Donald E. Hester, CISSP, CISA, CAP, PSP, MCT
Maze & Associates / San Diego City College
www.LearnSecurity.org

Payment Card Industry Introduction 2010

Description: An introduction to PCI compliance and the Data Security Standard, including attestation requirements, PCI merchant levels and reporting requirements.

Page 1: Payment Card Industry Introduction 2010

Donald E. Hester, CISSP, CISA, CAP, PSP, MCT

Maze & Associates / San Diego City College
www.LearnSecurity.org

Payment Card Industry Introduction

Page 2: Payment Card Industry Introduction 2010

The Problem

Albert Gonzalez, 28

With accomplices, he was involved in most of the major data breaches: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.

Page 3: Payment Card Industry Introduction 2010

Alarming Trend

Chart: number of incidents per year.

Source:

Page 4: Payment Card Industry Introduction 2010

Top 10 Data Breaches

Date      Organization                                      Lost records
20-01-09  Heartland Payment Systems                          130,000,000
17-01-07  TJX Companies Inc.                                  94,000,000
01-06-84  TRW, Sears Roebuck                                  90,000,000
05-10-09  National Archives and Records Administration        76,000,000
19-06-05  CardSystems, Visa, MasterCard, American Express     40,000,000
24-06-04  America Online                                      30,000,000
22-05-06  U.S. Department of Veterans Affairs                 26,500,000
20-11-07  HM Revenue and Customs, TNT                         25,000,000
06-10-08  T-Mobile, Deutsche Telekom                          17,000,000
01-11-86  Canada Revenue Agency                               16,000,000

Total: 544,500,000
Current US Population: 303 million

Source:

Page 5: Payment Card Industry Introduction 2010

Retail Solutions Providers Association video: http://www.youtube.com/watch?v=7W-k3R2N7Zk

Page 6: Payment Card Industry Introduction 2010

Highest IT Priorities for 2008

1. Information Security Management
2. IT Governance
3. Business Continuity Management and Disaster Recovery Planning
4. Privacy Management
5. Business Process Improvement, Workflow and Process Exceptions Alerts (new to list)
6. Identity and Access Management
7. Conforming to Assurance and Compliance Standards
8. Business Intelligence (new to list)
9. Mobile and Remote Computing
10. Document, Forms, Content and Knowledge Management

Source: AICPA’s 19th Annual Top Technology Initiatives survey

Items 1, 2, 4, 6 and 7 are all PCI related.

Page 7: Payment Card Industry Introduction 2010

Highest IT Priorities for 2009

1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Transmission and Exchange
4. Business Process Improvement, Work Flow and Process Exception Alerts
5. Mobile and Remote Computing
6. Training and Competency
7. Identity and Access Management
8. Improved Application and Data Integration
9. Document, Forms, Content and Knowledge Management
10. Electronic Data Retention Strategy

Source: AICPA’s 20th Annual Top Technology Initiatives survey

Items 1, 2, 3, 6, 7 and 10 are all PCI related.

Page 8: Payment Card Industry Introduction 2010

Players

• Acquirer (Merchant Bank)
  – Bankcard association member that initiates and maintains relationships with merchants that accept payment cards
• Hosting Provider
  – Offers various services to merchants and other service providers
• Merchant
  – Provides goods and services for compensation
• Cardholder
  – Customer to whom a card is issued or individual authorized to use the card

Diagram of the players: Card Brand, Acquirer, Hosting Provider, Merchant, Cardholder.

Page 9: Payment Card Industry Introduction 2010

Players

• Card Brand
  – Issue fines
  – Determine compliance requirements
• PCI Security Standards Council
  – Maintain standards for PCI
  – Administer ASV & QSA
• Qualified Security Assessors
  – Certified to provide annual audits
• Approved Scanning Vendor
  – Certified to provide quarterly scans

Diagram of the players: Card Brands, PCI SSC, QSA, ASV.

Page 10: Payment Card Industry Introduction 2010

Various Standards

• American Express: DSOP
• Discover Network: DISC
• MasterCard: SDP
• Visa: CISP
• JCB

Page 11: Payment Card Industry Introduction 2010

PCI Council Standards

The brand programs (American Express DSOP, Discover Network DISC, MasterCard SDP, Visa CISP, JCB) all point to one standard: the PCI Data Security Standard.

Page 12: Payment Card Industry Introduction 2010

What does the PCI Council do?

• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors

Page 13: Payment Card Industry Introduction 2010

Website

https://www.pcisecuritystandards.org/

Page 14: Payment Card Industry Introduction 2010

What are the Standards?

• PCI DSS: PCI Data Security Standard
  – Overall standard, applies to all
• PA DSS: Payment Application Data Security Standard
  – Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security Standard
  – Supporting standard for PIN entry devices
  – Supporting standard for unattended payment terminals (UPT)

Page 15: Payment Card Industry Introduction 2010

PCI DSS

The Payment Card Industry Data Security Standard
• 6 Objectives (Goals)
• 12 Sections (Requirements)
• 194 Controls

Page 16: Payment Card Industry Introduction 2010

PCI DSS

Page 17: Payment Card Industry Introduction 2010

Standard Lifecycle

Page 18: Payment Card Industry Introduction 2010

PA DSS

• “PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP).

• The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.” – Payment Card Industry Security Standards Council

Page 19: Payment Card Industry Introduction 2010

PIN Transaction Security

• “The PCI PED security alignment initiative is aimed at ensuring that the cardholder’s PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device.

• The objective of the requirements is the provision of a single, consistent, and stringent standard for all PIN acceptance devices worldwide.”– Payment Card Industry Security Standards Council

Page 20: Payment Card Industry Introduction 2010

Who must comply?

• With PCI DSS
  – Any organization that processes, stores or transmits credit card information
• With PA DSS
  – Payment application developers
  – Merchants will be required to use only compliant applications by July 2010
• With PTS
  – Manufacturers of PIN entry devices
  – Merchants will be required to use only compliant hardware by July 2010
  – MasterCard PTS to be incorporated into PCI SSC April 30, 2010

Page 21: Payment Card Industry Introduction 2010

PCI Compliance

• This includes:
  • Organizations who only use paper based processing
  • Organizations who outsource the credit card processing
  • Organizations that process credit cards in house

Page 22: Payment Card Industry Introduction 2010

Is PCI law?

• The PCI DSS was developed by the payment card brands
• Compliance is compulsory if a merchant wishes to continue processing payment card transactions
• However, some States have enacted legislation that has made PCI compliance the law

Page 23: Payment Card Industry Introduction 2010

What if we are a small organization?

• “All merchants, whether small or large, need to be PCI compliant.

• The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.”– PCI SSC

Page 24: Payment Card Industry Introduction 2010

Cost?

• What happens when there is a data breach?
  – Depends if the merchant can reach safe harbor.

Page 25: Payment Card Industry Introduction 2010

What’s Safe Harbor?

Diagram labels: Incident Evaluation, Safe Harbor, $$$$$$

If compromised, take immediate action. “Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements.”

Page 26: Payment Card Industry Introduction 2010

What’s Safe Harbor?

If there is a data breach, the card brands will perform a forensic audit to determine if the organization was PCI DSS compliant at the time of the data breach.

Page 27: Payment Card Industry Introduction 2010

What’s Safe Harbor?

If the organization is found to be out of compliance at the time of the breach, it may be liable for the full cost of the breach, including the cost of the forensics, losses of cardholders, losses to the banks and losses to the card brand; in some states fines will also be assessed.

Page 28: Payment Card Industry Introduction 2010

What’s Safe Harbor?

In addition, the organization will be moved to the highest merchant level and will be required to meet the most stringent evidence requirements and the credit card processing fees will increase.

Page 29: Payment Card Industry Introduction 2010

What’s Safe Harbor?

To obtain safe harbor status a merchant must maintain full compliance at all times, including at the time of the breach as demonstrated during a forensic investigation.

Page 30: Payment Card Industry Introduction 2010

Safe Harbor Notes:

• For a merchant to be considered compliant, any Service Providers that store, process or transmit credit card account data on behalf of the merchant must also be compliant.

• The submission of compliance validation documentation alone does not provide the merchant with safe harbor status.

Page 31: Payment Card Industry Introduction 2010

Loss or theft of account information

• Members, service providers or merchants must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

• If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

• If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

• Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident. – Visa CISP program

Page 32: Payment Card Industry Introduction 2010

Fines

Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience, fine schedules for Visa and MasterCard are outlined below.

http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

Page 33: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

A Systematic Approach: Determine Cardholder Environment

Page 34: Payment Card Industry Introduction 2010

Action Items

• Document how your organization stores, processes or transmits credit card information
• Determine your merchant level
• Determine your validation requirements
  – Contact your merchant banks and acquirers
• Determine your SAQ validation type
• Find an ASV for compliance network vulnerability scans
  – Perform at least quarterly scans
• Annually fill out your SAQ
  – Turn in and/or keep on file

Page 35: Payment Card Industry Introduction 2010

10 Steps to Document Cardholder Environment

1. Determine Merchant Level (number of transactions)
2. List all Merchant Banks and Acquirers
3. List all outsourced processors, ASPs and third party processors
4. Document all Payment Applications
5. Document all PEDs used (Point of Interaction)
6. List all physical locations where CHD is processed, stored or transmitted
7. List all electronic storage of CHD
8. Document electronic transmission
9. Document policies that address PCI requirements
10. Implement applicable PCI DSS controls

Page 36: Payment Card Industry Introduction 2010

Step 1: Determine Merchant Level

• List the number of all credit card transactions for all Merchant Banks and Acquirers
• List by card brand as well
• Determine your merchant level based on total annual credit card transactions
• Number is based on the aggregate number of transactions for a DBA

Note: Merchant levels are defined by the Card Brands and determined by the Acquirer based on transaction volume.

Page 37: Payment Card Industry Introduction 2010

Step 2: Document Acquirers

• List all Acquirers, Merchant Banks and/or Acquiring Banks
• Include card brands when they act as acquirer, e.g. Amex, Discover, JCB
• Would never be Visa or MasterCard
• They determine your merchant level and reporting requirements

Page 38: Payment Card Industry Introduction 2010

Step 2: Document Acquirers

• Contact Information
  – Address
  – Phone Number
• Incident Response Team
• Website
  – Monitor for changes in requirements
• Any notes or documented conversations you have with them

Page 39: Payment Card Industry Introduction 2010

Step 3: Determine Service Providers

• A Service Provider is a business or entity that is directly involved in the processing, storage, transmission and switching of transaction data and/or cardholder data (CHD)
• Any service provider that has control over, or could have a security impact on, CHD

Page 40: Payment Card Industry Introduction 2010

Examples of Service Providers

• Transaction Processors
• Customer Service
• Call Centers
• Payment Gateways
• Credit Reporting
• External Sales
• Remittance Processing
• Card Embossing Companies
• Information security providers
• Offsite Data Storage Providers

Page 41: Payment Card Industry Introduction 2010

Manage Service Providers

• Maintain a list of service providers
• Maintain agreements that hold service providers responsible for security of CHD
  – Include reporting and breach notification
• Have a process to validate new service providers before they become service providers
• Have a program to monitor service provider compliance at least annually

Page 42: Payment Card Industry Introduction 2010

Step 4: Document Payment Applications

• List all payment applications
• Document the business use of the applications
• Determine if the application is compliant
• Determine if the application stores CHD
• Check PCI website for list of approved applications

Page 43: Payment Card Industry Introduction 2010

Action Items

• Contact the vendor; make sure payment applications are PA DSS compliant or will be.
• Contact your PIN device supplier; make sure you have compliant PIN Entry Devices.

https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://www.pcisecuritystandards.org/security_standards/vpa/

Page 44: Payment Card Industry Introduction 2010

Payment Applications

• In house applications
  – SDLC controls
  – Code reviews
  – Application firewalls
  – OWASP

Page 45: Payment Card Industry Introduction 2010

Step 5: Document PED

• List all Points of Interaction (POI)
  – List all PIN Entry Devices (PED)
  – List all Point of Interaction devices
  – List all Unattended Payment Terminals (UPT)
  – List all Point of Sale (POS) devices
• Document compliance for those devices currently required to be PCI compliant

Page 46: Payment Card Industry Introduction 2010
Page 47: Payment Card Industry Introduction 2010

PED

• PIN Entry Device
  – Scope of the standard increasing
• PIN Transaction Security (PTS)
  – Will include
    • UPT (Unattended Payment Terminals)
    • POI (Point of Interaction)
    • POS (Point of Sale Devices)
  – Standard addresses the vendors who make devices
  – Merchants must use approved devices

Page 48: Payment Card Industry Introduction 2010

Step 6: Physical CHD

• List all physical locations where PAN is processed, stored or transmitted
  – Paper
  – Receipts
  – Imprints
  – Carbon Copies
  – Locations of backup media
• Document Retention Period
  – Justify with business need
• Document Destruction Policy

Page 49: Payment Card Industry Introduction 2010

Step 7: Electronic Data Storage

• List all electronic storage of CHD
• Document business reason for storing and retention period
• Requirements in PCI DSS
  – Encryption
  – Access Controls and Audit logs
  – Never permitted to store full track data

Page 50: Payment Card Industry Introduction 2010

Cardholder Data

Category                       Data Element                  Storage Permitted  Protection Required  PCI DSS 3.4
Cardholder Data                Primary Account Number (PAN)  Yes                Yes                  Yes
Cardholder Data                Cardholder Name               Yes                Yes                  No
Cardholder Data                Service Code                  Yes                Yes                  No
Cardholder Data                Expiration Date               Yes                Yes                  No
Sensitive Authentication Data  Full Magnetic Stripe Data     No                 N/A                  N/A
Sensitive Authentication Data  CVC2 / CVV2 / CID / CAV2      No                 N/A                  N/A
Sensitive Authentication Data  PIN / PIN Block               No                 N/A                  N/A

Page 51: Payment Card Industry Introduction 2010

Places to look for CHD

• Electronic Image Files
• SANs
• Fax Servers
• Scan Archive
• Printer Spool
• Laserfiche
• Log Files
• Audio Recording: customer service call recordings
• Voicemail
• Email Server/Archive
• Backup Media
• Copier Scanner Cache
• Databases

Perform a search for CHD every 6 months.
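The two slides above, the storage-permitted table and the list of places to search, are the kind of thing a small discovery script can enforce. The following is an added example written for this page, not code from the slides or from the PCI SSC: it scans constructed sample "files" from the listed locations for Luhn-valid PAN candidates, reports them masked so the report does not itself become a new PAN store, and applies the table's rules when a transaction record is prepared for storage (sensitive authentication data dropped, PAN kept only as a truncated value). The field names, the regex, the sample text and the choice to truncate to the last four digits are this example's own assumptions; the card numbers are the industry's standard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (the outer lookarounds).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Data elements the slide table marks "Storage Permitted: No" (sensitive
# authentication data). The field names are this example's own convention.
SENSITIVE_AUTH_FIELDS = {"full_track", "cvv2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates in text, digits only, in order found."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display form, first six and last four only, for the scan report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_files(files: dict) -> dict:
    """files maps a path to its text content; returns {path: [masked PANs]}."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = [mask_pan(p) for p in pans]
    return report


def prepare_for_storage(record: dict) -> dict:
    """Apply the storage table: drop sensitive authentication data, keep the
    PAN only truncated (last four, an assumption of this example), and keep
    the other cardholder data elements (name, service code, expiration)."""
    stored = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_FIELDS:
            continue                      # storage never permitted
        if field == "pan":
            stored["pan_last4"] = value[-4:]
        else:
            stored[field] = value
    return stored


# Constructed sample "files" in some of the places the slide lists.
SAMPLE_FILES = {
    "fax-spool/job0042.txt": "Order 1188 card 4111 1111 1111 1111 exp 12/12",
    "logs/app.log": "2010-03-01 INFO txn ok ref=1234567890123456 phone 619-555-0123",
    "voicemail/transcript-7.txt": "caller read number 5555-5555-5555-4444 and hung up",
    "scan-archive/invoice-9.txt": "Invoice 000123 total 45.00 paid by check",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
    print(prepare_for_storage({"pan": "4111111111111111", "name": "J DOE",
                               "exp": "1212", "cvv2": "123", "full_track": "x"}))
```

The log line shows why the Luhn check matters: a 16-digit reference number is a false positive until the checksum rejects it, and the phone number never matches because it is too short. A real run would walk the spool, archive and backup directories named on the slide instead of a dictionary.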

Page 52: Payment Card Industry Introduction 2010

Unknown Storage

• Fax Machines and Copy Machines may store CHD

http://www.youtube.com/watch?v=iC38D5am7go

Page 53: Payment Card Industry Introduction 2010

Step 8: Document Data Transmission

• Not only do you need to know where your data is stored, you also need to know where it travels
• Create a Data Flow diagram
  – Diagram with CHD flow superimposed over the network diagram
• Evaluate the flow every 6 months, or more often if there has been a change
• Helps to determine the PCI scope and aids in determining network segmentation

Page 54: Payment Card Industry Introduction 2010

Document Data Flow

• With a network diagram document the flow of credit card information (transmission)

• Locate any places the information might be stored along the data path (storage)

Page 55: Payment Card Industry Introduction 2010

Step 9: Create Needed Policies

• What policies do you currently have that address PCI related issues?
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional subordinate policies, procedures or administrative directives for specific PCI control requirements
• Every PCI DSS control should be documented in some policy, procedure, administrative directive, SOP or schedule

Page 56: Payment Card Industry Introduction 2010

Step 10: Document PCI DSS

Page 57: Payment Card Industry Introduction 2010

PCI DSS

The Payment Card Industry Data Security Standard
• 6 Objectives (Goals)
• 12 Sections (Requirements)
• 194 Controls

Page 58: Payment Card Industry Introduction 2010

PCI DSS

Page 59: Payment Card Industry Introduction 2010

PII Policy

• If you already have a policy for handling confidential information or personally identifiable information add credit card information to confidential information or PII.

Page 60: Payment Card Industry Introduction 2010

PCI DSS

• Start implementing the data security standard, starting with policies
• Start with high level policies
  – “The City shall not store PAN (Credit Card Numbers) electronically or physically. Employees shall be trained on PCI standard annually. Background checks will be performed on all staff with access to credit card information.”

Page 61: Payment Card Industry Introduction 2010

PCI DSS

• Use the prioritized approach to implement the most important controls first.

Page 62: Payment Card Industry Introduction 2010

Document Compliance

• Determine if all PEDs are PCI compliant
• Determine if all payment applications are PCI compliant
• Determine if all 3rd party processors and 3rd parties are PCI compliant
• Obtain documentation from each
• Annually renew documentation from 3rd parties
• Annually check payment application and PED list

Page 63: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

A Systematic Approach: Validation Requirements

Page 64: Payment Card Industry Introduction 2010

Merchant Levels

• Each merchant is placed in levels based upon the number of transactions they process.

• These levels determine what evidence of compliance must be submitted. (Validation Requirements)

• Merchants with a low number of transactions can complete a self-assessment questionnaire.

• Merchants in the middle submit questionnaires and have external scans.

• At the highest level merchants must have a full independent audit and external scan.

Page 65: Payment Card Industry Introduction 2010

Validation Requirements

• External Scans by an ASV, at least quarterly

• Annually fill out SAQ – Even if bank has not requested one

• If level 1 or 2 you will need an audit from a QSA

• New Internal Security Assessor (ISA) program

Page 66: Payment Card Industry Introduction 2010

Merchant Levels

Merchant levels are determined by the annual number of transactions not the dollar amount of the transactions.

Merchant Level  E-commerce transactions        All other transactions
Level 1         Over 6 million annually        Over 6 million annually
Level 2         1 to 6 million annually        1 to 6 million annually
Level 3         20,000 to 1 million annually   N/A
Level 4         Up to 20,000 annually          Up to 1 million annually

Page 67: Payment Card Industry Introduction 2010

Merchant Levels: American Express

Merchant levels are determined by the annual number of transactions not the dollar amount of the transactions.

Merchant Level  Definition
Level 1         2.5 million American Express Card transactions or more per year; or any Merchant that has had a data incident; or any Merchant that American Express otherwise deems a Level 1
Level 2         50,000 to 2.5 million American Express Card transactions per year
Level 3         Less than 50,000 American Express Card transactions per year

Page 68: Payment Card Industry Introduction 2010

Validation Requirements

• The merchant level of the entity determines what the organization must do to validate its compliance with PCI DSS.
• Validation is required for Level 1, Level 2 and Level 3 merchants, and may be required for Level 4 merchants in the near future.
• Validation requirements are set by Acquirers and Card Brands, not PCI SSC

Page 69: Payment Card Industry Introduction 2010

Validation Requirements

Merchant Level  QSA Audit  Quarterly Network Scans  Self-Assessment Questionnaire
Level 1         Yes        Yes                      -
Level 2         *          Yes                      Yes
Level 3         -          Yes                      Yes
Level 4         -          Yes                      Yes

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance, whereby entities verify and demonstrate their compliance status.

* Starting 12-31-2010 MasterCard will require Annual QSA Audits for Level 2 Merchants

Page 70: Payment Card Industry Introduction 2010

Validation Requirements: American Express

Merchant Level  QSA Audit  Quarterly Network Scans  Self-Assessment Questionnaire
Level 1         Yes        Yes                      -
Level 2         -          Yes                      Yes
Level 3         -          Yes                      *

* Level 3 Merchants need not submit Validation Documentation, but still must comply with all other provisions of the DSOP.

Page 71: Payment Card Industry Introduction 2010

Who do you report to?

• Acquirers (Merchant Banks) are responsible for verifying compliance
• Some Acquirers (Merchant Banks) are already requiring merchants at level 4 to comply
  – “Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation.” - PCI SSC

Page 72: Payment Card Industry Introduction 2010

Network Vulnerability Scans

• The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance.

• Acquirers (Merchant Banks) require the quarterly submission of scan reports

• Scans must be performed by a PCI Approved Scanning Vendor (ASV)

Page 73: Payment Card Industry Introduction 2010

Network Vulnerability Scans

• These scans are automated, non-intrusive web scans.

• Internal Scans are also required by PCI DSS, however no submission is required for internal scans.

• See PCI SSC website for a list of Approved Scanning Vendors (ASV)

Page 74: Payment Card Industry Introduction 2010

Self Assessment Questionnaire

• The Payment Card Industry Security Standards Council (PCI SSC) revised the original version of the Self Assessment Questionnaire (SAQ) in February 2008 in order to address the various scenarios that can exist at a merchant’s point of sale environment.
• As most Acquirers (Merchant Banks) require Self Assessment Questionnaires at merchant levels 2, 3 and 4, it is important to know which version of the SAQ your business may need to complete.
• There are five SAQ validation categories.

Page 75: Payment Card Industry Introduction 2010

SAQ’s

SAQ Validation Type  Description                                                                                                                  SAQ v1.2
1                    Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.  A
2                    Imprint-only merchants with no electronic cardholder data storage                                                            B
3                    Stand-alone terminal merchants, no electronic cardholder data storage                                                        B
4                    Merchants with POS systems connected to the Internet, no electronic cardholder data storage                                  C
5                    All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.  D

Page 76: Payment Card Industry Introduction 2010

QSA Audit

• For level 1 merchants an independent audit by a Qualified Security Assessor (QSA) is required
  – Starting 12-31-2010 MasterCard will require Annual QSA Audits for Level 2 Merchants
• The QSA will issue a Report on Compliance (ROC) for the merchant

Page 77: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

Filling Out the SAQ

Page 78: Payment Card Industry Introduction 2010

Self Assessment Questionnaire

Merchants have different levels of SAQ, depending upon the risk of the processing environment.

Merchants who outsource processing or have paper-only processing have fewer questions to answer.

Merchants who process in house on a custom application have to answer all the questions.

Page 79: Payment Card Industry Introduction 2010

SAQ Validation Types

Page 80: Payment Card Industry Introduction 2010

SAQ FAQ

• Do merchants have to be compliant only with the questions on the SAQ?
  – No, merchants must comply with all of the PCI DSS.
  – The questions on the SAQ only reflect the controls with the highest risk based upon the merchant’s processing environment.
  – Controls can be N/A depending upon the merchant’s environment.

Page 81: Payment Card Industry Introduction 2010

SAQ FAQ

• What if my Merchant Bank has not required our organization to turn in our SAQ?
  – Contact your Merchant Banks and Acquirers
  – Complete the SAQ annually
  – Maintain a copy on file

Page 82: Payment Card Industry Introduction 2010

SAQ FAQ

• How can my organization find assistance in completing the SAQ?
  – The Council encourages organizations to seek professional guidance in achieving compliance and completing the Self-Assessment Questionnaire.
  – You are free to use any security professional of your choosing
  – PCI SSC recommends QSA or ISA

Page 83: Payment Card Industry Introduction 2010

SAQ FAQ

• What is an Attestation of Compliance?
  – The Attestation is your certification that you have performed the appropriate Self-Assessment and attest to your organization’s compliance status with the PCI DSS.

Page 84: Payment Card Industry Introduction 2010

SAQ A

Merchant level is determined by the total transactions of a business (DBA), not by the number of transactions per acquirer. That is why they have these questions.

Page 85: Payment Card Industry Introduction 2010

SAQ A

Do you know if your outsourced 3rd party provider is compliant? When you sign the Attestation of Compliance you sign off that you have confirmed third parties are PCI DSS compliant.

Page 86: Payment Card Industry Introduction 2010

SAQ A

When you select yes for PCI DSS Requirement 12 you are effectively attesting that you are compliant with all controls in section 12.

Page 87: Payment Card Industry Introduction 2010

All of PCI DSS

They added the following check box, just in case you want to plead that you did not know checking yes for compliance to section 12 meant that you complied with all controls in section 12.

Page 88: Payment Card Industry Introduction 2010

Items under section 12

• For example
  – 12.5.1 Establish, document, and distribute security policies and procedures
  – 12.6.1 Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
  – 12.8.1 Verify that the contract contains provisions requiring adherence to the PCI DSS requirements
  – 12.3.6 Acceptable network locations for the technologies

Page 89: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

A Continuous Process

Page 90: Payment Card Industry Introduction 2010

Continuous Process

Diagram: a cycle of Assess, Remediate, Report.

“PCI DSS compliance is much more than a “project” with a beginning and end – It’s an ongoing process of assessment, remediation and reporting” - PCI SSC

Page 91: Payment Card Industry Introduction 2010

Continuous Process

• Many of the PCI requirements have specific time interval requirements
• Create a schedule for time based requirements
• Some organizations already have ‘maintenance calendars’ for these types of actions
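A maintenance calendar for the time-based requirements can be kept as data and checked by a script. The following is an added example written for this page, not code from the slides: it takes the intervals the slides mention (quarterly ASV scans, the 6-monthly CHD search and data-flow review, the annual SAQ, service provider review, PED and application list check, and training), the date each task was last completed, and reports which are overdue or due soon. The task names, the day counts used for "quarterly", "6 months" and "annual", the 30-day warning window and the sample completion dates are this example's own assumptions.

```python
from datetime import date, timedelta

# Time-based PCI tasks named on the slides, with the interval in days this
# example assumes for each (quarterly = 91, 6 months = 182, annual = 365).
TASKS = {
    "ASV external vulnerability scan": 91,
    "Search for stored CHD": 182,
    "Review CHD data-flow diagram": 182,
    "Complete SAQ and attestation": 365,
    "Review service provider compliance": 365,
    "Check PED and payment application approval lists": 365,
    "Employee PCI training": 365,
}


def schedule(last_done: dict, today: date, warn_days: int = 30) -> list:
    """Return (task, due_date, status) rows sorted by due date.
    status is 'never done', 'overdue', 'due soon' (within warn_days) or 'ok'.
    A task with no completion date is treated as due today."""
    rows = []
    for task, interval in TASKS.items():
        last = last_done.get(task)
        if last is None:
            rows.append((task, today, "never done"))
            continue
        due = last + timedelta(days=interval)
        if due < today:
            status = "overdue"
        elif (due - today).days <= warn_days:
            status = "due soon"
        else:
            status = "ok"
        rows.append((task, due, status))
    rows.sort(key=lambda r: r[1])
    return rows


def overdue(last_done: dict, today: date) -> list:
    """Tasks that need action now, earliest due date first."""
    return [t for t, _, s in schedule(last_done, today)
            if s in ("overdue", "never done")]


# Constructed sample: when each task was last completed at a fictional merchant.
LAST_DONE = {
    "ASV external vulnerability scan": date(2010, 2, 15),
    "Search for stored CHD": date(2010, 1, 10),
    "Review CHD data-flow diagram": date(2009, 11, 1),
    "Complete SAQ and attestation": date(2009, 7, 1),
    "Review service provider compliance": date(2009, 9, 15),
    "Employee PCI training": date(2010, 5, 20),
    # the PED / application list check has never been recorded
}

if __name__ == "__main__":
    for task, due, status in schedule(LAST_DONE, date(2010, 6, 1)):
        print(f"{due}  {status:10}  {task}")
```

Run against the sample on 2010-06-01, the data-flow review (due 2 May) and the ASV scan (due 17 May) come out overdue, the never-recorded PED list check is flagged, and the SAQ (due 1 July) is due soon. The point of keeping the intervals in a table is that a missed quarterly scan surfaces before the acquirer asks for the report, not after.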

Page 92: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

Common Audit Findings

Page 93: Payment Card Industry Introduction 2010

Common Findings

• Clients think they are compliant
  – Because they do quarterly network scans
  – Because they filled out the SAQ
  – Because they have too few transactions
• Reality
  – Validation is not compliance
  – Compliance is an ongoing process
  – PCI DSS is required for all merchants, regardless of the number of transactions

Page 94: Payment Card Industry Introduction 2010

Common Findings

• Payment card information on paper
• No network segmentation
• Logging Access
• Shared Passwords
• Verifying compliance of outsourced processing
• No one is assigned responsibility
• Not aware of PAN storage in application

Page 95: Payment Card Industry Introduction 2010

PCI Pitfalls

• PCI will not make an organization’s network or data secure
• PCI DSS focuses on one type of data: payment card transactions
• The organization runs the risk of focusing on one class of data to the detriment of everything else

Page 96: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

Cashiers

Page 97: Payment Card Industry Introduction 2010

Cashiers

• Limit Access
• Background Checks
• Log access to CHD
• Fraud
  – Look for tampering of PIN Entry Devices or Point of Interaction devices

Page 98: Payment Card Industry Introduction 2010

Merchants Should

• Be aware of the risks relating to skimming.
• Be aware of the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure.
• Be aware of the vulnerabilities associated with staff that have access to consumer payment devices.
• Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure.
• Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.

Page 99: Payment Card Industry Introduction 2010

Skimming

• Internal employees with criminal intent
• Skimming results from the capture of payment data within the payment infrastructure at the merchant location
• Focus on compromised POS terminals and their respective infrastructures
• Criminals will insert electronic equipment, by various means, into the terminal or the terminal infrastructure, in order to capture consumer account data

Page 100: Payment Card Industry Introduction 2010

Criminal Methods

• Criminals will also target large multi-lane retailers where, during less busy periods, not all of the lanes are used and terminals are effectively left unattended.

• Criminals will steal terminals, compromise them, and then return them to either the same store or to another store in the same chain.

Page 101: Payment Card Industry Introduction 2010

Attack Technique

Page 102: Payment Card Industry Introduction 2010

Attack Technique

Page 103: Payment Card Industry Introduction 2010

Attack Technique

Page 104: Payment Card Industry Introduction 2010

Key Loggers

• Can be on PCs that process CHD
• Including PCs used as terminals or even those used for web transactions

Page 105: Payment Card Industry Introduction 2010

Attack Technique

Page 106: Payment Card Industry Introduction 2010

Attack Technique

Page 107: Payment Card Industry Introduction 2010

Attack Technique

Page 108: Payment Card Industry Introduction 2010

Attack Technique

Page 109: Payment Card Industry Introduction 2010

Attack Technique

Page 110: Payment Card Industry Introduction 2010

Attack Technique

Page 111: Payment Card Industry Introduction 2010

Attack Technique

Page 112: Payment Card Industry Introduction 2010

CCTV

• Use proper lighting for the cameras
• Should cover POS but not the PIN if entered
• Store 90 days of video
• Facility coverage (exit / entrance)
• Problem with a camera: review the terminal
• Time Stamps
• Note blackouts and camera incidents

Page 113: Payment Card Industry Introduction 2010

Physical Security of Terminals

• Surrounding terminals
• Note the entire cable path from the terminal to the point where it leaves your merchant location
• Secure terminal cabling in public areas
• Consider cable locks

Page 114: Payment Card Industry Introduction 2010

Employees

• Employers often feel employees are trustworthy
• Trustworthiness needs to be validated
• Not all have a criminal background when hired
• Employees may develop criminal intent over time

Page 115: Payment Card Industry Introduction 2010

Criminal Activity

• Staff should report criminal activity, or if they are approached by criminals
• Whistle blower provision
• Train your staff to be aware of the types of fraud attacks criminals may attempt and the risk to them

Page 116: Payment Card Industry Introduction 2010

Background Check

• Background checks could and should include
  – Validation of employee data as supplied in the hiring process
  – A criminal check
  – A financial/credit check
  – An education check
  – Previous employment history should also be in scope when applicable

Page 117: Payment Card Industry Introduction 2010

Staff Should Know

• How to protect the terminal environment by being aware of what to look out for
• The procedure for escalating concerns
• Who to contact if they have concerns
• How to contact senior management
• How management or the employee should contact local law enforcement if someone threatens or attempts to bribe them to compromise terminals or payment data

Page 118: Payment Card Industry Introduction 2010

POS Inventory

Page 119: Payment Card Industry Introduction 2010
Page 120: Payment Card Industry Introduction 2010

Payment Card Industry (PCI) Compliance

Page 121: Payment Card Industry Introduction 2010