Understanding Credit Card Security Requirements Gregory Dove, Manager, Information Systems Audit Manager AOA Meeting -- January 14, 2008

PCI_presentation2008.ppt


  • Understanding Credit Card Security Requirements

    Gregory Dove, Manager, Information Systems Audit Manager

    AOA Meeting -- January 14, 2008

    Introductions: Good morning. I'm (name and title) with the Communications department and today we'd like to tell you about our organization and what we do. First I'd like to introduce my colleague(s) . . .

    I'd also like to go around the room and have each of you introduce yourselves and let us know your position and department here at the Chancellor's Office.

    Brand Exercise: As the creative arm of the organization, we're going to start off by getting you up and on your feet. I'd like to have everyone stand up.

    Now, close your eyes. I want you to take a moment to think about a brand. It can be anything, whatever comes right to the top of your mind. Got it?

    Now, open your eyes and you can be seated. Here's the quiz: by a show of hands, how many of you thought of the CSU? Anyone? Any winners of our grand prize? (CSU padfolio)

    (Assuming no one chose the CSU) That is why we're here today and why we've titled our presentation: (go to first slide)

  • In The Virtual Storefront
    Unlike merchants who operate in the physical world, you do not have:
    face-to-face contact, a card in hand, or an actual signature
    a physical door with a lock and key
    a security guard posted 24/7 for protection

    Cyber-thieves know all of this and are always on the look-out for merchants who have hung up a virtual shingle, but have let their risk management guard down.

    It's up to you to understand the unique issues of running a virtual storefront and to take a strategic approach that proactively addresses these issues and positions your business for success.

  • The Business Case for Security
    Proper security enables a company to meet its business objectives by providing a safe and secure environment that helps avoid:
    Loss of revenue
    Loss or compromise of data
    Interruption of business processes
    Legal consequences
    Damage to customer and partner confidence
    Damage to reputation

    A more secure retail store also enables easier and safer connectivity with customers and business partners.

  • If The Business Case Didn't Convince You
    If an organization doesn't know that it needs to be PCI compliant, or simply doesn't want to be bothered with obtaining PCI compliance, it soon will not matter: the goal is to have all merchants, regardless of their merchant level, compliant with PCI DSS.

  • PCI DSS: Payment Card Industry Data Security Standard
    The standard applies to:
    Merchants
    Service Providers (third-party vendors, gateways)
    Systems (hardware, software)
    that store, transmit or process cardholder data, and it covers both:
    Electronic transactions
    Paper transactions

  • PCI DSS Exempt Myth
    All merchants are subject to the standard and to card association rules. No exemption is provided to anyone. Immunity does not apply because:
    The requirement is contractual, not regulatory or statutory
    Card associations can be selective about who they provide services to
    Merchants accept services on a voluntary basis
    Merchants agree to abide by association rules when they execute the merchant bank agreement
    Merchant banks are prohibited by association rules from indemnifying a merchant for not being compliant with the standard
    Association rules require merchant banks to monitor merchants to ensure their compliance

    Failure of a merchant bank to require compliance jeopardizes the merchant bank's right to continue to be a merchant bank. Any fines levied are against the merchant bank, which in turn passes the fines on to the merchant.

  • The PCI framework is divided into 12 security requirements
    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters.

    Protect Cardholder Data
    3. Protect stored data.
    4. Encrypt transmission of cardholder data and sensitive information across public networks.

    Maintain a Vulnerability Management Program
    5. Use and regularly update antivirus software.
    6. Develop and maintain secure systems and applications.

  • The PCI framework is divided into 12 security requirements
    Implement Strong Access Control Measures
    7. Restrict access to data by business need-to-know.
    8. Assign a unique ID to each person with computer access.
    9. Restrict physical access to cardholder data.

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data.
    11. Routinely test security systems and processes.

    Maintain an Information Security Policy
    12. Establish high-level security principles and procedures.

  • Compliance vs. Validation
    Compliance means adherence to the standard:
    Applies to every merchant regardless of volume
    Covers technical and business practices
    Validation is verification that the merchant (including its service providers) is compliant with the standard:
    Applies based on the Level assigned to the merchant, which is based on transaction volume
    Two types of validation: Self-Assessment, or certification by a Qualified Security Assessor (QSA)
    Attestation letter to Visa, signed by both the merchant and the acquirer bank, attesting that validation has been performed

  • Two Components to Validation
    Annual Assessment Questionnaire
    Required of all merchants regardless of level
    Self-Assessment, or performed by a Qualified Security Assessor (QSA)
    Must not have any "No" answers; it is pass or fail
    Applies to both technical and business practices

    Security Vulnerability Scan - Quarterly
    Required for external-facing IP addresses, web applications, and POS software and databases on networks
    Applies even if there is a redirection link to a third party
    Must be performed by an Approved Scanning Vendor (ASV)
    Validation requirements are based on the Level assigned to the merchant, which is based on transaction volume
    Visa and MasterCard schedules are different; Visa's schedule is what most go by

  • Levels of Merchants (Applies to Validation and Attestation, Not to Compliance)
    All merchants must perform external network scanning to achieve compliance.

    The new program, released in May 2007, requires acquirers to develop and submit a formal written compliance plan to Visa, which "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.

    For those acquirers who have not written and/or sent a summary of their plan, one must be emailed to Visa no later than July 31, 2007. Email summaries to [email protected].

    Tier   Transactions per Year                       Types of Targets
    1      More than 6 million; anyone with a breach   Merchants, Merchant Agents, Processors, Direct Connects
    2      1 to 6 million                              Merchants, Merchant Agents, Processors
    3      20K to 1 million                            eCommerce Merchants
    4      All other Merchants                         Merchants

  • The current Visa and MasterCard validation requirements are as follows:
    Level 1 (Visa/MasterCard): Annual on-site review by a Qualified Security Assessor (QSA), or by the merchant's Internal Audit if signed by an officer of the company, and a quarterly network security scan by an Approved Scanning Vendor (ASV).
    Level 2: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.
    Level 3: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV.
    Level 4: Completion of the PCI DSS Self-Assessment Questionnaire annually, and a quarterly network security scan by an approved ASV. Submit a summary of the PCI compliance plan, via the acquirer, by July 30, 2007. If a breach has been reported or found, Visa reserves the right to move the Level 4 merchant to Level 1; if so, the merchant must abide by the Level 1 validation requirements.

  • The Level 4 Merchant Compliance Program plan (prepared by the acquirer) must consist of the following items:
    Timeline of Critical Events: timeline of completion dates and milestones for the overall strategy.
    Risk-Profiling Strategy: prioritization of Level 4 merchants into subgroups, from merchants that pose the greatest risk to those that pose little risk at all. Factors such as merchant category, transaction volume, market segment, acceptance channel and number of locations can help the acquirer target compliance efforts for each subgroup.
    Merchant Education Strategy: strategy designed to eliminate prohibited data from being stored, protect stored data, and secure the environment in accordance with PCI DSS. This includes ensuring that merchants store only the data they truly require, that they comply with PCI DSS, that payment applications are compliant, and that any third-party agents are on Visa's list of CISP-Compliant Service Providers.
    Compliance Reporting: monthly compliance reporting to executive or board management. Visa may also periodically request that the acquirer produce these reports.

  • Merchant levels: based on Visa transaction volume over a 12-month period

    For Visa, Inc., the merchant's transaction volume is based on the aggregate number of Visa transactions (credit cards, debit cards, prepaid cards) from a merchant Doing Business As ("DBA").

    For merchants and/or merchant corporations who operate more than one DBA, the aggregate volume of stored, processed or transmitted transactions by the corporate entity must be considered, to determine the validation level.

    If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, members will continue to consider the DBA's individual transaction volume to determine the validation level.

  • Security Breach Fines
    Not levied by the PCI Security Standards Council; fines are levied by the card associations
    Levied against the merchant bank, which passes the fines on to the merchant
    Fines for a security breach:
    Visa - up to $500,000 per occurrence
    MasterCard - up to $500,000 per occurrence
    The amount of the fine depends on:
    Number of card numbers stolen
    Circumstances surrounding the incident
    Whether track data was stored or not
    Timeliness of reporting the incident
    Safe harbor: could limit the fine amount if the merchant had been validated as compliant by a QSA. But validation is a point in time; don't count on it.

  • Other Security Breach Costs
    Fines levied by the card associations to cover notifying all cardholders and replacing cards
    Costs of notifying customers of the incident
    Forensic investigation costs: required by the card associations; must use an approved firm (QSA); cost approximately $10,000
    Cost associated with discontinuing card acceptance
    Cost of an annual on-site security audit: once a breach has occurred, the merchant is elevated to Level 1; cost approximately $15,000 - $20,000

  • Document the Process Flow
    A network diagram is required for all systems that transmit, store or process transactions, from the merchant system to the processor.
    Put processing activities on a separate network segment
    The campus network / 4CNET may need to be compliant, or the traffic must follow an encrypted path
    All points of entry into the network / system must be identified and protected
    All reports, downloads and receipts must be protected

  • Why Not Paper
    Physical protective measures are required for storing and securing paper transactions:
    Report distribution must be controlled and reports physically locked up, which is difficult to demonstrate for compliance
    Transaction detail must be restricted to authorized persons only and must be physically locked up
    A detailed, documented process for all printouts and paper copies of transaction detail is required
    It is difficult to demonstrate compliance without a detailed understanding of the process flow
    Retention requirements must include adequate security provisions

  • 10 Myths about PCI Compliance (Source: Payment Security Experts)
    "I'm a small merchant who only takes a handful of cards, so I don't need PCI." A common misunderstanding of the standard is that small merchants, handling a few tens of credit cards a day, are exempt from compliance. If you are a merchant and you are set up to take credit cards, by any mechanism, then you need to be compliant.

    "PCI only applies to e-commerce companies." No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is more at risk than an e-commerce solution: quite often these transactions involve storage of track data, which is forbidden under PCI. Disclosure of this type of data will bring heavy fines and requests for compensation from the banks involved.

    "You only have to be compliant with the majority of criteria." The pass mark for PCI is 100%, so if you fail even one of the criteria, you fail PCI. The standard is not really meant to be something to strive for; it is a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard.

  • 10 Myths about PCI Compliance (Source: Payment Security Experts)
    "I only need to protect my credit card data, not ATM debit card data." Unfortunately, both are required. Many debit cards are dual-purpose signature debit cards, which can be used on both debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.

    "I can wait until my business grows." Unfortunately, the PCI standard applies to businesses of all sizes, and waiting could be costly. Should you be compromised while not compliant, the fines and the compensation sought by the banks (it costs between $50 and $90 to replace one card) could be substantial.

    "I can just answer yes to all the criteria on the self-assessment." The self-assessment is merely a mechanism for reporting the level of your compliance to your merchant bank or to Visa. The standard applies at all times. Just saying yes to the questions puts the merchant at great risk: if a compromise took place and it was obvious that the merchant was not, and never had been, compliant, the matter would be taken very seriously by VISA. The merchant would be risking the whole business by answering yes to the questions when there is no basis in fact for that answer.

  • 10 Myths about PCI Compliance (Source: Payment Security Experts)
    "As a merchant I'm not liable if a credit card is compromised." Merchants are liable, and not just for the credit card compromise: they can also be liable for subsequent damages claimed by the issuing banks. There are basically four scenarios in which credit card data is compromised:

    1. Discovered by the merchant; merchant PCI compliant, and the subsequent forensic team confirms this; reported by the merchant to VISA using the approved process. Possible result: VISA and the merchant track the compromise and correct any errors in the process. It is unlikely that any fines are levied, and the problem is not made public.

    2. Discovered by VISA; merchant PCI compliant, and the subsequent forensic team confirms this; reported by VISA. Possible result: VISA and the merchant track the compromise and correct any errors in the process. The merchant may be required to improve certain aspects of its security structure. It is unlikely that any fines are levied, and the problem is not made public.

    3. Discovered by the merchant; merchant not compliant, or was compliant but the forensic team discovered that compliance had lapsed; reported by the merchant to VISA using the approved process. Possible result: VISA and the merchant track the compromise and correct any errors in the process. The merchant is required to have a full annual on-site audit, to correct any areas out of compliance, and to demonstrate compliance by a date set by VISA. Fines or damages may be levied.

    4. Discovered by VISA; merchant not compliant, or was compliant but the forensic team discovered that compliance had lapsed; reported by VISA. Possible result: VISA and the merchant track the compromise and correct any errors in the process. The merchant is required to have a full annual on-site audit, will be fined by VISA via the bank, and will have to pay restitution to all issuing banks affected; the total of these fines may be $50 to $90 per card compromised.

  • 10 Myths about PCI Compliance (Source: Payment Security Experts)
    "I can wait until my bank asks me to be compliant." The dates for merchants to demonstrate compliance are long gone, and the merchant is responsible for making sure it is in compliance. Waiting until the bank asks you could be very costly indeed.

    "As a merchant, I did not sign anything saying I would be compliant; therefore I do not need to be." The PCI standard forms part of the operating regulations, the rules under which merchants are allowed to operate merchant accounts. The agreement signed when the merchant opens an account at the bank states that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

    "As a merchant, I'm entitled to store any data." Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of state and federal privacy legislation. The PCI regulations specifically forbid storing any of the following:
    Unencrypted credit card number (PAN)
    CVV or CVV2
    PIN blocks
    PINs
    Track 1 or Track 2 data
    Any of the above found in databases, log files, audit trails, backups, etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
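    The list above is only useful if someone actually goes looking for that data in the places it leaks into: debug logs, audit trails, database dumps and backups. The following is an added example, not part of the presentation or of any PCI SSC tooling, of a small scanner that does exactly that: it reports Luhn-valid card numbers, track 1 and track 2 data and CVV2 values next to a card-verification keyword, and shows what a retainable (masked) log line looks like. The sample log lines are constructed test data using the well-known 4111... and 5500... test numbers; the track-data layouts are assumed to follow ISO 7813 (`%B<PAN>^<NAME>^<YYMM>...?` and `;<PAN>=<YYMM>...?`), and the regexes are approximations, not a definition of the formats.

```python
"""Added example: scan merchant-held text (logs, audit trails, dumps, backups)
for cardholder data that PCI DSS forbids storing in the clear: unmasked PANs,
track 1/2 magnetic-stripe data and CVV2 values.  Sample lines are constructed;
the track-data patterns follow the ISO 7813 layout as an assumption."""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally grouped by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 (assumed ISO 7813 layout): ;PAN=YYMM<service code + discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# Track 1 (assumed ISO 7813 layout): %B PAN ^ NAME ^ YYMM<discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d*)\?")
# A 3-4 digit value following a card-verification keyword.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\D{0,5}(\d{3,4})", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str      # "pan", "track1", "track2" or "cvv"
    evidence: str  # masked value only: the report must not itself store a PAN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit card numbers found in text (separators removed)."""
    return [d for d in (_digits(m.group(0)) for m in PAN_RE.finditer(text)) if luhn_valid(d)]


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings = [Finding(line_no, "track1", mask_pan(m.group(1))) for m in TRACK1_RE.finditer(line)]
    findings += [Finding(line_no, "track2", mask_pan(m.group(1))) for m in TRACK2_RE.finditer(line)]
    findings += [Finding(line_no, "pan", mask_pan(p)) for p in find_pans(line)]
    findings += [Finding(line_no, "cvv", "***") for _ in CVV_RE.finditer(line)]
    return findings


def scan_lines(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


def redact(line: str) -> str:
    """Mask every Luhn-valid PAN and blank CVV digits so the line may be retained.
    Track data is deliberately not redacted: if it shows up, the capture itself must go."""
    def mask_match(m):
        d = _digits(m.group(0))
        return mask_pan(d) if luhn_valid(d) else m.group(0)
    line = PAN_RE.sub(mask_match, line)
    return CVV_RE.sub(lambda m: m.group(0)[: -len(m.group(1))] + "*" * len(m.group(1)), line)


# Constructed sample lines (not real data): a 16-digit order id that fails Luhn,
# an authorization request logged in the clear, two raw swipes, a correctly masked
# line and a phone number that must not be flagged.
SAMPLE_LOG = [
    "2008-01-14 09:12:01 INFO order=2024011412345678 amount=49.99 status=approved",
    "2008-01-14 09:12:02 DEBUG auth request pan=4111111111111111 exp=1225 cvv2=123",
    '2008-01-14 09:12:03 DEBUG swipe raw=";4111111111111111=25121011234?"',
    '2008-01-14 09:12:04 DEBUG swipe raw="%B5500000000000004^DOE/JOHN^2512101?"',
    "2008-01-14 09:12:05 INFO masked=411111******1111 card ok",
    "2008-01-14 09:12:06 INFO phone=+1 415 555 0199 ip=10.0.0.12",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6s} {f.evidence}")
    print(redact(SAMPLE_LOG[1]))
```

    Run against the constructed lines, the scanner flags lines 2, 3 and 4 and stays quiet on the order number (Luhn fails), the already-masked PAN and the phone number. The Luhn check is what keeps the false-positive rate tolerable on real logs; the track-data findings are the ones to treat as incidents, since any presence of track data after authorization is a storage violation that redaction does not cure.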

  • The threat of data compromise is global in scope (Web)
    Many parties are involved in maintaining data security
    The impact of data compromise is widespread: financially, legally, and in goodwill exposures
    Data security is a primary risk concern for Members, Merchants, Service Providers, Consumers and Regulators
    Data security has evolved from an operational problem and financial threat to a significant reputation risk

    Conclusion: the data security risk is significant and therefore requires appropriate controls.

  • Hackers hit Dave & Buster's in credit-card fraud

    BY BUSINESS MATTERS EDITOR JULY 1, 2008 Houston, Tex.-based Dave & Buster's restaurants was named in the case that began in 2006 when information on more than a million credit and debit cards was compromised in a computer hacking incident. A 27-count indictment was issued by a New York State grand jury, according to a Justice statement. Charged were Maksym Yastremskiy of Ukraine, Aleksandr Suvorov of Estonia and Albert Gonzalez of Miami. The three are charged with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and interception of electronic communications. Justice officials call the crime "a scheme in which they hacked into POS terminals at 11 Dave & Buster's restaurants at various locations around the United States. . . then sold the stolen data to others who used it to make fraudulent purchases or resold it to make purchases, causing losses to financial institutions." Stolen was "Track 2" data, the statement said. "Track 2" data is described as card numbers and expiration dates. Losses in the case have been in excess of $600,000.

    The indictments followed arrest of Yastremskiy in Turkey and Suvorov in Germany. Gonzalez was arrested last month in Miami.

    Al Hammock, senior vice president at Envision Credit Union, said no charges or debits were incurred against cards issued to members. However, the institution has begun the process of reissuing cards to 468 debit card holders and 144 credit card holders as a precaution.

    Fines could exceed $50,000,000.00 to Dave and Busters

  • Potential fines:
    $50,000,000
    $10,000,000
    $590,000
    Combined fines for all three: $60,590,000

  • Discussion and Questions
