PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL
The Top 3 Largest Security Incidents Reported Worldwide Were All Credit Card Related
A Transaction Lifecycle - $$$
[Diagram: transaction flow from cardholder to issuer]
– Credit / Debit card usage: card present transaction or card not present transaction
– Credit card information collection: Cardholder to Merchant (authorization request carrying e-commerce data (CVV2) or track data (PIN))
– Credit card information routing: Merchant to Acquirer / Service Provider(s) (authorization request)
– Credit card information authorization: Acquirer / Service Provider to Payment Brand, then Payment Brand to Issuer
Participants in a Transaction Lifecycle
Terminology (Entity / Description)
Merchant
Any business that, having met the qualification standards of a payment brand and having been approved by any Acquiring member, accepts payment cards in exchange for goods and services.
Acquirer
Payment brand member that maintains relationships and accounts for merchants that accept payment cards. Serves as the intermediary figure between merchants and the payment brands.
(e.g., Chase Paymentech Solutions, First Data, BA Merchant Services, Nova Information systems, Fifth Third Bank, Wells Fargo Merchant Serv, Global Payments, Heartland Payment Systems, First Nat’l Merchant Solutions, RBS Lynk)
Service Provider (e.g., Processor, Gateway, Hosting Provider)
Business entity, other than a payment brand member or a merchant, that is directly involved in the processing, storage, transmission or switching of transaction data, cardholder information, or both.
This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data (e.g., service providers that provide managed firewalls, IDS and other services, hosting providers, etc.).
Payment Brand
Processing organization that licenses members and merchants to issue and accept credit cards, respectively. The organization serves as an intermediary between Acquirers and Issuers.
(e.g., Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services & JCB International)
Issuer
Security Breach!!!!
Past Events
• Implications of a cardholder data breach could be huge
– Fines imposed* by payment brands (Visa, Mastercard, etc) and other regulatory bodies (FTC, etc) on acquirer banks / merchants / service providers
– Merchants losing their ability to process customers' credit card transactions
– Notification to legal authorities* and offering free credit-protection services to those affected
– Legal action* being taken by cardholders
– Bad Publicity
– Customer Attrition and eventual loss of business
*TJX approximately $118 Million (Regulatory fines, Legal fees,
Cost of Security Breach $$$
RISK!
• Detection or Discovery, Escalation, Notification & Ex-post Response*
– Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion
– Activities necessary to report breach of protected information to appropriate personnel within a specified time period
– Activities that enable the company to notify data subjects with a letter, outbound telephone call, e-mail or general notice that personal information was lost or stolen
– Activities to help victims of a breach communicate with the company to ask additional questions or obtain recommendations in order to minimize potential harms. Redress activities also include ex-post response such as credit report monitoring or the reissuing of a new account (or credit card)
Background
Payment Card Industry Security Standards Council
• PCI Security Standards Council
– Organization founded by American Express, Visa Inc., MasterCard Worldwide, Discover Financial Services & JCB International
– PCI security standards are technical and operational requirements set by the council
– The standards globally govern all
• Merchants and organizations that store, process and transmit card data
• Software developers and manufacturers of applications and devices used in the card transaction
– PCI Data Security Standard (PCI DSS), PIN Transaction Security (PTS) & Payment Application Data Security Standard (PA-DSS)
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS 1.2
• Data Security Standard 1.2*
– PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data
– Covers the technical and operational system components that are included in, or connected to, cardholder data
– 6 principles/goals and 12 requirements
PCI DSS (Principles)
Build and Maintain a Secure Network
Protect Card Holder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measure
Regularly Monitor and Test Networks
PCI DSS (Requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Card Holder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
PCI DSS (Requirements)
Implement Strong Access Control Measure
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
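Requirements 3 and 10 above both depend on full card numbers and CVV2 values never landing in application logs. As an added example that is not part of this presentation or any PCI SSC material, the Python script below scans constructed log lines for Luhn-valid card numbers, masks them to the first six and last four digits (the PCI DSS display convention), and redacts CVV2/PIN values; the log field names (pan=, cvv2=, pin=) are assumed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data that must not be stored after authorization
# (CVV2/CVC2, PIN). Key names are assumed for the constructed log format.
SAD_RE = re.compile(r"\b(cvv2|cvc2|pin)=(\S+)", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS masking: at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Return (scrubbed line, PANs found, SAD keys found) for one log line."""
    pans, sad = [], []

    def mask_match(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. a timestamp or order id, not a card number
        pans.append(digits)
        return mask_pan(digits)

    def redact_sad(m):
        sad.append(m.group(1).lower())
        return m.group(1) + "=[REDACTED]"

    line = PAN_RE.sub(mask_match, line)
    return SAD_RE.sub(redact_sad, line), pans, sad

# Constructed sample log lines (not real transactions): the card numbers are the
# well-known Luhn-valid test numbers; the order id is a 13-digit non-Luhn value.
LOG_LINES = [
    "2009-03-01 12:00:01 order=1700000000000 pan=4111111111111111 cvv2=123 status=approved",
    "2009-03-01 12:00:02 pan=3782 822463 10005 amount=19.99 status=approved",
    "2009-03-01 12:00:03 refund ref=1234567890123456 status=declined",
]

def audit_log(lines):
    """Scrub every line; return (scrubbed lines, PAN count, SAD count)."""
    out, n_pan, n_sad = [], 0, 0
    for raw in lines:
        clean, pans, sad = scrub_line(raw)
        out.append(clean)
        n_pan += len(pans)
        n_sad += len(sad)
    return out, n_pan, n_sad
```

A non-zero PAN or SAD count from a production log is itself a finding: the data should never have been written, and the writer needs fixing, not just the log.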
Stay Tuned – Session 2
Payment Card Industry Security Standards Council
• PCI DSS - Deep dive
• Changes from PCI DSS 1.1 to 1.2
• Payment Application Data Security Standard