Transcript Document
PCI DSS for Retail Industry
March 21, 2014
Public
Agenda
• Threat Landscape
• Payment Ecosystem
• Overview of PCI DSS
• Bank’s Approach for PCI DSS Compliance
Threat Landscape
• Increased focus on compromising POS systems at retail outlets
• Successful data breaches resulting in the leakage of millions of cardholder data records
• Sophisticated attack vectors being used to breach the security controls
Affected Retailers
• Target
• Neiman Marcus
• Schnucks Markets Inc
• Harbor Freight
• MAPCO Express
• …and many more
Malicious executables
• JackPOS
• Dexter
• Chewbacca
• Project Hack
• POSRAM Trojan
• …and many more
Advanced mitigation controls
• Implement PCI DSS and PA-DSS controls
• Lock down POS terminals to allow only the basic requisite applications (whitelist)
• Implement anti-malware and anti-virus solutions capable of detecting variants of malicious executables
• Implement advanced monitoring solutions
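To make the whitelist control above concrete, here is an added example (not from the presentation) of a hash-based application allowlist audit for a POS terminal: it flags unknown executables and also approved executable paths whose binary no longer matches the approved build, which a name-only whitelist would pass. All paths, file contents and the allowlist are constructed sample data.

```python
# Added example: hash-based application allowlist audit for a locked-down POS host.
# All paths, file contents and the allowlist below are constructed sample data.
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's contents, as hex."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(golden_images):
    """Map each approved executable path to the hash of its approved build.
    golden_images: {path: bytes} taken from the vendor's approved images."""
    return {path: sha256_hex(content) for path, content in golden_images.items()}


def audit_executables(allowlist, observed):
    """Classify every executable seen on the terminal.
    observed: {path: bytes} read from disk for each running process image.
    Returns a sorted list of (path, verdict); verdict is one of
    "allowed", "tampered" (approved path, different binary) or "unknown"."""
    findings = []
    for path, content in sorted(observed.items()):
        expected = allowlist.get(path)
        if expected is None:
            verdict = "unknown"        # not on the allowlist at all
        elif sha256_hex(content) != expected:
            verdict = "tampered"       # a name-only whitelist would pass this one
        else:
            verdict = "allowed"
        findings.append((path, verdict))
    return findings


def to_block(findings):
    """Paths the terminal should refuse to run (and alert on)."""
    return [path for path, verdict in findings if verdict != "allowed"]


# Constructed sample data: the approved POS image and what was found on one terminal.
GOLDEN = {
    r"C:\POS\pos.exe": b"approved POS build 4.2",
    r"C:\Windows\System32\svchost.exe": b"vendor svchost image",
}
OBSERVED = {
    r"C:\POS\pos.exe": b"approved POS build 4.2",
    r"C:\Windows\System32\svchost.exe": b"vendor svchost image PATCHED",  # modified
    r"C:\Users\Public\update.exe": b"dropped binary",                       # unapproved
}

if __name__ == "__main__":
    for path, verdict in audit_executables(build_allowlist(GOLDEN), OBSERVED):
        print(f"{verdict:8s} {path}")
```

In production the `observed` map would be filled from the process list and the on-disk images, and the allowlist would be signed and distributed by the bank or vendor rather than kept on the terminal.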
Threat landscape (figure)
Payment Ecosystem – Terminologies
Card Holder
• Customer purchasing products or services from a merchant
• Receives the payment card and bills from the issuer
Issuer
• Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard & Visa)
• Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Payment Brand
• Visa, MasterCard, Amex, Discover, JCB
Payment Card Transaction Flow – Terminologies
Merchant
• Organization accepting the payment card for payment during a purchase
Acquirer
• Bank or entity the merchant uses to process their payment card transactions
• Receives authorization requests from the merchant and forwards them to the issuer for approval
• Provides authorization, clearing and settlement services to merchants
Payment Ecosystem – Authorization Flow (figure)
Payment Ecosystem – Settlement Flow (figure)
PCI DSS Overview – Some Key Terminologies
• AOC – Attestation of Compliance
• SAQ – Self Assessment Questionnaire
• QSA – Qualified Security Assessor
• ASV – Approved Scanning Vendor
• ROC – Report on Compliance
• CHD – Cardholder Data
• PAN – Primary Account Number
• SAD – Sensitive Authentication Data
Payment Card Industry – Security Standards Council
Standard – Description
• PCI PTS – This standard applies to hardware developers that design and build PIN entry devices.
• PCI PA-DSS – This standard provides security requirements to software developers that build and resell payment applications to merchants.
• P2PE – The Point-to-Point Encryption (P2PE) program is optional and provides a comprehensive set of security requirements for P2PE solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.
• PCI DSS – Security requirements for entities processing, storing and/or transmitting CHD.
PCI DSS Overview – The standard
• 6 Goals
• 12 Requirements
• 62 Main clauses
• 289 Testing procedures
Goal 1: Build and Maintain a Secure Network
Goal 2: Protect Cardholder Data
Goal 3: Maintain a Vulnerability Management Program
Goal 4: Implement Strong Access Control Measures
Goal 5: Regularly Monitor and Test Networks
Goal 6: Maintain an Information Security Policy
Merchant Levels (transaction volume per payment brand)
• AMEX – Level 1: > 2.5 million; Level 2: 50,000 to 2.5 million; Level 3: < 50,000; Level 4: NA
• DISCOVER – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million; Level 4: Others
• JCB – Level 1: > 1 million; Level 2: < 1 million; Level 3/4: NA
• MasterCard – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million; Level 4: Others
• VISA – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million (ecommerce); Level 4: < 20,000 (ecommerce), < 1 million (other)
Payment brand reserves the right to deem the level irrespective of transaction volume.
Merchant Reporting Requirements
MERCHANT LEVEL / PAYMENT BRAND: Level 1, Level 2, Level 3, Level 4
Annual OA by QSA or IA
EU Only: Annual SAQ
• Quarterly N/W scan (ASV) (R)
• EU Only: SAQ (R)
AMEX
Quarterly Network Scan (ASV)
JCB
• Annual OA by QSA
• Quarterly N/W scan (ASV)
• Annual SAQ
• Quarterly N/W scan (ASV)
Annual OA by QSA or IA
NA
NA
Annual SAQ
DISCOVER
Quarterly Network Scan (ASV)
Annual OA by QSA or IA
Annual SAQ
MasterCard
Acquirer to determine compliance validation
Annual SAQ (R)
Quarterly N/W scan (ASV) (R)
Quarterly Network Scan (ASV)
Annual OA by QSA
Annual SAQ
• Annual SAQ
• Quarterly N/W scan (ASV)
VISA
Quarterly N/W scan (ASV)
Attestation of Compliance form
OA: Onsite Assessment; IA: Internal Auditor; R: Recommended
Service Provider Levels (transaction volume per payment brand)
• AMEX – Level 1: All TPPs; Level 2: NA
• DISCOVER – Does not categorize service providers into levels
• JCB – Level 1: All TPPs; Level 2: NA
• MasterCard – Level 1: > 1 million; Level 2: < 1 million
• VISA Inc – Level 1: > 300,000; Level 2: < 300,000
Payment brand reserves the right to deem the level irrespective of transaction volume.
TPP: Third Party Processors
Service Provider Reporting Requirements
• AMEX – Level 1: Annual OA by QSA or IA
• DISCOVER – Annual OA by QSA or IA, or Annual SAQ; Quarterly network scans by ASV
• JCB – Level 1: Annual OA by QSA; Quarterly network scans by ASV
• MasterCard – Level 1: Annual onsite review by QSA; Quarterly network scan by ASV. Level 2: Annual SAQ; Quarterly network scan by ASV
• VISA – Level 1: Annual OA by QSA; Quarterly network scan by ASV; Attestation of Compliance form. Level 2: Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance form
OA: Onsite Assessment; IA: Internal Auditor
Need for PCI DSS Compliance
RBI Mandate
• RBI/2012-13/424: Section A – Point iv:
• "Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants."
Remain resilient to data breaches
• It is not just about compliance. It is a security imperative, especially in the wake of the recent high-profile data breach incidents at service providers and merchants. Compliance is incidental; the end objective is security.
Bank’s Approach for PCI DSS Compliance
Two streams of compliance program
Bank Compliance
1. Onboarded a QSA company to support implementing PCI DSS controls at the enterprise level
2. Current state assessment and implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes
Merchant Compliance
1. Deployed a portal to monitor PCI DSS compliance for merchants and service providers
2. Monitoring the compliance status of Level 1, Level 2 and Level 3 merchants and Level 1 and Level 2 service providers
3. Assisting merchants and service providers in filling in the applicable SAQ
HDFC Bank has taken the initiative to share the data security alerts and advisories received from payment brands with all its merchants. Take these alerts/advisories seriously. If not actioned on time you will get hit – as a target or by a random attack.
Thank You
Manish Pal, Information Security Group