Payment Card Industry Data Security Standard

N/A
N/A
Protected

Academic year: 2021

Share "Payment Card Industry Data Security Standard"

Copied!
42
0
0

Loading.... (view fulltext now)

Full text

(1)

Payment Card Industry

Data Security Standard

Abhinav Goyal, B.E.(Computer Science)

MBA Finance Final Trimester Welingkar Institute of Management

(2)

Credit Card

Credit Card Number Generator

(3)

Let’s Focus -1

• Issuer Identification Number
• Check digit (Luhn or Mod 10 check)
• Leaving 9 numbers is the account Number
• Arrangement 10^9 • 1 bn combinations
• Amex: 15 digits, Acc
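As an added example (not part of the presentation), the following Python splits a PAN into the three parts the slide names and runs the Luhn / mod 10 check on the check digit; it assumes a six-digit IIN, uses constructed test numbers rather than real cards, and adds a first-six/last-four masking helper for logs and receipts.

```python
from dataclasses import dataclass

IIN_LENGTH = 6  # assumption: the classic six-digit IIN (BIN) prefix


def luhn_valid(digits: str) -> bool:
    """Luhn / mod 10 check: True when the trailing check digit is consistent."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left: the check digit itself is not doubled, every
    # second digit after it is, and a doubled value above 9 has 9 subtracted.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PanParts:
    iin: str           # issuer identification number
    account: str       # 9 digits on a 16-digit PAN, 8 on a 15-digit Amex PAN
    check_digit: str
    luhn_ok: bool


def split_pan(pan: str) -> PanParts:
    """Decompose a 15- or 16-digit PAN into the parts named on the slide."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) not in (15, 16):
        raise ValueError("expected a 15-digit (Amex) or 16-digit PAN")
    return PanParts(digits[:IIN_LENGTH], digits[IIN_LENGTH:-1],
                    digits[-1], luhn_valid(digits))


def mask_pan(pan: str) -> str:
    """Mask a PAN for logs or receipts: first six and last four digits only."""
    digits = pan.replace(" ", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    # Constructed test PANs (Luhn-valid, Luhn-valid Amex, and a corrupted check digit).
    for sample in ("4539 1488 0343 6467", "3782 822463 10005", "4539 1488 0343 6468"):
        p = split_pan(sample)
        print(mask_pan(sample), p.iin, p.account, p.check_digit,
              "valid" if p.luhn_ok else "INVALID check digit")
```

A Luhn-valid number only means the digits were not mistyped or corrupted; it says nothing about whether a card exists or is active.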

(4)

Let’s Focus -2

CVV/ CSC/ CVV2

Amex 4 digit

(5)

Video: Case Study -1

• Carla Yorborough used to run SPANKY Restaurant.
• She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000.

(6)

Agenda

• Creation, Need & Reason
• History of PCI
• Overview of PCIDSS
• Card Security Programs
• 12 PCIDSS Requirements / 6 Control Objectives
• Merchant Levels
• Levels Compliance Validation
• Non Compliance Risks and Consequences
• Breach Risk and Consequences
• Recommendations
• Approved Assessor and Certifying Organizations
• Self Assessment Questionnaire
• Common PCI Myths
• Case Study

(7)

Who created it, the Need and the Reason

Creators
• American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International

Need - Attack on network, theft & misuse of cardholders’ info.

Reason - Reassurance to customer, proactive protection

(8)

History of PCI

• Each card brand had its own standard with different requirements (encryption strength etc.)
• In 2004 the PCI Security Standards Council was formed with 1 umbrella concept
• Level 1 merchants were required to be compliant by Dec. 31, 2007
• Level 2-4 merchants were required to be compliant by

(9)

Overview of PCI DSS

Prior to September 2004
• difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others

As fraud losses increased, card industry

(10)

Technology Age to PCIDSS

(11)

Overview of PCI DSS

• Applies to all merchants that “store, process, or transmit cardholder data”
• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
• Includes 12 requirements, based on

(12)

Card Security Programs

• The following programs incorporate PCI DSS:
• VISA: Cardholder Information Security Program (CISP)
• MasterCard: Site Data Protection (SDP) Program
• American Express: Data Security Requirements
• Discover: Discover Information Security and Compliance (DISC)

(13)

VISA Cardholder Information Security Program (CISP)

(14)
(15)

4. Understanding the 12 requirements of PCIDSS

(16)
(17)
(18)
(19)
(20)
(21)

3. How cards actually get stolen and used

(22)

Merchant levels

Merchant levels are based on the yearly transaction volume of the merchant
• Specific criteria for placement in merchant levels varies across card companies
• All merchants, regardless of level, must adhere to PCI DSS requirements
• Level into which merchant is placed determines PCI DSS compliance validation (and ultimately cost)

(23)

Merchant levels – Visa (Same for Master Card)

Level 1:
• merchants, regardless of acceptance channel, processing over 60,00,000 Visa transactions
• any merchant that has suffered a data compromise
• any merchant so selected by Visa
• any merchant identified by other card brand as

(24)

Merchant levels - Visa

Level 2:
• merchants, regardless of acceptance channel, processing 10,00,000 to 60,00,000 Visa transactions

Level 3:
• any merchant processing 20,000 to 10,00,000

(25)

Merchant levels - Visa

Level 4:
• any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
• all other merchants, regardless of acceptance

(26)

PCI DSS compliance validation

Level 1 merchants
• annual on-site assessment by Qualified Security Assessor (generates a report on compliance)
• quarterly network security scan by approved scan vendor

Level 2 and 3 merchants
• self-assessment questionnaire
• quarterly network security scan by approved

(27)

PCI DSS compliance validation

Level 4 merchants
• self-assessment questionnaire
• if required by acquirer
• quarterly network security scan by approved scan vendor

(28)

What are the implications of non compliance?

• Failure to prove compliance can carry severe penalties, including fines, increased transaction fees or losing the right to access a payment card network’s resources at any level. For example, in 2006, Visa levied $4.6 million in fines versus $3.4 million in 2005.
• Visa announced that merchants found to be storing sensitive credit card data will be subjected to fines up to $10,000 per month.
• American Express, on its side, is fining merchants up to $15,000 per day

(29)

Non Compliant Risk and Consequences

Visa – Regardless of level requirements
• 1st Violation: Up to $50,000 USD for rolling 12-month period
• 2nd Violation: Up to $100,000 USD for rolling 12-month period
• 3rd Violation: Visa’s discretion to refuse future transactions until compliant

(30)

Non Compliant Risk and Consequences

Master Card
• Level 1: Up to $25,000 USD annual fee per Merchant
• Level 2: Up to $5,000 USD annual fee per Merchant
• Level 3

(31)

Risks of non-compliance

Endangering customer information

Exposure could lead to:
• fines levied
• loss of merchant status
• elevations to Level 1 status (and resulting

(32)

Breach Risk and Consequences

Reputation Risk
• What will the impact be on your company’s brand?
• Mandatory involvement of federal law enforcement in investigation

Financial Risk
• $20 - $90 fine per credit card number that COULD have been exposed or compromised
• Civil liability and cost of providing ID theft protection

(33)

Breach Risk and Consequences

Compliance Risk

• Exposure to Level 1 validation requirements

Operational Risk
• Potential loss of card processing privileges

(34)

Some facts

• 84% of breaches are from merchants in Level II, III and IV
• 60% of people do not trade with merchants that are breached
• The criminals steal not only money but also

(35)

I am a merchant with no money

What I can do is
• Firewall
• Keep patches up to date
• Change passwords timely
• Turn off remote access
• Contact the POS vendor to check what information is getting saved

(36)

Approved assessor and certifying organizations

QSA stands for Qualified Security Assessor.
• It is a certification obtained by experienced security consultants
• Enables them to conduct the On-Site Data Security Assessment for PCI DSS
• Required to attend training by PCI every year and pass the exam.
• A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification.
• Some QSAs also maintain other certifications, for example ISO 27001 Lead Auditors.
• There are over 100 QSA companies.
• QSA Services: On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice.
• The cost to make an application PCI compliant averages about $100k.

PDF:5 List of Qualified Security Assessor

(37)

Self Assessment Questionnaire

https://www.pcisecuritystandards.org/saq/instructions.shtml

PDF:8 PCI_Self assessment questionaire_c

(38)

Some Common PCI Myths

One vendor and product will make us compliant

Outsourcing card processing makes us compliant

PCI compliance is an IT project

PCI will make us secure

(39)

Some Common PCI Myths

PCI is unreasonable and it requires too much

We don’t take enough credit cards to be compliant

We completed a SAQ so we’re compliant

(40)

Case Study Solution

Carla Yorborough used to run SPANKY Restaurant.

She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000.

(41)
(42)

Payment Card Industry

Data Security Standard

February 13th, 2010

Abhinav Goyal, B.E.(Computer Science)

MBA Finance Final Trimester Welingkar Institute of Management

References
