MBS CREDIT CARD PROCESSING AND PCI REQUIREMENTS
Phil Goble, Mike Chalk

Transcript of the slide deck (23 pages).

Page 1: Title slide

Page 2: PCI DSS

Payment Card Industry (PCI) Data Security Standard (DSS)

Applies to everyone handling cardholder data:

  Merchants

  Service providers

  Payment gateways

Self Assessment Questionnaire (SAQ) applies for most merchants

Different forms of SAQ apply based on role and processing infrastructure

12 major requirements

Page 3: PCI PARTICIPANT ROLES

Page 4: PCI VISA MERCHANT LEVELS

Level / Tier 1

  Merchant criteria: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region

  Validation requirements:

    Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"), or by an Internal Auditor if signed by an officer of the company

      o The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor ("ISA") certification

    Quarterly network scan by an Approved Scan Vendor ("ASV")

    Attestation of Compliance form

Level / Tier 2

  Merchant criteria: merchants processing 1 million to 6 million Visa transactions annually (all channels)

  Validation requirements:

    Annual Self-Assessment Questionnaire ("SAQ")

    Quarterly network scan by ASV

    Attestation of Compliance form

Level / Tier 3

  Merchant criteria: merchants processing 20,000 to 1 million Visa e-commerce transactions annually

  Validation requirements:

    Annual SAQ

    Quarterly network scan by ASV

    Attestation of Compliance form

Level / Tier 4

  Merchant criteria: merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually

  Validation requirements:

    Annual SAQ recommended

    Quarterly network scan by ASV if applicable

    Compliance validation requirements set by merchant bank

Page 5: CDG MONTHLY MERCHANT TOTALS

Company      Amount Charged   January Transactions   Projected Yearly Transactions
Company 1    $3,528.02        22                     264
Company 2    $1,448.22        39                     468
Company 3    $5,266.15        67                     804
Company 4    $67,289.60       70                     840
Company 5    $7,323.37        71                     852
Company 6    $6,626.13        73                     876
Company 7    $13,388.27       181                    2,172
Company 8    $17,853.04       227                    2,724
Company 9    $44,679.98       384                    4,608
Company 10   $39,678.89       476                    5,712
Company 11   $70,533.30       632                    7,584
Company 12   $40,160.71       688                    8,256
Company 13   $52,212.21       709                    8,508
Company 14   $76,814.29       717                    8,604
Company 15   $96,345.84       724                    8,688
Company 16   $59,469.59       790                    9,480
Company 17   $89,527.60       800                    9,600
Company 18   $76,964.64       960                    11,520
Company 19   $150,890.28      1,397                  16,764
Total        $920,000.13      9,027                  108,324
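As an added example (not CDG's or MBS's code), the Visa level criteria from page 4 written as a function and applied to the January counts from page 5, projected to a year by multiplying by 12 as the slide does. The share of transactions that are Visa e-commerce is an assumption the slides do not give; the level-1 designation flag covers the "identified as Level 1 by any Visa region" clause.

```python
# Visa merchant level classification from the page 4 criteria (added example,
# not CDG/MBS code). The e-commerce share passed to projected_level() is an
# assumption; the slides only give total transaction counts.
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class VisaLevel:
    level: int
    validation: Tuple[str, ...]

LEVELS = {
    1: VisaLevel(1, ("Annual ROC by QSA or internal auditor (ISA recommended)",
                     "Quarterly ASV network scan", "Attestation of Compliance form")),
    2: VisaLevel(2, ("Annual SAQ", "Quarterly ASV network scan",
                     "Attestation of Compliance form")),
    3: VisaLevel(3, ("Annual SAQ", "Quarterly ASV network scan",
                     "Attestation of Compliance form")),
    4: VisaLevel(4, ("Annual SAQ recommended", "Quarterly ASV scan if applicable",
                     "Validation requirements set by merchant bank")),
}

def visa_merchant_level(annual_all_channels: int, annual_ecommerce: int,
                        designated_level1: bool = False) -> VisaLevel:
    """Map annual Visa transaction counts to the merchant level on the slide."""
    if annual_ecommerce > annual_all_channels:
        raise ValueError("e-commerce transactions are a subset of all-channel transactions")
    if designated_level1 or annual_all_channels > 6_000_000:
        return LEVELS[1]                    # over 6M (all channels) or designated
    if annual_all_channels >= 1_000_000:
        return LEVELS[2]                    # 1M to 6M (all channels)
    if annual_ecommerce >= 20_000:
        return LEVELS[3]                    # 20k to 1M, e-commerce volume only
    return LEVELS[4]                        # under 20k e-commerce, up to 1M overall

def projected_level(january_txns: int, ecommerce_share: float) -> VisaLevel:
    """Project a January count to a year (x12, as on page 5) and classify it."""
    yearly = january_txns * 12
    return visa_merchant_level(yearly, int(yearly * ecommerce_share))
```

Company 19 (1,397 January transactions) projects to 16,764, which stays at level 4 even if every transaction were Visa e-commerce; that is the "approaching a point" remark on page 14.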

Page 6: PCI SAQ VERSIONS

SAQ Version   Questions   Short Description
SAQ A         13          Card-not-present, all cardholder data (CHD) functions outsourced
SAQ B         29          Imprint or standalone, dial-out terminals only, no electronic CHD storage
SAQ C-VT      51          Web-based virtual terminal only, no electronic CHD storage
SAQ C         40          POS or payment system connected to Internet, no electronic CHD storage
SAQ D         288         All other merchants and all service providers eligible to complete an SAQ

Page 7: PCI MAJOR REQUIREMENTS (SAQ D)

Objective / High Level Compliance Requirements

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know

  8. Identify and authenticate access to system components

  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

Page 8: CDG ACTIONS UNDER VIEW

Planned

  Invoke host pay solution to avoid any knowledge of credit card number by MBS

  Discontinue storage of credit card number, use token for making payments

Possible / Under consideration

  Possible suppression of last 4 of credit card

  Static and dynamic scanning for security vulnerabilities

Page 9: PAYMENT VIA MERCHANT (CURRENT)

Page 10: PAYMENT VIA WEB (CURRENT)

Page 11: AUTOMATIC PAYMENT (CURRENT)

Page 12: PAYMENT VIA WEB (NEW)

Page 13: AUTOMATIC PAYMENT (NEW)

Page 14: SO WHAT ABOUT SECURITY AND PCI?

The most important thing we can do is protect SPI information, which includes credit card data

We need to look at being PCI compliant to minimize our liability and, by inference, improve our security (it doesn't guarantee a breach won't occur)

At least one merchant is approaching a point where PCI compliance would be mandatory for Visa, if all their transactions were Visa related (unlikely)

We need to identify the SAQ and requirements that apply to the CDG and merchant environment, and distribute that information to companies in attendance

Page 15: MERCHANT SECURITY CONSIDERATIONS

Employees have access to the credit card number when the card is given to them or its contents are communicated over the phone

Infected PCs can intercept keystrokes

Insecure networks (wired and wireless) provide opportunity for data to be intercepted

Tradeoffs exist

  Security versus company's end user complaints

  Security versus company's customer complaints

Page 16: SECURITY RELATED DISCUSSION TOPICS

Accounts and passwords

  Use of email accounts for login

  Forcing password changes for E-Care

  Introduction of additional security questions

Credit card data

  Don't email credit card numbers

  Protect (or destroy) documents with complete credit card number information present

  Encourage use of E-Care and auto payment to avoid employee knowledge of credit card data

Page 17: SECURITY RELATED DISCUSSION TOPICS (continued)

What data besides credit card numbers is SPI?

  SSN, birthdate, and bank account are considered SPI. What else should be?

Who should have access to the attributes and why?

  Do the MBS security roles reflect who should have access to review or modify the information?

Page 18: NOTE: SOME REFERENCE MATERIALS FOLLOW

Page 19: CDG SECURITY SAFEGUARDS

SSL encryption using an EV certificate with 2048-bit key strength

Programming measures have been taken to help avoid CSRF (cross-site request forgery), XSS (cross-site scripting), and SQL injection attacks on our application

Hardware / software default account info is overridden

3rd party scans (using Nessus) of the operational environment

Virus scans on PCs and servers within the organization

PC options are rules based and devices are configurable by system administrators

Automatic timeouts on PCs and sessions

Page 20: MBS USER ACCOUNT SECURITY (CDG)

Use of privilege codes to enforce roles and access

Leveraging of Microsoft Active Directory

User IDs use FIMILI followed by company number

Passwords require 7 characters and must satisfy three of the following four categories: upper case, lower case, numeric, special character

Passwords must change every 35 days

Account locked after 3 failed login attempts

Page 21: MBS USER ACCOUNT SECURITY (LICENSEE)

Use of privilege codes to enforce roles and access

Use of Microsoft Active Directory optional (no licensees currently use it)

User ID has no constraints beyond being at least 1 character long

Passwords require 7 characters and must satisfy three of the following four categories: upper case, lower case, numeric, special character

Password expiration optional

Account locked after 5 failed login attempts

Page 22: CDG USER ACCOUNT SECURITY (ECARE)

User IDs must be at least 7 characters, of which one must be alphabetic and one must be numeric

User IDs can optionally be an email address

Passwords require 7 characters and must satisfy three of the following four categories: upper case, lower case, numeric, special character; the characters cannot be part of the login

Seven failed login attempts lock the account until one of the following happens:

  It is unlocked manually by an MBS user

  30 minutes pass

  The user does a password reset
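The three account profiles from pages 20 to 22 as one set of policy checks, added here as an example rather than MBS or E-Care code. Assumptions: the "7 characters" requirement is treated as a minimum; the E-Care rule that "the characters cannot be part of the login" is read as "the login must not appear inside the password"; the 35-day rotation on page 20 is not modelled.

```python
# Account-policy checks modelled on the profiles on pages 20-22 (added example, not
# MBS/E-Care code). "Characters cannot be part of the login" is read as "the login must
# not appear inside the password" (assumption); the 35-day rotation is not modelled.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccountPolicy:
    max_failed_logins: int
    lockout_seconds: Optional[int] = None   # None: locked until manual unlock or reset
    forbid_login_in_password: bool = False

CDG_INTERNAL = AccountPolicy(max_failed_logins=3)
LICENSEE = AccountPolicy(max_failed_logins=5)
ECARE = AccountPolicy(max_failed_logins=7, lockout_seconds=30 * 60, forbid_login_in_password=True)

_CATEGORIES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def password_ok(policy: AccountPolicy, user_id: str, password: str) -> bool:
    """All three profiles: 7+ characters from at least three of the four categories."""
    if len(password) < 7 or sum(any(t(c) for c in password) for t in _CATEGORIES) < 3:
        return False
    return not (policy.forbid_login_in_password and user_id.lower() in password.lower())

def ecare_user_id_ok(user_id: str) -> bool:
    """E-Care IDs: an email address, or 7+ characters containing a letter and a digit."""
    if _EMAIL.match(user_id):
        return True
    return len(user_id) >= 7 and any(c.isalpha() for c in user_id) and any(c.isdigit() for c in user_id)

@dataclass
class LoginState:
    failed: int = 0
    locked_at: Optional[float] = None   # seconds; set when the lockout began
def record_failure(policy: AccountPolicy, state: LoginState, now: float) -> None:
    state.failed += 1
    if state.failed >= policy.max_failed_logins:
        state.locked_at = now

def unlock(state: LoginState) -> None:   # manual unlock by an MBS user, or a password reset
    state.failed, state.locked_at = 0, None
def is_locked(policy: AccountPolicy, state: LoginState, now: float) -> bool:
    """A timed lockout (E-Care: 30 minutes) clears itself; the others need unlock()."""
    if state.locked_at is None: return False
    if policy.lockout_seconds is not None and now - state.locked_at >= policy.lockout_seconds:
        unlock(state)
        return False
    return True
```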

Page 23: CDG SPI SAFEGUARDS

Credit card number, SSN, and bank account data are encrypted in the database with high-grade RC4, 128-bit keys

Only last 4 of credit card available for viewing

Last 4 of SSN displayed by default

Bank account can be and is usually masked
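An added example (not CDG or MBS code) of the token flow planned on page 8 together with the last-4 display rule on this page: the merchant-side record holds only a token and the last four digits, and the full PAN is held by the vault, which in the planned design is the host-pay provider's. The vault here is an in-memory dict and the PAN value is a constructed Luhn-valid sample; the at-rest encryption step from this page is left out.

```python
# Tokenised card handling (added example, not CDG/MBS code): the merchant keeps a
# token plus last-4, the vault keeps the PAN. The vault stand-in is a plain dict
# with no at-rest encryption; a real one would sit with the host-pay provider.
import secrets
from dataclasses import dataclass

def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject mistyped numbers before they reach the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # double every second digit from the right
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Only the last four digits are ever shown (page 23)."""
    digits = "".join(d for d in pan if d.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass(frozen=True)
class PaymentMethod:
    token: str   # what MBS stores and later charges with
    last4: str   # the only PAN-derived value MBS keeps

class TokenVault:
    """Stand-in for the host-pay provider's vault. Tokens are random, so nothing
    about the PAN can be recovered from a token without the vault itself."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> PaymentMethod:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        digits = "".join(d for d in pan if d.isdigit())
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = digits
        return PaymentMethod(token=token, last4=digits[-4:])

    def charge(self, method: PaymentMethod, amount_cents: int) -> dict:
        """Simulated payment: the merchant supplies a token, never a PAN."""
        if method.token not in self._by_token:
            raise KeyError("unknown token")
        return {"token": method.token, "amount_cents": amount_cents, "approved": True}

# Constructed test number (a widely used Luhn-valid sample), not a real card
SAMPLE_PAN = "4111 1111 1111 1111"
```

RC4, which this page names for the at-rest encryption, is no longer regarded as strong cryptography; a current implementation of that step would use an authenticated cipher such as AES-GCM with keys held outside the database.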