Public PCI DSS for Retail Industry March 21, 2014.


Page 1: PCI DSS for Retail Industry

March 21, 2014

Public

Page 2: Agenda

• Threat Landscape

• Payment Ecosystem

• Overview of PCI DSS

• Bank’s Approach for PCI DSS Compliance

Page 3: Threat Landscape

• Increased focus on compromising POS systems at retail outlets
• Successful data breaches resulting in the leakage of millions of cardholder data records
• Sophisticated attack vectors being used to breach security controls

Affected retailers: Target, Neiman Marcus, Schnucks Markets Inc, Harbor Freight, MAPCO Express, and many more

Malicious executables: JackPOS, Dexter, Chewbacca, Project Hack, POSRAM Trojan, and many more

Advanced mitigation controls

• Implement PCI DSS and PA-DSS controls
• Lock down POS terminals to allow only the basic requisite applications (whitelist)
• Implement an anti-malware / anti-virus solution capable of detecting variants of known malicious executables
• Implement advanced monitoring solutions
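The whitelist control above, as an added example that is not part of the original slides: a hash-based allowlist audit written in Python. It assumes a golden-image copy of the terminal's application directory is available to hash; the directory names, file contents and the "trojaned driver plus dropped scraper" scenario in demo() are constructed for the demonstration. The point it makes is that the allowlist must key on content hashes, not file names: a replaced binary that keeps its name is reported as modified, a new binary with a plausible system name as unknown.

```python
"""Hash-based application allowlist audit for a POS terminal.

Added example; not code from the original slides. Assumes a "golden image"
copy of the terminal's application directory is available to hash. All
directory names, file contents and the attack scenario in demo() are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256.
    Keying on the hash rather than the name is what makes this an allowlist."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live tree against the allowlist.

    Buckets: ok (known path, hash matches), modified (known path, hash
    differs), unknown (path not allowlisted), missing (allowlisted path gone).
    """
    result: dict[str, list[str]] = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen: set[str] = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = allowlist.get(rel)
        if expected is None:
            result["unknown"].append(rel)
        elif expected != sha256_file(p):
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["missing"] = sorted(set(allowlist) - seen)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a golden image with two binaries; on the live
    terminal the printer driver has been replaced by a same-named file and
    a scraper has been dropped under a benign-looking system name."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = Path(tmp, "gold"), Path(tmp, "live")
        for base in (gold, live):
            (base / "pos").mkdir(parents=True)
            (base / "pos" / "posapp.exe").write_bytes(b"POSAPP build 1")
            (base / "pos" / "printer.dll").write_bytes(b"PRINTER DRIVER")
        allowlist = build_allowlist(gold)
        # Same name, different content: a name-only whitelist would accept it.
        (live / "pos" / "printer.dll").write_bytes(b"PRINTER DRIVER + scraper stub")
        # New file with a plausible name (constructed content, not real malware).
        (live / "pos" / "svchost.exe").write_bytes(b"RAM scraper stub")
        return audit(live, allowlist)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

In production the allowlist would be signed and stored off the terminal, and the audit scheduled alongside the monitoring solution so that a non-empty "modified" or "unknown" bucket raises an alert rather than a console line.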

Page 4: Threat landscape (figure)

Page 5: Payment Ecosystem – Terminology

Cardholder
• Customer purchasing products or services from a merchant
• Receives the payment card and bills from the issuer

Issuer
• Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa)
• Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)

Payment Brand
• Visa, MasterCard, Amex, Discover, JCB

Page 6: Payment Card Transaction Flow – Terminology

Merchant
• Organization accepting the payment card for payment during a purchase

Acquirer
• Bank or entity the merchant uses to process its payment card transactions
• Receives the authorization request from the merchant and forwards it to the issuer for approval
• Provides authorization, clearing and settlement services to merchants

Page 7: Payment Ecosystem – Authorization Flow (figure)

Page 8: Payment Ecosystem – Settlement Flow (figure)

Page 9: PCI DSS Overview – Some Key Terminology

AOC – Attestation of Compliance
SAQ – Self-Assessment Questionnaire
ROC – Report on Compliance
SAD – Sensitive Authentication Data (full track data, card verification code, PIN; must not be stored after authorization)
CHD – Cardholder Data
  • PAN – Primary Account Number (the card number, the core element of CHD)
ASV – Approved Scanning Vendor
QSA – Qualified Security Assessor
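To make the CHD / SAD distinction concrete, an added example that is not from the original slides: a Python scanner that finds Track 2 data (SAD) and bare PANs (CHD) in a byte buffer, confirms each candidate with the Luhn check so order numbers and timestamps do not trigger it, and reports only masked PANs (first six and last four digits, the PCI DSS Requirement 3.3 limit). The Track 2 layout follows ISO/IEC 7813 (start sentinel ';', PAN, '=', expiry YYMM, service code, discretionary data, end sentinel '?'); the SAMPLE buffer is constructed and the card numbers are industry test numbers that pass Luhn but belong to no account. The same search run over a POS process memory dump is what the RAM-scraping malware on the Threat Landscape slide does, and also how a monitoring team verifies that cleartext track data does not linger in memory after authorization.

```python
"""Locate cardholder data (PAN) and sensitive authentication data (Track 2)
in a byte buffer, validate with Luhn, and report masked.

Added example; not code from the original slides. The buffer in SAMPLE is
constructed; the card numbers are industry test numbers that pass the Luhn
check but belong to no account.
"""
from __future__ import annotations

import re

# Track 2 per ISO/IEC 7813: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare PAN candidate: 13-19 digits not touching other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS Req. 3.3 masking: at most the first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list[dict]:
    """Return findings ordered by offset, each tagged SAD (track data) or
    CHD (bare PAN). Only masked PANs go into the findings, so the report
    itself does not become cardholder data."""
    findings: list[dict] = []
    track_spans: list[tuple[int, int]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        track_spans.append(m.span())
        findings.append({
            "kind": "SAD", "what": "track2", "offset": m.start(),
            "pan": mask_pan(pan), "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in track_spans):
            continue  # part of a track record already reported above
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "CHD", "what": "pan", "offset": m.start(),
                             "pan": mask_pan(pan)})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: an application log line that leaked a PAN, an unrelated
# 13-digit order number (fails Luhn), a Track 2 record as a RAM scraper would
# find it in process memory, and a user id too short to be a PAN.
SAMPLE = (
    b"2014-03-21 10:15:02 txn ok amount=1299 pan=4111111111111111 auth=123456\n"
    b"order 9876543210123 shipped\n"
    b";5555555555554444=15121011234567890?\n"
    b"user 1234567890 logged in\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit tagged SAD after authorization is a Requirement 3.2 violation regardless of where it was found; a CHD hit in a log file means the PAN is being written somewhere it is not rendered unreadable, which widens the PCI DSS scope to that log store.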

Page 10: Payment Card Industry – Security Standards Council

Standard | Description
PCI PTS | Applies to hardware developers that design and build PIN entry devices.
PCI PA-DSS | Security requirements for software developers that build and resell payment applications to merchants.
P2PE | The Point-to-Point Encryption (P2PE) program is optional; it provides a comprehensive set of security requirements for P2PE solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.
PCI DSS | Security requirements for entities processing, storing and/or transmitting CHD.

Page 11: PCI DSS Overview – The standard

6 Goals
12 Requirements
62 Main clauses
289 Testing procedures

Goal 1: Build and Maintain a Secure Network

Goal 2: Protect Cardholder Data

Goal 3: Maintain a Vulnerability Management Program

Goal 4: Implement Strong Access Control Measures

Goal 5: Regularly Monitor and Test Networks

Goal 6: Maintain an Information Security Policy

Page 12: Merchant Levels

Merchant level by payment brand (transactions per year):

Payment brand | Level 1 | Level 2 | Level 3 | Level 4
AMEX | > 2.5 million | 50,000 to 2.5 million | < 50,000 | NA
DISCOVER | > 6 million | 1 million to 6 million | 20,000 to 1 million | Others
JCB | > 1 million | < 1 million | NA | NA
MasterCard | > 6 million | 1 million to 6 million | 20,000 to 1 million | Others
VISA | > 6 million | 1 million to 6 million | 20,000 to 1 million (e-commerce) | < 20,000 (e-commerce); < 1 million (other)

The payment brand reserves the right to deem the level irrespective of transaction volume.

Page 13: Merchant Reporting Requirements

Payment brand | Level 1 | Level 2 | Level 3 | Level 4
AMEX | Annual OA by QSA or IA; Quarterly network scan (ASV) | EU only: Annual SAQ; Quarterly network scan (ASV) (R) | EU only: SAQ (R) | NA
JCB | Annual OA by QSA; Quarterly network scan (ASV) | Annual SAQ; Quarterly network scan (ASV) | NA | NA
DISCOVER | Annual OA by QSA or IA; Quarterly network scan (ASV) | Annual SAQ; Quarterly network scan (ASV) | Acquirer to determine compliance validation | Annual SAQ (R); Quarterly network scan (ASV) (R)
MasterCard | Annual OA by QSA or IA; Quarterly network scan (ASV) | Annual SAQ; Quarterly network scan (ASV) | not stated on the slide | not stated on the slide
VISA | Annual OA by QSA; Quarterly network scan (ASV); Attestation of Compliance form | Annual SAQ; Quarterly network scan (ASV); Attestation of Compliance form | Annual SAQ; Quarterly network scan (ASV) | not stated on the slide

OA: Onsite Assessment; R: Recommended; IA: Internal Auditor

Page 14: Service Provider Levels

Payment brand | Level 1 | Level 2
AMEX | All TPPs | NA
DISCOVER | Does not categorize service providers into levels
JCB | All TPPs | NA
MasterCard | > 1 million | < 1 million
VISA Inc | > 300,000 | < 300,000

TPP: Third Party Processor. The payment brand reserves the right to deem the level irrespective of transaction volume.

Page 15: Service Provider Reporting Requirements

Payment brand | Level 1 | Level 2
AMEX | Annual OA by QSA or IA | NA
DISCOVER | Annual OA by QSA or IA, or Annual SAQ; Quarterly network scans by ASV (no levels)
JCB | Annual OA by QSA; Quarterly network scans by ASV | NA
MasterCard | Annual onsite review by QSA; Quarterly network scan by ASV | Annual SAQ; Quarterly network scan by ASV
VISA | Annual OA by QSA; Quarterly network scan by ASV; Attestation of Compliance form | Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance form

OA: Onsite Assessment; IA: Internal Auditor

Page 16: Need for PCI DSS Compliance

RBI Mandate
• RBI/2012-13/424, Section A, point iv: Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants.

Remain resilient to data breaches
• It is not just about compliance. It is a security imperative, especially in the wake of the recent high-profile data breach incidents at service providers and merchants. Compliance is incidental; the end objective is security.

Page 17: Bank’s Approach for PCI DSS Compliance

Two streams of compliance program

Bank Compliance
1. Onboarded a QSA company to support the implementation of PCI DSS controls at the enterprise level
2. Current-state assessment and implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes

Merchant Compliance
1. Deployed a portal to monitor PCI DSS compliance of merchants and service providers
2. Monitoring the compliance status of Level 1, Level 2 and Level 3 merchants and of Level 1 and Level 2 service providers
3. Assisting merchants and service providers in filling in the applicable SAQ

HDFC Bank has taken the initiative to share the data security alerts and advisories received from the payment brands with all its merchants. Take these alerts and advisories seriously: if they are not actioned in time you will get hit, either as a target or by a random attack.

Page 18: Thank You

Manish Pal, Information Security Group