PCI DSS Overview
By Kishor Vaswani, CEO, ControlCase

Agenda
- About PCI DSS
- PCI DSS Applicability to Banks, Merchants and Service Providers
- PCI DSS Technical Requirements
- Overview of PCI DSS 3.0 Changes
- Key Implementation Tips
- About ControlCase
- Q&A
About PCI DSS
What is PCI DSS?
- Payment Card Industry Data Security Standard: guidelines for securely processing, storing, or transmitting payment card account data
- Established by leading payment card issuers
- Maintained by the PCI Security Standards Council (PCI SSC)

PCI DSS Historical Perspective
- Different card brands (MasterCard, Amex, Discover, JCB)
- Different compliance requirements
- 2006: formation of the PCI SSC

PCI Family of Standards (Protection of Cardholder Payment Data)
- Manufacturers: PCI PTS (PIN Entry Devices)
- Software developers: PCI PA-DSS (Payment Application Vendors)
- Merchants & processors: PCI DSS (Data Security Standard)
- Service providers: P2PE

Data in Question (Credit and Debit Card Data)
- Cardholder number (called PAN)
- Cardholder name
- Expiration date
- Service code
- CVV/CVV2/CVC2
- Track data
- PIN

Applicability
- Systems which STORE, PROCESS or TRANSMIT cardholder data

PCI DSS Requirements
Control objectives and their requirements:
- Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
- Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
- Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
- Maintain an information security policy
  12. Maintain a policy that addresses information security
PCI Applicability to Banks, Merchants and Service Providers
PCI Participants
- Card Brands: enforce PCI; promote adoption (sanctions, rewards)
- PCI SSC: maintain the DSS; certify QSAs & ASVs
- Acquiring Banks: communicate with and educate merchants; report merchant compliance to Card Brands
- Merchants: comply with PCI; secure cardholder data; use compliant service providers
- Service Providers: secure cardholder data; comply with PCI
- QSAs & ASVs: verify compliance through onsite assessment and quarterly vulnerability scans; render opinions to the merchant bank on compensating controls; forensics review of compromised entities
5/23/2015

Merchant Levels (Examples)
- Level 1: Merchants processing over 6 million transactions annually (all channels), or global merchants identified as Level 1 by any brand, or any merchant that a card brand, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system.
- Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 transactions per year.
- Level 3: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.

Merchant Compliance (Examples)
- Level 1: Annual on-site PCI Data Security Assessment (validated by a Qualified Security Assessor, or Internal Audit if signed by an officer of the company) and quarterly network scan (validated by an Approved Scanning Vendor)
- Level 2: Annual PCI Self-Assessment Questionnaire (SAQ) (validated by the merchant) and quarterly network scan (validated by an Approved Scanning Vendor)
- Level 3: Annual PCI Self-Assessment Questionnaire (SAQ) (validated by the merchant) and quarterly network scan (validated by an Approved Scanning Vendor)
- Level 4*: Annual PCI Self-Assessment Questionnaire (SAQ) (validated by the merchant) and quarterly network scan, if applicable (validated by an Approved Scanning Vendor)

Service Provider Levels (Examples)
- Level 1: Any service provider that stores, processes or transmits more than 300,000 accounts/transactions* annually
- Level 2: Any service provider that stores, processes or transmits less than 300,000 accounts/transactions* annually

Service Provider Compliance (Examples)
Level 1 is more than 300,000 transactions per year; Level 2 is less than 300,000 transactions per year.
- Annual PCI DSS onsite review by a PCI SSC Qualified Security Assessor (QSA): Level 1 mandated; Level 2 recommended
- Quarterly network scan by a PCI SSC Approved Scanning Vendor (ASV): Level 1 mandated; Level 2 mandated
- Annual PCI DSS self-assessment questionnaire (SAQ): Level 1 optional; Level 2 mandated
PCI DSS Technical Requirements
Requirement 1: Firewalls & DMZ
- Secure architecture
- Firewall ruleset reviews

Requirement 2: Configuration Standards
- Ensure that secure configuration standards exist and are updated
- New and existing systems comply with the latest standards
- Method to track and validate against standards

Requirement 3: Protect Stored Cardholder Data
- You must ensure stored data is encrypted and protected.

Requirement 4: Protect Cardholder Data in Transmission
- You must ensure data being transmitted is encrypted.

Requirement 5: Antivirus
- Antivirus must be installed on all systems commonly affected by viruses/malware
- Configuration of antivirus
- Antivirus logs must be captured, reviewed and stored appropriately

Requirement 6: Secure Applications
- You must ensure all applications are developed securely and without vulnerabilities.

Requirements 7 & 8: Access Control
- Appropriate access control mechanisms
- Appropriate review of user access
- Appropriate password strength
- Appropriate two-factor procedures for remote access
- Appropriate onboarding and termination procedures

Requirement 9: Physical Security
- Badge and other access controls
- CCTV and access logs
- Visitor procedures
- Security of media (including tapes, CDs)
- Appropriate systems to control badge access
- Review of access logs

Requirement 10: Logging and Monitoring
- Capturing logs on all devices in the cardholder data environment
- Appropriate data points to be captured within logs
- Review of logs and related anomalies in a timely manner
- Use of Intrusion Detection and File Integrity Monitoring techniques
- Appropriate synchronization of time using NTP

Requirement 11: Vulnerability Management
- Quarterly vulnerability scanning
  - Wireless
  - Internal
  - External
- Annual penetration tests
  - Internal network
  - External network
  - Application layer
  - Others (such as social engineering and war dialing)

Requirement 12: Policies and Procedures
- Documented information security policies and procedures
- Annual user awareness training
- Background checks
- Vendor (third party) management program
- Incident management program
Overview of PCI DSS 3.0 Changes
Timeline of PCI DSS 3.0
- Must comply with PCI DSS 3.0 starting 2015
- PCI DSS 2.0 is no longer valid
- Some new requirements of PCI DSS 3.0 take effect during 2015; until then they are best practices

Overview
- Segmentation
  - Adequacy of segmentation
  - Penetration test
- Third parties/service providers
  - Must validate PCI DSS compliance; OR
  - Must participate in the customer's PCI DSS compliance audit

Overview (contd.)
- PCI DSS as Business as Usual
  - Monitoring of security controls
  - Review changes to environment
  - Review changes to org structure
  - Periodic review of controls vs. only during audit
  - Separation of duties (operational vs. security)
- Physical protection of POS, ATMs and kiosks
  - Maintain inventory
  - Periodic inspection for tampering
  - Train personnel
Key Implementation Tips
PCI DSS High Level Methodology
1. Entity decides to go for PCI DSS and appoints a QSA
2. QSA carries out a gap assessment; entity remediates the gaps, performs ASV scans and invites the QSA for the PCI DSS audit
3. QSA carries out audit procedures and, on successful audit, issues the Report on Compliance (ROC) and Attestation of Compliance (AOC)

PCI DSS Implementation: Where to Start
Scoping of PCI DSS:
- Identify and document every location of cardholder data in the environment
- Verify that the PCI DSS scope is appropriate using card data flow diagrams and an inventory of cardholder data
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE
- If the entity identifies data that is not currently included in the CDE, that data should be securely deleted, migrated/consolidated into the currently defined CDE, or the CDE redefined to include it
- Retain documentation that shows how the PCI DSS scope was determined

Key Takeaways
- Revisit segmentation for adequacy
- Focus on third party compliance
- Identify GRC technology for business-as-usual implementation
- Revisit penetration testing methodology
- Identify how to secure physical devices such as POS, ATMs and kiosks

Available Documents
Various documents are available at:
- https://www.pcisecuritystandards.org/documents/pci_dss_v3.0_third_party_security_assurance.pdf
- https://www.pcisecuritystandards.org/security_standards/documents.php
- https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
- https://www.pcisecuritystandards.org/documents/dss_and_pa-DSS_Change_Highlights.pdf
- https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_best_practices_for_maintaining_compliance
About ControlCase
ControlCase Corporate Overview
- Products/Services include:
  - Compliance as a Service (CaaS): PCI, ISO, EI3PA, HIPAA, Data Discovery Product, IT GRCM Product
  - Certifications/Audits: PCI, ISO 27001, EI3PA, HIPAA, HITRUST, FISMA, FedRAMP, SOC1, SOC2 and SOC3
- Over 400 clients in 40 countries across the US, CEMEA, Europe and Asia/Pacific regions
- Headquartered out of Reston, VA, USA
- Offices & personnel in Canada, Colombia, India, UK, Belgium, Indonesia, Philippines and Dubai

Other
- ControlCase is a Qualified Security Assessor Company (QSAC) as certified by the PCI Security Standards Council
- ControlCase is an Approved Scanning Vendor (ASV) as certified by the PCI Security Standards Council
- ControlCase is a certified Application Assessor (PA-DSS) as certified by the PCI Security Standards Council
- ControlCase is a certified Point to Point Encryption (P2PE) Assessor as certified by the PCI Security Standards Council
- ControlCase is accredited by RvA, Netherlands, and is a certifying body for ISO 27001
- ControlCase is certified as a CERT-IN empanelled company
- ControlCase is a certified product licensee and assessor for the Shared Assessments Program, formerly the Financial Institutions Shared Assessments Program (FISAP), by the banking institution forum BITS
- ControlCase is a certified TG-3 (TR-39) assessor
- ControlCase provides EI3PA assessments
- ControlCase is a certified Health Information Trust Alliance (HITRUST) assessor in support of the HIPAA standards

To Learn More About PCI Compliance
- Visit www.controlcase.com
- contact@controlcase.com
- kvaswani@controlcase.com
Thank You for Your Time