PCI DSS. Payment Card Industry Data Security Standard.

Academic year: 2021


Payment Card Industry Data Security Standard (PCI DSS)

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit card brands. The standard is designed to enhance cardholder data security. Regardless of their size, organizations that process payment card information must be PCI DSS compliant. Achieving PCI DSS compliance secures the business, increases customer confidence and is a clear indicator of protection when handling sensitive customer data.

American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. formed the PCI SSC (PCI Security Standards Council) in 2006. The council is responsible for administering, revising, managing, and promoting adoption of PCI DSS.

PCI DSS is mandatory for entities processing, transmitting or storing cardholder data. This includes acquirers, banks, service providers such as payment gateways, data centers and merchants.

Non-Compliant and Suffer a Breach?

• Acquirers may ask merchants to cease credit card transactions
• Forensic audit: a QSA team comes on-site to determine the cause of the breach
• Remediation actions can take 90-120 days to complete
• The merchant is responsible for all costs, $80-100K on average
• Breaches are public knowledge; brand image is tarnished

Infographic statistics (the values are not present in the extracted text):

• Breached businesses that are out of business within one year of the attack
• Breaches that originate from organized criminal groups
• Small businesses that will suffer a credit card breach in the next 24 months
• Average direct cost of a data breach
• Average days between intrusion and detection

Risk Management

Risk has many interpretations, and is often used to describe dangers or threats to a particular person, environment, or business. Understanding risk includes understanding the different elements and how they fit together. For example, considerations from a business perspective may include:

• What are the different types of threats to the organization?
• What are the organization’s assets that need protecting from the threats?
• How vulnerable is the organization to different threats?
• What is the likelihood that a threat will be realized?
• What would be the impact if a threat was realized?
• How can the organization reduce the likelihood of a threat being realized, or reduce the impact if it does occur?

Who Has to Comply?

PCI DSS applies to:

• Merchants
• Service Providers (TPPs, gateways)

that:

• Store cardholder data
• Transmit cardholder data
• Process cardholder data

Standards & Requirements

The consolidation of the individual payment card brands’ security programs offers the best available framework to guide better protection of cardholder data, resulting in a comprehensive security baseline of:

• 6 Control Objectives
• 12 Core Requirements
• ~375 Audit Procedures

Compliance requirements apply to the entire “cardholder data environment”, comprised of the people, processes and technology that store, process, or transmit payment card data.

The PCI Security Standards Council recognizes the TÜV Rheinland Group as a QSAC (Qualified Security Assessor Company). To fully leverage cardholder data security through PCI DSS compliance, ask our experts. We will be glad to help your organization reach full compliance with the standards and regulations for safe and secure credit card transactions.

Compliance Roadmap

The roadmap is a cycle of five stages: Collect, Review, Improve, Measure and Renew.

How to Comply?

PCI DSS provides a baseline of technical and operational controls that work together to provide a defense-in-depth approach to the protection of cardholder data. Risk assessments provide valuable information to help organizations determine whether additional controls are necessary to protect their sensitive data and other assets. In order to achieve compliance with the PCI DSS, an organization must meet all applicable PCI DSS requirements.

Merchant Levels & Validation

PCI compliance levels are categorized by the number of transactions processed annually. Understanding which PCI compliance level applies to your business is the first step in assuring that your PCI compliance audits will be as simple as possible.

Level   Transaction Volume (annual)   Validation
1       > 6 Mio                       Onsite QSA audit, by a QSA/ISA
2       1 – 6 Mio                     Self Assessment Questionnaire (SAQ)
3       20K – 1 Mio                   Self Assessment Questionnaire (SAQ)
4       All other merchants           Self Assessment Questionnaire (SAQ)

For all levels: Authorized Scanning Vendor (ASV) scan, security awareness training, policy review and acceptance.

Requirements

• Build and Maintain a Secure Network: Firewall Management; Vendor Default Controls
• Protect Cardholder Data: Data Protection; Data Transmission Encryption
• Maintain a Vulnerability Management Program: Anti-virus Control; System & Application Security
• Implement Strong Access Control Measures: Data Access Control; Personal Access Control; Physical Access Control
• Regularly Monitor and Test Networks: Data & Network Access Controls; Security Testing
• Maintain information

Vulnerability Assessment and Penetration Test

Vulnerability Assessment focuses on IT infrastructure, network and application:

Whitebox Penetration Test: performed with the involvement of your IT staff, who monitor and evaluate the work and results of the audit. The audit is done from within the agency or evaluated institution.

Blackbox Penetration Test: performed without involving your IT staff. The audit is done from outside the agency or evaluated institution; the test is generally done against the published web applications of the enterprise, its vendors and its clients.

Test Target:

• Network components
• Servers incl. database
• Applications
• Segmentation interface

Results of Audit:

• Executive Summary
• Technical Report
• Solution and Remedial

Quarterly & Annual Schedules

• Internal and external vulnerability assessments need to be performed quarterly
• A clean ASV scan report is mandatory every quarter to comply with PCI DSS
• A workflow would be set up to schedule the quarterly scans
• Internal and external penetration tests need to be performed annually
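As an added illustration of the quarterly and annual schedule above (example code, not from the brochure or from TÜV Rheinland's tooling), the following checks a scan history for a clean ASV scan in each of the last four calendar quarters and for a penetration test within the last year; the dates and pass/fail results are constructed sample data.

```python
from datetime import date

# Constructed sample data: (scan date, scan passed). A failed scan followed by a
# clean rescan in the same quarter still satisfies the "clean scan every quarter" rule.
ASV_SCANS = [
    (date(2021, 1, 15), True),
    (date(2021, 4, 20), False),   # failed; remediated and rescanned below
    (date(2021, 5, 3), True),
    (date(2021, 7, 9), True),
    # no scan at all in Q4 2021
]
PEN_TESTS = [date(2020, 11, 2)]   # constructed: last annual penetration test


def quarter_of(d):
    """Map a date to its calendar quarter as (year, quarter)."""
    return (d.year, (d.month - 1) // 3 + 1)


def last_four_quarters(as_of):
    """The four calendar quarters ending with the one containing as_of, oldest first."""
    year, quarter = quarter_of(as_of)
    quarters = []
    for _ in range(4):
        quarters.append((year, quarter))
        quarter -= 1
        if quarter == 0:
            year, quarter = year - 1, 4
    return list(reversed(quarters))


def quarters_without_clean_scan(scans, as_of):
    """Quarters in the last year that have no passing ASV scan on or before as_of."""
    clean = {quarter_of(d) for d, passed in scans if passed and d <= as_of}
    return [q for q in last_four_quarters(as_of) if q not in clean]


def pentest_overdue(pen_tests, as_of, max_age_days=365):
    """True when no penetration test was completed within max_age_days of as_of."""
    done = [d for d in pen_tests if d <= as_of]
    return not done or (as_of - max(done)).days > max_age_days


def compliance_status(scans, pen_tests, as_of):
    """Summarise the quarterly/annual obligations as a dict a dashboard could display."""
    missing = quarters_without_clean_scan(scans, as_of)
    overdue = pentest_overdue(pen_tests, as_of)
    return {"missing_clean_scan_quarters": missing,
            "pentest_overdue": overdue,
            "ok": not missing and not overdue}


if __name__ == "__main__":
    print(compliance_status(ASV_SCANS, PEN_TESTS, date(2021, 12, 10)))
```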

Compliance Management

PCI DSS version 3 intends to make compliance a continuous process, a business-as-usual approach. Maintaining compliance throughout the year is a demanding task involving oversight of hundreds of documents and approvals.

To simplify this process, a GRC tool has been developed which reduces the time and complexity needed to review, process and report compliance status. PCM is a one-stop portal to manage documentation, role assignment, workflow alerts, escalation and audit readiness on a continuous basis.

Methodology Reference

• OSSTMM (Open Source Security Testing Methodology Manual)
• ISSAF (Information System Security Assessment Framework)
• NIST SP800-115 (National Institute of Standards and Technology)
• OWASP Testing Guide (Open Web Application Security Project)

Services

Information Security Service Portfolio

Gap Analysis

Identify non-compliance issues, discover vulnerabilities, explore segmentation potential and draw up a detailed compliance plan.

Training

Holding trainings/workshops on PCI compliance, attack vectors, policies/SOPs/forms, vendor management, risk assessment, incident response and business continuity.

Compliance Audit

PCI DSS compliance assessment with a real-time dashboard. Report on Compliance (RoC), Attestation of Compliance (AOC), Testmark, certificate or validation of the Self Assessment Questionnaire (SAQ).

Remediation & Consulting

• Minimizing CHDE footprint
• Documentation development
• On-site/Off-site support
• Mitigating risks
• All requirements covered

Vulnerability Assessment

Internal and external vulnerability assessment and penetration testing; and ASV scan.

Compliance Management

GRC tool with PCI DSS workflow alerts, documentation, role assignments, review and dashboard. Deployed on-site with migration support.
