Post on 15-Apr-2017
Payment Card Industry Data Security Standard (PCI-DSS)
By: Sameh Abulfotooh
Agenda
• Credit Cards History
• PCI Oversight and History
• Cardholder Data
• Payment Transaction Cycle
• PCI DSS at a High Level (Sections)
Credit Cards History
Before Credit Card
Charge Coin
Charge Plates/Cards
PCI Oversight and History
• PCI SSC is a collaborative agreement between five members of credit card lending including: Visa, MasterCard, American Express, Discover Financial Services, and JCB International (referred to commonly as Brands).
• The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council's work.
• They used before to use their own requirements for business partners:
✦ Mastercard: SDP
✦ Visa: CISP
• The PCI Security Standards Council (PCI-SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
• The body formed as a unified framework for improving security and reducing the threat of breaches.
• PCI SCC is committed to the development, awareness, and education of PCI
• PCI SSC is also responsible for setting PCI standards to which merchants are to comply.
• 2004 -PCI Data Security Standards effectively started in when MasterCard, Visa, American Express, Discover, and JCB created and collaborated payment card practices. The companies referred with each other's standards to create a concise and singular set of compliance standards.
• January 2005- The PCI SSC has estimated that 234 million records with sensitive data have been breached, thus noting the need for a regulatory body.
• June, 30, 2005- Regulations took effect and were monitored collectively by the five PCI SSC founders.
• 2008 - Particular instances have included breaches at large companies such as TJX, Shell, and Hannaford. The recent breach at Hannaford occurred in 2008, which has led to the development and implementation of PCI DSS version 1.2.
Versions:• 1.0 was released on December 15, 2004.
• 1.1 in September 2006 provide clarification and minor revisions.
• 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
• 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents.
• 2.0 was released in October 2010.
• 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017.
• 3.1 was released in April 2015, and will be retired October 31 2016.
• 3.2 was released in April 2016.
Terms and Acronyms• SSC: The governing body of PCI
• DSS: Data Security Standard
• QSA: Qualified Security Assessor
• ASV: Approved Scanning Vendor (validated annually by SCC to perform external quarterly vulnerability scan)
• SAQ: Self-Assessment Questionnaire
• ROC: Report on Compliance
• CDE: Cardholder Data Environment
WHY to Comply?
• Protect Account data that consists of cardholder data and/or sensitive authentication data
• Banks or Processors should be complainant with brands as a merchant or service provider.
• Fines in case of not complaint or turn off your business
Major Breaches
Target Evernote Sony Online Sony PSN JP Morgan
Home Depot Living Social Anthem
EBay
How to Comply?
Assess: identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data
Repair: fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes
Report: documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider)
Manufacturers PCI PTS PIN Entry Devices
Software Developers PCI PA-DSS
Payment Applications
Merchants & Service
Providers PCI DSS Secure
Environments
Protection of Cardholder Payment
Data
P2PE
Ecosystem of payment devices, applications, infrastructure and users
Penalties Potential cost of a security breach:
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence
Cardholder Data
Cardholder Data
Cardholder Data – Cont.
• Point-of-sale devices • Mobile devices, personal computers or servers • Wireless hotspots • Web shopping applications • Paper-based storage systems • Transmission of cardholder data to service providers • Remote access connections
Resources• PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0
• PCI DSS Quick Reference Guide
• PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Information Supplements and Guidelines
• Prioritized Approach for PCI DSS
• Report on Compliance (ROC) Reporting Template and Reporting Instructions
• Self-assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
• Attestations of Compliance (AOCs)
• Frequently Asked Questions (FAQs)
• PCI for Small Merchants website
• PCI training courses and informational webinars
• List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• List of PTS approved devices and PA-DSS validated payment applications
Please refer to www.pcisecuritystandards.org for information about these and other resources.
Transaction Cycle
Card Brands PCI SSC
Acquirers Merchants
Created the SSC and responsible for approving the DSS controls framework
Developed the DSS, PA-DSS, PIN standards, and conduct training and certification for QSAs and ASVs
Banks and payment processors that own the responsibility for enforcing DSS
Responsible for implementing DSS controls, as well as demonstrating and maintaining compliance
Major Players
Credit Card Transaction Cycle
Merchant
Merchant’s Bank
Issuing Bank Brands
Cardholder
Brands
Cardholder
MerchantMerchant’s Bank
Issuing Bank
PCI DSS at a High Level (Sections)
• Six major areas
• Twelve requirements
• about 50 pages of objectives
• for each objective, as statement of what’s required, and associated testing procedure.
Ex:Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirements Testing Procedures Guidance1.1.3 Current diagram that shows all cardholder data flows across systems and
networks
1.1.3 Examine data-flow diagram and interview personnel to verify the
diagram:
• Shows all cardholder data flows across systems and networks.
• Is kept current and updated as needed upon changes to the environment.
Cardholder data-flow diagrams identify the
location of all cardholder data that is stored,
processed, or transmitted within the network.
Network and cardholder data-flow diagrams help
an organization to understand and keep
track of the scope of their environment, by showing
how cardholder data flows across networks and between individual
systems and devices.
Masking Primary Account Number (PAN)
• 5555 9999 0000 8888
• 5555 99XX XXXX XXXX
• XXXX XXXX XXXX 8888
Scope• Define scope assessment
• Backup & restore assessment
SSL and TLS
• No SSL for new systems (3.2)
• NO SSL after 2018
• TLS 1.2 or above
Multi-Factor Authentication (MFA)
• MFA required for remote network access by users, administrators, and vendors (3.0)
• MFA required in local access for any payment data systems and network segments
Change Management
• Formal process should exist
• No significant change without passing through the change manageement.
Service Providers• Provide detailed documentation describing how
authentication is used to protect payment card data
• Quickly detect and report failures in any security control
• Engage executive management
• Perform at least quarterly review to confirm policy compliance.
Thank You J