Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals
Presented by: Rose Andert and Lance Wright
July 24, 2008
Learning Points
• What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
• Recent Data Breaches and Cost
• Card Brand Programs History and Non-compliance Problems
• Complementary Regulatory Compliance Efforts
• PCI Component Overview
• Member Requirements and Merchant Levels
• Identifying, Finding, Storing & Eliminating Sensitive Cardholder Info
• Scope of PCI
• PCI DSS (Digital 12)
• Self-Assessment versus Audit Requirements
What is the PCI DSS?
Definition: The Payment Card Industry (PCI) Data Security Standard (DSS) is a rigorous set of requirements designed to help retailers protect their customers’ identity by securing their payment account transactions (credit card/debit card) and stored card information.
• Not a federal law nor a certification process
• It is a set of requirements standardized by the PCI council
What is the PCI DSS?
Main Objective: Consistency in “due care” through mandated requirements for protecting customers’ payment account, transaction and authentication data
The PCI DSS includes requirements for:
• Security Management
• Policies and Procedures
• Network Architecture
• Software Design
• Other standards mandated around processing, storage and transmission of cardholder data
The TJX Companies, Inc. Data Breach
• July 2005 to January 2007, TJX suffered the largest computer data breach in corporate history, affecting over 45 million credit and debit cards
• 451,000 customers exposed to identity theft, including Social Security numbers and driver’s license numbers
Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html
• August 2007, TJX disclosed that the costs of the data breach – including lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims – have soared to $256 million, up from the initial estimate of $25 million
Source: http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
• Experts estimate that breach-related costs could potentially reach $1 billion
• December 2007, TJX agreed to fund up to $40.9 million pre-tax for recovery payments to financial institutions as part of a settlement agreement
Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/
Hannaford Bros. Data Breach
• In March 2008, the Massachusetts Bankers Association (MBA) notified 60 to 70 of its 200 member banks of a large data breach originating from a “major retailer” between December 2007 and March 2008
• It has been reported that the data breach occurred within Hannaford Bros., a Maine-based supermarket chain, exposing as many as 4.2 million credit and debit cards to fraud in Massachusetts and the northern New England states
• Hannaford has already reported that at least 1,800 cases have occurred where cards were used fraudulently
Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/
Cost of Security Breaches Continues to Increase
• Breaches cost companies an average of $182 per compromised record*
• This was a 31% increase over 2005*
• Gartner analysts estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009**
* Ponemon Institute
** http://security.tekrati.com/research/9457/
Card Brand Programs - History
• In June 2001, Visa developed a robust security audit program (CISP)
• In December 2004 the expanded Payment Card Industry (PCI) Data Security Standard (DSS) was adopted by American Express, Discover Financial Services, JCB International, MasterCard Worldwide (includes Diners Club) and Visa International
• September 2006 PCI Security Standards Council formed
Non-compliance is a Problem
Retailers Failing to Comply with Credit Card Security Standards
• Despite five years and two deadlines, just 65 percent of level one merchants (6 million+ annual transactions) and an estimated 43 percent of lower-volume merchants have fully validated compliance with cardholder data security standards (as of Sept 30, 2007)
Source: http://www.ecorablog.com/the_compliance_and_securi/pci_compliance/index.html
Non-compliance is a Problem
Penalties are Severe
• Companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html
Non-compliance is a Problem
Member Fines and Penalties
In case of a compromise, Members proven to be non-compliant or whose merchants or agents are non-compliant may be assessed:
• Non-compliance fine (egregious violations up to $500k)
• Forensic investigation costs
• Issuer/Acquirer losses
• Unlimited liability for fraudulent transactions
• Potential additional Issuer compensation (e.g., card replacement)
• Dispute resolution costs
• Disclosure costs
Complementary Regulatory Compliance Efforts
Sarbanes-Oxley Act
• Requires that public companies have effective internal controls on financial reporting information with independent auditor attestation
• Prudent private companies comply as well
• It comes down to this:
• Access control: Who has access to what information?
• Auditability: Can you monitor and track access to information?
Complementary Regulatory Compliance Efforts
Gramm-Leach-Bliley Act (GLBA)
• Requires that financial institutions safeguard “Personally Identifiable Information” (PII)
• Prudent retailers consider GLBA compliance a “best practice”
• Personal service depends on secure access to PII
• Data Privacy: Do your best customers trust you?
State Breach Notification Laws (SB1386)
• Require notification of customers if customer data is compromised
PCI Component Overview (diagram)
• Acquirer and Issuer: each is a Member, and the two may or may not be the same entity
• Acquirer provides processing services to the Merchant
• Issuer issues cards to the Cardholder
• Cardholder uses card to buy from the Merchant
Member Compliance Requirements
• All Members must comply with the PCI Data Security Standard
• Issuing and Acquiring Members are not YET required to validate compliance unless they are a VisaNet Processor
• Members are responsible for ensuring the compliance of their merchants and service providers who store, process, or transmit cardholder data
• Compliance dates have come and gone. Banks established new reporting dates (e.g., 6/30/07 and 9/30/07 were common dates)
Self Assessment vs. Audit Requirements
• All Merchants are responsible for complying with the PCI Standard
• Validation varies based on merchant level
• Level 1 requires onsite audit using audit procedures document
• Level 2 and below require Self-assessment Questionnaire
• Questionnaire is extremely high level… could result in a merchant thinking they are fully compliant with the standard when they are missing key controls
• Merchants should read the PCI standard document and refer to the audit procedures for additional information and clarification regarding the controls, and then fill out the Questionnaire with this information in mind
Credit Card Processing Prerequisites
• Merchant processing agreements for card processing, including multiple Merchant IDs for each business unit and currency
• Merchant bank account for settlement deposits
• Communication method for routing transaction data between SAP and each processor used (US, Europe, American Express, etc.)
Visa Safe Harbor
Safe harbor provides Members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor:
• The entity must be in full compliance with the PCI Data Security Standards at the time of the breach, as demonstrated during a forensic investigation
• The entity must have validated full compliance prior to the compromise
• Submission of a Report on Compliance (ROC), in and of itself, does not provide a Member safe harbor status
• Compromised entity must have adhered to all the requirements at the time of the breach
Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data
• What information is at risk?
• Account and transaction information includes:
• Track Data
• CVV2/CVC2
• PIN block
• Primary Account Number (PAN)
• Expiration Date
• Password, name, e-mail, address, other personal data (when with PAN)
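An added example of the “finding” step, written for this edit and not part of the presentation: a small Python scanner that flags PAN-like digit runs in log lines with the Luhn check and recognises the track 1 and track 2 layouts that carry the data listed above, reporting each hit with the PAN masked to first six and last four digits so the scan output is not itself sensitive. The log lines, field names and phone number are constructed; the card numbers in them are the widely documented test PANs, not real accounts.

```python
"""Cardholder-data discovery over text: constructed example, not from the presentation.
Flags PAN-like digit runs (13-19 digits, Luhn-valid) and magnetic-stripe track data
in log lines, reporting a masked PAN so the scan output itself is not sensitive."""
from __future__ import annotations

import re
from typing import Iterable, List, NamedTuple

# 13-19 digits, optionally grouped with spaces or dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
_TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
_TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, phone numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the middle is replaced with asterisks."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Finding(NamedTuple):
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text lines; a track match takes precedence over a bare PAN match on the same line."""
    findings: List[Finding] = []
    seen = set()
    for n, line in enumerate(lines, 1):
        for kind, pattern in (("track1", _TRACK1), ("track2", _TRACK2)):
            for m in pattern.finditer(line):
                masked = mask_pan(m.group(1))
                if (n, masked) not in seen:
                    seen.add((n, masked))
                    findings.append(Finding(n, kind, masked))
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            masked = mask_pan(digits)
            if luhn_ok(digits) and (n, masked) not in seen:
                seen.add((n, masked))
                findings.append(Finding(n, "pan", masked))
    return findings


# Constructed sample log; the card numbers are documented test PANs, not real accounts.
SAMPLE_LOG = """\
2008-07-24 10:01:02 order=1234567890123456 status=ok
2008-07-24 10:01:05 DEBUG auth pan=4111111111111111 exp=1012 cvv=123
2008-07-24 10:01:09 swipe=;5555555555554444=10121010000000000000?
2008-07-24 10:01:11 swipe=%B4111111111111111^DOE/JANE^10121010000000000000?
2008-07-24 10:02:00 callback phone=602-555-0100
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

On the sample log the order number on line 1 fails the Luhn check and is ignored, the debug line 2 is reported as a bare PAN, and lines 3 and 4 are reported as track 2 and track 1 data. Lines 2 through 4 are exactly the kind of post-authorization residue the next slides say must not be stored.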
Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data
Storing Cardholder Data
• What is allowed to be stored, transmitted, or processed?
• Encrypted PAN, expiration date, and name
• How should the PAN be protected when stored?
• Encrypted, hashed, or truncated
• What must not be stored post-authorization?
• Full track data
• Track 1
• Track 2
• CVV2/CVC2
• PIN block
When is Track Data Allowed/Disallowed?
Track data:
• Cannot be stored past initial authorization
• Elements that are allowed to be stored (name, account number, and expiration date) should be parsed out and stored appropriately
• May (and must) travel over the network:
• Should be encrypted on the internal network
• Must be encrypted outside the internal network
• One exception - Issuers may store track data where necessary for issuing business needs
PCI DSS Scoping
PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data and all connected systems
• Includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, web servers)
• Encrypted cardholder data is still within scope
• Does include all account numbers
Merchants and Service Provider Scoping
• PCI Compliance
• Review includes networks connected to those that have cardholder data, unless internal firewalls are implemented and validated
• Review includes wireless access, even for non-cardholder data functions, unless there is a firewall between the wireless and production networks
• Good network segmentation can reduce the scope
• Service Provider scope for validation is same as scope for compliance (Merchants differ slightly…)
Merchant Validation Scope
• Merchant is responsible for compliance of all systems but validation scope is focused on systems related to authorization and settlement where cardholder data is processed, stored, or transmitted:
• All external connections into the merchant network
• All connections to and from the authorization and settlement environment
• Any data repository outside of the authorization and settlement environment where more than 500 thousand account numbers are stored
Scoping PCI
• Ways to limit the scope of PCI
• Network Segmentation
• Limiting Storage of Credit Card data
• Processing and Reporting as Separate DBAs
• PAN Truncation
• PAN Hashing
• Process/Procedure Changes
Compensating Controls
• Assessors can always consider compensating controls (except for track data storage)
• Compensating controls are “above and beyond” other PCI DSS requirements
• Compensating controls are applicable to most PCI DSS requirements
• Bottom line: must meet the intent and rigor of the original PCI requirement and would withstand a compromise attempt with the same preventive force as the original requirement
Technical Session - PCI Data Security Standard
DSS - 12 overall requirements (Digital Dozen) categorized in 6 logical groupings
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure applications
Technical Session - PCI Data Security Standard
Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
Thank You for Listening Questions?
Contact
Rose Andert, Associate Director, Protiviti
rose.andert@protiviti.com
602.273.8045
www.protiviti.com
Lance Wright, Senior Consultant, Protiviti
lance.wright@protiviti.com
602.683.4117
www.protiviti.com