The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful...
-
Upload
blaise-roy-york -
Category
Documents
-
view
219 -
download
2
Transcript of The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful...
The Payment Card Industry (PCI) Data Security Standard:
What it is and why you might find it useful
Fred Hopper, CISSP
TASK - 27 March 2007
2
+
IT Infrastructure Support, Network Management, Info Security and Corporate Security
Previous roles at Davis + Henderson and Canadian Standards Association
Head of Corporate Security for Metaca Corporation - one of Canada’s leading manufacturers and personalizers of Financial, Loyalty, ID, Satellite TV, Telco, Health, and Insurance cards.
My Background and Perspective
3
+ Payment Card Security – History
Companies who manufacture and personalize cards for other organizations (e.g. banks) are called Card Vendors
Card Vendor security has historically focused on the physical security of the product rather than data security.
4
+ The First Credit Card
The First Supper - Frank X. McNamara (1950)
5
+ Later Diners Club Cards
6
+ American Express
7
+ Today’s Risks
Most significant risk these days is with the compromise and misuse of the data rather than the physical card itself
Card Vendors have had to meet detailed Logical (i.e. Information) Security requirements in recent years, with detailed standards and annual audits
Current weak points in system – some merchants and third party data processors.
8
+ Today’s Risks
9
+ Card Skimming and Background for PCI DSS
Until the 1990’s, magstripe reading and encoding hardware and the knowledge to use it were hard to come by. Personal computers and inexpensive hardware changed everything.
Improvements and miniaturization in electronics in recent years has also been reflected in skimming equipment
Features of current equipment include flash memory, internal clocks, firmware supporting timestamps, databases, Bluetooth
Password protected access to memory and features to protect data from law enforcement and rival skimming gangs.
10
+ Skimming Hardware
11
+ Skimming Hardware
12
+ Skimming Hardware
13
+ Skimming Hardware
14
+ Skimming Hardware
15
+ Skimming Hardware
16
+ Skimming Hardware
17
+ Skimming Software
18
+ Counterfeiting Supplies
19
+ Important Card Data
Financial card dimensions, location of magnetic stripe, and data encoding and layout all covered in ISO standards
www.magtek.com
20
+ Important Card Data
21
+ Important Card Data
For processing transactions it is necessary for merchant to present multiple fields to acquiring financial institutions – e.g. PAN, expiry date, CVV/CVC, PVV or Pin Offset.
22
+ Payment Card Data
Skimming is still a lot of work and risk, why not just try to get card track data in bulk?
Carding sites exist to trade in stolen card numbers – e.g. Carderplanet, Mazafuka, Shadowcrew, Darkprofits
Where do these numbers come from? At lot of them are stolen from Merchants and Data Processors who store data more data than they need and do so insecurely, and are subsequently compromised
Payment card industry has been aware of this problem for years and has been responding in various ways, one of which is the Payment Card Industry Data Security Standard (PCI DSS).
23
+ Payment Card Security Standards Prior to 2004
Each card association had different rules
Visa: Account Information Secuity (AIS) and Cardholder Security Information Program (CISP)
MasterCard: Site Data Protection (SDP)
American Express: Data Security Standard (DSS)
Discover: Discover Information Security Compliance Program (DISC).
24
+ Formation of the PCI Security Standards Council
Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors – the PCI Data Security Standard (PCI DSS)
PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS
Version 1.0 of the PCI DSS was published in January 2005
Version 1.1 published in September 2006
www.pcisecuritystandards.org .
25
+ Scope of PCI DSS
If your shop handles financial card data:
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted
PCI DSS security requirements apply to all “system components” – defined as “any network component, server or application that is included in or connected to the cardholder data environment”
Failure to comply will eventually result in surcharges, fines and substantially increased liability in the event of a data breach
If a PAN is not stored, processed or transmitted then PCI DSS requirements do not apply.
26
+ Scope of PCI DSS
If your shop does not handle financial card data:
Strictly speaking, PCI DSS requirements do not apply to your organization
You may still want to utilize PCI DSS in order to protect personal information (NPPI), commercially sensitive information, trade secrets, etc.
Q: Why use PCI DSS instead of other InfoSec standards (e.g. ISO 17799?)
A: It’s concise (16 pages), easy to interpret and was developed through consensus by organizations who knew it would be a challenge to obtain compliance from it’s target audience. In other words, it is well thought out, well documented and attainable.
27
+ PCI DSS Requirements
The PCI Data Security Standard is comprised of 12 general requirements designed to:
Build and maintain a secure network
Protect cardholder data
Ensure the maintenance of vulnerability management programs
Implement strong access control measures
Regularly monitor and test networks
Ensure the maintenance of information security policies
Does this sound familiar?…..
28
+ PCI DSS vs. CISSP CBK
PCI DSS Control Objective CISSP CBK Domains
Build and Maintain a Secure Network
Telecommunications and Network Security
Protect Cardholder Data Cryptography
Maintain a Vulnerability Management Program
Applications and System Development Security
Implement Strong Access Control Measures
Access Control Systems and Methodology + Physical
Security
Regularly Monitor and Test Networks
Operations Security
Maintain an Information Security Policy
Security Management Practices
29
+ Control Objectives (1 of 6)
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
30
+ Sample of Format Used
31
+ Control Objectives (2 of 6)
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
32
+ Control Objectives (3 of 6)
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications.
33
+ Control Objectives (4 of 6)
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data.
34
+ Control Objectives (5 of 6)
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources
Requirement 11: Regularly test security systems and processes.
35
+ Control Objectives (6 of 6)
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
36
+ Conclusion
PCI DSS is out there and if your systems process payment card numbers, you must be compliant
Even of you do not process payment card numbers, the PCI DSS provides an excellent information security framework for your organization’s Information Security Management System.
Questions and Answers
Fred Hopper
Director, Corporate Security, IT and Quality
Metaca Corporation