Implementing PCI DSS Requirements Within Your Organisation

Implementing PCI DSS Requirements Within Your Organisation
September 2008
Simon Breeden, Visa Europe
Data security and your brand
• How much would your brand be worth if you lose your customers' trust?
• Would your customers stay with you?
Tel Aviv - 18th September 2008, Visa Europe (Information Classification Needed), slide 2, Presentation Identifier.2
Your brand needs security!
• Compromises happen every day, everywhere
• In the customer's view, consumers, card schemes and merchants share responsibility for protecting their card data
• Yet… 63% of customers view merchants as the weakest link when it comes to protecting their data¹
¹ Source: Javelin Strategy and Research 2007
In customers' eyes we all share responsibility to prevent fraud
Merchants as the weakest link
Customer confidence seriously impacted by a data breach
In the case of a breach…
• 49% of customers believe merchants to be the most likely source of the data breach
• 3 out of 4 customers won't shop again at a compromised merchant
• 84% of customers want to shop at merchants who are security market leaders
Investing in PCI DSS should be part of your customer retention plans
Media and regulators are watching us…
• National and European governments are showing increasing interest in the area of account information security
• The European Commission is considering legislation on the duty to notify (suspicion of breach and actual compromise), already adopted in California, Minnesota and Texas
• Media are increasingly questioning industry compliance and progress…
Is PCI DSS mandated for everybody?
PCI DSS is mandated for all merchants and other entities with access to card data
No access to data = no need for compliance validation
In the future, more companies may consider not handling data directly, rather than going through the cost and risk of securing it
What is it for?
• Protecting customer confidence
• Mitigating fraud and other losses
• Protecting against reputational damage
• Avoiding further regulatory control
PCI DSS part of overall Visa Security
Diagram labels: POS Environment, Chip & PIN; Online e-comm, Verified by Visa; Back office, PCI DSS
DATA
What is important about 'data'?
Card elements: Card number, Chip, Expiry date, Magnetic Stripe, CVV2
Magnetic Stripe: made up of "Track 1" and "Track 2" data
CVV2: the card account number, plus a three-digit Card Verification Value 2 (CVV2), is indent-printed on the signature panel
Track data and CVV2 should never be stored after authorisation
You are only as safe as the least safe link in the chain
• Processor
• Internet payment gateway
• Web hosting company
• Merchant
• Acquiring bank
Data theft is…
• Organised
• Multi-national
• Increasing in frequency
• Very, very lucrative
• Easy
• Almost risk-free
Most companies don't help themselves
• Track data and CVV2 are the 'honey pot' that hackers look for
• 80%+ of entities that are hacked are storing Track data and CVV2
• 70-80% of companies compromised go out of business within one year
PCI DSS is good business practice
Think of it as spring cleaning!
PCI DSS is an opportunity to take a fresh look at how your company works and identify any issues with people, processes, and systems. This enables you to:
• Check your house is in order
• Discard unwanted items
• Rethink your data storage business needs
• Fix issues
The First Thing!
PCI DSS is mandated for all merchants and other entities who store, process and/or transmit card data
No data = no need for compliance validation
Companies have the option of investing in data security or hiring a third party to manage data on their behalf
The Second Thing!
The key to a successful compliance programme is to:
• Identify stakeholders
  - Finance Director, Risk Committee, Information Security Officer, IT Director, Operations Director, …
• Get business sponsorship
  - Present PCI DSS and the risk of non-compliance to the Board
  - Brand image is at stake
Making PCI Compliance a Reality
Visa's recommended approach is:
– Complete data flow analysis early
– Complete a comprehensive gap analysis
– Define a detailed remediation plan
Diagram: "How does PCI relate?"; Data Flow Analysis -> Gap Analysis -> Remediation Plan -> Implement Remediation -> Compliance Validation
Scoping and Sampling
Proper scoping and thorough reviews are critical
Beware of not scoping and identifying all potential systems that may hold cardholder information:
• This can lead to critical and destructive hacks
• The data flow mapping exercise should identify all points of storage, processing & transmission
PCI DSS Scoping
PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and all connected systems
• Includes networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points)
• Encrypted cardholder data is still within scope
Quick Wins
• Do not store track data or CVV2 post authorisation
• Delete card data everywhere you can
• Update security policy
• Update templates to ensure PCI DSS is included in all new projects
• Data retention policy & process
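A defender-side check for the first two quick wins, added here as an example that is not part of the presentation: it scans constructed sample log lines for stored track data, labelled CVV2 values and Luhn-valid card numbers, and reports masked values only. The log lines, the regular expressions and the use of the 4111111111111111 test PAN are assumptions of this example.

```python
import re

# Constructed sample log lines (not from the presentation); 4111111111111111
# is a well-known Visa test PAN, never a real account.
SAMPLE_LOG = """\
2008-09-18 10:01:02 auth ok pan=4111111111111111 amount=19.99
2008-09-18 10:01:03 swipe raw=;4111111111111111=10121011000012345?
2008-09-18 10:01:04 web form cvv2=123 exp=10/12
2008-09-18 10:01:05 order id=5019283746 session=1234567890123
2008-09-18 10:01:06 auth ok token=tok_8f3a amount=4.50
"""

# Track 2 as read from the magnetic stripe: ;PAN=YYMM...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d*\??")
# Track 1: %B PAN ^ NAME ^ YYMM...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d*\??")
# Labelled card verification values (CVV2 / CVC2 / CID)
CVV2 = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}", re.I)
# 13 to 19 digit runs, allowing single space or dash separators
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line_no, kind, masked_value) for every suspected stored card data item."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        track = TRACK1.search(line) or TRACK2.search(line)
        if track:
            kind = "track1" if track.re is TRACK1 else "track2"
            findings.append((n, kind, mask_pan(track.group(1))))
            continue  # track data already contains the PAN; report once
        if CVV2.search(line):
            findings.append((n, "cvv2", "***"))
        for m in PAN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):  # drops order/session ids that are not card numbers
                findings.append((n, "pan", mask_pan(digits)))
    return findings
```

Line 4 of the sample contains a 13-digit session id that fails the Luhn check, so it is not reported; the same scan can be pointed at database exports and application logs found during the data flow analysis.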
Advice on Payment Applications
• PA-DSS is here!
• Released by PCI SSC on 15 April 2008
• A set of comprehensive security standards for use by vendors to ensure their products assist PCI DSS compliance
• Ensure new applications are PA-DSS compliant
• Get the comfort of knowing you have an application which, if implemented correctly, helps you to become PCI DSS compliant
• PA-DSS certified applications do not make you compliant, but they help you get there
Merchant Compliance Validation
1. Processing more than 6 million Visa transactions per year, or compromised in the last year: annual on-site security audit and quarterly network scan
2. Processing 1 million to 6 million Visa transactions per year: annual self assessment questionnaire audit and quarterly network scan
3. Processing 20,000 to 1 million Visa e-com transactions per year: annual self assessment questionnaire audit and quarterly network scan
4. Processing up to 20,000 Visa e-com transactions per year, and all merchants processing up to 1 million Visa transactions per year: recommended annual self assessment questionnaire audit and quarterly network scan
Service Provider Compliance Validation
1. All VisaNet processors, payment gateways and Internet payment service providers, regardless of volumes: annual on-site security audit and quarterly network scan
2. Any service provider not in level 1 that stores, processes or transmits more than 1 million Visa accounts or transactions per year: annual on-site security audit and quarterly network scan
3. Any service provider not in level 1 that stores, processes or transmits less than 1 million Visa accounts or transactions per year: annual self assessment questionnaire audit and quarterly network scan
Compliance Management
If you do not comply:
• There are levels of fines that are imposed
• There are fines for data compromise
Ultimate sanction:
• Prohibition by all brands to deal with cards and card data
However it is a journey…
• No expectation of immediate compliance
• However…
• No open ended deadlines to comply
• Evidence of commitment to comply
• Planned approach
• Compliance is a 24 hour a day activity – not a once a year activity to satisfy an audit