slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Payment Card Industry Data Security Standards PowerPoint Presentation
Download Presentation
Payment Card Industry Data Security Standards

Loading in 2 Seconds...

play fullscreen
1 / 44

Payment Card Industry Data Security Standards - PowerPoint PPT Presentation


  • 124 Views
  • Uploaded on

Payment Card Industry Data Security Standards. The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information. What is PCI & PCIDSS.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Payment Card Industry Data Security Standards' - artan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Payment Card Industry Data Security Standards

  • The Card Associations are concerned about cardholder information getting into the wrong hands for illegal use. Therefore, the Card Associations have adopted the PCI Standards to better secure cardholder information.
what is pci pcidss
What is PCI & PCIDSS
  • Payment Card Industry (PCI)
  • Data Security Standard (DSS) so (PCIDSS)
  • PCIDSS was developed jointly by all the credit card brands (Amex, DC, JCB, MC and Visa) to protect the merchants business, their customers (cardholders), and the integrity of the payment system from the rising incidences of stolen cardholder account data.
why is pci compliance important
Why is PCI compliance important?

PCI helps protect the merchant business from:

  • fraud
  • substantial fines from the card associations
  • customer dissatisfaction and distrust if their cardholder data is compromised and misused as result of the merchants business being compromised.

The credit card brands have made PCI compliance mandatory for merchants.

slide4

How Could Cardholder Information be Compromised?

  • Hackers could illegally access a merchant’s POS System.
  • Employees could be conned into revealing passwords, logons, or other sensitive data.
  • Credit card data such as reports or receipts could be thrown in the trash by merchants and retrieved by anyone digging through the dumpster.
slide5

Who Must Comply with the PCI Data Security Standards?

  • All merchants who accept credit and debit cards.
  • All credit card processors, issuers and acquirers (such as Heartland), third party processors, and gateways.
  • Developers and software providers.
slide6

PCI Data Security Standards Defined by the Card Associations Require Merchants to:

Build and maintain a secure network.

Protect cardholder data.

Maintain a Vulnerability Management Program.

Implement strong access control measures.

Regularly monitor and test networks.

Maintain an information security policy.

slide7

1. Build and Maintain a Secure Network

  • Merchants using the Internet for transmitting credit/debit card information, must install and maintain a firewall. Internet firewall security needs to be installed and functional on all computers and POS Systems using IP connectivity. POS systems with a dial connection to the Internet are required to comply with this standard as well.
slide8

2. Protect Cardholder Data

  • Merchants Must Use Passwords and Other Security Measures
    • Merchants must implement personalized logons and passwords for all users of computers and POS systems to limit access to cardholder information.
slide9

3. Maintain a Vulnerability Management Program to Protect Stored Data.

  • Hard copies of batch reports and paper receipts must be placed in a secured area where only authorized personnel can enter.
  • Unneeded reports and receipts must be shredded before disposal.
  • Databases and files containing credit/debit card information must be encrypted.
  • Encryption software is required for POS systems using internet connectivity for transmission of cardholder information.
slide10

4. Install Antivirus Software.

  • Merchants must install and maintain updated antivirus software on their computers and POS Systems.
slide11

5. Regularly Monitor and Test Networks.

  • Merchants must track and monitor all access to network resources.
  • Merchants must show proof that they track and monitor who has access to their computers and POS systems.
slide12

6. Maintain an Information Security Policy.

  • Merchants must have a written and enforceable policy that details safeguarding of credit/debit card information
slide13

Merchant Levels of Compliance

  • Levels of PCI Security compliance are based on size, type of business and the number of transactions per year.
  • Compliance requirements are based on 4 levels.

Must comply & pass third party audits

Level 1 – Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transaction per year.

Any merchant that has suffered a hack or an attack that resulted in an account data compromise.

Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system

Any merchant identified by any other payment card brand as level 1.

Level 2 –Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

eCommerce merchants (1m trans/yr – 6M trans/yr)

slide14

Merchant Levels of Compliance

  • Levels of PCI Security compliance are based on size, type of business and the number of transactions per year.
  • Compliance requirements are based on 4 levels.

Required to comply

Level 3 – Any Merchant processing 20,000 to 1,000,000 Visa e-commerce transaction per year.

Level 4 –All other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. And all merchant processing fewer than 20,000 Visa e-commerce transactions per year,

slide15

Level 1 – Large Retail Merchants

  • Level 1 merchants must undergo annual on-site audits by certified auditors.
  • Level 1 merchants must incur the cost of quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.
  • Adhering to the PCI standards can cost Level 1 merchants hundreds of thousands of dollars per year to ensure compliance.

Level of compliance is determined by merchant’s size

Large Retail Merchants

(Wal-Mart, Target, etc)

All merchants (regardless of size) are subject to annual audits and quarterly scans if they have a compromised data situation.

slide17

Level 2 - Mid/Large Merchants

  • Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).
  • Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.
  • Internet facing system scans can generally cost $1,000 to $3,000 dollars.
slide19

Level 3 – Mid/Low Merchants

  • Level 2 and 3 merchants must undergo annual self-assessments (no outside validation required).
  • Level 2 and 3 merchants must undergo quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.
  • Internet facing system scans can generally cost $1,000 to $3,000 dollars.
slide21

Level 4 - Small Merchants

  • PCI standards recommend Level 4 merchants undergo annual self-assessment (no outside validation required).
  • The standards also recommend the merchant conduct quarterly scans of their Internet facing systems for vulnerabilities from viruses and hackers.
  • These are only “recommendations” for security practices.
level 4 small merchants
Level 4* - Small Merchants

*The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

slide23

POS Software Developers must be PABP Compliant

  • POS system software should only extract and store the cardholder number, expiration date, and cardholder name from the magnetic stripe.
    • The POS software must encrypt all cardholder information.
    • The POS software must truncate the cardholder number on receipts, reports and display screens.
    • The POS software must encrypt all Internet transactions, generally done by SSL (Secure Socket Layer) encryption.

Merchant’s software can never store the CVV data

slide24

POS Software Developers must be PABP Compliant

  • POS
    • CCV Card Code is never allowed to be stored
slide25

How do you know which POS Software Complies with PABP Standards?

  • Merchants must contact their VAR/dealer or software developer to determine if their POS System software is PABP compliant.
slide26

Why Should Merchants Comply with PCI Standards?

  • To protect their business reputation.
  • To protect their customer’s card information.
  • To limit their risk of being fined and forced to undergo forensics (Visa/MasterCard on-site audit to determine the cause of the compromise) which can cost tens of thousands of dollars and put them out of business.
slide27

First Violation

Second Violation

Third Violation

$50,000

$100,000

Management discretion

Potential Cost to a Merchant for a Compromise

  • If security is compromised, regardless of the merchant’s tier level, they will be required to undergo an on-site security audit.
  • Merchants will be fined and assessed all costs and expenses related to the forensic investigation. They must pay a consultant to conduct the audit. The merchant must pass the audit and continue to do audits on an annual basis. Failure to notify Visa of a suspected or confirmed loss or theft of credit card data is subject to a fine of $100,000 per incident.
  • Costs of forensic investigations begin at $50,000 and could be as high as $100,000 per investigation.
  • Costs of audits can range from $15,000 - $20,000 per audit.
slide28

Summary of Steps to Compliance

  • PCI standards apply to all credit and debit cards.
  • Every merchant is mandated by the Card Associations to comply.
  • The six basic standards are as follows:
    • Build and Maintain a Secure Network
    • Protect Cardholder Data
    • Maintain a Vulnerability Management Program
    • Implement Strong Access Control Measures
    • Regularly Monitor and Test Networks
    • Maintain an Information Security Policy
  • The fines, investigations and audits for certification and compromises can be expensive.
visa alerts 10 54 07 by david press
Visa Alerts 10:54:07 by David Press
  • News Green Sheet Magazine
  • “Visa alerts restaurants to lax POS installation a spike in data security compromises at restaurants prompted Visa U.S.A. to issue a data security alert in July. It emphasized the proper installation and use of POS equipment and systems. The card association also issued a reminder of ways merchants can protect themselves against lapses.”
visa alerts
Visa alerts
  • Visa alerts restaurants to lax POS installation Visa's recommended mitigation strategy "If there is one theme that is most helpful to the merchant and ISO community, it is to make sure your payment applications are not inadvertently storing track data.“ – Martin Elliott, Visa's Vice President for Emerging Risk
credit firms push to thwart fraud
Credit Firms Push to Thwart Fraud Merchants Face a Penalty If Steps Aren't Taken to Curb Identity Theft; Visa Misses Own Security Deadline By ROBIN SIDEL, Wall Street JournalSeptember 25, 2006; Page C1

.

Credit Firms Push to Thwart Fraud
  • MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters.
an article appeared in the september 25th edition of the wall street journal
An article appeared in the September 25th edition of the Wall Street Journal
  • “The Journal article begins “MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraudsters. In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure. Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month.”
an article appeared in the september 25th edition of the wall street journal1
An article appeared in the September 25th edition of the Wall Street Journal

The article goes on to describe the various issues the credit card industry faces regarding data security and how it plans to deal with them in the coming months and years. The fact is that although the credit card companies are starting their efforts to enforce PCIDSS standards with the big retailers, it is the small and mid sized businesses like yours that are the easiest and most lucrative targets for cyber criminals.

an article appeared in the september 25th edition of the wall street journal2
An article appeared in the September 25th edition of the Wall Street Journal
  • For example, restaurants from coast to coast have already had to pay fines ranging from $5,000 to $350,000. In addition, they faced the immediate loss of their ability to accept credit cards and had to pay for initial and ongoing security audits that cost thousands more.”
compromise statistics industry
Compromise Statistics: Industry

Cases By Industry

SpiderLabs data is gathered from more than 140 card compromise cases.

Food Service Industry represents the majority of the compromises.

compromise statistics acceptance
Compromise Statistics: Acceptance

Cases by Card Acceptance

About 4 out of every 5 cases is a traditional Brick and Mortar environment.

Card Present Merchants are not aware of these risks!

compromise statistics system type
Compromise Statistics: System Type

Cases By System Type

Majority of the cases involved a compromise of a Software based POS system.

None of these systems were Visa PABP or PCI DSS compliant.

compromise statistics connectivity
Compromise Statistics: Connectivity

Cases By Connectivity

All Internet connectivity should be considered high risk.

SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable.

compromise statistics error
Compromise Statistics: Error

Merchant Error vs. 3rd Party Error

Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant.

POS Developers, Integrators, IT Firms are not following PCI DSS and leaving Merchants at Risk!

compromise statistics track data
Compromise Statistics: Track Data

Brick and Mortar Cases w/ Track Data Storage

Track Data storage is never permitted in any environment post authorization.

Non-Compliant software packages are storing Track Data and the Merchants did not know until it was too late!

compromise statistics pci dss violations
Compromise Statistics: PCI DSS Violations

Most Common “Not In-Place”

Requirement 1:Install and maintain a firewall to protect data

Requirement 3:Protect stored data

Requirement 6:Develop and maintain secure systems and applications

Requirement 8:Assign a unique ID to each person with computer access

Requirement 10:Track and monitor all access to network and card data

Requirement 11:Regularly test security systems and processes

compromise statistics spiderlabs top 10
Compromise Statistics: SpiderLabs Top 10

Top 10 Reasons/Methods of Compromise

  • Backdoor / Trojan
  • No Firewall
  • SQL Injection
  • Internal Theft
  • Remote Access
  • FTP Access to Data
  • Remote Exploit
  • Remote Buffer Overflow
  • Login Credential Leak
  • Password Brute Force
compromise statistics riskiest merchant
Compromise Statistics: Riskiest Merchant

Profile of the Merchant w/ Greatest Compromise Potential

Industry:Food Service

Payment Acceptance:Card Present

System Type:Non-Compliant Software POS

Connectivity:DSL or Cable Modem

websites
Websites
  • http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html
  • https://www.pcisecuritystandards.org/tech/supporting_documents.htm
  • https://www.pcisecuritystandards.org/index.htm