PCI DSS and MasterCard Site Data Protection Program
Payment System Integrity
September 2008
MasterCard Proprietary 2
Agenda
• PCI
– Brief History
– Security Standards Council
– Documentation, Tools, Vendors
• SDP
– Acquirer requirements
– Compliance Database
– Enforcement
– Safe Harbor
– Special Topics: Level 4 merchants, ADC Cases
– Reporting and support
Evolution of Industry Approach
• Feb 2002: Optional SDP service launched
• April 2003: MasterCard Security Standard published
• June 2003: SDP program deployed globally
• Sept 2003: SDP mandate announced
• June 2004: Initial compliance date for Level 2 merchants and service providers
• December 2004: PCI Data Security Standard (v1.0) published
• June 2005: Initial compliance date for Level 1 and 3 merchants and service providers
• September 2006: PCI Security Standards Council formed and PCI DSS v1.1 published
• May 2007: SDP mandate expanded
• Nov 2007: PIN PED and PA DSS part of the PCI SSC
• Feb 2008: Revised PCI SAQ released
PCI Security Standards Council
The PCI Security Standards Council Members
PCI SSC – Scope
• Develop and manage the PCI Security Standards (PCI DSS) and related documents
• Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• Provide an open forum where stakeholders can provide input to the ongoing development of payment security standards.
• Address industry and constituent questions on standards and interpretation of standards
PCI SSC Participating Organizations by Industry
Merchants, Associations, Vendors, Financial Institutions, Gateways, Processors, EFT Networks, Service Providers
Global Participation & Representation
More than 400 organizations have been accepted
[Pie chart: Participating Organizations by region. United States 73%; the remaining 27% is split among Asia Pacific, LAC, Europe, Central Europe / Middle East / Africa and Canada (chart slices of 16%, 6%, 2%, 2% and 1%)]
Participating Organization Benefits
• Vote and Run for Participating Organization Board of Advisors
• Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release
• Attend Community Meetings
• Attend Quarterly Webinar Meetings
• Recommend new initiatives and standards
• Early updates on upcoming press releases
• Monthly bulletin from SSC General Manager
Reserve Your Seat at the Table!
PCI SSC - The Standards
• PCI PED addresses device characteristics impacting the security of the PIN Entry Device (PED) during financial transactions.
• PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties.
• PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data).
[Diagram: scope of the three standards. Stand-alone PED device and PEDs integrated with payment applications (POS, ATM): PCI PED applies, PED device only. Payment applications (e.g. shopping cart, POS) in merchants’/service providers’ environment**: PA DSS may apply*. Merchants’ and service providers’ cardholder data environment: PCI DSS applies, systems & networks.]
PCI DSS
• Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
PCI Cardholder Data Storage Clarification

| Component | Storage Permitted | Protection Required | Encryption Required** |
|---|---|---|---|
| Cardholder Data: PAN | YES | YES | YES |
| Cardholder Data: Expiration Date* | YES | YES | NO |
| Cardholder Data: Service Code* | YES | YES | NO |
| Cardholder Data: Cardholder Name* | YES | YES | NO |
| Sensitive Authentication Data: Full Magnetic Stripe | NO | N/A | N/A |
| Sensitive Authentication Data: CVC2/CVV/CID | NO | N/A | N/A |
| Sensitive Authentication Data: PIN | NO | N/A | N/A |

* Data elements must be protected when stored in conjunction with PAN
** Compensating controls for encryption may be employed
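The storage rules in this table can be checked mechanically: a scan of application logs or database exports for full track data, card verification codes and unprotected PANs is the kind of evidence a merchant or acquirer reviews before filling in the "sensitive authentication data storage" field. The following Python is an added example, not code from the MasterCard deck; the log lines, the field names (track2, cvc2) and the PAN (a test number) are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the deck): a POS debug log that
# writes full track 2 data and a CVC2 value after authorization, plus a
# benign line that keeps only a masked PAN. The PAN is a test number.
SAMPLE_LOG = """\
2008-09-01 12:00:01 auth request pan=555555******4444 exp=1012 amount=19.99
2008-09-01 12:00:02 debug raw track2=;5555555555554444=10121011234?
2008-09-01 12:00:03 ecom order 7731 cvc2=123 pan=5555555555554444
2008-09-01 12:00:04 settlement batch 42 closed ok
"""

# Track 2 layout: PAN '=' YYMM service-code discretionary-data, ';' and '?' sentinels.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Card verification values stored under their usual field names (cvc2/cvv2/cid).
CVC_RE = re.compile(r"\b(?:cvc2|cvv2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Candidate PAN: a 13-19 digit run not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn check used to separate real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_line(line):
    """Map one log line to the PCI storage findings it triggers."""
    findings = set()
    if TRACK2_RE.search(line):
        findings.add("FULL_TRACK_DATA")         # storage never permitted
    if CVC_RE.search(line):
        findings.add("CARD_VERIFICATION_CODE")  # storage never permitted
    for pan in PAN_RE.findall(line):
        if luhn_ok(pan):
            findings.add("CLEARTEXT_PAN")       # permitted only if protected
    return findings


def scan_log(text):
    """Return [(line_number, findings)] for every line with a finding."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        found = classify_line(line)
        if found:
            results.append((number, found))
    return results


if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(sorted(found))}")
```

PIN blocks carry no recognisable pattern, so that row of the table still needs a design review rather than a scan.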
PCI Self Assessment Questionnaire

| SAQ Validation Type | Description | SAQ |
|---|---|---|
| 1 | Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants | A (<20 questions) |
| 2 | Imprint-only merchants with no cardholder data storage | B (21 questions) |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B (21 questions) |
| 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C (38 questions) |
| 5 | All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D (Full DSS) |

Note: Sunset date for old version of SAQ is April 30, 2008
PCI SSC Milestones in 2008
• Phased Approach for PA-DSS
– Phase 1: Publish PA-DSS and testing procedures
– Phase 2: PA-QSA testing approval
– Phase 3: Payment application validation
• Searchable FAQ Tool launched on PCI SSC Website
– Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution
PCI and SDP – Functional Areas
[Diagram: three functional areas (Standards Development and Interpretation; Compliance Validation; Enforcement) and the bodies involved in them: PCI SSC, Payment Brands, Acquirers, QSAs]
MasterCard Site Data Protection (SDP)
PCI SSC - Not in scope
• The following functions will be performed by each payment brand individually
– Approval and posting of compliant third party service providers
– Forensics and response to Account Data Compromise (ADC) events
– PCI compliance tracking and enforcement
The SDP Program - 3 Major Components
• Reporting
– Acquirers must submit quarterly compliance reports on their affected merchants (level 1, 2 and 3)
– Service Providers submit a Certificate of Validation (COV) or a PCI action plan for review and approval
• Registration
– Annual merchant requirement that is fulfilled via the MasterCard Registration Program (MRP)
• Enforcement
– Communications, Assessments and MCBS Billing
Entities that Store, Transmit or Process Cardholder Data
• Any entity that stores, transmits or processes cardholder data must comply with the PCI DSS.
• This statement has broad application in the financial industry.
• Under the SDP Program, only affected merchants and service providers are required to validate their compliance.
• MasterCard does not require compliance evidence or validation from issuers or acquirers.
Reporting - SDP Submission Form v3.0
Available on www.mastercard.com/sdp
Instruction Tab
Acquirer Data Tab
Merchant Data Tab
Reporting - PCI Compliance Levels

| Category | Criteria | Requirements | Compliance Date |
|---|---|---|---|
| Level 1 | Merchants > 6 MM annual transactions (all channels); Service Providers > 1 MM annual transactions; All compromised merchants, TPPs and DSEs | Annual Onsite Audit; Quarterly Network Scan | 30 June 2005 |
| Level 2 | All merchants > 1 million and <= 6 million total MasterCard transactions annually; All merchants meeting the Level 2 criteria of a competing payment brand; Service Providers <= 1 MM annual transactions | Annual Self-Assessment; Quarterly Network Scan | 31 December 2008 |
| Level 3 | All merchants with annual MasterCard e-commerce transactions > 20,000 but less than one million total transactions; All merchants meeting the Level 3 criteria of a competing payment brand | Annual Self-Assessment; Quarterly Network Scan | 30 June 2005 |
| Level 4 | All other merchants | Annual Self-Assessment; Quarterly Network Scan | Consult Acquirer |
Reporting - Level 4 Merchants
• Compliance with the PCI Data Security Standard is required for all Level 4 merchants
• The only optional aspects of compliance for Level 4 merchants are:
– Active compliance validation with their acquirer
– Card Association specific steps (e.g., MRP registration)
• To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following:
– An annual PCI self assessment
– Quarterly network security scans
Registration - PCI and SDP Compliance
PCI Compliance
• PCI Onsite Assessment
• PCI Self Assessment
• PCI Quarterly Network Scanning
The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard.
SDP Compliance
• Compliance Validation with Acquirer
• Acquirer Registration of Merchant with MasterCard
The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements.
PCI Compliance + SDP Compliance = Safe Harbor
Enforcement – Areas of Focus
• Enforcement activities are generally managed in three distinct categories:
– Non-reporting or incomplete quarterly reporting
– Merchant storage of sensitive authentication data (post authorization)
– Insufficient compliance progress
• Communication is the preferred route of enforcement and ranges from informal to formal.
SDP Global Mailbox: [email protected]
Enforcement - Process
• Each quarter, MasterCard reviews merchant submissions against the 3 identified categories.
• Prior to any SDP noncompliance assessment, there is direct customer communication, both formal (letters) and informal (emails).
• The overall intent is to drive compliance, with SDP noncompliance assessments as only one tool.
SDP Enforcement
• In 3Q2008, MasterCard will begin to enforce the completion of the Sensitive Authentication Data Storage field
• Level 3 merchants
• Continued focus on timely and complete quarterly reporting
SDP and Account Data Compromise
• With a confirmed ADC, there is a demonstrated risk to the payment system.
• MasterCard rules govern the immediate actions that acquirers must undertake with an ADC event.
• Per MasterCard rules, all ADCs are classified as Level 1, with the compliance requirements of an annual onsite assessment and quarterly network scans.
• Once action is taken by the ADC group, the merchant enters an accelerated PCI compliance process.
Contact Information
For general Site Data Protection inquiries:
Email: [email protected]
Website: www.mastercard.com/sdp
For MasterCard security initiatives visit
www.mastercardsecurity.com
For the PCI Security Standards Council
www.pcisecuritystandards.org
Thank you.