Visa AIS Guide: Steps for staying PCI DSS compliant

Upload: wissam-jgroup

Posted on 05-Apr-2018


Steps for staying PCI DSS compliant

Visa Account Information Security Guide

October 2009

The guide describes how you can make sure your business does not store sensitive cardholder data.

Contents

How to make sure your business does not store Sensitive Cardholder Data 2
Introduction 2
Understanding Cardholder Data 2
Sensitive Authentication Data Explained 4
Track Data 4
Card Verification Value 2 (CVV2) 5
Personal Identification Number (PIN) and PIN Block 5
Understanding Other Types of Cardholder Data 6
Primary Account Number (PAN) 6
Cardholder Name and Expiration Date 7
Service Code 7
Finding Sensitive Authentication Data: Where to Look 8
Detecting Sensitive Authentication Data: How to Look 10
Removing Sensitive Authentication Data 12
Methods by Media 12
Contact Information 13

How to make sure your business does not store Sensitive Cardholder Data

Introduction

Card transactions have become a common way for customers to purchase goods and services at their local retail stores, over the Internet and while shopping abroad. To help keep card payments safe and convenient, Visa has helped form an organization called the Payment Card Industry Security Standards Council (PCI SSC).

PCI SSC maintains and supports a number of different security standards, with perhaps the most well known being the PCI Data Security Standard (PCI DSS). This standard details the requirements which all entities that store, process or transmit cardholder data must follow to ensure that cardholder data is kept secure. Two key requirements of the PCI DSS address directly the handling of cardholder data. These requirements are:

• Do not store(1) sensitive authentication data subsequent to authorization
• Secure non-sensitive authentication data, wherever it is stored

(1) Storage is not permitted, even if encrypted.

Understanding Cardholder Data

During transaction authorization, the merchant collects data from the payment card and transmits this data to the card issuer. Based on this information the card issuer may either approve or decline the transaction and send the authorization response back to the merchant. This transaction process is illustrated below:

Figure 1: The transaction authorization process. The diagram shows the authorization request and the authorization response passing between the Merchant, Processor, Acquirer, VisaNet and Issuer.

Transactions are performed using information from the cardholder's payment card and may include other authentication data provided by the customer themselves, such as a signature or a personal identification number (PIN). This information is used by the card issuer to verify and approve transactions, and therefore it is vital that such data is protected.

A representation of a payment card is provided below:

Figure 2: Representation of a payment card.
Rear face of a payment card: 1 - Magnetic strip; 2 - Cardholder signature; 3 - Visa security code (CVV2); 4 - Visa hologram.
Front face of a payment card: 1 - Chip of a smart card; 2 - Primary Account Number (PAN); 3 - Expiry date of the card; 4 - Cardholder name.

Sensitive cardholder data refers to cardholder data that must not be stored subsequent to transaction authorization. Storage of such data is not permitted under any circumstances, even if the data is encrypted or otherwise protected. There are three types of sensitive cardholder data values, collectively known as sensitive authentication data, which are used by the card issuer to confirm the presence of the physical card plastic and/or cardholder at the time of the authorization. The three types of sensitive authentication data are:

• Full contents of the magnetic stripe, also referred to as Track Data
• Security code (called a Card Verification Value 2, or CVV2, by Visa)
• PIN or PIN block

In the normal operation of your business there should not be any need to store sensitive authentication data subsequent to authorization. Storage of this data decreases the effectiveness of authorization and fraud detection systems in the authorization process and can lead to increased credit card fraud if compromised. Visa does not require that sensitive authentication data be kept subsequent to authorization; in fact it is a violation of the PCI DSS requirements and Visa's International Operating Regulations to store such data after authorization.

Sensitive Authentication Data Explained

Track Data

Track data is a term used to describe the information that is stored on the magnetic stripe of the payment card. Track data is used by the issuer to confirm the physical presence of the payment card during the transaction. The data is generated by the card issuer and is recorded on the magnetic stripe on the back of the cardholder's plastic, in the chip or both. Each card issuer is able to record discretionary data towards the end of the track.

In some instances, it is possible for the track data to be re-constructed using information taken from the magnetic stripe itself or from the chip on the card.

The magnetic stripe can contain up to three tracks of data, each formatted differently, known as Track 1, Track 2 and Track 3. Only Track 1 and Track 2 are used in the payment industry. Track data is defined by international standards and is the same for all card brands.

Figure: Track 1 format(2) and Track 2 format(3). The track layout diagrams are not reproduced in this transcript.

(2) Dependent on the length of other fields in Track 1.
(3) Dependent on other fields in Track 2.

The sensitive authentication data can be found towards the end of both Track 1 and Track 2. It is a violation of the Visa International Operating Regulations and the PCI Data Security Standards to store sensitive authentication data subsequent to authorization. Non-sensitive authentication data on the track may be stored but must be protected in accordance with the PCI DSS requirements.

Card Verification Value 2 (CVV2)

Visa developed a 3-digit code to help prevent fraud on all manually keyed transactions. The CVV2 code value is different for each payment card even if the cards have the same Primary Account Number (PAN).

The CVV2 resides on the back of the card beside or in the signature panel and is used to confirm the presence of the plastic card in situations where it is not possible to process the magnetic stripe or chip data, i.e. manually keyed transactions including telephone/mail order transactions and Internet transactions.

Each payment brand has a slight difference in the name and location of this code:

• CVV2: Card Verification Value 2 (Visa)
• CVC2: Card Validation Code 2 (MasterCard)
• CID: Card Identification Number (American Express and Discover)
• CAV2: Card Authentication Value 2 (JCB)

Great care needs to be taken with CVV2 since a cardholder may communicate this value to you directly, for example, via your call center or website. Even in these cases, the CVV2 must not be stored post authorization.

Personal Identification Number (PIN) and PIN Block

PIN/PIN block values are used by the card issuer to confirm that the cardholder is present when the purchase is made. A cardholder's PIN value is only known to the cardholder, and the correct value can be verified by the card issuer and its authorized agents.

Cardholder PINs are encrypted into a PIN block for transmission to the merchant's acquirer; this should occur within a secure PIN Entry Device (PED). However, sometimes systems are found that allow for exposure of the customer PIN outside of such secure devices. In both instances, it is not permitted to store the customer PIN block, whether encrypted or not encrypted, after the authorization.

The format for unencrypted PIN blocks is shown below:

Format code (1 digit): 0, 1, 2, 3
Number of PIN digits (1 hex character): 0-9 or A-C
PIN digits (2 digits): 0-9
PIN digits or padding (10 hex characters): 0-9 or A-F
Padding (2 hex characters): 6-9 or A-F

Encrypted PIN blocks take the form of 64 bits, or 16 hexadecimal numbers, of random digits. The encrypted PIN block is transmitted in ISO 8583 compliant messages in field 454.

Understanding Other Types of Cardholder Data

As sensitive authentication data, such as the encrypted customer PIN block and the CVV2 value, can be difficult to locate within systems that contain different fields and values, it is often useful to look for areas where other types of cardholder data are stored and then attempt to find sensitive authentication data that may be stored within the same areas.

Primary Account Number (PAN)

The Primary Account Number, also commonly known as the card number, is used to uniquely identify the specific customer account within a specific card issuer anywhere around the world. Every cardholder has a unique PAN value and this value is found in a number of locations:

• Embossed or printed on the front of the physical plastic
• Digitally recorded in Track 1 and Track 2 or in the chip
• Databases and paper files
• Transaction records

The PAN may be of any length between 13 and 19 digits, although 16-digit PANs are the most common.

All Primary Account Numbers issued by the payment brands have the following properties, described below.

Starting digits: The digits at the start of the PAN identify the card issuer. The exact method for determining this is not public information. The following rule of thumb can be used to identify cards issued under the five PCI payment brands:

Visa: 4
MasterCard: 51-55
American Express: 34, 37
Discover: 6011, 622126-622925, 644-649, 65
JCB: 3528-3589

Luhn 10 check: The Luhn 10 check formula verifies a number against its check digit (the rightmost digit). A compliant account number must pass the following test:

1. Counting from the check digit, which is the rightmost digit, and moving left, double the value of every second digit.
2. Sum the digits of the products together with the non-doubled digits from the original number.
3. If the total ends in 0, then the number is valid according to the Luhn formula; otherwise it is not a valid PAN.

As an illustration, if the account number is 49927398716, it will be validated as follows:

1. Double every second digit, from the rightmost: (1x2)=2, (8x2)=16, (3x2)=6, (2x2)=4, (9x2)=18
2. Sum all digits (digits in parentheses are the products from Step 1): 6+(2)+7+(1+6)+9+(6)+7+(4)+9+(1+8)+4=70
3. As the result (70) has a zero on the end and therefore can be divided by ten, the number is a valid PAN value.

Cardholder Name and Expiration Date

Like the PAN, the cardholder name and expiration date may be recorded in a number of places:

• Embossed or printed on the front of the physical plastic
• Digitally recorded in Track 1 and Track 2 or in the chip
• Databases and paper files
• Call center voice recordings
• Transaction records

When printed or embossed, the expiration date is recorded in MM/YY format, but is recorded in track data as YYMM. This date is generated by the card issuer.

Service Code

The service code defines various services, differentiates cards used in international or domestic environments and identifies card restrictions. The service code is digitally recorded in Track 1 and Track 2 or in the chip. It is a 3 decimal digit number and is generated by the card issuer. Common service code values are 101 or 104.

Finding Sensitive Authentication Data: Where to Look

Many businesses believe they are not storing sensitive data because they cannot see it, or because the storage of this data is not a specific part of their business. However, it is important to understand that computer systems and network devices often automatically store data without your knowledge, and you must look in all possible storage locations, even if you believe that cardholder data is not deliberately stored.

When looking for sensitive authentication data, it is important to have a good understanding of the types of payments that your company accepts. A merchant that never accepts payments in person would not be handling track or PIN data. A merchant that only accepts payments by swiping a customer card through a POS terminal would not handle CVV2 data.

Therefore, the first step in finding this data is to review the ways in which cardholder data enters and flows through your business. Except for the simplest of merchants, this must be documented, as it will form the cornerstone of your PCI DSS compliance efforts.

The table below indicates common ways sensitive data may enter your business. Once it is in, if not correctly managed, the data may be found anywhere in your business environment!

Table columns: Business type; Transaction type; Transaction method; Sensitive authentication data(5) (Track, CVV2, PIN); Cardholder data (PAN, Name, Service Code, Expiry). The marks in the data columns are not preserved in this transcript; the rows are:

Merchant, Card Present: Magnetic strip or chip
Merchant, Card Present: Manually keyed
Merchant, Card Not Present: Manually keyed
Merchant, Card Not Present: E-commerce
Merchant, Card Not Present: Recurring transaction
Merchant, Card Not Present: 3rd party file, e.g. outsourced call center
Service Provider, Card Not Present: Mail order/telephone order
Service Provider, Card Not Present: E-commerce
Others: Others

(5) Storage of this data (even if encrypted) post authorization is a violation of the data handling requirements.

Other processes that may involve the use of cardholder data include:

• Customer service/transaction dispute
• Merchant settlement
• Customer identification

It is important to take special care when the data passes through computer systems. Modern computer systems often create logs or use virtual memory to ensure smooth system processing; these must also be taken into account while looking for the storage of sensitive data. The scope of your investigation on your computer infrastructure can be significantly reduced (with associated time and money savings) by the implementation of network segmentation (e.g. using VLANs) and firewalls.

However, it should be understood that when looking for the storage of sensitive authentication data you are essentially validating any network segregation that you have put in place; therefore, it is vital that systems that should not be storing, processing or transmitting such data are checked to confirm that this is indeed the case.

Detecting Sensitive Authentication Data: How to Look

The table below describes a number of basic techniques used to find sensitive authentication data. No one way works best in all situations and it is recommended that these methods be adapted and used as befits your environment.

When checking for sensitive authentication data it is important to remember that PCI DSS applies to all systems that store, process or transmit credit card data. This includes hardware systems such as POS devices and ATMs, as well as software systems.

Method: Manually map the flow(s)

Procedure:
1. Manually identify where the data enters your business.
2. Identify (and document) the data flow including all paper-based, voice and system infrastructure, e.g. firewalls, routers, data logs, backups.
3. Investigate each item in the transaction flow, looking for sensitive data.
4. Additionally, if the data is processed on a computer system:
   • Document the computer infrastructure, operating systems and programs used to process the data
   • Confirm if the programs are on the PA-DSS list and have been implemented in a compliant manner
   • Confirm if data backups are made and what information is being captured as part of normal business operation

Comments: It is recommended that this be performed for all businesses. Although it may be a labor-intensive task for complex businesses, once it is completed the results are invaluable and will assist you with many of your other PCI DSS compliance tasks.

Method: Scan for known values on computer infrastructure

Procedure:
1. For each of the transaction types used by your business, enter a transaction making note of the values, e.g. PAN, expiry date, CVV2, Track 1, Track 2.
2. Investigate each item in the transaction flow, looking for sensitive authentication data.

Comments: This method is useful for checking for CVV2 and encrypted PIN block values where the data may be difficult to find otherwise.

Method: Scan for known patterns on computer infrastructure

Procedure: The following data items have known patterns and can be scanned using scanning tools:
• PAN (Luhn 10 check)
• PAN starting digits
• Track 1 and Track 2 formats
• Plaintext PIN block formats

Comments: Do not look for sensitive authentication data only in places where you expect it may be. This data can occur in many different locations for many different reasons.

Method: Examine database layout for suspicious columns

Procedure: Review the layout or schema of the databases used in your company to see if any columns or entries have headings (such as track data or CVV2) that may indicate that sensitive data is being stored.

Comments: Databases may be used by company-specific systems or may be part of a commercial software package.

Method: Review log and error files

Procedure: Sensitive authentication data may be stored either deliberately or inadvertently in many different places. Payment software may be designed to store data deliberately for error recovery, or communications software logs may be inadvertently storing data.

Comments: Do not look for sensitive authentication data only in places where you expect it may be. This data can occur in many different locations for many different reasons.

Method: Confirm error recovery methods for your payment systems

Procedure: Talk to your payment system vendors and determine how their systems operate if there is an error. Often systems store sensitive authentication data to assist in finalizing payment processing when an error occurs.

Comments: When looking for sensitive authentication data it is important to understand the transaction process not only when the payment works, but also what happens when the payment does not work.
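The following Python is an added example, not code from the Visa guide: it implements the Luhn 10 check exactly as the PAN section states it (including the guide's worked number 49927398716), the starting-digit rule of thumb from the brand table, and the "scan for known patterns" method above, run over constructed sample log lines. The Track 2 layout it matches (';' sentinel, PAN, '=', YYMM expiry, service code, discretionary data, '?') is assumed from ISO/IEC 7813, since the guide's track figures are not reproduced here.

```python
import re
from typing import Optional

# Constructed sample log lines (not from the guide): the kind of stray text a
# scan of logs, backups and database dumps for stored cardholder data turns up.
SAMPLE_LOG = """\
2009-10-01 12:00:01 auth ok ref=A1 pan=4111111111111111 exp=1012
2009-10-01 12:00:02 dbg raw=;4111111111111111=10121010000?
2009-10-01 12:00:03 ticket 4111111111111112 closed
2009-10-01 12:00:04 order 378282246310005 shipped
"""

# Starting-digit rule of thumb from the guide's table: (low, high) ranges of
# the PAN's leading digits, compared at the width of the range.
BRAND_PREFIXES = [
    ("Visa", [(4, 4)]),
    ("MasterCard", [(51, 55)]),
    ("American Express", [(34, 34), (37, 37)]),
    ("Discover", [(6011, 6011), (622126, 622925), (644, 649), (65, 65)]),
    ("JCB", [(3528, 3589)]),
]

# A run of 13-19 digits (the PAN lengths the guide gives) not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 layout assumed from ISO/IEC 7813 (the guide's track figure is not
# reproduced here): ';' sentinel, PAN, '=', YYMM expiry, 3-digit service code,
# issuer discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_valid(number: str) -> bool:
    """Luhn 10 check as the guide states it: from the rightmost (check) digit
    moving left, double every second digit, add the digits of the products to
    the undoubled digits, and accept if the total ends in 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d = d * 2 if d < 5 else d * 2 - 9   # digit sum of the product
        total += d
    return total % 10 == 0

def brand_for(pan: str) -> Optional[str]:
    """Brand suggested by the PAN's starting digits, or None if no range matches."""
    for brand, ranges in BRAND_PREFIXES:
        for low, high in ranges:
            width = len(str(low))
            if len(pan) >= width and low <= int(pan[:width]) <= high:
                return brand
    return None

def scan_text(text: str) -> list:
    """Report each Track 2 pattern and each Luhn-valid PAN-length digit run with
    its line number and brand guess, so a finding can be traced to the log
    line, file or column that holds it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            findings.append({"line": lineno, "kind": "track2",
                             "pan": m.group(1), "brand": brand_for(m.group(1))})
        for m in PAN_RE.finditer(line):
            if luhn_valid(m.group(0)):   # digit runs failing Luhn are not PANs
                findings.append({"line": lineno, "kind": "pan",
                                 "pan": m.group(0), "brand": brand_for(m.group(0))})
    return findings
```

Line 3 of the sample fails the Luhn check and is correctly ignored, while line 2 is reported twice: once as a full Track 2 record (a sensitive authentication data finding) and once as the PAN inside it.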


Removing Sensitive Authentication Data

The key to achieving PCI DSS compliance is to reduce the number of items that are in scope; that is, to eliminate cardholder data from the business unless it is absolutely required. The less data you have in your business the less you have to control and the easier compliance becomes.

Where prohibited data is found, take action to eliminate the data as soon as possible and consider changing your business process so the data is no longer retained after authorization.

Introduce procedures so the data is controlled, kept for a minimum time and securely deleted once it is no longer required.

Methods by Media

The following table details common storage locations and suggested actions to assist in compliance.

Media: Paper/fax
Actions:
• Shred post authorization
• Black out cardholder data with ink

Media: Soft copy images (scanned documents, fax servers)
Actions:
• Alter processes so data is no longer required
• Delete post authorization
• If possible, electronically black out sensitive fields

Media: Call center call recording
Actions:
• Confirm if CVV2 is being recorded; if it is, consider blanking technology
• Encrypt and securely store all call data at a minimum(6)

Media: Computers and computer storage
Actions:
• Use only PA-DSS approved applications
• Consult with software developer and confirm if application is PCI DSS compliant and if any special settings are required
• Analyze all applications known to handle sensitive data
• Scan all storage for PAN and track data, including logs and backups

Media: Network equipment
Actions:
• Consult with manufacturer and confirm if device is PCI DSS compliant and if any special settings are required
• Analyze all log files for sensitive data

Media: Backups
Actions:
• If backup is pre-authorization, review the purpose of the backup and where possible modify
• Encrypt backups

(6) Storage of sensitive authentication data within voice recordings is acceptable only if there is no commercially feasible method of removing this data, and any such data that is stored is securely encrypted.

Contact Information

For more information on this document or the AIS program, please visit our website at www.visa-asia.com/secured or contact:

Data Security: [email protected]

Or your respective Visa Country Risk Managers:

Ian McKindley, Risk Management, Australia, New Zealand & the Pacific Islands: [email protected]
Tony Zhu, Risk Management, China: [email protected]
Murugesh Krishnan, Risk Management, South & Southeast Asia: [email protected]
Navy Li, Risk Management, China: [email protected]
Abdul Rahim Abdul Rahman, Risk Management, Southeast Asia: [email protected]
Vincent Lee, Risk Management, South Korea: [email protected]
Raveendhrun Anantharaman, Risk Management, South Asia: [email protected]
Ryoji Ihara, Risk Management, Japan: [email protected]
Michael Chan, Risk Management, Hong Kong & Taiwan: [email protected]
Igarashi Kouji, Risk Management, Japan: [email protected]