant and service agreements.
- Payment Card Brands
- Issuers
- Acquirers / Processors
- Merchants
- Service Providers
Benefits of Compliance
Compliance with the PCI DSS demonstrates that a baseline set of security controls is in place, so customers can trust you with their payment card information:
- Trust means your customers have confidence in doing business with you
- Confident customers are more likely to be repeat customers, and to recommend you to others
- Implementing PCI DSS controls protects sensitive data, reduces the risk of compromise, and helps maintain your corporate reputation
- Compliance improves your standing with acquirers and payment brands, the partners you need in order to do business
Compliance has indirect benefits as well:
- Through your efforts to comply with the PCI standards, you'll likely be better prepared for other regulations as they come along, such as HIPAA, SOX, etc.
- The PCI DSS can form the basis of a corporate security strategy
- Assets and processes developed for PCI compliance can be reused across the organization as information security good practice
- You will likely identify ways to improve the efficiency of your IT infrastructure
Non-Compliance Consequences
If non-compliant and a breach occurs:
- Breached entity is liable for the acquirer's/issuer's losses and card re-issuance costs
- Breached entity will likely have significant investigative and legal costs
- Possible fines or restrictions imposed by card brands (including prohibiting future card processing)
- Repayment of losses may exceed the ability to pay and cause total failure of the organization
Other potential consequences:
- Damaged brand reputation
- Negative publicity
- Loss of customers and corporate trust
- Penalties and fees levied by card brands for non-compliance
Visa USA has fined some non-compliant merchants $25K per month. MasterCard's fee structure for Level 1 and 2 merchants and service providers includes quarterly escalating fines of up to $25K, $50K, $100K and $200K. Some Canadian merchants are being fined, in the range of $5K to $10K per month.
Capabilities
IBM is a PCI QSA (Qualified Security Assessor), Approved Scanning Vendor (ASV) and PFI (PCI Forensic Investigator), and is authorized to validate organizations' compliance.
- 40+ certified PCI QSAs across the different regions
- IBM cannot assess its own business units or services, to avoid a conflict of interest; a third-party QSA company must be retained to obtain a validation
- PCI QSAs can assist by performing gap analysis and providing remediation advice
Questions?
Appendix
Defining a Cardholder Data Environment
A critical strategic step in any PCI compliance initiative is formally defining the cardholder data environment (CDE). If a system stores, processes, or transmits cardholder data, it must be included in the CDE. The PCI DSS applies to any network component, server, or application that is included in or connected to the CDE.
In flat networks where an organization does not pursue scope reduction strategies, the entire network is in scope of the PCI DSS assessment, and every server, desktop, network device and application must comply with each and every control of the PCI DSS. In complex environments, bringing the entire network infrastructure into compliance may be financially and operationally unachievable, which is why isolating the CDE through network segmentation is the usual scope reduction strategy.
Defining a Cardholder Data Environment
The CDE boundary is typically implemented via firewall rules or strong access control lists on the security device that forms the boundary of the CDE, normally a firewall or a router with a firewall module capable of stateful inspection. To adequately form a boundary, all inbound and outbound connectivity to the CDE must be limited to the specific ports and protocols required for the business. All such allowed connectivity must use secure protocols and have a documented business justification. Segmentation only reduces scope if it actually isolates the CDE: under PCI DSS v3.0 (Req. 11.3.4) segmentation controls must be verified by penetration testing at least annually and after any change to them.
Supporting Infrastructure
It is important to consider systems outside of the CDE which, although they do not store, process, or transmit cardholder data, are still connected to the CDE. These may be systems providing security services to the CDE (authentication, logging, patching, firewall management) or systems simply allowed to communicate with it. Each such supporting system must be evaluated to determine whether it should be considered in PCI scope as well. Ultimately, if the compromise of a system outside of the CDE could affect the security of a system within the CDE or of cardholder data, that system is in PCI scope. For example, a server that manages a CDE firewall is in scope, because compromising it would allow an attacker to modify firewall rules and therefore affect the security of the CDE and cardholder data.
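The two appendix slides above describe the scoping decision in words: CDE systems, systems connected to the CDE, systems whose compromise could affect CDE security, and boundary connectivity that must be port-restricted, secure and justified. The following Python is an added example, not code from the deck or from the presenting organization, that applies those rules to a small constructed system inventory. The "connected-to is one hop, security impact propagates transitively" model, the system and service names, and the list of plaintext services are assumptions made for the example; the standard states the criteria, not this algorithm.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Services that carry credentials or payloads in clear text; assumed unacceptable across the CDE boundary.
PLAINTEXT_SERVICES = {"telnet", "ftp", "http", "snmpv1", "snmpv2c", "rsh", "tftp"}


@dataclass
class System:
    name: str
    handles_chd: bool = False                  # stores, processes or transmits cardholder data
    impacts: Set[str] = field(default_factory=set)  # systems whose security this one can affect


@dataclass
class Connection:
    src: str
    dst: str
    service: str                               # "any" means unrestricted protocol
    port: int                                  # 0 means unrestricted port
    justification: str = ""


def classify_scope(systems: Dict[str, System], connections: List[Connection]) -> Dict[str, Set[str]]:
    """Apply the slide's rules: CHD handlers form the CDE; systems with allowed connectivity to the
    CDE are 'connected-to'; anything that can affect an in-scope system's security is in scope too."""
    cde = {n for n, s in systems.items() if s.handles_chd}
    connected: Set[str] = set()
    for c in connections:
        if c.src in cde and c.dst not in cde:
            connected.add(c.dst)
        if c.dst in cde and c.src not in cde:
            connected.add(c.src)
    in_scope = cde | connected
    impacting: Set[str] = set()
    changed = True
    while changed:                             # transitive closure over 'impacts' edges
        changed = False
        for n, s in systems.items():
            if n in in_scope or n in impacting:
                continue
            if s.impacts & (in_scope | impacting):
                impacting.add(n)
                changed = True
    out_of_scope = set(systems) - in_scope - impacting
    return {"cde": cde, "connected": connected,
            "security_impacting": impacting, "out_of_scope": out_of_scope}


def audit_boundary(cde: Set[str], connections: List[Connection]) -> List[Tuple[str, str]]:
    """Flag boundary-crossing connections that violate the three conditions on the slide."""
    findings = []
    for c in connections:
        if (c.src in cde) == (c.dst in cde):   # internal to the CDE or entirely outside it
            continue
        label = f"{c.src}->{c.dst} {c.service}/{c.port or 'any'}"
        if c.port == 0 or c.service == "any":
            findings.append((label, "permits any port/protocol"))
        if c.service in PLAINTEXT_SERVICES:
            findings.append((label, "insecure protocol across CDE boundary"))
        if not c.justification.strip():
            findings.append((label, "no documented business justification"))
    return findings


# Constructed inventory for the example; names and relationships are hypothetical.
INVENTORY: Dict[str, System] = {s.name: s for s in [
    System("pos-terminal", handles_chd=True),
    System("payment-app", handles_chd=True),
    System("card-db", handles_chd=True),
    System("cde-firewall", handles_chd=True),           # CHD transits the boundary device
    System("fw-mgmt", impacts={"cde-firewall"}),         # pushes rules to the boundary firewall
    System("corp-ad", impacts={"fw-mgmt"}),              # authenticates the firewall admins
    System("dmz-web"), System("backup-server"), System("monitoring"),
    System("jump-host"), System("hr-portal"),
]}

CONNECTIONS: List[Connection] = [
    Connection("pos-terminal", "payment-app", "https", 443, "card authorization"),
    Connection("payment-app", "card-db", "postgres", 5432, "transaction storage"),
    Connection("dmz-web", "payment-app", "https", 443, "customer checkout"),
    Connection("backup-server", "card-db", "ssh", 22, "nightly encrypted backups"),
    Connection("monitoring", "payment-app", "snmpv2c", 161, ""),
    Connection("jump-host", "card-db", "any", 0, "admin access"),
]

if __name__ == "__main__":
    scope = classify_scope(INVENTORY, CONNECTIONS)
    for category, names in scope.items():
        print(f"{category}: {sorted(names)}")
    for label, issue in audit_boundary(scope["cde"], CONNECTIONS):
        print(f"FINDING {label}: {issue}")
```

The output separates the four categories the slides describe and produces three boundary findings: the monitoring link uses a plaintext protocol and has no justification, and the jump-host rule is any/any. The firewall manager lands in scope without touching cardholder data, and so does the directory that authenticates its administrators, which is the point of the slide's example. Feed it a real inventory export and the out_of_scope set is the list you argue with the QSA about.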
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
www.ibm.com/security
Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.