
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity™

The Payment Card Industry (PCI) Compliance 101

Name: John Cebulski
Title: Security Engineer
Contact: [email protected]


Today's Agenda

Modern history of PCI

PCI Data Security Standard v1.1
– Version 1.1 updates
– Compensating controls
– General roles and responsibilities
– PCI compliance validation process
  » Network scanning
  » Company audit
  » Report on Compliance

Why worry about PCI DSS?

The challenges of PCI compliance
– Customer challenges of PCI compliance
– Devices affected
– Results of PCI challenges
– Companies in the PCI spotlight

Tips for facing the compliance challenge


Modern History of the Payment Card Industry

Mid-1980s

– Rapid growth in payment card industry, fraud increases

– Individual companies begin early fraud detection and prevention efforts

1990s

– Sophistication of networks increases

– Fraud and detection technologies grow

– Fraud continues to increase

– 1999: Gramm-Leach-Bliley Act

2000s

– 2000: Visa Cardholder Information Security and Account Information Security programs

– 2000: MasterCard: Site Data Protection program

– Early 2000s: Major fraud disclosures*

– 2002: Sarbanes–Oxley Act

– 2005: MasterCard and Visa jointly release PCI Data Security Standard 1.0

– 2006: PCI Security Standards Council, PCI 1.1 released


Drivers for PCI Data Security Standardization

Increased fraud
– Fraud is big business!!
– 2005*
  » 9.3 million US victims
  » $54.4 billion total fraud costs in one year

Regulatory requirements
– Increased pressure
– Vague implementation guides

Confusing payment card efforts
– Overlapping requirements and duplicated activities
– Increased confusion on the part of merchants and providers

*Source: Javelin Strategy & Research, January 2006

Organization                        Offense                                              Date
Cardersmarket.com                   Buys and sells payment card data                     Still running as of May 2007
Shadowcrew                          Sales of stolen and counterfeit IDs                  October 2004
Carderplanet.com                    Credit card hacking site                             September 2004
Ukrainian Roman Vega, aka "BOA"     Caught with more than 80,000 credit card accounts    June 2004


PCI Data Security Standard v1.1 Today

Six control objectives, 12 requirements, many sub-requirements. PCI DSS is only part of compliance.

If a Primary Account Number (PAN) is stored, processed, or transmitted, the PCI DSS requirements APPLY.
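The scoping rule above turns on a factual question: is a PAN actually stored, processed, or transmitted anywhere? The following is an added example, written for this page and not code from the presentation, from Check Point, or from the PCI SSC. It shows the first check a practitioner runs before a QSA does: sweep log lines and data stores for digit strings that look like card numbers and pass the Luhn check, then report them masked to the first six and last four digits, which is the most PCI DSS 3.3 permits to be displayed. The log lines are constructed for the example, and the card numbers in them are publicly known Luhn-valid test numbers, not real accounts.

```python
import re
from typing import Dict, List

# A PAN candidate is 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits (timestamps, hashes).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in text, separators removed."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a log and report hits masked, so the report itself holds no PANs."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append({"line": lineno, "masked": mask_pan(pan)})
    return hits


# Constructed sample log (hypothetical); the 16-digit numbers are brand test numbers.
SAMPLE_LOG = [
    "2007-05-01 12:00:01 order=1234567890123 status=ok",
    "2007-05-01 12:00:02 DEBUG card=4111 1111 1111 1111 exp=0309",
    "2007-05-01 12:00:03 DEBUG card=5500-0000-0000-0004 exp=1208",
    "2007-05-01 12:00:04 ref=4111111111111112 (fails Luhn, so not reported)",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print("line %d: PAN found %s" % (hit["line"], hit["masked"]))
```

A Luhn-valid 13 to 19 digit string is necessary but not sufficient evidence of a PAN (some order and account numbers pass too), so treat hits as candidates to review and expect real data to need BIN-range filtering on top. The discipline that matters is the masking: a discovery tool that writes full PANs into its own report has just created one more in-scope data store.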

PCI compliance for Visa
• PCI DSS
• Visa's Cardholder Information Security Program (CISP)
  http://usa.visa.com/merchants/risk_management/cisp.html

PCI compliance for MasterCard
• PCI DSS
• MasterCard's Site Data Protection Program (SDP)
  http://www.mastercard.com/us/sdp/index.html


What's New to the PCI Landscape?

New to PCI DSS 1.1 (Sept. 2006)
– Clarification of vague language
– Web-facing applications must be protected either by a code review for common vulnerabilities or by an application-layer firewall; a best practice until June 30, 2008, a requirement after that (6.6)
– Anti-virus capabilities must also cover other malicious software such as spyware and adware (5.1.1)
– New "compensating controls" section (Appendix B)
– Penetration testing must cover both the network layer and the application layer (11.3)

Visa and MasterCard compliance
– "Leading the charge" for PCI compliance
– Emphasis on Level 1, 2, and 3 merchants
– Acquirers should have submitted a summary of their Level 4 merchants' PCI compliance plan by July 30, 2007

Compliance timeframe
– Level 1 merchant/service provider deadline: September 30, 2007
– Level 2 merchant/service provider deadline: December 31, 2007
– Level 3 merchant/service provider deadline: contact your acquirer or card vendor
– Level 4 merchant deadline: summary of PCI compliance plan, via acquirer, by July 30, 2007


Example: Compensating Control

[Slide shows a completed worksheet. Source: PCI DSS v1.1 Appendix C, Compensating Controls Worksheet]


PCI Today: Roles

DEFINE: PCI Security Standards Council
• Independent body
• Eliminates competing and overlapping brand-specific requirements
• Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International
• Defines security and process requirements and other general security guidelines
• Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains the certification lists
• www.pcisecuritystandards.org

AUDIT: QSAs and ASVs
• Assess and validate compliance
• Reports given to customers
• Listed on the Council Web site

IMPLEMENT: Participating organizations (accept credit/debit card payments)
• Merchants and service providers: any organization that stores, processes, or transmits cardholder data
• Categorized as merchant or service provider, then by level: 1–4 for merchants, 1–3 for service providers
• Audits, scans, and assessments vary with level

ENFORCE: Payment card brands
• Enforcement arm (together with acquirers)
• Can levy stiff fines
• Can prohibit processing of credit card transactions
• To what degree must they themselves be compliant?

ENFORCE: Acquirers (banks that process transactions)
• Enforcement arm
• Can levy stiff fines
• Can prohibit processing of credit card transactions
• Manage merchants' compliance programs (e.g., MasterCard's SDP program)


PCI Compliance Validation

– Audits and self-assessments
– Network scans
– Report on Compliance


PCI Compliance Validation: Requirements by Level

Merchants
Level  Description                                                      On-site audit  Self-assessment  Network scans
1      Over 6M annual transactions; any merchant that has suffered a    Annually       –                Quarterly
       security breach resulting in data compromise; or any merchant
       so designated at the card vendor's discretion
2      150,000 to 6M annual transactions                                –              Annually         Quarterly
3      20,000 to 150,000 annual transactions                            –              Annually         Quarterly
4      All others                                                       –              Annually         Quarterly

Service providers
Level  Description                                                      On-site audit  Self-assessment  Network scans
1      All processors and payment gateways                              Annually       –                Quarterly
2      Not in Level 1; stores, processes, or transmits over 1M          Annually       –                Quarterly
       accounts annually
3      Not in Level 1; stores, processes, or transmits less than 1M     –              Annually         Quarterly
       accounts annually


PCI Compliance Validation: What can I expect from an audit?

– Company XYZ is audited by a QSA
– The QSA completes the audit based on the PCI Audit Procedures
– If the company passes: Company XYZ keeps the audit report and submits it to the card vendor or acquirer
– If not: the company receives a report from the QSA listing "Open Items" and "Target Resolution Dates"; once those are resolved, the QSA reassesses


PCI Compliance Validation: Network Scans

› Performed by a PCI-approved scanning vendor (ASV), not by the merchant's own staff
› Covers the externally facing IP addresses
› Scan of ALL 65,535 ports
› Findings at severity levels 3–5 must be remedied before the scan counts as passing
› Output: a technical report listing vulnerabilities and steps for resolution, plus a PCI-approved compliance statement for the card vendor or acquirer


PCI Report on Compliance and Visa: Level 1–3 Merchants

Level 1 merchants (via acquirer)
– On-site PCI data security assessment completed by a QSA
– Letter signed by a merchant officer
– Confirmation of report accuracy form completed by the QSA
– Acquirer accepts the ROC and submits the confirmation ROC form and acceptance letter to Visa

Level 1, 2, and 3 merchants
– Acquirers are responsible for ensuring quarterly network security scans for Level 1, 2, and 3 merchants
– Quarterly network security scans may be required of Level 4 merchants as specified by their acquirers

Level 2 and Level 3 merchants
– Must complete the annual PCI self-assessment questionnaire
– Level 4 merchants may be required by their acquirers to complete the PCI self-assessment questionnaire


PCI Report on Compliance and Visa: Service Providers

Level 1 and Level 2 service providers
– Annual self-assessment questionnaire
– Annual on-site PCI data security assessment
– Supplied to the acquirer, serving as a template for the ROC
– Employ a QSA to complete the Report on Compliance

Level 1, 2, and 3 service providers
– An ASV performs a quarterly network scan of the Internet-facing network perimeter systems

Level 3 service providers
– Complete the annual PCI self-assessment questionnaire


Why Worry About PCI DSS?

Reduce the risk of incidents
– Prevent a "CNN moment"
  » Negative publicity
– Loss of revenue
– Placed in a higher level, requiring more frequent compliance measures
– Fines and penalties levied
  » Passed down from acquirer to acceptor
  » Barred from processing credit card transactions
  » Higher processing fees


The PCI Challenge for Merchants and Service Providers

All or nothing: 99 percent compliance is still failing. PCI DSS v1.1 begins to address this issue (compensating controls) and is the standard in force as of January 1, 2007.

Cost effective and unified: purchasing and integrating point solutions takes time and effort. Many companies do not have the in-house staff to address this challenge. TCO must be addressed.

Performance becomes a concern.

Multiple standards impose overlapping requirements.


The PCI Challenge: One of Many

[Word cloud of overlapping obligations: Sarbanes-Oxley, liability, GLBA, HIPAA, EU data protection, industry regulation, business continuity, operational risk, privacy, ISO 17799, Basel II, data retention, investment, physical security, audits, compliance, credit risk, terrorism, reputation, data storage, SB 1386, business partners, BS 7799, COSO/COBIT, intellectual property, information security]

Growing lists of regulations can deplete resources:
Sarbanes-Oxley Act of 2002; Gramm-Leach-Bliley; Homeland Security Act; FISMA; HIPAA; Computer Security Act; Computer Fraud and Abuse Act; IASB/FASB; NASD 3110; SEC Rules 17a-3 and 17a-4; TREAD Act; Canada's PIPEDA; U.S. Patriot Act; Fair and Accurate Credit Transactions Act (FACT); E.U. Data Protection Directive; Foreign Corrupt Practices Act; Basel II; FDA 21 CFR 11; Customs C-TPAT; EPA; CA SB 1386, 1950; U.K. Public Records Office; DOD 5015.2; PCI DSS


The PCI Challenge: Devices Affected

The PCI DSS v1.1 requirements apply to ALL "system components," defined as any network component, server, or application included in, or connected to, the cardholder data environment.

– "Network component" refers to firewalls, network appliances, routers, switches, wireless access points, and other network and security components
– Servers include, but are not limited to, authentication, database, domain name service (DNS), email, network time protocol (NTP), proxy, and Web servers
– Applications include all purchased and custom applications, including internal and external (Web) applications
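Whether a component is "connected to" the cardholder data environment is a reachability question, and the honest way to answer it is to compute it from the firewall rules rather than read it off a network diagram. The following is an added example, not code from this presentation or from Check Point. It models the CDE as a set of components and the permitted traffic flows as undirected edges, then walks outward from the CDE: everything reached is a system component in scope. The inventory, component names and flows are constructed for the example; the point it makes is that a flat network pulls the HR file server and the guest Wi-Fi into scope, while a single denied flow at the segmentation firewall takes them back out.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory (hypothetical names): component -> type, in the page's terms
COMPONENTS: Dict[str, str] = {
    "pos-terminal-1": "application",
    "payment-app": "application",
    "card-db": "database server",
    "dns-1": "DNS server",
    "hr-fileserver": "server",
    "guest-wifi-ap": "wireless access point",
    "backup-tape-lib": "server",
}

# Components that themselves store, process, or transmit cardholder data
CDE: Set[str] = {"pos-terminal-1", "payment-app", "card-db"}

# Permitted flows as derived from firewall rules, treated as undirected connectivity
FLAT_NETWORK: List[Tuple[str, str]] = [
    ("pos-terminal-1", "payment-app"),
    ("payment-app", "card-db"),
    ("payment-app", "dns-1"),
    ("dns-1", "hr-fileserver"),          # shared DNS reachable from the corporate segment
    ("hr-fileserver", "guest-wifi-ap"),
]

# Same network after one segmentation rule denies corporate -> CDE DNS traffic
SEGMENTED_NETWORK: List[Tuple[str, str]] = [
    flow for flow in FLAT_NETWORK if flow != ("dns-1", "hr-fileserver")
]


def in_scope(cde: Set[str], flows: Iterable[Tuple[str, str]]) -> Set[str]:
    """Every component reachable from the CDE over permitted flows (breadth-first)."""
    adjacency: Dict[str, Set[str]] = defaultdict(set)
    for a, b in flows:
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen = set(cde)            # CDE members are in scope even with no flows at all
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def scope_report(components: Dict[str, str], cde: Set[str],
                 flows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split the inventory into in-scope and out-of-scope system components."""
    scoped = in_scope(cde, flows)
    return {
        "in_scope": sorted(c for c in components if c in scoped),
        "out_of_scope": sorted(c for c in components if c not in scoped),
    }


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        report = scope_report(COMPONENTS, CDE, flows)
        print(label, "in scope:", report["in_scope"])
        print(label, "out of scope:", report["out_of_scope"])
```

Two caveats a QSA will raise. The firewall that enforces the segmenting deny rule is itself a network component connected to the CDE, so it stays in scope and its rule base is what gets audited; and a flow list is only as good as the rule export it came from, so regenerate it from the live configuration rather than from a diagram drawn at deployment time.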


The PCI Challenge: Result

A very complicated, sprawling network to manage
– Firewalls, OS servers, routers, switches, IPS, antivirus, Web servers, policies, and rules
– Gigabytes to terabytes of data in different formats


Companies in the PCI Spotlight

Bank of America, BJ's Wholesale Club, CardSystems Solutions, ChoicePoint (NOT Check Point), CitiGroup, DSW Shoe Warehouse, Hotels.com, LexisNexis, Wachovia, Polo Ralph Lauren
Source: Qualys http://www.qualys.com/forms/wp/pci/?lsid=6880

Fines
– 2005: Visa levied fines of $3.4 million
– 2006: Visa levied fines of $4.6 million
Source: Visa (USA), San Francisco, December 12, 2006


Tips for Facing the PCI Challenge

Build/leverage relationships with VARs and other resellers

Attend seminars and guest speaking engagements
– Nuggets of information
– Network with peers

Use existing regulatory compliance programs
– ISO 27001 certifications and Sarbanes-Oxley audits look at many of the same requirements as PCI DSS v1.1
– PCI DSS offers areas of cross compliance with HIPAA and SOX

Books and periodicals (the ol' Amazon.com search)

Take the "plunge," register for vendor white papers
– Valuable nuggets contained within vendor

Utilize PCI Security Standards Council resources
– www.pcisecuritystandards.org
– Self-assessments
– Review scanning and audit procedures


Resources and Research

PCI Security Standards Council Web site
– www.pcisecuritystandards.org
– PCI DSS v1.1, What's new in v1.1, scanning and auditor validation requirements

Qualys
– White paper: Winning the PCI Compliance Battle
– www.qualys.com/forms/wp/pci/?lsid=6880

Check Point
– www.checkpoint.com/securitycafe/readingroom/general/pci_compliance.html

StillSecure
– www.stillsecure.com/pci/index.php?rf=pcihp
– PCI Compliance: A Technology Overview (management best practices)

www.pcicomplianceguide.org
– A 5-step guide for PCI compliance

SANS
– www.sans.org
– Using SIM systems for PCI compliance


THANK YOU!!

Questions?


Appendix and LinksAppendix and Links

See below


Regulatory Cross Compliance

HIPAA 164.308, Administrative Safeguards
» Security and access management
» Security incident handling

HIPAA 164.312, Technical Safeguards
» Access and audit controls, integrity

Sarbanes-Oxley sections 302, 404, and 409
– Effective controls on data privacy
– Real-time disclosure
– CEO and CFO responsibility for certifying the controls

PCI Data Security Standard Requirement 10
– Track and monitor all access to cardholder data
– Implement audit trails
– Record, secure, and review the audit trails for all system components

PCI Data Security Standard Requirement 11
– Use NIDS, NIPS, HIDS, and HIPS to monitor and alert on compromises
  » Require SIEM solutions that can effectively tie in point product data back
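Requirement 10 asks not just that access to cardholder data be logged, but that the audit trail be secured so it cannot be quietly altered afterwards. The following is an added example, written for this page and not code from the presentation, from Check Point, or anything the PCI SSC publishes. It shows one way to make a trail tamper-evident in the application that writes it: each record carries the hash of the record before it, so editing or re-hashing an earlier entry breaks the chain at the first affected record. The field names follow the event details PCI DSS 10.3 requires (user, event type, date and time, success or failure, origination, affected resource); the events, users and addresses are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Event details PCI DSS 10.3 requires in every audit record
REQUIRED_FIELDS = ("user", "event", "time", "result", "origin", "resource")
GENESIS = "0" * 64  # prev-hash carried by the first record


def _digest(body: Dict) -> str:
    """Hash the record body as canonical JSON so it always hashes the same way."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, **fields) -> Dict:
        """Append a record chained to the previous one; rejects incomplete events."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError("audit record missing %s" % ", ".join(missing))
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, **fields}
        record = {**body, "hash": _digest(body)}
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Index of the first record that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "hash"}
            if record.get("seq") != i or record.get("prev") != prev:
                return i                     # reordered, dropped, or re-pointed record
            if _digest(body) != record["hash"]:
                return i                     # contents edited in place
            prev = record["hash"]
        return None


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Intact chain, then an in-place edit, then the same edit with a re-hash."""
    trail = AuditTrail()
    trail.append(user="jdoe", event="pan_read", time="2007-05-01T12:00:01Z",
                 result="success", origin="10.1.2.3", resource="card-db")
    trail.append(user="svc-batch", event="pan_export", time="2007-05-01T12:05:00Z",
                 result="failure", origin="10.1.2.9", resource="card-db")
    trail.append(user="admin", event="audit_config_change", time="2007-05-01T12:06:30Z",
                 result="success", origin="10.1.2.4", resource="payment-app")
    intact = trail.verify()                  # None: nothing wrong yet

    trail.records[1]["user"] = "nobody"      # quiet edit of an earlier record
    edited = trail.verify()                  # 1: record 1 no longer matches its hash

    # An attacker who re-hashes the edited record still breaks record 2's prev pointer
    body = {k: v for k, v in trail.records[1].items() if k != "hash"}
    trail.records[1]["hash"] = _digest(body)
    rehashed = trail.verify()                # 2
    return intact, edited, rehashed


if __name__ == "__main__":
    print("verify results (intact, edited, rehashed):", demo())
```

The chain exposes modification and reordering of earlier records, but not silent truncation of the tail, and anyone with write access to the store can rewrite every record from the edited one onward. That is why 10.5 also wants the trail promptly copied to a central log server or media the application hosts cannot write back to: the chain makes local tampering visible, the off-host copy is what makes the evidence survive.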