Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden


Visa Europe

Implementing PCI DSS Requirements Within Your Organisation

September 2008

Simon Breeden

Tel Aviv, 18th September 2008, Visa Europe

Data security and your brand

• How much would your brand be worth if you lost your customers’ trust?

• Would your customers stay with you?


Your brand needs security!

• Compromises happen every day, everywhere

• In the customer’s view, consumers, card schemes and merchants share responsibility for protecting their card data

• Yet… 63% of customers view merchants as the weakest link when it comes to protecting their data…¹

¹Source: Javelin Strategy and Research 2007


In customers’ eyes we all share responsibility to prevent fraud


Merchants as the weakest link


Customer confidence seriously impacted by a data breach

In the case of a breach….

49% of customers believe merchants to be the most likely source of the data breach

3 out of 4 customers won’t shop again at a compromised merchant

84% of customers want to shop at merchants who are security market leaders

Investing in PCI DSS should be part of your customer retention plans


Media and regulators are watching us…

• National and European governments are showing increasing interest in the area of account information security

• The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise) – already adopted in California, Minnesota and Texas

• The media are increasingly questioning industry compliance and progress…


Is PCI DSS mandated for everybody?

PCI DSS is mandated for all merchants and other entities with access to card data

No access to data = no need for compliance validation

In the future, more companies may choose not to handle card data directly rather than bear the cost and risk of securing it


What is it for?

• Protecting customer confidence

• Mitigating against fraud and other losses

• Protecting against reputational damage

• Avoiding further regulatory control


PCI DSS part of overall Visa Security

• POS environment: Chip & PIN

• Online e-commerce: Verified by Visa

• Back office: PCI DSS

DATA

What is important about ‘data’?


• Card number, chip, expiry date

• Magnetic stripe: made up of “Track 1” and “Track 2” data

• CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel

Track data and CVV2 should never be stored after authorisation


You are only as safe as the least safe link in the chain

Processor

Acquiring bank

Internet payment gateway

Merchant

Web hosting company


Data theft is…

• Organised

• Multi-national

• Increasing in frequency

• Very, very lucrative

• Easy

• Almost risk-free


Most Companies don’t help themselves

• Track data and CVV2 are the ‘honey pot’ that hackers look for

• 80%+ of entities that are hacked are storing Track data and CVV2

• 70-80% of companies compromised go out of business within one year


PCI DSS is good business practice

Think of it as spring cleaning!

PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes and systems

• This enables you to:

- Check your house is in order

- Discard unwanted items

- Rethink your data storage business needs

- Fix issues


The First Thing!

PCI DSS is mandated for all merchants and other entities who store, process and/or transmit card data

No data = no need for compliance validation

Companies have the option of investing in data security or hiring a third party to manage data on their behalf


The Second Thing!

The key to a successful compliance programme is to:

• Identify stakeholders

- Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …

• Get business sponsorship

- Present PCI DSS and the risk of non-compliance to the Board

- Brand image is at stake


Making PCI Compliance a Reality

Visa’s recommended approach is to:

– Complete data flow analysis early

– Complete a comprehensive gap analysis

– Define a detailed remediation plan

How does PCI relate?

Data Flow Analysis → Gap Analysis → Remediation Plan → Implement Remediation → Compliance Validation


Scoping and Sampling

Proper scoping and thorough reviews are critical

Beware of not scoping and identifying all potential systems that may hold cardholder information:

• Can lead to critical and destructive hacks

• The data flow mapping exercise should identify all points of storage, processing & transmission


PCI DSS Scoping

PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and all connected systems

• Includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)

• Encrypted cardholder data is still within scope


Quick Wins

• Do not store track data or CVV2 post-authorisation

• Delete card data everywhere you can

• Update security policy

• Update templates to ensure PCI DSS is included in all new projects

• Data retention policy & process
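As an added example that is not part of this presentation: a small data-discovery scanner, in the spirit of “delete card data everywhere you can” and the warning that stored track data and CVV2 are the honey pot attackers look for. It flags track 1/track 2 data, Luhn-valid PANs and CVV2 fields in constructed sample records so they can be located and removed; the record layout, regexes and test card numbers are my assumptions, not anything from Visa.

```python
import re

# Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# Bare PAN: 13-19 digits, optionally grouped with spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV2 stored as a named field (cvv2=123, cvc: 4567, ...)
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Luhn check: keeps order ids and timestamps out of the PAN findings."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only first six and last four digits, the masking PCI DSS permits for display."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked detail) findings for one stored record."""
    findings = []
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
        line = rx.sub(" ", line)  # so the track's PAN is not reported a second time
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(0)):
            findings.append(("PAN", mask_pan(m.group(0))))
    if CVV2_RE.search(line):
        findings.append(("CVV2", "***"))  # never echo the value itself
    return findings


# Constructed sample records using published test card numbers, not real accounts
SAMPLE_LINES = [
    "order=1001 pan=4111111111111111 cvv2=123 amount=19.99",
    "swipe=%B4111111111111111^DOE/JANE^25121011000000000000?",
    "swipe=;5500000000000004=25121011000000000000?",
    "ref=1234567890123456 status=approved",  # fails Luhn: an order reference, not a PAN
    "order=1002 token=tok_a1b2c3 amount=5.00",  # tokenised record: nothing to find
]
```

Run `scan_line` over each record of a log, database export or backup; any TRACK or CVV2 finding is data that must not exist post-authorisation, and a PAN finding marks a system that is in scope.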


Advice on Payment Applications

• PA-DSS is here!

• Released by PCI SSC on 15 April 2008

• Set of comprehensive security standards for use by vendors to ensure their products assist PCI DSS compliance

• Ensure new applications are PA-DSS compliant

• Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant

• PA-DSS certified applications do not make you compliant, but they help you get there


Merchant Compliance Validation

1. Processing more than 6 million Visa transactions per year, or compromised in the last year: annual on-site security audit and quarterly network scan

2. Processing 1 million to 6 million Visa transactions per year: annual self-assessment questionnaire and quarterly network scan

3. Processing 20,000 to 1 million Visa e-commerce transactions per year: annual self-assessment questionnaire and quarterly network scan

4. Processing up to 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year: recommended annual self-assessment questionnaire and quarterly network scan


Service Provider Compliance Validation

1. All VisaNet processors, payment gateways and Internet payment service providers, regardless of volume: annual on-site security audit and quarterly network scan

2. Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year: annual on-site security audit and quarterly network scan

3. Any service provider not in level 1 that stores, processes or transmits fewer than 1 million Visa accounts or transactions per year: annual self-assessment questionnaire and quarterly network scan


Compliance Management

If you do not comply:

• There are levels of fines that are imposed

• There are fines for data compromise

Ultimate Sanction

• Prohibition by all card brands from handling cards and card data


However, it is a journey…

• No expectation of immediate compliance

• However…

• No open-ended deadlines to comply

• Evidence of commitment to comply

• Planned approach

• Compliance is a 24-hour-a-day activity – not a once-a-year activity to satisfy an audit