PCI DSS: Compliance mandates, challenges and benefits. Dariusz Sadowski, INFOSEK Conference 2012 (20 slides)


TRANSCRIPT

Page 1:

© 2012 Deloitte LLP. Private and confidential.

PCI DSS: Compliance mandates, challenges and benefits

Dariusz Sadowski, INFOSEK Conference 2012

Page 2:

Threats: Payment transaction flow

Page 3:

Threats: Catalogue

Every attack's purpose is to steal cardholder data so that fraudulent transactions can be carried out.

• Skimming at the point of sale: magnetic stripe readers, imprinters
• Skimming at ATMs: add-on readers, video cameras
• Fake ATMs: add-on readers, video cameras, physical card theft
• CNP (card not present) transactions: the risk sits on the user's equipment side
  • Keyloggers
  • Scareware/ransomware
  • Phishing and fake e-commerce sites
• E-commerce sales and intermediaries
  • (normal difficulty) data theft as the result of a one-off breach
  • (hard difficulty) continuous data theft for days, weeks or months

Page 4:

Threats: Plethora of choices

Product                     Price
Cardholder data             $2-$90
Physical cards              $190 + personalisation costs
Card cloner                 $200-$1,000
Fake ATM                    $35,000
Bank authentication data    $80 to $700 (balance guaranteed)
Transfer                    10% to 40% of the original amount
Fake e-stores               per case
Sale and goods transfer     $30-$300
Spam rental                 $15

The market shows signs of greater maturity than might be expected:

• When buying bulk quantities you may get a rebate
• You get a warranty
• When the purchased data is invalid you are fully entitled to a return and a refund
• Sellers guarantee quality: the same data won't be sold to more than one buyer

Page 5:

Threats: Activity and organisation

Key personnel:

• Programmers
• Distributors
• Technical experts
• Hackers/crackers
• Fraudsters
• Hosting service providers
• Cashiers
• Mules
• Leaders

Year   Entity                      Records stolen
2012   Global Payments             1.5 million
2011   Sony                        25 million
2009   Heartland Payment Systems   130 million
2008   Hannaford Brothers          4.6 million
2007   TJX Companies               46 million
2005   CardSystems Solutions       40 million

Cybercrime organisations work much like normal businesses: they have the right people doing their jobs. Unlike normal businesses, though, cybercriminals do not have schedules, holidays or weekends.

Page 6:

Threats: Common scenario

• Card data theft by phishing, pharming, skimming, etc.
• Fake job recruitment may be used to conduct identity theft
• Popular schemes for money laundering include using freshly recruited money mules or online casinos

[Diagram: Card data theft → Identity theft → Money laundering]

Page 7:

PCI DSS: Introduction

• PCI DSS (Payment Card Industry Data Security Standard) is a security standard, i.e. a set of comprehensive requirements aimed at achieving a satisfactory level of data security
• It applies exclusively to entities that process, store or transmit cardholder data
• The PCI Security Standards Council (PCI SSC) is the governing body
• It is NOT a legal requirement: it is enforced contractually, by the card brands through the acquirers' merchant agreements

Page 8:

PCI DSS: Cardholder data (1/2)

PCI DSS requirements apply to all components involved in processing, storing or transmitting cardholder data.

Data element                                 Storage permitted   Protection required
Cardholder data
  Primary account number (PAN)               Yes                 Yes
  Cardholder name                            Yes                 Yes
  Expiration date                            Yes                 Yes
  Service code                               Yes                 Yes
Sensitive authentication data
  Full magnetic stripe data                  No                  N/A
  CAV2/CVC2/CVV2/CID                         No                  N/A
  PIN/PIN block                              No                  N/A

Only the PAN must be rendered unreadable wherever it is stored (Requirement 3.4: one-way hashes of the entire PAN, truncation, index tokens and pads, or strong cryptography with proper key management); the other cardholder data elements must be protected in accordance with PCI DSS when stored in conjunction with the PAN. Sensitive authentication data must not be stored after authorisation, even if encrypted.

Page 9:

PCI DSS: Cardholder data (2/2)

[Card diagram. Front: microchip, PAN, expiration date, CID (American Express). Back: magnetic stripe, CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa)]

Page 10:

PCI DSS: Scope (1/2)

• Merchants
  • Entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, Visa)
• Acquirer
  • Entity that initiates and maintains relationships with merchants for the acceptance of payment cards
• Roles can be merged
• What about issuers?

PCI DSS and banks

• Currently banks are not in scope of a formal PCI DSS compliance programme
• However, they are still required to comply with PCI DSS
• Outsourcing of services (acquiring, issuing) does not mean risk avoidance

Page 11:

PCI DSS: Scope (2/2)

Cardholder Data Environment (CDE): the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components. System components are any network component, server or application included in or connected to the cardholder data environment.

Card operations:

Storage        • Data retention on electronic media and in hard copy
Processing     • Data manipulation using electronic or physical means
Transmission   • Data transfer using electronic or physical means

CDE contamination: a system component that can connect to the CDE is in scope even if it never touches card data, so on a flat network the whole estate is in scope; segmentation is what keeps the scope small.
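The "CDE contamination" point is easiest to see as a reachability problem over the permitted network flows. The Python below is an added example and is not part of the deck: the host inventory, the flows and the function names (scope, segment, out_of_scope) are the example's own, constructed for illustration. It walks the flows breadth-first from the hosts that handle cardholder data and shows the whole estate in scope on a flat network, then three hosts dropping out once two flows are blocked.

```python
"""CDE scope by connectivity ("CDE contamination"). Added example, not from
the deck; the inventory, flows and host names are constructed.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str]

# Constructed inventory: host -> does it store, process or transmit cardholder data?
HOSTS: Dict[str, bool] = {
    "pos-terminal": True, "payment-gw": True, "card-db": True,
    "web-shop": False, "crm": False, "hr-wiki": False,
    "jump-host": False, "ad-dc": False,
}

# Constructed permitted flows. Treated as undirected for scoping: if either
# side can open a connection, the peer is "connected to" the CDE.
FLAT_NETWORK: List[Flow] = [
    ("pos-terminal", "payment-gw"), ("payment-gw", "card-db"),
    ("web-shop", "payment-gw"), ("crm", "card-db"), ("hr-wiki", "crm"),
    ("jump-host", "card-db"), ("ad-dc", "hr-wiki"), ("ad-dc", "jump-host"),
]


def scope(hosts: Dict[str, bool], flows: Iterable[Flow]) -> Tuple[Set[str], Set[str]]:
    """Return (cde, connected): the CDE proper and every other host reachable from it.

    Both sets are in scope for the assessment; only hosts in neither are out of scope.
    """
    adjacency: Dict[str, Set[str]] = {h: set() for h in hosts}
    for a, b in flows:
        adjacency[a].add(b)
        adjacency[b].add(a)
    cde = {h for h, touches_chd in hosts.items() if touches_chd}
    reached = set(cde)
    queue = deque(cde)
    while queue:                       # breadth-first walk over permitted flows
        for peer in adjacency[queue.popleft()]:
            if peer not in reached:
                reached.add(peer)
                queue.append(peer)
    return cde, reached - cde


def segment(flows: Iterable[Flow], blocked: Iterable[Flow]) -> List[Flow]:
    """Firewall change: drop the blocked flows, in either direction."""
    denied = {frozenset(f) for f in blocked}
    return [f for f in flows if frozenset(f) not in denied]


def out_of_scope(hosts: Dict[str, bool], flows: Iterable[Flow]) -> Set[str]:
    """Hosts that are neither in the CDE nor connected to it."""
    cde, connected = scope(hosts, flows)
    return set(hosts) - cde - connected


if __name__ == "__main__":
    print("flat network, out of scope:", out_of_scope(HOSTS, FLAT_NETWORK))
    segmented = segment(FLAT_NETWORK, [("crm", "card-db"), ("jump-host", "ad-dc")])
    print("after two firewall rules:  ", out_of_scope(HOSTS, segmented))
```

The jump host stays in scope after segmentation because administrators reach the card database from it, which is the correct answer: administrative access paths are connected system components. The model is connectivity-only; a system that can affect the security of the CDE without any flow to card data (a directory server that authenticates CDE hosts, a patching or log server) is also in scope, and no firewall rule removes it.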

Page 12:

PCI DSS: Requirements (1/2)

Build and maintain a secure network
  1) Install and maintain a firewall configuration to protect cardholder data
     • Up-to-date network diagram, network segmentation, business justification for firewall rules
  2) Do not use vendor-supplied defaults for system passwords and other security parameters
     • Configuration standards, one primary function per server, administrative access

Protect cardholder data
  3) Protect stored cardholder data
     • Data retention, masking, key management
  4) Encrypt transmission of cardholder data across open, public networks
     • Wireless networks, messaging

Maintain a vulnerability management programme
  5) Use and regularly update anti-virus software
  6) Develop and maintain secure systems and applications
     • Security patches, vulnerability management, SDLC, change management
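Requirement 3 above (data retention, masking) and the cardholder data table on page 8 both turn on the PAN. The Python below is an added example, not the deck's material: the log lines and the key are constructed, the card numbers are the public test numbers, and the function names are the example's own. It finds PANs in text with a Luhn filter (for data discovery during scoping), masks them to first six / last four, and then shows a trap a practitioner must check for: an unkeyed SHA-256 of a PAN is not "unreadable" once a truncated copy of the same PAN exists elsewhere, because the hidden digits can be brute-forced in well under a second, whereas an HMAC with a key the attacker lacks survives the same attempt.

```python
"""PAN discovery, masking, and the truncated-plus-hashed trap.

Added example, not from the deck. SAMPLE_LOG and the key are constructed;
the card numbers are public test numbers, not real cards.
"""
import hashlib
import hmac
import itertools
import re
from typing import Callable, List, Optional

# PAN candidate: 13-19 digits, optional single spaces/dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Keyword heuristic for sensitive authentication data written to a log (Req 3.2).
SAD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\d{3,4}\b", re.I)


def luhn_sum(digits: str) -> int:
    """Luhn (mod 10) sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(digits: str) -> bool:
    return luhn_sum(digits) % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digits-only PAN candidates that pass Luhn; request IDs and timestamps drop out."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_sad(text: str) -> List[str]:
    """Log lines that look like a stored CVV/PIN (heuristic; confirm by hand)."""
    return [line for line in text.splitlines() if SAD_RE.search(line)]


def mask(pan: str) -> str:
    """Requirement 3.3 display masking: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def weak_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: looks irreversible, is not (see recover_from_truncated)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256: without the key an attacker cannot test candidate PANs at all."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


def luhn_fill(prefix: str, suffix: str) -> str:
    """The single digit d for which prefix + d + suffix passes Luhn."""
    need = (-luhn_sum(prefix + "0" + suffix)) % 10
    if len(suffix) % 2 == 0:          # d sits at an even position from the right: not doubled
        return str(need)
    return str(need // 2 if need % 2 == 0 else (need + 9) // 2)


def recover_from_truncated(masked: str, digest: str,
                           hasher: Callable[[str], str] = weak_hash) -> Optional[str]:
    """Given first6/last4 and a hash of the full PAN, brute-force the hidden digits.

    A 16-digit PAN hides 6 digits and Luhn fixes one of them, so 10**5 candidates
    suffice. Returns the PAN when the hash is unkeyed, None when the key is missing.
    """
    first6, last4 = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for middle in itertools.product("0123456789", repeat=hidden - 1):
        prefix = first6 + "".join(middle)
        candidate = prefix + luhn_fill(prefix, last4) + last4
        if hasher(candidate) == digest:
            return candidate
    return None


# Constructed log excerpt: three PANs on three hosts, one CVV, and digit runs that are not PANs.
SAMPLE_LOG = """\
2012-05-14 10:02:11 web-shop INFO order=48213 pan=4111 1111 1111 1111 amount=59.90
2012-05-14 10:02:12 web-shop DEBUG request_id=20120514100212 ok
2012-05-14 10:03:40 payment-gw INFO auth card=5555-5555-5555-4444 cvv=123 approved
2012-05-14 10:05:02 crm INFO customer phone=+48123456789 visited
2012-05-14 10:06:17 pos-terminal INFO amex=378282246310005 tip=5.00
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("stored PAN found:", mask(pan))
    for line in find_sad(SAMPLE_LOG):
        print("possible SAD in log:", line)
    pan = "4111111111111111"
    print("masked + sha256 ->", recover_from_truncated(mask(pan), weak_hash(pan)))
    key = b"constructed-demo-key"   # in production this lives in an HSM / key manager
    print("masked + hmac   ->", recover_from_truncated(mask(pan), keyed_hash(pan, key)))
```

The discovery pass is what a scoping exercise runs over file shares, databases and, as here, application logs: the web shop and the gateway both wrote full PANs, the gateway also logged a CVV, and the 14-digit request ID is rejected by the Luhn check rather than by hand. The brute force is the reason a masked PAN and an unkeyed hash of the same PAN must never sit in the same environment without further controls: the attacker needs no key, only the BIN and the last four digits that the receipt already shows.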

Page 13:

PCI DSS: Requirements (2/2)

Implement strong access control measures
  7) Restrict access to cardholder data by business need-to-know
     • User access rights management
  8) Assign a unique ID to each person with computer access
     • Authentication, password policy enforcement
  9) Restrict physical access to cardholder data
     • Visitor control, media handling

Regularly monitor and test networks
  10) Track and monitor all access to network resources and cardholder data
     • Logging and correlation rules, time synchronisation
  11) Regularly test security systems and processes
     • Network scans, penetration testing

Maintain an information security policy
  12) Maintain a policy that addresses information security
     • Risk assessment, awareness building, training, vendor management
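Requirements 7, 8 and 10 above translate into checks that can be scripted over the audit trail before a QSA samples it. The Python below is an added example, not from the deck: the audit records, host names, accounts and the need-to-know list are constructed, and the thresholds are the example's own choices (the six-attempt figure mirrors the lockout limit in Requirement 8.5.13). It flags access to the card database by an account without a business need, a run of failed logons to a CDE host inside one window, and a host whose own clock disagrees with the log collector's, which is what breaks correlation across hosts.

```python
"""Requirement 7/8/10 checks over a CDE audit trail. Added example, not from
the deck; all records, hosts, accounts and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Requirement 7: accounts with a business need-to-know for each CDE data store.
NEED_TO_KNOW: Dict[str, Set[str]] = {"card-db": {"svc-payment", "dba-anna"}}

# Constructed audit lines. Fields: time the central collector received the
# event, time stamped by the host itself, host, user, action, result.
AUDIT = """\
2012-05-14T10:00:00 2012-05-14T10:00:00 card-db svc-payment query success
2012-05-14T10:00:05 2012-05-14T10:00:05 card-db dba-anna login success
2012-05-14T10:00:07 2012-05-14T10:00:07 card-db jdoe query success
2012-05-14T10:01:00 2012-05-14T10:01:00 payment-gw bob login failure
2012-05-14T10:01:20 2012-05-14T10:01:20 payment-gw bob login failure
2012-05-14T10:01:45 2012-05-14T10:01:45 payment-gw bob login failure
2012-05-14T10:02:10 2012-05-14T10:02:10 payment-gw bob login failure
2012-05-14T10:02:30 2012-05-14T10:02:30 payment-gw bob login failure
2012-05-14T10:02:50 2012-05-14T10:02:50 payment-gw bob login failure
2012-05-14T10:03:00 2012-05-14T10:02:58 payment-gw bob login success
2012-05-14T10:04:00 2012-05-14T09:49:00 pos-terminal svc-pos txn success
"""

Record = Tuple[datetime, datetime, str, str, str, str]
Finding = Tuple[str, str, str]   # (rule, host, user)


def parse(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if line.strip():
            seen, stamped, host, user, action, result = line.split()
            records.append((datetime.fromisoformat(seen), datetime.fromisoformat(stamped),
                            host, user, action, result))
    return records


def review(text: str, fail_threshold: int = 6, window: timedelta = timedelta(minutes=10),
           max_skew: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Run the three checks and return (rule, host, user) findings."""
    records = parse(text)
    findings: List[Finding] = []

    # Req 7: a successful action on a need-to-know host by an account not on its list.
    for seen, stamped, host, user, action, result in records:
        allowed = NEED_TO_KNOW.get(host)
        if allowed is not None and result == "success" and user not in allowed:
            findings.append(("need-to-know", host, user))

    # Req 8.5.13 / 10.2.4: fail_threshold failed logons inside one window.
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for seen, stamped, host, user, action, result in records:
        if action == "login" and result == "failure":
            failures[(host, user)].append(seen)
    for (host, user), times in failures.items():
        times.sort()
        if any(times[i + fail_threshold - 1] - times[i] <= window
               for i in range(len(times) - fail_threshold + 1)):
            findings.append(("failed-logons", host, user))

    # Req 10.4: a host whose own clock disagrees with the collector's clock by more
    # than max_skew cannot be correlated with the other hosts' events.
    skewed: Set[str] = set()
    for seen, stamped, host, user, action, result in records:
        if abs(seen - stamped) > max_skew and host not in skewed:
            skewed.add(host)
            findings.append(("clock-skew", host, user))
    return findings


if __name__ == "__main__":
    for rule, host, user in review(AUDIT):
        print(f"{rule:14} host={host:12} user={user}")
```

The failed-logon check uses the collector's timestamp on purpose: the POS terminal's own clock is fifteen minutes slow, so a rule keyed on host time would have placed its events in the wrong order relative to the gateway's, which is exactly the failure mode Requirement 10.4's time synchronisation is there to prevent.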

Page 14:

PCI DSS: Classification

Merchants:

• Level 1: above 6 million Visa or MasterCard transactions annually; above 2.5 million American Express transactions annually
• Level 2: 1 million to 6 million Visa or MasterCard transactions annually; 50 thousand to 2.5 million American Express transactions annually
• Level 3: 20 thousand to 1 million Visa or MasterCard e-commerce transactions annually; below 50 thousand American Express transactions annually
• Level 4: below 20 thousand Visa or MasterCard e-commerce transactions annually

Service providers:

• Level 1: above 300 thousand Visa or MasterCard transactions annually; above 2.5 million American Express transactions annually
• Level 2: below 300 thousand Visa or MasterCard transactions annually; 50 thousand to 2.5 million American Express transactions annually
• Level 3: below 50 thousand American Express transactions annually

Page 15:

PCI DSS: Compliance validation methods (1/3)

Self-Assessment Questionnaire (SAQ): a tool an entity can use to self-assess its compliance against PCI DSS

Qualified Security Assessor (QSA): a company approved by the PCI SSC to conduct PCI DSS on-site assessments

Approved Scanning Vendor (ASV): a company approved by the PCI SSC to conduct external vulnerability scanning services

Page 16:

PCI DSS: Compliance validation methods (2/3)

Merchants:

• Level 1: annual QSA on-site assessment and quarterly ASV scan (Visa, MasterCard, American Express)
• Level 2: annual SAQ and quarterly ASV scan (Visa, MasterCard); quarterly ASV scan (American Express)
• Level 3: annual SAQ and quarterly ASV scan (Visa, MasterCard); quarterly ASV scan recommended (American Express)
• Level 4: annual SAQ and quarterly ASV scan recommended (Visa, MasterCard); N/A (American Express)

Page 17:

PCI DSS: Compliance validation methods (3/3)

Service providers:

• Level 1: annual QSA on-site assessment and quarterly ASV scan (Visa, MasterCard, American Express)
• Level 2: annual SAQ and quarterly ASV scan (Visa, MasterCard); N/A (American Express)

Page 18:

Summary

• PCI DSS is an industry initiative brought to life by the world's biggest payment organisations in order to ensure cardholder data security
• Data protection is required for at least the following reasons: a) the constantly growing usage of cards and the popularisation of cashless transactions, and b) the growing demand for cardholder data from cybercriminals
• In theory, all entities processing, storing or transmitting cardholder data are to comply with PCI DSS
• In practice, acquirers have been compliant for a long time (because this is their core business) and the biggest pressure is put on merchants. Banks are left behind
• The general rule for implementing PCI DSS is CDE reduction, because it a) is the safest thing to do and b) makes compliance cost less
• CDE reduction depends on a business process re-engineering exercise; this is why PCI DSS deployment is a business issue and not an IT one (a common mistake)
• One thing to remember: being compliant does not guarantee security; see Heartland Payment Systems, which held a valid compliance validation when it was breached
• Non-compliance may have a very direct impact (fines)

Page 19:

PCI DSS: References

• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• PCI Guru: https://pciguru.wordpress.com/
• Visa CISP: http://usa.visa.com/merchants/risk_management/cisp.html
• MasterCard SDP: http://www.mastercard.com/us/company/en/whatwedo/site_data_protection.html

Page 20:


Dariusz Sadowski, Assistant Manager, PMP, CIA, CISM, [email protected], +44 (0) 7768 947 617