PCI-DSS_Overview
Payment Card Industry Data Security Standard (PCI-DSS)
By: Sameh Abulfotooh
Agenda
• Credit Cards History
• PCI Oversight and History
• Cardholder Data
• Payment Transaction Cycle
• PCI DSS at a High Level (Sections)
Credit Cards History
Before Credit Card
Charge Coin
Charge Plates/Cards
PCI Oversight and History
• PCI SSC is a collaborative agreement between five members of credit card lending including: Visa, MasterCard, American Express, Discover Financial Services, and JCB International (referred to commonly as Brands).
• The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. They share equally in governance and execution of the Council's work.
• Before that, each brand used its own requirements for business partners:
✦ Mastercard: SDP
✦ Visa: CISP
• The PCI Security Standards Council (PCI-SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.
• The body formed as a unified framework for improving security and reducing the threat of breaches.
• PCI SSC is committed to the development, awareness, and education of PCI standards.
• PCI SSC is also responsible for setting the PCI standards with which merchants are to comply.
• 2004 - PCI Data Security Standards effectively started when MasterCard, Visa, American Express, Discover, and JCB collaborated on payment card practices. The companies aligned each other's standards to create a concise, single set of compliance standards.
• January 2005 - The PCI SSC estimated that 234 million records with sensitive data had been breached, underlining the need for a regulatory body.
• June 30, 2005 - Regulations took effect and were monitored collectively by the five PCI SSC founders.
• 2008 - Particular instances have included breaches at large companies such as TJX, Shell, and Hannaford. The Hannaford breach occurred in 2008 and led to the development and implementation of PCI DSS version 1.2.
Versions:
• 1.0 was released on December 15, 2004.
• 1.1 in September 2006 provided clarification and minor revisions.
• 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
• 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents.
• 2.0 was released in October 2010.
• 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017.
• 3.1 was released in April 2015, and will be retired October 31, 2016.
• 3.2 was released in April 2016.
Terms and Acronyms
• SSC: Security Standards Council, the governing body of PCI
• DSS: Data Security Standard
• QSA: Qualified Security Assessor
• ASV: Approved Scanning Vendor (validated annually by the SSC to perform the external quarterly vulnerability scan)
• SAQ: Self-Assessment Questionnaire
• ROC: Report on Compliance
• CDE: Cardholder Data Environment
WHY to Comply?
• Protect account data, which consists of cardholder data and/or sensitive authentication data.
• Banks or processors require merchants and service providers to be compliant with the brands' requirements.
• Fines for non-compliance, or having your card processing shut off.
Major Breaches
• Target
• Evernote
• Sony Online
• Sony PSN
• JP Morgan
• Home Depot
• Living Social
• Anthem
• EBay
How to Comply?
Assess: identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data
Repair: fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes
Report: documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider)
Protection of Cardholder Payment Data

| Who | Standard | What it secures |
| --- | --- | --- |
| Manufacturers | PCI PTS | PIN Entry Devices |
| Software Developers | PCI PA-DSS | Payment Applications |
| Merchants & Service Providers | PCI DSS | Secure Environments |

P2PE
Ecosystem of payment devices, applications, infrastructure and users
Penalties
Potential cost of a security breach:
• Fines of $500,000 per incident for being PCI non-compliant
• Increased audit requirements
• Cost of printing and postage for customer notification mailing
• Cost of staff time (payroll) during security recovery
• Cost of lost business during register or store closures and processing time
• Decreased sales due to marred public image and loss of customer confidence
Cardholder Data
Cardholder Data – Cont.
• Point-of-sale devices
• Mobile devices, personal computers or servers
• Wireless hotspots
• Web shopping applications
• Paper-based storage systems
• Transmission of cardholder data to service providers
• Remote access connections
Resources
• PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0
• PCI DSS Quick Reference Guide
• PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Information Supplements and Guidelines
• Prioritized Approach for PCI DSS
• Report on Compliance (ROC) Reporting Template and Reporting Instructions
• Self-assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
• Attestations of Compliance (AOCs)
• Frequently Asked Questions (FAQs)
• PCI for Small Merchants website
• PCI training courses and informational webinars
• List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• List of PTS approved devices and PA-DSS validated payment applications
Please refer to www.pcisecuritystandards.org for information about these and other resources.
Transaction Cycle
Major Players

| Player | Role |
| --- | --- |
| Card Brands | Created the SSC and responsible for approving the DSS controls framework |
| PCI SSC | Developed the DSS, PA-DSS, PIN standards, and conducts training and certification for QSAs and ASVs |
| Acquirers | Banks and payment processors that own the responsibility for enforcing DSS |
| Merchants | Responsible for implementing DSS controls, as well as demonstrating and maintaining compliance |
Credit Card Transaction Cycle (diagram)
Parties shown: Cardholder, Merchant, Merchant’s Bank, Brands, Issuing Bank
PCI DSS at a High Level (Sections)
• Six major areas
• Twelve requirements
• About 50 pages of objectives
• For each objective, a statement of what’s required and an associated testing procedure.
Ex: Install and maintain a firewall configuration to protect cardholder data

PCI DSS Requirement 1.1.3: Current diagram that shows all cardholder data flows across systems and networks.

Testing Procedure 1.1.3: Examine data-flow diagram and interview personnel to verify the diagram:
• Shows all cardholder data flows across systems and networks.
• Is kept current and updated as needed upon changes to the environment.

Guidance: Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices.
![Page 27: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/27.jpg)
Masking Primary Account Number (PAN)
• 5555 9999 0000 8888
• 5555 99XX XXXX XXXX
• XXXX XXXX XXXX 8888
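A worked example of the two display formats above (first six only, or last four only), plus a Luhn-based sweep that finds PANs left unmasked in a log; this is added here and is not from the original slides. The test PAN 4111 1111 1111 1111 and the log lines are constructed; the function and variable names are my own.

```python
import re

# Candidate PAN: 13-19 digits with optional single space/dash separators,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log: one unmasked Luhn-valid test PAN, one masked PAN, two non-PAN digit runs.
SAMPLE_LOG = """\
2022-02-18 15:00:00 auth ok card=4111 1111 1111 1111 amount=42.00
2022-02-18 15:00:01 auth ok card=XXXX XXXX XXXX 8888 amount=10.00
2022-02-18 15:00:02 debug trace id=20220218150000 card=5555 9999 0000 8888
"""

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that PANs satisfy; weeds out timestamps and ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, mask: str = "X") -> str:
    """Mask a PAN for display. Requirement 3.3 allows at most the first six and
    last four digits in the clear; separators in the input are preserved."""
    n = sum(c.isdigit() for c in pan)
    if not 13 <= n <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("at most the first six and last four digits may be shown")
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen < keep_first or seen >= n - keep_last else mask)
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def find_unmasked_pans(text: str) -> "list[str]":
    """Return Luhn-valid PAN candidates in text (sweeping logs/exports for stray cardholder data)."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]

if __name__ == "__main__":
    # "5555 9999 0000 8888" is the slide's example; it is not Luhn-valid, so the sweep ignores it
    print(mask_pan("5555 9999 0000 8888", keep_last=0), mask_pan("5555 9999 0000 8888", keep_first=0))
    print(find_unmasked_pans(SAMPLE_LOG))  # ['4111 1111 1111 1111']
```

The Luhn filter is what keeps timestamps and transaction ids of card-like length out of the results; a masked PAN never matches because fewer than 13 digits remain.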
![Page 28: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/28.jpg)
Scope
• Define scope assessment
• Backup & restore assessment
![Page 29: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/29.jpg)
SSL and TLS
• No SSL for new systems (3.2)
• No SSL after 2018
• TLS 1.2 or above
![Page 30: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/30.jpg)
Multi-Factor Authentication (MFA)
• MFA required for remote network access by users, administrators, and vendors (3.0)
• MFA required for local access to any payment data systems and network segments
![Page 31: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/31.jpg)
Change Management
• Formal process should exist
• No significant change without passing through change management.
![Page 32: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/32.jpg)
Service Providers
• Provide detailed documentation describing how authentication is used to protect payment card data
• Quickly detect and report failures in any security control
• Engage executive management
• Perform at least quarterly review to confirm policy compliance.
![Page 33: PCI-DSS_Overview](https://reader031.fdocuments.us/reader031/viewer/2022021815/587897801a28ab375f8b6d5f/html5/thumbnails/33.jpg)
Thank You