Introduction to PCI DSS - cdn.ymaws.com...IBM PCI DSS History 3 6/1/2015 Introduction to PCI DSS...


IBM

Introduction to PCI DSS

March 2015



Agenda

PCI DSS History

What is PCI DSS? / PCI DSS Requirements

What is Cardholder Data?

What does PCI DSS apply to?

Payment Ecosystem

How is PCI DSS Enforced?

Benefits of Compliance / Non-Compliance Consequences

IBM Capabilities

PCI DSS History

Visa developed the Cardholder Information Security Program (CISP) in 2001

MasterCard and other card providers started developing separate criteria

In 2004, Visa and MasterCard formally agreed to combine efforts

– Created the Payment Card Industry (PCI) Data Security Standard (PCI DSS)

PCI DSS 1.1 released September 2006

PCI DSS 1.2 released October 2008

PCI DSS 1.2.1 released July 2009

PCI DSS 2.0 released in October 2010

PCI DSS 3.0 released in October 2013

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a global security program that was created to increase confidence in the payment card industry and reduce risks to the Payment Card Brands, Merchants, Service Providers and Consumers.

PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

What is Cardholder Data?

Cardholder data includes:

– Primary Account Number (PAN)

– Cardholder Name

– Service Code

– Expiration Date

Sensitive authentication data includes:

– Full Magnetic Stripe

– CVC2/CVV2/CID/CAV2

– PIN / PIN Block

Cardholder data may be stored, but only the PAN must be masked when displayed (Req. 3.3) and rendered “unreadable” (Req. 3.4).

Sensitive authentication data may not be stored after authorization (Req. 3.2).

The PAN is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a PAN is stored, processed, or transmitted. If PAN data is not stored, processed or transmitted, PCI DSS requirements do not apply.
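An added example (not from the IBM deck) of applying the three requirements above to an authorization record in Python: sensitive authentication data is dropped before storage (Req. 3.2), the PAN is masked to first six/last four for display (Req. 3.3) and stored only as a keyed one-way hash (Req. 3.4). The test PAN, key and record are constructed; the field names and the choice of HMAC-SHA-256 are assumptions for this example, not part of the standard.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (Req. 3.2): must not be stored after authorization.
SAD_FIELDS = ("track_data", "cvv2", "pin_block")

# Constructed sample: a well-known test PAN, a hypothetical hashing key, and an
# authorization record whose field names are assumptions for this example.
SAMPLE_KEY = b"demo-key-from-key-management-system"
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J SMITH",
    "expiry": "12/26",
    "service_code": "201",
    "track_data": "B4111111111111111^SMITH/J^2612201",  # full magnetic stripe (constructed)
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
    "auth_code": "A1B2C3",
}

def normalize_pan(pan: str) -> str:
    """Strip separators and require a plausible PAN length (13-19 digits)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits

def mask_pan(pan: str) -> str:
    """Req. 3.3: when displayed, show at most the first six and last four digits."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def render_unreadable(pan: str, key: bytes) -> str:
    """Req. 3.4: store a keyed one-way hash (HMAC-SHA-256) of the full PAN; the key
    stops the small space of valid PANs being hashed and matched from the stored value alone."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()

def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Post-authorization record: SAD dropped, PAN replaced by hash + masked
    display form, remaining cardholder data (name, expiry, service code) kept."""
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_hash"] = render_unreadable(record["pan"], key)
    stored["pan_masked"] = mask_pan(record["pan"])
    return stored

def sad_present(record: dict) -> list:
    """Detection helper: which sensitive authentication data fields a record still holds."""
    return [f for f in SAD_FIELDS if f in record]
```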

Who Does PCI DSS apply to?

Any entity that stores, processes and/or transmits cardholder data must comply with the PCI Data Security Standard (DSS).

Additionally, any entities which provide services that could impact the security of cardholder data may have a PCI compliance obligation.

Entities may include, but are not limited to, merchants and service providers.

Applies to:

– Retail (online & brick & mortar)

– Hospitality (restaurants, hotel chains, etc.)

– Transportation (e.g. airlines, car rental, etc.)

– Financial Services (banks, credit unions, card processors, etc.)

– Energy (oil, gas, utilities, etc.)

– Healthcare/Education (hospitals, universities)

– Government (Federal, Provincial, Municipal)

– Not-For-Profit Organizations (Red Cross, churches, etc.)

Payment Ecosystem

[Diagram: the payment ecosystem, showing Merchants, Acquirers / Processors, Service Providers, Payment Brand Networks, and Issuers]

How is PCI DSS Enforced?

[Diagram: enforcement relationships among Merchants, Acquirers / Processors, Service Providers, Issuers and Payment Card Brands]

PCI DSS is enforced contractually.

Benefits of Compliance

Compliance with the PCI DSS means that your systems are “secure”, and customers can trust you with their sensitive payment card information:

– Trust means your customers have confidence in doing business with you

– Confident customers are more likely to be repeat customers, and to recommend you to others

– Implementation of PCI DSS controls protects sensitive data, reduces the risk of compromise, and helps maintain your corporate reputation

Compliance improves your reputation with acquirers and payment brands

– These are the partners you need in order to do business

Compliance has indirect benefits as well:

– Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.

– The PCI DSS can help form the basis for a corporate security strategy

– Assets and processes developed for PCI Compliance can be leveraged generally across the organization as information security best practices

– You will likely identify ways to improve the efficiency of your IT infrastructure

Non-Compliance Consequences

If non-compliant and a breach occurs:

– Breached entity is liable for the acquirer/issuer's losses and card re-issuance costs

– Breached entity will likely have significant investigative and legal costs

– Possible fines or restrictions imposed by card brands (prohibiting future credit card processing)

– Repayment of losses may exceed the ability to pay and cause total failure of the organization

Other potential consequences:

– Damaged brand reputation

– Negative publicity

– Loss of customers and corporate trust

– Penalties and fees levied by card brands for non-compliance

• Visa USA fining some non-compliant merchants $25K per month

• MasterCard’s fee structure for Level 1 & 2 merchants and service providers includes quarterly escalating fines of up to $25K, $50K, $100K, $200K.

• Some Canadian merchants are being fined. Fines are in the range of $5K - $10K per month.

IBM Capabilities

IBM is a PCI QSA (Qualified Security Assessor), Approved Scanning Vendor (ASV), and PFI (PCI Forensic Investigator).

IBM is authorized to certify organizations.

40+ Certified PCI QSAs across the different regions

IBM cannot certify its own business units or services, to avoid a conflict of interest. A third-party QSA company will have to be retained to obtain a certification.

IBM PCI QSAs can assist in performing gap analysis and provide remediation advice.

Questions?

Appendix

Defining a Cardholder Data Environment

A critical strategic step in any PCI compliance initiative is formally defining a cardholder data environment.

If a system stores, processes, or transmits cardholder data, it must be included in the cardholder data environment.

The PCI DSS applies to any network component, server, or application that is included in or connected to the cardholder data environment.

In “flat networks” where an organization does not pursue scope reduction strategies, the entire network is in scope of the PCI DSS assessment.

– In complex environments, achieving PCI compliance of the entire network infrastructure may be financially and operationally unachievable. Without scope reduction, every server, desktop, network device and application must comply with each and every control of the PCI DSS.

Defining a Cardholder Data Environment (cont.)

The CDE boundary is typically implemented via firewall rules or strong access control lists on the security device forming the boundary of the CDE – normally a firewall or a router with a firewall module capable of performing stateful inspection.

In order to adequately form a boundary of the CDE, all inbound and outbound connectivity to the CDE must be limited to those specific ports and protocols required for the business.

All such allowed connectivity must be via secure protocols, and have a documented business justification.
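An added example (not from the IBM deck) that reviews a constructed CDE boundary rule set against the three criteria on this slide: connectivity limited to specific ports and protocols, secure protocols only, and a documented business justification for every allowed flow. The rule format, the secure/insecure service lists and the sample rules are assumptions for this example.

```python
# Services the review treats as secure or insecure (assumption; extend to your own standard).
SECURE_SERVICES = {"tcp/443": "HTTPS", "tcp/22": "SSH", "tcp/636": "LDAPS", "udp/500": "IPsec IKE"}
INSECURE_SERVICES = {"tcp/23": "telnet", "tcp/21": "FTP", "tcp/80": "HTTP", "udp/161": "SNMPv1/v2c"}

# Constructed sample allow-rules for the firewall forming the CDE boundary.
SAMPLE_RULES = [
    {"id": 1, "dir": "in", "src": "10.1.0.0/24", "dst": "cde-web", "service": "tcp/443",
     "justification": "Customer checkout traffic"},
    {"id": 2, "dir": "out", "src": "cde-app", "dst": "processor", "service": "tcp/443",
     "justification": "Authorization requests to acquirer"},
    {"id": 3, "dir": "in", "src": "any", "dst": "cde-db", "service": "any",
     "justification": ""},
    {"id": 4, "dir": "in", "src": "admin-net", "dst": "cde-fw-mgmt", "service": "tcp/23",
     "justification": "Firewall administration"},
]

def review_rule(rule: dict) -> list:
    """Return the boundary criteria a single allow rule fails (empty list = acceptable)."""
    findings = []
    svc = rule["service"]
    if svc == "any" or rule["src"] == "any" or rule["dst"] == "any":
        # Fails 'specific ports and protocols required for the business'.
        findings.append("not limited to specific ports/protocols and endpoints")
    elif svc in INSECURE_SERVICES:
        findings.append(f"insecure protocol ({INSECURE_SERVICES[svc]})")
    elif svc not in SECURE_SERVICES:
        findings.append("protocol not on the approved secure list; needs review")
    if not rule["justification"].strip():
        findings.append("no documented business justification")
    return findings

def review_ruleset(rules: list) -> dict:
    """Map rule id -> findings for every rule that fails at least one criterion."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report

if __name__ == "__main__":
    for rule_id, findings in review_ruleset(SAMPLE_RULES).items():
        print(f"rule {rule_id}: " + "; ".join(findings))
```

Rules 1 and 2 pass; rule 3 fails on scope and justification and rule 4 on protocol, which is the same judgement a QSA would make reading the rule base by hand.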

Supporting Infrastructure

It is important to consider systems outside of the CDE which, although they do not store, process, or transmit cardholder data, are still “connected to” the CDE.

These may be systems which are providing security services to the CDE or which are simply allowed to communicate with the CDE.

In each such case, such a “supporting system” must be evaluated in order to determine whether it should be considered in PCI scope as well. Ultimately, if the compromise of such a system outside of the CDE may impact the security of a system within the CDE or cardholder data, then it should be considered in PCI scope.

– For example, a server providing management of a CDE firewall would be considered in scope, as a compromise of such a system may allow an attacker to modify firewall rules, and therefore impact the security of the CDE and cardholder data.

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved.