PCI DSS Myths and Truths - Business Systems UK Ltd

Page 1

PCI DSS Myths and Truths

Nick Steele, Director of Consultancy Services

Qualified Security Assessor

Red Island Consulting

November 2010 (slides generated 11/24/2010 5:24:05 PM)

Public

Page 2

• Management System specialists & Europe's most successful providers of ISO27001 solutions

• Over 25% of all UK ISO27001 certificates

• Qualified Security Assessors (PCI DSS)

• Global Client base includes:

– Government Departments (incl. UK, Saudi, IoM, Eire, Cyprus)

– Defense Contractors

– Health Service and Suppliers

– Telcos, I.T. Developers, Hi-Tech Organisations, Media

– Financial Institutions

• Dedicated Red Island consultants – no sub-contractors

• All experienced with deep technical knowledge across IT systems & supporting infrastructure. Strong expertise in Operational Risk, IT Governance & linkage to Corporate Governance

ISO 27001

Risk Management

ITIL (ISO20000)

ISO9001

PCI DSS

Business Continuity Planning & Disaster Recovery

CESG RMADS & IS1

Red Island Consulting

Page 3

Contents

1. PCI DSS Background

2. PCI DSS – Myths & Truths

3. PCI DSS – Call Centre Specific Requirements Actions

Page 4

PCI DSS – Background

Page 5

• All companies that store, process or transmit payment card information

• Includes Merchants & Service Providers

• Card companies place burden of compliance on Acquirers, Acquirers place burden on Merchant

• Merchants & Service Providers must report back to Acquirers & Payment Brands on compliance

Compliance mandatory as of now

PCI DSS Requirement Business Considerations

• Fines for Breaches can be passed contractually from Card Brand, to Acquirer, from Acquirer to Merchant

• Business impact of a card data breach may be more significant than fines:

• Negative Press & Media

• Loss of customers

• Increased transaction rate

• Loss of card processing

• Litigation & legal proceedings

• Major SPs lost 100 million card details and were publicly branded non-compliant by Visa in March 2009

PCI Requirements and Considerations

Page 6

PCI Relevant Data

Page 7

PCI DSS Requirements

Page 8

PCI DSS – Myths & Truths

Page 9

Myth:

PCI DSS is all about compliance

Truth

• Risk assessment of the business and cardholder data is essential

• Manage the risk as well as compliance

• Compliance does not guarantee security

• Significant breaches have happened to certified Level 1 Merchants & Service Providers

PCI Compliance & Risk

Page 10

Myth:

We need the card numbers for business & regulatory requirements

Truth

• There is no regulatory requirement to store PANs

• Most business processes only require the numbers for a short time

• Truncated numbers (first 6 & last 4 digits) are not PANs but can still be used to identify customers

• Most organisations keep numbers for no real reason

PCI Compliance & Risk

Page 11

Myth:

Call Recordings can’t contain cardholder data, or are out of scope

Truth

• Call recordings are considered electronic storage of cardholder data, and so are in scope

• The same level of control and protection must be applied to call recordings as other electronic data

• Some dispensation is allowed for storage of CVV in call recordings, under certain circumstances

• Think about the risk of access to recordings and content

PCI Compliance & Risk

Page 12

Myth:

One product will make us Compliant

Truth

• There are many great products to assist in managing compliance to the PCI DSS, but not one that will do everything

• Some elements of PCI DSS are documentation and management requirements

• There are open source as well as commercial products

PCI Compliance & Risk

Page 13

Myth:

We’ve outsourced the payment process so we don’t have to do anything

Truth

• Even if you hand off payments to an external party, you still retain the obligation for compliance

• Understanding your external parties that handle card data and managing their compliance is part of the PCI DSS

• You need to validate that external parties are PCI DSS compliant

PCI Compliance & Risk

Page 14

Myth:

There’s no risk assessment in PCI DSS

Truth

• The level of implementation of a control in many cases is risk based – admin access, secure storage etc.

• Compensating controls are risk assessments

• Section 12 requires an annual risk assessment

PCI Compliance & Risk

Page 15

Myth:

PCI DSS is an IT Project

Truth

• Information Security needs to involve the whole business

• Training and awareness are critical as well as mandatory

• Paper and physical security is just as important

• Policies & procedures should cover all people & processes

• Management commitment and direction is key

PCI Compliance & Risk

Page 16

Myth:

We have to hire a QSA

Truth

• Level 2, 3 & 4 Merchants and Level 2 Service Providers can self-assess

• You will always know your business better than any auditor

• But QSAs can provide valuable insight even if self-assessing

• Own it

PCI Compliance & Risk

Page 17

Myth:

We are fully compliant and certified, so nothing can go wrong...

Truth

• The minimum requirement for PCI DSS is an annual assessment plus quarterly technical tests

• Make PCI DSS compliance part of the governance & Information Security processes

PCI Compliance & Risk

Page 18

• Manage the risk to the business – don't lose the data

• Use compensating controls where appropriate

• Go beyond the PCI DSS, it's just a baseline

• Think about ownership & Security management – one audit per annum is not enough

• IT should not own compliance to PCI DSS

• Incorporate PCI into general Governance. Use existing management systems such as ISO27001

• Compliance is just the starting point; use audit, review, testing and Security Management to manage the risks

PCI Compliance & Risk

Page 19

PCI – Call Centre Specific Issues

Page 20

• Call Recording

• Screen Scraping / Recording

• Databases & Applications

• 3rd Party Access

• Call Centre Agents

• Paper forms as fallback, note taking

• Notes Fields

• Data Transfer

PCI Call Centre Risk Areas

Page 21

• Call centres are easy targets

• High staff turnover

• Easy access to sensitive data, as well as hardware

• Credit card data is the easiest data to turn into revenue

• Manage the risks, not just compliance

PCI Call Centre Risk Assessment

Page 22

Call Recordings:

• Used in most call centres

• FSA compliance can require calls to be recorded

• PCI DSS says you can’t store “Sensitive Authentication Data” – i.e. CVV numbers

• Many legacy systems pre-date PCI DSS

PCI Call Recordings

Page 23

This response is intended to provide clarification for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as wav, mp3 etc) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.

PCI Call Recordings

Page 24

Sensitive Cardholder Data Call Recording

• Difficulties / considerations:

• Encryption may be difficult; key management and loss of recordings are significant

• By their nature, recordings are there to be used

• Manual solutions may be ineffective & impractical

• Technical solutions may add cost

• Consider archive data as well as the future process

PCI Call Recordings

Page 25

Possible Options for not storing CVV

• Agent manual recording drop

• Script tracking or automated process to stop / start recording

• Word spotting to find & delete CHD

• Redirect to IVR or Outsource to take payment

*If you do it for CVV, do it for all CHD – reduce scope*

PCI Call Recordings - Options
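The slides make two points that a defender can turn into a concrete control: truncated card numbers (first 6 and last 4 digits) are not PANs, and stored CHD in free-text notes fields should be found and removed. The following is an added example, not code from the presentation or from Red Island Consulting, that scans constructed notes-field text for Luhn-valid card numbers and rewrites each one to that truncated form; the regex, the X mask character and the sample notes are assumptions made for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
# Lookarounds stop us matching a sub-run inside a longer digit string.
# (Pattern is an assumption for this example, not a PCI SSC definition.)
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that PANs use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the truncation the slides describe."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def redact_notes(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with its truncated form.

    Returns the redacted text and the number of PANs rewritten. Digit runs
    that fail Luhn (order references, phone numbers) are left untouched, so
    the scan can run over a whole notes table without mangling other data.
    """
    found = 0

    def _sub(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        found += 1
        return truncate_pan(digits)

    return _CANDIDATE.sub(_sub, text), found


if __name__ == "__main__":
    # Constructed sample note; 4111 1111 1111 1111 is a well-known test PAN.
    note = "Customer paid with 4111 1111 1111 1111, order ref 1234567890123"
    print(redact_notes(note))
```

Word spotting in recordings is a harder problem than text scanning, but the same rule applies: once the PAN is reduced to first 6 and last 4, the customer can still be identified and the stored value is no longer cardholder data.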

Page 26

• Risk-assess your current setup

• Discuss options with vendors / service providers

• Balance the options of keeping / not keeping the SAD against the cost of technology & process change

• Assess whether the current system can meet the FAQ requirements

• Assess the risk – admin access, encryption, removable media, access to calls, client access & sharing

PCI Call Recordings - Actions

Page 27

Thank You