Payment Card Industry Data Security Standards

The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.

What is PCI & PCIDSSPayment Card Industry (PCI)Data Security Standard (DSS) so (PCIDSS)PCIDSS was developed jointly by all the credit card

brands (Amex, DC, JCB, MC and Visa) to protect the merchants business, their customers (cardholders), and the integrity of the payment system from the rising incidences of stolen cardholder account data.

Why is PCI compliance important?

PCI helps protect the merchant business from: fraud substantial fines from the card associations customer dissatisfaction and distrust if their cardholder data

is compromised and misused as result of the merchants business being compromised.

The credit card brands have made PCI compliance mandatory for merchants.

How Could Cardholder Information be Compromised?

►Hackers could illegally access a merchant’s POS System.

►Employees could be conned into revealing passwords, logons, or other sensitive data.

►Credit card data such as reports or receipts could be thrown in the trash by merchants and retrieved by anyone digging through the dumpster.

Who Must Comply with the PCI Data Security Standards?

►All merchants who accept credit and debit

cards.

►All credit card processors, issuers and acquirers (such as Heartland), third party processors, and gateways.

►Developers and software providers.

PCI Data Security Standards Defined by the Card Associations Require Merchants to:

1. Build and maintain a secure network.

2. Protect cardholder data.

3. Maintain a Vulnerability Management Program.

4. Implement strong access control measures.

5. Regularly monitor and test networks.

6. Maintain an information security policy.

1. Build and Maintain a Secure Network

►Merchants using the Internet for transmitting credit/debit card information, must install and maintain a firewall. Internet firewall security needs to be installed and functional on all computers and POS Systems using IP connectivity. POS systems with a dial connection to the Internet are required to comply with this standard as well.

2. Protect Cardholder Data

Merchants Must Use Passwords and Other Security Measures

►Merchants must implement personalized logons and passwords for all users of computers and POS systems to limit access to cardholder information.

3. Maintain a Vulnerability Management Program to Protect Stored Data.►Hard copies of batch reports and paper receipts must be placed in a secured area where only authorized personnel can enter.

►Unneeded reports and receipts must be shredded before disposal.

►Databases and files containing credit/debit card information must be encrypted.

►Encryption software is required for POS systems using internet connectivity for transmission of cardholder information.

4. Install Antivirus Software.

►Merchants must install and maintain updated antivirus software on their computers and POS Systems.

5. Regularly Monitor and Test Networks.

►Merchants must track and monitor all access to network resources.

►Merchants must show proof that they track and monitor who has access to their computers and POS systems.

6. Maintain an Information Security Policy.

►Merchants must have a written and enforceable policy that details safeguarding of credit/debit card information

Merchant Levels of Compliance

Level 1 – Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transaction per year.

Any merchant that has suffered a hack or an attack that resulted in an account data compromise.

Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system

Any merchant identified by any other payment card brand as level 1.

Level 2 –Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

eCommerce merchants (1m trans/yr – 6M trans/yr)

Must comply & pass third party audits

►Levels of PCI Security compliance are based on size, type of business and the number of transactions per year.

►Compliance requirements are based on 4 levels.

Merchant Levels of Compliance

Level 3 – Any Merchant processing 20,000 to 1,000,000 Visa e-commerce transaction per year.

Required to comply

►Levels of PCI Security compliance are based on size, type of business and the number of transactions per year.

►Compliance requirements are based on 4 levels.

Level 4 –All other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. And all merchant processing fewer than 20,000 Visa e-commerce transactions per year,

Level 1 – Large Retail Merchants

Level of compliance is determined by merchant’s size

►Level 1 merchants must undergo annual on-site audits by certified auditors.

►Level 1 merchants must incur the cost of quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.

►Adhering to the PCI standards can cost Level 1 merchants hundreds of thousands of dollars per year to ensure compliance.

All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.

Large Retail Merchants

(Wal-Mart, Target, etc)

Level 1 – Large Retail MerchantsValidation Action Validated By Due Date

Annual On-site PCI Data Security Assessment

Qualified Data Security Company of Internal Audit if signed by Office of the Company

9/30/2004

Quarterly Network Scan

Qualified Independent Scan Vendor

New Level 1 merchants have up to one year from identification to validate

Level 2 - Mid/Large Merchants

►Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).

►Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.

►Internet facing system scans can generally cost $1,000 to $3,000 dollars.

Level 2 - Mid/Large MerchantsValidation Action Validated By Due Date

Annual On-site PCI Self-Assessment Questionnaire

Merchant Current

Quarterly Network Scan

Qualified Independent Scan Vendor

New Level 2 merchants: 9/30/2007

Level 3 – Mid/Low Merchants

►Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).

►Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.

►Internet facing system scans can generally cost $1,000 to $3,000 dollars.

Level 3 – Mid/Low Merchants

Validation Action Validated By Due Date

Annual On-site Self-Assessment Questionnaire

Merchant Current

Quarterly Network Scan

Qualified Independent Scan Vendor

6/30/2005

Level 4 - Small Merchants

►PCI standards recommend Level 4 merchants undergo annual self-assessment (no outside validation required).

►The standards also recommend the merchant conduct quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.

►These are only “recommendations” for security practices.

Level 4* - Small MerchantsValidation Action Validated By Due Date

Annual On-site PCI Self-Assessment Questionnaire

Merchant Current

Quarterly Network Scan

Qualified Independent Scan Vendor

Validation requirements and dates are determined by the merchant’s acquirer

*The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

POS Software Developers must be PABP Compliant

Merchant’s software can never store the CVV data

►POS system software should only extract and store the cardholder number, expiration date, and cardholder name from the magnetic stripe.

►The POS software must encrypt all cardholder information.

►The POS software must truncate the cardholder number on receipts, reports and display screens.

►The POS software must encrypt all Internet transactions, generally done by SSL (Secure Socket Layer) encryption.

POS Software Developers must be PABP Compliant

►POS

►CCV Card Code is never allowed to be stored

How do you know which POS Software Complies with PABP Standards?

►Merchants must contact their VAR/dealer or software developer to determine if their POS System software is PABP compliant.

Why Should Merchants Comply with PCI Standards?

►To protect their business reputation.

►To protect their customer’s card information.

►To limit their risk of being fined and forced to undergo forensics (Visa/MasterCard on-site audit to determine the cause of the compromise) which can cost tens of thousands of dollars and put them out of business.

Potential Cost to a Merchant for a Compromise

First Violation

Second Violation

Third Violation

$50,000

$100,000

Management discretion

►If security is compromised, regardless of the

merchant’s tier level, they will be required to

undergo an on-site security audit.

►Merchants will be fined and assessed all costs and expenses related to the

forensic investigation. They must pay a consultant to conduct the audit. The

merchant must pass the audit and continue to do audits on an annual basis.

Failure to notify Visa of a suspected or confirmed loss or theft of credit card

data is subject to a fine of $100,000 per incident.

►Costs of forensic investigations begin at $50,000 and could be as high as

$100,000 per investigation.

►Costs of audits can range from $15,000 - $20,000 per audit.

Summary of Steps to Compliance► PCI standards apply to all credit and debit cards.

► Every merchant is mandated by the Card Associations to comply.

► The six basic standards are as follows:

► Build and Maintain a Secure Network

► Protect Cardholder Data

► Maintain a Vulnerability Management Program

► Implement Strong Access Control Measures

► Regularly Monitor and Test Networks

► Maintain an Information Security Policy

►The fines, investigations and audits for certification and compromises can be expensive.

Visa Alerts 10:54:07 by David Press

News Green Sheet Magazine “Visa alerts restaurants to lax POS installation a

spike in data security compromises at restaurants prompted Visa U.S.A. to issue a data security alert in July. It emphasized the proper installation and use of POS equipment and systems. The card association also issued a reminder of ways merchants can protect themselves against lapses.”

Visa alertsVisa alerts restaurants to lax POS installation Visa's

recommended mitigation strategy "If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data.“ – Martin Elliott, Visa's Vice President for Emerging Risk

Credit Firms Push to Thwart Fraud

Credit Firms Push to Thwart Fraud Merchants Face a Penalty If Steps Aren't Taken to Curb Identity Theft; Visa Misses Own Security Deadline By ROBIN SIDEL, Wall Street JournalSeptember 25, 2006; Page C1

.

MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters.

An article appeared in the September 25th edition of the Wall Street Journal “The Journal article begins “MasterCard Inc. and Visa

USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters. In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure. Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month.”

An article appeared in the September 25th edition of the Wall Street Journal The article goes on to describe the various issues the credit

card industry faces regarding data security and how it plans to deal with them in the coming months and years. The fact is that although the credit card companies are starting their efforts to enforce PCIDSS standards with the big retailers, it is the small and mid sized businesses like yours that are the easiest and most lucrative targets for cyber criminals.

An article appeared in the September 25th edition of the Wall Street Journal For example, restaurants from coast to coast have

already had to pay fines ranging from $5,000 to $350,000. In addition, they faced the immediate loss of their ability to accept credit cards and had to pay for initial and ongoing security audits that cost thousands more.”

5%

61%

2%12%

1%

1%7%

2% 1%

5%2%

1%

Profesional Org.

Entertainment

Financial

Food Service

Government

Hosting

Media

Payment Process

Recreation

Retail

Transportation

University

Compromise Statistics: Industry

SpiderLabs data is gathered from more than 140 card compromise cases.

Food Service Industry represents the majority of the compromises.

Cases By Industry

Card Not Present

20%

Card Present80%

Compromise Statistics: AcceptanceCases by Card Acceptance

About 4 out of every 5 cases is a traditional Brick and Mortar environment.

Card Present Merchants are not aware of these risks!

1% 17%

1%

71%

5%

1%4% Backend

Hardware

Mainframe

Physical

Cart

Virtual

Software

Compromise Statistics: System Type

Majority of the cases involved a compromise of a Software based POS system.

None of these systems were Visa PABP or PCI DSS compliant.

Cases By System Type

Dial-up24%

DSL/Cable47%

T129%

Compromise Statistics: Connectivity

All Internet connectivity should be considered high risk.

SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable.

Cases By Connectivity

Merchant Error50%

3rd Party Error50%

Compromise Statistics: ErrorMerchant Error vs. 3rd Party Error

Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant.

POS Developers, Integrators, IT Firms are not following PCI DSS and leaving Merchants at Risk!

Yes96%

No4%

Compromise Statistics: Track Data

Track Data storage is never permitted in any environment post authorization.

Non-Compliant software packages are storing Track Data and the Merchants did not know until it was too late!

Brick and Mortar Cases w/ Track Data Storage

Compromise Statistics: PCI DSS Violations

Most Common “Not In-Place”

Requirement 1: Install and maintain a firewall to protect data

Requirement 3: Protect stored data

Requirement 6: Develop and maintain secure systems and applications

Requirement 8: Assign a unique ID to each person with computer access

Requirement 10: Track and monitor all access to network and card data

Requirement 11: Regularly test security systems and processes

Compromise Statistics: SpiderLabs Top 10

Top 10 Reasons/Methods of Compromise

1. Backdoor / Trojan2. No Firewall3. SQL Injection4. Internal Theft5. Remote Access6. FTP Access to Data7. Remote Exploit8. Remote Buffer Overflow9. Login Credential Leak10. Password Brute Force

Compromise Statistics: Riskiest Merchant

Profile of the Merchant w/ Greatest Compromise Potential

Industry: Food Service

Payment Acceptance: Card Present

System Type: Non-Compliant Software POS

Connectivity: DSL or Cable Modem

Websites http://www.usa.visa.com/business/accepting_visa/ops_risk_managem

ent/cisp_merchants.html https://www.pcisecuritystandards.org/tech/supporting_documents.htm

https://www.pcisecuritystandards.org/index.htm