Post on 29-May-2020
IBM
Introduction to PCI DSS
March 2015
Security Services Template, 6/1/2015
Agenda
PCI DSS History
What is PCI DSS? / PCI DSS Requirements
What is Cardholder Data?
What does PCI DSS apply to?
Payment Ecosystem
How is PCI DSS Enforced?
Benefits of Compliance / Non-Compliance Consequences
IBM Capabilities
PCI DSS History
Visa developed the Cardholder Information Security Program (CISP) in 2001
MasterCard and other card providers started developing separate criteria
In 2004, Visa and MasterCard formally agreed to combine efforts
– Created the Payment Card Industry (PCI) Data Security Standard (PCI DSS)
PCI DSS 1.1 released September 2006
PCI DSS 1.2 released October 2008
PCI DSS 1.2.1 released July 2009
PCI DSS 2.0 released in October 2010
PCI DSS 3.0 released in October 2013
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security program that was created to increase confidence in the payment card industry and reduce risks to the Payment Card Brands, Merchants, Service Providers and Consumers.
PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
What is Cardholder Data?
Cardholder data includes:
– Primary Account Number (PAN)
– Cardholder Name
– Service Code
– Expiration Date
Sensitive authentication data includes:
– Full Magnetic Stripe
– CVC2/CVV2/CID/CAV2
– PIN / PIN Block
Cardholder data may be stored; of these elements, only the PAN must be masked when displayed (Req. 3.3) and rendered "unreadable" wherever it is stored (Req. 3.4).
Sensitive authentication data may not be stored after authorization (Req. 3.2).
The PAN is the defining factor in the applicability of PCI DSS requirements: they apply if a PAN is stored, processed, or transmitted. If PAN data is not stored, processed or transmitted, PCI DSS requirements do not apply.
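As an added illustration (not from the IBM deck), the following Python shows the two PAN handling rules above, Req. 3.3 masking for display and Req. 3.4 rendering the stored PAN unreadable with a keyed hash, plus a Luhn-filtered discovery helper for finding PANs when deciding which systems are in scope. The sample PAN, key and text are constructed test values.

```python
import hashlib
import hmac
import re

# Constructed sample values for the demo: a well-known test PAN, not a real card,
# and a placeholder key. In production the HMAC key lives in an HSM or key manager.
SAMPLE_PAN = "4111111111111111"
HMAC_KEY = b"placeholder-demo-key-not-for-production"
SAMPLE_TEXT = "order 98765 paid with 4111111111111111; ref 1234567890123456"  # constructed


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: when displaying a PAN, show at most the first six and last four digits."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN-shaped value")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def render_unreadable(pan: str, key: bytes) -> str:
    """Req. 3.4: store a keyed one-way hash instead of the clear PAN.

    A keyed hash is used rather than plain SHA-256 because the space of
    13-19 digit Luhn-valid numbers is small enough to brute-force an unkeyed
    hash. Truncation, index tokens and strong encryption are the other
    Req. 3.4 options.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Scoping aid: return the Luhn-valid 13-19 digit runs found in free text.

    Finding a PAN in a log, database dump or file share means that system
    stores cardholder data and belongs in the cardholder data environment.
    """
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]
```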
Who Does PCI DSS apply to?
Any entity that stores, processes and/or transmits cardholder data must comply with the PCI Data Security Standard (DSS).
Additionally, any entity which provides services that could impact the security of cardholder data may have a PCI compliance obligation.
Entities may include, but are not limited to, merchants and service providers.
Applies to:
– Retail (online & brick & mortar)
– Hospitality (restaurants, hotel chains, etc.)
– Transportation (e.g. airlines, car rental, etc.)
– Financial Services (banks, credit unions, card processors, etc.)
– Energy (oil, gas, utilities, etc.)
– Healthcare/Education (hospitals, universities)
– Government (Federal, Provincial, Municipal)
– Not-For-Profit Organizations (Red Cross, churches, etc.)
Payment Ecosystem
Participants shown in the payment ecosystem diagram:
– Merchants
– Acquirers / Processors
– Service Providers
– Payment Brand Networks
– Issuers
How is PCI DSS Enforced?
Parties shown in the enforcement diagram: Merchants, Acquirers / Processors, Service Providers, Issuers, Payment Card Brands.
PCI DSS is enforced contractually.
Benefits of Compliance
Compliance with the PCI DSS means that your systems are "secure", and customers can trust you with their sensitive payment card information:
– Trust means your customers have confidence in doing business with you
– Confident customers are more likely to be repeat customers, and to recommend you to others
– Implementation of PCI DSS controls protects sensitive data, reduces the risk of compromise, and helps maintain your corporate reputation
Compliance improves your reputation with acquirers and payment brands
– These are the partners you need in order to do business
Compliance has indirect benefits as well:
– Through your efforts to comply with PCI Security Standards, you'll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
– The PCI DSS can help form the basis for a corporate security strategy
– Assets and processes developed for PCI Compliance can be leveraged generally across the organization as information security best practices
– You will likely identify ways to improve the efficiency of your IT infrastructure
Non-Compliance Consequences
If non-compliant and a breach occurs:
– Breached entity is liable for the acquirer/issuer's losses and card re-issuance costs
– Breached entity will likely have significant investigative and legal costs
– Possible fines or restrictions imposed by card brands (prohibiting future credit card processing)
– Repayment of losses may exceed the ability to pay and cause total failure of the organization
Other potential consequences:
– Damaged brand reputation
– Negative publicity
– Loss of customers and corporate trust
– Penalties and fees levied by card brands for non-compliance
• Visa USA fining some non-compliant merchants $25K per month
• MasterCard's fee structure for Level 1 & 2 merchants and service providers includes quarterly escalating fines of up to $25K, $50K, $100K, $200K.
• Some Canadian merchants are being fined. Fines are in the range of $5K - $10K per month.
IBM Capabilities
IBM is a PCI QSA (Qualified Security Assessor), Approved Scanning Vendor (ASV), and PFI (PCI Forensic Investigator).
IBM is authorized to certify organizations.
40+ Certified PCI QSAs across the different regions.
IBM cannot certify its own business units or services, to avoid a conflict of interest. A third-party QSA company will have to be retained to obtain a certification.
IBM PCI QSAs can assist in performing gap analysis and provide remediation advice.
Appendix
Defining a Cardholder Data Environment
A critical strategic step in any PCI compliance initiative is formally defining a cardholder data environment (CDE).
If a system stores, processes, or transmits cardholder data, it must be included in the cardholder data environment.
The PCI DSS applies to any network component, server, or application that is included in or connected to the cardholder data environment.
In "flat networks" where an organization does not pursue scope reduction strategies, the entire network is in scope of the PCI DSS assessment.
– In that case, every server, desktop, network device and application must comply with each and every control of the PCI DSS. In complex environments, achieving PCI compliance of the entire network infrastructure may be financially and operationally unachievable.
Defining a Cardholder Data Environment
The CDE boundary is typically implemented via firewall rules or strong access control lists on the security device forming the boundary of the CDE, normally a firewall or a router with a firewall module capable of performing stateful inspection.
In order to adequately form a boundary of the CDE, all inbound and outbound connectivity to the CDE must be limited to those specific ports and protocols required for the business.
All such allowed connectivity must be via secure protocols, and have a documented business justification.
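The three boundary conditions above (specific ports and protocols only, secure protocols, documented justification) can be checked mechanically against a rule export. The following Python is an added example, not IBM's tooling; the rule set, zone names and the convention that CDE zones are prefixed `cde-` are constructed for the demo.

```python
# Constructed rule set for a hypothetical firewall forming the CDE boundary.
# Zone names, ports and justifications are made up for the demo.
RULES = [
    {"id": 1, "src": "internet", "dst": "cde-web", "proto": "tcp", "port": 443,
     "justification": "Customer checkout over TLS"},
    {"id": 2, "src": "corp-lan", "dst": "cde-db", "proto": "any", "port": "any",
     "justification": ""},
    {"id": 3, "src": "cde-app", "dst": "partner-ftp", "proto": "tcp", "port": 21,
     "justification": "Nightly settlement file export"},
    {"id": 4, "src": "admin-jump", "dst": "cde-app", "proto": "tcp", "port": 22,
     "justification": "Administrator SSH from hardened jump host"},
]

# Cleartext services that fail the "secure protocols" condition at the boundary.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def touches_cde(rule: dict) -> bool:
    """A rule is in the review set if either side is a CDE zone (inbound or outbound)."""
    return rule["src"].startswith("cde-") or rule["dst"].startswith("cde-")


def review_rule(rule: dict) -> list:
    """Return the boundary conditions this rule fails; an empty list means it passes."""
    findings = []
    if rule["proto"] == "any" or rule["port"] == "any":
        findings.append("not limited to specific ports/protocols")
    if rule["port"] in INSECURE_PORTS:
        findings.append(f"cleartext protocol ({INSECURE_PORTS[rule['port']]}) is not secure")
    if not rule["justification"].strip():
        findings.append("no documented business justification")
    return findings


def review_ruleset(rules: list) -> dict:
    """Map each failing CDE-boundary rule id to its list of findings."""
    report = {}
    for rule in rules:
        if not touches_cde(rule):
            continue
        findings = review_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report
```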
Supporting Infrastructure
It is important to consider systems outside of the CDE which, although they do not store, process, or transmit cardholder data, are still "connected to" the CDE.
These may be systems which are providing security services to the CDE or which are simply allowed to communicate with the CDE.
In each such case, such a "supporting system" must be evaluated in order to determine whether it should be considered in PCI scope as well. Ultimately, if the compromise of such a system outside of the CDE may impact the security of a system within the CDE or of cardholder data, then it should be considered in PCI scope.
– For example, a server providing management of a CDE firewall would be considered in scope, as a compromise of such a system may allow an attacker to modify firewall rules, and therefore impact the security of the CDE and cardholder data.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.