Payment Card Industry
Data Security Standard
Abhinav Goyal, B.E.(Computer Science)
MBA Finance Final Trimester Welingkar Institute of Management
Credit Card
• Credit Card Number Generator
Let’s Focus -1
• Issuer Identification Number
• Check digit (Luhn or Mod 10 check)
• The remaining 9 digits are the account number
• Arrangement 10^9 • 1 bn combinations • Amex: 15 digits, Acc
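The slide describes the three parts of a card number and the Mod 10 check digit. The following Python is an added example written for this page (it is not from the deck or from the card brands); it assumes the common layout of a 6-digit IIN, an account number and one trailing check digit, and the card numbers it uses are publicly published test values, not real cards.

```python
"""Card number (PAN) structure and the Luhn / Mod 10 check digit.

Added example for the 'Let's Focus -1' slide; not part of the original deck.
Assumes the usual layout: 6-digit IIN + account number + 1 check digit.
The PANs used below are public test numbers, not real cards.
"""


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: walking from the right, double every
    second digit (starting with the second from the right), subtract 9
    when the doubled value exceeds 9, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """A PAN passes the Mod 10 check when all its digits, check digit
    included, sum to a multiple of 10."""
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit to append to `payload` (IIN + account number) so the
    full PAN is Luhn-valid. Appending a placeholder '0' puts the payload
    digits in the same positions they occupy in the finished PAN."""
    return (10 - luhn_sum(payload + "0") % 10) % 10


def make_pan(iin: str, account: str) -> str:
    """Assemble IIN + account number + Luhn check digit."""
    payload = iin + account
    return payload + str(luhn_check_digit(payload))


def split_pan(pan: str) -> dict:
    """Break a valid PAN into the fields the slide names: the 6-digit IIN,
    the account number (9 digits on a 16-digit card, 8 on a 15-digit Amex)
    and the trailing check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    return {"iin": pan[:6], "account": pan[6:-1], "check": pan[-1]}


if __name__ == "__main__":
    # Public test numbers (a 16-digit Visa and a 15-digit Amex).
    for pan in ("4111111111111111", "378282246310005"):
        print(pan, luhn_valid(pan), split_pan(pan))
    # A single-digit typo breaks the Mod 10 check.
    print("4111111111111112", luhn_valid("4111111111111112"))
    print(make_pan("411111", "111111111"))
```

The check digit is an integrity check, not a secret: it catches every single-digit error and most adjacent transpositions, which is why a "number generator" can produce Luhn-valid strings at will. Passing Luhn says nothing about whether a number was ever issued, so it is useful for filtering typos and false positives, never as evidence that a card is genuine.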
Let’s Focus -2
• CVV/ CSC/ CVV2
• Amex 4 digit
Video: Case Study -1
• Carla Yorborough used to run SPANKY Restaurant.
• She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000.
Agenda
• Creation, Need & Reason
• History of PCI
• Overview of PCIDSS
• Card Security Programs
• 12 PCIDSS Requirements, 6 control Objectives
• Merchant Levels
• Levels Compliance Validation
• Non Compliance Risks and Consequences
• Breach Risk and Consequences
• Recommendations
• Approved Assessor and Certifying Organizations
• Self Assessment Questionnaire
• Common PCI Myths
• Case Study
Who created it, the need and the reason
• Creators: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International
• Need: attacks on networks, theft & misuse of cardholders' info.
• Reason: reassurance to customers, proactive protection
History of PCI
• Each card brand had its own standard with different requirements (encryption strength etc.)
• In 2004 the PCI Security Standards Council was formed with 1 umbrella concept
• Level 1 merchants were required to be compliant by Dec. 31, 2007
• Level 2-4 merchants were required to be compliant by
Overview of PCI DSS
• Prior to September 2004
• difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others
• As fraud losses increased, card industry
Technology Age to PCIDSS
Overview of PCI DSS
• Applies to
• all merchants that “store, process, or transmit cardholder data”
• all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
• Includes 12 requirements, based on
Card Security Programs
• The following programs incorporate PCI DSS:
• VISA
• Cardholder Information Security Program (CISP)
• MasterCard
• Site Data Protection (SDP) Program
• American Express
• Data Security Requirements
• Discover
• Discover Information Security and Compliance (DISC)
VISA Cardholder Information Security Program (CISP)
4. Understanding the 12 requirements of PCIDSS
3. How actually cards get stolen and used
Merchant levels
• Merchant levels are based on yearly transaction volume of merchant
• Specific criteria for placement in merchant levels varies across card companies
• All merchants, regardless of level, must adhere to PCI DSS requirements
• Level into which merchant is placed determines PCI DSS compliance validation (and ultimately cost)
Merchant levels – Visa (Same for Master Card)
• Level 1:
• merchants, regardless of acceptance channel, processing over 60,00,000 Visa transactions
• any merchant that has suffered a data compromise
• any merchant so selected by Visa
• any merchant identified by other card brand as
Merchant levels - Visa
• Level 2:
• merchants, regardless of acceptance channel, processing 10,00,000 to 60,00,000 Visa transactions
• Level 3:
• any merchant processing 20,000 to 10,00,000
Merchant levels - Visa
• Level 4:
• any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
• all other merchants, regardless of acceptance
PCI DSS compliance validation
• Level 1 merchants
• annual on-site assessment by Qualified Security Assessor (generates a report on compliance)
• quarterly network security scan by approved scan vendor
• Level 2 and 3 merchants
• self-assessment questionnaire
• quarterly network security scan by approved
PCI DSS compliance validation
• Level 4 merchants
• self-assessment questionnaire
• if required by acquirer
• quarterly network security scan by approved scan vendor
What are the implications of non-compliance?
• Failure to prove compliance can carry severe penalties, including fines
• increased transaction fees or losing the right to access a payment card network’s resources at any level.
• For example, in 2006, Visa levied $4.6 million in fines versus $3.4 million in 2005.
• Visa announced that merchants found to be storing sensitive credit card data will be subjected to fines up to $10,000 per month.
• American Express, on its side, is fining merchants up to $15,000 per day
Non Compliant Risk and Consequences
• Visa – Regardless of level requirements
• 1st Violation
• Up to $50,000 USD for rolling 12-month period
• 2nd Violation
• Up to $100,000 USD for rolling 12-month period
• 3rd Violation
• Visa’s discretion to refuse future transactions until compliant
Non Compliant Risk and Consequences
• Master Card
• Level 1
• Up to $25,000 USD annual fee per Merchant
• Level 2
• Up to $5,000 USD annual fee per Merchant
• Level 3
Risks of non-compliance
• Endangering customer information
• Exposure could lead to:
• fines levied
• loss of merchant status
• elevations to Level 1 status (and resulting
Breach Risk and Consequences
• Reputation Risk
• What will the impact be on your company's brand?
• Mandatory involvement of federal law enforcement in investigation
• Financial Risk
• $20 - $90 fine per credit card number that COULD have been exposed or compromised
• Civil liability and cost of providing ID theft protection
Breach Risk and Consequences
• Compliance Risk
• Exposure to Level 1 validation requirements
• Operational Risk
• Potential loss of card processing privileges
Some facts
• 84% of breaches are from merchants in Level II, III and IV
• 60% of people do not trade with merchants that are breached
• The criminals steal not only money but also
I am a merchant with no money
• What I can do is
• Firewall
• Keep patches
• Change passwords timely
• Turn off remote access
• Contact POS to check what information is getting saved
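The last item, checking what the POS is actually saving, and the earlier "Let's Focus" slides on the PAN and CVV are served by one added example below. It is written for this page (it is not code from the deck or from any POS vendor); the log lines are constructed, the field names `pan=` and `cvv=` are an assumption about how a POS might log a sale, and the first-six/last-four mask is the display form PCI DSS permits.

```python
"""Find card data that a POS or application log is saving.

Added example for the 'Contact POS to check what information is getting
saved' item; not part of the original deck. SAMPLE_LOG is constructed for
the example, and the 'pan=' / 'cvv=' field names are assumptions about one
possible log format. The card numbers are public test values.
"""
import re

SAMPLE_LOG = """\
2010-02-13 10:01:02 POS sale ok pan=4111111111111111 amt=42.10
2010-02-13 10:02:11 POS sale ok pan=378282246310005 cvv=1234 amt=8.00
2010-02-13 10:03:30 POS refund ref=1234567890123 amt=5.00
"""

# 13 to 19 consecutive digits that are not part of a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# A CVV / CSC field with a 3- or 4-digit value (4 digits on Amex).
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|csc)\s*[=:]\s*(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Mod 10 check, used here to tell a card number from a reference
    number of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the middle."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _mask_if_pan(m: "re.Match") -> str:
    run = m.group()
    return mask_pan(run) if luhn_valid(run) else run


def scan_log(text: str):
    """Return (findings, scrubbed_text).

    findings is a list of (line_no, kind, masked_value) where kind is
    'PAN' for a Luhn-valid card number or 'CVV' for a stored security
    code. Digit runs that fail Luhn are left alone so order and reference
    numbers are not reported as cards. scrubbed_text is the same log with
    PANs masked and CVV values removed."""
    findings = []
    scrubbed = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in DIGIT_RUN.finditer(line):
            if luhn_valid(m.group()):
                findings.append((n, "PAN", mask_pan(m.group())))
        for m in CVV_FIELD.finditer(line):
            findings.append((n, "CVV", "***"))
        line = DIGIT_RUN.sub(_mask_if_pan, line)
        line = CVV_FIELD.sub(lambda m: f"{m.group(1)}=***", line)
        scrubbed.append(line)
    return findings, "\n".join(scrubbed)


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for line_no, kind, value in found:
        print(f"line {line_no}: {kind} stored ({value})")
    print(clean)
```

A PAN finding means the log is in scope for PCI DSS and needs protecting; a CVV finding is worse, because the security code must never be kept after authorization at all, so the fix is to stop the POS writing it rather than to mask it. The Luhn filter only trims false positives; a run that fails it can still be a mistyped card number and is worth a second look during a manual review.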
Approved assessor and certifying organizations
• QSA stands for Qualified Security Assessor.
• It is a certification obtained by experienced security consultants
• It enables them to conduct the On-Site Data Security Assessment for PCI DSS
• They are required to attend training by PCI every year and pass the exam.
• A recertifying QSA must obtain additional CPEs from training and other experiences in order to obtain certification.
• Some QSAs also maintain other certifications, for example ISO 27001 Lead Auditors.
• There are over 100 QSA companies.
• QSA Services: On-Site Data Security Assessments (PCI "Audits"), Gap Analysis, Remediation Services, General PCI consulting and advice.
• The cost to make an application PCI compliant averages about $100k.
PDF:5 List of Qualified Security Assessor
Self Assessment Questionnaire
https://www.pcisecuritystandards.org/saq/instructions.shtml
PDF:8 PCI_Self assessment questionaire_c
Some Common PCI Myths
• One vendor and product will make us compliant
• Outsourcing card processing makes us compliant
• PCI compliance is an IT project
• PCI will make us secure
Some Common PCI Myths
• PCI is unreasonable and it requires too much
• We don’t take enough credit cards to be compliant
• We completed a SAQ so we’re compliant
Case Study Solution
• Carla Yorborough used to run SPANKY Restaurant.
• She does not expect to fully resolve the issues of her security breach for another 12 months. To date this ordeal has cost her $110,000.
Payment Card Industry
Data Security Standard
February 13th, 2010
Abhinav Goyal, B.E.(Computer Science)
MBA Finance Final Trimester Welingkar Institute of Management