Payment Card Industry Data Security Initiative - PowerPoint PPT Presentation
1
Payment Card Industry Data Security Initiative
  • Jennifer Wallace-Fischer, Visa U.S.A.
  • NASACT - May 25, 2005

2
Discussion Topics
  • Introduction
  • Cardholder Data Security
  • Visa CISP Background
  • Industry Alignment
  • Compliance
  • Compliance Validation
  • Payment Application Best Practices
  • Reference Tools

3
Introduction
Relationships Matrix
(diagram) The four parties in the relationship
matrix: Member, Processor, Cardholder, Merchant
4
Introduction
Public Concerns and Industry Consequences
(diagram) Chain of consequences once cardholder
data is targeted:
  • Cardholder Data Targeted
  • Cardholder Victimized
  • Regulatory Enforcement
  • Government Intervention
  • Media Scrutiny
5
Introduction
Cardholder Data Exposure
(diagram) Exposure points along the transaction
path: Payment Application, Service Provider,
Service Provider
6
Cardholder Data Security
Today's Security Environment
  • Track data stored by merchants and third parties
  • Payment applications enable track data storage
  • Non e-commerce entities, third parties and
    processors are aggressively targeted
  • Heightened interest in adopting federal
    legislation to address security concerns
  • Globally organized criminals increasingly
    involved in hacks
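
The first two points above (full track data retained by merchants and by payment applications) are the ones an assessor or incident responder has to prove or disprove on a real system. The following is an added example, not code from the presentation or from Visa: a small detector that walks log lines or file dumps and reports magnetic-stripe track data and bare Luhn-valid PANs. It assumes the ISO/IEC 7813 track 1 (format B) and track 2 layouts, 13 to 19 digit PANs, and the constructed `SAMPLE_LOG` embedded below (built from the public test numbers 4111111111111111 and 5500000000000004, not real cards). Storage of full track data after authorization is prohibited under PCI DSS requirement 3, so the `full_track` flag is the finding that matters most.

```python
"""Find stored track data and bare PANs in text (logs, DB dumps, files).

Added example. Assumptions (not from the presentation): ISO/IEC 7813 track
layouts, Luhn-checked 13-19 digit PANs, and the constructed SAMPLE_LOG below.
"""
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Candidate bare PAN: 13-19 digits not adjacent to other digits; confirmed by Luhn.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; filters out order numbers, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line: track1, track2, then bare PANs not already
    covered by a track match (so the PAN inside a track is not double counted)."""
    findings = []
    consumed = []  # character spans already reported as track data

    def in_consumed(pos: int) -> bool:
        return any(s <= pos < e for s, e in consumed)

    for m in TRACK1_RE.finditer(line):
        if luhn_valid(m.group(1)):
            findings.append({"type": "track1", "pan": mask_pan(m.group(1)),
                             "expiry": m.group(3), "service_code": m.group(4),
                             "full_track": True})
            consumed.append(m.span())
    for m in TRACK2_RE.finditer(line):
        if luhn_valid(m.group(1)):
            findings.append({"type": "track2", "pan": mask_pan(m.group(1)),
                             "expiry": m.group(2), "service_code": m.group(3),
                             "full_track": True})
            consumed.append(m.span())
    for m in PAN_RE.finditer(line):
        if not in_consumed(m.start()) and luhn_valid(m.group(1)):
            findings.append({"type": "pan", "pan": mask_pan(m.group(1)),
                             "expiry": None, "service_code": None,
                             "full_track": False})
    return findings


def scan_text(text: str) -> list:
    """Scan every line; each finding carries its 1-based line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            f["line"] = lineno
            results.append(f)
    return results


# Constructed sample POS log (not real data). Line 1 is correctly masked, line 2
# is a debug trace that leaked both tracks, line 3 logs a PAN in the clear, and
# line 4 holds a 13-digit order number that fails Luhn and must not be reported.
SAMPLE_LOG = """\
2005-05-25 10:01:03 POS01 AUTH ok amount=42.10 pan=411111******1111
2005-05-25 10:01:09 POS01 DEBUG swipe=%B4111111111111111^DOE/JOHN^0812101123400000?;4111111111111111=08121011234000000?
2005-05-25 10:02:44 POS02 AUTH ok amount=8.99 pan=5500000000000004 exp=0907
2005-05-25 10:03:00 POS02 INFO order=1234567890123 status=settled
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        flag = "FULL TRACK (prohibited after authorization)" if f["full_track"] else "PAN in clear"
        print(f"line {f['line']}: {f['type']} {f['pan']} {flag}")
```

Run it against a directory of application logs, database exports or swap files by feeding each file's contents to `scan_text`; the track matches are the evidence that an application is retaining data it must not keep, while the bare-PAN hits show where encryption or truncation is missing. The Luhn check is what keeps the noise down on real logs, where timestamps and order numbers produce plenty of 13 to 19 digit runs.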

7
Cardholder Data Security
Network Vulnerabilities
  • No segmentation and/or firewall
  • Un-patched systems and/or default configuration
  • No logging
  • No encryption or authentication on Wireless
    Access Points
  • Security not written into payment applications
  • Remote access misconfigurations

8
Visa CISP Background
Timeline (the original slide placed these
milestones on a year axis running 1999 to 2005;
they are listed here in chronological order)
  • Visa's concept for a data security program is
    born
  • Visa develops the Cardholder Information
    Security Program (CISP), working with acquirers
    and merchants
  • Visa CISP compliance requirement takes effect
    (June 5, 2001) and e-merchants validate
    compliance
  • Visa CISP validation expanded to all merchant
    and service provider channels
  • PCI Security Standard developed
  • Visa CISP validation deadline
9
Industry Alignment
(diagram) The PCI Data Security Standard is the
common foundation; each card brand layers its own
compliance requirements and validation program on
top of it:
  • Visa: CISP Compliance Requirements, CISP
    Validation
  • MasterCard: SDP Compliance Requirements, SDP
    Validation
  • Other payment card brands: their own Compliance
    Requirements
10
Industry Alignment
Standardized PCI Documents
  • PCI Data Security Standard
  • PCI Security Audit Procedures (onsite
    assessment)
  • PCI Self-Assessment Questionnaire
  • Security Scanning Procedures

11
Industry Alignment
Mapping CISP to PCI Requirements (mapping table;
continues on the next slide)
12
Industry Alignment
Mapping CISP to PCI Requirements (continued)
13
Visa CISP Compliance
Overview
  • CISP compliance required since June 5, 2001
  • All Members, merchants, and service providers
    that store, process, or transmit cardholder data
  • All acceptance channels (e.g. face-to-face,
    e-commerce, MOTO)
  • Members must use, and are responsible for
    ensuring that their merchants use, compliant
    service providers
  • Visit www.visa.com/cisp for a list of Compliant
    Service Providers

14
Compliance Validation
Merchant Levels
  • Level 1: any merchant processing over
    6,000,000 Visa transactions per year, or
    identified by any other payment card brand as
    Level 1
  • Level 2: any merchant processing 150,000 to
    6,000,000 Visa e-commerce transactions per year
  • Level 3: any merchant processing 20,000 to
    150,000 Visa e-commerce transactions per year
  • Level 4: any merchant processing fewer than
    20,000 Visa e-commerce transactions per year,
    and all other merchants processing up to
    6,000,000 Visa transactions per year
15
Compliance Validation
Merchant Compliance Validation
16
Compliance Validation
Merchant Compliance Documentation
17
Payment Application Best Practices
Extend Scope to Software Vendors
  • Educate major companies that write software
    applications for merchants and processors
  • Create a list of compliant vendors (the
    Compliant Vendor List)
18
Reference Tools
  • Payment Card Industry (PCI) documents: Data
    Security Standard, Security Audit Procedures,
    Self-Assessment Questionnaire, Security
    Scanning Procedures
  • What To Do If Compromised Guide
  • Qualified On-site Security Assessor List
  • List of CISP-Compliant Service Providers
  • Payment Application Best Practices
  • List of CISP-Validated Payment Applications
  • Frequently Asked Questions
  • Scan Vendor List (MC SDP website)
  • cisp@visa.com

www.visa.com/cisp