Visa Cemea Account Information Security (AIS) Programme
Content
• Overview of the Payment Card Industry Data Security Standard (PCI DSS)
• Visa’s AIS Programme
• Benefits of the AIS Programme
• Compliance Validation Requirements and process
• Security Breaches and Vulnerability Experiences
PCI Data Security Standard (PCI DSS)
• Originally published as the Visa Account Information Security Standard in 2000 and globally mandated in 2001
• Growing pressure from the industry to create a single aligned global standard resulted in the alignment of the standard with the other payment schemes
• The Payment Card Industry Data Security Standard was published in Jan 2005 as the globally aligned standard supported by the payment schemes participating in the PCI initiative
PCI Participants GLOBAL
PCI DSS Objectives
• The main objective of PCI DSS is to improve the overall level of security for payments globally by:
  - Promoting a secure environment for cardholder data
  - Reducing inter-scheme redundancies and inconsistencies in requirements
  - Streamlining processes and reducing expenses
  - Providing a single validation that satisfies the requirements of all participating schemes
Elements of PCI DSS Alignment
• Aligned standards and validation tools:
  - PCI Data Security Standard (DSS)
  - PCI Security Audit Procedures
  - PCI Self-Assessment Questionnaire
  - PCI Network Security Scan Requirements
• Future alignment:
  - Payment Application Best Practices
  - PCI Payment Application Security Standard
PCI Security Standards Council
• To manage the aligned standard and validation tools, and to centrally manage the process of approving security assessors, the PCI participants formed the Payment Card Industry Security Standards Council (PCI SSC) in Sept 06
• PCI SSC is responsible for:
  - Managing and maintaining the aligned standards, including future updates
  - Approving on-site security assessors
  - Approving network scan vendors
• PCI SSC is a global forum
Overview of PCI DSS
• Consists of twelve basic requirements supported by more detailed sub-requirements:
• Build and maintain a secure network
  - Requirement 1. Install and maintain a firewall configuration to protect data
  - Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect cardholder data
  - Requirement 3. Protect stored data
  - Requirement 4. Encrypt transmission of cardholder data and sensitive information across public networks
• Maintain a vulnerability management program
  - Requirement 5. Use and regularly update anti-virus software
  - Requirement 6. Develop and maintain secure systems and applications
Overview of PCI DSS (cont.)
• Implement strong access control measures
  - Requirement 7. Restrict access to data by business need-to-know
  - Requirement 8. Assign a unique ID to each person with computer access
  - Requirement 9. Restrict physical access to cardholder data
• Regularly monitor and test networks
  - Requirement 10. Track and monitor all access to network resources and cardholder data
  - Requirement 11. Regularly test security systems and processes
• Maintain an information security policy
  - Requirement 12. Maintain a policy that addresses information security
Storing Cardholder Data
• What is allowed to be stored, transmitted, or processed?
  - PAN and expiration date
• How should the PAN be protected when stored?
  - Encrypted, hashed, or truncated
• What MUST NOT be stored post-authorization?
  - Full track data (Track 1 or 2)
  - CVV2
  - PIN block / clear PIN
Storing Track Data For Troubleshooting Purposes
• Sometimes track data must be stored (temporarily) for troubleshooting purposes
  - Why? Track misreads, network errors, encryption issues, etc.
• Procedures should be defined around this issue:
  - Retention period
  - Destruction procedure
  - Limits on the amount of cardholder data stored
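The two slides above state the storage rules in prose: PAN and expiry may be kept (with the PAN encrypted, hashed or truncated), while full track data, CVV2 and the PIN block must never be persisted after authorization. The following is an added Python example, not code from Visa or the AIS programme, showing how an application layer would enforce those rules before a record reaches the database. The field names, the sample authorization record (built around the well-known test PAN 4111 1111 1111 1111) and the HMAC key are assumptions made for the example; in production the key would live in an HSM or key-management service, not in source.

```python
import hashlib
import hmac
import re

# Fields PCI DSS forbids keeping once the transaction has been authorised
# (full track data, CVV2, PIN block / clear PIN). The field names are an
# assumption made for this example, not an official schema.
PROHIBITED_FIELDS = ("track1", "track2", "cvv2", "pin_block", "clear_pin")


def digits_only(pan: str) -> str:
    """Strip spaces/dashes so '4111 1111 ...' and '4111111111111111' compare equal."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncate to at most the first six and last four digits, masking the rest."""
    d = digits_only(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC) of the PAN, usable as a lookup token.

    An unkeyed hash of a 16-digit PAN whose BIN prefix is public can be
    brute-forced offline; keying it with a secret held outside the database
    removes that shortcut.
    """
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_record: dict, key: bytes) -> dict:
    """Return the subset of an authorisation record that may be persisted.

    Prohibited fields are dropped (and listed under 'dropped_fields' so the
    application log can show they were never written), the PAN is truncated,
    and a keyed hash is kept for matching repeat transactions.
    """
    dropped = [f for f in PROHIBITED_FIELDS if f in auth_record]
    stored = {k: v for k, v in auth_record.items() if k not in PROHIBITED_FIELDS}
    stored["pan"] = truncate_pan(auth_record["pan"])
    stored["pan_hash"] = hash_pan(auth_record["pan"], key)
    stored["dropped_fields"] = dropped
    return stored


# Constructed sample: a swipe authorisation as it might arrive from a POS,
# using the test PAN 4111 1111 1111 1111 and made-up track/CVV2/PIN values.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "2512",
    "amount": "42.00",
    "track2": ";4111111111111111=25121010000000000000?",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
}

if __name__ == "__main__":
    # Demo key only; a real deployment would fetch the key from an HSM/KMS.
    print(sanitize_for_storage(SAMPLE_AUTH, key=b"demo-key-not-for-production"))
```

The stored record keeps the expiry and amount, replaces the PAN with `411111******1111`, adds the keyed hash, and never sees the track, CVV2 or PIN-block fields at all; logging `dropped_fields` gives an assessor evidence that the drop happens on every path rather than relying on a database-level purge afterwards.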
Visa’s AIS Programme
• Due to the different business models and legal liabilities, all PCI participants agreed that each scheme maintains, manages and enforces its own compliance program
• Within Visa, PCI DSS compliance is validated via the regional Account Information Security Programme
• The programme is known as the AIS Programme in all Visa regions except the US, where it is called the Cardholder Information Security Programme (CISP)
Visa’s responsibilities
• Enforces compliance via the regional AIS programme
• Manages communications, education, and support for Members, Merchants, and Service Providers
• Reviews and signs off the Report of Compliance for members, merchants and service providers
• Works with Visa Members to ensure compliance of their merchants and service providers
Members’ responsibilities
• All Members must comply with the PCI Data Security Standard
• Members are responsible for ensuring the compliance of their merchants, service providers and other agents who store, process, or transmit cardholder data
• Ensure their merchants, service providers or other agents do not store track data post-authorization
• Report any data breach to Visa and take the appropriate action to mitigate further damage to the business and the Visa brand
• Undergo compliance validation as outlined within the regional AIS programme from Jan 2008
Benefits of the AIS Programme
• Limits risk associated with data compromise and fraud
• Improves confidence in the payment industry
• Protects reputation
• Promotes brand integrity
• Boosts consumer confidence
• Provides a competitive edge
Compliance Validation, Requirements and process
• Merchant Levels Defined
• Cemea VBV Mandate
• Acquirer responsibilities
• Service Provider Levels Defined
• Member Levels Defined
• Compliance Validation Cycle
• Compliance validation process
• Who can validate compliance
Merchant Levels Defined
Only merchants who have the ability to store, process or transmit data need to be validated.
VBV Mandate
• E-commerce merchants are not allowed to store data in the Cemea region
• Exceptions are granted to certain types of e-commerce merchants on a case-by-case basis
• Acquirers need to seek approval from Visa’s senior management prior to allowing merchants to store data
Acquirer responsibilities
• Visa Acquirers are responsible for:
  - Ensuring their merchants are PCI DSS compliant
  - Managing merchant communications
  - Working with their Merchants until full compliance has been validated (merchants are not compliant until all requirements have been met and validated)
  - Providing Visa with their merchants’ compliance status
  - Any liability that may occur as a result of non-compliance with PCI DSS
Members’ responsibilities
• Members must use, and are responsible for ensuring that their merchants use, service providers that are PCI DSS compliant
• Visa Members are responsible for any liability that may occur as a result of non-compliance of service providers with PCI DSS
Member Levels Defined
Compliance validation to commence in Jan 2008.
Validation Cycle
• All entities must validate compliance on an annual basis
• Annual revalidation is required within 12 months of the date the previous Report of Compliance was accepted
• Quarterly network scans must be performed at three-month intervals
Compliance Validation Process - Merchants
• Acquirers are responsible for managing the compliance validation of their merchants as outlined within the merchant validation thresholds
• Where a Level 1 Merchant is identified, Acquirers must provide information regarding the Level 1 merchant to Visa
• Once the appropriate validation has been completed, the acquirer must provide Visa with an Assertion of Compliance letter indicating:
  - Name of merchant and type of validation completed
  - Every requirement is met (including those met via compensating controls)
  - All remediation is complete and revalidated
  - Terminology used must reflect compliance
  - The PCI Security Audit Procedures were followed if an on-site review was performed
  - All findings are accurate
  - No evidence of magnetic stripe data or CVV2 data storage
Compliance Validation Process – Service Providers
• Service Providers are required to undertake compliance validation independently by contracting the appropriate security vendor
• Once the validation is completed, the QSA and Service Provider must sign an Assertion of Compliance letter indicating:
  - What validation task was completed
  - Every requirement is marked “In Place” (including those met via compensating controls)
  - Terminology used must reflect compliance
  - All remediation is complete and revalidated
  - The PCI Security Audit Procedures were followed if an on-site review was performed
  - All findings are accurate
  - No evidence of magnetic stripe data or CVV2 data storage
• Where an on-site review is performed, a copy of the Compliance Report must be submitted to Visa for sign-off prior to submitting the letter of assertion
Who can validate compliance
• On-site review must be performed by a PCI SSC approved Qualified Security Assessor (QSA)
• Self-assessment should ideally be performed by an internal IT auditor or a QSA to ensure impartiality and accuracy
• Vulnerability scanning must be performed by a PCI SSC Approved Scanning Vendor (ASV)
Other related requirements
• PCI PIN Security Standard
  - Clear PIN and PIN Block must not be stored in transaction journals or logs post-authorisation
• International Member Letter 14/04
  - Effective 1st April 2007, the PAN must be truncated on the cardholder copy of the receipt
  - Effective 1st April 2005, all newly deployed devices must have the capability to truncate the PAN
Security Breaches Overview
• Payment Card Industry Experience
• Security Breaches
• Hacker Focus
• Impact of Data Compromises
• Incident Response Procedures
Payment Card Industry Experience
• Increased regulatory pressure to address security risk
• Risk of consumer loss of confidence in brand and payment system
• Globally organized criminals increasingly involved in hacks
• Data compromises result in fraud losses
Security Breaches: System Vulnerabilities
• No segmentation and/or firewall
• Un-patched systems and/or default configuration
• No logging
• No encryption or authentication on wireless access points
• Default passwords
• No intrusion monitoring
• Unsecured point-of-sale technology
Hacker Focus
• Hackers are attacking:
  - Brick-and-mortar merchants
  - E-commerce merchants
  - Third-party entities in the payment system
  - In-house processing banks
• Hackers are looking for:
  - Software that stores sensitive cardholder data
  - Personal information
  - Corporate intellectual property
  - Track data and payment account numbers
Impact of Data Compromises
• Notification/disclosure
• Brand/reputation
• Loss of business/consumer confidence
• Financial liabilities
  - Compromised Entity
  - Visa Member
• Litigation
• Government intervention/legislation
Incident Response Procedures
• Contain and limit exposure
• Understand the entity’s environment
• Identify how the compromise occurred
• Identify whether full magnetic stripe data was retained
• Engage a forensic team immediately
• Action items:
  - Contract with a qualified forensic team to determine findings
  - Validate that full track data has been removed
  - Bring the environment into PCI DSS compliance
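"Validate that full track data has been removed" and the assertion-letter item "no evidence of magnetic stripe data or CVV2 data storage" both come down to searching logs, journals and database dumps for things that should not be there. The following is an added Python example, not a Visa or PCI SSC tool, of such a scan. It recognises Track 1 and Track 2 by their ISO/IEC 7813 sentinels (`%B…^…^` and `;…=…`), and bare 13 to 19 digit runs only when they pass the Luhn check, so that reference numbers do not drown the report. The sample POS debug log is constructed for the example around the test PAN 4111 1111 1111 1111; findings are reported with the PAN already truncated so the report itself does not become a new store of cardholder data.

```python
import re

# Track layouts per ISO/IEC 7813: Track 1 is '%B' + PAN + '^' + name + '^' + YYMM...,
# Track 2 is ';' + PAN + '=' + YYMM... + '?'. The patterns only need the leading
# sentinel, the PAN and the four expiry digits to fire.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# Bare 13-19 digit runs, confirmed with a Luhn check to reduce false positives.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four so the finding itself is storable."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) tuples for every prohibited item found in one line."""
    findings = []
    seen_spans = set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            seen_spans.add(m.span(1))
    # A PAN embedded in track data is already reported above; skip it here.
    for m in PAN_RE.finditer(line):
        if m.span(1) not in seen_spans and luhn_valid(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log or dump; each finding records line number, kind and masked PAN."""
    report = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pan in scan_line(line):
            report.append({"line": line_no, "kind": kind, "pan": pan})
    return report


# Constructed POS debug log (not real data). Line 1 is a correctly masked PAN,
# line 4 is a 13-digit reference that fails Luhn; lines 2, 3 and 5 are the
# kind of leakage an assessor expects a clean environment not to contain.
SAMPLE_LOG = """\
2007-04-01 10:02:13 POS01 auth ok pan=411111******1111 amount=42.00
2007-04-01 10:02:14 POS01 debug swipe=;4111111111111111=25121010000000000000?
2007-04-01 10:03:55 POS02 debug track1=%B4111111111111111^DOE/JOHN^2512101000000000000000?
2007-04-01 10:04:01 POS02 auth ok ref=1234567890123 amount=9.99
2007-04-01 10:05:30 POS03 error retry card=4111111111111111 msg=timeout
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
```

Run against the sample it reports Track 2 on line 2, Track 1 on line 3 and a bare PAN on line 5, and stays silent on the masked PAN and on the non-Luhn reference number. The same scan is what the "validate full track has been removed" step needs after remediation: an empty report over the journals, debug logs and database exports is the evidence, and any hit points to a code path the sanitising layer missed.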
Useful contacts
• Standard, validation tools and approved vendors: www.pcisecuritystandards.org./
• Information on Visa Cemea’s AIS Programme: www.visacemea.com/ac/ais/data_security.jsp
• Reporting a data breach:
  - Visa Regional Risk Head
  - CemeaFraudcontrol@Visa.com