
Payment System Risk. Visa


In this presentation Andrew Mulvenna, of VISA, walked through some basic points of the PCI DSS and PA-DSS standards, such as what is new in the 2.0 versions, the new lifecycle of the standards, the prioritised, risk-based approach to PCI DSS, and the importance of encryption and tokenisation in new payment architectures.


Page 1: Payment System Risk. Visa

Visa Europe Public

Payment System Risk Andrew Mulvenna 10th November 2010

Page 2: Payment System Risk. Visa


Agenda

• PCI DSS & PA-DSS v2.0 – What’s new?

• Visa Europe’s PCI Compliance Programme

• Vulnerability Guidance

• Encryption and Tokenisation

• Questions and Answers


Page 3: Payment System Risk. Visa


PCI DSS & PA-DSS v2.0 – What’s new?

• Mainly clarifications to existing requirements.

• Certain requirements will be based more on risk assessment rather than being overly prescriptive.

• The standards will move to a three-year lifecycle.

Page 4: Payment System Risk. Visa


The New Life-cycle


Page 6: Payment System Risk. Visa


The Current Environment

• Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal.

• Many retailers believe that there is a disproportionate onus on them to protect data.

• What if we could make data less valuable such that it needs less protection?


Page 7: Payment System Risk. Visa


Storing cardholder data

Basic principles:

• If you don’t need it don’t store it

• Delete sensitive authentication data after authorisation

• If you store cardholder data you must do one or more of the following:

– Truncate

– Hash

– Encrypt

Retail Fraud Conference 20 April 2010

Page 8: Payment System Risk. Visa


Merchant Levels and Validation Requirements

Level 1

Definition: Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as Level 1 by any Visa region.**

Validation requirements:

– Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor or a qualified internal security resource

– Quarterly network scan by an Approved Scanning Vendor (ASV)

– Attestation of Compliance form

** Where merchants operate in more than one country or region, if they meet Level 1 criteria in any Visa country or region, they are considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders. In such cases merchants are validated according to regional levels.

Level 2

Definition: Merchants processing one million to six million Visa transactions annually via all channels.

Validation requirements:

– Annual Self-Assessment Questionnaire (SAQ)

– Quarterly network scan by an ASV

– Attestation of Compliance form

Page 9: Payment System Risk. Visa


Merchant Levels and Validation Requirements (2)

Level 3

Definition: Merchants processing 20,000 to one million Visa e-commerce transactions annually.

Validation requirements (one of the following):

– Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data, OR

– Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe

Level 4 (e-commerce merchants only)

Definition: Merchants processing fewer than 20,000 Visa e-commerce transactions annually.

Validation requirements (one of the following):

– Use a service provider that has certified PCI DSS compliance to process, store and transmit card and account data, OR

– Have certified their own PCI DSS compliance to the acquirer, who must, on request, be able to validate that compliance to Visa Europe

Level 4 (non e-commerce)

Definition: Non e-commerce merchants processing up to one million Visa transactions annually.

Validation requirements:

– Annual SAQ

– Quarterly network scan by an ASV

– Attestation of Compliance form

Page 10: Payment System Risk. Visa


PCI DSS Prioritised Risk Based Approach

Phases and PCI DSS objectives (defined by the PCI SSC):

1 – Remove Sensitive Authentication Data and Limit Data Retention

2 – Protect the Perimeter, Internal, and Wireless Networks

3 – Secure Applications

4 – Protect Through Monitoring and Access Control

5 – Render Cardholder Data Unreadable

6 – Achieve Final Compliance and Maintenance of PCI DSS

[Diagram labels alongside the phases: Required Validation; Merchant Discretion / Safe Harbour]


Page 12: Payment System Risk. Visa


Guidance Supplements


Page 14: Payment System Risk. Visa


New Payment Architectures

[Diagram components: Encrypting Registers and Encrypting PEDs, each behind a Segmenting Device bounding a PCI Compliant Zone; an Internal or Public Network; the Point of Decryption inside a PCI Compliant Zone]

Page 15: Payment System Risk. Visa


The industry’s first specification for Data Field Encryption

– A comprehensive guidance document describing the key management practices that would be necessary to support encryption solutions

– Based on 5 key security objectives

– Aimed at consolidating industry best practice


Page 16: Payment System Risk. Visa


SRED – Secure Read and Exchange of Data

• A new optional module within PCI PTS PoI v3.

• Describes security requirements for the protection of account data originating from a secure PED.

Page 17: Payment System Risk. Visa


What is Tokenisation?

• Tokenisation defines a process through which PANs are replaced with surrogate values known as “tokens”.

• The security of an individual token relies on two properties: uniqueness, and the infeasibility of determining the original PAN knowing only the surrogate value.
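As an added example (not Visa's code and not part of the original deck), the storage options from the "Storing cardholder data" slide and the two token properties from this slide, in Python: truncation keeps only the BIN and last four digits, hashing is keyed because the PAN space behind a known BIN is small enough to brute-force an unkeyed hash, and a vault issues random tokens whose only link back to the PAN is the vault mapping itself. The sample PAN, key and in-memory vault are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample: the well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def truncate_pan(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits; the middle is discarded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN.

    An unkeyed hash is weak here: with the BIN known, only about 10^9 Luhn-valid
    completions of a 16-digit PAN remain, so the secret key (held outside the
    cardholder data environment) is what makes the value non-reversible in practice.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Random, format-preserving tokens; the PAN is recoverable only through this mapping."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN always maps to the same token (uniqueness)
            return self._pan_to_token[pan]
        while True:
            # Random leading digits; the last four are kept so receipts and lookups still work.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject a collision with an issued token, and the one-in-10^12 case of token == PAN.
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the PCI compliant zone, can reverse a token."""
        return self._token_to_pan[token]
```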


Page 19: Payment System Risk. Visa


Questions?

Page 20: Payment System Risk. Visa


Thank you