Post on 29-Mar-2015
MBS CREDIT CARD PROCESSING AND PCI REQUIREMENTS
Phil Goble
Mike Chalk
www.cdg.ws
PCI DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
Applies to everyone handling cardholder data:
  Merchants
  Service providers
  Payment gateways
Self Assessment Questionnaire (SAQ) applies for most merchants
Different forms of SAQ apply based on role and processing infrastructure
12 major requirements
PCI PARTICIPANT ROLES (diagram not reproduced)
PCI VISA MERCHANT LEVELS

Level 1
  Merchant criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
  Validation requirements:
    Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company (the internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification)
    Quarterly network scan by Approved Scan Vendor (“ASV”)
    Attestation of Compliance Form

Level 2
  Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  Validation requirements:
    Annual Self-Assessment Questionnaire (“SAQ”)
    Quarterly network scan by ASV
    Attestation of Compliance Form

Level 3
  Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  Validation requirements:
    Annual SAQ
    Quarterly network scan by ASV
    Attestation of Compliance Form

Level 4
  Merchant criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  Validation requirements:
    Annual SAQ recommended
    Quarterly network scan by ASV if applicable
    Compliance validation requirements set by merchant bank
CDG MONTHLY MERCHANT TOTALS

Company      Amount Charged   January Transactions   Projected Yearly Transactions
Company 1    $3,528.02        22                     264
Company 2    $1,448.22        39                     468
Company 3    $5,266.15        67                     804
Company 4    $67,289.60       70                     840
Company 5    $7,323.37        71                     852
Company 6    $6,626.13        73                     876
Company 7    $13,388.27       181                    2,172
Company 8    $17,853.04       227                    2,724
Company 9    $44,679.98       384                    4,608
Company 10   $39,678.89       476                    5,712
Company 11   $70,533.30       632                    7,584
Company 12   $40,160.71       688                    8,256
Company 13   $52,212.21       709                    8,508
Company 14   $76,814.29       717                    8,604
Company 15   $96,345.84       724                    8,688
Company 16   $59,469.59       790                    9,480
Company 17   $89,527.60       800                    9,600
Company 18   $76,964.64       960                    11,520
Company 19   $150,890.28      1,397                  16,764
Total        $920,000.13      9,027                  108,324
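To tie the monthly totals back to the merchant-level table, here is an added example (not part of the CDG deck) that projects yearly volume from the January counts (the slide's January x 12) and classifies each merchant. It assumes, as the deck's worst case does, that every transaction is a Visa e-commerce transaction, and treats a count of exactly 1,000,000 as Level 2.

```python
# Added example (not from the CDG deck): project yearly volume from the January
# counts on the totals slide and map it onto the Visa merchant levels. Assumption:
# every transaction is a Visa e-commerce transaction (the deck's worst case) and
# a count of exactly 1,000,000 falls into Level 2.
LEVEL_3_ECOM_MIN = 20_000        # Level 3: 20,000 to 1 million e-commerce/yr
LEVEL_2_MIN = 1_000_000          # Level 2: 1 to 6 million, all channels
LEVEL_1_MIN = 6_000_000          # Level 1: over 6 million, all channels


def visa_merchant_level(total_txns, ecommerce_txns=None):
    """Return the Visa merchant level (1-4) for one year's transaction counts."""
    if ecommerce_txns is None:            # assume all volume is e-commerce
        ecommerce_txns = total_txns
    if total_txns > LEVEL_1_MIN:
        return 1
    if total_txns >= LEVEL_2_MIN:
        return 2
    if ecommerce_txns >= LEVEL_3_ECOM_MIN:
        return 3
    return 4


def project_yearly(january_txns):
    """Straight-line projection the totals slide uses (January x 12)."""
    return january_txns * 12


def classify_merchants(january_counts):
    """Map {merchant: January count} -> {merchant: (projected, level, headroom)}.

    headroom: e-commerce transactions still available before the merchant
    crosses from Level 4 into Level 3 (0 once it is at or past 20,000).
    """
    out = {}
    for name, jan in january_counts.items():
        yearly = project_yearly(jan)
        out[name] = (yearly, visa_merchant_level(yearly),
                     max(LEVEL_3_ECOM_MIN - yearly, 0))
    return out


# Constructed subset of the January column on the totals slide.
SAMPLE_JANUARY = {"Company 1": 22, "Company 18": 960, "Company 19": 1397}

if __name__ == "__main__":
    for name, (yearly, level, headroom) in classify_merchants(SAMPLE_JANUARY).items():
        print(f"{name}: {yearly:,} projected/yr -> Level {level}, "
              f"{headroom:,} below the Level 3 threshold")
```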
PCI SAQ VERSIONS

SAQ Version   Questions   Short Description
SAQ A         13          Card-not-present, all cardholder data (CHD) functions outsourced
SAQ B         29          Imprint or standalone, dial-out terminals only, no electronic CHD storage
SAQ C-VT      51          Web-based virtual terminal only, no electronic CHD storage
SAQ C         40          POS or payment system connected to Internet, no electronic CHD storage
SAQ D         288         All other merchants and all service providers eligible to complete an SAQ
PCI MAJOR REQUIREMENTS (SAQ D)

Objective: Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Objective: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Objective: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Objective: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
CDG ACTIONS UNDER VIEW
Planned
  Invoke a hosted pay solution so that MBS never has knowledge of the credit card number
  Discontinue storage of credit card numbers; use a token for making payments
Possible / Under consideration
  Possible suppression of the last 4 digits of the credit card
  Static and dynamic scanning for security vulnerabilities
PAYMENT VIA MERCHANT (CURRENT) (flow diagram not reproduced)
PAYMENT VIA WEB (CURRENT) (flow diagram not reproduced)
AUTOMATIC PAYMENT (CURRENT) (flow diagram not reproduced)
PAYMENT VIA WEB (NEW) (flow diagram not reproduced)
AUTOMATIC PAYMENT (NEW) (flow diagram not reproduced)
SO WHAT ABOUT SECURITY AND PCI?
The most important thing we can do is protect SPI information, which includes credit card data
We need to look at being PCI compliant to minimize our liability and, by inference, improve our security (it doesn’t guarantee a breach won’t occur)
At least one merchant is approaching a point where PCI compliance would be mandatory for Visa, if all their transactions were Visa related (unlikely)
We need to identify the SAQ and requirements that apply to the CDG and merchant environment, and distribute that information to companies in attendance
MERCHANT SECURITY CONSIDERATIONS
Employees have access to the credit card number when the card is given to them or its contents are communicated over the phone
Infected PCs can intercept keystrokes
Insecure networks (wired and wireless) provide opportunity for data to be intercepted
Tradeoffs exist:
  Security versus company’s end user complaints
  Security versus company’s customer complaints
SECURITY RELATED DISCUSSION TOPICS
Accounts and passwords
  Use of email accounts for login
  Forcing password changes for E-Care
  Introduction of additional security questions
Credit card data
  Don’t email credit card numbers
  Protect (or destroy) documents with complete credit card number information present
  Encourage use of E-Care and auto payment to avoid employee knowledge of credit card data
SECURITY RELATED DISCUSSION TOPICS (continued)
What data besides credit card numbers is SPI?
  SSN, birthdate, and bank account are considered SPI. What else should be?
Who should have access to the attributes and why?
  Do the MBS security roles reflect who should have access to review or modify the information?
NOTE: SOME REFERENCE MATERIALS FOLLOW
CDG SECURITY SAFEGUARDS
SSL encryption using an EV certificate with 2048-bit key strength
Programming measures have been taken to help avoid CSRF (cross-site request forgery), XSS (cross-site scripting), and SQL injection attacks on our application
Hardware / software default account info is overridden
3rd-party scans (using Nessus) of the operational environment
Virus scans on PCs and servers within the organization
PC options are rules-based and devices are configurable by system administrators
Automatic timeouts on PCs and sessions
MBS USER ACCOUNT SECURITY (CDG)
Use of privilege codes to enforce roles and access
Leveraging of Microsoft Active Directory
User IDs use FIMILI followed by company number
Password requires 7 characters, of which three of the following four categories must be met: upper case, lower case, numeric and special character
Passwords must change every 35 days
Account locked after 3 failed login attempts
MBS USER ACCOUNT SECURITY (LICENSEE)
Use of privilege codes to enforce roles and access
Use of Microsoft Active Directory optional (no licensees currently use it)
User ID has no constraints beyond being at least 1 character long
Password requires 7 characters, of which three of the following four categories must be met: upper case, lower case, numeric and special character
Password expiration optional
Account locked after 5 failed login attempts
CDG USER ACCOUNT SECURITY (ECARE)
User IDs must be at least 7 characters, of which one must be alphabetic and one must be numeric
User IDs can optionally be an email address
Passwords require 7 characters, of which three of the following four categories must be met (upper case, lower case, numeric and special character), and the characters cannot be part of the login
Seven failed login attempts locks the account until:
  They are unlocked manually by an MBS user
  30 minutes pass
  The user does a password reset
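The password and lockout rules on the three account-security slides (CDG, licensee and E-Care) expressed as checkable profiles, as an added example that is not CDG or MBS code. It assumes that "the characters cannot be part of the login" means the password and user ID must not contain each other, and that a lockout with no timed unlock stays locked until a manual reset.

```python
# Added example, not CDG/MBS code: password and lockout rules from the three
# account-security slides. Assumptions: "characters cannot be part of the login"
# means password and user ID must not contain each other; lockout_minutes=0 = no timed unlock.
import string
from dataclasses import dataclass
@dataclass(frozen=True)
class Policy:
    lockout_attempts: int
    min_length: int = 7
    min_categories: int = 3              # of upper, lower, digit, special
    forbid_login_overlap: bool = False
    lockout_minutes: int = 0

MBS_CDG = Policy(lockout_attempts=3)
MBS_LICENSEE = Policy(lockout_attempts=5)
ECARE = Policy(lockout_attempts=7, forbid_login_overlap=True, lockout_minutes=30)
CATEGORIES = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)

def password_problems(password, login, policy):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    used = sum(any(test(c) for c in password) for test in CATEGORIES)
    if used < policy.min_categories:
        problems.append(f"only {used} of 4 character categories used")
    p, l = password.lower(), login.lower()
    if policy.forbid_login_overlap and (l in p or p in l):
        problems.append("password overlaps the user ID")
    return problems

class LockoutState:
    def __init__(self, policy):
        self.policy, self.failures, self.locked_at = policy, 0, None

    def is_locked(self, now_min):
        expiry = self.policy.lockout_minutes
        if self.locked_at is not None and expiry and now_min - self.locked_at >= expiry:
            self.reset()                     # 30 minutes passed (E-Care rule)
        return self.locked_at is not None

    def record_failure(self, now_min):       # True once the account is locked
        if not self.is_locked(now_min):
            self.failures += 1
            if self.failures >= self.policy.lockout_attempts:
                self.locked_at = now_min
        return self.is_locked(now_min)

    def reset(self):                         # manual unlock or password reset
        self.failures, self.locked_at = 0, None
```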
CDG SPI SAFEGUARDS
Credit card number, SSN, and bank account data are encrypted in the database with high-grade RC4, 128-bit keys
Only the last 4 digits of the credit card are available for viewing
Last 4 digits of SSN displayed by default
Bank account can be and is usually masked
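The display rules on this slide (card: only the last 4 ever shown; SSN: last 4 by default; bank account: masked by default) as an added example that is not CDG code, together with a check for full card numbers leaking into text such as an e-mail or log line, which the earlier discussion slide warns against. The `reveal` flag and the Luhn filter are assumptions, not something the deck describes.

```python
# Added example, not CDG code: the display rules on the SPI safeguards slide
# (card: only last 4 ever shown; SSN: last 4 by default; bank account: masked
# by default) plus a check for full card numbers leaking into text such as an
# e-mail or log line. The `reveal` flag and the Luhn filter are assumptions.
import re

MASK_RULES = {
    # field: (trailing digits kept visible, may the full value be revealed?)
    "card": (4, False),
    "ssn": (4, True),
    "bank_account": (0, True),
}

def mask_spi(field, value, reveal=False):
    """Replace all but the trailing kept digits with '*', keeping separators."""
    keep, revealable = MASK_RULES[field]
    if reveal and revealable:
        return value
    digit_positions = [i for i, c in enumerate(value) if c.isdigit()]
    hidden = set(digit_positions[:max(len(digit_positions) - keep, 0)])
    return "".join("*" if i in hidden else c for i, c in enumerate(value))

def luhn_ok(digits):
    """Standard Luhn check-digit test on a string of digits."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text):
    """Return full card numbers (13-19 digits, space/dash separators) found in text.

    Masked forms such as '**** **** **** 1111' leave too few digits to match."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]

# Constructed sample line; 4111 1111 1111 1111 is the well-known Visa test number.
SAMPLE_LINE = "pay ok for 4111 1111 1111 1111; receipt shows **** **** **** 1111"

if __name__ == "__main__":
    print(mask_spi("card", "4111 1111 1111 1111"))     # **** **** **** 1111
    print(mask_spi("ssn", "123-45-6789"))               # ***-**-6789
    print(find_unmasked_pans(SAMPLE_LINE))              # ['4111 1111 1111 1111']
```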