2 Agenda
- Threat Landscape
- Payment Ecosystem
- Overview of PCI DSS
- Bank’s Approach for PCIDSS Compliance
3 Threat Landscape
- Increased focus on compromising POS systems at retail outlets
- Successful data breaches resulting in leakage of millions of cardholder data records
- Sophisticated attack vectors being used to breach the security controls
Affected retailers: Target, Neiman Marcus, Schnucks Markets Inc, Harbor Freight, MAPCO Express ...and many more
Malicious executables: JackPOS, Dexter, Chewbacca, Project HackPOS, RAM Trojan ...and many more
Advanced mitigation controls:
- Implement PCI DSS and PA-DSS controls
- Lock down POS terminals to allow only the basic requisite applications (whitelist)
- Implement an anti-malware and anti-virus solution capable of detecting variants of these malicious executables
- Implement advanced monitoring solutions
5 Payment Ecosystem – Terminologies
Card Holder: customer purchasing products or services from a merchant; receives the payment card and bills from the issuer.
Issuer: bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB).
Payment Brand: Visa, MasterCard, Amex, Discover, JCB.
6 Payment Card Transaction Flow – Terminologies
Merchant: organization accepting the payment card for payment during a purchase.
Acquirer: bank or entity the merchant uses to process its payment card transactions; receives the authorization request from the merchant and forwards it to the issuer for approval; provides authorization, clearing and settlement services to merchants.
10 Payment Card Industry – Security Standards Council
PCI PTS: applies to hardware developers that design and build PIN entry devices.
PCI PA-DSS: provides security requirements to software developers that build and resell payment applications to merchants.
P2PE: the Point-to-Point Encryption (P2PE) program is optional and provides a comprehensive set of security requirements for P2PE solution providers to validate their hardware-based solutions; it may help reduce the PCI DSS scope of merchants using such solutions.
PCI DSS: security requirements for entities processing, storing and/or transmitting cardholder data (CHD).
11 PCI DSS Overview – The standard
6 Goals, 12 Requirements, 62 Main clauses, 289 Testing Procedures
Goal 1: Build and Maintain a Secure Network
Goal 2: Protect Cardholder Data
Goal 3: Maintain a Vulnerability Management Program
Goal 4: Implement Strong Access Control Measures
Goal 5: Regularly Monitor and Test Networks
Goal 6: Maintain an Information Security Policy
12 Merchant Levels (by annual payment card transaction volume)
Payment brand | Level 1 | Level 2 | Level 3 | Level 4
AMEX | > 2.5 million | 50,000 to 2.5 million | < 50,000 | NA
DISCOVER | > 6 million | 1 million to 6 million | 20,000 to 1 million | Others
JCB | > 1 million | < 1 million | – | –
MasterCard, VISA | > … | … < 1 million | 20,000 to 1 million (ecommerce) | < … (ecommerce); < 1 million (other)
(… marks a threshold that is not legible on the slide)
Payment Brand reserves the right to deem the level irrespective of transaction volume.
13 Merchant Reporting Requirements
Merchant levels: Level 1, Level 2, Level 3, Level 4 (validation requirements per brand as listed on the slide; several cells span more than one level)
AMEX: Annual OA by QSA or IA (EU only: Annual SAQ); Quarterly N/W scan (ASV) (R) (EU only: SAQ (R)); NA; Quarterly Network Scan (ASV)
JCB: Annual OA by QSA; Quarterly N/W scan (ASV); Annual SAQ
DISCOVER: Acquirer to determine compliance validation; Annual SAQ (R)
MasterCard, VISA: Quarterly N/W scan (ASV); Attestation of Compliance form
OA: Onsite Assessment; R: Recommended; IA: Internal Auditor
14 Service Provider Levels
Payment brand | Level 1 | Level 2
AMEX | All TPPs | NA
DISCOVER | Does not categorize service providers into levels | (same)
JCB, MasterCard | > 1 million | < 1 million
VISA Inc | > 300,000 | < 300,000
Payment Brand reserves the right to deem the level irrespective of transaction volume.
TPP: Third Party Processors
15 Service Provider Reporting Requirements
Service provider levels: Level 1, Level 2 (validation requirements per brand as listed on the slide)
AMEX: Annual OA by QSA or IA
DISCOVER: Annual OA by QSA or IA, or Annual SAQ; Quarterly network scans by ASV
JCB: Annual OA by QSA
MasterCard: Annual onsite review by QSA; Quarterly network scan by ASV; Annual SAQ
VISA: Attestation of Compliance form
OA: Onsite Assessment; IA: Internal Auditor
16 Need for PCIDSS Compliance
RBI Mandate (RBI/ /424, Section A, Point iv): "Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants."
It is not just about compliance. It is a security imperative, especially in the wake of recent high-profile data breach incidents at service providers and merchants. Compliance is incidental; the end objective is security.
Remain resilient to data breaches.
17 Bank’s Approach for PCIDSS Compliance
Two streams of compliance program:
Bank Compliance
1. Onboarded a QSA company to support implementing PCI DSS controls at the enterprise level
2. Current state assessment and implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes
Merchant Compliance
1. Deployed a portal to monitor PCI DSS compliance of merchants and service providers
2. Monitoring compliance status of Level 1, Level 2 and Level 3 merchants and Level 1 and Level 2 service providers
3. Assisting merchants and service providers in filling in the applicable SAQ
HDFC Bank has taken the initiative to share the data security alerts and advisories received from payment brands with all its merchants. Take these alerts/advisories seriously. If not actioned on time you will get hit – as a target or by a random attack.
18 Thank You
Manish Pal, Information Security Group