Payment Card Industry Data Security Standards

►The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.
What is PCI & PCIDSS?
Payment Card Industry (PCI) Data Security Standard (DSS), hence PCIDSS.
PCIDSS was developed jointly by all the credit card
brands (Amex, DC, JCB, MC and Visa) to protect the
merchants business, their customers (cardholders), and
the integrity of the payment system from the rising
incidences of stolen cardholder account data.
Why is PCI compliance important?
PCI helps protect the merchant business from:
►fraud
►substantial fines from the card associations
►customer dissatisfaction and distrust if their cardholder data is compromised and misused as a result of the merchant's business being compromised.
The credit card brands have made PCI compliance mandatory
for merchants.
How Could Cardholder Information be
Compromised?
►Hackers could illegally access a
merchant’s POS System.
►Employees could be conned into
revealing passwords, logons, or other
sensitive data.
►Credit card data such as reports or
receipts could be thrown in the trash by
merchants and retrieved by anyone digging
through the dumpster.
Who Must Comply with the PCI Data Security
Standards?
►All merchants who accept credit and debit
cards.
►All credit card processors, issuers and
acquirers (such as Heartland), third party
processors, and gateways.
►Developers and software providers.
PCI Data Security Standards Defined by the Card
Associations Require Merchants to:
1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a Vulnerability Management Program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.
1. Build and Maintain a Secure Network
►Merchants using the Internet for transmitting credit/debit card information must install and maintain a firewall. Internet firewall security needs to be installed and functional on all computers and POS Systems using IP connectivity. POS systems with a dial connection to the Internet are required to comply with this standard as well.
2. Protect Cardholder Data
Merchants Must Use Passwords and Other Security
Measures
►Merchants must implement personalized logons and
passwords for all users of computers and POS
systems to limit access to cardholder information.
3. Maintain a Vulnerability Management Program to
Protect Stored Data.
►Hard copies of batch reports and paper receipts must be
placed in a secured area where only authorized personnel can
enter.
►Unneeded reports and receipts must be shredded before
disposal.
►Databases and files containing credit/debit card information
must be encrypted.
►Encryption software is required for POS systems using
internet connectivity for transmission of
cardholder information.
4. Install Antivirus Software.
►Merchants must install and maintain
updated antivirus software on their
computers and POS Systems.
5. Regularly Monitor and Test Networks.
►Merchants must track and monitor all access to
network resources.
►Merchants must show proof that they track and
monitor who has access to their computers and POS
systems.
6. Maintain an Information Security Policy.
►Merchants must have a written and
enforceable policy that details
safeguarding of credit/debit card
information
Merchant Levels of Compliance
►Levels of PCI Security compliance are based on size, type of business
and the number of transactions per year.
►Compliance requirements are based on 4 levels.
Must comply & pass third party audits
Level 1 – Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Any merchant identified by any other payment card brand as Level 1.
Level 2 – Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
eCommerce merchants (1M trans/yr – 6M trans/yr)
Required to comply
Level 3 – Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4 – All other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year, and all merchants processing fewer than 20,000 Visa e-commerce transactions per year.
Level 1 – Large Retail Merchants
►Level 1 merchants must undergo
annual on-site audits by certified
auditors.
►Level 1 merchants must incur the
cost of quarterly scans of their
Internet facing systems for
vulnerabilities from viruses and
hackers.
►Adhering to the PCI standards
can cost Level 1 merchants
hundreds of thousands of dollars
per year to ensure compliance.
Level of compliance is determined by the merchant's size. Large Retail Merchants (Wal-Mart, Target, etc.)
All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.
Level 1 – Large Retail Merchants
Validation Action: Annual On-site PCI Data Security Assessment
  Validated By: Qualified Data Security Company or Internal Audit if signed by Officer of the Company
  Due Date: 9/30/2004
Validation Action: Quarterly Network Scan
  Validated By: Qualified Independent Scan Vendor
  Due Date: New Level 1 merchants have up to one year from identification to validate
Level 2 - Mid/Large Merchants
►Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).
►Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.
►Internet facing system scans can generally cost $1,000 to $3,000.
Level 2 - Mid/Large Merchants
Validation Action: Annual On-site PCI Self-Assessment Questionnaire
  Validated By: Merchant
  Due Date: Current
Validation Action: Quarterly Network Scan
  Validated By: Qualified Independent Scan Vendor
  Due Date: New Level 2 merchants: 9/30/2007
Level 3 – Mid/Low Merchants
Level 3 – Mid/Low Merchants
Validation Action: Annual On-site Self-Assessment Questionnaire
  Validated By: Merchant
  Due Date: Current
Validation Action: Quarterly Network Scan
  Validated By: Qualified Independent Scan Vendor
  Due Date: 6/30/2005
Level 4 - Small Merchants
►PCI standards recommend Level 4 merchants undergo annual
self-assessment (no outside validation required).
►The standards also recommend the merchant conduct quarterly
scans of their Internet facing systems for vulnerabilities from
viruses and hackers.
►These are only “recommendations” for security practices.
Level 4* - Small Merchants
Validation Action: Annual On-site PCI Self-Assessment Questionnaire
  Validated By: Merchant
  Due Date: Current
Validation Action: Quarterly Network Scan
  Validated By: Qualified Independent Scan Vendor
  Due Date: Validation requirements and dates are determined by the merchant's acquirer
*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.
POS Software Developers must be PABP Compliant
►POS system software should only extract and store the
cardholder number, expiration date, and cardholder
name from the magnetic stripe.
►The POS software must encrypt all cardholder
information.
►The POS software must truncate the cardholder
number on receipts, reports and display screens.
►The POS software must encrypt all Internet transactions, generally done by SSL (Secure Sockets Layer) encryption. The merchant's software can never store the CVV data.
►The CVV card code is never allowed to be stored.
How do you know which POS Software
Complies with PABP Standards?
►Merchants must contact their
VAR/dealer or software developer
to determine if their POS System
software is PABP compliant.
Why Should Merchants Comply with PCI
Standards?
►To protect their business reputation.
►To protect their customer’s card information.
►To limit their risk of being fined and forced to undergo
forensics (Visa/MasterCard on-site audit to determine the cause
of the compromise) which can cost tens of thousands of dollars
and put them out of business.
Potential Cost to a Merchant for a Compromise
►If security is compromised, regardless of the merchant's tier level, they will be required to undergo an on-site security audit.
First Violation: $50,000
Second Violation: $100,000
Third Violation: Management discretion
►Merchants will be fined and assessed all costs and expenses related to the
forensic investigation. They must pay a consultant to conduct the audit. The
merchant must pass the audit and continue to do audits on an annual basis.
Failure to notify Visa of a suspected or confirmed loss or theft of credit card
data is subject to a fine of $100,000 per incident.
►Costs of forensic investigations begin at $50,000 and could be as high as
$100,000 per investigation.
►Costs of audits can range from $15,000 - $20,000 per audit.
Summary of Steps to Compliance
► PCI standards apply to all credit and debit cards.
► Every merchant is mandated by the Card Associations to comply.
► The six basic standards are as follows:
► Build and Maintain a Secure Network
► Protect Cardholder Data
► Maintain a Vulnerability Management Program
► Implement Strong Access Control Measures
► Regularly Monitor and Test Networks
► Maintain an Information Security Policy
►The fines, investigations and audits for certification
and compromises can be expensive.
Visa Alerts, by David Press, Green Sheet Magazine News
"Visa alerts restaurants to lax POS installation: a spike in data security compromises at restaurants prompted Visa U.S.A. to issue a data security alert in July. It emphasized the proper installation and use of POS equipment and systems. The card association also issued a reminder of ways merchants can protect themselves against lapses."
Visa Alerts
Visa alerts restaurants to lax POS installation. Visa's recommended mitigation strategy: "If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data." (Martin Elliott, Visa's Vice President for Emerging Risk)
Credit Firms Push to Thwart Fraud
►MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters.
"Credit Firms Push to Thwart Fraud: Merchants Face a Penalty If Steps Aren't Taken to Curb Identity Theft; Visa Misses Own Security Deadline", by Robin Sidel, Wall Street Journal, September 25, 2006, Page C1
An article appeared in the September 25th edition of the Wall Street Journal
►"The Journal article begins: 'MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters. In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure. Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month.'
The article goes on to describe the various issues the credit
card industry faces regarding data security and how it
plans to deal with them in the coming months and years.
The fact is that although the credit card companies are
starting their efforts to enforce PCIDSS standards with
the big retailers, it is the small and mid sized businesses
like yours that are the easiest and most lucrative targets
for cyber criminals.
For example, restaurants from coast to coast have
already had to pay fines ranging from $5,000 to
$350,000. In addition, they faced the immediate loss
of their ability to accept credit cards and had to pay
for initial and ongoing security audits that cost
thousands more.”
Compromise Statistics: Industry
Cases By Industry (pie chart)
SpiderLabs data is gathered from more than 140 card compromise cases. The Food Service industry represents the majority (61%) of the compromises.
Chart categories: Professional Org., Entertainment, Financial, Food Service, Government, Hosting, Media, Payment Process, Recreation, Retail, Transportation, University.
Compromise Statistics: Acceptance
Cases by Card Acceptance (pie chart): Card Present 80%, Card Not Present 20%
About 4 out of every 5 cases is a traditional Brick and Mortar environment. Card Present merchants are not aware of these risks!
Compromise Statistics: System Type
Cases By System Type (pie chart): Software 71%; the remainder is split among Backend, Hardware, Mainframe, Physical, Cart and Virtual systems.
The majority of the cases involved a compromise of a software-based POS system. None of these systems were Visa PABP or PCI DSS compliant.
Compromise Statistics: Connectivity
Cases By Connectivity (pie chart): DSL/Cable 47%, T1 29%, Dial-up 24%
All Internet connectivity should be considered high risk. SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable.
Compromise Statistics: Error
Merchant Error vs. 3rd Party Error (pie chart): Merchant Error 50%, 3rd Party Error 50%
Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant. POS developers, integrators and IT firms are not following PCI DSS and are leaving Merchants at risk!
Compromise Statistics: Track Data
Brick and Mortar Cases w/ Track Data Storage (pie chart): Yes 96%, No 4%
Track Data storage is never permitted in any environment post authorization. Non-compliant software packages are storing Track Data and the Merchants did not know until it was too late!
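The two software-side rules from the PABP slide (truncate the PAN on receipts, reports and screens; never retain CVV or magnetic-stripe track data after authorization) and the finding above that non-compliant packages silently store track data can both be checked in code. The following Python example is added here; it is not part of the original presentation nor any PCI or PABP reference implementation. The track layouts follow the common ISO/IEC 7813 conventions, the track read and log lines are constructed, and the function names are the author's own.

```python
"""Added example: keep only the cardholder fields the slide allows a POS
to retain, mask the PAN for receipts, and scan stored data for track data
that should never have been kept. Sample inputs are constructed and the
function names are hypothetical."""
import re

# Magnetic-stripe layouts (ISO/IEC 7813 conventions):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# A bare 13-19 digit run that is not embedded in a longer number
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; separates real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> dict:
    """Split a raw track read into named fields; raise if no track is present."""
    m = TRACK1_RE.search(raw)
    if m:
        pan, name, expiry, service, disc = m.groups()
    else:
        m = TRACK2_RE.search(raw)
        if not m:
            raise ValueError("no track 1 or track 2 data found")
        pan, expiry, service, disc = m.groups()
        name = None
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "name": name, "expiry": expiry,
            "service_code": service, "discretionary": disc}


# The only fields the slide allows the POS to keep after authorization
RETAINED_FIELDS = ("pan", "expiry", "name")


def record_for_storage(raw_track: str) -> dict:
    """Build the record that goes to the (encrypted) database. Only PAN,
    expiry and name survive; the service code, discretionary data, the
    full track string and any CVV are never part of the record."""
    fields = parse_track(raw_track)
    return {k: fields[k] for k in RETAINED_FIELDS}


def mask_pan(pan: str) -> str:
    """Truncate the PAN for receipts, reports and screens: last four only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_sensitive_data(text: str) -> list:
    """Scan stored text (a log, a database dump, a POS work file) for track
    data and unmasked PANs. Returns (kind, masked_pan) pairs so that the
    report itself does not reproduce the sensitive value."""
    findings = []
    remaining = text
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(remaining):
            findings.append((kind, mask_pan(m.group(1))))
        remaining = rx.sub(" ", remaining)   # do not count the same PAN twice
    for m in PAN_RE.finditer(remaining):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask_pan(m.group(1))))
    return findings


# Constructed sample: a track 1 read using the well-known 4111... test PAN,
# and a POS debug log in which one line has written the raw track 2 string.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101000000000?"
SAMPLE_LOG = """2024-01-05 10:02:11 auth ok merchant=CONSTRUCTED-001 pan=************1111
2024-01-05 10:02:12 debug raw=;4111111111111111=2512101000000000?
2024-01-05 10:02:13 settle total=12.50 ref=A88123
"""

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_TRACK1))
    print(mask_pan("4111111111111111"))
    for kind, pan in find_sensitive_data(SAMPLE_LOG):
        print(f"VIOLATION: {kind} data stored for card {pan}")
```

Running the block reports the second log line as a track 2 storage violation while the masked PAN on the first line passes, which is the check a merchant or integrator can run over POS logs and work files before an assessor or a forensic investigator does.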
Compromise Statistics: PCI DSS Violations
Most Common “Not In-Place”
Requirement 1: Install and maintain a firewall to protect data
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor all access to network and card data
Requirement 11: Regularly test security systems and processes
Compromise Statistics: SpiderLabs Top 10
Top 10 Reasons/Methods of Compromise
1. Backdoor / Trojan
2. No Firewall
3. SQL Injection
4. Internal Theft
5. Remote Access
6. FTP Access to Data
7. Remote Exploit
8. Remote Buffer Overflow
9. Login Credential Leak
10. Password Brute Force
Compromise Statistics: Riskiest Merchant
Profile of the Merchant w/ Greatest Compromise Potential
Industry: Food Service
Payment Acceptance: Card Present
System Type: Non-Compliant Software POS
Connectivity: DSL or Cable Modem
Websites
►http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html
►https://www.pcisecuritystandards.org/tech/supporting_documents.htm
►https://www.pcisecuritystandards.org/index.htm