Post on 20-Jan-2016
The influence of PCI upon retail payment design and architectures
Ian White, QSA
Head of UK&I and ME PCI Team
September 4, 2013
Weekend Conference 7 & 8 September 2013
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 3
ISG Weekend Conference 7 & 8 September 2013
Agenda
• The PCI DSS
• The Retail Environment
  – Card Payments
  – The Retail Environment
    • The retail store
    • eCommerce
    • The call centre (MOTO)
• Current challenges
• Further Information
The PCI Data Security Standard
• Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
• Currently on version 2.0, with Version 3.0 published 7th Nov 2013
• Compliance is managed by the individual Card Brands
• Recognises Merchants and Service Providers (or TPP / DSE)
• Annual validation usually based around transaction volumes (SAQ or Report On Compliance)
• QSA and ISA roles exist to support independent validation against the control requirements
• An industry standard – but backed by legislation in some jurisdictions, and should perhaps be viewed as “best practice”
The Payment Card Industry standards
• PCI DSS: covers the security of environments that store, process or transmit Account Data.
• PCI PA DSS: covers Payment Applications so that they can support PCI DSS compliance.
• PCI PTS: covers hardware devices, for example HSMs and PEDs, for protection of the PIN.
• PCI P2PE: encryption, decryption and key management within secure devices (hardware / hardware).
• PCI PIN: secure management, processing and transmission of PIN data during online and offline payment processing.
Cardholder Data
[Figure: Account Data, showing Cardholder Data alongside Track 1 and Track 2 data]
The PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
PCI DSS Version 2.0
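The Account Data slide and requirement 3 (protect stored cardholder data) concern the same fields, and the "Logging" item among the later challenges is where they most often leak. The Python below is an added example, not material from the presentation or from Verizon: it parses constructed Track 1 / Track 2 samples laid out in the ISO/IEC 7813 convention, reduces a parsed track to the fields that may be retained after authorisation (with the PAN masked), and scrubs embedded track data and Luhn-valid PANs out of constructed log lines while leaving other long numbers alone. The `4111…` test PAN, the log lines and all function names are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

# Constructed samples (not from the presentation). The PAN is the well-known
# 4111... test number, which passes the Luhn check; the other values are made up.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
SAMPLE_LOG = [
    "2013-09-04 10:15:01 POS01 auth ok pan=4111111111111111 amt=12.50 code=A1B2C3",
    "2013-09-04 10:15:02 POS01 order=20130904001 ref=1234567890123",
    "2013-09-04 10:15:03 POS02 track2=;4111111111111111=25121011234567890? resp=00",
]

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?   (ISO/IEC 7813 layout)
TRACK1_RE = re.compile(r"^%([A-Z])(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{4})(\d{3})([^?]*)\?$")
# The same Track 2 shape when it appears embedded in free text such as a log line.
TRACK2_INLINE_RE = re.compile(r";\d{13,19}=\d{7}[^?;]*\?")
# Candidate PANs in free text: a run of 13 to 19 digits not adjacent to other digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; separates PANs from other long numbers (order refs etc.)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS 3.3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track: str) -> Optional[dict]:
    """Split a raw track into its fields; None if the string is not Track 1 or Track 2."""
    m = TRACK1_RE.match(track)
    if m:
        _fmt, pan, name, expiry, svc, disc = m.groups()
        return {"track": 1, "pan": pan, "name": name, "expiry": expiry,
                "service_code": svc, "discretionary": disc}
    m = TRACK2_RE.match(track)
    if m:
        pan, expiry, svc, disc = m.groups()
        return {"track": 2, "pan": pan, "name": None, "expiry": expiry,
                "service_code": svc, "discretionary": disc}
    return None


def storable_record(fields: dict) -> dict:
    """Fields that may be retained after authorisation: PAN rendered unreadable
    (masked here), cardholder name, expiry and service code. The full track and
    its discretionary data are sensitive authentication data and are dropped."""
    return {"pan_masked": mask_pan(fields["pan"]), "name": fields["name"],
            "expiry": fields["expiry"], "service_code": fields["service_code"]}


def scrub_log_line(line: str) -> Tuple[str, int, int]:
    """Remove embedded Track 2 data, then mask Luhn-valid PANs in one log line.
    Returns (scrubbed line, PANs masked, tracks removed)."""
    tracks = len(TRACK2_INLINE_RE.findall(line))
    line = TRACK2_INLINE_RE.sub("[TRACK2 REDACTED]", line)
    pans = 0

    def _mask(m):
        nonlocal pans
        cand = m.group(1)
        if luhn_ok(cand):
            pans += 1
            return mask_pan(cand)
        return cand             # not a PAN (e.g. an order reference): leave it

    line = PAN_CANDIDATE_RE.sub(_mask, line)
    return line, pans, tracks


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(storable_record(parse_track(raw)))
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```

The second sample log line is the reason for the Luhn step: a 13-digit order reference looks like a PAN to a length-only regex, and a scrubber that masked it would corrupt operational logs and train staff to ignore its output. The third line shows why track data needs its own rule: masking only the PAN would still leave the discretionary field, which can carry card-verification values, in the log.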
The Retail Environment
[Figure: retail environment overview. Acceptance channels: POS Terminals, Internet, MOTO. Institutions: Acquirer. Corporate systems: Store POS Controller, Authorization Servers (Site A), POS Databases (Site B), Finance (Site C), Call Center (Site D), Printer (Site E), Loyalty]
“Connected To” Systems
• “Connected To” systems support the controls that protect the Cardholder Data Environment (CDE) and as such may be considered to be “in scope” of the PCI DSS for some requirements
• Typical examples include:
  – Active Directory (user accounts)
  – Log management
  – AV / malware software update / management servers
  – Patching servers
  – Backup servers
  – Terminal servers
  – Time servers
  – Support personnel desktops / laptops
  – …
Authorisation
[Figure: authorisation message flow, steps 1 to 7, between Cardholder, Merchant (WWW), Service Provider, Acquirer, Card Scheme network, Issuer and BofE]
The merchant requests and receives authorisation from the issuer to proceed with the transaction and receives an authorisation code
Clearing
[Figure: clearing message flow, steps 1 to 3, between Cardholder, Merchant (WWW), Service Provider, Acquirer, Card Scheme network, Issuer and BofE]
The acquirer sends the issuer the purchase information; the issuer responds and then prepares for settlement of funds
The Store Environment - expected
The Store Environment – actual?
The Store Environment – with segmentation
The Store Environment – P2PE?
[Figure: POS servers communicate with the corporate office, and card data is transmitted to the P2PE solution provider; the PED and stand-alone chip-and-PIN reader are P2PE validated]
Point-to-Point Encryption (P2PE)
• Currently very few solutions have been validated (2)
• The POI device encrypts the card data at the read head using a key that the merchant has no access to.
• P2PE supports HW to HW and so-called HW to Hybrid solutions (the term “Hybrid” refers to the decryption of the data taking place outside of the HSM, in software on a host system that uses an HSM to protect the keys)
• The use of a P2PE solution might enable a merchant to use a wide range of devices, such as the iPad, as these would only be providing a secure communications path for the (encrypted) data.
• PCI SSC list of validated P2PE solutions as at 6th Sept 2013
The eCommerce Environment - expected
PCI SSC QSA training 2011
The eCommerce Environment – actual?
PCI SSC QSA training 2011
The eCommerce Environment – with segmentation
Which PCI DSS requirements apply here – if any?
The eCommerce Environment – Using a Third Party?
Which PCI DSS requirements apply here – if any?
The Call Centre – areas to consider
• Policies and procedures
• Virtual terminals
• Call recording software
Some of the current challenges for retail
• Logging
• Legacy systems and encryption
• CCTV – especially in the retail store environment
• P2PE vs E2EE
• Wireless scanning / NAC
• Virtualisation / Cloud Services
• Contractual frameworks for third parties
• Loyalty schemes (Tokenisation?)
Further Information
Go to www.pcissc.org for detailed information and documentation (standards, guidance and FAQ)
http://www.verizonenterprise.com/DBIR/2013/
The Card Brands and acquiring banks have many documents that provide detailed advice and guidance on the PCI DSS and associated compliance issues
Ian.white@intl.verizon.com