Page 1: The Payment Card Industry (PCI) Data Security Standard: What it is and why you might find it useful

Fred Hopper, CISSP

TASK - 27 March 2007

Page 2: My Background and Perspective

IT Infrastructure Support, Network Management, Info Security and Corporate Security

Previous roles at Davis + Henderson and Canadian Standards Association

Head of Corporate Security for Metaca Corporation - one of Canada’s leading manufacturers and personalizers of Financial, Loyalty, ID, Satellite TV, Telco, Health, and Insurance cards.

Page 3: Payment Card Security – History

Companies that manufacture and personalize cards for other organizations (e.g. banks) are called Card Vendors.

Card Vendor security has historically focused on the physical security of the product rather than data security.

Page 4: The First Credit Card

The First Supper - Frank X. McNamara (1950)

Page 5: Later Diners Club Cards

Page 6: American Express

Page 7: Today’s Risks

The most significant risk these days is the compromise and misuse of card data rather than theft of the physical card itself.

Card Vendors have had to meet detailed Logical (i.e. Information) Security requirements in recent years, backed by detailed standards and annual audits.

The current weak points in the system are some merchants and third-party data processors.

Page 8: Today’s Risks

Page 9: Card Skimming and Background for PCI DSS

Until the 1990s, magstripe reading and encoding hardware, and the knowledge to use it, were hard to come by. Personal computers and inexpensive hardware changed everything.

Improvements and miniaturization in electronics in recent years have also been reflected in skimming equipment.

Features of current equipment include flash memory, internal clocks, firmware supporting timestamps, databases and Bluetooth.

Password-protected access to memory and other features protect the data from law enforcement and rival skimming gangs.

Pages 10-16: Skimming Hardware (image slides)

Page 17: Skimming Software

Page 18: Counterfeiting Supplies

Page 19: Important Card Data

Financial card dimensions, the location of the magnetic stripe, and the data encoding and layout are all covered by ISO standards.

www.magtek.com

Page 20: Important Card Data

Page 21: Important Card Data

To process a transaction, the merchant must present multiple fields to the acquiring financial institution – e.g. PAN, expiry date, CVV/CVC, PVV or PIN Offset.

Page 22: Payment Card Data

Skimming is still a lot of work and risk; why not just try to get card track data in bulk?

Carding sites exist to trade in stolen card numbers – e.g. Carderplanet, Mazafuka, Shadowcrew, Darkprofits.

Where do these numbers come from? A lot of them are stolen from Merchants and Data Processors who store more data than they need, store it insecurely, and are subsequently compromised.

The payment card industry has been aware of this problem for years and has been responding in various ways, one of which is the Payment Card Industry Data Security Standard (PCI DSS).

Page 23: Payment Card Security Standards Prior to 2004

Each card association had different rules

Visa: Account Information Security (AIS) and Cardholder Information Security Program (CISP)

MasterCard: Site Data Protection (SDP)

American Express: Data Security Standard (DSS)

Discover: Discover Information Security Compliance Program (DISC).

Page 24: Formation of the PCI Security Standards Council

Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for merchants and data processors – the PCI Data Security Standard (PCI DSS)

PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS

Version 1.0 of the PCI DSS was published in January 2005

Version 1.1 published in September 2006

www.pcisecuritystandards.org

Page 25: Scope of PCI DSS

If your shop handles financial card data:

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted

PCI DSS security requirements apply to all “system components” – defined as “any network component, server or application that is included in or connected to the cardholder data environment”

Failure to comply will eventually result in surcharges, fines and substantially increased liability in the event of a data breach

If a PAN is not stored, processed or transmitted then PCI DSS requirements do not apply.

Page 26: Scope of PCI DSS

If your shop does not handle financial card data:

Strictly speaking, PCI DSS requirements do not apply to your organization

You may still want to utilize PCI DSS in order to protect personal information (NPPI), commercially sensitive information, trade secrets, etc.

Q: Why use PCI DSS instead of other InfoSec standards (e.g. ISO 17799)?

A: It’s concise (16 pages), easy to interpret and was developed through consensus by organizations who knew it would be a challenge to obtain compliance from its target audience. In other words, it is well thought out, well documented and attainable.

Page 27: PCI DSS Requirements

The PCI Data Security Standard consists of 12 general requirements designed to:

Build and maintain a secure network

Protect cardholder data

Ensure the maintenance of vulnerability management programs

Implement strong access control measures

Regularly monitor and test networks

Ensure the maintenance of information security policies

Does this sound familiar?

Page 28: PCI DSS vs. CISSP CBK

PCI DSS Control Objective                    | CISSP CBK Domains
Build and Maintain a Secure Network          | Telecommunications and Network Security
Protect Cardholder Data                      | Cryptography
Maintain a Vulnerability Management Program  | Applications and System Development Security
Implement Strong Access Control Measures     | Access Control Systems and Methodology + Physical Security
Regularly Monitor and Test Networks          | Operations Security
Maintain an Information Security Policy      | Security Management Practices

Page 29: Control Objectives (1 of 6)

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Page 30: Sample of Format Used

Page 31: Control Objectives (2 of 6)

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
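As an added example (not from the presentation), a small Python scanner that does what the scope test on page 25 and Requirement 3 ask for in practice: it finds Luhn-valid PANs in a log sample and masks them to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines and card numbers are constructed test values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log (not real data): an order id that is not a PAN, three
# public test card numbers in different layouts, and one mistyped number.
SAMPLE_LOG = """\
2007-03-27 10:15:01 order=000123456789012 status=approved
2007-03-27 10:15:02 pan=4111111111111111 exp=0309 cvv=123
2007-03-27 10:15:03 pan=5500 0000 0000 0004 exp=1108
2007-03-27 10:15:04 pan=3782-822463-10005 exp=0510
2007-03-27 10:15:05 pan=4111111111111112 note=fails-luhn
"""

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every genuine PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the PCI DSS display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _digits(match: str) -> str:
    return re.sub(r"[ -]", "", match)

def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for each Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = _digits(m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits

def redact(text: str) -> str:
    """Return text with every Luhn-valid candidate replaced by its masked form."""
    def sub(m):
        digits = _digits(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return CANDIDATE_RE.sub(sub, text)
```

find_pans(SAMPLE_LOG) reports lines 2 to 4 and leaves the order id and the mistyped number alone; redact() is the form you would run over logs before they are stored.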

Page 32: Control Objectives (3 of 6)

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications.

Page 33: Control Objectives (4 of 6)

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data.

Page 34: Control Objectives (5 of 6)

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources

Requirement 11: Regularly test security systems and processes.

Page 35: Control Objectives (6 of 6)

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Page 36: Conclusion

PCI DSS is out there, and if your systems process payment card numbers, you must be compliant.

Even if you do not process payment card numbers, the PCI DSS provides an excellent information security framework for your organization’s Information Security Management System.

Page 37: Questions and Answers

Fred Hopper

Director, Corporate Security, IT and Quality

Metaca Corporation
