9/12/2008 2
The PCI Security Standards Council
• An open global forum, launched in 2006,
responsible for the development, management,
education, and awareness of the PCI Security
Standards, including:
– Data Security Standard (DSS)
– Payment Application Data Security Standard (PA-DSS) – Pin-Entry Device (PED)
PCI PED
PCI SSC - The Standards
PCI PED addresses device characteristics impacting security of PIN Entry Device (PED) during financial transactions
PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold,
distributed, or licensed to third parties.
PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data)
9/12/2008 4
9/12/2008 6 PCI DSS Drivers Security Scans Self-Assessment Questionnaire On Site Audits Community Meeting Industry Best Practices Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) Proactive
feedback from QSAs, ASVs and POs
PCI Data Security Standard ADC Forensics Results
Advisory Board
2007 Successes
• Over 420 Participating Organizations around the World
• Successful Community Meeting with over 300 attendees from around the world
• Board of Advisors elected and working (i.e. Task Forces)
• 1,500 QSA Assessors trained and certified • The New PED Standard announced
• Successful feedback processes in place for DSS & SAQ (for release in 2008)
• Started Special Interest Group Program • Influential Outreach Program
9/12/2008 8
2008 PCI SSC Objectives & Accomplishments
2008 PCI SSC Objectives – North America and Europe Community Meetings
planned for Q3 2008
– Manage new and existing standards
• PCI DSS Version 1.2 to be released Q3 2008 • Updates to PED Program for Q2 2008
– Unattended Payment Terminals (UPT) – Hardware Security Modules (HSM)
Enhance cardholder data security
Enhance cardholder data security
9/12/2008 10
Roles and Responsibilities of the Council
• Is an Independent Industry Standard
• Manages the technical and business requirements for how payment data should be stored and protected
• Maintains List of Qualified PCI Assessors
– QSAs, ASVs
PCI SSC….
PCI SSC Does Not…
• Manage or drive Compliance
– Each brand continues to
maintain its own compliance programs
• Identifies stakeholders that need to validate compliance
• Definitions of Validation Levels • Fines and Fees
Slide 10
SC16 Fix grammar/tenses Sarah Cummins, 1/9/2008
9/12/2008 11
Resources Provided by Council • Security Standards and Supporting
Documents
• Frequently Asked Questions
• List of Approved QSAs, ASVs, PED Labs
• Education and Outreach Programs • Participating Organization
Membership, Community Meetings, Feedback
Frequently Asked Questions
•
• New Searchable FAQ Tool New
available on PCI SSC Website
– Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution
9/12/2008
• Threats in one month: August 2007
– 89% of email was spam (new record)
– Trojans made up 78% of new malware
– 264,133 new zombies detected
– Average of 11,906 new malicious websites found daily
Threat Landscape
Implementing the standard is a Journey…… Not a Destination
The Cost of Complying
Three Categories of Compliance
How much does this cost your organization?
For merchants with complex or older systems, it may cost millions
“PCI Compliance Cost Analysis: A Justified Expense.”
A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex. Jan. 2008
[This study utilized data from several sources including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]
The Cost of Not Complying
Same study estimated non-compliance costs significantly higher, including
• “Crisis” cost upgrades • Repeat assessments • Notification costs • Brand reputation
• Shareholder and consumer lawsuits
The cost of a breach can easily be 20 times the cost of
PCI Compliance
• Upgrading Payments Systems and Security
• Verifying Compliance (Assessment)
• Sustaining Compliance
Forensics Statistics
Consumer data:
Payment card information -Credit / Debit
-Card-present / CNP
Personal Check information
Identity-related data:
Name, address, email
Social security, Social insurance IRS / tax return information
Company-proprietary:
Financial records HR / employee data
Product strategy & roadmap Trade secrets & technology
Inside Jobs vs. Intrusions
17% Inside ~77% are partial insiders Incident Detection >75% via allegation of compromise Findings Percentages 92% Confirmed Security Breach >60% Confirmed Data Compromise Case Commonalities 19% SQL injection 45% POS systems 10% Wireless infrastructure ~50% Via 3rd party connections Breach Sources ~13% Inside US Vulnerability Scanning SQL Injection cases: 71% had commercial scanning 63% detected SQL vulnerability
15% in scan reports for 1 year + > 60% Payment Cards vs. Others Law Enforcement Involvement 87% of cases Incident Detection >75% via allegation of compromise
9/12/2008 17 9/12/2008 17 It It’’ll be OKll be OK PCI doesn
PCI doesn’’t introduce any new, t introduce any new, alien concepts alien concepts
•
•
Anger
Anger
•
•
Bargaining
Bargaining
•
•
Depression
Depression
•
•
Acceptance
Acceptance
•
•
Denial
Denial
It doesnIt doesn’’t apply to met apply to mePCI compliance is mandatory
It isn
It isn’’t fairt fair
PCI applies to all parties in the
PCI applies to all parties in the
payment process
payment process
I
I’’ll do some of itll do some of it
Compliance is
Compliance is ““pass / failpass / fail””
I
I’’ll never get therell never get there
Many merchants already have
Many merchants already have
The PCI Data Security Standard
• The PCI DSS version 1.1 is a set of comprehensive requirements for enhancing payment account data security
• The PCI DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other critical protective measures • This comprehensive standard is
intended to help organizations
proactively protect customer payment data
Slide 18
SC10 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008
Six Goals, Twelve Requirements
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy 12. Maintain a policy that addresses information security
The PCI Data Security Standard SC13
Slide 19
SC13 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008
Updates to PCI DSS • October 2008:
– PCI DSS Revision v1.2
– Assessed and Incorporated feedback received from over 2,500 queries and suggested changes from Community Stakeholders
– 1.2 revision address the existing six goals and twelve requirements of the DSS with future effective dates for potential new sub requirements – Areas of focus
• Clarity and flexibility of requirements
• Incorporate existing and new best practices • Scoping and reporting clarification
• Eliminate overlapping sub requirements and consolidate documentation • Expanded FAQ and glossary
9/12/2008 21
The Payment Application Data Security Standard
• Based on Visa USA’s PABP, PA-DSS is a comprehensive set of
requirements designed for payment application software vendors to
facilitate their customers’ PCI DSS compliance
• This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data
• Distinct from but aligned with PCI DSS
Payment Application (PA DSS) Data Security Standard
Slide 21
CB1 This will likely tie in to the risk-based approach. Chris Burd, 9/12/2008
9/12/2008 22
The Payment Application Data Security Standard
Maintain instructional documentation and training programs for customers, resellers, and integrators Encrypt all non-console administrative access
Encrypt sensitive traffic over public networks Facilitate secure remote access to application Facilitate secure remote software updates
Cardholder data must never be stored on a server connected to the Internet Facilitate secure network implementation
Test Applications to address vulnerabilities Protect wireless transmissions
Develop Secure Applications Log Application Activity Protect stored cardholder data Provide secure password features
Do not retain full magnetic strip, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
Fourteen Requirements…Protecting Payment Application Transactions
The PIN Entry Device Requirements
PIN Entry Device (PED) Requirements
• These requirements are divided into the following categories:
• Device Characteristics:
– Physical Security Characteristics – Logical Security Characteristics
• Device Management
• Device Management During Mft.
• Device Management Between Mft. and
Initial Key Loading
• Considers how the PED is produced, controlled, transported, stored and used throughout its life cycle. If the device is not properly managed, unauthorized modifications might be made to its
physical or logical security characteristics.
Slide 23
SC23 This will likely tie in to the risk-based approach. Sarah Cummins, 1/9/2008
PABP becomes PA-DSS
•PA-DSS is the Council-managed program formerly called the Payment Application Best Practices (PABP) under the supervision of Visa Inc.
•PA-DSS helps software vendors and others develop secure payment applications that do not store prohibited data and ensures their payment applications support compliance with the PCI DSS.
•Organizations must use applications certified under PA-DSS or grandfathered under PABP.
•The PA-DSS will be updated in October 2008 to version 1.2 and will reflect changes made in the next iteration of the PCI DSS.
PABP becomes PA-DSS
9/12/2008 25
Sample Clarifications
• Scope of PA-DSS: adds clarification
• Applicability to hardware
terminals: specifies criteria for
hardware exempt from review • Responsible Parties: identifies
responsibilities of:
• Vendors ; customers; resellers; payment brands; PCI SSC
• Completion Steps: provides
guidance to PA-QSAs on how to complete and submit
documentation
Sample Additions
• Requirement 2.1: provides
guidance on purging of cardholder data
• Requirement 7.2: adds testing procedures to address integrity during patches and updates • Appendix A: summarizes and
explains the PA-DSS
Implementation Guide
• Appendix B: tool for PA-QSAs to confirm status of lab environment and validation process in an
PIN Entry Device Requirements
Physical Attributes Logical Attributes
• Attributes that deter physical Attacks
– ex penetration of device to determine key(s)
– Planting a PIN disclosing bug within
• Logical security
characteristics include functional capabilities that preclude:
– Allowing device to output clear text PIN encryption key
The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and applies to devices (attended or unattended) that accept PIN entry for all PIN-based transactions as well as non-cardholder interface devices (hardware security modules)
PIN Entry Device Requirements
Device Types Under PED
• Traditional Devices include
– Point-of-sale PED Designed for Secure PIN Entry
– Attended devices (e.g., sales clerk, cashier) • New Devices scheduled for 2008 include
– Unattended Payment Terminals (UPTs)
• Fuel Pumps, Kiosks, Ticketing Machines – Hardware (or Host) Security Modules (HSMs)
• Non-cardholder interface
• Embedded devices that are used for:
– PIN translation, Card Personalization, Data Protection, Electronic Commerce
PIN Entry Device Requirements
• UPT Process/Requirements
– Evaluation process same as other PCI PED evaluation processes
– Vendor questionnaire
– Assessment performed by PCI approved lab – Security requirements broken down by:
• Core physical security • Core logical security • Additional online • Additional offline
PIN Entry Device Requirements
• UPT Security Requirements
– UPT is broken down into following key areas
• PIN pad – expected to be a PCI approved encrypting PIN pad • Separate card reader
• Customer display • UPT controller • UPT cabinet
• Additional cryptographic controller • Communication interface
– Security Requirements reflect which area should be assessed in order to meet the requirement
PIN Entry Device Requirements
• HSM Evaluations
– Structured like existing POS/EPP testing
• Security Requirements are physical and logical • Vendor questionnaire to complete
• Testing scripts
– Existing labs skill sets applicable
If you’re a manufacturer of HSM or UPT devices, join the Council as a Participating Organization!
9/12/2008 31
New SAQ Objectives
Self Assessment Questionnaires
• Alignment with the PCI DSS v1.1
• Based on industry feedback • Flexibility for multiple
merchant types
• Providing guidance for the intent and applicability of the underlying requirements
Self Assessment Questionnaire (SAQ) A
Self Assessment Questionnaire
SAQ Validation SAQ Validation
Type
Type DescriptionDescription SAQSAQ
1 Card-Not-Present (e-commerce or MO/TO) merchants, all
cardholder data functions outsourced. This would never apply to face to face merchants
A
<20 Questions
2 Imprint-only merchants with no cardholder data storage B
21 Questions
3 Stand alone dial-up terminal merchants, no cardholder data storage
4 Merchants with payment application systems connected to
the Internet, no cardholder data storage
C
38 Questions
5 All other merchants (not included in descriptions for SAQs
A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ
D
Full DSS
B
9/12/2008 33
Data Storage Clarification
New Application Level Requirement
• Addresses SQL injection, cross-site scripting and other application level attacks
• Complements existing requirements for secure coding of web applications (6.5) and application level penetration testing (11.3.2)
• Seeks to provide added assurance that sites are not vulnerable, by either of the following methods:
• Having all custom application code reviewed for common vulnerabilities by an
organization that specializes in application security.
• Installing an application layer firewall in front of web-facing applications
9/12/2008 35 Requirement 1:
Requirement 1: Install and maintain a Install and maintain a firewall to protect cardholder data
firewall to protect cardholder data Requirement 3:
Requirement 3: Protect stored dataProtect stored data Requirement 6:
Requirement 6: Develop and maintain Develop and maintain
secure systems and applications
secure systems and applications Requirement 8:
Requirement 8: Assign a unique ID to Assign a unique ID to
each person with computer access
each person with computer access Requirement 10:
Requirement 10: Track and monitor Track and monitor access to network and card data access to network and card data Requirement 11:
Requirement 11:Regularly test security Regularly test security systems and processes
systems and processes Requirement 12:
Requirement 12: Maintain a policy that Maintain a policy that addresses information security
addresses information security
Violations >50% Found During Forensic Investigations
Violations >50% Found During Forensic Investigations
Violations <50% Found During Forensic Investigations
Violations <50% Found During Forensic Investigations
Violations Found During Initial PCI DSS Audits
Violations Found During Initial PCI DSS Audits
Revisions for Consideration
Community Meeting
PHASED APPROACH
PHASED APPROACH
Input from Participating Organizations, QSA’s and ASV’s
Revised PCI Standard
Revised PCI Standard
Phase 1
Phase 2
Phase 3
9/12/2008
QSAs
• Organizations that validate an entity’s adherence to PCI DSS requirements are known as
Qualified Security Assessors (QSAs).
• Over 100 QSA companies • To find more about the
program:
– https://www.pcisecuritystandards.org/reso urces/qualified_security_assessors.htm
9/12/2008 39
Qualified Security Assessor Certification
• Apply as a company for qualification by providing documentation adhering to the Validation
Requirements for Qualified Security Assessors (QSA) v 1.1
• Qualify individual employees, through training and testing, to perform security assessments
• Execute agreement with the PCI Security Standards Council governing performance
ASVs • Organizations that validate adherence by performing
vulnerability scans of internet facing environments of
merchants and service providers are known as Approved Scanning Vendors (ASVs).
• Over 130 ASVs
• https://www.pcisecuritystandards.org/resources/approved _scanning_vendors.htm
9/12/2008 41
Approved Scanning Vendor Certification
Prospective ASVs
• Apply for approval by providing documentation
adhering to the Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1
• Successfully complete the security scanning vendor testing and approval process.
• Execute agreement with the PCI Security Standards Council governing performance
PED Vendors
• Organizations that manufacture PIN acceptance devices for use in the acceptance of PINs during a financial transaction using a
payment card
• Approximately seventy vendors with over 170 approved devices • https://www.pcisecuritystandards.
9/12/2008 43
PED Vendor Certification
• Download the Program Manual, Security Requirements
and supporting documents from www.pcisecuritystandards.org/pin
• Select a PCI recognized PED lab, enter evaluation
contract and NDA with selected lab
• Complete the PCI PIN Entry Device Security
Requirements forms and the PCI PIN Entry Device Evaluation Vendor Questionnaire
– Please see PCI SSC Website for complete approval process.
9/12/2008 45 Community Meeting Merchants Approved Scanning Vendors Service Providers Qualified Security Assessors Acquirers Brands
Community
Community
Meeting
Meeting
Community Meetings
• Two Meetings. Responsive to Industry
– Orlando, Fla., September 23-25
• Vendor Showcase opportunity
– Brussels, Belgium, October 21-23
• Program in conjunction with PCI Europe
Your Opportunity to Get Involved in Setting the
Global PCI Standards
Not Yet a Participating Organization?
Join Us At www.pcisecuritystandards.org
9/12/2008 47
North America
• When:
– Sept. 23 Pre Conference Workshop – Sept. 24 & 25 Main Conference
• Where:
Europe
• When:
– Joint Cocktail Reception with PCI Europe: October 21 – Main Conference: October 22
– Post Conference Workshop: October 23
• Where:
9/12/2008
Global Participation & Representation
More than 400 organizations have been accepted
United States 73% 2% 6% 2% 16% 1% Asia Pacific
Latin America/ Caribbean Europe
Central Europe /Middle East /Africa
9/12/2008 51 Participating Organizations Categories 34% Merchant 34% Merchant 41% Other 41% Other 8% Financial Institution 8% Financial Institution 15% Processor 15% Processor 2% Multiple 2% Multiple
Board Representation & Special Interest Groups Financial Institutions • Merchants • Gateways • Processors • Service Providers • EFT Networks • Associations • Vendors
A Seat at the Table
9/12/2008 53
Participating Organization Privileges
• Vote and Run for Participating Organization Board of Advisors
• Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release
• Attend Community Meetings
• Attend Quarterly Webinar Meetings
• Recommend new initiatives and standards • Early updates on upcoming press releases • Monthly bulletin from SSC General Manager
Reserve Your Seat at the Table
SC8Slide 53
SC8 Update for PO priviledges etc... SIGs
Merchant training
Free Community Meeting Sarah Cummins, 1/9/2008
9/12/2008 54
Board of Advisors
• Merchants
– British Airways, plc
– Exxon Mobil Corporation – McDonalds Corporation – Microsoft
– Tesco Stores Ltd. – Wal-Mart Stores, Inc.
• Associations & Vendors
– APACS
– EPC
– PayPal, Inc. – VeriFone, Inc.
• Processors
– Chase Paymentech Solutions – First Data Corporation
– Interac Association
– Moneris Solutions Corporation – SERVICIOS ELECTRONICOS
GLOBALES S.A. DE C.V. – TSYS Acquiring Solutions
• Financial Institutions
– Bank of America
– JP Morgan Chase and Co.
– Citibank N.A., Global Consumer Group – Commonwealth Bank of Australia
Roles and Responsibilities • Provide Feedback
– Set Strategy
– Emerging Security Issues – Additional Standards
– Evolving the Current Standard(s)
– Set Agenda/Programs for Community Meetings
• Time Commitments
– Face to Face Meetings (as needed) – Conference Calls (regularly scheduled)
• SME, Panelists, Moderator (Community Meetings/Webinars) • Regional & Business Category Market Feedback • Ad Hoc Working Groups
9/12/2008 56
Community Meeting Agenda Task Force
• Restructure Agenda • Define clear business models to use going forward • Members Include: •Paypal •TSYS Acquiring Solutions •Microsoft •RBS Outreach and Education Task Force
• Identify additional
marketing and educational needs, based on industry size, region, etc.
• Members Include:
•Walmart Stores Inc. •APACS
•British Airways
•First Data Corporation PA –DSS Task Force
• Develop Best Practices into to Industry Standards • Evolution of testing criteria in the applications • Driving Marketplace adoption • Members Include: •Paypal •Verifone •Moneris •JP Morgan Chase
Participating Organizations Associations
Associations
Financial Institutions
Financial InstitutionsPOS VendorsMerchantsMerchantsProcessorsProcessorsMerchantsOtherOtherOtherPOS VendorsOtherOtherProcessorsMerchantsOtherMerchantsMerchantsProcessors
For a full list:
9/12/2008 58
Need More Information?
• Go to:
www.pcisecuritystandards.org and find information on:
– Frequently Asked Questions
– PCI Documentation – Contact Information
