Payment Card Industry Data Security Standards
Discussion Objectives
Agenda
Introduction
PCI Overview and History
The Protiviti Difference
Questions and Discussion
PCI DSS Overview and History
Global Payment Card Statistics
• Issuers, merchants, and acquirers of credit, debit, and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year, according to The Nilson Report, a leading payment industry newsletter. Of that $11.27 billion, card issuers lost 63% and merchants and acquirers lost the other 37%.
• Fraud as a percentage of total volume was lowest for PIN-based debit networks worldwide at 1.10¢ per $100 in total volume. The global brand cards — Visa, MasterCard, American Express, UnionPay, Diners Club, and JCB — averaged fraud losses of 6.13¢ for every $100 in total volume.
• Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment.
• Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order because issuers can chargeback fraudulent transactions.
Source: http://www.nilsonreport.com/publication_chart_and_graphs_archive.php
Need for the Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that store, process or transmit credit card information maintain a secure environment.
The Payment Card Industry Data Security Standard (PCI DSS)
About PCI DSS
The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Source: http://www.pcicomplianceguide.org/pcifaqs.php#2
Chart: U.S. Purchase Volume - Consumer vs. Commercial Cards
PCI DSS Version 3.0
Build and Maintain a Secure Network and Systems
• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
• Protect all systems against malware and regularly update anti-virus software or programs.
• Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need to know.
• Identify and authenticate access to system components.
• Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.
Maintain an Information Security Policy
• Maintain a policy that addresses information security for all personnel.
Merchant Scope
• Any organization that enters into a Merchant processing agreement with an acquirer will typically be signing a contract requiring that the Merchant fully comply with operating regulations outlined by the Payment Card Brands (Visa, MasterCard etc.). This includes full compliance with all requirements outlined within the PCI DSS and the requirement to report that compliance annually, irrespective of the organization’s processing volumes.
– Failing to comply with the PCI DSS, be it 1 control or many, would therefore be considered a breach of contract and provides the opportunity for the acquirer to levy contract based penalties.
This could include fines or termination of the contract.
– In addition to contractual compliance penalties, the merchant services contract also allows the acquirer to recover costs applied to them by the card brands resulting from a breach of any CHD by the Merchant.
• These contractual requirements therefore necessitate that Merchants assess and report their compliance as a complete entity for all areas where they collect or process CHD. It does not provide the ability for a Merchant to assess compliance on individual business processes.
• While Merchants may choose to outsource aspects of their business that relate to the processing of Payment Card transactions or support of IT systems that store, process or transmit CHD, if the organization maintains the acquirer Merchant ID for those transactions, they retain responsibility for compliance with the PCI DSS.
Service Provider Scope
• Service Providers are any entity that performs functions on behalf of Merchants, Issuers, Acquirers, Card Brands or even other Service Providers related to protection of CHD.
– This could include the full development, support, maintenance and management of the entire CHD processing environment (such as occurs with Web Development and Hosting providers).
– It could be as small as providing local or remote support for an application on a desktop that is part of the CDE, or performing a process such as User Access Management or Vulnerability Scanning.
• Compliance with the PCI DSS and subsequent reporting by Service Providers is determined by their contracts with their customers. It is up to the customer to determine how to monitor the compliance of their Service Provider.
• The scope of a Service Provider’s PCI DSS compliance assessment is driven by:
– The CHD they store, process or transmit on behalf of their customer; or
– The system/process they support on behalf of their customer.
• Service Providers can assess services or products they provide individually to meet their customer’s requirements, rather than perform an entire PCI DSS assessment over their complete environment.
PCI DSS Version 3.0: Changes Overview
The core 12 security areas remain the same, but the updates include several new sub-requirements that did not exist previously.
The updated standards will help organizations not by making the requirements more prescriptive, but by adding more flexibility and guidance for integrating card security into their business-as-usual activities.
The changes will provide increased stringency for validating that these controls have been implemented properly, with more rigorous and specific testing procedures that clarify the level of validation the assessor is expected to perform.
Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.
Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights
The new standard Version 3 has brought with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem.
PCI DSS Version 3.0: Change Drivers
Common challenge areas and drivers for change include:
1. Lack of education and awareness around payment security
2. Weak passwords, authentication
3. Third-party security challenges
4. Slow self-detection, malware
5. Inconsistency in assessments
Source: Data Security Standard and Payment Application Data Security Standard: Version 3.0 Change Highlights
Key Takeaways
The bar for Segmentation is raised.
Point-to-point encryption as a more valuable scope reduction strategy:
• This technology encrypts card data at the point of swipe and maintains that encryption all the way to the processor, such that the merchant cannot ever decrypt the data.
• Use of point-to-point encryption remains one of the most effective ways to reduce PCI scope.
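As an added illustration, not code from the original deck or from Protiviti, the following Go program models the property the bullets above describe: the terminal encrypts the PAN under a key that the processor injected, the merchant environment only relays an opaque envelope and sees a truncated PAN, and only the processor can decrypt. AES-256-GCM from the Go standard library stands in for a real P2PE solution's key management; the function names, the terminal ID "TERM-0001", the demo key and the sample card numbers (4111 1111 1111 1111 and the 15-digit 3782 8224 6310 005, both standard test PANs) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Envelope is what leaves the terminal. The merchant's systems forward it
// unchanged; the only PAN-derived field they can read is MaskedPAN.
type Envelope struct {
	TerminalID string // tells the processor which injected key to use
	Nonce      []byte // fresh per transaction
	Ciphertext []byte // AES-GCM output, authentication tag included
	MaskedPAN  string // first six / last four, for receipts and merchant logs
}

// MaskPAN keeps the first six and last four digits and hides the rest,
// the truncated form that can be held outside the encrypted path.
func MaskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtSwipe runs inside the terminal. The key was injected by the
// processor before deployment; the merchant's own systems never hold it.
func EncryptAtSwipe(terminalID string, key []byte, pan string) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// The terminal ID is bound as associated data, so the envelope cannot be
	// re-labelled as coming from another terminal without detection.
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return Envelope{TerminalID: terminalID, Nonce: nonce, Ciphertext: ct, MaskedPAN: MaskPAN(pan)}, nil
}

// MerchantForward is the merchant environment's whole role: relay the
// envelope and record the masked PAN. Holding no key, that is all it can see.
func MerchantForward(env Envelope) string {
	return env.MaskedPAN
}

// ProcessorDecrypt runs at the processor, the only party holding terminal keys.
func ProcessorDecrypt(keys map[string][]byte, env Envelope) (string, error) {
	key, ok := keys[env.TerminalID]
	if !ok {
		return "", errors.New("unknown terminal: no key on file")
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TerminalID))
	if err != nil {
		return "", fmt.Errorf("authentication failed, envelope altered or wrong key: %w", err)
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real terminals receive unique injected keys
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	env, err := EncryptAtSwipe("TERM-0001", key, "4111111111111111") // standard test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:", MerchantForward(env))
	pan, err := ProcessorDecrypt(map[string][]byte{"TERM-0001": key}, env)
	fmt.Println("processor recovers:", pan, err)
	env.Ciphertext[0] ^= 1 // any alteration in transit is detected by the GCM tag
	_, err = ProcessorDecrypt(map[string][]byte{"TERM-0001": key}, env)
	fmt.Println("after tampering:", err)
}
```

The scope-reduction argument rests on the merchant side holding no decryption key at all: everything between the terminal and the processor handles only the envelope and the masked PAN, which is why a compliant P2PE deployment can take those systems out of the cardholder data environment.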
1. Merchants and service providers alike will require time to address these new requirements and expanded scoping.
2. Nevertheless, those entities that are able to implement the new rules effectively can gain competitive advantage and ensure better protection of personal payment information, as well as avoid serious reputational harm caused by unauthorized exposure of customers’ credit card data.
3. The changes in PCI DSS 3.0 are likely to result in significant additional effort for companies processing credit card payments.
Source: INFORMATION TECHNOLOGY FLASH REPORT-Understanding PCI DSS Version 3.0 – Key Changes and New Requirements