
The influence of PCI upon retail payment design and architectures


Presentation Transcript


  1. The influence of PCI upon retail payment design and architectures
     Weekend Conference 7 & 8 September 2013
     Ian White QSA, Head of UK&I and ME PCI Team
     September 4, 2013

  2. Agenda
     • The PCI DSS
     • The Retail Environment
     • Card Payments
     • The Retail Environment
     • The retail store
     • eCommerce
     • The call centre (MOTO)
     • Current challenges
     • Further Information

  3. The PCI Data Security Standard
     • Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
     • Currently on version 2.0, with Version 3.0 published 7th Nov 2013
     • Compliance is managed by the individual Card Brands
     • Recognises Merchants and Service Providers (or TPP / DSE)
     • Annual validation usually based around transaction volumes (SAQ or Report On Compliance)
     • QSA and ISA roles exist to support independent validation against the control requirements
     • An industry standard – but backed by legislation in some jurisdictions, and perhaps best viewed as “best practice”

  4. The Payment Card Industry standards
     • PCI DSS – covers the security of environments that store, process or transmit Account Data
     • PCI PA DSS – covers Payment Applications so that they can support PCI DSS compliance
     • PCI PTS – covers hardware devices, for example HSMs and PEDs, for protection of the PIN
     • PCI P2PE – encryption, decryption and key management within secure devices (hardware / hardware)
     • PCI PIN – secure management, processing and transmission of PIN data during online and offline payment processing

  5. Account Data [diagram: Cardholder Data, Track 1, Track 2]

  6. The PCI DSS Requirements [diagram: PCI DSS Version 2.0 requirements]

  7. The Retail Environment [diagram labels: Internet; Acceptance Channels; Corporate Systems; Institutions; Authorization Servers (Site A); Acquirer; Store; POS Controller; POS Terminals; POS Databases (Site B); Printer (Site E); Finance (Site C); Loyalty; MOTO Call Center (Site D)]

  8. “Connected To” Systems
     • “Connected To” systems support the controls that protect the Cardholder Data Environment (CDE) and as such may be considered to be “in scope” of the PCI DSS for some requirements
     • Typical examples include:
       • Active Directory (User accounts)
       • Log Management
       • AV / malware software update / management servers
       • Patching servers
       • Backup servers
       • Terminal Servers
       • Time Servers
       • Support personnel desktops / laptops
       • …

  9. Authorisation
     The merchant requests and receives authorisation from the issuer to proceed with the transaction and receives an authorisation code.
     [diagram: steps 1–7 between Cardholder, Merchant, Service Provider (WWW), Acquirer, Card Scheme network, Issuer and BofE]

  10. Clearing
      The acquirer sends the issuer purchase information; the issuer responds and then prepares for Settlement of funds.
      [diagram: steps 1–3 between Cardholder, Merchant, Service Provider (WWW), Acquirer, Card Scheme network, Issuer and BofE]

  11. The Store Environment - expected

  12. The Store Environment – actual?

  13. The Store Environment – with segmentation

  14. The Store Environment – P2PE?
      • PEDs and stand-alone chip-and-PIN readers that are P2PE validated
      • POS servers communicate with the corporate office, and card data is transmitted to the P2PE solution provider

  15. Point-to-Point Encryption (P2PE)
      • Currently very few solutions have been validated (2)
      • The POI device encrypts the card data at the read head using a key that the merchant has no access to
      • P2PE supports HW to HW and so-called HW to Hybrid solutions (the term “Hybrid” refers to the decryption of the data taking place outside of the HSM, in software on a host system that uses an HSM to protect the keys)
      • The use of a P2PE solution might enable a merchant to use a wide range of devices, such as the iPad, as they would only be providing a secure communications path for the (encrypted) data
      [figure: PCI SSC list of validated P2PE solutions as at 6th Sept 2013]
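As an added illustration of the P2PE data flow on slides 14 and 15 (example code written for this page, not code from the PCI SSC or any validated solution): the POI device encrypts the track at the read head under a provider-injected key, the merchant POS relays only the ciphertext and a masked PAN for the receipt, and only the decryption environment holding the key can recover the clear track. It assumes AES-GCM as a stand-in for a real scheme's key management and uses a constructed test PAN.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors"; "fmt"; "strings")

const samplePAN = "4111111111111111" // constructed test PAN, not a real card
const sampleTrack2 = samplePAN + "=2512101000000000000"

// EncryptedRead is all the PED hands to the merchant POS: ciphertext plus a masked PAN for the receipt.
type EncryptedRead struct {
	MaskedPAN  string
	Nonce      []byte
	Ciphertext []byte
}

// maskPAN keeps the first six and last four digits (receipt-style truncation).
func maskPAN(pan string) string {
	if len(pan) < 10 { return strings.Repeat("*", len(pan)) }
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// poiEncrypt models the PED read head: track data is encrypted under a provider-injected key (AES-GCM is this example's stand-in for the scheme's real key management).
func poiEncrypt(key []byte, track2, pan string) (EncryptedRead, error) {
	gcm, err := newGCM(key)
	if err != nil { return EncryptedRead{}, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return EncryptedRead{}, err }
	return EncryptedRead{maskPAN(pan), nonce, gcm.Seal(nil, nonce, []byte(track2), nil)}, nil
}

// providerDecrypt models the decryption environment holding the HSM-protected key.
func providerDecrypt(key []byte, r EncryptedRead) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, nil) // rejects any other key or tampered data
	if err != nil { return "", errors.New("p2pe: authentication failed (wrong key or tampered data)") }
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // provider-injected key; the merchant POS never holds it
	rand.Read(key)
	blob, _ := poiEncrypt(key, sampleTrack2, samplePAN)
	track, err := providerDecrypt(key, blob)
	fmt.Println("POS sees:", blob.MaskedPAN, "| provider recovers:", track, err)
}
```

The merchant side holds no key, so a POS (or an iPad acting as the transport) that tries to decrypt, or a tampered blob, fails authentication rather than yielding plausible track data.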

  16. The eCommerce Environment – expected (source: PCI SSC QSA training 2011)

  17. The eCommerce Environment – actual? (source: PCI SSC QSA training 2011)

  18. The eCommerce Environment – with segmentation
      Which PCI DSS requirements apply here – if any?

  19. The eCommerce Environment – Using a Third Party?
      Which PCI DSS requirements apply here – if any?

  20. The Call Centre – areas to consider
      • Policies and Procedures
      • Virtual terminals
      • Call recording software

  21. Some of the current challenges for retail
      • Logging
      • Legacy systems and encryption
      • CCTV – especially in the retail store environment
      • P2PE vs E2EE
      • Wireless scanning / NAC
      • Virtualisation / Cloud Services
      • Contractual frameworks for third parties
      • Loyalty schemes (Tokenisation?)

  22. Further Information
      • Go to www.pcissc.org for detailed information and documentation (standards, guidance and FAQ)
      • The Card Brands and Acquiring banks have many documents that provide detailed advice and guidance on the PCI DSS and associated compliance issues
      • http://www.verizonenterprise.com/DBIR/2013/
      • Ian.white@intl.verizon.com
