
MBS Credit Card Processing and PCI Requirements


Presentation Transcript


  1. MBS Credit Card Processing and PCI Requirements
     Phil Goble, Mike Chalk

  2. PCI DSS
     • (PCI) Payment Card Industry (DSS) Data Security Standard
     • Applies to everyone handling cardholder data
       • Merchants
       • Service providers
       • Payment gateways
     • Self Assessment Questionnaire (SAQ) applies for most merchants
     • Different forms of SAQ apply based on role and processing infrastructure
     • 12 major requirements
  www.cdg.ws

  3. PCI Participant roles

  4. PCI VISA Merchant Levels

  5. CDG Monthly Merchant Totals

  6. PCI SAQ Versions

  7. PCI Major Requirements (SAQ D)

  8. CDG ACTIONS UNDER VIEW
     • Planned
       • Invoke a hosted payment solution so that MBS never has knowledge of the credit card number
       • Discontinue storage of the credit card number; use a token for making payments
     • Possible / Under consideration
       • Possible suppression of the last 4 digits of the credit card
       • Static and dynamic scanning for security vulnerabilities
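The two planned actions, a hosted payment page and token-based charging, as an added example in Python (not CDG or MBS code). The gateway class is a constructed in-memory stand-in for a payment provider's token vault, the customer id and card number are constructed test values, and the merchant side shows what MBS would retain after the change: a token and the last four digits only, with the display function also modelling the "suppress last 4" option.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


class HostedPayGateway:
    """Stand-in for the hosted payment provider, the only party that ever sees
    the PAN. In the real flow the customer's browser posts the card directly to
    the provider's hosted page; the merchant receives only the token and last 4."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}   # token -> PAN, inside the provider's PCI scope

    def tokenize(self, raw_pan: str) -> Tuple[str, str]:
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19:
            raise ValueError("card number must be 13 to 19 digits")
        token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
        self._vault[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge by token; the merchant never supplies the card number."""
        return token in self._vault and amount_cents > 0


@dataclass(frozen=True)
class PaymentMethod:
    token: str
    last4: str


class MerchantSystem:
    """What the merchant side (MBS, in the slides) would store after the change:
    a gateway token and the last four digits, never the full PAN."""

    def __init__(self, gateway: HostedPayGateway) -> None:
        self.gateway = gateway
        self.methods: Dict[str, PaymentMethod] = {}   # customer id -> payment method

    def save_payment_method(self, customer_id: str, token: str, last4: str) -> None:
        if not re.fullmatch(r"\d{4}", last4):
            raise ValueError("last4 must be exactly four digits")
        self.methods[customer_id] = PaymentMethod(token, last4)

    def run_autopay(self, customer_id: str, amount_cents: int) -> bool:
        return self.gateway.charge(self.methods[customer_id].token, amount_cents)

    def display_card(self, customer_id: str, show_last4: bool = True) -> str:
        """Masked display; show_last4=False models the 'suppress last 4' option."""
        tail = self.methods[customer_id].last4 if show_last4 else "****"
        return "**** **** **** " + tail

    def holds_pan(self, raw_pan: str) -> bool:
        """Audit helper: does anything the merchant stores contain the full PAN?"""
        pan = re.sub(r"\D", "", raw_pan)
        return any(pan in m.token + m.last4 for m in self.methods.values())


def demo() -> Tuple[MerchantSystem, str]:
    """Enrol one constructed customer for autopay and return the merchant state."""
    gateway = HostedPayGateway()
    merchant = MerchantSystem(gateway)
    test_pan = "4111 1111 1111 1111"              # constructed test card number
    token, last4 = gateway.tokenize(test_pan)    # happens on the hosted page
    merchant.save_payment_method("cust-42", token, last4)
    return merchant, test_pan


if __name__ == "__main__":
    merchant, test_pan = demo()
    print(merchant.display_card("cust-42"))     # **** **** **** 1111
    print(merchant.run_autopay("cust-42", 1999))
    print(merchant.holds_pan(test_pan))         # False
```

The point of the split is scope: the merchant database, its backups and its support staff never hold a value a card thief could use, so a breach of the merchant side yields tokens that are only meaningful to the one gateway that issued them. The `holds_pan` check is the kind of assertion an internal audit or a scan of exported data would run to confirm that the change actually took effect.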

  9. Payment via merchant (Current)

  10. payment via web (Current)

  11. Automatic payment (CURRENT)

  12. Payment Via Web (New)

  13. Automatic Payment (New)

  14. So what about security and PCI?
     • The most important thing we can do is protect SPI (sensitive personal information), which includes credit card data
     • We need to look at being PCI compliant to minimize our liability and, by inference, improve our security (it doesn't guarantee a breach won't occur)
     • At least one merchant is approaching a point where PCI compliance would be mandatory for Visa, if all their transactions were Visa related (unlikely)
     • We need to identify the SAQ and requirements that apply to the CDG and merchant environment, and distribute that information to the companies in attendance

  15. Merchant security considerations
     • Employees have access to the credit card number when the card is handed to them or its contents are read out over the phone
     • Infected PCs can intercept keystrokes
     • Insecure networks (wired and wireless) provide opportunities for data to be intercepted
     • Tradeoffs exist
       • Security versus the company's end-user complaints
       • Security versus the company's customer complaints

  16. Security-related Discussion Topics
     • Accounts and passwords
       • Use of email accounts for login
       • Forcing password changes for E-Care
       • Introduction of additional security questions
     • Credit card data
       • Don't email credit card numbers
       • Protect (or destroy) documents on which a complete credit card number is present
       • Encourage use of E-Care and auto payment so that employees never see credit card data
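A detection control for the "don't email credit card numbers" and document-handling points above: an added example, not CDG code, that scans text for 13 to 19 digit runs, keeps only those that pass the Luhn check that card numbers satisfy, and redacts them to the last four. The sample messages are constructed; 4111 1111 1111 1111 is a published test card number, not a real account.

```python
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not immediately adjacent to further digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test that card numbers satisfy; it filters out most
    other long digit strings such as order ids and tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact(text: str) -> str:
    """Replace each detected card number with a marker keeping only the last four."""
    out = text
    for start, end, digits in reversed(find_pans(text)):   # right to left keeps offsets valid
        out = out[:start] + "[PAN ****" + digits[-4:] + "]" + out[end:]
    return out


def should_block(text: str) -> bool:
    """Policy decision for an outbound mail filter: block if any PAN is present."""
    return bool(find_pans(text))


# Constructed sample messages; 4111 1111 1111 1111 is a published test card number.
SAMPLE_MESSAGES = [
    "Hi, please charge 4111 1111 1111 1111 exp 03/27 for the March invoice.",
    "Order #123456789012 shipped; tracking 1Z999AA10123456784.",
    "Ref 1234 5678 9012 3456 is an internal ticket id, not a card.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(should_block(msg), "|", redact(msg))
```

The Luhn filter is what keeps order and tracking numbers from tripping the rule: the 16-digit run in the third message fails the check and is left alone, while the first message is blocked and can be logged in redacted form. Only the longest digit run at each position is tested, so a card number glued to extra digits is missed; that is a known trade-off of this kind of scanner, and the same function can be run over exported documents as well as mail.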

  17. Security-related Discussion Topics
     • What data besides credit card numbers is SPI?
       • SSN, birthdate, and bank account are considered SPI. What else should be?
     • Who should have access to the attributes, and why?
     • Do the MBS security roles reflect who should have access to review or modify the information?

  18. NOTE: SOME REFERENCE MATERIALS FOLLOW

  19. CDG Security Safeguards
     • SSL encryption using a 2048-bit EV certificate
     • Programming measures have been taken to help avoid CSRF (cross-site request forgery), XSS (cross-site scripting), and SQL injection attacks on our application
     • Hardware / software default account information is overridden
     • Third-party scans (using Nessus) of the operational environment
     • Virus scans on PCs and servers within the organization
     • PC options are rules-based and devices are configurable by system administrators
     • Automatic timeouts on PCs and sessions

  20. MBS USER account SECURITY (CDG)
     • Use of privilege codes to enforce roles and access
     • Leveraging of Microsoft Active Directory
     • User IDs use FIMILI followed by company number
     • Passwords require 7 characters and must contain characters from three of the following four categories: upper case, lower case, numeric, special character
     • Passwords must change every 35 days
     • Account locked after 3 failed login attempts

  21. MBS USER account SECURITY (licensee)
     • Use of privilege codes to enforce roles and access
     • Use of Microsoft Active Directory optional (no licensees currently use it)
     • User ID has no constraints beyond being at least 1 character long
     • Passwords require 7 characters and must contain characters from three of the following four categories: upper case, lower case, numeric, special character
     • Password expiration optional
     • Account locked after 5 failed login attempts

  22. CDG USER account SECURITY (ECARE)
     • User IDs must be at least 7 characters, of which one must be alphabetic and one must be numeric
     • User IDs can optionally be an email address
     • Passwords require 7 characters and must contain characters from three of the following four categories (upper case, lower case, numeric, special character); the characters cannot be part of the login
     • Seven failed login attempts lock the account until
       • it is unlocked manually by an MBS user,
       • 30 minutes pass, or
       • the user does a password reset
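The account rules on slides 20 to 22, expressed as one configurable policy in Python: an added example, not CDG code. The assumptions are marked in the comments: "the characters cannot be part of the login" is read as password and user ID not containing each other; the MBS (CDG and licensee) policies get no automatic unlock because their slides state none; the CDG "FIMILI + company number" ID format is not enforced; and passwords are stored as salted PBKDF2 hashes because the slides do not say how they are stored. The user IDs and passwords used are constructed.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

@dataclass(frozen=True)
class Policy:
    max_failed_logins: int
    auto_unlock_minutes: Optional[int]   # None: unlock only by an MBS user or a password reset
    password_expiry_days: Optional[int]  # None: expiry not enforced
    min_userid_len: int
    userid_needs_alpha_and_digit: bool   # E-Care rule; an email address also qualifies

# Slide values. None unlock is an assumption (no automatic unlock is stated for MBS users);
# the CDG "FIMILI + company number" user ID format is not enforced here.
CDG_STAFF = Policy(3, None, 35, 1, False)
LICENSEE = Policy(5, None, None, 1, False)
ECARE = Policy(7, 30, None, 7, True)

def userid_ok(user_id: str, policy: Policy) -> bool:
    if len(user_id) < policy.min_userid_len:
        return False
    if not policy.userid_needs_alpha_and_digit:
        return True
    return bool(EMAIL_RE.fullmatch(user_id)) or (
        any(c.isalpha() for c in user_id) and any(c.isdigit() for c in user_id))

def password_ok(password: str, user_id: str) -> bool:
    """7 chars, three of four classes, and (assumed reading) no containment with the login."""
    if len(password) < 7:
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        return False
    u, p = user_id.lower(), password.lower()
    return u not in p and p not in u

def derive_key(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for storage; the slides do not say how passwords are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Account:
    def __init__(self, user_id: str, password: str, policy: Policy, now: datetime) -> None:
        if not userid_ok(user_id, policy):
            raise ValueError("user ID violates policy")
        self.user_id, self.policy = user_id, policy
        self.failed, self.locked_at = 0, None
        self.reset_password(password, now)

    def reset_password(self, new_password: str, now: datetime) -> None:
        """Set a policy-conforming password; a reset also clears any lockout."""
        if not password_ok(new_password, self.user_id):
            raise ValueError("password violates policy")
        self._salt = secrets.token_bytes(16)
        self._key = derive_key(new_password, self._salt)
        self.password_set_at = now
        self.unlock()

    def unlock(self) -> None:                       # manual unlock by an MBS user
        self.failed, self.locked_at = 0, None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_at is None:
            return False
        minutes = self.policy.auto_unlock_minutes
        if minutes is not None and now - self.locked_at >= timedelta(minutes=minutes):
            self.unlock()                           # the E-Care 30-minute rule
            return False
        return True

    def login(self, password: str, now: datetime) -> str:
        if self.is_locked(now):
            return "locked"
        if not hmac.compare_digest(derive_key(password, self._salt), self._key):
            self.failed += 1
            if self.failed >= self.policy.max_failed_logins:
                self.locked_at = now
                return "locked"
            return "bad-password"
        self.failed = 0
        expiry = self.policy.password_expiry_days
        if expiry is not None and now - self.password_set_at > timedelta(days=expiry):
            return "password-expired"
        return "ok"

def lockout_demo() -> List[str]:
    """Constructed E-Care account: seven wrong passwords, then retries at +5 and +30 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jsmith2024", "Tr0ub4dor!", ECARE, t0)
    outcomes = [acct.login("wrong-pw", t0) for _ in range(7)]
    outcomes.append(acct.login("Tr0ub4dor!", t0 + timedelta(minutes=5)))
    outcomes.append(acct.login("Tr0ub4dor!", t0 + timedelta(minutes=30)))
    return outcomes
```

Putting the three policies in one table makes the differences between the slides visible at a glance: the lockout threshold (3, 5 or 7), which policy enforces expiry, and which one unlocks itself after 30 minutes. `lockout_demo()` returns six `bad-password` results, then `locked` on the seventh attempt and on the retry five minutes later, then `ok` once the 30-minute window has passed.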

  23. CDG SPI Safeguards
     • Credit card number, SSN, and bank account data are encrypted in the database with high-grade RC4 using 128-bit keys
     • Only the last 4 digits of the credit card are available for viewing
     • Last 4 of SSN displayed by default
     • Bank account can be, and usually is, masked
