slide1 l.
Skip this Video
Loading SlideShow in 5 Seconds..
Understanding Credit Card Security Requirements PowerPoint Presentation
Download Presentation
Understanding Credit Card Security Requirements

Loading in 2 Seconds...

play fullscreen
1 / 26

Understanding Credit Card Security Requirements - PowerPoint PPT Presentation

  • Uploaded on

Understanding Credit Card Security Requirements . Gregory Dove, Manager, Information Systems Audit Manager AOA Meeting -- January 14, 2008. In The Virtual Storefront. Unlike merchants who operate in the physical world, you do not have face-to-face contact, a card-in-hand, or

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Understanding Credit Card Security Requirements

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Understanding Credit Card Security Requirements

Gregory Dove, Manager, Information Systems Audit Manager

AOA Meeting -- January 14, 2008

in the virtual storefront
In The Virtual Storefront
  • Unlike merchants who operate in the physical world, you do not have
    • face-to-face contact,
    • a card-in-hand, or
    • an actual signature
    • a physical door with a lock and key
    • a security guard posted 24/7 for protection.
  • Cyber-thieves know all of this and are always on the look-out for merchants who have hung up a virtual shingle, but have let their risk management guard down.

It’s up to you to understand the unique issues of running a virtual storefront and take a strategic approach to proactively address these issues and position your business for success.

the business case for security
The business case for security
  • Proper security enables a company to meet its business objective by providing a safe and secure environment that helps avoid:
    • Loss of revenue
    • Loss or compromise of data
    • Interruption of business process
    • Legal consequences
    • Damage to customer and partner confidence
    • Damage to reputation
  • A more secure retail store also enables easier and safer connectivity with customers and business partners
if the business case didn t convince you
If The Business Case didn’t Convince You
  • If an organization doesn't know that they need to be PCI compliant, or if an organization just doesn't want to be bothered by having to obtain PCI compliance, it soon will not matter.
  • The goal is to have all merchants, regardless of their merchant level, compliant with PCI DSS.
pci dss p ayment c ard i ndustry d ata s ecurity s tandard
PCI DSS Payment Card Industry Data Security Standard
  • Standard that is applied to:
    • Merchants
    • Service Providers (Third Third-party vendor, gateways)
    • Systems (Hardware, software)
  • That:
    • Stores cardholder data
    • Transmits cardholder data
    • Processes cardholder data
  • Applies to:
    • Electronic Transactions
    • Paper Transactions
pci dss exempt myth
PCI DSS Exempt Myth
  • All merchants are subject to the standard and to card association rules
    • No exemption provided to anyone
  • Immunity does not apply because
    • Requirement is contractual - not regulatory or statutory
    • Card associations can be selective who they provide services to
    • Merchants accept services on a voluntary basis
    • Merchants agree to abide by association rules when they execute e-merchant bank agreement
  • Merchant banks are prohibited by association rules from indemnifying a merchant from not being compliant with the standard
  • Association Rules require merchant banks to monitor merchants to ensure their compliance
    • Failure of a merchant bank to require compliance jeopardizes the merchant bank bank’s right to continue to be a merchant banks
    • Any fines levied are against the merchant bank, which in turns passes the fines onto the merchant
the pci framework is divided into 12 security requirements
The PCI framework is divided into 12 security requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored data.

4. Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update antivirus software.

6. Develop and maintain secure systems and applications

the pci framework is divided into 12 security requirements8
The PCI framework is divided into 12 security requirements

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Routinely test security systems and processes.

Maintain an Information Security Policy.

12. Establish high-level security principles and procedures.

compliance vs validation
Compliance Vs Validation
  • Compliance – Means adherence to the standard
    • Applies to every merchant regardless of volume
    • Technical and business practices
  • Validation – Verification that merchant (including its services providers) is compliant with the standard
    • Applies based on Level assigned to merchant, based on transaction volume
    • Two types of Validation
      • Self-Assessment
      • Certified by a Qualified Security Assessor (QSA)
  • Attestation – Letter to Visa signed by both merchant and acquirer bank attesting that validation has been performed
two components to validation
Two Components to Validation
  • Annual Assessment Questionnaire
    • Required of all merchants – regardless of level
    • Self Self-Assessment or performed by Qualified Security Assessor (QSA)
    • Must not have any “No” answers – it’s Fail or Pass
    • Applies to both technical and business
  • Security Vulnerability Scan - Quarterly
    • Required for External facing IP addresses
      • Web applications
      • POS Software and databases on networks
      • Applies even if there is a re-direction link to third third-party
    • Must be performed by Approved Scanning Vendor (ASV)
    • Validation based on Level assigned to merchant, based on transaction volume
      • Visa & MC schedules are different
      • Visa’s schedule is what most go by
levels of merchants applies to validation and attestation not to compliance
Levels of Merchants (Applies to Validation and Attestation, Not to Compliance)
  • All merchants must perform external network scanning to achieve compliance.
  • The new program, released in May 2007, requires acquirers to develop and submit a formal written compliance plan to Visa, which "identifies, prioritizes and manages overall risk within their Level 4 merchant populations," according to the CISP Bulletin.
  • For those acquirers who have not written and/or sent a summary of their plan, one must be emailed to Visa no later than July 31, 2007. Email summaries to
the current visa and mastercard validation requirements are as follows
The current Visa and MasterCard validation requirements are as follows:
  • Level 1-Visa/MasterCard-- Annual onsite review by merchant's internal auditor or a Qualified Security Assessor (QSA) or Internal Audit if signed by Officer of the company, and a quarterly network security scan with an Approved Scanning Vendor (ASV).
  • Level 2-- Completion of PCI DSS Self Assessment Questionnaire annually, and quarterly network security scan with an approved ASV.
  • Level 3-- Completion of PCI DSS Self Assessment Questionnaire annually, and quarterly network security scan with an approved ASV.
  • Level 4-- Completion of PCI DSS Self Assessment Questionnaire annually, and quarterly network security scan with an approved ASV.
  • Submit summary of PCI compliance plan, via acquirer, by July 30, 2007. If a breach has been reported, or found, Visa reserves the right to move the Level 4 merchant to a Level 1. If so, the Level 4 merchant must abide by the Level 1 validation requirements.
the level 4 merchant compliance program plan must consist of the following items acquirer
The Level 4 Merchant Compliance Program plan must consist of the following items: Acquirer
  • Timeline of Critical Events--Timeline of completion dates and milestones, for overall strategy.
  • Risk-Profiling Strategy--Prioritization of Level 4 merchants into subgroups, from merchants that post the greatest risk, to those that post little risk at all. Factors such as merchant category transaction volume, market segment, acceptance channel, number of locations can help the acquirer target compliance efforts for each subgroup.
  • Merchant Education Strategy--Strategy designed to eliminate prohibited data from being stored; protect stored data, and securing the environment in accordance with PCI DSS. This includes ensuring that merchants are only storing data they truly require, by complying with PCI DSSs, and by making sure payment applications are compliant and any third-party agents are on Visa's list of CISP-Compliant Service Providers.
  • Compliance Reporting--Monthly compliance reporting to executive or board management. Visa may also periodically request that the acquirer produce these reports.
merchant levels based on visa transaction volume over a 12 month period
Merchant levels: based on Visa transaction volume over a 12-month period

For Visa, Inc., the merchant's transaction volume is based on the aggregate number of Visa transactions-credit cards, debit cards, prepaid cards - from a merchant Doing Business As ("DBA"). For merchants and/or merchant corporations who operate more than one DBA, the aggregate volume of stored, processed or transmitted transactions by the corporate entity must be considered, to determine the validation level. If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, members will continue to consider the DBA's individual transaction volume to determine the validation level.

security breach fines
Security Breach Fines
  • Not levied by PCI Security Council
    • Fines levied byCard Associations
    • Against merchant bank, which passes fines on to merchant
  • Fines for security breach
    • Visa - Up to $500,000 per occurrence
    • MC – Up to $500,000 per occurrence
  • Amount of fines dependent upon
    • Number of card numbers stolen
    • Circumstances surrounding incident
    • Whether Track Data was stored or not
    • Timeliness of reporting incident
  • Safe Harbor
    • Could limit fine amount if had been validated as compliant by a QSA
    • But validation is point in time – Don’t count on
other security breach costs
Other Security Breach Costs
  • Fines levied by card associations to make notifications to all card holdersand replace cards
  • Costs of notifying customers of incident
  • Forensic Investigation Costs
    • Required by card associations
    • Must used approved firm (QSA)
    • Cost approximately $10,000
  • Cost associated with discontinuing accepting cards
  • Cost of an annualon-site security audit
    • Once a breach has occurred, elevated to a Level 1 merchant
    • Cost approximately $15,000 - $20,000
document the process flow
Document the Process Flow
  • Network Diagram is Required for all systems that transmit, store or process transactions, from the merchant system to the processor.
    • Put processing activities on a separate network segment
    • Campus network / 4CNET may need to be compliant or follow an encrypted path
  • All point of entry into the network / system must be identified and protected.
  • All Reports, downloads, and receipts must be protected.
why not paper
Why Not Paper
  • Physical protective measures are required for storing and securing paper transactions.
    • Report distribution controlled and reports physically locked; which is difficult to demonstrate compliance.
    • Transaction detail must be restricted to only authorized persons and must be physically locked.
  • A detailed documented process of all printouts and paper copies of transaction detail is required.
    • Difficult to demonstrate compliance without detailed understanding of the flow process
    • Retention requirements must include adequate security provisions
10 myths about pci compliance

Source:Payment Security Experts

10 Myths about PCI Compliance
  • I’m a small merchant, who only takes a handful of cards, so I don’t need PCI. A common misunderstanding with the standard is that small merchants, handling a few 10’s of credit cards a day are exempt from compliance. If you are a merchant and you are set up to take credit cards, by any mechanism - then you need to be complaint.
  • PCI only applies to E-commerce companies. No, PCI applies to every company that stores, processes or transmits cardholder information. In fact anyone who takes card present transactions that involve POS devices are more at risk than E-Commerce solutions, quite often these types of transactions involve storage of track data (which is forbidden under PCI). Disclosure of this type of data will bring heavy fines and requests for compensation from the banks involved.
  • You only have to be compliant with the majority of criteria. The pass mark for PCI is 100%, so if you fail even one of the criteria, you fail PCI. The standard is not really meant to be something to strive for; it is really a floor, a basis for further security measures. Failing to achieve even one of the requirements, is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard.

Source:Payment Security Experts

10 Myths about PCI Compliance

  • I only need to protect my credit card data, not ATM debit card related data. Unfortunately, both are required. Many debit cards are dual-purpose “signature debit,” which can be used on debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.
  • I can wait until my business grows. Unfortunately, the PCI standard applies to all sizes of business and waiting could be costly. Should you be compromised and not be compliant the fines and the compensation sort by the banks (it costs between $50 and $90 to replace one card) could be substantial.
  • I can just answer “yes” to all the criteria on the self-assessment. The self-assessment is merely a mechanism for getting the information about the level of your compliance to your merchant bank or to Visa. The standard applies at all times. Just saying yes to the questions puts the merchant at great risk. If a compromise took place and it was obvious that the merchant was not and has never been compliant, the matter would be taken very seriously by VISA. The merchant would be risking the whole business by answering “yes” to the questions, when there is no basis in fact for that answer.

Source:Payment Security Experts

10 Myths about PCI Compliance

  • As a merchant I’m not liable if a credit card is compromised Merchants are liable and not just for the credit card compromise, there are basically 4 scenarios where credit card data is compromised: Merchants can be liable not only for the compromise but also for subsequent damages from the issuing banks.

Source:Payment Security Experts

10 Myths about PCI Compliance

  • I can wait until my bank asks me to be compliant. The dates for Merchants demonstrating compliance are long gone, and the Merchant is responsible for making sure they are in compliance. Waiting until the bank asks you could be very costly indeed.
  • As a Merchant, I did not sign anything, saying I would be complaint; therefore, I do not need to be. The PCI standard forms part of the operating regulations that are the rules under which Merchants are allowed to operate merchant accounts. The regulations signed when the Merchant opens an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies, if you store, process or transmit credit cards.
  • As a Merchant, I’m entitled to store any data Many Merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:
    • Unencrypted credit card number
    • CVV or CVV2
    • Pin blocks
    • PIN numbers
  • Track 1 or 2 data
  • Any of the above found in databases, log files, audit trails, backups etc at a Merchant can result in serious consequences for the Merchant, especially if a compromise has taken place.


The Data Security Risk is Significant and

Therefore Requires Appropriate Controls

  • The threat of data compromise is global in scope (Web)
  • Many parties are involved in maintaining data security
  • The impact of data compromise is widespread financially, legally, and in goodwill exposures
  • Data security is a primary risk concern for Members, Merchants, Service Providers, Consumers, and Regulators
  • Data security has evolved from an operational problem and financial threat to a significant reputation risk
Hackers hit Dave & Buster's in credit-card fraud


Houston, Tex.-based Dave & Buster's restaurants was named in the case that began in 2006 when information on more than a million credit and debit cards was compromised in a computer hacking incident. A 27-count indictment was issued by a New York State grand jury, according to a Justice statement. Charged were Maksym Yastremskiy of Ukraine, Aleksandr Suvorov of Estonia and Albert Gonzalez of Miami. The three are charged with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and interception of electronic communications.

Justice officials call the crime "a scheme in which they hacked into POS terminals at 11 Dave & Buster's restaurants at various locations around the United States. . . then sold the stolen data to others who used it to make fraudulent purchases or resold it to make purchases, causing losses to financial institutions."

Stolen was "Track 2" data, the statement said. "Track 2" data is described as card numbers and expiration dates. Losses in the case have been been in excess of $600,000.

The indictments followed arrest of Yastremskiy in Turkey and Suvorov in Germany. Gonzalez was arrested last month in Miami.

Al Hammock, senior vice president at Envision Credit Union, said no charges or debits were incurred against cards issued to members. However, the institution has begun the process of reissuing cards to 468 debit card holders and 144 credit card holders as a precaution.

Fines could exceed $50,000,000.00 to Dave and Buster’s




Combined fines for all three