1. The Payment Card Industry Data Security Standard (PCI DSS)

2. Presentation outline Why PCI DSS? Compliance and validation levels
Cardholder data
The legal perspective
Performing a PCI DSS audit
Decreasing costs through automation

3. What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI DSS is a set of security standards drawn up by the world’s major credit card companies including VISA and MasterCard to protect credit and debit card data
To date, these requirements govern all the payment channels including retail, mail orders, telephone orders and e-commerce
It was previously a separate information security standard, however it has now become a global security standard

4. Why is the PCI DSS required?
Cardholder data theft and fraud have been around since the mid-80’s and this prompted Visa to establish the first security program
The recent TJX security breach in which at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network highlights the increased need for greater security
According to InformationWeek, hackers can sell stolen credit card data on the Black market at a rate of USD 490 for a card number with PIN

5. PCI Data Security Standard v1.1 (1/3)
The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas:
Collection and storage of all log data so that it is available for analysis
Reporting on all activity so as to be able to prove compliance on the spot
Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately

6. PCI Data Security Standard v1.1 (2/3)
The PCI DSS framework is also made up of six categories as follows:
PCI DSS categories
Build and maintain a secure network
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy

7. PCI Data Security Standard v1.1 (3/3)
PCI DSS Requirements 1. 2. 3. 4. 5. 6. 7. 8. 9.
10.
11.
12.
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for employees and contractors

8. What is “cardholder data”?
All information from a credit/debit card used in a transaction
- pcianswers.com
Cardholder data elements
Primary Account Number (PAN)
Cardholder name
Expiration date
Sensitive Authentication Data (SAD)
Magnetic stripe data
Card Validation Code (CVC)
Personal identification number (PIN)
1234
123

9. Cardholder data storage
The PCI DSS provides protection of cardholder data
It is permitted to store the following details as long as they are encrypted, hashed or truncated:
PAN, Cardholder name, Expiration date, Service Code

10. Typical transaction flowŽ Œ
 Merchant’s bank then goes through the Credit Card Interchange for transaction approval
ΠA customer uses a credit card to pay a merchant for purchased goods
Ž Payment Gateway passes transaction via a secure connection to the Merchant’s Bank
 The merchant submits the credit card transaction to the Payment Gateway

11. Who should be PCI DSS compliant?
As from September 30, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the world’s major credit card companies
This applies to all entities where cardholder data is
Stored
Transmitted
Processed
All entities described as merchants or service providers must become compliant

12. Merchants Entities that accept credit cards as payment
Examples of sectors affected
Online trading (e.g. ebay.com)
Retail (e.g. Wal-Mart)
Higher Education (e.g. Universities)
Health (e.g. Hospitals)
Travel and entertainment (e.g. Restaurants)
Energy (e.g. Gas/Service stations)
Finance (e.g. Insurance companies)

13. Merchant compliance levels
MERCHANT LEVELS
Level 1
Merchants from whom cardholder data has been compromised
Merchants with more than 6 million annual credit card transactions
Level 2
Merchants with between 1 and 6 million annual credit card transactions
Level 3
Merchants with between 20,000 and 1 million annual credit card transactions
Level 4
All other merchants

14. Service providers Entities that provide services to merchants
Examples of services
Payment gateways (e.g. PayPal)
Payment processors
E-commerce host providers
Managed service providers
Credit reporting agencies
Backup management companies
Paper shred companies

15. Service provider compliance levels
SERVICE PROVIDER LEVELS
Level 1
All payment processors and payment gateways
Level 2
Service providers not in Level 1, with more than 1 million annual credit card accounts/transactions
Level 3
Service providers not in Level 1, with fewer than 1 million annual credit card accounts/transactions

16. PCI DSS compliance procedures
Merchant
On-site
security audit
Self-assessment
questionnaire
Network Scan
Level 1
Required Annually
Required Quarterly
Level 2
Level 3
Level 4
Service Provider
By:
Qualified Security Assessor (QSA)
In-house
Approved Scan Vendor (ASV)
Deliverable:
Report on Compliance (ROC)
Self-Assessment Questionnaire
Scan report

17. Cardholder data compromises
“Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected”
- PCI DSS glossary
Incident response plan
Requirement 12.9
Why report a compromise?
Limit the damage
Reporting channels
Internal incident response team
Credit card associations and acquirers
Local law enforcement
Who risks a compromise?

18. Consequences Financial Reputation Operational
Could lead to fines of up to USD 500,000 and expensive litigation costs
Reputation
A negative incident could have a big impact on a brand name
Involvement of law enforcement agencies
Operational
Level 2, 3 or 4 + compromise = Level 1
Could lead to a potential loss of card processing privileges

19. Preparation for PCI DSS compliance
Become familiar with the PCI DSS requirements
Identify all cardholder data and remove unnecessary cardholder data
Perform a security gap analysis
Create an action plan and call in experts for advice if necessary

20. PCI DSS compliance costs
Merchant
On-site
security audit
Self-assessment
questionnaire
Network Scan
Level 1
Required Annually
Required Quarterly
Level 2
Level 3
Level 4
Service Provider
By:
Qualified Security Assessor (QSA)
In-house
Approved Scan Vendor (ASV)
Deliverable:
Report on Compliance (ROC)
Self-Assessment
Questionnaire
Scan report

21. Pain points Maintain secure systems and applications
Audit your network
Scan for vulnerabilities
Deploy patches/service packs
Monitor the network
Log user activity
Log access to cardholder data
Alert on important events
Provide documented evidence
Maintain secure systems
Monitor activity
Take remedial action

22. Automation through software
Drastically reduce manual, repetitive tasks:
Network audits
Vulnerability management
Activity monitoring
Real-time alerts
Remedial action
Report generation

23. PCI DSS and GFI network security products
PCI DSS Requirements 1. n 2. 3. 4.
Encrypt transmission of cardholder data across open, public networks 5.
Use and regularly update anti-virus software or programs 6.
Develop and maintain secure systems and applications 7.
Restrict access to cardholder data by business need-to-know 8. 9.
Restrict physical access to cardholder data
10.
11.
Regularly test security systems and processes
12.
Maintain a policy that addresses information security for employees and contractors
GFI
EventsManager
GFI
LANguard N.S.S.
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied system passwords & other security parameters
Protect stored cardholder data
Assign a unique ID to each person with computer access
Track and monitor all access to network resources and cardholder data

24. ROI and business benefits
Automation
Reduce manual and repetitive tasks
Reduce administrator’s workload
Trigger proactive remedial actions
Protection
Complement your security policy
Notify you on potential security threats
Gives you peace of mind
Savings
No PCI DSS fines
No outsourced consultancy fees
Business continuity

25. Conclusion
Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies who store, transmit or process credit card data
PCI DSS compliance needs to be achieved by September, 2007 – this is the deadline posed by credit card companies
GFI Software offers such businesses two products, GFI EventsManager and GFI LANguard Network Security Scanner (N.S.S.) to help them on their road to becoming compliant

26. Corporate overview Founded in 1992 Over 200 employees worldwide
Offices in Malta, London, Raleigh, Hong Kong and Adelaide
GFI products installed on over 200,000 networks worldwide, mostly SMBs
A channel-focused company with over 10,000 partners throughout the world
The vision To become the technology of choice for IT security and productivity solutions.
The mission To provide quality, cost-effective content security, network security and messaging solutions to IT professionals around the world.