Presentation on theme: "The Payment Card Industry Data Security Standard (PCI DSS)"— Presentation transcript:
The Payment Card Industry Data Security Standard (PCI DSS)
Presentation outline Why PCI DSS? Compliance and validation levels Cardholder data The legal perspective Performing a PCI DSS audit Decreasing costs through automation
What is the Payment Card Industry Data Security Standard (PCI DSS)? The PCI DSS is a set of security standards drawn up by the worlds major credit card companies including VISA and MasterCard to protect credit and debit card data To date, these requirements govern all the payment channels including retail, mail orders, telephone orders and e-commerce It was previously a separate information security standard, however it has now become a global security standard
Why is the PCI DSS required? Cardholder data theft and fraud have been around since the mid-80s and this prompted Visa to establish the first security program The recent TJX security breach in which at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network highlights the increased need for greater security According to InformationWeek, hackers can sell stolen credit card data on the Black market at a rate of USD 490 for a card number with PIN
PCI Data Security Standard v1.1 (1/3) The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas: >Collection and storage of all log data so that it is available for analysis >Reporting on all activity so as to be able to prove compliance on the spot >Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately
PCI Data Security Standard v1.1 (2/3) PCI DSS categories The PCI DSS framework is also made up of six categories as follows: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Maintain an information security policy Regularly monitor and test networks Implement strong access control measures
PCI Data Security Standard v1.1 (3/3) PCI DSS Requirements Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for employees and contractors
All information from a credit/debit card used in a transaction - pcianswers.com Cardholder data elements >Primary Account Number (PAN) >Cardholder name >Expiration date Sensitive Authentication Data (SAD) >Magnetic stripe data >Card Validation Code (CVC) >Personal identification number (PIN) What is cardholder data?
Cardholder data storage The PCI DSS provides protection of cardholder data It is permitted to store the following details as long as they are encrypted, hashed or truncated: >PAN, Cardholder name, Expiration date, Service Code
The merchant submits the credit card transaction to the Payment Gateway Payment Gateway passes transaction via a secure connection to the Merchants Bank Typical transaction flow A customer uses a credit card to pay a merchant for purchased goods Merchants bank then goes through the Credit Card Interchange for transaction approval
Who should be PCI DSS compliant? As from September 30, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the worlds major credit card companies This applies to all entities where cardholder data is >Stored >Transmitted >Processed All entities described as merchants or service providers must become compliant
Merchants Entities that accept credit cards as payment Examples of sectors affected >Online trading (e.g. ebay.com) >Retail (e.g. Wal-Mart) >Higher Education (e.g. Universities) >Health (e.g. Hospitals) >Travel and entertainment (e.g. Restaurants) >Energy (e.g. Gas/Service stations) >Finance (e.g. Insurance companies)
Merchant compliance levels MERCHANT LEVELS Level 1 Merchants from whom cardholder data has been compromised Merchants with more than 6 million annual credit card transactions Level 2 Merchants with between 1 and 6 million annual credit card transactions Level 3 Merchants with between 20,000 and 1 million annual credit card transactions Level 4 All other merchants
Service providers Entities that provide services to merchants Examples of services >Payment gateways (e.g. PayPal) >Payment processors >E-commerce host providers >Managed service providers >Credit reporting agencies >Backup management companies >Paper shred companies
Service provider compliance levels SERVICE PROVIDER LEVELS Level 1 All payment processors and payment gateways Level 2 Service providers not in Level 1, with more than 1 million annual credit card accounts/transactions Level 3 Service providers not in Level 1, with fewer than 1 million annual credit card accounts/transactions
Cardholder data compromises Intrusion into computer system where unauthorized disclosure, modification, or destruction of cardholder data is suspected - PCI DSS glossary Incident response plan >Requirement 12.9 Why report a compromise? >Limit the damage Reporting channels >Internal incident response team >Credit card associations and acquirers >Local law enforcement Who risks a compromise?
Consequences Financial >Could lead to fines of up to USD 500,000 and expensive litigation costs Reputation >A negative incident could have a big impact on a brand name >Involvement of law enforcement agencies Operational >Level 2, 3 or 4 + compromise = Level 1 >Could lead to a potential loss of card processing privileges
Preparation for PCI DSS compliance Become familiar with the PCI DSS requirements Identify all cardholder data and remove unnecessary cardholder data Perform a security gap analysis Create an action plan and call in experts for advice if necessary
Pain points Maintain secure systems and applications >Audit your network >Scan for vulnerabilities >Deploy patches/service packs Monitor the network >Log user activity >Log access to cardholder data >Alert on important events Provide documented evidence >Maintain secure systems >Monitor activity >Take remedial action
PCI DSS and GFI network security products PCI DSS Requirements Encrypt transmission of cardholder data across open, public networks 5.Use and regularly update anti-virus software or programs 6.Develop and maintain secure systems and applications 7.Restrict access to cardholder data by business need-to-know 8. 9.Restrict physical access to cardholder data Regularly test security systems and processes 12.Maintain a policy that addresses information security for employees and contractors Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied system passwords & other security parameters Protect stored cardholder data Assign a unique ID to each person with computer access GFI EventsManager Track and monitor all access to network resources and cardholder data GFI LANguard N.S.S.
ROI and business benefits Automation >Reduce manual and repetitive tasks >Reduce administrators workload >Trigger proactive remedial actions Protection >Complement your security policy >Notify you on potential security threats >Gives you peace of mind Savings >No PCI DSS fines >No outsourced consultancy fees >Business continuity
Conclusion Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies who store, transmit or process credit card data PCI DSS compliance needs to be achieved by September, 2007 – this is the deadline posed by credit card companies GFI Software offers such businesses two products, GFI EventsManager and GFI LANguard Network Security Scanner (N.S.S.) to help them on their road to becoming compliant
Corporate overview Founded in 1992 Over 200 employees worldwide Offices in Malta, London, Raleigh, Hong Kong and Adelaide GFI products installed on over 200,000 networks worldwide, mostly SMBs A channel-focused company with over 10,000 partners throughout the world The vision To become the technology of choice for IT security and productivity solutions. The mission To provide quality, cost- effective content security, network security and messaging solutions to IT professionals around the world.