2. What is PCI
In 2004 the Payment Card Industry Data Security Standard
(PCI-DSS) was created by the four major credit card brands
– Visa, MasterCard, Discover and American Express. In
2006 JCB joined these four to form the PCI Security
Standards Council (PCI SSC), establishing additional
security standards and updating the existing ones.
Ensure you are compliant so you avoid costly security
breaches, whose consequences can include:
100% responsibility for cardholder losses
Card brand fines up to $500,000 per incident
Forensic investigation expenses as high as $100,000
IT Compliance Consulting 2
3. Terminology of Who’s Who
Visa and MasterCard are made up of Member organisations
who can be either Acquirers, Issuers or both
Acquirers are the Members of the Visa or MasterCard
organisations which handle Merchants
Issuers are the Members of the Visa or MasterCard
organisations that issue the cards to Cardholders
Merchants are those entities who “accept” card transactions
Cardholders are consumers like you and me
Service Providers are the entities that provide any service
requiring the processing, storing or transport of card information
on behalf of any of the above
4. Who must comply
The Payment Card Industry Data Security Standards (PCI-DSS)
apply to all members, merchants and service providers that
store, process or transmit cardholder data
Additionally, these security requirements apply to all system
components which are defined as any network component,
server or application included in, or connected to, the
cardholder data environment
Although compliance is universally required, compliance
validation requirements can vary
By classification: Service Providers (entities that process, store, or transmit
cardholder data on behalf of other entities) have stronger validation
requirements than Merchants
By size: Entities that process larger volumes have stronger validation
requirements than those who process smaller volumes
5. Responsibilities
MasterCard is responsible for certifying products and
companies capable of fulfilling the scanning requirements
These are referred to as Approved Scanning Vendors (ASVs)
Visa is responsible for training and certifying companies and
individuals capable of fulfilling the on-site audit requirements
Such companies are called Qualified Security Assessors (QSAs)
The other PCI organisations are contributors to the standards
6. Data in Scope
Cardholder Data
PAN (Primary Account Number)
Cardholder Name
Card verification code (CVV, CVC)
Expiration Date
Apart from the cardholder name, all other data must be protected when stored in
any form, electronic or paper
Sensitive Authentication Data
Referred to as Track Data (1 or 2); it has three elements:
Full Magnetic Stripe Data
CVV2/CVC2/CID2 (Security Code)
PIN / PIN Block
None of this data can ever be stored after authorization
7. Cardholder Data: Storage Guidelines
Data Element                              Storage permitted   Protection required
Cardholder Data
  Primary Account Number (PAN)            Yes                 Yes
  Cardholder Name*                        Yes                 Yes*
  Service Code*                           Yes                 Yes*
  Expiration Date*                        Yes                 Yes*
Sensitive Authentication Data
  Full Magnetic Stripe Data               No                  N/A
  CVV2/CVC2/CID2                          No                  N/A
  PIN / PIN Block                         No                  N/A
* These data elements must be protected if stored in conjunction with the PAN
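As an added illustration (not part of the original slides) of the storage table in code: the function below drops the sensitive authentication data fields before an authorization record is written, renders the PAN unreadable by truncation plus a keyed hash, and a separate check audits any stored record against the table. The field names, the sample record and the HMAC key are constructed for this example.

```python
import hashlib
import hmac

# Sensitive Authentication Data: may never be stored after authorization.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv2", "pin_block"}
# May be stored, but must be protected whenever kept together with the PAN.
PROTECT_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}
# Constructed key for this example only; a real deployment keeps it in key management.
PAN_HMAC_KEY = b"example-key-not-for-production"

# Constructed authorization record as a payment application might hold it in memory.
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",  # well-known test PAN
    "cardholder_name": "A. Example",
    "expiration_date": "12/29",
    "service_code": "201",
    "track2": "4111111111111111=29122011234567890000",  # constructed track-2 data
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
    "auth_code": "A1B2C3",
}


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; the rest is replaced so the PAN is unreadable."""
    digits = pan.replace(" ", "")
    return "X" * (len(digits) - 4) + digits[-4:]


def pan_reference(pan: str, key: bytes = PAN_HMAC_KEY) -> str:
    """Keyed one-way reference for recognizing a repeat card without storing its PAN."""
    return hmac.new(key, pan.replace(" ", "").encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of an authorization record that the table permits to be stored."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            continue  # dropped outright: storage not permitted after authorization
        if field == "pan":
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_ref"] = pan_reference(value)
        else:
            stored[field] = value
    return stored


def storage_violations(stored: dict) -> list:
    """Audit a stored record: name every field whose presence breaks the storage table."""
    bad = [f for f in stored if f in SENSITIVE_AUTH_DATA]
    if "pan" in stored:  # full PAN in the clear
        bad.append("pan")
        # name, service code and expiry are only a problem alongside an unprotected PAN
        bad.extend(f for f in stored if f in PROTECT_WITH_PAN)
    return sorted(bad)
```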
8. Protect your Business and your Customers
With data security compromises on the rise, it is more important than ever to
take measures to safeguard your customers and your business
Criminals or “hackers” can pose a risk to your business both on-site and
remotely, making it necessary to implement procedures to protect your
sensitive data, whether it is stored in a file cabinet or on a computer
The largest breach in history – 94 million card numbers stolen in 2007 –
occurred at TJ Maxx, a large US clothing retailer. They agreed to pay $60
million to card networks to settle complaints
11 of the TJ Maxx hackers were caught, coming from the US, Ukraine, China, Estonia and
Belarus
70% of all database breaches are internal
9. What are the costs of a security breach?
The cost associated with a compliance failure or data breach can
be very expensive for any merchant or service provider, especially
a small or medium sized business owner. These costs include:
Forensic investigation of computer or point-of-sale systems: $10,000 - $20,000
Replacement cards for breached accounts: $20 - $30 per card
Card Association fines for non-compliance with the PCI Standard: up to $500,000
Loss of business reputation and customer loyalty, and potentially of credit
card acceptance
10. Common excuses after a security breach
I thought my IT Department was taking care of that
I thought we had a secure website with a firewall
I didn’t know my filing cabinets had to be secured
I didn’t know 70% of all database breaches are internal
I thought outsourcing to a vendor relieved me of the responsibility
My bank never mentioned anything about PCI to me
The merchant agreement with the bank didn’t specifically
indicate we would be responsible for fines
11. Compliance-Validation-Attestation
Compliance - Adherence to the standard
Applies to every merchant/ service provider regardless of volume
Applies to both technical and business practices
Validation - Verification that merchant/ service provider is
compliant with the standard
Depends upon type of card capture method(s) utilized
Two types of Validation
Self-Assessment Questionnaire (SAQ), annually – applies to every merchant
Vulnerability scanning, quarterly – applies if external-facing IP addresses are involved
(web and POS software); must be performed by an Approved Scanning Vendor (ASV)
Attestation - Providing proof of validation to card processor
Card processor reports to Visa and MasterCard
Attest whenever requested by the card processor
12. Card Capture Channels
Card Present (card can be swiped):
• All credit cards
• PIN-based debit cards with the Visa/MasterCard logo
• Face-to-face transactions
Card Not Present (card cannot be swiped):
• All credit cards
• Debit cards with the Visa/MasterCard logo
• Remote transactions: through the Internet, Mail / Telephone Order (MOTO), or Interactive Voice Response (IVR)
Requirements to be followed are determined primarily by the card capture method being utilized
13. Do’s to become PCI Compliant
Build and maintain a secure network
Protect cardholder data
Segregation of duties by department
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
14. Don'ts to stay PCI compliant
Transmitting credit card numbers unsecured by
fax
e-mail
text message
instant messaging
Storing audio recordings of CVV, CVC, etc.
Storing full magnetic stripe track data (one of the most
common violations of PCI-DSS)
Storing CVV2/CVC2/CID2 at any time after the transaction has
been authorized
Forgetting about paper copies and disk drives in
multifunction printers
15. Easy Improvements
Store Less Data
Don’t store cardholder data unless there is a compelling business reason to do so
Determine where credit card data exists in your organization, what it is used for
and why it is needed
Eliminate “shadow databases” (Excel worksheets, etc.)
View online reports, don’t download them (downloading = storing)
Ensure your systems don’t store magnetic stripe data by default
Retaining CVV2/CVC2/CID2 data and PINs after authorization is never allowed
Better Access Controls
Limit cardholder data only to employees with a “need to know”
Segment databases and networks, thereby limiting the scope of PCI
Implement the requirements specified in the Standard, as identified in the annual
Self-Assessment Questionnaire (SAQ)
Establish formal written Policies and Procedures
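As an added example (not from the original slides) of the "determine where credit card data exists" step: a small discovery scan that finds full PANs in exported files such as spreadsheets or CSV dumps, uses the Luhn check to drop digit runs that are not card numbers, and reports only masked hits so the scan itself does not spread cardholder data. The sample export is constructed for this example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed export of an order spreadsheet; lines 2 and 3 hold real-looking test
# PANs, line 4 is a digit run that fails Luhn, line 5 holds a token instead of a PAN.
SAMPLE_EXPORT = """order_id,customer,card,amount
1001,A. Example,4111 1111 1111 1111,19.99
1002,B. Example,5500-0000-0000-0004,45.00
1003,C. Example,1234567890123456,12.50
1004,D. Example,tok_8f3a9c,30.00
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report form: only the last four digits survive in the scan output."""
    return "X" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits
```

Run over a real export directory, the same function reports every file and line that must be eliminated, masked or brought into scope.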
16. Compliance Levels of Merchants
Level 1: more than 6 million transactions, or previously compromised
  Quarterly vulnerability scan: Required, in addition to annual on-site certification
  Self-Assessment Questionnaire: Not required
  Network security scan (penetration test)*: Required (annually)
Level 2: more than 1 million transactions
  Quarterly vulnerability scan: Required
  Self-Assessment Questionnaire: Required (annually)
  Network security scan (penetration test)*: Required (annually)
Level 3: more than 20K e-commerce transactions
  Quarterly vulnerability scan: Required
  Self-Assessment Questionnaire: Required (annually)
  Network security scan (penetration test)*: Required (annually)
Level 4: fewer than 20K e-commerce transactions and fewer than 1 million total transactions
  Quarterly vulnerability scan: Required
  Self-Assessment Questionnaire: Recommended (annually)
  Network security scan (penetration test)*: Recommended (annually)
* External-facing IP addresses that only store cardholder data
17. Compliance Levels of Service Providers
Level 1: all processors and payment gateways
  Quarterly vulnerability scan: Required, in addition to annual on-site certification
  Self-Assessment Questionnaire: Not required
  Network security scan (penetration test)*: Required (annually)
Level 2: not level 1, and stores, processes or transmits more than 1 million transactions
  Quarterly vulnerability scan: Required, in addition to annual on-site certification**
  Self-Assessment Questionnaire: Required***
  Network security scan (penetration test)*: Required (annually)
Level 3: not level 1, and stores, processes or transmits fewer than 1 million transactions
  Quarterly vulnerability scan: Required
  Self-Assessment Questionnaire: Required (annually)
  Network security scan (penetration test)*: Recommended
* External-facing IP addresses that only store cardholder data
** On-site certification required only by MasterCard as of 2011
*** Required annually only by VISA
18. Service Providers
It is the responsibility of the merchant to utilize compliant service
providers
If the service provider is not compliant, then the merchant is not compliant
Any fines for breaches pertain to the merchant not to the service provider
Examples of Service Providers
Gateway and Web Hosting
Backup Storage and IT Infrastructure
PCI Requirement 12.8 applies, requiring merchant to “manage”
the service provider:
Maintaining a “written agreement” specifying the service provider’s responsibility
for compliance
Performing due diligence to ensure PCI compliance prior to engagement
Monitoring the service provider’s compliance status
Monitoring the Service Provider
Some vendors are registered as compliant by Visa or MC. The merchant should
obtain “evidence” of compliance from vendor (e.g. Report on Compliance –RoC)
Merchant cannot answer SAQ truthfully if requirements are not met
19. PCI DSS Structure
The standard is made up of six key sections:
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
Each section has a set of Requirements, for example:
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect
data.
Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters.
20. PCI DSS Structure, Continued
Each Requirement has a rationale and a set of subrequirements specified for
review, e.g.
Requirement 1: Install and maintain a firewall configuration to protect data
Firewalls are computer devices that control computer traffic allowed into
a company’s network from the outside, as well as traffic into more
sensitive areas within a company’s internal network. All systems need to
be protected from unauthorized access from the Internet, whether for
e-commerce, employees’ Internet-based access via desktop browsers,
or employees’ email access. Often, seemingly insignificant paths to and
from the Internet can provide unprotected pathways into key systems.
Firewalls are a key protection mechanism for any computer network
Requirement 1.1 Establish firewall configuration standards that include:
1.1.1 A formal process for approving and testing all external network connections
and changes to the firewall configuration
1.1.2 A current network diagram with all connections to cardholder data,
including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any
DMZ and the Intranet
21. Building and Maintaining a Secure Network
Requirement 1:
Install and maintain a firewall configuration to protect
cardholder data. Internet firewall security needs to be installed
and functional on all computers, payment applications and POS
systems using IP connectivity, including those with a dial-up
connection to the Internet
Requirement 2:
Do not use vendor-supplied defaults for system passwords and
other security parameters. Passwords should be personalized
for all users. All unnecessary services should be disabled
22. Protecting Cardholder Data
Requirement 3:
Protect stored cardholder data. Do not store the contents of the track
data from the magnetic stripe on the credit card or the CVV or CVC
information (the three-digit code on the back of the card) after authorization
Only store cardholder account information that is essential to your business. Hard
copies of reports and paper receipts must be kept in a secured area and
shredded when discarded. Implement a policy on how long data will be stored
and why (i.e. for business or legal purposes)
Requirement 4:
Encrypt transmission of cardholder data across open or public networks.
Databases and files containing payment card information must be
encrypted. Encryption software is required for systems that use Internet
connectivity to transmit cardholder information
23. Maintaining a Vulnerability Management Program
Requirement 5:
Use and regularly update anti-virus software. Install and
maintain updated anti-virus software on all computers and
servers. The number one cause of hacker fraud is Trojan or
backdoor virus intrusion
Requirement 6:
Develop and maintain secure systems and applications. Check
with your software supplier to ensure you are using the latest
version. You can also verify whether your software and version are
included on the PCI Security Standards Council’s Validated
Payment Application list
Old technology and software is an open invitation to hackers. Don’t take for
granted that your supplier has informed you of possible vulnerabilities or updates.
Remember, it is you who will be subject to fines if your business is compromised
24. Implementing Strong Access Control Measures
Requirement 7:
Restrict access to cardholder data on a need-to-know
basis. Complex passwords should always be used to limit
access to cardholder information
Requirement 8:
Assign a unique ID to each person with computer access.
Ensure each employee has a unique user name and
password to restrict access to computers and transaction
systems’ data. Make sure you update passwords when
any employee leaves who had access to cardholder data
Requirement 9:
Restrict physical access to cardholder data
25. Regularly Monitoring and Testing Networks / Maintaining an Information Security Policy
Requirement 10:
Track and monitor all access to network resources (i.e. computers and
transaction systems) and to cardholder data. You must be able to show
proof of tracking
Requirement 11:
Regularly test security systems and processes. Document a policy
for testing of security systems and processes. You must be able to
show proof of testing of your Internet security and policy
processes
Requirement 12:
Maintain a policy that addresses information security. Document
and maintain an enforceable policy that details the safeguarding of
payment card information
26. PCI-DSS relative to other standards
[Figure: PCI-DSS, SOX 404, GLBA SR, HIPAA SR and ISO 17799-2000 positioned on two axes, consistency of controls and expertise required, on a scale from generic to prescriptive]
27. Milestones for Prioritizing PCI DSS Compliance Efforts
The Prioritized Approach includes six milestones. The list below
summarizes the high-level goals and intentions of each milestone.
1. Remove sensitive authentication data and limit data retention.
This milestone targets a key area of risk for entities that have
been compromised. Remember – if sensitive authentication and
other cardholder data is not stored, the effects of a compromise
will be greatly reduced. If you don’t need it, don’t store it!
2. Protect the perimeter, internal and wireless networks. This
milestone targets controls for points of access to most
compromises – the network or a wireless access point
28. Milestones for Prioritizing PCI DSS Compliance Efforts (cont.)
3. Secure payment card applications. This milestone targets
controls for applications, application processes and
application servers. Weaknesses in these areas offer easy prey
for compromising systems and obtaining access to cardholder
data
4. Monitor and control access to your systems. Controls for this
milestone allow you to detect the who, what, when and how
concerning who is accessing your network and cardholder
data environment
29. Milestones for Prioritizing PCI DSS Compliance Efforts (cont.)
5. Protect stored cardholder data. For those organizations that
have analyzed their business processes and determined that
they must store Primary Account Numbers, milestone five
targets key protections mechanisms for that stored data
6. Finalize remaining compliance efforts and ensure all controls
are in place. The intent of milestone six is to complete PCI DSS
requirements and finalize all remaining related policies,
procedures and processes needed to protect the cardholder
data environment
30. On-site Assessment
Is a detailed audit against the PCI Data Security Standard
Potentially targets all systems and networks that store, process and/
or transmit cardholder information
Includes review of contractual relationships, but not assessment of
the Third Parties themselves
Must be performed using an offering from a Visa certified Qualified
Security Assessor (QSA) such as Trustwave
Biggest difficulties in having on-site reviews are the initial scoping
and the subsequent cost of correction to compliant levels
The QSA provides a report on compliance when compliant, for
submission to the Acquirer. Interim reports may be asked for by the
Acquirer
31. On-site Review Practicalities
Make sure you scope correctly
The appropriate placement of a stateful firewall can reduce the scope
dramatically
If not compliant, it will be necessary to submit planning
information on how compliance will be achieved
This will be monitored and policed both by your QSA and Acquirer
It may be possible to use compensating controls to meet a
requirement
Must be controls over and above what is already specified, and
Must meet the intent of the requirement
At the discretion of the QSA and must be agreed to by the Acquirer
32. PCI DSS Control Evaluation
The PCI Security Audit Procedures give some guidance on
what will be checked for. An example of this can be seen by:
6.3.7 Review of custom code prior to release to production or customers, to identify
any potential coding vulnerability
Testing procedure
6.3.7.a - Obtain and review written policies to confirm they dictate that code
reviews are required, and must be performed by individuals other than the
originating author of the code
6.3.7.b - Confirm that code reviews are occurring for new code as well as after
code changes
33. Tokenization
This new technology replaces sensitive cardholder data (the
PAN in particular) with a randomized token that represents the
data. Tokenization eliminates the storage of actual cardholder
data and brings the following benefits:
Scope reduction by allowing fewer system components to have
access to real cardholder data – the most significant benefit
Cardholder data security can be improved when data encryption
is combined with tokenization
Avoids the complexity of key management requirements when
replacing encryption
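An added example (not part of the original slides or of any vendor's product) of the tokenization described above: a minimal token vault that hands applications a random token unrelated to the PAN, keeps the PAN only inside the vault, and lets only named components detokenize, which is what confines real cardholder data, and with it PCI scope, to the vault. The component names and the order record are constructed; the in-memory dictionaries stand in for the protected store a real vault would use.

```python
import secrets


class TokenVault:
    """The one system component that holds real PANs; every other component stores tokens."""

    def __init__(self, detokenize_allowed):
        self._pan_by_token = {}
        self._token_by_pan = {}
        # Components permitted to turn a token back into a PAN (e.g. the gateway connector).
        self._allowed = frozenset(detokenize_allowed)

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating a random one the first time it is seen."""
        pan = pan.replace(" ", "")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # multi-use token: same PAN, same token
        while True:
            # 64 random bits from the OS CSPRNG; nothing about the PAN can be derived from it
            token = "tok_" + secrets.token_hex(8)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, component: str) -> str:
        """Hand the PAN back only to a component on the allow list."""
        if component not in self._allowed:
            raise PermissionError(f"{component} is not permitted to detokenize")
        return self._pan_by_token[token]

    def holds_pan(self, pan: str) -> bool:
        """True if this PAN is vaulted (the vault is the only place it should be found)."""
        return pan.replace(" ", "") in self._token_by_pan


def record_order(vault: TokenVault, order_id: str, pan: str, amount: str) -> dict:
    """Constructed order record as the merchant application stores it: token, never PAN."""
    return {"order_id": order_id, "card_token": vault.tokenize(pan), "amount": amount}


def contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does any stored field carry the PAN, with or without spacing?"""
    digits = pan.replace(" ", "")
    return any(digits in str(v).replace(" ", "") for v in record.values())
```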
34. Network Security Scanning
Targets Internet facing devices, systems and applications
including
routers and firewalls
servers and hosts (including virtual)
Applications
May not have any severity 3 or greater issues:
5 (Urgent) - Trojan Horses, file read and write exploits, remote
command execution
4 (Critical) - Potential Trojan Horses, file read exploit
3 (High) - Limited exploit
35. Security Incident Plan
Requirements of:
Card Association Rules
Requirement number 12 of the PCI DSS
OSC’s policy -“Merchant Cards Security Incident Plan”
Basic points
Must have a formal plan
Applies to both technology and paper breaches
Acquirer must be notified in all cases – immediately
Card associations take into consideration timeliness of reporting when
determining fines for breach
36. Limit Personnel Access to Restricted Data
Background checks must be performed prior to hiring for any
positions with unrestricted access to cardholder data (not
necessary for cashier level personnel with access to only one
card at a time)
All personnel involved in credit card transactions must attend
security training annually
Physical and logical access only granted on a ‘need to know’
basis
37. FAQs
Q: Am I PCI compliant if my point-of-sale system is compliant?
A: No. PCI compliance goes beyond the hardware or software used for payment
card processing. You are expected to be compliant with the Payment Card
Industry Data Security Standard (PCI DSS). The PCI DSS contains 12
requirements addressing 6 core principles for network architecture, cardholder
data protection, vulnerability management, access controls, network security
and information security policies. These include items such as policies for
storing reports/receipts, physical access to data, passwords, etc.
Using a validated payment application and/or a PCI-approved PIN Entry
Device (PED) may aid in reducing the scope of potential areas requiring
attention. However, to be considered PCI compliant, you must validate your
compliance by completing and passing the PCI SAQ and network vulnerability
scans (if applicable)
38. FAQs
Q: As a merchant, I did not sign anything saying I would be compliant; therefore,
I don’t need to be
A: The PCI standard forms part of the operating regulations that are the rules
under which merchants are allowed to operate merchant accounts. The
regulations signed when you open an account at the bank state that the VISA
regulations have to be adhered to. Even if you have been in business for
decades, PCI still applies if you store, process or transmit credit card data
Q: Who needs to comply with the PCI DSS?
A: ALL organizations, regardless of size or number of transactions, that process,
store or transmit cardholder data must comply with the PCI DSS. Essentially,
all merchants with a Merchant Identification number (MID) and all service
providers that touch cardholder data are required to comply with the PCI DSS.
39. PCI Glossary
CISP - Visa’s Cardholder Information Security Program
SDP - MasterCard’s Site Data Protection Program
PCI SSC - Payment Card Industry Security Standards Council
PCI DSS - Payment Card Industry Data Security Standard *
PCI PA-DSS - PCI Payment Application Data Security Standard *
PTS - PIN Transaction Security Standard *
QSA - Qualified Security Assessor (e.g., Trustwave)
ASV - Approved Scanning Vendor (e.g., Trustwave)
SAQ - Self-Assessment Questionnaire (A, B, C, or D)
* Note: Three separate standards can apply