pci dss compliance services - galitt · 2016-04-01 · pci dss compliance services...


Page 1: PCI DSS Compliance Services - Galitt · 2016-04-01 · PCI DSS Compliance Services 20160104-Galitt-PCI DSS Compliance Services.pptx . Agenda ... insurance company (2015) ... • The

January 2016

PCI DSS Compliance Services

20160104-Galitt-PCI DSS Compliance Services.pptx

Page 2

Agenda

© Copyright Galitt 2

1. Introduction

2. Overview of the PCI DSS standard

3. PCI DSS compliance approach

Page 3

Introduction: Global trends

• Contactless cards & NFC

• Mobile acceptance

• Digital wallets

• E-commerce & m-commerce

• Chip on the cloud / HCE

• Rise of card payments across the globe (card present & card not present)

• Growth of fraud and security breaches

• In 2014, card-based payment fraud in France was estimated at 395,6 million euros, with a projected increase of 10% every year

• Advances in the payment sector have created opportunities for card-based payments over various channels: face-to-face, internet, mobile…

Page 4

Introduction: The French card-based payment eco-system

Embedded security at various levels

• Payment transaction authorisation management (e-rsb)

• Use of EMV “Chip-and-PIN” cards rather than magnetic stripe cards

• Extended interoperability between domestic banks

Benefits

• Convenience for the cardholder

• High transaction throughput and a payment guarantee for merchants

BUT BEWARE!

• Following a data breach in France, fraud may be performed wherever an equivalent security framework is not enforced.

• This risk must not be underestimated; everyone must take responsibility for protecting cardholder data from compromise.

Page 5

Introduction: The impacts of a data breach

• Damage to reputation and loss of credibility (*)

  • Depending on the extent of the breach, brand value may be heavily impacted, with a drop of 17% to 31%

  • Average reputation recovery time is 11,8 months

• Financial loss (**)

  • Average cost of a data breach (total): 2,9M€

  • Average cost of a data breach (per record): 127€

  • Re-issuing of compromised cards

  • Loss of revenue

  • Penalties from card brands

• Collateral damage: business consequences

  • Loss of credibility with business partners: card brands, banks, service providers, merchants, …

  • High attrition rate (e.g. 4,4% in France)

Key impacts (figure): damage to reputation and brand value; remediation of security vulnerabilities; card brand penalties; fraud costs.

(*) Source: « 2011-Ponemon_reputation_impact_of_a_compromission »

(**) Source: report “Cost of Data Breach”, Ponemon Institute and Symantec, June 2013

Page 6

Introduction: Data breach figures in France and abroad

Attacks and fraud schemes perpetrated in France

• 3x: Compromise of merchant points of sale and ATMs tripled between 2011 and 2012, according to the GIE CB report.

• 160K: Loss of 160 000 euros in a “MIM card” fraud scheme performed against a large merchant in 2014/2015.

• Approximately 200 point-of-sale terminals were hacked in 2013, while only 30 were compromised in 2011.

• From 188 to 560: Over 500 gas pumps were compromised in 2014, up from 188 in 2012 (source: 2014 OSCP report (**)).

• Increase in face-to-face merchants in France accepting counterfeit “CB” cards, compromised through fraud schemes abroad (source: GIE CB report).

Data breaches abroad

• Hacking of a leading US hotel group in September 2015, compromising payment terminals in restaurants, bars and gift shops.

• 80M: 80 million customers could be impacted by data compromised at a leading US health insurance company (2015).

(**) OSCP: Observatoire de la Sécurité des Cartes de Paiement

Page 7

Introduction: Darknet markets

• Large volumes of card data are resold on « Carding » websites

• Fraud opportunities based on stolen cardholder data

  • PAN: purchase of goods on insecure e-commerce websites (no CVX2 validation)

  • PAN + expiry date + CVX2: purchase of goods on classic e-commerce websites

  • Complete ISO2 magnetic stripe: card-present transactions in non-EMV environments

  • Complete ISO2 magnetic stripe data + PIN: card-present transactions and cash withdrawal in non-EMV environments

• Average value on the market

  • Stolen cardholder data

    • Primary Account Number (PAN) and CVX2: 1€

    • Magnetic stripe data: from 8€ to 73€

    • « White plastic » card with magnetic stripe: 100€

    • Magnetic stripe data and PIN code: 1 000€

  • Fraud kits

    • Malware: from 1 000€ to 2 000€

    • Skimming equipment: from 1 000€ to 2 000€

Page 8

Agenda


1. Introduction

2. Overview of the PCI DSS standard

3. PCI DSS compliance approach

Page 9

Overview of the PCI DSS standard

• Background

  • Initially developed by the five card brands shown on the slide

  • Supported by major players in the payment card industry (e.g. smartcard and terminal manufacturers)

• Objectives of the PCI standards

  • Reduce card fraud by protecting cardholder data

  • Define a common approach and set of rules to be adopted by the major card brands, based on their existing cardholder data protection programmes

  • Define a set of industry-wide requirements and processes through different standards

Page 10

Overview of the PCI DSS standard

• PCI DSS aims to protect cardholder identification data and sensitive authentication data

Elements found on the card (figure): bank logo; Primary Account Number (PAN); cardholder name; expiry date; magnetic stripe (tracks 1 and 2, containing the PIN block – Personal Identification Number – encrypted PIN and service code); card verification code “123” (CAV2/CVC2/CVV2/CID); track-equivalent data also stored in the chip.

Cardholder identification data:

• Primary Account Number (PAN)

• Cardholder name

• Expiration date

• Service code

Sensitive authentication data:

• Full track data (magnetic-stripe data or its equivalent on a chip)

• CVX2 (CAV2/CVC2/CVV2/CID)

• PINs / PIN blocks
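The split between cardholder data (CHD) and sensitive authentication data (SAD) is what a PCI DSS data discovery exercise actually looks for in logs, databases and file shares. The Python script below is an added example, not part of the Galitt deck: it scans constructed log records for the elements listed above, reporting ISO 7813 track 2 strings as SAD (which PCI DSS forbids storing after authorisation) and Luhn-valid PAN candidates as CHD (which PCI DSS allows to be displayed only as the first six and last four digits at most). The regular expressions, the record format, the 4111… test PAN and the function names are assumptions of the example, not anything the slides prescribe.

```python
"""Classify card data elements in a text record, as PCI DSS groups them.

Added example, not taken from the Galitt deck. Given a line of text (a log
entry, a database export row), it finds ISO 7813 track 2 strings and
Luhn-valid PAN candidates, labels them cardholder data (CHD) or sensitive
authentication data (SAD), and masks the PAN to its first six and last four
digits. The records in SAMPLE_RECORDS are constructed for this example and
use the 4111... test PAN, not a real card.
"""
import re

# Up to 19 digits, optionally separated by single spaces or hyphens, not
# touching other digits. Deliberately loose: the Luhn check below filters it.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ISO 7813 track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets a display show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_record(text: str) -> list:
    """Return one finding per data element found, each tagged CHD or SAD."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code, _discretionary = m.groups()
        # Full track data is SAD: it must never be stored after authorisation,
        # so it is reported once, as SAD, even though it embeds a PAN.
        findings.append({
            "element": "track2",
            "class": "SAD",
            "pan_masked": mask_pan(pan),
            "expiry": expiry,
            "service_code": service_code,
        })
    # Blank out track strings so their PAN is not counted a second time.
    remaining = TRACK2_RE.sub(" ", text)
    for m in PAN_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({
                "element": "pan",
                "class": "CHD",
                "pan_masked": mask_pan(digits),
            })
    return findings


def scan_records(records) -> dict:
    """Count CHD and SAD findings across records; any SAD at all is a red flag."""
    counts = {"CHD": 0, "SAD": 0}
    for rec in records:
        for f in classify_record(rec):
            counts[f["class"]] += 1
    return counts


# Constructed sample records: an application log that leaks a PAN, a debug
# line that dumps raw track 2 data, and a harmless line with a session id.
SAMPLE_RECORDS = [
    "2016-01-04T10:22:01Z auth ok order=123456789012345 card=4111 1111 1111 1111 amount=42.00",
    "2016-01-04T10:22:07Z DEBUG raw=;4111111111111111=2512101123456789? terminal=T01",
    "2016-01-04T10:22:09Z session=9876543210 user=alice",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for f in classify_record(rec):
            print(f)
    print(scan_records(SAMPLE_RECORDS))
```

The 15-digit order number in the first record matches the loose digit pattern but fails the Luhn check, which is why the check is there: without it a scan of real logs drowns in order ids, timestamps and invoice numbers. Track 2 strings are matched by their sentinels and field layout rather than by Luhn, since the point of finding them is that they should not exist anywhere at all once the transaction has been authorised.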

Page 11

Overview of the PCI DSS standard

• Who is subject to PCI DSS?

  • PCI DSS applies to all entities involved in payment card processing that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD):

    • Merchants that accept card-based payments from one or more card brands

    • Payment Service Providers (PSP)

    • Acquiring and issuing banks

• PCI DSS is used as a technical and operational standard to protect cardholder data. The table below gives a high-level overview of the 12 PCI DSS requirements, grouped into six goals:

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Page 12

Overview of the PCI DSS standard

• Merchant profiles vs. PCI DSS compliance validation requirements

Level 1

• Merchant profile:

  • Merchants processing more than 6 million Visa or MasterCard transactions annually via all channels

  • Merchants that have been compromised

  • Merchants identified as a level 1 by another card brand

  • Any merchant designated by the card brand at its discretion

• Compliance validation requirements:

  • Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or a qualified Internal Security Auditor (ISA)

  • Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance form (AoC)

• Exemption: declassification to level 2 in case of 95% EMV transactions

Level 2

• Merchant profile:

  • Merchants processing between 1 and 6 million Visa or MasterCard transactions annually via all channels

  • Merchants identified as a level 2 by another card brand

• Compliance validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ); assistance from a Qualified Security Assessor is required

  • Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance form (AoC)

Level 3

• Merchant profile:

  • Merchants processing from 20,000 to 1 million Visa or MasterCard e-commerce transactions annually

  • Merchants identified as a level 3 by another card brand

• Compliance validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)

  • Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance form (AoC)

• Exemption: scan exemption for merchants using certified solutions

Level 4

• Merchant profile:

  • Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually

  • Non e-commerce merchants processing up to 1 million Visa transactions annually

• Compliance validation requirements:

  • Annual Self-Assessment Questionnaire (SAQ)

  • Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)

  • Attestation of Compliance form (AoC)

• The merchant profile is determined from the total number of transactions processed across all of the merchant’s acquiring banks.

• Domestic transactions performed with “co-badged” cards (Visa or MasterCard + Carte Bancaire) must also be counted.

Page 13

Agenda


1. Introduction

2. Overview of the PCI DSS standard

3. PCI DSS compliance approach

Page 14

PCI DSS compliance approach

• A PCI DSS compliance program may transform the organisation not only from a technical perspective but also from a business process standpoint.

• The success of such a program depends on the involvement and contribution of different business functions, i.e. people.

Areas involved (figure):

• Project governance: project sponsors, contributors, project managers, senior management

• People and business processes: payment processes, HR, IT, finance, legal, accounting

• Information systems: platforms, operating systems, applications, databases, networks

Key questions

1. What is the scope of my organisation subject to PCI DSS?

2. How can this scope be reduced?

3. What is the best compliance strategy for my organisation?

Page 15

PCI DSS compliance approach

• Key drivers and challenges for conducting a PCI DSS compliance program

Drivers

• An improved risk management approach, which in turn reduces the likelihood of security breaches and data theft.

• Perception as a trusted partner, as security is demonstrated to be a priority within the organisation.

• Reduced or avoided financial penalties from card brands in case of data theft, by demonstrating compliance and a strong security posture.

• Adoption of PCI DSS as a security baseline, enforcing best practice for the protection of sensitive data in general.

Challenges

• Defining the scope of the program is a complex task and often requires the help of a QSA.

• Roles and responsibilities for delivering the program are often unclear.

• Support from senior management is key to the success of the program and therefore mandatory.

• Maintaining the state of compliance as the environment rapidly evolves.

• PCI DSS work streams being deprioritised due to budget constraints and other competing internal initiatives.

Page 16

PCI DSS compliance approach

Galitt can assist your organisation throughout all phases of a PCI DSS compliance program

Planning & preparation

• Business process and applications mapping

• Definition of the cardholder data environment (scope)

• PCI DSS gap analysis and remediation plan

• PCI DSS compliance strategy and roadmap

Remediation

• Consulting, implementation of security controls, remediation of findings…

Compliance

• Certification audit (level 1 merchants)

• Self-Assessment Questionnaire (merchants of level 2, 3 and 4)

• External vulnerability scans from an « Approved Scanning Vendor »

Across all phases

• Project management

• PCI DSS training and awareness

Page 17

Galitt contact details

Thank you!

www.galitt.us www.galitt.com

Rémi GITZINGER

Director - Payment Consulting

+33 1 77 70 28 59

[email protected]

Bruno KOVACS

Consulting Manager & QSA

+33 1 77 70 28 12

[email protected]