290 likes | 485 Views
PCI DSS and MasterCard Site Data Protection Program. Payment System Integrity September 2008. Agenda. PCI Brief History Security Standards Council Documentation, Tools, Vendors SDP Acquirer requirements Compliance Database Enforcement Safe Harbor
E N D
PCI DSSand MasterCard Site Data Protection Program Payment System Integrity September 2008
Agenda • PCI • Brief History • Security Standards Council • Documentation, Tools, Vendors • SDP • Acquirer requirements • Compliance Database • Enforcement • Safe Harbor • Special Topics: Level 4 merchants, ADC Cases • Reporting and support MasterCard Proprietary
Evolution of Industry Approach • Feb 2002: Optional SDP service launched • April 2003: MasterCard Security Standard published • June 2003: SDP program deployed globally • Sept 2003: SDP mandate announced • June 2004: Initial compliance date for Level 2 merchants and service providers • December 2004: PCI Data Security Standard (v1.0) published • June 2005: Initial compliance date for Level 1 and 3 merchants and service providers • September 2006: PCI Security Standards Council formed and PCI DSS v1.1 published • May 2007: SDP mandate expanded • Nov 2007: PIN PED and PA DSS part of the PCI SSC • Feb 2008: Revised PCI SAQ released MasterCard Proprietary
The PCI Security Standards Council Members MasterCard Proprietary
PCI SSC – Scope • Develop and manage the PCI Security Standards (PCI DSS) and related documents • Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) • Provide an open forum where stakeholders can provide input to the ongoing development of payment security standards. • Address industry and constituent questions on standards and interpretation of standards MasterCard Proprietary
PCI SSC Participating Organizations by Industry Financial Institutions Vendors Merchants Associations Gateways EFT Networks Processors Service Provider MasterCard Proprietary
United States 73% Asia Pacific 2% Canada 6% Europe 16% LAC 1% Central Europe /Middle East /Africa 2% Global Participation & Representation More than 400 organizations have been accepted MasterCard Proprietary
Participating Organization Benefits • Vote and Run for Participating Organization Board of Advisors • Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release • Attend Community Meetings • Attend Quarterly Webinar Meetings • Recommend new initiatives and standards • Early updates on upcoming press releases • Monthly bulletin from SSC General Manager Reserve Your Seat at the Table! MasterCard Proprietary
PCI SSC - The Standards PCI PED PCI PA-DSS PCI DSS PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties. PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data) PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions Payment Applications (e.g. Shopping cart, POS) Merchants’ and Service Providers’ cardholder data environment Stand Alone PED Device PEDs Integrated with payment applications (POS, ATM) Payment Applications in merchants/ service providers environment** PA DSS may apply* PCI PED applies-PED device only PCI DSS applies – systems & networks MasterCard Proprietary
PCI DSS • Build and Maintain a Secure Network • Requirement 1: Install and maintain a firewall configuration to protect cardholder data • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters • Protect Cardholder Data • Requirement 3: Protect stored cardholder data • Requirement 4: Encrypt transmission of cardholder data across open, public networks • Maintain a Vulnerability Management Program • Requirement 5: Use and regularly update anti-virus software • Requirement 6: Develop and maintain secure systems and applications • Implement Strong Access Control Measures • Requirement 7: Restrict access to cardholder data by business need-to-know • Requirement 8: Assign a unique ID to each person with computer access • Requirement 9: Restrict physical access to cardholder data • Regularly Monitor and Test Networks • Requirement 10: Track and monitor all access to network resources and cardholder data • Requirement 11: Regularly test security systems and processes • Maintain an Information Security Policy • Requirement 12: Maintain a policy that addresses information security MasterCard Proprietary
PCI Cardholder Data Storage Clarification * Data elements must be protected when stored in conjunction with PAN ** Compensating controls for encryption may be employed MasterCard Proprietary
PCI Self Assessment Questionnaire SAQ Validation Type Description SAQ Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face to face merchants A <20 Questions 1 Imprint-only merchants with no cardholder data storage B 21 Questions 2 B 21 Questions Stand alone dial-up terminal merchants, no cardholder data storage 3 C 38Questions Merchants with payment application systems connected to the Internet, no cardholder data storage 4 All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by apaymentbrand as eligible to complete an SAQ 5 D Full DSS Note: Sunset date for old version of SAQ is April 30, 2008 MasterCard Proprietary
PCI SSC Milestones in 2008 • Phased Approach for PA-DSS • Phase 1: Publish PA-DSS and testing procedures • Phase 2: PA-QSA testing approval • Phase 3: Payment application validation • Searchable FAQ Tool launched on PCI SSC Website • Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution MasterCard Proprietary
PCI and SDP – Functional Areas Standards Development and Interpretation PCI SSC ----------------------------- Acquirers QSAs Payment Brands ---------------------- Compliance Validation Enforcement MasterCard Proprietary
PCI SSC - Not in scope • The following functions will be performed by each payment brand individually • Approval and posting of compliant third party service providers • Forensics and response to Account Data Compromise (ADC) events • PCI compliance tracking and enforcement MasterCard Proprietary
The SDP Program - 3 Major Components • Reporting • Acquirers must submit quarterly compliance reports on their affected merchants (level 1, 2 and 3) • Service Providers submit a Certificate of Validation (COV) or a PCI action plan for review and approval • Registration • Annual merchant requirement that is fulfilled via the MasterCard Registration Program (MRP) • Enforcement • Communications, Assessments and MCBS Billing MasterCard Proprietary
Entities that Store, Transmit or Process Cardholder Data • Any entity that stores, transmits or processes cardholder data must comply with the PCI DSS. • This statement has broad application in the financial industry. • Under the SDP Program, only affected merchants and service providers are required to validate their compliance. • MasterCard does not require compliance evidence or validation from issuers or acquirers. MasterCard Proprietary
Reporting - SDP Submission Form v3.0 Instruction Tab Acquirer Data Tab Merchant Data Tab Available on www.mastercard.com/sdp MasterCard Proprietary
Reporting - PCI Compliance Levels MasterCard Proprietary
Reporting - Level 4 Merchants • Compliance with the PCI Data Security Standard is required for all Level 4 merchants • The only optional aspects of compliance for Level 4 merchants are: • Active compliance validation with their acquirer • Card Association specific steps (e.g., MRP registration) • To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following: • An annual PCI self assessment • Quarterly network security scans MasterCard Proprietary
PCI Onsite Assessment • PCI Self Assessment • PCI Quarterly Network Scanning Registration - PCI and SDP Compliance PCI Compliance • Compliance Validation with Acquirer • Acquirer Registration of Merchant with MasterCard The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard. SDP Compliance The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements. PCI Compliance + SDP Compliance = Safe Harbor MasterCard Proprietary
Enforcement – Areas of Focus • Enforcement activities are generally managed in three distinct categories: • Non-reporting or incomplete quarterly reporting • Merchant storage of sensitive authentication data (post authorization) • Insufficient compliance progress • Communications is the preferred route of enforcement and range from informal to formal. SDP Global Mailbox: sdp@mastercard.com MasterCard Proprietary
Enforcement - Process Each quarter, MasterCard reviews merchant submissions against the 3 identified categories. Prior to any SDP noncompliance assessment, there is direct customer communication, both formal (letters) and informal (emails). The overall intent is to drive compliance, with SDP noncompliance assessments as only one tool. MasterCard Proprietary
SDP Enforcement • In 3Q2008, MasterCard will begin to enforce the completion of the Sensitive Authentication Data Storage field • Level 3 merchants • Continued focus on timely and complete quarterly reporting MasterCard Proprietary
SDP and Account Data Compromise • With a confirmed ADC, there is a demonstrated risk to the payment system. • MasterCard rules govern the immediate actions that acquirers must undertake with an ADC event. • Per MasterCard rules, all ADCs are classified as Level 1 with the compliance requirements of a annual onsite assessment and quarterly network scans. • Once action is taken by the ADC group, the merchant enters an accelerated PCI compliance process. MasterCard Proprietary
Contact Information For general Site Data Protection inquiries: Email: sdp@mastercard.com Website: www.mastercard.com/sdp For MasterCard security initiatives visit www.mastercardsecurity.com For the PCI Security Standards Council www.pcisecuritystandards.org MasterCard Proprietary