8/2/2019 VISA Ais Guide Stepspcicompliant
Steps for staying PCI DSS compliant
Visa Account Information Security Guide
October 2009
The guide describes how you can make sure your business does not store sensitive cardholder data.
Contents
- How to make sure your business does not store Sensitive Cardholder Data
  - Introduction
  - Understanding Cardholder Data
- Sensitive Authentication Data Explained
  - Track Data
  - Card Verification Value 2 (CVV2)
  - Personal Identification Number (PIN) and PIN Block
- Understanding Other Types of Cardholder Data
  - Primary Account Number (PAN)
  - Cardholder Name and Expiration Date
  - Service Code
- Finding Sensitive Authentication Data: Where to Look
- Detecting Sensitive Authentication Data: How to Look
- Removing Sensitive Authentication Data
  - Methods by Media
- Contact Information
How to make sure your business does not store Sensitive Cardholder Data

Introduction
Card transactions have become a common way for customers to purchase goods and services at their local retail stores, over the Internet and while shopping abroad. To help keep card payments safe and convenient, Visa has helped form an organization called the Payment Card Industry Security Standards Council (PCI SSC).
PCI SSC maintains and supports a number of different security standards, with perhaps the most well known being the PCI Data Security Standard (PCI DSS). This standard details the requirements which all entities that store, process or transmit cardholder data must follow to ensure that cardholder data is kept secure. Two key requirements of the PCI DSS address directly the handling of cardholder data.
These requirements are:
- Do not store (1) sensitive authentication data subsequent to authorization
- Secure non-sensitive authentication data, wherever it is stored
(1) Storage is not permitted, even if encrypted.

Understanding Cardholder Data
During transaction authorization, the merchant collects data from the payment card and transmits this data to the card issuer. Based on this information the card issuer may either approve or decline the transaction and send the authorization response back to the merchant. This transaction process is illustrated below:
Figure 1: Transaction authorization flow. The authorization request passes from the Merchant through the Acquirer and Processor, across VisaNet, to the Issuer; the authorization response returns along the same path.
Transactions are performed using information from the cardholder's payment card and may include other authentication data provided by the customer themselves, such as a signature or a personal identification number (PIN). This information is used by the card issuer to verify and approve transactions, and therefore it is vital that such data is protected.
A representation of a payment card is provided below:
Figure 2: Representation of a payment card.
Front face of a payment card: 1 - Chip of a smart card; 2 - Primary Account Number (PAN); 3 - Expiry date of the card; 4 - Cardholder name.
Rear face of a payment card: 1 - Magnetic strip; 2 - Cardholder signature; 3 - Visa security code (CVV2); 4 - Visa Hologram.

Sensitive cardholder data refers to cardholder data that must not be stored subsequent to transaction authorization. Storage of such data is not permitted under any circumstances, even if the data is encrypted or otherwise protected. There are three types of sensitive cardholder data values, collectively known as sensitive authentication data, which are used by the card issuer to confirm the presence of the physical card plastic and/or cardholder at the time of the authorization. The three types of sensitive authentication data are:
- Full contents of the magnetic stripe, also referred to as Track Data
- Security code (called a Card Verification Value 2, or CVV2, by Visa)
- PIN or PIN block
In the normal operation of your business there should not be need to store sensitive authentication data subsequent to authorization. Storage of this data decreases the effectiveness of authorization and fraud detection systems in the authorization process and can lead to increased credit card fraud if compromised. Visa does not require that sensitive authentication data be kept subsequent to authorization; in fact it is a violation of the PCI DSS requirements and Visa's International Operating Regulations to store such data after authorization.
Sensitive Authentication Data Explained
Track Data
Track data is a term used to describe the information that is stored on the magnetic stripe of the payment card. Track data is used by the issuer to confirm the physical presence of the payment card during the transaction. The data is generated by the card issuer and is recorded on the magnetic stripe on the back of the cardholder's plastic, in the chip or both. Each card issuer is able to record discretionary data towards the end of the track.
In some instances, it is possible for the track data to be re-constructed using information taken from the magnetic stripe itself or from the chip on the card.
The magnetic stripe can contain up to three tracks of data, each formatted differently, known as Track 1, Track 2 and Track 3. Only Track 1 and Track 2 are used in the payment industry. Track data is defined by international standards and is the same for all card brands.
Figure: Track 1 and Track 2 layouts (not reproduced in this transcript). Footnotes from the figure: (2) Dependent on the length of other fields in Track 1. (3) Dependent on other fields in Track 2.
The sensitive authentication data can be found towards the end of both Track 1 and Track 2. It is a violation of the Visa International Operating Regulations and the PCI Data Security Standard to store sensitive authentication data subsequent to authorization. Non-sensitive authentication data on the track may be stored but must be protected in accordance with the PCI DSS requirements.
Card Verification Value 2 (CVV2)
Visa developed a 3-digit code to help prevent fraud on all manually keyed transactions. The CVV2 code value is different for each payment card even if the cards have the same Primary Account Number (PAN).
The CVV2 resides on the back of the card beside or in the signature panel and is used to confirm the presence of the plastic card in situations where it is not possible to process the magnetic stripe or chip data, i.e. manually keyed transactions including telephone/mail order transactions and Internet transactions.
Each payment brand has a slight difference in the name and location of this code:
- CVV2: Card Verification Value 2 (Visa)
- CVC2: Card Validation Code 2 (MasterCard)
- CID: Card Identification Number (American Express and Discover)
- CAV2: Card Authentication Value 2 (JCB)
Great care needs to be taken with CVV2 since a cardholder may communicate this value to you directly, for example, via your call center or website. Even in these cases, the CVV2 must not be stored post authorization.
Personal Identification Number (PIN) and PIN Block
PIN/PIN block values are used by the card issuer to confirm that the cardholder is present when the purchase is made. A cardholder's PIN value is only known to the cardholder, and the correct value can be verified by the card issuer and its authorized agents.
Cardholder PINs are encrypted into a PIN block for transmission to the merchant's acquirer; this should occur within a secure PIN Entry Device (PED). However, sometimes systems are found that allow for exposure of the customer PIN outside of such secure devices. In both instances, it is not permitted to store the customer PIN block, whether encrypted or not encrypted, after the authorization.
The format for unencrypted PIN blocks is shown below:

Field | Length | Allowed values
Format code | 1 digit | 0, 1, 2, 3
Number of PIN digits | 1 hex character | 0-9 or A-C
PIN digits | 2 digits | 0-9
PIN digits or padding | 10 hex characters | 0-9 or A-F
Padding | 2 hex characters | 6-9 or A-F

Encrypted PIN blocks take the form of 64 bits, or 16 hexadecimal numbers, of random digits. The encrypted PIN block is transmitted in ISO 8583 compliant messages in field 45 (4).
Understanding Other Types of Cardholder Data

As sensitive authentication data, such as the encrypted customer PIN block and the CVV2 value, can be difficult to locate within systems that contain different fields and values, it is often useful to look for areas where other types of cardholder data are stored and then attempt to find sensitive authentication data that may be stored within the same areas.
Primary Account Number (PAN)
The Primary Account Number, also commonly known as the card number, is used to uniquely identify the specific customer account within a specific card issuer anywhere around the world. Every cardholder has a unique PAN value and this value is found in a number of locations:
- Embossed or printed on the front of the physical plastic
- Digitally recorded in Track 1 and Track 2 or in the chip
- Databases and paper files
- Transaction records
The PAN may be of any length between 13 and 19 digits, although 16-digit PANs are the most common.
All Primary Account Numbers issued by the payment brands have the properties described below.
Starting digits: The digits at the start of the PAN identify the card issuer. The exact method for determining this is not public information. The following rule of thumb can be used to identify cards issued under the five PCI payment brands:

Brand | Starting digits
Visa | 4
MasterCard | 51-55
American Express | 34, 37
Discover | 6011, 622126-622925, 644-649, 65
JCB | 3528-3589
Luhn 10 check: The Luhn 10 check formula verifies a number against its check digit (the rightmost digit). A compliant account number must pass the following test:
1. Counting from the check digit, which is the rightmost digit, and moving left, double the value of every second digit.
2. Sum the digits of the products together with the non-doubled digits from the original number.
3. If the total ends in 0, then the number is valid according to the Luhn formula; otherwise it is not a valid PAN.
As an illustration, if the account number is 49927398716, it will be validated as follows:
1. Double every second digit, from the rightmost: (1x2)=2, (8x2)=16, (3x2)=6, (2x2)=4, (9x2)=18
2. Sum all digits (digits in parentheses are the products from Step 1): 6+(2)+7+(1+6)+9+(6)+7+(4)+9+(1+8)+4=70
3. As the result (70) has a zero on the end and therefore can be divided by ten, the result is a valid PAN value.
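The Luhn 10 check and the starting-digit rule of thumb above are what a storage scan uses to decide whether a run of digits deserves a closer look. The following is an added example and is not code from the Visa guide; it implements exactly the three steps and the brand prefix table given in the text, and the sample card numbers in it are constructed, well-known test numbers, not real accounts.

```python
"""Added example, not from the Visa guide: the Luhn 10 check described above together
with the brand "starting digits" rule of thumb, combined the way a scanner would use
them to decide whether a run of digits found in a file deserves a closer look."""
from typing import Dict, List, Optional, Tuple

# Starting-digit rule of thumb exactly as tabulated in the guide. Each range is
# inclusive and is compared against a PAN prefix of the same length as its bounds.
BRAND_PREFIX_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "Visa": [("4", "4")],
    "MasterCard": [("51", "55")],
    "American Express": [("34", "34"), ("37", "37")],
    "Discover": [("6011", "6011"), ("622126", "622925"), ("644", "649"), ("65", "65")],
    "JCB": [("3528", "3589")],
}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn 10 check (steps 1-3 above)."""
    if not number.isdigit():
        return False
    total = 0
    # Walk from the check digit (rightmost) leftwards; position 0 is the check digit.
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit, counting from the right
            digit *= 2
            if digit > 9:              # add the digits of the product, e.g. 16 -> 1 + 6
                digit -= 9
        total += digit
    return total % 10 == 0            # valid when the total ends in 0


def brand_rule_of_thumb(pan: str) -> Optional[str]:
    """Return the brand suggested by the starting digits, or None when no range matches."""
    for brand, ranges in BRAND_PREFIX_RANGES.items():
        for low, high in ranges:
            prefix = pan[: len(low)]
            if len(prefix) == len(low) and low <= prefix <= high:
                return brand
    return None


def classify_candidate(digits: str) -> Dict[str, object]:
    """Combine the three PAN properties the guide lists: length 13-19, the Luhn 10
    check and recognisable starting digits. A run of digits failing any of them is
    unlikely to be a PAN; one passing all three deserves a manual look."""
    length_ok = 13 <= len(digits) <= 19
    brand = brand_rule_of_thumb(digits) if length_ok else None
    luhn_ok = luhn_valid(digits)
    return {
        "digits": digits,
        "length_ok": length_ok,
        "luhn_ok": luhn_ok,
        "brand": brand,
        "likely_pan": length_ok and luhn_ok and brand is not None,
    }


if __name__ == "__main__":
    # The guide's own worked example: passes Luhn, but at 11 digits is too short for a PAN.
    print(classify_candidate("49927398716"))
    # Constructed samples (well-known test numbers, not real cards) and one with a
    # single altered digit to show the check digit catching it.
    for sample in ("4111111111111111", "4111111111111112", "5105105105105100"):
        print(classify_candidate(sample))
```

The length and prefix checks matter as much as the Luhn check: many non-card numbers (invoice ids, timestamps, the guide's own 11-digit illustration) pass Luhn, so a scan that reports every Luhn-valid digit run drowns the reviewer in false positives.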
Cardholder Name and Expiration Date
Like the PAN, the cardholder name and expiration date may be recorded in a number of places:
- Embossed or printed on the front of the physical plastic
- Digitally recorded in Track 1 and Track 2 or in the chip
- Databases and paper files
- Call center voice recording
- Transaction records
When printed or embossed, the expiration date is recorded in MM/YY format, but is recorded in track data as YYMM. This date is generated by the card issuer.

Service Code
The service code defines various services, differentiates cards used in international or domestic environments and identifies card restrictions. The service code is digitally recorded in Track 1 and Track 2 or in the chip. It is a 3 decimal digit number and is generated by the card issuer. Common service code values are 101 or 104.
Finding Sensitive Authentication Data: Where to Look

Many businesses believe they are not storing sensitive data because they cannot see it, or because the storage of this data is not a specific part of their business. However, it is important to understand that computer systems and network devices often automatically store data without your knowledge and you must look in all possible storage locations, even if you believe that cardholder data is not deliberately stored.
When looking for sensitive authentication data, it is important to have a good understanding of the types of payments that your company accepts. A merchant that never accepts payments in person would not be handling track or PIN data. A merchant that only accepts payments by swiping a customer card through a POS terminal would not handle CVV2 data.
Therefore, the first step in finding this data is to review the ways in which cardholder data enters and flows through your business. Except for the simplest of merchants, this must be documented, as it will form the cornerstone of your PCI DSS compliance efforts.
The table below indicates common ways sensitive data may enter your business. Once it is in, if not correctly managed, the data may be found anywhere in your business environment!
Business type | Transaction type | Transaction method
Merchant | Card Present | Magnetic strip or chip
Merchant | Card Present | Manually keyed
Merchant | Card Not Present | Manually keyed
Merchant | Card Not Present | E-commerce
Merchant | Card Not Present | Recurring transaction
Merchant | Card Not Present | 3rd party file, e.g. outsourced call center
Service Provider | Card Not Present | Mail order / telephone order
Service Provider | Card Not Present | E-commerce
Others | Others |

For each row the original table marks which sensitive authentication data (5) (Track, CVV2, PIN) and which cardholder data (PAN, Name, Service Code, Expiry) may be involved; those per-row markings did not survive in this transcript.
(5) Storage of this data (even if encrypted) post authorization is a violation of the data handling requirements.
Other processes that may involve the use of cardholder data include:
- Customer service / transaction dispute
- Merchant settlement
- Customer identification
It is important to take special care when the data passes through computer systems. Modern computer systems often create logs or use virtual memory to ensure smooth system processing; these must also be taken into account while looking for the storage of sensitive data. The scope of your investigation on your computer infrastructure can be significantly reduced (with associated time and money savings) by the implementation of network segmentation (e.g. using VLANs) and firewalls.
However, it should be understood that when looking for the storage of sensitive authentication data you are essentially validating any network segregation that you have put in place; therefore, it is vital that systems that should not be storing, processing or transmitting such data are checked to confirm that this is indeed the case.
Detecting Sensitive Authentication Data: How to Look

The table below describes a number of basic techniques used to find sensitive authentication data. No one way works best in all situations and it is recommended that these methods be adapted and used as befits your environment.
When checking for sensitive authentication data it is important to remember that PCI DSS applies to all systems that store, process or transmit credit card data. This includes hardware systems such as POS devices and ATMs, as well as software systems.
Method: Manually map the flow(s)
Procedure:
1. Manually identify where the data enters your business.
2. Identify (and document) the data flow including all paper-based, voice and system infrastructure, e.g. firewalls, routers, data logs, backups.
3. Investigate each item in the transaction flow, looking for sensitive data.
4. Additionally, if the data is processed on a computer system:
   - Document the computer infrastructure, operating systems and programs used to process the data
   - Confirm if the programs are on the PA-DSS list and have been implemented in a compliant manner
   - Confirm if data backups are made and what information is being captured as part of normal business operation
Comments: It is recommended that this be performed for all businesses. Although it may be a labor-intensive task for complex businesses, once it is completed the results are invaluable and will assist you with many of your other PCI DSS compliance tasks.
Method: Scan for known values on computer infrastructure
Procedure:
1. For each of the transaction types used by your business, enter a transaction making note of the values, e.g. PAN, expiry date, CVV2, Track 1, Track 2.
2. Investigate each item in the transaction flow, looking for sensitive authentication data.
Comments: This method is useful for checking for CVV2 and encrypted PIN block values where the data may be difficult to find otherwise.

Method: Scan for known patterns on computer infrastructure
Procedure: The following data items have known patterns and can be scanned using scanning tools:
- PAN (Luhn 10 check)
- PAN starting digits
- Track 1 and Track 2 formats
- Plaintext PIN block formats
Comments: Do not look for sensitive authentication data only in places where you expect it may be. This data can occur in many different locations for many different reasons.

Method: Examine database layout for suspicious columns
Procedure: Review the layout or schema of the databases used in your company to see if any columns or entries have headings (such as track data or CVV2) that may indicate that sensitive data is being stored.
Comments: Databases may be used by company-specific systems or may be part of a commercial software package.

Method: Review log and error files
Procedure: Sensitive authentication data may be stored either deliberately or inadvertently in many different places. Payment software may be designed to store data deliberately for error recovery, or communications software logs may be inadvertently storing data.
Comments: Do not look for sensitive authentication data only in places where you expect it may be. This data can occur in many different locations for many different reasons.

Method: Confirm error recovery methods for your payment systems
Procedure: Talk to your payment system vendors and determine how their systems operate if there is an error. Often systems store sensitive authentication data to assist in finalizing payment processing when an error occurs.
Comments: When looking for sensitive authentication data it is important to understand the transaction process not only when the payment works, but also what happens when the payment does not work.
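The "Scan for known patterns" method above lists the Track 1 and Track 2 formats and the plaintext PIN block format (tabulated in the PIN section) as items a scanning tool can look for. The following is an added example of such a scan over log and error files, not code from the Visa guide: it assumes the ISO/IEC 7813 track layouts (PAN, name, YYMM expiry, 3-digit service code, discretionary data) and the guide's unencrypted PIN block field table, runs over constructed sample log lines containing well-known test card numbers, and reports only masked values so that the scan report does not itself become another copy of the data.

```python
"""Added example, not from the Visa guide: a pattern scanner for Track 1 / Track 2
layouts and the unencrypted PIN block format, run over constructed log lines."""
import re
from typing import Iterator, List, NamedTuple

# Track layouts as the guide describes them and ISO/IEC 7813 defines them: a 13-19 digit
# PAN, then (Track 1) ^name^ or (Track 2) =, expiry as YYMM, a 3-digit service code and
# issuer discretionary data. Start/end sentinels are optional because logging code often
# drops them.
TRACK1_RE = re.compile(
    r"%?B(?P<pan>\d{13,19})\^(?P<name>[A-Z .'/-]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>[0-9A-Z ]*)\??"
)
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\??"
)
# Plaintext PIN block exactly as tabulated in the guide: format code 0-3, PIN length
# 0-9/A-C, two PIN digits, ten hex characters, two hex padding characters (6-9/A-F).
# The look-around keeps the match from landing inside a longer hex string such as a hash.
PIN_BLOCK_RE = re.compile(
    r"(?<![0-9A-Fa-f])[0-3][0-9A-C][0-9]{2}[0-9A-F]{10}[6-9A-F]{2}(?![0-9A-Fa-f])"
)


class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str   # never echo the full value into the scan report


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest (the usual PAN display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> Iterator[Finding]:
    """Yield one Finding per track or PIN block pattern found on the line."""
    for m in TRACK1_RE.finditer(line):
        yield Finding(line_no, "track1",
                      mask_pan(m.group("pan")) + "^...^" + m.group("expiry") + m.group("service"))
    for m in TRACK2_RE.finditer(line):
        yield Finding(line_no, "track2",
                      mask_pan(m.group("pan")) + "=" + m.group("expiry") + m.group("service"))
    for m in PIN_BLOCK_RE.finditer(line):
        block = m.group(0)
        yield Finding(line_no, "pin_block", block[:2] + "*" * 12 + block[-2:])


def scan_lines(lines) -> List[Finding]:
    """Scan an iterable of text lines (a log file, a database dump) and collect findings."""
    return [f for n, line in enumerate(lines, 1) for f in scan_line(n, line)]


# Constructed sample log lines (not from any real system). The card value is the
# well-known Visa test number; name, dates and the PIN block are invented.
SAMPLE_LOG = [
    "2009-10-01 12:00:01 POS01 swipe ok %B4111111111111111^DOE/JANE^13051010000000000?",
    "2009-10-01 12:00:02 POS01 raw track2 ;4111111111111111=1305101123456?",
    "2009-10-01 12:00:03 PED02 debug pinblock=041234FFFFFFFFFF",
    "2009-10-01 12:00:04 POS01 auth response code=00 rrn=000000123456",
    "2009-10-01 12:00:05 WEB03 session 3f4a9c0b1d2e5f67 ok",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind} {finding.masked}")
```

Lines 4 and 5 of the sample are there deliberately: a 12-digit reference number and a 16-character session token share the shape of card and PIN data and would be flagged by a naive digit or hex search. A bare PAN search (digit runs passing the Luhn check and the starting-digit rule) is a separate scan and is not repeated here.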
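The "Examine database layout for suspicious columns" method is the one check in the table that needs no content scan at all, only the schema. The following is an added example, not code from the Visa guide: it builds a constructed SQLite schema of the kind a legacy payment application might leave behind and lists the columns whose names suggest track data, security codes, PIN blocks or PANs; the keyword patterns are the author's own starting list and would be extended per vendor.

```python
"""Added example, not from the Visa guide: review a database schema for column
headings that suggest sensitive authentication data is being stored."""
import re
import sqlite3
from typing import List, Tuple

# Column-name fragments that commonly indicate sensitive authentication data, or the
# cardholder data next to which it tends to sit. Constructed list; extend per vendor.
SUSPICIOUS_COLUMN_PATTERNS = {
    "track data": re.compile(r"track|mag|stripe|swipe", re.I),
    "security code": re.compile(r"cvv|cvc|cid\b|cav|cv2|sec(urity)?_?code", re.I),
    "PIN / PIN block": re.compile(r"\bpin\b|pin_?block|pinblk", re.I),
    "PAN": re.compile(r"\bpan\b|card_?(num|no)|account_?num", re.I),
}


def suspicious_columns(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Return (table, column, category) for every column whose heading looks sensitive.

    Uses SQLite's catalogue (sqlite_master + PRAGMA table_info); on another engine the
    same loop runs over information_schema.columns.
    """
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            column = row[1]
            for category, pattern in SUSPICIOUS_COLUMN_PATTERNS.items():
                if pattern.search(column):
                    hits.append((table, column, category))
                    break    # report each column once, under the first matching category
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema resembling what a legacy payment application might leave behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total_cents INTEGER);
        CREATE TABLE auth_log (id INTEGER PRIMARY KEY, card_number TEXT, cvv2 TEXT,
                               track2_raw TEXT, response_code TEXT);
        CREATE TABLE ped_debug (id INTEGER PRIMARY KEY, pin_block TEXT, captured_at TEXT);
        -- 'pinpoint_zone' is a near miss that the PIN rule must not flag
        CREATE TABLE shipping (id INTEGER PRIMARY KEY, pinpoint_zone TEXT);
    """)
    return conn


if __name__ == "__main__":
    for table, column, category in suspicious_columns(build_sample_db()):
        print(f"{table}.{column}: possible {category}")
```

A hit on the schema is a lead, not a finding: the next step in the guide's table (scan the column's contents for known values or patterns) confirms whether the column actually holds the data its name suggests, and an empty or masked column is a very different conversation with the vendor than a populated one.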
Removing Sensitive Authentication Data

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope; that is, to eliminate cardholder data from the business unless it is absolutely required. The less data you have in your business the less you have to control and the easier compliance becomes.
- Where prohibited data is found, take action to eliminate the data as soon as possible and consider changing your business process so the data is no longer retained after authorization.
- Introduce procedures so the data is controlled, kept for a minimum time and securely deleted once it is no longer required.
Methods by Media
The following table details common storage locations and suggested actions to assist in compliance.

Media | Actions
Paper/fax | Shred post authorization; black out cardholder data with ink
Soft copy images (scanned documents, fax servers) | Alter processes so data is no longer required; delete post authorization; if possible, electronically black out sensitive fields
Call center call recording | Confirm if CVV2 is being recorded; if it is, consider blanking technology; encrypt and securely store all call data at a minimum (6)
Computers and computer storage | Use only PA-DSS approved applications; consult with software developer and confirm if application is PCI DSS compliant and if any special settings are required; analyze all applications known to handle sensitive data; scan all storage for PAN and track data, including logs and backups
Network equipment | Consult with manufacturer and confirm if device is PCI DSS compliant and if any special settings are required; analyze all log files for sensitive data
Backups | If backup is pre-authorization, review the purpose of the backup and where possible modify; encrypt backups

(6) Storage of sensitive authentication data within voice recordings is acceptable only if there is no commercially feasible method of removing this data, and any such data that is stored is securely encrypted.
Contact Information
For more information on this document or the AIS program, please visit our website at www.visa-asia.com/secured or contact:
Data Security [email protected]
Or your respective Visa Country Risk Managers:
- Ian McKindley, Risk Management: Australia, New Zealand & the Pacific Islands
- Tony Zhu, Risk Management: China
- Murugesh Krishnan, Risk Management: South & Southeast Asia
- Navy Li, Risk Management: China
- Abdul Rahim Abdul Rahman, Risk Management: Southeast Asia
- Vincent Lee, Risk Management: South Korea
- Raveendhrun Anantharaman, Risk Management: South Asia
- Ryoji Ihara, Risk Management: Japan
- Michael Chan, Risk Management: Hong Kong & Taiwan
- Igarashi Kouji, Risk Management: Japan