Payment Card Industry Program Data Security Standards - PowerPoint PPT Presentation
1
Payment Card Industry Program Data Security
Standards
  • Alberto España, CISSP, Xtrategies, LLC
  • aespana_at_xtrategies.com
  • GIGSE Montreal
  • June 2007

2
Agenda
  • Introduction
  • What is PCI?
  • Major Requirements
  • Industry Findings
  • How to prepare for Compliance

3
Introduction
A boutique consulting firm with extensive
banking, payments and strategy experience
serving Latin America and the Caribbean
  • Our highly experienced team follows a
    result-driven process to deliver client value
    quickly and consistently
  • Focused analysis
  • Pragmatic advice and action plans
  • Customized solutions and project assistance
  • Tangible results
  • Follow through

We are a Qualified Security Assessor in the PCI
Program.
4
Introduction
Some of our clients
5
Introduction
  • Xtrategies has performed over 40 PCI Audits to
    date
  • First Atlantic Commerce - Bermuda
  • E-Global - México
  • Prosa - México
  • Visa Argentina
  • Visa Colombia
  • Visanet Uruguay
  • Visanet Guatemala
  • Visanet Dominicana
  • Visa Perú
  • Alignet
  • Aeroméxico/Mexicana
  • McDonalds Argentina
  • Movistar Argentina
  • Costco México
  • Comercial Mexicana

6
What is PCI?
  • The Payment Card Industry Data Security Standard
    was adopted by the major brands in late 2004.
  • The PCI Program evolved from three major
    programs:
    • Cardholder Information Security Program (CISP)
      from Visa USA
    • Mastercard's Site Data Protection Program (SDP)
    • Visa International's Account Information Security
      Program (AIS)

7
What is PCI?
  • The objective of the PCI Program is to protect
    credit and debit card sensitive data in all
    phases of the payment process. PCI applies to:
    • Processors
    • Merchants
    • Service Providers
    • Call Centers

Any entity that has access to credit/debit card
data!
8
What is PCI?
  • Requirements for Compliance vary by Card Brand
    or Region
  • Classification by level of Risk:
    • Tier 1
    • Tier 2
    • Tier 3
  • Required for all Processors by Visa and
    Mastercard

9
What is PCI?
  • Merchant requirements vary:
    • Mastercard and Visa in the US - Merchants with 6
      million transactions in a year.
    • Discover Card upon request only.
    • Visa Latin America uses an 80/20 rule by country.
    • Visa Europe and Asia rules vary by market.

If any entity meets the requirement of any Card
Brand, then it immediately qualifies in the PCI
Program for all Brands!
10
What is PCI?
  • Two major requirements for Tier 1 Merchants:
    • Pass on-site audit by a Qualified Security
      Assessor
    • Conduct Quarterly Scans using an authorized
      scanning tool and show no level 3, 4, or 5
      vulnerabilities.
    • Submit Annual Self Assessment Questionnaire
  • Requirements for Tier 2 Merchants:
    • Conduct Quarterly Scans using an authorized
      scanning tool and show no level 3, 4, or 5
      vulnerabilities.
    • Submit Annual Self Assessment Questionnaire
    • S

11
Major Requirements
12
Major Requirements
  • Must meet all of the requirements to be
    considered in Compliance.
  • Compensating Controls are allowed at the
    discretion of the QSA.
  • Annual Re-certification
  • Quarterly Scans

13
Findings
The reasons for the program are evident
14
Findings
  • Some of our findings

15
Findings
  • Some of our findings

16
Findings
  • Some of our findings

17
How to Prepare for Compliance
  • Compliance will be required sooner rather than
    later.
  • You can start preparing right away. Consider PCI in
    new releases or versions of your payment
    application. This will save money in the long
    run.
  • Consider acquiring PCI-compliant applications.
  • Investment in technology and resources will be
    required.

18
How to Prepare for Compliance
  • Assign full-time staff to the Information
    Security function.
  • Ensure you do not store any sensitive cardholder
    data:
    • Track 1 or 2
    • CVV2
    • PIN Blocks
  • Any credit card number and other data to be
    stored must be encrypted, masked, or truncated.
  • Protect your Network and establish a
    well-configured DMZ
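
An added example, not part of the presentation, of a check a merchant or processor can run over its own logs and database exports to find the data the slide says must never be stored (Track 1/2) and PANs that were stored without masking. The log lines are constructed, the PANs are well-known test numbers, and the track-data patterns are simplified assumptions rather than a full ISO 7813 parser.

```python
import re

# Constructed sample log lines (not from the presentation); the PANs are
# well-known test card numbers, not real accounts.
SAMPLE_LOG = [
    "2007-06-01 auth ok pan=4111111111111111 amt=12.50",
    "2007-06-01 auth ok pan=411111******1111 amt=9.99",
    "2007-06-01 swipe %B4111111111111111^DOE/JOHN^2512101?",
    "2007-06-01 swipe ;4111111111111111=2512101?",
    "2007-06-01 order id=1234567890123 status=shipped",
]

# Simplified patterns (assumption): a 13-19 digit run not adjacent to other
# digits, Track 1 ("%B<PAN>^<name>^<YYMM>...") and Track 2 (";<PAN>=<YYMM>...").
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check so that order ids and timestamps are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> dict:
    """Report sensitive data found in one line and return a masked copy of it."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(line)):
        findings.append("pan")
    masked = PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), line)
    return {"findings": findings, "masked": masked}

def scan_log(lines):
    """Return (line number, findings) for each line that holds card data."""
    hits = [(n, scan_line(l)["findings"]) for n, l in enumerate(lines, 1)]
    return [h for h in hits if h[1]]
```

Any "track1" or "track2" hit is a storage violation to remove at the source; a "pan" hit means the record needs to be masked, truncated or encrypted before it is written.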

19
Thank You!