
PCI DSS and MasterCard Site Data Protection Program
Payment System Integrity
September 2008
Agenda
• PCI
- Brief History
- Security Standards Council
- Documentation, Tools, Vendors
• SDP
- Acquirer requirements
- Compliance Database
- Enforcement
- Safe Harbor
- Special Topics: Level 4 merchants, ADC Cases
- Reporting and support
MasterCard Proprietary
Evolution of Industry Approach
• Feb 2002: Optional SDP service launched
• April 2003: MasterCard Security Standard published
• June 2003: SDP program deployed globally
• Sept 2003: SDP mandate announced
• June 2004: Initial compliance date for Level 2 merchants and service providers
• December 2004: PCI Data Security Standard (v1.0) published
• June 2005: Initial compliance date for Level 1 and 3 merchants and service providers
• September 2006: PCI Security Standards Council formed and PCI DSS v1.1 published
• May 2007: SDP mandate expanded
• Nov 2007: PIN PED and PA DSS part of the PCI SSC
• Feb 2008: Revised PCI SAQ released
PCI Security Standards Council
The PCI Security Standards Council Members
PCI SSC – Scope
• Develop and manage the PCI Security Standards (PCI DSS) and related documents
• Manage industry-level approval processes for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
• Provide an open forum where stakeholders can provide input to the ongoing development of payment security standards
• Address industry and constituent questions on standards and interpretation of standards
PCI SSC Participating Organizations by Industry
(chart on the slide; categories shown: Financial Institutions, Vendors, Merchants, Associations, Gateways, EFT Networks, Processors, Service Providers)
Global Participation & Representation
• United States 73%
• Europe 16%
• Canada 6%
• Asia Pacific 2%
• Central Europe / Middle East / Africa 2%
• LAC 1%
More than 400 organizations have been accepted
Participating Organization Benefits
• Vote and run for the Participating Organization Board of Advisors
• Comment on DSS, SAQ, PED, PA DSS and on other PCI SSC documentation, prior to public release
• Attend Community Meetings
• Attend Quarterly Webinar Meetings
• Recommend new initiatives and standards
• Early updates on upcoming press releases
• Monthly bulletin from SSC General Manager
Reserve Your Seat at the Table!
PCI SSC - The Standards
• PCI PED addresses device characteristics impacting security of PIN Entry Devices (PEDs) during financial transactions.
• PCI PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties.
• PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data).
Scope diagram (reconstructed from the slide):
- Merchants' and Service Providers' cardholder data environment: PCI DSS applies (systems & networks)
- Payment Applications (e.g. shopping cart, POS) in merchants'/service providers' environment**: PA DSS may apply*
- Stand-alone PED device: PCI PED applies (PED device only)
- PEDs integrated with payment applications (POS, ATM): PCI PED applies (PED device only)
PCI DSS
• Build and Maintain a Secure Network
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
– Requirement 12: Maintain a policy that addresses information security
PCI Cardholder Data Storage Clarification
Component                      | Storage Permitted | Protection Required | Encryption Required**
Cardholder Data
  PAN                          | YES               | YES                 | YES
  Expiration Date*             | YES               | YES                 | NO
  Service Code*                | YES               | YES                 | NO
  Cardholder Name*             | YES               | YES                 | NO
Sensitive Authentication Data
  Full Magnetic Stripe         | NO                | N/A                 | N/A
  CVC2/CVV/CID                 | NO                | N/A                 | N/A
  PIN                          | NO                | N/A                 | N/A
* Data elements must be protected when stored in conjunction with PAN
** Compensating controls for encryption may be employed
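The storage rules in the table above can be applied mechanically to records found in a merchant's database. The following audit helper is an added illustration (not MasterCard or PCI SSC code); the field names, the "enc:" prefix marking an encrypted PAN, the masked-PAN format and the sample records are all assumptions constructed for the example.

```python
import re

# Sensitive authentication data: the slide permits no storage at all.
SAD_FIELDS = ("full_magnetic_stripe", "cvc2", "pin")
# Cardholder data elements that need protection when stored together with the
# PAN (the '*' footnote); encryption itself is required only for the PAN.
PROTECT_WITH_PAN = ("expiration_date", "service_code", "cardholder_name")
# Truncated/masked PAN: first six and last four digits visible (assumed format).
MASKED_PAN = re.compile(r"^\d{6}[X*]{6,9}\d{4}$")
# Constructed convention for this example: an encrypted PAN is stored as "enc:<ciphertext>".
ENCRYPTED_PREFIX = "enc:"


def pan_rendered_unreadable(pan):
    """True when the stored PAN is masked/truncated or marked as encrypted."""
    return bool(MASKED_PAN.match(pan)) or pan.startswith(ENCRYPTED_PREFIX)


def audit_record(record, protected=()):
    """Return the list of storage-rule violations for one stored record.

    record    -- dict of field name -> stored value (None or '' = not stored)
    protected -- names of elements covered by a protection control
                 (access control, encryption, ...); empty means none
    """
    violations = []
    for field in SAD_FIELDS:                      # never permitted post-authorization
        if record.get(field):
            violations.append("sensitive authentication data stored: " + field)
    pan = record.get("pan")
    if pan:
        if not pan_rendered_unreadable(pan):
            violations.append("PAN stored without encryption/truncation")
        for field in PROTECT_WITH_PAN:            # '*' footnote: only applies with PAN
            if record.get(field) and field not in protected:
                violations.append("unprotected element stored with PAN: " + field)
    return violations


# Constructed sample records (not real card data).
SAMPLE_RECORDS = {
    "masked": {"pan": "541333XXXXXX1234", "expiration_date": "0910"},
    "cleartext": {"pan": "5413330000001234", "cvc2": "123"},
    "no_pan": {"cardholder_name": "J DOE"},
}


def audit_all(records, protected=("expiration_date",)):
    """Audit every record; returns {record name: list of violations}."""
    return {name: audit_record(rec, protected) for name, rec in records.items()}
```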
PCI Self Assessment Questionnaire
SAQ Validation Type | Description | SAQ
1 | Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants | A (<20 Questions)
2 | Imprint-only merchants with no cardholder data storage | B (21 Questions)
3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B (21 Questions)
4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C (38 Questions)
5 | All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D (Full DSS)
Note: Sunset date for old version of SAQ is April 30, 2008
PCI SSC Milestones in 2008
• Phased Approach for PA-DSS
– Phase 1: Publish PA-DSS and testing procedures
– Phase 2: PA-QSA testing approval
– Phase 3: Payment application validation
• Searchable FAQ Tool launched on PCI SSC Website
– Responses developed by all five payment brands help ‘pave the way’ for PCI DSS evolution
PCI and SDP – Functional Areas
• Standards Development and Interpretation: PCI SSC
• Compliance Validation: Acquirers, QSAs
• Enforcement: Payment Brands
MasterCard Site Data Protection (SDP)
PCI SSC - Not in scope
• The following functions will be performed by each payment brand individually
– Approval and posting of compliant third party service providers
– Forensics and response to Account Data Compromise (ADC) events
– PCI compliance tracking and enforcement
The SDP Program - 3 Major Components
• Reporting
– Acquirers must submit quarterly compliance reports on their affected merchants (level 1, 2 and 3)
– Service Providers submit a Certificate of Validation (COV) or a PCI action plan for review and approval
• Registration
– Annual merchant requirement that is fulfilled via the MasterCard Registration Program (MRP)
• Enforcement
– Communications, Assessments and MCBS Billing
Entities that Store, Transmit or Process Cardholder Data
• Any entity that stores, transmits or processes cardholder data must comply with the PCI DSS.
• This statement has broad application in the financial industry.
• Under the SDP Program, only affected merchants and service providers are required to validate their compliance.
• MasterCard does not require compliance evidence or validation from issuers or acquirers.
Reporting - SDP Submission Form v3.0
• Instruction Tab
• Acquirer Data Tab
• Merchant Data Tab
Available on www.mastercard.com/sdp
Reporting - PCI Compliance Levels
Level 1
  Criteria:
  • Merchants >6 MM annual transactions (all channels)
  • Service Providers > 1MM annual transactions
  • All compromised merchants, TPPs and DSEs
  Requirements:
  • Annual Onsite Audit
  • Quarterly Network Scan
  Compliance Date: 30 June 2005
Level 2
  Criteria:
  • All merchants > 1 million total MasterCard transactions and <= 6 million total MasterCard transactions annually
  • All merchants meeting the Level 2 criteria of a competing payment brand
  • Service Providers <= 1MM annual transactions
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan
  Compliance Date: 31 December 2008
Level 3
  Criteria:
  • All merchants with annual MasterCard e-commerce transactions > 20,000 but less than one million total transactions
  • All merchants meeting the Level 3 criteria of a competing payment brand
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan
  Compliance Date: 30 June 2005
Level 4
  Criteria:
  • All other merchants
  Requirements:
  • Annual Self-Assessment
  • Quarterly Network Scan
  Compliance Date: Consult Acquirer
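The level criteria above, together with the rule on a later slide that every confirmed ADC is treated as Level 1, can be expressed as a small classification routine. This is an added illustration written for this page, not MasterCard's own tooling; the function names and the way the competing-brand level is passed in are assumptions, and transaction counts are annual MasterCard transactions.

```python
# Compliance dates exactly as given in the slide's table.
COMPLIANCE_DATE = {1: "30 June 2005", 2: "31 December 2008",
                   3: "30 June 2005", 4: "Consult Acquirer"}


def merchant_level(total_txn, ecommerce_txn=0, compromised=False,
                   competing_brand_level=None):
    """Return the SDP level (1-4) for a merchant.

    total_txn             -- total annual MasterCard transactions (all channels)
    ecommerce_txn         -- annual MasterCard e-commerce transactions
    compromised           -- True after a confirmed Account Data Compromise
    competing_brand_level -- level assigned by a competing payment brand, if any
    """
    # ADC rule: a compromised merchant is Level 1 regardless of volume.
    if compromised or total_txn > 6_000_000:
        return 1
    if total_txn > 1_000_000 or competing_brand_level == 2:
        return 2
    # The slide words Level 3 as "less than one million total", so exactly
    # 1,000,000 transactions falls through to "all other merchants".
    if (ecommerce_txn > 20_000 and total_txn < 1_000_000) or competing_brand_level == 3:
        return 3
    return 4


def service_provider_level(total_txn, compromised=False):
    """Service providers (TPPs, DSEs): Level 1 above 1MM transactions, else Level 2."""
    if compromised or total_txn > 1_000_000:
        return 1
    return 2


def validation_requirements(level):
    """Validation steps for a level: only Level 1 needs the onsite audit."""
    assessment = "Annual Onsite Audit" if level == 1 else "Annual Self-Assessment"
    return (assessment, "Quarterly Network Scan")


def compliance_summary(level):
    """Bundle level, validation requirements and the slide's compliance date."""
    return {"level": level,
            "requirements": validation_requirements(level),
            "compliance_date": COMPLIANCE_DATE[level]}
```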
Reporting - Level 4 Merchants
• Compliance with the PCI Data Security Standard is required for all Level 4 merchants
• The only optional aspects of compliance for Level 4 merchants are:
– Active compliance validation with their acquirer
– Card Association specific steps (e.g., MRP registration)
• To be compliant with the PCI DSS, Level 4 merchants must successfully complete the following:
– An annual PCI self assessment
– Quarterly network security scans
Registration - PCI and SDP Compliance
PCI Compliance
• PCI Onsite Assessment
• PCI Self Assessment
• PCI Quarterly Network Scanning
The successful completion of the above applicable compliance requirements means the merchant is compliant with the PCI Data Security Standard.
SDP Compliance
• Compliance Validation with Acquirer
• Acquirer Registration of Merchant with MasterCard
The successful completion of the above compliance requirements means the merchant is compliant with the PCI Data Security Standard AND compliant with the MasterCard SDP Program requirements.
PCI Compliance + SDP Compliance = Safe Harbor
Enforcement – Areas of Focus
• Enforcement activities are generally managed in three distinct categories:
– Non-reporting or incomplete quarterly reporting
– Merchant storage of sensitive authentication data (post authorization)
– Insufficient compliance progress
• Communications are the preferred route of enforcement and range from informal to formal.
SDP Global Mailbox: [email protected]
Enforcement - Process
• Each quarter, MasterCard reviews merchant submissions against the 3 identified categories.
• Prior to any SDP noncompliance assessment, there is direct customer communication, both formal (letters) and informal (emails).
• The overall intent is to drive compliance, with SDP noncompliance assessments as only one tool.
SDP Enforcement
• In 3Q2008, MasterCard will begin to enforce the completion of the Sensitive Authentication Data Storage field
• Level 3 merchants
• Continued focus on timely and complete quarterly reporting
SDP and Account Data Compromise
• With a confirmed ADC, there is a demonstrated risk to the payment system.
• MasterCard rules govern the immediate actions that acquirers must undertake with an ADC event.
• Per MasterCard rules, all ADCs are classified as Level 1 with the compliance requirements of an annual onsite assessment and quarterly network scans.
• Once action is taken by the ADC group, the merchant enters an accelerated PCI compliance process.
Contact Information
For general Site Data Protection inquiries:
Email: [email protected]
Website: www.mastercard.com/sdp
For MasterCard security initiatives visit www.mastercardsecurity.com
For the PCI Security Standards Council visit www.pcisecuritystandards.org
Thank you.