Payment Card Industry Data Security Standard - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Payment Card Industry Data Security Standard
  • IU Treasury Operations
  • 5th Annual e-Business/Banking Seminar
  • August 10-11, 2006

Tom Davis, CISSP, CISM, GCIA
Chief IT Security Officer, Office of the VP for Information Technology
2
Agenda
  • Protecting card data
  • Overview of the Payment Card Industry Data
    Security Standard (PCI DSS)
  • PCI DSS requirements
  • Merchant levels
  • PCI DSS compliance validation
  • Risks of non-compliance
  • IU and PCI DSS compliance
  • Questions

3
Protecting card data
  • Why it's important
      • causes hardship for our customers
      • loss of customer confidence
      • required by PCI DSS
      • state laws on disposal and notice
      • impending federal legislation?

4
Credit card theft is big business!
  • Phishing attempts on the rise
      • to trick individuals into divulging financial info
  • Dramatic move by hackers to compromise machines for profit
      • keyboard monitoring software
  • Many chat channels devoted to underground trading of credit card #'s

5
Overview of PCI DSS
  • Prior to September 2004
      • no standardization across card companies on credit card security requirements
      • difficult for merchants to become familiar with and adhere to competing standards from VISA, MasterCard, and others
  • As fraud losses increased, the card industry realized the need for consistent and well-defined security standards

6
Overview of PCI DSS
  • PCI DSS announced in September 2004
      • collaboration between VISA and MasterCard
      • endorsed by other card companies as well
      • offers a single approach to safeguarding sensitive data for all card brands

7
Overview of PCI DSS
  • Applies to
      • all merchants that store, process, or transmit cardholder data
      • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
  • Includes 12 requirements, based on
      • administrative controls (policies, procedures, etc.)
      • physical security (locks, physical barriers, etc.)
      • technical security (passwords, encryption, etc.)

8
Card Security Programs
  • The following programs incorporate PCI DSS
      • VISA: Cardholder Information Security Program (CISP)
      • MasterCard: Site Data Protection (SDP) Program
      • American Express: Data Security Requirements
      • Discover: Discover Information Security and Compliance (DISC) Program

9
PCI DSS requirements
  • Each requirement has many sub-requirements!
  • Install and maintain a firewall configuration to
    protect data
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Protect stored data

10
PCI DSS requirements
  • Encrypt transmission of cardholder data and
    sensitive information across public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and
    applications
  • Restrict access to data by business need-to-know

11
PCI DSS requirements
  • Assign a unique ID to each person with computer
    access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources
    and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information
    security

12
Merchant levels
  • Merchant levels are based on yearly transaction
    volume of merchant
  • Specific criteria for placement in merchant
    levels varies across card companies
  • All merchants, regardless of level, must adhere
    to PCI DSS requirements
  • Level into which merchant is placed determines
    PCI DSS compliance validation (and ultimately
    cost)
  • Let's take a quick look at Visa's levels

13
Merchant levels - Visa
  • Level 1
      • merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions
      • any merchant that has suffered a data compromise
      • any merchant so selected by Visa
      • any merchant identified by another card brand as level 1

14
Merchant levels - Visa
  • Level 2
      • merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions
  • Level 3
      • any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions

15
Merchant levels - Visa
  • Level 4
      • any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
      • all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions

16
PCI DSS compliance validation
  • Level 1 merchants
      • annual on-site assessment by approved assessor (generates a report on compliance)
      • quarterly network security scan by approved scan vendor
  • Level 2 and 3 merchants
      • self-assessment questionnaire
      • quarterly network security scan by approved scan vendor

17
PCI DSS compliance validation
  • Level 4 merchants
      • self-assessment questionnaire
          • if required by acquirer
      • quarterly network security scan by approved scan vendor
          • if required by acquirer

18
Risks of non-compliance
  • Endangering customer information
  • Exposure could lead to
      • fines levied by acquiring banks
      • cost of replacing cards and perhaps covering fraudulent charges
      • loss of merchant status
      • elevation to Level 1 status (and resulting compliance validation costs)

19
IU and PCI DSS compliance
  • Joint effort across many units
      • Treasury, IT Security and Policy, Internal Audit, Legal Counsel, Purchasing, etc.
  • Review IU merchants
      • rank existing merchants based on perceived risk and begin compliance reviews
      • will most likely hold merchants to a higher standard than dictated by PCI DSS
          • especially for level 4 merchants

20
IU and PCI DSS compliance
  • Contracts
      • review existing and new contracts with external agencies to ensure they are responsible for complying with PCI DSS
  • Education and awareness
      • this seminar!

21
Questions?
22
Additional reading
  • http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
  • http://www.time.com/time/world/article/0,8599,1224273,00.html?cnn=yes
  • http://www.no1proxy.com/proxy-list.html
  • http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1146949,00.html
  • http://money.cnn.com/2006/05/11/technology/fastforward_fortune/index.htm

23
Payment Card Industry Data Security Standard
  • IU Treasury Operations
  • 5th Annual e-Business/Banking Seminar
  • August 10-11, 2006

Tom Davis, CISSP, CISM, GCIA
Chief IT Security Officer, Office of the VP for Information Technology