Published on September 15, 2008
The Payment Card Industry Data Security Standard (PCI DSS) : The Payment Card Industry Data Security Standard (PCI DSS) Presentation outline : Presentation outline Why PCI DSS? Compliance and validation levels Cardholder data The legal perspective Performing a PCI DSS audit Decreasing costs through automation What is the Payment Card Industry Data Security Standard (PCI DSS)? : What is the Payment Card Industry Data Security Standard (PCI DSS)? The PCI DSS is a set of security standards drawn up by the world’s major credit card companies including VISA and MasterCard to protect credit and debit card data To date, these requirements govern all the payment channels including retail, mail orders, telephone orders and e-commerce It was previously a separate information security standard, however it has now become a global security standard Why is the PCI DSS required? : Why is the PCI DSS required? Cardholder data theft and fraud have been around since the mid-80’s and this prompted Visa to establish the first security program The recent TJX security breach in which at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network highlights the increased need for greater security According to InformationWeek, hackers can sell stolen credit card data on the Black market at a rate of USD 490 for a card number with PIN PCI Data Security Standard v1.1 (1/3) : PCI Data Security Standard v1.1 (1/3) The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas: Collection and storage of all log data so that it is available for analysis Reporting on all activity so as to be able to prove compliance on the spot Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately PCI Data Security Standard v1.1 (2/3) : PCI Data Security Standard v1.1 (2/3) The PCI DSS framework is also made up of six categories as follows: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Maintain an information security policy Regularly monitor and test networks Implement strong access control measures PCI Data Security Standard v1.1 (3/3) : PCI Data Security Standard v1.1 (3/3) Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for employees and contractors What is “cardholder data”? : All information from a credit/debit card used in a transaction - pcianswers.com Cardholder data elements Primary Account Number (PAN) Cardholder name Expiration date Sensitive Authentication Data (SAD) Magnetic stripe data Card Validation Code (CVC) Personal identification number (PIN) What is “cardholder data”? 123 Cardholder data storage : Cardholder data storage The PCI DSS provides protection of cardholder data It is permitted to store the following details as long as they are encrypted, hashed or truncated: PAN, Cardholder name, Expiration date, Service Code Typical transaction flow : The merchant submits the credit card transaction to the Payment Gateway Ž Payment Gateway passes transaction via a secure connection to the Merchant’s Bank Ž Typical transaction flow Œ Œ A customer uses a credit card to pay a merchant for purchased goods Merchant’s bank then goes through the Credit Card Interchange for transaction approval Who should be PCI DSS compliant? : Who should be PCI DSS compliant? As from September 30, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the world’s major credit card companies This applies to all entities where cardholder data is Stored Transmitted Processed All entities described as merchants or service providers must become compliant Merchants : Merchants Entities that accept credit cards as payment Examples of sectors affected Online trading (e.g. ebay.com) Retail (e.g. Wal-Mart) Higher Education (e.g. Universities) Health (e.g. Hospitals) Travel and entertainment (e.g. Restaurants) Energy (e.g. Gas/Service stations) Finance (e.g. Insurance companies) Merchant compliance levels : Merchant compliance levels Service providers : Service providers Entities that provide services to merchants Examples of services Payment gateways (e.g. PayPal) Payment processors E-commerce host providers Managed service providers Credit reporting agencies Backup management companies Paper shred companies Service provider compliance levels : Service provider compliance levels PCI DSS compliance procedures : PCI DSS compliance procedures Cardholder data compromises : Cardholder data compromises “Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected” - PCI DSS glossary Incident response plan Requirement 12.9 Why report a compromise? Limit the damage Reporting channels Internal incident response team Credit card associations and acquirers Local law enforcement Who risks a compromise? Consequences : Consequences Financial Could lead to fines of up to USD 500,000 and expensive litigation costs Reputation A negative incident could have a big impact on a brand name Involvement of law enforcement agencies Operational Level 2, 3 or 4 + compromise = Level 1 Could lead to a potential loss of card processing privileges Preparation for PCI DSS compliance : Preparation for PCI DSS compliance Become familiar with the PCI DSS requirements Identify all cardholder data and remove unnecessary cardholder data Perform a security gap analysis Create an action plan and call in experts for advice if necessary PCI DSS compliance costs : PCI DSS compliance costs Pain points : Pain points Maintain secure systems and applications Audit your network Scan for vulnerabilities Deploy patches/service packs Monitor the network Log user activity Log access to cardholder data Alert on important events Provide documented evidence Maintain secure systems Monitor activity Take remedial action Automation through software : Automation through software Drastically reduce manual, repetitive tasks: Network audits Vulnerability management Activity monitoring Real-time alerts Remedial action Report generation PCI DSS and GFI network security products : PCI DSS and GFI network security products Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied system passwords & other security parameters Protect stored cardholder data Assign a unique ID to each person with computer access GFI EventsManager Track and monitor all access to network resources and cardholder data GFI LANguard N.S.S. ROI and business benefits : ROI and business benefits Automation Reduce manual and repetitive tasks Reduce administrator’s workload Trigger proactive remedial actions Protection Complement your security policy Notify you on potential security threats Gives you peace of mind Savings No PCI DSS fines No outsourced consultancy fees Business continuity Conclusion : Conclusion Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies who store, transmit or process credit card data PCI DSS compliance needs to be achieved by September, 2007 – this is the deadline posed by credit card companies GFI Software offers such businesses two products, GFI EventsManager and GFI LANguard Network Security Scanner (N.S.S.) to help them on their road to becoming compliant Corporate overview : Corporate overview Founded in 1992 Over 200 employees worldwide Offices in Malta, London, Raleigh, Hong Kong and Adelaide GFI products installed on over 200,000 networks worldwide, mostly SMBs A channel-focused company with over 10,000 partners throughout the world The visionTo become the technology of choice for IT security and productivity solutions. The missionTo provide quality, cost-effective content security, network security and messaging solutions to IT professionals around the world.