Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI DSS for Retail Industry

Similar presentations

Presentation on theme: "PCI DSS for Retail Industry"— Presentation transcript:

1 PCI DSS for Retail Industry
March 21, 2014

2 Agenda Threat Landscape Payment Ecosystem Overview of PCI DSS
Bank’s Approach for PCIDSS Compliance

3 Threat Landscape Increased focus at compromising POS systems at retail outlets Successful data breaches resulting in leakage of millions of cardholder data Sophisticated attack vectors being used to breach the security controls Affected Retailers Target Neiman Marcus Schnucks Markets Inc Harbor Freight MACPO Express ..and many more Malicious executables JackPOS Dexter Chewbacca Project Hack POSRAM Trojan …and many more Implement PCI DSS and PA DSS controls Lockdown POS terminals to allow only basic requisite applications (whitelist) Implement anti-malware and anti-virus solution capable of detecting variants of malicious executables Implement advanced monitoring solutions Advanced mitigation controls

4 Threat landscape

5 Payment Ecosystem– Terminologies
Customer purchasing products or services from merchant Receives the payment card and bills from the issuer Card Holder Bank or other organization issuing a payment card on behalf of a payment brand (e.g. Master Card & Visa) Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) Issuer Visa, MasterCard, Amex, Discover, JCB Payment Brand

6 Payment Card Transaction Flow – Terminologies
Organization accepting the payment card for payment during a purchase Merchant Bank or entity the merchant uses to process their payment card transactions Receive authorization request from merchant and forward to issuer for approval Provides authorization, clearing and settlement services to merchants Acquirer

7 Payment Ecosystem – Authorization Flow

8 Payment Ecosystem – Settlement Flow

9 PCIDSS Overview - Some Key Terminologies
AOC – Attestation of Compliance SAQ – Self Assessment Questionnaire ROC – Report on compliance SAD – Sensitive Authentication Data CHD – Cardholder data PAN – Primary A/c. No. ASV – Approved Scanning Vendor QSA – Qualified Security Assessor

10 Payment Card Industry – Security Standards Council
Description PCI PTS This standard applies to hardware developers that design and build PIN entry devices. PCI PA-DSS This standard provides security requirements to software developers that build and resell payment applications to merchants P2PE The Point-to-Point Encryption (p2pe) program is optional and provides a comprehensive set of security requirements for p2pe solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions. PCI DSS Security requirements for entities processing, storing and/or transmitting CHD

11 PCI DSS Overview – The standard
6 Goals 12 Requirements 62 Main clauses 289 Testing Procedures Goal 1: Build and Maintain a Secure Network Goal 2: Protect Cardholder Data Goal 3: Maintain a Vulnerability Management Program Goal 4: Implement Strong Access Control Measures Goal 5: Regularly Monitor and Test Networks Goal 6: Maintain an Information Security Policy

12 Merchant Levels PAYMENT BRAND MERCHANT LEVEL Level 1 Level 2 Level 3
AMEX > 2.5million 50000 >< 2.5million <50000 NA DISCOVER > 6million 1million >< 6million 20000 ><1million Others JCB >1million < 1million MasterCard >< 1million VISA 20000 to 1million (ecommerce) < (ecommerce). < 1million (other) Payment Brand reserves the right to deem the level irrespective of transaction volume

13 Merchant Reporting Requirements
PAYMENT BRAND MERCHANT LEVEL Level 1 Level 2 Level 3 Level 4 AMEX Annual OA by QSA or IA EU Only: Annual SAQ Quarterly N/W scan (ASV) (R) EU Only: SAQ (R) NA Quarterly Network Scan (ASV) JCB Annual OA by QSA Quarterly N/W scan(ASV) Annual SAQ DISCOVER Acquirer to determine compliance validation Annual SAQ (R) MasterCard VISA Quarterly N/W scan (ASV) Attestation of Compliance form OA: Onsite Assessment R: Recommended IA: Internal Auditor

14 Service Provider Levels
PAYMENT BRAND SERVICE PROVIDER LEVEL Level 1 Level 2 AMEX All TPPs NA DISCOVER Does not categorize Service providers into levels JCB MasterCard >1million <1million VISA Inc >300,000 <300,000 Payment Brand reserves the right to deem the level irrespective of transaction volume TPP: Third Party Processors

15 Service Provider Reporting Requirements
PAYMENT BRAND SERVICE PROVIDER LEVEL Level 1 Level 2 AMEX Annual OA by QSA or IA DISCOVER Annual OA by QSA OR IA OR Annual SAQ Quarterly network scans by ASV JCB Annual OA by QSA MasterCard Annual onsite review by QSA Quarterly network scan by ASV Annual SAQ VISA Attestation of Compliance form OA: Onsite Assessment IA: Internal Auditor

16 Need for PCIDSS Compliance
RBI/ /424: Section A – Point iv: Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants RBI Mandate It is not about just compliance. It is a security imperative, especially in the wake of recent high profile data breach incident at Service Providers & Merchants. Compliance is incidental, end objective is security. Remain resilient to data breaches

17 Bank’s Approach for PCIDSS Compliance
Bank Compliance 1. On boarded a QSA Company to support in implementing PCI DSS controls at the enterprise level 2. Current State Assessment and Implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes Merchant Compliance 1. Deployed a portal to monitor PCI DSS compliance for merchants and service providers 2. Monitoring compliance status of Level 1, Level 2 and Level 3 merchants and Level 1 and Level 2 service providers 3. Assist merchants and service providers in filling the applicable SAQ Two streams of compliance program HDFC Bank has taken the initiative to share the data security alerts and advisories received from Payment brands with all its merchants. Take these alerts/advisories seriously. If not actioned on time you will get hit – as a target or by a random attack.

18 Thank You Manish Pal, Information Security Group

Download ppt "PCI DSS for Retail Industry"

Similar presentations

Ads by Google