PCI Data Security Standards An Introduction to Bankcard Data Security
Why should we worry?
- Since 2005, over 500 million customer records have been reported as lost or stolen [1]
- In 2010 alone, over 134 million confidential customer records were compromised; millions of those records included a social security number [1]
- The average institutional cost in 2009 for a data security breach was $7.2 million [2]
- Approximately 15 million Americans suffer an ID theft each calendar year
- The corporate cost of a breach includes legal fees, customer compensation, loss of stock value, loss of customer confidence, loss of business, and board of director embarrassment
[1] Privacy Rights Clearinghouse (www.privacyrights.org)
[2] Ponemon Institute, 2010 Annual Study: US Cost of a Data Breach
Unlimited markets exist to trade stolen data
How/Where is Data Lost or Stolen?
- 44% lost by or due to third party error [1]
- 41% due to negligence vs. 31% due to malicious acts [1]
- Lost/stolen laptop or other mobile device [1]
- 16% by companies that had previously suffered a data breach [1]
Entities/industries suffering losses:
- Government agencies
- Health care providers
- Financial services industry
- Retailers
- Schools and universities
- Payment processors (e.g. issuers, acquirers)
[1] Ponemon Institute, 2010 Annual Study: US Cost of a Data Breach
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the major card brands (now maintained by the PCI Security Standards Council) for the protection of payment card data.
[Graphic: the PCI DSS compliance cycle, Assess -> Remediate -> Report]
PCI DSS is not:
- a federal or state regulation
- a comprehensive data security program
- a guarantee against data loss
- a one-time objective
PCI DSS is:
- an exceptionally useful tool for improving payment data security and reducing the risk of loss
- a requirement of all bankcard networks and payment acquirers
- a set of guidelines that can be generally applied to an institutional data protection plan
Bankcard Payments Ecosystem
[Diagram: participants are the Customer, Merchant, Acquirer, PIN Debit Network, Credit Card Network and Card Issuer; the payment flows from the customer through the merchant and acquirer across the card network to the issuer, which bills it on the cardholder's statement]
PCI DSS Overview (Merchant Levels)

Level 1
  Validation: Annual QSA review / Quarterly scan by ASV (Amex, Discover, JCB, MasterCard, Visa)
  Annual volume: Amex > 2.5 million; Discover N/A; JCB > 1 million; MasterCard > 6 million; Visa > 6 million
Level 2
  Validation: Amex: Quarterly scan by ASV; Discover: N/A; JCB, MasterCard, Visa: Annual self-assessment / Quarterly scan by ASV
  Annual volume: Amex 50K to 2.5 million; Discover N/A; JCB < 1 million; MasterCard 1 to 6 million; Visa 1 to 6 million
Level 3
  Validation: Amex: Quarterly scan by ASV; Discover: N/A; JCB: N/A; MasterCard, Visa: Annual self-assessment / Quarterly scan by ASV
  Annual volume: Amex < 50K; Discover N/A; JCB N/A; MasterCard 20K to 1 million; Visa 20K to 1 million
Level 4
  Validation: Amex: N/A; Discover: N/A; JCB: N/A; MasterCard, Visa: Annual self-assessment / Quarterly scan by ASV
  Annual volume: Amex N/A; Discover N/A; JCB N/A; MasterCard < 20K; Visa < 20K
Payment Card Data
- PAN (Primary Account Number)
- Cardholder name
- Expiration date
- CID (the card security code printed on the card; also called CVV2/CVC2)
PCI DSS Overview (Basic Rules)
- PCI DSS applies to any entity that stores, processes or transmits cardholder data; it is the PAN (Primary Account Number) that triggers it, so if no PAN is stored, processed or transmitted the requirements do not apply
- 12 core requirements and approximately 200 sub-requirements are organized within six groups:
  - Build and Maintain a Secure Network
  - Protect Cardholder Data
  - Maintain a Vulnerability Management Program
  - Implement Strong Access Control Measures
  - Regularly Monitor and Test Networks
  - Maintain an Information Security Policy
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data:
  - between stored data and all external systems
  - between stored data and other internal systems
  - between the payment processing system and all other programs
  - by minimizing communications traffic and access to that data
  - on all remote devices used to access the data
- Do not use vendor-supplied defaults for system passwords and other security parameters:
  - change passwords regularly
  - disable unnecessary and insecure services and protocols
Protect Cardholder Data
- Protect cardholder data:
  - when obtained from cardholders over the phone
  - when provided on paper or in any electronic medium
  - when stored in any form
  - when transmitted or transferred in any form
  - when electronic copies are accessed
- Store it ONLY when required to support business processes
- Never store prohibited payment data (sensitive authentication data after authorization: full track/magnetic stripe contents, the card security code, PIN blocks)
- Render the PAN unreadable to unauthorized persons wherever it is stored (truncation, one-way hashing, index tokens or strong encryption) and display no more than the first six and last four digits
- Protect cryptographic keys
- Encrypt transmission of cardholder data across open, public networks
- Apply strong encryption to wireless networks
- Never send unencrypted PANs via common messaging systems (e.g. e-mail, chat, IM)
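The last three points are what a data-loss-prevention filter on e-mail or chat has to do in practice: find strings that are really PANs, and mask anything it keeps. The following is an added example (not code from the deck or from édept LLC) that scans text for 13 to 19 digit runs, confirms each with the Luhn mod-10 check every PAN satisfies, and masks confirmed PANs to first six / last four. The chat transcript and the order and phone numbers in it are constructed; the two card numbers are the well-known Visa and MasterCard test numbers, not real accounts.

```python
"""PAN discovery and masking (added example, not part of the deck).

Scans text (a chat transcript, an e-mail body, a log file) for strings that
look like payment card PANs, confirms them with the Luhn mod-10 check that
every PAN must satisfy, and masks confirmed PANs to first six / last four,
the most PCI DSS allows to be displayed. Sample input is constructed."""
import re
from typing import List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (a 20-digit reference number is not a PAN).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right,
    subtract 9 from any product above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def is_pan(candidate: str) -> bool:
    d = _digits(candidate)
    return d.isdigit() and 13 <= len(d) <= 19 and luhn_valid(d)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in text, separators stripped."""
    return [_digits(m.group(0)) for m in _CANDIDATE.finditer(text)
            if is_pan(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; PCI DSS permits no more."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every PAN in text with its masked form; other numbers untouched."""
    return _CANDIDATE.sub(
        lambda m: mask_pan(_digits(m.group(0))) if is_pan(m.group(0)) else m.group(0),
        text)


# Constructed sample: a support-chat transcript a DLP filter might inspect.
# 4111... and 5500... are published test card numbers; the order and phone
# numbers are made up (the order number is 16 digits but fails Luhn).
SAMPLE_CHAT = """\
[10:02] agent: can you read me the number on the front of the card?
[10:03] cust: sure, 4111 1111 1111 1111, expires 12/14
[10:03] cust: my order number is 1234567890123456 and phone is 760-443-3967
[10:04] agent: got it, charging 5500000000000004 on file instead
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_CHAT))
    print(redact(SAMPLE_CHAT))
```

The Luhn check is what keeps the false-positive rate down: the 16-digit order number is left alone while both card numbers are masked. Luhn is a checksum, not a secret, so a hit means "worth blocking or reviewing", not proof that the number is a live account.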
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software:
  - on central systems and desktop devices
  - configured for automated updates and scanning
- Develop and maintain secure systems and applications:
  - monitor, validate and track system accesses
  - use encryption and limit access to data whenever/wherever possible
  - maintain a schedule for installing and testing patches and updating anti-virus signatures
  - maintain separate environments for testing and production
  - strict change control
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know:
  - automated process for access control
  - user access based on roles and responsibilities
  - documented process for user access setup and changes
  - establish the minimum required access (not the maximum)
- Assign a unique ID to each person with computer access:
  - unique ID for each user
  - two-factor authentication (required for remote network access)
  - rules requiring strong passwords
  - restrict or remove system accesses where required
  - automatic lockout after multiple logon errors
- Restrict physical access to cardholder data:
  - monitor and record all access to data storage facilities
  - secure shipping and transport
  - require and verify IDs for employees and visitors
  - badge access only for restricted areas
  - restrict remote access
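The lockout rule above is concrete enough to implement: PCI DSS 2.0 requirements 8.5.13 and 8.5.14 lock a user ID after at most six consecutive failed attempts, for at least 30 minutes. Below is an added example (not from the deck or from édept LLC) of a per-user limiter that enforces those numbers by default, refuses even a correct credential while the ID is locked, and records every attempt as an audit entry. The clock is injectable so the expiry can be exercised without waiting; the user names and the scenario in `demo()` are constructed.

```python
"""Account lockout with an audit trail (added example, not part of the deck).

Defaults follow PCI DSS 2.0 8.5.13/8.5.14: lock after six consecutive failed
logins, for 30 minutes. Every attempt, including failures and attempts made
while locked, is appended to self.audit so it can be forwarded to central
logging. The clock is injectable so expiry can be tested without waiting."""
import time
from typing import Callable, Dict, List


class LoginLimiter:
    def __init__(self, max_failures: int = 6, lockout_seconds: int = 1800,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}       # consecutive failures per user
        self._locked_until: Dict[str, float] = {}  # lock expiry time per user
        self.audit: List[dict] = []                # who, when, outcome

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:               # lock expired: reset state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Return 'ok', 'denied' or 'locked'.

        A correct credential is still refused while the ID is locked, so an
        attacker cannot use the lockout window to confirm a guess."""
        if self.is_locked(user):
            result = "locked"
        elif credential_ok:
            self._failures.pop(user, None)      # success clears the counter
            result = "ok"
        else:
            n = self._failures.get(user, 0) + 1
            self._failures[user] = n
            if n >= self.max_failures:
                self._locked_until[user] = self.clock() + self.lockout_seconds
                result = "locked"
            else:
                result = "denied"
        self.audit.append({"user": user, "time": self.clock(), "result": result})
        return result


def demo() -> List[str]:
    """Constructed scenario with a fake clock: three bad guesses lock 'alice',
    the right password is refused while locked, and works after expiry."""
    now = [1000.0]
    lim = LoginLimiter(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    results = [lim.attempt("alice", False), lim.attempt("alice", False),
               lim.attempt("alice", False), lim.attempt("alice", True)]
    now[0] += 61                                 # lockout window has passed
    results.append(lim.attempt("alice", True))
    return results


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'locked', 'locked', 'ok']
```

In a real deployment the counters and lock state live in a shared store, not process memory, so a distributed attacker cannot reset them by hitting a different node, and the audit list is shipped to the log server described under requirement 10.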
Regularly Monitor and Test Networks
- Track and monitor all accesses to network resources and cardholder data:
  - log all accesses to the network and/or data, including unsuccessful attempts, viewing of audit trails, and creation or deletion of system-level objects
  - record everything (e.g. user ID, date, time, data accessed)
  - limit access to audit logs and prohibit changes
- Regularly test security systems and processes:
  - run vulnerability scans
  - test for wireless access points
  - deploy file integrity monitoring
  - conduct annual internal and external penetration testing
  - utilize intrusion detection
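File integrity monitoring, listed above, is the control that catches a modified configuration, a dropped script or a deleted log on a cardholder-data system. As an added example (not from the deck or from édept LLC), the code below hashes every file under a directory into a baseline, signs the baseline with an HMAC so an attacker who alters files cannot simply regenerate it, and then reports modified, added and removed files. The directory layout, file contents and the signing key in `demo()` are constructed for the example; in a real deployment the key and the baseline are stored off the monitored host.

```python
"""File integrity monitoring (added example, not part of the deck).

Baseline a directory tree (hash, size and permission bits per file), sign the
baseline with an HMAC, then report files that were modified, added or removed.
The scenario in demo() is constructed; the key is a placeholder and in real
use would be held off-host together with the baseline."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record hash, size and permission bits for every regular file under root."""
    base = Path(root)
    baseline: Dict[str, dict] = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(base).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the baseline."""
    canon = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_baseline_signature(baseline: dict, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), sig)


def compare_to_baseline(root: str, baseline: dict) -> Dict[str, List[str]]:
    """Diff the live tree against a (verified) baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "removed": sorted(r for r in baseline if r not in current),
        "added": sorted(r for r in current if r not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline, simulate a compromise, compare."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        files = {"etc/app.conf": "db_host=payments\n",
                 "bin/run.sh": "#!/bin/sh\nexec ./app\n",
                 "logs/audit.log": "2011-01-01 login ok\n"}
        for rel, body in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        key = b"placeholder-fim-key"            # assumption: real key kept off-host
        baseline = build_baseline(root)
        sig = sign_baseline(baseline, key)

        # Simulated compromise: config edited, dropper added, audit log deleted.
        Path(root, "etc/app.conf").write_text("db_host=attacker.example\n")
        Path(root, "bin/dropper.sh").write_text("#!/bin/sh\necho pwned\n")
        Path(root, "logs/audit.log").unlink()

        if not verify_baseline_signature(baseline, key, sig):
            raise RuntimeError("baseline tampered with; do not trust the diff")
        return compare_to_baseline(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The HMAC only protects the baseline file, not the hashing code or the host it runs on; the same control is what the "limit access to audit logs and prohibit changes" point asks for on the logs themselves, and a compromised host can lie to its own monitor, which is why the comparison should run from, and report to, a system outside the cardholder data environment.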
Maintain an Information Security Policy
- Maintain a policy that addresses information security:
  - create the policy, distribute it, and review and update it annually
  - define consistent policies and establish corresponding procedures
  - establish a CISO and security team
  - educate staff and vendors
  - maintain an incident response plan
PCI DSS Overview (Audits and Scans)
- Certified vendor community:
  - QSA (Qualified Security Assessor)
  - PA-QSA (Payment Application Qualified Security Assessor)
  - ASV (Approved Scanning Vendor)
- Self-Assessment Questionnaire (SAQ):
  - tool used to perform a self-evaluation of compliance with the Standard
  - any organization may use it for self-evaluation, but it is accepted as validation of compliance only for the merchant levels (and the service providers a card brand defines as SAQ-eligible) that are not required to have an on-site QSA assessment
The Self-Assessment Questionnaire
SAQ A: Card-not-present merchants (e-commerce and mail order / telephone order, MOTO) with all cardholder data functions outsourced
SAQ B: Imprint-only merchants with no cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage
SAQ C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage
SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage
SAQ D: All other merchants (not included in the descriptions for SAQ types A through C above) and all service providers defined by a card brand as eligible to complete an SAQ
Questionnaire Sample
About
édept LLC is an independent consultancy providing business and technical assistance and advice regarding the applicability and implementation of payment systems. It specializes in the evaluation, development and implementation of payment solutions and security. For additional information regarding our services, contact: Gary Yamamura, g_yamamura@msn.com, 760-443-3967
Artwork featured in this presentation is by the late artist Frank Frazetta.