PCI Security Standards Council
Agenda
• Why PCI
• Applying PCI
• How You Can Participate
About the PCI Council
Open, global forum
Founded 2006
Guiding open standards for payment card security
• Development
• Management
• Education
PCI: Architecture for Payment Card Security
5 major card brands drive efforts for
Your Card Data is a Gold Mine for Criminals
Types of Data on a Payment Card
• Chip
• PAN (Primary Account Number)
• Expiration date
• Magnetic stripe (data on tracks 1 & 2)
• CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa)
• CID (American Express)
PCI Security Standards Suite: an ecosystem of payment devices, applications, infrastructure and users
• Manufacturers: PCI PTS (PIN entry devices)
• Software developers: PCI PA-DSS (payment applications)
• Merchants & service providers: PCI DSS (secure environments)
• P2PE
PCI Security & Compliance
EMV Helps Reduce Face-to-Face Fraud
Countries that have implemented EMV have reported a decrease in card fraud. According to the UK Cards Association, “Fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999.”*
*Smart Card Alliance EMV FAQ
EMV by itself does not protect the confidentiality of, or prevent inappropriate access to, sensitive authentication data and/or cardholder data in card-not-present or Internet transactions.
Business Sectors With the Most Breaches
• Retail 45%
• Food & Beverage 24%
• Hospitality 9%
• Financial Services 7%
• Nonprofit 3%
• Health & Beauty 2%
• High Technology 2%
• Other 8%
Organisations Ignored PCI … and Were Breached
96% of those breached were not PCI compliant as of their last assessment (or were never assessed/validated)
Top attack methods used to breach organizations:
• 81% of incidents involved hacking
• 69% incorporated malware
Top Mistakes By Those Breached
Revealed by Forensic Audits
• Weak Passwords
• Lack of employee education
• Security deficiencies introduced by third parties responsible for system support, development and/or maintenance
Why we fail to maintain secure environments
• Lack of awareness by IT practitioners
• Lack of incentive to keep security a primary focus
• Quickly evolving technology landscape
• Rapid development and distribution of new solutions
• Continued unnecessary exposure of cardholder data (CHD)
PCI Standards Help Secure Your Data
92% of compromises were simple
97% were avoidable through simple or intermediate controls
The PCI Data Security Standard
Six Goals
Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information
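Requirements 3 and 10 together mean that a full PAN must never be written to application or system logs, and that anything displayed is masked to at most the first six and last four digits. The following Python is an added example, not Council material: it scans log lines for digit runs shaped like a PAN, uses the Luhn check digit to discard runs that are merely order or tracking numbers, and rewrites the lines with the PAN masked. The sample log lines are constructed (the card numbers are published test numbers), and the helper names and the masking policy (keep first six and last four, the PCI DSS 3.3 display maximum) are assumptions made here.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not glued to other digits (so a 20-digit ID is not cut into a "PAN").
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check, the check-digit scheme used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Assumed masking policy: keep first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalise(candidate):
    """Strip the separators a human-formatted PAN may carry."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the digits-only PANs in text: right length and Luhn-valid."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line):
    """Replace every Luhn-valid PAN-shaped run in one log line by its masked form."""
    def _sub(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # non-PAN numbers (order IDs, timestamps) stay as they are
    return CANDIDATE_RE.sub(_sub, line)


def redact_log(lines):
    return [redact_line(line) for line in lines]


# Constructed sample log lines (not real traffic). The first and third carry
# published test-card numbers; the second carries a 16-digit order ID that
# happens to fail the Luhn check and therefore must not be touched.
SAMPLE_LOG = [
    "2013-05-01T10:14:03Z INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2013-05-01T10:14:04Z INFO order id=1234567890123456 shipped",
    "2013-05-01T10:14:05Z WARN retry for 5555-5555-5555-4444 after timeout",
]

if __name__ == "__main__":
    for clean in redact_log(SAMPLE_LOG):
        print(clean)
```

Running it prints the three lines with the two real PANs reduced to `411111******1111` and `555555******4444` and the order ID untouched. The Luhn test is what keeps the false-positive rate usable on real logs; without it every 16-digit identifier would be redacted, and operators would soon switch the filter off.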
PCI Standards for Applications & Devices
PIN Transaction Security (PTS)
• Addresses characteristics & management of devices for processing payment cards
• PTS is followed by device manufacturers
• Merchants must use validated PTS devices
Payment Application Data Security Standard (PA-DSS)
• Addresses applications for payment, authorisation and settlement
• PA-DSS is followed by software developers
Getting Ready for PCI 3.0
2013 Focus: Updating PCI Standards and supporting
The Bottom Line
Compliance Doesn’t Equal Security
Applying PCI in Your Environment
• Virtualisation
• Mobile
• EMV
• ATM
• Tokenisation
• P2PE
Areas of Focus for Mobile
• Devices: tamper-responsive PTS devices (e.g. SCR, secure card reader) using P2PE
• Applications: requirements and/or best practices for authorisation and settlement
• Service providers: service provider protection of cardholder data and validation
Mobile payments and the PCI Council
• Identified mobile applications that can be validated to PA-DSS
• Published merchant guidance for ‘mobile’ solutions leveraging P2PE
• Developed best practices for
Guidance on Mobile
New Mobile Guidance for Merchants
Guidance for merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments, including:
• Objectives and guidance for the security of a payment transaction
• Guidelines for securing the mobile device
• Guidelines for securing the payment acceptance
Point-to-Point Encryption
• Available to all members of the payment chain
• Also called “P2PE”
• Optional standard for decreasing PCI DSS scope
• PCI P2PE hardware/hardware requirements (encryption and decryption both performed in hardware) available
• PCI P2PE “Hybrid” requirements available
Tokenisation
Work on tokenisation standards has begun. Goals:
• Ensure that the process of creating a token from a PAN doesn’t leak information about the PAN
• Ensure that a token, or a collection of tokens, by itself cannot feasibly allow discovery of the PAN
• Ensure that adequate controls exist over the de-tokenisation process
• Ensure that a token cannot be used in lieu of a PAN for impermissible purposes
[Diagram: PAN mapped to token]
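The four goals above are easy to state and easy to get wrong. The Python below is an added example, not Council code or any vendor's product. It first builds a "token" as an unkeyed, truncated SHA-256 of the PAN and shows how an attacker who knows the issuer BIN (first six digits) and the last four digits, the part PCI DSS permits to be displayed, recovers the full PAN from that token with about 10^5 hash evaluations, because the Luhn check digit fixes one of the six unknown digits. It then shows a vault that draws tokens at random, keeps only the last four digits, rejects tokens that happen to be Luhn-valid so they cannot pass as a PAN, and gates de-tokenisation on the caller's role. The PAN (a well-known Visa test number), the role names, the token format and the in-memory vault are assumptions made for the example.

```python
import hashlib
import itertools
import secrets


def _luhn_weight(digit, doubled):
    if doubled:
        digit *= 2
        return digit - 9 if digit > 9 else digit
    return digit


def luhn_valid(pan):
    """Luhn mod-10 check used by payment card PANs."""
    total = sum(_luhn_weight(int(c), i % 2 == 1) for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


# --- Weak scheme: a deterministic, unkeyed hash of the PAN -----------------

def weak_token(pan):
    """Token = first 16 hex chars of SHA-256(PAN). Anyone holding the token can test guesses."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def candidate_pans(bin6, last4):
    """Every Luhn-valid 16-digit PAN with the given first six and last four digits.

    Five of the six middle digits are enumerated; the sixth (position 11 from
    the left, an undoubled position in the Luhn sum) is solved, so 10^5
    candidates are produced instead of 10^6.
    """
    for free in itertools.product("0123456789", repeat=5):
        prefix = bin6 + "".join(free)
        partial = prefix + "0" + last4          # the placeholder 0 contributes nothing
        s = sum(_luhn_weight(int(c), i % 2 == 1) for i, c in enumerate(reversed(partial)))
        yield prefix + str((-s) % 10) + last4


def recover_pan(token, bin6, last4):
    """Invert weak_token() by brute force over the reduced candidate space."""
    for pan in candidate_pans(bin6, last4):
        if weak_token(pan) == token:
            return pan
    return None


# --- Vault: random tokens, nothing derived from the PAN --------------------

class TokenVault:
    """Toy vault keeping the token -> PAN map in memory.

    A real vault is a separately secured system with encrypted storage; the
    structure of tokenize()/detokenize() is what the example is about.
    """

    DETOKENIZE_ROLES = {"settlement", "chargeback"}     # assumed roles allowed to see PANs

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a PAN")
        if pan in self._by_pan:                         # same PAN, same token
            return self._by_pan[pan]
        while True:
            # Twelve random digits plus the real last four: the random part is
            # the only source of the token, so it carries no information about the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            # A Luhn-valid token could be submitted as a card number by mistake
            # or on purpose; reject those so the token fails any PAN check.
            if luhn_valid(token) or token in self._by_token:
                continue
            self._by_token[token] = pan
            self._by_pan[pan] = token
            return token

    def detokenize(self, token, role):
        """Controlled de-tokenisation: only named roles may map a token back."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not de-tokenise")
        return self._by_token[token]


if __name__ == "__main__":
    pan = "4111111111111111"                    # published test number, not a live card
    weak = weak_token(pan)
    print("weak token", weak, "recovers", recover_pan(weak, pan[:6], pan[-4:]))
    vault = TokenVault()
    t = vault.tokenize(pan)
    print("vault token", t, "luhn-valid:", luhn_valid(t))
```

The recovery step is the point of the first goal: a token derived from the PAN by a public function lets a thief confirm guesses offline, and the card's own structure (known BIN, displayed last four, Luhn) shrinks the guess space to a fraction of a second of work. A keyed hash (HMAC) removes the offline attack but is still deterministic, so anyone who can submit PANs to the tokeniser can test guesses against stored tokens; that is why random tokens mapped through a vault are the usual answer. The Luhn-invalid token and the role check on `detokenize()` cover the last two goals in the list.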
2013 Training Highlights
• Online Internal Security Assessor (ISA) Training
• P2PE Assessor Training
• Corporate PCI Awareness – Let Us Come To You!
• Online Awareness Training in Four Hours
• Qualified Integrators and Resellers (QIR)™ Program
• PCI Professional Program (PCIP)™
QIR Addresses Common Misconceptions
• “I’m using a PA-DSS validated application, so I must be OK.”
• “I’m using a ‘reputable’ 3rd party, so they must be doing a secure installation.”
Payment Card Industry Professional (PCIP)™
• Support your organisation
• Professional credibility
• Competitive advantage
• Global directory
Internal Security Assessor (ISA) Program
A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for!
• Improves your understanding of PCI DSS and compliance procedures
• Helps your organisation build internal expertise
PCI Awareness Training
• Team building
• Convenience
• Cost
How You Can Participate
Chief Security Officers, Information Security Professionals, Compliance Officers, Investigators, Forensic Technologists, IT Managers, Risk Managers, Chief Information Officers, Legal Experts, Data Security Experts
Join! Become a Participating Organisation today
PCI SSC Special Interest Groups (SIG)
New SIG Guidance – PCI DSS Risk Assessment
Go to our website today to download these new guidelines!
https://www.pcisecuritystandards.org/index.php
Guidance for choosing the risk assessment approach that works best for your business to secure your card data
New SIG Guidance – eCommerce
New SIG Guidance – Cloud
Best Practices for Maintaining PCI Compliance
Third Party Security Assurance