MBS CREDIT CARD PROCESSING AND PCI REQUIREMENTS Phil Goble Mike Chalk.

1 MBS CREDIT CARD PROCESSING AND PCI REQUIREMENTS Phil Goble Mike Chalk

2 PCI DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
- Applies to everyone handling cardholder data: merchants, service providers, payment gateways
- Self Assessment Questionnaire (SAQ) applies for most merchants
- Different forms of SAQ apply based on role and processing infrastructure
- 12 major requirements
www.cdg.ws

3 PCI PARTICIPANT ROLES

4 PCI VISA MERCHANT LEVELS

Level / Tier | Merchant Criteria | Validation Requirements
1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Auditor if signed by an officer of the company (the internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (ISA) certification); quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance form
2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
4 | Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by the merchant bank

5 CDG MONTHLY MERCHANT TOTALS

Company | Amount Charged | January Transactions | Projected Yearly Transactions
Company 1 | $3,528.02 | 22 | 264
Company 2 | $1,448.22 | 39 | 468
Company 3 | $5,266.15 | 67 | 804
Company 4 | $67,289.60 | 70 | 840
Company 5 | $7,323.37 | 71 | 852
Company 6 | $6,626.13 | 73 | 876
Company 7 | $13,388.27 | 181 | 2,172
Company 8 | $17,853.04 | 227 | 2,724
Company 9 | $44,679.98 | 384 | 4,608
Company 10 | $39,678.89 | 476 | 5,712
Company 11 | $70,533.30 | 632 | 7,584
Company 12 | $40,160.71 | 688 | 8,256
Company 13 | $52,212.21 | 709 | 8,508
Company 14 | $76,814.29 | 717 | 8,604
Company 15 | $96,345.84 | 724 | 8,688
Company 16 | $59,469.59 | 790 | 9,480
Company 17 | $89,527.60 | 800 | 9,600
Company 18 | $76,964.64 | 960 | 11,520
Company 19 | $150,890.28 | 1,397 | 16,764
Total | $920,000.13 | 9,027 | 108,324
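As an added example (not part of the presentation), the following code applies the slide-4 Visa level thresholds to slide-5 style projected volumes and flags merchants that are close to moving up a level. It assumes, as a labelled worst case, that every transaction is a Visa e-commerce transaction.

```python
# Added example, not from the presentation: Visa merchant-level classification
# using the slide-4 thresholds, applied to slide-5 style projected volumes.
# Assumption (labelled): every transaction is a Visa e-commerce transaction,
# the worst case slide 14 calls "unlikely".

# Thresholds from slide 4, in Visa transactions per year.
LEVEL_1_OVER = 6_000_000   # Level 1: over 6 million, all channels
LEVEL_2_FROM = 1_000_000   # Level 2: 1 million to 6 million, all channels
LEVEL_3_FROM = 20_000      # Level 3: 20,000 to 1 million e-commerce

# January counts for three merchants, taken from slide 5.
JANUARY_COUNTS = {"Company 1": 22, "Company 9": 384, "Company 19": 1_397}


def project_yearly(january_count):
    """Slide 5's projection: January transactions x 12."""
    return january_count * 12


def visa_level(yearly):
    """Map a projected yearly Visa e-commerce volume to a level (slide 4)."""
    if yearly > LEVEL_1_OVER:
        return 1
    if yearly >= LEVEL_2_FROM:
        return 2
    if yearly >= LEVEL_3_FROM:
        return 3
    return 4


def next_threshold(level):
    """Yearly volume at which the merchant moves up a level (None at Level 1)."""
    return {4: LEVEL_3_FROM, 3: LEVEL_2_FROM, 2: LEVEL_1_OVER + 1}.get(level)


def approaching_next_level(yearly, margin=0.2):
    """True when projected volume is within `margin` below the next level."""
    threshold = next_threshold(visa_level(yearly))
    return threshold is not None and yearly >= threshold * (1 - margin)


def assess(january_counts):
    """Per-merchant projected volume, level and watch flag, as on slide 5."""
    report = {}
    for name, count in january_counts.items():
        yearly = project_yearly(count)
        report[name] = {"projected_yearly": yearly, "level": visa_level(yearly),
                        "approaching_next_level": approaching_next_level(yearly)}
    return report
```

With the slide-5 figures, Company 19 projects to 16,764 transactions, still Level 4 but within 20% of the 20,000 Level 3 threshold, which is the situation slide 14 describes.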

6 PCI SAQ VERSIONS

SAQ Version | Questions | Short Description
SAQ A | 13 | Card-not-present, all cardholder data (CHD) functions outsourced
SAQ B | 29 | Imprint or standalone dial-out terminals only, no electronic CHD storage
SAQ C-VT | 51 | Web-based virtual terminal only, no electronic CHD storage
SAQ C | 40 | POS or payment system connected to the Internet, no electronic CHD storage
SAQ D | 288 | All other merchants and all service providers eligible to complete an SAQ

7 PCI MAJOR REQUIREMENTS (SAQ D)

Objective | High Level Compliance Requirements
Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know; 8. Identify and authenticate access to system components; 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel

8 CDG ACTIONS UNDER VIEW

Planned
- Invoke host pay solution to avoid any knowledge of the credit card number by MBS
- Discontinue storage of the credit card number; use a token for making payments

Possible / Under consideration
- Possible suppression of the last 4 of the credit card
- Static and dynamic scanning for security vulnerabilities

9 PAYMENT VIA MERCHANT (CURRENT)

10 PAYMENT VIA WEB (CURRENT)

11 AUTOMATIC PAYMENT (CURRENT)

12 PAYMENT VIA WEB (NEW)

13 AUTOMATIC PAYMENT (NEW)

14 SO WHAT ABOUT SECURITY AND PCI?
- The most important thing we can do is protect SPI information, which includes credit card data
- We need to look at being PCI compliant to minimize our liability and, by inference, improve our security (it doesn't guarantee a breach won't occur)
- At least one merchant is approaching a point where PCI compliance would be mandatory for Visa, if all their transactions were Visa related (unlikely)
- We need to identify the SAQ and requirements that apply to the CDG and merchant environment, and distribute that information to companies in attendance

15 MERCHANT SECURITY CONSIDERATIONS
- Employees have access to the credit card number when the card is given to them or its contents are communicated over the phone
- Infected PCs can intercept keystrokes
- Insecure networks (wired and wireless) provide opportunity for data to be intercepted
- Tradeoffs exist: security versus the company's end-user complaints; security versus the company's customer complaints

16 SECURITY RELATED DISCUSSION TOPICS

Accounts and passwords
- Use of email accounts for login
- Forcing password changes for E-Care
- Introduction of additional security questions

Credit card data
- Don't email credit card numbers
- Protect (or destroy) documents with complete credit card number information present
- Encourage use of E-Care and auto payment to avoid employee knowledge of credit card data

17 SECURITY RELATED DISCUSSION TOPICS
- What data besides credit card numbers is SPI? SSN, birthdate, and bank account are considered SPI. What else should be?
- Who should have access to the attributes, and why?
- Do the MBS security roles reflect who should have access to review or modify the information?

18 NOTE: SOME REFERENCE MATERIALS FOLLOW

19 CDG SECURITY SAFEGUARDS
- SSL encryption using an EV certificate with 2048-bit strength
- Programming measures have been taken to help avoid CSRF (cross-site request forgery), XSS (cross-site scripting), and SQL injection attacks on our application
- Hardware / software default account info is overridden
- 3rd-party scans (using Nessus) of the operational environment
- Virus scans on PCs and servers within the organization
- PC options are rules based and devices are configurable by system administrators
- Automatic timeouts on PCs and sessions

20 MBS USER ACCOUNT SECURITY (CDG)
- Use of privilege codes to enforce roles and access
- Leveraging of Microsoft Active Directory
- User IDs use FIMILI followed by company number
- Password requires 7 characters, of which three of the following four categories must be met: upper case, lower case, numeric, and special character
- Passwords must change every 35 days
- Account locked after 3 failed login attempts

21 MBS USER ACCOUNT SECURITY (LICENSEE)
- Use of privilege codes to enforce roles and access
- Use of Microsoft Active Directory optional (no licensees currently use it)
- User ID has no constraints beyond being at least 1 character long
- Password requires 7 characters, of which three of the following four categories must be met: upper case, lower case, numeric, and special character
- Password expiration optional
- Account locked after 5 failed login attempts

22 CDG USER ACCOUNT SECURITY (ECARE)
- User IDs must be at least 7 characters, of which one must be alphabetic and one must be numeric
- User IDs can optionally be an email address
- Passwords require 7 characters, of which three of the following four categories must be met (upper case, lower case, numeric, and special character), and the characters cannot be part of the login
- Seven failed login attempts lock the account until:
  - they are unlocked manually by an MBS user,
  - 30 minutes pass, or
  - the user does a password reset
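As an added example (not code from the presentation or from MBS), the following Python implements the password rule shared by slides 20 to 22 and the slide-22 E-Care lockout. It assumes that "characters cannot be part of the login" means neither the password nor the user ID may be a substring of the other, and it uses a plain SHA-256 digest as a stand-in for whatever password storage the real system uses.

```python
# Added example, not from the presentation: the shared password rule of slides
# 20-22 and the slide-22 E-Care lockout (seven failures lock the account until
# a manual unlock, a password reset, or 30 minutes pass). Assumption: "cannot be
# part of the login" = neither password nor user ID is a substring of the other.
import hashlib
import string

MIN_LEN, MAX_FAILURES, LOCK_SECONDS = 7, 7, 30 * 60


def category_count(password):
    """How many of upper case, lower case, numeric and special are present."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(t(c) for c in password) for t in tests)


def valid_password(password, user_id):
    """7+ characters, three of the four categories, no overlap with the login."""
    p, u = password.lower(), user_id.lower()
    return (len(password) >= MIN_LEN and category_count(password) >= 3
            and p not in u and u not in p)


def _digest(password):  # demo only; production should use a slow hash (bcrypt/argon2)
    return hashlib.sha256(password.encode()).hexdigest()


class Account:  # timestamps are seconds supplied by the caller
    def __init__(self, user_id, password):
        self.user_id, self.digest = user_id, _digest(password)
        self.failures, self.locked_at = 0, None

    def is_locked(self, now):
        return self.locked_at is not None and now - self.locked_at < LOCK_SECONDS

    def login(self, password, now):
        if self.is_locked(now):
            return False  # a locked account rejects even the correct password
        if _digest(password) == self.digest:
            self.failures, self.locked_at = 0, None
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_at = now
        return False

    def unlock(self):  # manual unlock by an MBS user
        self.failures, self.locked_at = 0, None

    def reset_password(self, new_password):
        if not valid_password(new_password, self.user_id):
            return False
        self.digest = _digest(new_password)
        self.unlock()
        return True
```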

23 CDG SPI SAFEGUARDS
- Credit card number, SSN, and bank account data are encrypted in the database with high-grade RC4, 128-bit keys
- Only the last 4 of the credit card are available for viewing
- Last 4 of SSN displayed by default
- Bank account can be and is usually masked
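As an added example (not from the presentation), the following scanner supports two of the rules above: slide 16's "don't email credit card numbers" and slide 23's last-4-only display. It finds Luhn-valid card numbers in free text and replaces them with the masked form; the sample message is constructed and uses a public test card number.

```python
# Added example, not from the presentation: a small cardholder-data scanner for
# the slide-16 rule "don't email credit card numbers" and the slide-23 rule
# that only the last 4 digits may be shown. The sample message is constructed.
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check; rejects most invoice and account numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last 4, the view slide 23 permits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text):
    """Replace every Luhn-valid card number with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample message: 4111... is a public test card number, and the
# 1234... value is an invoice number that fails the Luhn check.
SAMPLE_EMAIL = (
    "Hi, please set up autopay for card 4111 1111 1111 1111 exp 09/27.\n"
    "Reference invoice 1234567890123456 for last month.\n"
)
```

Running `find_pans` over a mailbox or a document share gives a quick check of whether the "don't email credit card numbers" rule is being followed, and `redact` produces the last-4 view before anything is stored or forwarded.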

