
The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful Fred Hopper, CISSP TASK - 27 March 2007.

Presentation transcript:

Slide 1: The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful. Fred Hopper, CISSP. TASK, 27 March 2007.

Slide 2: My Background and Perspective
- IT Infrastructure Support, Network Management, Info Security and Corporate Security
- Previous roles at Davis + Henderson and Canadian Standards Association
- Head of Corporate Security for Metaca Corporation, one of Canada's leading manufacturers and personalizers of Financial, Loyalty, ID, Satellite TV, Telco, Health, and Insurance cards.

Slide 3: Payment Card Security – History
- Companies who manufacture and personalize cards for other organizations (e.g. banks) are called Card Vendors.
- Card Vendor security has historically focused on the physical security of the product rather than data security.

Slide 4: The First Credit Card. "The First Supper" - Frank X. McNamara (1950)

Slide 5: Later Diners Club Cards (image slide)

Slide 6: American Express (image slide)

Slide 7: Today's Risks
- The most significant risk these days is the compromise and misuse of the data rather than the physical card itself.
- Card Vendors have had to meet detailed Logical (i.e. Information) Security requirements in recent years, with detailed standards and annual audits.
- Current weak points in the system: some merchants and third party data processors.

Slide 8: Today's Risks (image slide)

Slide 9: Card Skimming and Background for PCI DSS
- Until the 1990s, magstripe reading and encoding hardware and the knowledge to use it were hard to come by. Personal computers and inexpensive hardware changed everything.
- Improvements and miniaturization in electronics in recent years have also been reflected in skimming equipment.
- Features of current equipment include flash memory, internal clocks, firmware supporting timestamps, databases, Bluetooth, password protected access to memory, and features to protect data from law enforcement and rival skimming gangs.

Slides 10-16: Skimming Hardware (image slides)

Slide 17: Skimming Software (image slide)

Slide 18: Counterfeiting Supplies (image slide)

Slide 19: Important Card Data
- Financial card dimensions, location of the magnetic stripe, and data encoding and layout are all covered in ISO standards. (Image source: www.magtek.com)

Slide 20: Important Card Data (image slide)

Slide 21: Important Card Data
- To process a transaction, the merchant must present multiple fields to the acquiring financial institution, e.g. PAN, expiry date, CVV/CVC, PVV or PIN Offset.

Slide 22: Payment Card Data
- Skimming is still a lot of work and risk; why not just try to get card track data in bulk?
- Carding sites exist to trade in stolen card numbers, e.g. Carderplanet, Mazafuka, Shadowcrew, Darkprofits.
- Where do these numbers come from? A lot of them are stolen from Merchants and Data Processors who store more data than they need, do so insecurely, and are subsequently compromised.
- The payment card industry has been aware of this problem for years and has been responding in various ways, one of which is the Payment Card Industry Data Security Standard (PCI DSS).

Slide 23: Payment Card Security Standards Prior to 2004
- Each card association had different rules:
- Visa: Account Information Security (AIS) and Cardholder Security Information Program (CISP)
- MasterCard: Site Data Protection (SDP)
- American Express: Data Security Standard (DSS)
- Discover: Discover Information Security Compliance Program (DISC)

Slide 24: Formation of the PCI Security Standards Council
- Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors: the PCI Data Security Standard (PCI DSS).
- The PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS.
- Version 1.0 of the PCI DSS was published in January 2005; Version 1.1 was published in September 2006.
- www.pcisecuritystandards.org

Slide 25: Scope of PCI DSS
If your shop handles financial card data:
- PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted.
- PCI DSS security requirements apply to all "system components", defined as "any network component, server or application that is included in or connected to the cardholder data environment".
- Failure to comply will eventually result in surcharges, fines and substantially increased liability in the event of a data breach.
- If a PAN is not stored, processed or transmitted, then PCI DSS requirements do not apply.

Slide 26: Scope of PCI DSS
If your shop does not handle financial card data:
- Strictly speaking, PCI DSS requirements do not apply to your organization.
- You may still want to utilize PCI DSS in order to protect personal information (NPPI), commercially sensitive information, trade secrets, etc.
- Q: Why use PCI DSS instead of other InfoSec standards (e.g. ISO 17799)?
- A: It's concise (16 pages), easy to interpret and was developed through consensus by organizations who knew it would be a challenge to obtain compliance from its target audience. In other words, it is well thought out, well documented and attainable.

Slide 27: PCI DSS Requirements
The PCI Data Security Standard comprises 12 general requirements designed to:
- Build and maintain a secure network
- Protect cardholder data
- Ensure the maintenance of vulnerability management programs
- Implement strong access control measures
- Regularly monitor and test networks
- Ensure the maintenance of information security policies
Does this sound familiar?

Slide 28: PCI DSS vs. CISSP CBK

PCI DSS Control Objective                    | CISSP CBK Domains
Build and Maintain a Secure Network          | Telecommunications and Network Security
Protect Cardholder Data                      | Cryptography
Maintain a Vulnerability Management Program  | Applications and System Development Security
Implement Strong Access Control Measures     | Access Control Systems and Methodology + Physical Security
Regularly Monitor and Test Networks          | Operations Security
Maintain an Information Security Policy      | Security Management Practices

Slide 29: Control Objectives (1 of 6) - Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Slide 30: Sample of Format Used (image slide)

Slide 31: Control Objectives (2 of 6) - Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
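Added example, not from the presentation: a small Python scanner that finds Luhn-valid PANs in constructed log lines and masks them to first six/last four, the kind of check used to discover cardholder data stored where it should not be (slide 22) and to scope the cardholder data environment (slide 25) under Requirement 3. The regex, the sample log lines and the 16-digit order id are assumptions of this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
# ISO/IEC 7812 account numbers end in a Luhn check digit, so validating the
# checksum removes most false positives (order ids, timestamps, phone numbers).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the display maximum in PCI DSS Requirement 3.3."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _masked_if_pan(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return mask_pan(digits)
    return match.group(0)          # not a real PAN: leave untouched


def find_pans(text: str) -> list:
    """Return (raw, masked) pairs for every Luhn-valid PAN found in text."""
    return [(m.group(0), _masked_if_pan(m)) for m in CANDIDATE.finditer(text)
            if _masked_if_pan(m) != m.group(0)]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    return CANDIDATE.sub(_masked_if_pan, text)


# Constructed sample log lines (not from the page): the first holds a test PAN,
# the second a 16-digit order id that fails Luhn and must be left alone.
SAMPLE_LOG = [
    "2007-03-27 10:01:02 POS auth ok pan=4111 1111 1111 1111 exp=0309 amt=19.99",
    "2007-03-27 10:01:05 order id=1234567890123456 shipped",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
```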

Slide 32: Control Objectives (3 of 6) - Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.

Slide 33: Control Objectives (4 of 6) - Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.

Slide 34: Control Objectives (5 of 6) - Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources.
- Requirement 11: Regularly test security systems and processes.

Slide 35: Control Objectives (6 of 6) - Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.

Slide 36: Conclusion
- PCI DSS is out there, and if your systems process payment card numbers, you must be compliant.
- Even if you do not process payment card numbers, the PCI DSS provides an excellent information security framework for your organization's Information Security Management System.

Slide 37: Questions and Answers
Fred Hopper, Director, Corporate Security, IT and Quality, Metaca Corporation. fhopper@metaca.com

