Public
PCI DSS for Retail Industry
March 21, 2014
Agenda
• Threat Landscape
• Payment Ecosystem
• Overview of PCI DSS
• Bank’s Approach for PCIDSS Compliance
Threat Landscape
• Increased focus on compromising POS systems at retail outlets
• Successful data breaches resulting in the leakage of millions of cardholder data records
• Sophisticated attack vectors being used to breach security controls
Affected Retailers
• Target
• Neiman Marcus
• Schnucks Markets Inc
• Harbor Freight
• MAPCO Express
• ...and many more
Malicious executables
• JackPOS
• Dexter
• Chewbacca
• Project Hack
• POSRAM Trojan
• ...and many more
Advanced mitigation controls
• Implement PCI DSS and PA-DSS controls
• Lock down POS terminals to allow only the basic requisite applications (whitelist)
• Implement anti-malware and anti-virus solutions capable of detecting variants of malicious executables
• Implement advanced monitoring solutions
Payment Ecosystem – Terminologies
Card Holder
• Customer purchasing products or services from a merchant
• Receives the payment card and bills from the issuer
Issuer
• Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa)
• Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Payment Brand
• Visa, MasterCard, Amex, Discover, JCB
Payment Card Transaction Flow – Terminologies
Merchant
• Organization accepting the payment card for payment during a purchase
Acquirer
• Bank or entity the merchant uses to process its payment card transactions
• Receives the authorization request from the merchant and forwards it to the issuer for approval
• Provides authorization, clearing and settlement services to merchants
Payment Ecosystem – Authorization Flow
Payment Ecosystem – Settlement Flow
PCI DSS Overview – Some Key Terminologies
• AOC – Attestation of Compliance
• SAQ – Self-Assessment Questionnaire
• ROC – Report on Compliance
• SAD – Sensitive Authentication Data
• CHD – Cardholder Data
• PAN – Primary Account Number
• ASV – Approved Scanning Vendor
• QSA – Qualified Security Assessor
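As an added Python example (not part of the presentation or the bank's tooling), the authorization flow from the earlier slides (merchant to acquirer to issuer) modelled alongside the SAD/CHD/PAN terms above: the issuer's card table, card numbers, expiries and CVV2 values are constructed sample data, and the storage check is a simplified illustration of PCI DSS Requirement 3 (no SAD stored after authorization, PAN truncated), not a full implementation.

```python
"""Added example, not from the presentation: a toy authorization flow
(merchant -> acquirer -> issuer) plus the PCI DSS rule that SAD is never
stored after authorization and a stored PAN is truncated. Sample data only."""
import re
from dataclasses import dataclass

# Constructed issuer records: PAN -> (expiry, CVV2, available balance in cents)
ISSUER_CARDS = {
    "4111111111111111": ("12/26", "123", 50_000),
    "5555555555554444": ("01/25", "456", 1_000),
}
SAD_FIELDS = {"cvv2", "track_data", "pin_block"}  # Sensitive Authentication Data
FULL_PAN = re.compile(r"\b\d{13,19}\b")           # crude detector for an unmasked PAN


@dataclass
class AuthRequest:  # what the merchant sends: CHD (pan, expiry) plus SAD (cvv2)
    pan: str
    expiry: str
    cvv2: str
    amount_cents: int


def issuer_authorize(req: AuthRequest) -> dict:
    """Issuer: approve only if the card exists, expiry/CVV2 match and funds suffice."""
    card = ISSUER_CARDS.get(req.pan)
    if card is None or card[0] != req.expiry or card[1] != req.cvv2:
        return {"approved": False, "reason": "card verification failed"}
    if card[2] < req.amount_cents:
        return {"approved": False, "reason": "insufficient funds"}
    return {"approved": True, "auth_code": f"A{req.pan[-4:]}{req.amount_cents:06d}"}


def acquirer_forward(req: AuthRequest) -> dict:
    """Acquirer: receives the merchant's request and forwards it to the issuer."""
    return issuer_authorize(req)


def merchant_checkout(req: AuthRequest) -> dict:
    """Merchant: authorize via the acquirer, then keep only what PCI DSS allows
    (first six/last four of the PAN, amount, result); SAD is dropped."""
    resp = acquirer_forward(req)
    masked = req.pan[:6] + "*" * (len(req.pan) - 10) + req.pan[-4:]
    return {"pan_masked": masked, "expiry": req.expiry, "amount_cents": req.amount_cents,
            "approved": resp["approved"], "auth_code": resp.get("auth_code")}


def storage_violations(record: dict) -> list:
    """Detection: flag stored fields that would put a merchant record out of compliance."""
    issues = [f"SAD field stored: {k}" for k in record if k in SAD_FIELDS]
    issues += [f"unmasked PAN in field: {k}" for k, v in record.items()
               if isinstance(v, str) and FULL_PAN.search(v)]
    return issues
```

Running `storage_violations` over a record that still holds the full PAN and the CVV2 returns one finding per offending field, which is the kind of check a merchant-side log or database audit would apply.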
Payment Card Industry – Security Standards Council
Standard – Description
• PCI PTS – This standard applies to hardware developers that design and build PIN entry devices.
• PCI PA-DSS – This standard provides security requirements to software developers that build and resell payment applications to merchants.
• P2PE – The Point-to-Point Encryption (P2PE) program is optional and provides a comprehensive set of security requirements for P2PE solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.
• PCI DSS – Security requirements for entities processing, storing and/or transmitting CHD.
PCI DSS Overview – The Standard
• 6 Goals
• 12 Requirements
• 62 Main clauses
• 289 Testing procedures
Goal 1: Build and Maintain a Secure Network
Goal 2: Protect Cardholder Data
Goal 3: Maintain a Vulnerability Management Program
Goal 4: Implement Strong Access Control Measures
Goal 5: Regularly Monitor and Test Networks
Goal 6: Maintain an Information Security Policy
Merchant Levels
Payment brand by merchant level (transaction volume)
• AMEX – Level 1: > 2.5 million; Level 2: 50,000 to 2.5 million; Level 3: < 50,000; Level 4: NA
• DISCOVER – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million; Level 4: Others
• JCB – Level 1: > 1 million; Level 2: < 1 million; Level 3: NA
• MasterCard – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million; Level 4: Others
• VISA – Level 1: > 6 million; Level 2: 1 million to 6 million; Level 3: 20,000 to 1 million (ecommerce); Level 4: < 20,000 (ecommerce), < 1 million (other)
Payment brand reserves the right to deem the level irrespective of transaction volume.
Merchant Reporting Requirements
Payment brand by merchant level (Level 1 | Level 2 | Level 3 | Level 4)
AMEX: Annual OA by QSA or IA | EU Only: Annual SAQ
• Quarterly N/W scan (ASV) (R) | • EU Only: SAQ (R) | NA
Quarterly Network Scan (ASV)
JCB: • Annual OA by QSA • Quarterly N/W scan (ASV) | • Annual SAQ • Quarterly N/W scan (ASV) | NA
DISCOVER: Annual OA by QSA or IA | Annual SAQ
Acquirer to determine compliance validation
Annual SAQ (R) | Quarterly N/W scan (ASV) (R)
Quarterly Network Scan (ASV)
MasterCard: Annual OA by QSA or IA | Annual SAQ
Quarterly Network Scan (ASV)
VISA: Annual OA by QSA | Annual SAQ
• Annual SAQ • Quarterly N/W scan (ASV)
Quarterly N/W scan (ASV) | Attestation of Compliance form
OA: Onsite Assessment; R: Recommended; IA: Internal Auditor
Service Provider Levels
Payment brand by service provider level
• AMEX – Level 1: All TPPs; Level 2: NA
• DISCOVER – Does not categorize service providers into levels
• JCB – Level 1: All TPPs; Level 2: NA
• MasterCard – Level 1: > 1 million; Level 2: < 1 million
• VISA Inc – Level 1: > 300,000; Level 2: < 300,000
TPP: Third Party Processor. Payment brand reserves the right to deem the level irrespective of transaction volume.
Service Provider Reporting Requirements
Payment brand by service provider level
• AMEX – Level 1: Annual OA by QSA or IA
• DISCOVER – Annual OA by QSA or IA, or Annual SAQ; Quarterly network scans by ASV
• JCB – Level 1: Annual OA by QSA; Quarterly network scans by ASV
• MasterCard – Level 1: Annual onsite review by QSA; Quarterly network scan by ASV. Level 2: Annual SAQ; Quarterly network scan by ASV
• VISA – Level 1: Annual OA by QSA; Quarterly network scan by ASV; Attestation of Compliance form. Level 2: Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance form
OA: Onsite Assessment; IA: Internal Auditor
Need for PCI DSS Compliance
RBI Mandate
• RBI/2012-13/424, Section A, Point iv: Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants.
Remain resilient to data breaches
• It is not just about compliance. It is a security imperative, especially in the wake of the recent high-profile data breach incidents at service providers and merchants. Compliance is incidental; the end objective is security.
Bank’s Approach for PCI DSS Compliance
Two streams of compliance program
Bank Compliance
1. On-boarded a QSA company to support the implementation of PCI DSS controls at the enterprise level
2. Current state assessment and implementation in progress for all payment applications (switch, payment gateways, etc.), infrastructure, network and processes
Merchant Compliance
1. Deployed a portal to monitor PCI DSS compliance for merchants and service providers
2. Monitoring the compliance status of Level 1, Level 2 and Level 3 merchants and Level 1 and Level 2 service providers
3. Assisting merchants and service providers in filling in the applicable SAQ
HDFC Bank has taken the initiative to share the data security alerts and advisories received from payment brands with all its merchants. Take these alerts and advisories seriously: if they are not actioned on time you will get hit, either as a target or by a random attack.
Thank You
Manish Pal, Information Security Group