Navigating the PCI DSS Challenge 29 April 2011

Page 1

Navigating the PCI DSS Challenge

29 April 2011

Page 2

Agenda

1. Overview of Threat and Compliance Landscape

2. Introduction to the PCI Security Standards

3. Payment Brand Compliance Programs

4. PCI DSS Scope of Applicability

5. Lunch

© 2011 KPMG Service Pte Ltd, a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

6. Deep Dive of PCI DSS Requirements

7. Break

8. Deep Dive of PCI DSS Requirements

9. Use of Compensating Controls

10. Case Studies Discussion


Page 3

Overview of Threat & Compliance Landscape

Page 4

Payment Card Data is Valuable

20% of incidents are related to banking and financial data

The Data Loss Barometer analyzes data loss incidents reported around the world since 2005. This data is freely available in some countries thanks to legislation that requires full disclosure of data loss incidents. In other countries, information is obtained via KPMG’s network of international firms and consultants.


81% (more than 100M records) of breached records are payment card data

Page 5

Underground Marketplace

1. Quick Bite (“cvv2s”) US$1 – 9

Includes card number, expiration date, cardholder name and address, and the CVV2 security code.

Menu


2. Set Lunch (“full-info”) US$10 – 14

Includes “cvv2” and enhanced with other data about the cardholder such as date of birth, mother’s maiden name, Social Security Number, place of birth, and other information for authenticating fraudulent transactions.

3. Chef’s Special (“dump”) starting from US$15

Includes credit card track data (electronic data from the magnetic stripe on the back of a credit card).


Page 6

Looming Compliance Deadlines


Page 7

Looming Compliance Deadlines – Acquirers

Sep 30, 2010: Client Acquiring VNPs to disclose whether any prohibited data is being stored post authorization and, if so, provide a remediation plan.

Sep 30, 2011: Client Acquiring VNPs submit a PCI DSS Report on Compliance (ROC) identifying their level of compliance. If not fully compliant, a remediation plan must be provided to Visa.

Page 8

Introduction to the PCI Security Standards

Page 9

PCI Security Standards Council

Payment Brands

Payment Card Industry Overview


Cardholder

Merchant

Service Provider

Acquirer

Payment Brand Network

Issuer


Page 10

Overview of PCI Security Standards


Source: PCI SSC

Page 11

Overview of PCI Security Standards

PCI Data Security Standard (PCI DSS)

Set of technical and operational requirements set by the PCI SSC to protect payment card data.

Applicable to all entities that store, process or transmit payment card data.

Consists of common security best practices

Payment Application Data Security Standard (PA-DSS)

PCI DSS Quick Facts

PCI DSS v1.0 released Dec 2004

Current PCI DSS 2.0 released Oct 28, 2010

Was on a two-year lifecycle and is now moving to a three-year lifecycle

Standard for developers of payment applications based on Visa Payment Application Best Practice (PABP)

Applies to payment applications sold, distributed or licensed to third parties

Excludes in-house applications that are not sold; these must still meet PCI DSS requirements

PIN Transaction Security (PTS)

Applies to point-of-interaction devices (POIs) used for PIN entry and also devices used for securing payment processing at data centers and for the production of payment cards.

Device characteristics and device management requirements

Global standard applicable to payment card data from cards branded with the logo of one of Visa, MasterCard, American Express, JCB and Discover


Page 12

Components of Account Data

Account Data consists of Cardholder Data (CHD) and Sensitive Authentication Data (SAD).


Source: PCI SSC

Page 13

PCI DSS Key Objective – Protect Cardholder Payment Data

Cardholder Name, Service Code and Expiration Date must be protected in accordance with all PCI DSS requirements (except 3.3 & 3.4) if present in the cardholder data environment.

Sensitive authentication data must not be stored after authorization (even if encrypted).

Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.

Source: PCI DSS Requirements and Security Assessment Procedures v2.0

Page 14

Requirements Have a Broad Coverage …

Goals and Requirements

Goal 1: Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2: Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Goal 3: Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications

Goal 4: Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Goal 5: Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Goal 6: Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for employees and contractors

Page 15

… and Not a Light Weight Standard

Consists of 215 Sub-Requirements and 326 Testing Procedures (previously 270).

Sub-requirements and testing procedures per requirement:

1. Install and maintain a firewall configuration to protect cardholder data: 21 sub-requirements, 29 testing procedures

2. Do not use vendor-supplied defaults for system passwords and other security parameters: 9 sub-requirements, 26 testing procedures

3. Protect stored cardholder data: 21 sub-requirements, 37 testing procedures

4. Encrypt transmission of cardholder data across open, public networks: 3 sub-requirements, 9 testing procedures

5. Use and regularly update anti-virus software or programs: 3 sub-requirements, 6 testing procedures

6. Develop and maintain secure systems and applications: 26 sub-requirements, 36 testing procedures

7. Restrict access to cardholder data by business need to know: 9 sub-requirements, 9 testing procedures

8. Assign a unique ID to each person with computer access: 21 sub-requirements, 33 testing procedures

9. Restrict physical access to cardholder data: 20 sub-requirements, 29 testing procedures

10. Track and monitor all access to network resources and cardholder data: 28 sub-requirements, 33 testing procedures

11. Regularly test security systems and processes: 10 sub-requirements, 24 testing procedures

12. Maintain a policy that addresses information security for employees and contractors: 39 sub-requirements, 44 testing procedures

Appendix A: 5 sub-requirements, 9 testing procedures

TOTAL: 215 sub-requirements, 326 testing procedures

Page 16

Payment Brand Compliance Programs

Page 17

PCI DSS Compliance Programs

Payment Brands develop and maintain their own compliance programs in accordance with their risk management frameworks and policies.

MasterCard – Site Data Protection (SDP)

Visa USA – Cardholder Information Security Program (CISP)

American Express – Data Security Operating Policy (DSOP)

Discover – Discover Information Security Compliance (DISC)

JCB – Data Security Program

Visa Other Regions – Account Information Security (AIS) Program

Page 18

Compliance Program Components

Each Payment Brand has its own set of validation requirements, but all rely on the same three components:

Quarterly Network Scan

Self-Assessment Questionnaire

Onsite Assessment

All payment brand compliance programs consist of these same three components.

Each Payment Brand has its own set of reporting requirements and deadlines.

They apply to any entity that stores, processes and/or transmits cardholder data. Payment Brands define merchant and service provider levels based on transactions.

Diagram labels: Payment Brands, Compliance Programs, Reporting.

Page 19

Quarterly Network Scan

PCI DSS Requirement 11.2 requires quarterly vulnerability scans of all externally accessible (Internet-facing) system components that are:

owned or utilized by the scan customer;

part of the cardholder data environment; or

providing a path to the cardholder data environment.

For a compliant result, a scan must not contain any high or medium severity vulnerabilities.

CVSS Score    Severity Level    Scan Result
7.0 – 10.0    High              Fail*
4.0 – 6.9     Medium            Fail*
0.0 – 3.9     Low               Pass

All scans must be performed by an Approved Scanning Vendor (ASV).

Validation by independent and qualified security companies is important to ensure the effectiveness of PCI DSS.

Quality, reliability, and consistency of an ASV’s work are essential to ensure the protection of cardholder data.

* Vulnerabilities must be fixed and the components rescanned until a compliant report is obtained.
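As an added illustration (not part of the original deck, and not an ASV's own tooling), the following Python applies the CVSS thresholds above to a set of scan findings: each finding is banded as High, Medium or Low, anything at 4.0 or above fails the scan, and the output lists which hosts must be fixed and rescanned. The hostnames and check names are constructed sample data.

```python
"""Triage external scan findings against the PCI DSS 11.2 severity bands.

Constructed example: the Finding records below are made-up sample data,
not output from a real ASV scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str       # externally accessible (Internet-facing) component
    check: str      # scanner check name (constructed)
    cvss: float     # CVSS base score, 0.0 - 10.0


def severity(cvss: float) -> str:
    """Map a CVSS base score to the bands on the slide.

    7.0-10.0 -> High, 4.0-6.9 -> Medium, 0.0-3.9 -> Low.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def is_failing(cvss: float) -> bool:
    """High and Medium findings fail the scan; only Low passes."""
    return severity(cvss) in ("High", "Medium")


def evaluate_scan(findings):
    """Return the overall verdict plus what must be fixed and rescanned.

    Failing findings are ordered worst-first so remediation can start
    with the highest CVSS scores.
    """
    failing = sorted((f for f in findings if is_failing(f.cvss)),
                     key=lambda f: (-f.cvss, f.host, f.check))
    return {
        "result": "Fail" if failing else "Pass",
        "failing": failing,
        "hosts_to_fix": sorted({f.host for f in failing}),
    }


# Constructed sample findings (not real scan results).
SAMPLE_FINDINGS = [
    Finding("www.example.test", "TLS 1.0 enabled", 4.3),
    Finding("www.example.test", "HTTP TRACE method enabled", 2.6),
    Finding("api.example.test", "Outdated web server version", 7.5),
    Finding("vpn.example.test", "Banner discloses version", 0.0),
]

if __name__ == "__main__":
    report = evaluate_scan(SAMPLE_FINDINGS)
    print("Scan result:", report["result"])
    for f in report["failing"]:
        print(f"  {f.host}: {f.check} (CVSS {f.cvss}, {severity(f.cvss)})")
```

Note the boundary: a 3.9 finding passes while a 4.0 finding fails, so scanners that round scores can move a finding across the line.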

Page 20

Self-Assessment Questionnaire (SAQ)

Used as a validation tool for merchants and service providers to evaluate their compliance with PCI DSS.

Available in multiple versions with varying scope and complexity for various scenarios.

Mandated in certain situations for merchants and service providers not required to undergo an onsite assessment.

Type 1 (SAQ A): Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. This SAQ Type does not require scanning. (11 Questions)

Type 2 (SAQ B): Imprint-only merchants with no electronic cardholder data storage. This SAQ Type does not require scanning. (21 Questions)

Type 3 (SAQ B): Stand-alone terminal merchants, no electronic cardholder data storage. This SAQ Type does not require scanning. (21 Questions)

Type 4 (SAQ C): Merchants with POS systems connected to the Internet, no electronic cardholder data storage. Scanning Requirements 11.1 and 11.2 only apply to this SAQ Type. (38 Questions)

Type 5 (SAQ D): All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. Requirement 11 in its entirety applies to this SAQ Type. (226 Questions)

Page 21

Onsite Assessment

Onsite assessments are security audits for merchants and service providers who must validate compliance.

Qualified Security Assessor (QSA) companies, qualified by the PCI SSC, perform standard defined testing procedures to validate compliance.

QSAs are employees of these organizations certified to validate an entity’s adherence to the PCI DSS.

Outcomes of the onsite assessments performed by QSAs are:

Report on Compliance (ROC) describing the compliance status of the entity under review.

Attestation of Compliance (AOC) demonstrating the entity’s compliance status, signed by the QSA and an Officer of the company.

Page 22

Visa Inc. AIS (CEMEA)

Customer type, compliance criteria, validation requirements and reporting requirements:

Merchant Level 1
  Criteria: Over 6 million transactions (all channels) annually, or deemed as level 1 by Visa (all regions), or compromised merchant
  Validation: Annual Onsite Assessment by QSA or internal audit, signed by an Officer of the company; Quarterly Network Scan by ASV
  Reporting: AOC; ROC

Merchant Level 2
  Criteria: Between 1 and 6 million transactions (all channels) annually
  Validation: Annual SAQ; Quarterly Network Scan by ASV
  Reporting: AOC; ROC (upon request)

Merchant Level 3
  Criteria: Between 20,000 and 1 million e-commerce transactions annually
  Validation: Annual SAQ; Quarterly Network Scan by ASV
  Reporting: N/A

Merchant Level 4
  Criteria: Less than 20,000 e-commerce transactions annually, and all other merchants with less than 1 million transactions annually
  Validation: Annual SAQ (recommended); Quarterly Network Scan by ASV (recommended)
  Reporting: Dependent on Acquirer

Service Provider Level 1
  Criteria: VisaNet processors, or any service provider with over 300,000 transactions annually
  Validation: Annual Onsite Assessment by QSA; Quarterly Network Scan by ASV; Annual SAQ (optional)
  Reporting: Executive Summary of ROC and AOC

Service Provider Level 2
  Criteria: Any service provider with less than 300,000 transactions annually
  Validation: Annual Onsite Assessment by QSA (recommended); Annual SAQ; Quarterly Network Scan by ASV
  Reporting: SAQ

Page 23

MasterCard SDP

Customer type, compliance criteria, validation requirements and reporting requirements:

Merchant Level 1
  Criteria: Over 6 million transactions (MasterCard & Maestro) annually, or deemed as level 1 by MasterCard/Visa, or compromised merchant
  Validation: Annual Onsite Assessment by QSA or internal ISA-qualified staff; Quarterly Network Scan by ASV
  Reporting: Acquirers register compliant merchants and report quarterly

Merchant Level 2
  Criteria: Between 1 and 6 million transactions (MasterCard & Maestro) annually, or deemed as level 2 by Visa
  Validation: Annual Onsite Assessment by QSA (at merchant discretion) or SAQ by internal ISA-qualified staff; Quarterly Network Scan by ASV
  Reporting: Acquirers register compliant merchants and report quarterly

Merchant Level 3
  Criteria: Between 20,000 and 1 million e-commerce transactions (MasterCard & Maestro) annually
  Validation: Annual SAQ; Quarterly Network Scan by ASV
  Reporting: Acquirers register compliant merchants and report quarterly

Merchant Level 4
  Criteria: All other merchants
  Validation: Annual SAQ; Quarterly Network Scan by ASV (Note: at the discretion of the Acquirer)
  Reporting: N/A

Service Provider Level 1
  Criteria: All TPPs; all DSEs with more than 300,000 transactions (MasterCard & Maestro) annually
  Validation: Annual Onsite Assessment by QSA; Quarterly Network Scan by ASV
  Reporting: AOC

Service Provider Level 2
  Criteria: All DSEs with less than 300,000 transactions (MasterCard & Maestro) annually
  Validation: Annual SAQ; Quarterly Network Scan by ASV
  Reporting: AOC