Understanding Credit Card Security Requirements - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Understanding Credit Card Security Requirements

Description:

Understanding Credit Card Security Requirements. Gregory Dove, Manager, ... No, or was complaint, but forensic team discovered compliance lapsed ... – PowerPoint PPT presentation

Number of Views:236
Avg rating:3.0/5.0
Slides: 27
Provided by: CSUS5
Category:

less

Transcript and Presenter's Notes

Title: Understanding Credit Card Security Requirements


1
Understanding Credit Card Security Requirements
Gregory Dove, Manager, Information Systems Audit
Manager AOA Meeting -- January 14, 2008
2
In The Virtual Storefront
  • Unlike merchants who operate in the physical
    world, you do not have
  • face-to-face contact,
  • a card-in-hand, or
  • an actual signature
  • a physical door with a lock and key
  • a security guard posted 24/7 for protection.
  • Cyber-thieves know all of this and are always on
    the look-out for merchants who have hung up a
    virtual shingle, but have let their risk
    management guard down.
  • Its up to you to understand the unique
    issues of running a virtual storefront and take a
    strategic approach to proactively address these
    issues and position your business for success.

3
The business case for security
  • Proper security enables a company to meet its
    business objective by providing a safe and secure
    environment that helps avoid
  • Loss of revenue
  • Loss or compromise of data
  • Interruption of business process
  • Legal consequences
  • Damage to customer and partner confidence
  • Damage to reputation
  • A more secure retail store also enables easier
    and safer connectivity with customers and
    business partners

4
If The Business Case didnt Convince You
  • If an organization doesn't know that they need to
    be PCI compliant, or if an organization just
    doesn't want to be bothered by having to obtain
    PCI compliance, it soon will not matter.
  • The goal is to have all merchants, regardless of
    their merchant level, compliant with PCI DSS.

5
PCI DSS Payment Card Industry Data Security
Standard
  • Standard that is applied to
  • Merchants
  • Service Providers (Third Third-party vendor,
    gateways)
  • Systems (Hardware, software)
  • That
  • Stores cardholder data
  • Transmits cardholder data
  • Processes cardholder data
  • Applies to
  • Electronic Transactions
  • Paper Transactions

6
PCI DSS Exempt Myth
  • All merchants are subject to the standard and to
    card association rules
  • No exemption provided to anyone
  • Immunity does not apply because
  • Requirement is contractual - not regulatory or
    statutory
  • Card associations can be selective who they
    provide services to
  • Merchants accept services on a voluntary basis
  • Merchants agree to abide by association rules
    when they execute e-merchant bank
    agreement
  • Merchant banks are prohibited by association
    rules from indemnifying a merchant from not being
    compliant with the standard
  • Association Rules require merchant banks to
    monitor merchants to ensure their compliance
  • Failure of a merchant bank to require compliance
    jeopardizes the merchant bank banks right to
    continue to be a merchant banks
  • Any fines levied are against the merchant bank,
    which in turns passes the fines onto the merchant

7
The PCI framework is divided into 12 security
requirements
  • Build and Maintain a Secure Network
  • 1. Install and maintain a firewall configuration
    to protect data.
  • 2. Do not use vendor-supplied defaults for system
    passwords and other security parameters.
  • Protect Cardholder Data
  • 3. Protect stored data.
  • 4. Encrypt transmission of cardholder data and
    sensitive information across public networks.
  • Maintain a Vulnerability Management Program
  • 5. Use and regularly update antivirus software.
  • 6. Develop and maintain secure systems and
    applications

8
The PCI framework is divided into 12 security
requirements
  • Implement Strong Access Control Measures
  • 7. Restrict access to data by business
    need-to-know.
  • 8. Assign a unique ID to each person with
    computer access.
  • 9. Restrict physical access to cardholder data.
  • Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network
    resources and cardholder data.
  • 11. Routinely test security systems and
    processes.
  • Maintain an Information Security Policy.
  • 12. Establish high-level security principles and
    procedures.

9
Compliance Vs Validation
  • Compliance Means adherence to the standard
  • Applies to every merchant regardless of volume
  • Technical and business practices
  • Validation Verification that merchant
    (including its services providers) is compliant
    with the standard
  • Applies based on Level assigned to merchant,
    based on transaction volume
  • Two types of Validation
  • Self-Assessment
  • Certified by a Qualified Security Assessor (QSA)
  • Attestation Letter to Visa signed by both
    merchant and acquirer bank attesting that
    validation has been performed

10
Two Components to Validation
  • Annual Assessment Questionnaire
  • Required of all merchants regardless of level
  • Self Self-Assessment or performed by Qualified
    Security Assessor (QSA)
  • Must not have any No answers its Fail or
    Pass
  • Applies to both technical and business
  • Security Vulnerability Scan - Quarterly
  • Required for External facing IP addresses
  • Web applications
  • POS Software and databases on networks
  • Applies even if there is a re-direction link to
    third third-party
  • Must be performed by Approved Scanning Vendor
    (ASV)
  • Validation based on Level assigned to merchant,
    based on transaction volume
  • Visa MC schedules are different
  • Visas schedule is what most go by

11
Levels of Merchants (Applies to Validation and
Attestation, Not to Compliance)
  • All merchants must perform external network
    scanning to achieve compliance.
  • The new program, released in May 2007, requires
    acquirers to develop and submit a formal written
    compliance plan to Visa, which "identifies,
    prioritizes and manages overall risk within their
    Level 4 merchant populations," according to the
    CISP Bulletin.
  • For those acquirers who have not written and/or
    sent a summary of their plan, one must be emailed
    to Visa no later than July 31, 2007. Email
    summaries to cisp_at_visa.com.

12
The current Visa and MasterCard validation
requirements are as follows
  • Level 1-Visa/MasterCard-- Annual onsite review by
    merchant's internal auditor or a Qualified
    Security Assessor (QSA) or Internal Audit if
    signed by Officer of the company, and a quarterly
    network security scan with an Approved Scanning
    Vendor (ASV).
  • Level 2-- Completion of PCI DSS Self Assessment
    Questionnaire annually, and quarterly network
    security scan with an approved ASV.
  • Level 3-- Completion of PCI DSS Self Assessment
    Questionnaire annually, and quarterly network
    security scan with an approved ASV.
  • Level 4-- Completion of PCI DSS Self Assessment
    Questionnaire annually, and quarterly network
    security scan with an approved ASV.
  • Submit summary of PCI compliance plan, via
    acquirer, by July 30, 2007. If a breach has been
    reported, or found, Visa reserves the right to
    move the Level 4 merchant to a Level 1. If so,
    the Level 4 merchant must abide by the Level 1
    validation requirements.

13
The Level 4 Merchant Compliance Program plan must
consist of the following items Acquirer
  • Timeline of Critical Events--Timeline of
    completion dates and milestones, for overall
    strategy.
  • Risk-Profiling Strategy--Prioritization of Level
    4 merchants into subgroups, from merchants that
    post the greatest risk, to those that post little
    risk at all. Factors such as merchant category
    transaction volume, market segment, acceptance
    channel, number of locations can help the
    acquirer target compliance efforts for each
    subgroup.
  • Merchant Education Strategy--Strategy designed to
    eliminate prohibited data from being stored
    protect stored data, and securing the environment
    in accordance with PCI DSS. This includes
    ensuring that merchants are only storing data
    they truly require, by complying with PCI DSSs,
    and by making sure payment applications are
    compliant and any third-party agents are on
    Visa's list of CISP-Compliant Service Providers.
  • Compliance Reporting--Monthly compliance
    reporting to executive or board management. Visa
    may also periodically request that the acquirer
    produce these reports.

14
Merchant levels based on Visa transaction volume
over a 12-month period
For Visa, Inc., the merchant's transaction volume
is based on the aggregate number of Visa
transactions-credit cards, debit cards, prepaid
cards - from a merchant Doing Business As
("DBA"). For merchants and/or merchant
corporations who operate more than one DBA, the
aggregate volume of stored, processed or
transmitted transactions by the corporate entity
must be considered, to determine the validation
level. If the corporate entity does not store,
process or transmit cardholder data on behalf of
the multiple DBAs, members will continue to
consider the DBA's individual transaction volume
to determine the validation level.
15
Security Breach Fines
  • Not levied by PCI Security Council
  • Fines levied by Card Associations
  • Against merchant bank, which passes fines on to
    merchant
  • Fines for security breach
  • Visa - Up to 500,000 per occurrence
  • MC Up to 500,000 per occurrence
  • Amount of fines dependent upon
  • Number of card numbers stolen
  • Circumstances surrounding incident
  • Whether Track Data was stored or not
  • Timeliness of reporting incident
  • Safe Harbor
  • Could limit fine amount if had been validated as
    compliant by a QSA
  • But validation is point in time Dont count on

16
Other Security Breach Costs
  • Fines levied by card associations to make
    notifications to all card holders and replace
    cards
  • Costs of notifying customers of incident
  • Forensic Investigation Costs
  • Required by card associations
  • Must used approved firm (QSA)
  • Cost approximately 10,000
  • Cost associated with discontinuing accepting
    cards
  • Cost of an annual on-site security audit
  • Once a breach has occurred, elevated to a Level 1
    merchant
  • Cost approximately 15,000 - 20,000

17
Document the Process Flow
  • Network Diagram is Required for all systems that
    transmit, store or process transactions, from the
    merchant system to the processor.
  • Put processing activities on a separate network
    segment
  • Campus network / 4CNET may need to be compliant
    or follow an encrypted path
  • All point of entry into the network / system must
    be identified and protected.
  • All Reports, downloads, and receipts must be
    protected.

18
Why Not Paper
  • Physical protective measures are required for
    storing and securing paper transactions.
  • Report distribution controlled and reports
    physically locked which is difficult to
    demonstrate compliance.
  • Transaction detail must be restricted to only
    authorized persons and must be physically locked.
  • A detailed documented process of all printouts
    and paper copies of transaction detail is
    required.
  • Difficult to demonstrate compliance without
    detailed understanding of the flow process
  • Retention requirements must include adequate
    security provisions

19
10 Myths about PCI Compliance
Source Payment Security Experts
  • Im a small merchant, who only takes a handful of
    cards, so I dont need PCI. A common
    misunderstanding with the standard is that small
    merchants, handling a few 10s of credit cards a
    day are exempt from compliance. If you are a
    merchant and you are set up to take credit cards,
    by any mechanism - then you need to be complaint.
  • PCI only applies to E-commerce companies. No, PCI
    applies to every company that stores, processes
    or transmits cardholder information. In fact
    anyone who takes card present transactions that
    involve POS devices are more at risk than
    E-Commerce solutions, quite often these types of
    transactions involve storage of track data (which
    is forbidden under PCI). Disclosure of this type
    of data will bring heavy fines and requests for
    compensation from the banks involved.
  • You only have to be compliant with the majority
    of criteria. The pass mark for PCI is 100, so if
    you fail even one of the criteria, you fail PCI.
    The standard is not really meant to be something
    to strive for it is really a floor, a basis for
    further security measures. Failing to achieve
    even one of the requirements, is failing to meet
    a basic standard for handling cardholder
    information. All companies that routinely handle
    this type of data should be aiming to exceed the
    standard.

20
Source Payment Security Experts
10 Myths about PCI Compliance
  • I only need to protect my credit card data, not
    ATM debit card related data. Unfortunately, both
    are required. Many debit cards are dual-purpose
    signature debit, which can be used on debit and
    credit card networks. As such, they are covered
    under PCI and must be protected in the same way
    as credit cards.
  • I can wait until my business grows.
    Unfortunately, the PCI standard applies to all
    sizes of business and waiting could be costly.
    Should you be compromised and not be compliant
    the fines and the compensation sort by the banks
    (it costs between 50 and 90 to replace one
    card) could be substantial.
  • I can just answer yes to all the criteria on
    the self-assessment. The self-assessment is
    merely a mechanism for getting the information
    about the level of your compliance to your
    merchant bank or to Visa. The standard applies at
    all times. Just saying yes to the questions puts
    the merchant at great risk. If a compromise took
    place and it was obvious that the merchant was
    not and has never been compliant, the matter
    would be taken very seriously by VISA. The
    merchant would be risking the whole business by
    answering yes to the questions, when there is
    no basis in fact for that answer.

21
Source Payment Security Experts
10 Myths about PCI Compliance
  • As a merchant Im not liable if a credit card is
    compromised Merchants are liable and not just for
    the credit card compromise, there are basically 4
    scenarios where credit card data is compromised
    Merchants can be liable not only for the
    compromise but also for subsequent damages from
    the issuing banks.

22
Source Payment Security Experts
10 Myths about PCI Compliance
  • I can wait until my bank asks me to be compliant.
    The dates for Merchants demonstrating compliance
    are long gone, and the Merchant is responsible
    for making sure they are in compliance. Waiting
    until the bank asks you could be very costly
    indeed.
  • As a Merchant, I did not sign anything, saying I
    would be complaint therefore, I do not need to
    be. The PCI standard forms part of the operating
    regulations that are the rules under which
    Merchants are allowed to operate merchant
    accounts. The regulations signed when the
    Merchant opens an account at the bank state that
    the VISA regulations have to be adhered to. Even
    if you have been in business for decades, PCI
    still applies, if you store, process or transmit
    credit cards.
  • As a Merchant, Im entitled to store any data
    Many Merchants believe that they own the customer
    and have a right to store all the data about that
    customer in order to help their business. Not
    only is this incorrect regarding PCI, it may also
    be a violation of State and Federal legislation
    regarding privacy. The PCI regulations
    specifically forbid storing of any of the
    following
  • Unencrypted credit card number
  • CVV or CVV2
  • Pin blocks
  • PIN numbers
  • Track 1 or 2 data
  • Any of the above found in databases, log files,
    audit trails, backups etc at a Merchant can
    result in serious consequences for the Merchant,
    especially if a compromise has taken place.

23
Conclusion The Data Security Risk is Significant
and Therefore Requires Appropriate Controls
  • The threat of data compromise is global in scope
    (Web)
  • Many parties are involved in maintaining data
    security
  • The impact of data compromise is widespread
    financially, legally, and in goodwill exposures
  • Data security is a primary risk concern for
    Members, Merchants, Service Providers, Consumers,
    and Regulators
  • Data security has evolved from an operational
    problem and financial threat to a significant
    reputation risk

24
  • Hackers hit Dave Buster's in credit-card fraud
  • BY BUSINESS MATTERS EDITOR JULY 1, 2008
  • Houston, Tex.-based Dave Buster's restaurants
    was named in the case that began in 2006 when
    information on more than a million credit and
    debit cards was compromised in a computer hacking
    incident. A 27-count indictment was issued by a
    New York State grand jury, according to a Justice
    statement. Charged were Maksym Yastremskiy of
    Ukraine, Aleksandr Suvorov of Estonia and Albert
    Gonzalez of Miami. The three are charged with
    wire fraud conspiracy, wire fraud, conspiracy to
    possess unauthorized access devices, access
    device fraud, aggravated identity theft,
    conspiracy to commit computer fraud, computer
    fraud and interception of electronic
    communications.
  • Justice officials call the crime "a scheme in
    which they hacked into POS terminals at 11 Dave
    Buster's restaurants at various locations around
    the United States. . . then sold the stolen data
    to others who used it to make fraudulent
    purchases or resold it to make purchases, causing
    losses to financial institutions."
  • Stolen was "Track 2" data, the statement said.
    "Track 2" data is described as card numbers and
    expiration dates. Losses in the case have been
    been in excess of 600,000.
  • The indictments followed arrest of Yastremskiy
    in Turkey and Suvorov in Germany. Gonzalez was
    arrested last month in Miami.
  • Al Hammock, senior vice president at Envision
    Credit Union, said no charges or debits were
    incurred against cards issued to members.
    However, the institution has begun the process of
    reissuing cards to 468 debit card holders and 144
    credit card holders as a precaution.
  • Fines could exceed 50,000,000.00 to Dave and
    Busters

25
50,000,000
10,000,000
Combined fines for all three 60,590,000
590,000
26
DiscussionandQuestions
Write a Comment
User Comments (0)
About PowerShow.com