Introduction to PCI DSS


IBM

IBM 6/1/2015 Security Services Template

Agenda

PCI DSS History

What is PCI DSS? / PCI DSS Requirements

What is Cardholder Data?

What does PCI DSS apply to?

Payment Ecosystem

How is PCI DSS Enforced?


PCI DSS History

Visa developed the Cardholder Information Security Program (CISP) in 2001

MasterCard and other card providers started developing separate criteria

In 2004, Visa and MasterCard formally agreed to combine efforts

– Created the Payment Card Industry (PCI) Data Security Standard (PCI DSS)

PCI DSS 1.1 released September 2006

PCI DSS 1.2 released October 2008

PCI DSS 1.2.1 released July 2009

PCI DSS 2.0 released in October 2010


What is PCI DSS?


PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy


What is Cardholder Data?

• Cardholder data includes:

– Primary Account Number (PAN)

– Cardholder Name

– Service Code

– Expiration Date

• Sensitive authentication data includes:

– Full Magnetic Stripe

– CVC2/CVV2/CID/CAV2

– PIN / PIN Block

Cardholder data may be stored, but only the PAN must be masked when displayed (Req. 3.3) and rendered “unreadable” (Req. 3.4)

Sensitive authentication data may not be stored after authorization (Req. 3.2)

The PAN is the defining factor in the applicability of PCI DSS requirements.
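As an added illustration of Requirements 3.2 to 3.4 on this slide (example code, not IBM's), the Python below drops sensitive authentication data before a record is persisted, masks the PAN for display to the first six and last four digits that PCI DSS allows, and replaces the stored PAN with a keyed one-way hash; the record, field names and hash key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed post-authorization transaction record, as an application might
# hold it in memory before writing it to a database or log. The PAN and other
# values are made-up test data, not real card data.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "J. Example",
    "expiry": "12/27",
    "service_code": "201",
    "cvv2": "123",             # sensitive authentication data (SAD)
    "pin_block": "A1B2C3D4",   # SAD
}

# Sensitive authentication data listed on the slide: never stored after
# authorization (Req. 3.2), so it is dropped before the record is persisted.
SAD_FIELDS = {"track1", "track2", "cvc2", "cvv2", "cid", "cav2", "pin", "pin_block"}

# Assumed key for the keyed one-way hash. In a real deployment it must come
# from a key-management system, never from source code.
HASH_KEY = b"example-key-not-for-production"

def mask_pan(pan: str) -> str:
    """Mask a PAN for display (Req. 3.3): PCI DSS allows at most the first six
    and last four digits to be shown; everything between is replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def hash_pan(pan: str) -> str:
    """Render the PAN unreadable for storage (Req. 3.4) with a keyed one-way
    hash over the full PAN, so the stored value cannot be turned back into it."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: dict) -> dict:
    """Copy of the record that is safe to persist: SAD fields removed and the
    clear-text PAN replaced by its masked (display) and hashed (lookup) forms."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    pan = cleaned.pop("pan")
    cleaned["pan_masked"] = mask_pan(pan)
    cleaned["pan_hash"] = hash_pan(pan)
    return cleaned

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
```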


Who does PCI DSS apply to?

• Any entity that stores, processes and/or transmits cardholder data must comply with the PCI Data Security Standard (DSS).

• Additionally, any entities which provide services that could impact the security of cardholder data may have a PCI compliance obligation.

• Entities may include, but are not limited to, merchants and service providers.

• Applies to:

– Retail (online & brick & mortar)

– Hospitality (restaurants, hotel chains, etc.)

– Transportation (e.g. airlines, car rental, etc.)

– Financial Services (banks, credit unions, card processors, etc.)

– Energy (oil, gas, utilities, etc.)

– Healthcare/Education (hospitals, universities)

– Government (Federal, Provincial, Municipal)


Payment Ecosystem

[Diagram: participants in the payment ecosystem: Merchants, Acquirers / Processors, Service Providers, Payment Brand Networks]


How is PCI DSS Enforced?

[Diagram: enforcement chain: Merchants, Acquirers / Processors, Service Providers, Issuers, Payment Card Brands]


Benefits of Compliance

Compliance with the PCI DSS means that your systems are “secure”, and customers can trust you with their sensitive payment card information:

– Trust means your customers have confidence in doing business with you

– Confident customers are more likely to be repeat customers, and to recommend you to others

– Implementation of PCI DSS controls protects sensitive data, reduces the risk of compromise, and helps maintain your corporate reputation

Compliance improves your reputation with acquirers and payment brands

– These are the partners you need in order to do business

Compliance has indirect benefits as well:

– Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.

– The PCI DSS can help form the basis for a corporate security strategy

– Assets and processes developed for PCI Compliance can be leveraged generally across the organization as information security best practices


Non-Compliance Consequences

• If non-compliant and a breach occurs:

– Breached entity is liable for the acquirer/issuer's losses and card re-issuance costs

– Breached entity will likely have significant investigative and legal costs

– Possible fines or restrictions imposed by card brands (prohibiting future credit card processing)

– Repayment of losses may exceed the ability to pay and cause total failure of the organization

• Other potential consequences:

– Damaged brand reputation

– Negative publicity

– Loss of customers and corporate trust

– Penalties and fees levied by card brands for non-compliance

• Visa USA fining some non-compliant merchants $25K per month

• MasterCard’s fee structure for Level 1 & 2 merchants and service providers includes quarterly escalating fines of up to $25K, $50K, $100K, $200K.


IBM Capabilities

• IBM is a PCI QSA (Qualified Security Assessor), Approved Scanning Vendor (ASV), and PFI (PCI Forensic Investigator)

• IBM is authorized to certify organizations.

• 40+ Certified PCI QSAs across the different regions

• IBM cannot certify its own business units or services to avoid a conflict of interest. A third-party QSA company will have to be retained to obtain a certification


Questions?


Appendix


Defining a Cardholder Data Environment

• A critical strategic step in any PCI compliance initiative is formally defining a cardholder data environment.

• If a system stores, processes, or transmits cardholder data, it must be included in the cardholder data environment.

• The PCI DSS applies to any network component, server, or application that is included in or connected to the cardholder data environment.

• In “flat networks” where an organization does not pursue scope reduction strategies, the entire network is in scope of the PCI DSS assessment.


Defining a Cardholder Data Environment

• The CDE boundary is typically implemented via firewall rules or strong access control lists on the security device forming the boundary of the CDE – normally a firewall or a router with a firewall module capable of performing stateful inspection.

• In order to adequately form a boundary of the CDE, all inbound and outbound connectivity to the CDE must be limited to those specific ports and protocols required for the business.


Supporting Infrastructure

• It is important to consider systems outside of the CDE, which although they do not store, process, or transmit cardholder data, are still “connected to” the CDE.

• These may be systems which are providing security services to the CDE or which are simply allowed to communicate with the CDE.

• In each such case, such a “supporting system” must be evaluated in order to determine whether it should be considered in PCI scope as well. Ultimately, if the compromise of such a system outside of the CDE may impact the security of a system within the CDE or cardholder data, then it should be considered in PCI scope.


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
