
Page 1: Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals

© 2008 Protiviti Inc.

Payment Card Industry (PCI) Data Security Standards (DSS) Fundamentals

Presented by: Rose Andert and Lance Wright, July 24, 2008

Page 2: Learning Points

• What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

• Recent Data Breaches and Cost

• Card Brand Programs History and Non-compliance Problems

• Complementary Regulatory Compliance Efforts

• PCI Component Overview

• Member Requirements and Merchant Levels

• Identifying, Finding, Storing & Eliminating Sensitive Cardholder Info

• Scope of PCI

• PCI DSS (Digital 12)

• Self-Assessment versus Audit Requirements

Page 3: What is the PCI DSS?

Definition:

The Payment Card Industry (PCI) Data Security Standard (DSS) is a rigorous set of requirements designed to help retailers protect their customers’ identities by securing their payment account transactions (credit card/debit card) and stored card information.

• Neither a federal law nor a certification process

• A set of requirements standardized by the PCI Council

Page 4: What is the PCI DSS?

Main Objective:

Consistency in “due care” through mandated requirements for protecting customers’ payment account, transaction and authentication data

The PCI DSS includes requirements for:

• Security Management

• Policies and Procedures

• Network Architecture

• Software Design

• Other standards mandated around processing, storage and transmission of cardholder data

Page 5: Breaches

Page 6: The TJX Companies, Inc. Data Breach

• July 2005 to January 2007, TJX suffered the largest computer data breach in corporate history, affecting over 45 million credit and debit cards

• 451,000 customers exposed to identity theft, including Social Security numbers and driver’s license numbers

Source: http://online.wsj.com/article_email/article_print/SB117824446226991797.html

• August 2007, TJX disclosed that the costs of the data breach – including lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims – have soared to $256 million, up from the initial estimate of $25 million

Source: http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/

• Experts estimate that breach-related costs could potentially reach $1 billion dollars

• December 2007, TJX agreed to fund up to $40.9 million pre-tax for recovery payments to financial institutions as part of a settlement agreement

Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/

Page 7: Hannaford Bros. Data Breach

• In March 2008, the Massachusetts Bankers Association (MBA) notified 60 to 70 of its 200 member banks of a large data breach originating from a “major retailer” between December 2007 and March 2008

• It has been reported that the data breach occurred within Hannaford Bros., a Maine-based supermarket chain, exposing as many as 4.2 million credit and debit cards to fraud in Massachusetts and the northern New England states

• Hannaford has already reported that at least 1,800 cases have occurred where cards were used fraudulently

Source: http://www.boston.com/news/local/massachusetts/articles/2008/03/19/state_warns_hannaford_about_laws_on_data_leaks/

Page 8: Cost of Security Breaches Continues to Increase

• Breaches cost companies an average of $182 per compromised record*

• This was a 31% increase over 2005*

• Gartner analysts estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009**

*Ponemon Institute

**http://security.tekrati.com/research/9457/

Page 9: Card Brand Programs - History

• In June 2001, Visa developed a robust security audit program (CISP)

• In December 2004 the expanded Payment Card Industry (PCI) Data Security Standard (DSS) was adopted by American Express, Discover Financial Services, JCB International, MasterCard Worldwide (includes Diners Club) and Visa International

• In September 2006, the PCI Security Standards Council was formed

Page 10: Non-compliance is a Problem

Retailers Failing to Comply with Credit Card Security Standards

• Despite five years and two deadlines, just 65 percent of level one merchants (6 million+ annual transactions) and an estimated 43 percent of lower-volume merchants had fully validated compliance with cardholder data security standards (as of September 30, 2007)

Source: http://www.ecorablog.com/the_compliance_and_securi/pci_compliance/index.html

Page 11: Non-compliance is a Problem

Penalties are Severe

• Companies can be barred from processing credit card transactions and higher processing fees can be applied; in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance

Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

Page 12: Non-compliance is a Problem

Member Fines and Penalties

In case of a compromise, Members proven to be non-compliant or whose merchants or agents are non-compliant may be assessed:

• Non-compliance fine (egregious violations up to $500k)

• Forensic investigation costs

• Issuer/Acquirer losses

– Unlimited liability for fraudulent transactions

– Potential additional Issuer compensation (e.g., card replacement)

• Dispute resolution costs

• Disclosure costs

Page 13: Complementary Regulatory Compliance Efforts

Sarbanes-Oxley Act

• Requires that public companies have effective internal controls on financial reporting information with independent auditor attestation

• Prudent private companies comply as well

• It comes down to this:

– Access control: Who has access to what information?

– Auditability: Can you monitor and track access to information?

Page 14: Complementary Regulatory Compliance Efforts

Gramm-Leach-Bliley Act (GLBA)

• Requires that financial institutions safeguard “Personally Identifiable Information” (PII)

• Prudent retailers consider GLBA compliance a “best practice”

• Personal service depends on secure access to PII

– Data Privacy: Do your best customers trust you?

State Breach Notification Laws (SB1386)

• Require notification of customers if customer data is compromised

Page 15: PCI Component Overview

[Diagram: relationships among the Cardholder, Merchant, Acquirer and Issuer. Edge labels on the slide: “uses card to buy from”, “is a member of” (twice), “provides processing services to”, “issues cards to”, and “may or may not be the same as” (Issuer and/or Acquirer).]

Page 16: Member Compliance Requirements

• All Members must comply with the PCI Data Security Standard

• Issuing and Acquiring Members are not YET required to validate compliance unless they are a VisaNet Processor

• Members are responsible for ensuring the compliance of their merchants and service providers who store, process, or transmit cardholder data

• Compliance dates have come and gone. Banks established new reporting dates (e.g., 6/30/07 and 9/30/07 were common dates)

Page 17: Merchant Levels and Required Validation

Page 18: Self Assessment vs. Audit Requirements

All Merchants are responsible for complying with the PCI Standard

Validation varies based on merchant level

• Level 1 requires onsite audit using audit procedures document

• Level 2 and below require Self-assessment Questionnaire

Questionnaire is extremely high level… could result in a merchant thinking they are fully compliant with the standard when they are missing key controls

Merchants should read the PCI standard document and refer to the audit procedures for additional information and clarification regarding the controls and then fill out the Questionnaire with this information in mind

Page 19: New Requirements for Level 2 & 3 Merchants

Page 20: Credit Card Processing Prerequisites

1. Merchant processing agreements for card processing, including multiple Merchant IDs for each business unit and currencies

2. Merchant bank account for settlement deposits

3. Communication method for routing transaction data between SAP and each processor used (US, Europe, American Express, etc.)

Page 21: Visa Safe Harbor

• Safe harbor provides Members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor:

– The entity must be in full compliance with the PCI Data Security Standards at the time of the breach, as demonstrated during a forensic investigation

– The entity must have validated full compliance prior to the compromise

• Submission of a Report on Compliance (ROC), in and of itself, does not provide a Member safe harbor status

– Compromised entity must have adhered to all the requirements at the time of the breach

Page 22: Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data

• What information is at risk?

• Account and transaction information includes:

– Track Data

– CVV2/CVC2

– PIN block

– Primary Account Number (PAN)

– Expiration Date

– Password, name, e-mail, address, other personal data (when stored together with the PAN)
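The “finding” step in the slide title is usually a scan of logs, databases and file shares for account numbers that should not be there. The following is an added example, not code from the deck or from Protiviti: it looks for 13–19 digit runs in constructed sample lines, keeps only candidates that pass the Luhn mod-10 check that PANs satisfy, and reports each hit in truncated form (first six and last four digits) so the scan report itself does not become another store of cardholder data. The sample lines, the test PANs and the masking format are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample text (not from the deck): a log excerpt and a support note
# where card numbers might have leaked. 4111111111111111 and 5555555555554444
# are well-known test PANs; 1234567890123456 fails the Luhn check.
SAMPLE_LINES = [
    "2008-07-24 10:01:12 order=8812 pan=4111111111111111 exp=0910 status=APPROVED",
    "customer called re: card 5555 5555 5555 4444, refund requested",
    "trace id 1234567890123456 (not a card)",
    "2008-07-24 10:03:45 order=8813 status=DECLINED",
]

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for reporting: keep the first 6 and last 4 digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan lines and return (line_number, masked_pan) for each Luhn-valid hit.

    Digit runs that fail Luhn (trace ids, timestamps) are dropped, which keeps
    the false-positive rate of the scan manageable on real data.
    """
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LINES):
        print(f"line {line_no}: possible PAN {masked}")
```

On a real estate the same logic is run over exported database columns, application logs and file shares; every hit is then either eliminated or moved into the protected environment, which is what shrinks PCI scope on the later slides.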

Page 23: Identifying, Finding, Storing & Eliminating Sensitive Cardholder Data

Page 24: Storing Cardholder Data

• What is allowed to be stored, transmitted, or processed?

– Encrypted PAN, expiration date, and name

• How should the PAN be protected when stored?

– Encrypted, hashed, or truncated

• What must not be stored post-authorization?

– Full track data (Track 1, Track 2)

– CVV2/CVC2

– PIN block

Page 25: When is Track Data Allowed/Disallowed?

Track data:

• Cannot be stored past initial authorization

• Elements that are allowed to be stored (name, account number, and expiration date) should be parsed out and stored appropriately

• May (and must) travel over the network:

– Should be encrypted on the internal network

– Must be encrypted outside the internal network

• One exception: Issuers may store track data where necessary for issuing business needs
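The slide says the allowed elements should be “parsed out and stored appropriately”; the previous slide says the PAN may be kept encrypted, hashed or truncated. The following added example (not code from the deck or from Protiviti) shows what that looks like in code: it parses a constructed format-B Track 1 string into its fields, keeps only name, expiration date and a truncated plus keyed-hashed PAN, and leaves the service code and discretionary data out of the stored record. The Track 1 layout follows the ISO/IEC 7813 field order (`%B<PAN>^<NAME>^<YYMM><service code><discretionary>?`); the sample string, the HMAC-SHA-256 choice for the hash and the `HASH_KEY` placeholder are assumptions made for the example, and encryption of the PAN is not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Constructed Track 1 sample (format code B). 4111111111111111 is a well-known
# test PAN; the name, expiry and discretionary data are made up.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^09101011000000000000?"

# Hypothetical per-deployment secret for the keyed hash. In a real system it
# comes from key management, never from source code.
HASH_KEY = b"placeholder-key-from-kms"


@dataclass
class StorableCardRecord:
    """Only the elements the slide lists as allowed after authorization."""
    cardholder_name: str
    expiration_yymm: str
    pan_truncated: str   # first 6 + last 4 digits
    pan_hash: str        # keyed SHA-256 over the full PAN, hex encoded


def parse_track1(track: str) -> Dict[str, str]:
    """Split a format-B Track 1 string into fields; ValueError if malformed."""
    if not (track.startswith("%B") and track.endswith("?")):
        raise ValueError("not format-B Track 1 data")
    parts = track[2:-1].split("^")
    if len(parts) != 3:
        raise ValueError("expected PAN^NAME^ADDITIONAL fields")
    pan, name, additional = parts
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    if len(additional) < 7:
        raise ValueError("expiration date and service code missing")
    return {
        "pan": pan,
        "name": name,
        "expiration_yymm": additional[:4],
        "service_code": additional[4:7],
        "discretionary": additional[7:],   # issuer data; never stored
    }


def is_well_formed_track1(track: str) -> bool:
    """Convenience wrapper so callers can test input without exceptions."""
    try:
        parse_track1(track)
        return True
    except ValueError:
        return False


def truncate_pan(pan: str) -> str:
    """Truncation as the slide describes it: keep first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the PAN, usable for matching without storing the PAN.
    An unkeyed hash over a 16-digit space is cheap to reverse, hence the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def extract_storable(track: str) -> StorableCardRecord:
    """Parse the full track and keep only the allowed elements. The caller
    discards the raw track string once authorization completes."""
    fields = parse_track1(track)
    return StorableCardRecord(
        cardholder_name=fields["name"],
        expiration_yymm=fields["expiration_yymm"],
        pan_truncated=truncate_pan(fields["pan"]),
        pan_hash=hash_pan(fields["pan"]),
    )


if __name__ == "__main__":
    print(extract_storable(SAMPLE_TRACK1))
```

The record type has no field for the service code or discretionary data at all, so the “must not be stored post-authorization” rule is enforced by the data model rather than by a comment; the same pattern applies to CVV2/CVC2 and PIN blocks, which never make it into a persisted structure.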

Page 26–27: PCI DSS Scoping

PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data and all connected systems

• Includes networking equipment that transmits cardholder data (e.g., routers, switches, firewalls, web servers)

• Encrypted cardholder data is still within scope

• Does include all account numbers

Page 28: Merchants and Service Provider Scoping

• PCI Compliance

– Review includes networks connected to those that have cardholder data, unless internal firewalls are implemented and validated

– Review includes wireless access, even for non-cardholder data functions, unless there is a firewall between the wireless and production networks

– Good network segmentation can reduce the scope

• Service Provider scope for validation is same as scope for compliance (Merchants differ slightly…)

Page 29: Merchant Validation Scope

• Merchant is responsible for compliance of all systems but validation scope is focused on systems related to authorization and settlement where cardholder data is processed, stored, or transmitted:

– All external connections into the merchant network

– All connections to and from the authorization and settlement environment

– Any data repository outside of the authorization and settlement environment where more than 500,000 account numbers are stored

Page 30: Scoping PCI

• Ways to limit the scope of PCI

– Network Segmentation

– Limiting Storage of Credit Card data

– Processing and Reporting as Separate DBAs

– PAN Truncation

– PAN Hashing

– Process/Procedure Changes

Page 31: Compensating Controls

• Assessors can always consider compensating controls (except for track data storage)

• Compensating controls are “above and beyond” other PCI DSS requirements

• Compensating controls are applicable to most PCI DSS requirements

• Bottom line:

– Must meet the intent and rigor of the original PCI requirement and would withstand a compromise attempt with the same preventive force as the original requirement

Page 32: Technical Session - PCI Data Security Standard

DSS - 12 overall requirements (Digital Dozen) categorized in 6 logical groupings

• Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across public networks

• Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure applications

Page 33: Technical Session - PCI Data Security Standard

• Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

• Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

• Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Page 34: Thank You for Listening

Questions?

Page 35: Contact

Rose Andert

Associate Director

Protiviti

[email protected]

602.273.8045

www.protiviti.com

Lance Wright

Senior Consultant

Protiviti

[email protected]

602.683.4117

www.protiviti.com