Introduction to Payment Card Industry Data Security Standard 21st Annual ECI Conference Simon Pugh

Upload: theodore-mclaughlin

Post on 29-Dec-2015


TRANSCRIPT

Page 1

Introduction to Payment Card Industry Data Security Standard

21st Annual ECI Conference

Simon Pugh

Page 2

History of PCI Security Standards Council

• Responsible for development, management, education and awareness of the PCI Security Standards

• Formed by American Express, Discover, JCB, MasterCard and Visa in 2006

• Its genesis dates back to work underway during the dot-com boom a decade ago

Page 3

Three Components of PCI


Source: PCI Security Standards Council

Page 4

PCI DSS – 6 Goals, 12 Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Page 5

Applicability of PCI DSS

Data Element                                    Storage Permitted   Protection Required

Cardholder Data
  Primary Account Number (PAN)                  Yes                 Yes
  Cardholder Name                               Yes                 Yes*
  Service Code                                  Yes                 Yes*
  Expiration Date                               Yes                 Yes*

Sensitive Authentication Data (Post Authorization)
  Full Magnetic Stripe Data                     No                  N/A
  CAV2/CVC2/CVV2/CID                            No                  N/A
  PIN/PIN Block                                 No                  N/A

Source: PCI Security Standards Council
* If stored in conjunction with the PAN

Page 6

Six steps to PCI DSS Compliance

• If you don’t need it, don’t store it
• Secure the perimeter
• Secure applications
• Control access to systems
• Protect stored cardholder data
• Finalize remaining compliance efforts, and ensure all controls are in place
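As an added example (not part of Simon Pugh's slides), the storage table on the previous page and the steps above expressed as a check a retailer could run over records found on an in-store processor: sensitive authentication data is flagged outright, a clear-text PAN is flagged together with the cardholder data stored beside it, and a helper shows one way to render the PAN unreadable. The field names, the sample record and the token key are constructed assumptions.

```python
import hmac
import hashlib
import re

# Storage rules from the slide's "Applicability of PCI DSS" table.
# Sensitive Authentication Data: storage is not permitted after authorization.
SAD_FIELDS = {"track_data", "cvv2", "pin_block"}
# Cardholder data that requires protection when stored together with the PAN.
PROTECT_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}
PAN_RE = re.compile(r"\d{13,19}")

# Hypothetical key for the lookup token; in practice it comes from a key manager.
TOKEN_KEY = b"constructed-demo-key"

# Constructed sample of a record an in-store processor might have written to disk.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "J DOE",
    "expiration_date": "1226",
    "cvv2": "123",
}

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to distinguish a PAN from an arbitrary number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def render_pan_unreadable(pan: str) -> dict:
    """Keep first six and last four for business use; keyed hash for lookups."""
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {"pan_masked": masked, "pan_token": token}

def audit_record(record: dict) -> list:
    """List the ways a post-authorization record violates the storage table."""
    findings = []
    for field in sorted(SAD_FIELDS & record.keys()):
        findings.append(f"{field}: sensitive authentication data, storage not permitted")
    pan = record.get("pan")
    if pan is not None and PAN_RE.fullmatch(pan) and luhn_ok(pan):
        findings.append("pan: stored in clear text, must be rendered unreadable")
        for field in sorted(PROTECT_WITH_PAN & record.keys()):
            findings.append(f"{field}: stored with the PAN, protection required")
    return findings
```

Running `audit_record(SAMPLE_RECORD)` returns four findings (the CVV2, the clear PAN, and the name and expiration date stored beside it); a record holding only the masked PAN and token returns none.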

Page 7

A Simple view of a Payment Transaction

THE ANATOMY OF A TRANSACTION

Authorization (time of purchase)
  1. Cardholder submits MasterCard account to merchant
  2. Merchant’s bank asks MasterCard to determine cardholder’s bank
  3. MasterCard authorization system validates card security features and approves sending to cardholder’s bank for purchase approval
  4. Cardholder’s bank approves purchase
  5. MasterCard sends approval to merchant’s bank
  6. Merchant’s bank sends approval to merchant
  7. Cardholder completes purchase and receives receipt

Clearing (usually within one day)
  1. Merchant’s bank sends purchase information to MasterCard network
  2. MasterCard clearing system validates information and approves sending purchase information to cardholder’s bank, which prepares data for cardholder’s statement
  3. MasterCard clearing system provides comprehensive reconciliation to both the merchant’s bank and to the cardholder’s bank

Source: MasterCard Worldwide

Page 8

The Retailer’s View

[Network diagram: a Store with POS terminals, an In-Store Processor, a Wireless AP, a Kiosk and Wireless Devices segmented across VLAN 1 to VLAN 4 behind a Router/Switch; a WAN link to the Headquarter/Data Center, where a Router fronts the Corporate network and the Line of business and management servers.]

Page 9

PCI DSS - Concluding Thoughts

• PCI DSS seems simple in theory – compliance is far more challenging and expensive
• Not complying can be far more costly though!
• Technologies such as Chip+PIN may reduce the value of compromised cardholder data but don’t simplify the burden of compliance – today.