PCI DSS Compliance Services - Galitt · 2016-04-01
January 2016
PCI DSS Compliance Services
20160104-Galitt-PCI DSS Compliance Services.pptx
Agenda
© Copyright Galitt 2
1. Introduction
2. Overview of the PCI DSS standard
3. PCI DSS compliance approach
Introduction: Global trends

• Contactless cards & NFC
• Mobile acceptance
• Digital wallets, e-commerce & m-commerce
• Chip on the cloud / HCE (Host Card Emulation)
• Rise of card payments across the globe (card-present & card-not-present)
• Growth of fraud and security breaches: in 2014, card-based payment fraud in France was estimated at 395.6 million euros, with a projected increase of 10% every year
• Advances in the payment sector have created opportunities for card-based payments over various channels: face-to-face, internet, mobile, etc.
• Embedded security at various levels:
  • Payment transaction authorisation management (e-rsb)
  • Use of EMV "Chip-and-PIN" cards instead of magnetic stripe cards
  • Extended interoperability between domestic banks
Introduction: The French card-based payment eco-system

Benefits
• Convenience for the cardholder
• Fast transaction processing and a payment guarantee for merchants

But beware!
• Following a data breach in France, fraud may be performed wherever an equivalent security framework is not enforced (for example in regions that still accept magnetic-stripe transactions).
• This risk must not be underestimated; everyone must take responsibility for protecting cardholder data from compromise.
Introduction: The impacts of a data breach

• Damage to reputation and loss of credibility
  • Depending on the extent of the breach, brand value may be heavily impacted, with drops of 17% to 31%
  • Average reputation recovery time is 11.8 months
• Financial loss
  • Average total cost of a data breach: €2.9M
  • Average cost of a data breach per record: €127
  • Re-issuing of compromised cards
  • Loss of revenue
  • Penalties from card brands
• Collateral damage: business consequences
  • Loss of credibility with business partners: card brands, banks, service providers, merchants, etc.
  • High attrition rate (e.g. 4.4% in France)

Key impacts: damage to reputation and brand value; remediation of security vulnerabilities; card brand penalties; fraud costs.

(*) Source: Ponemon Institute, reputation impact of a data breach, 2011
(**) Source: "Cost of Data Breach" report, Ponemon Institute and Symantec, June 2013
Introduction: Data breach figures in France and abroad

Attacks and fraud schemes perpetrated in France
• 3x: the compromise of merchant points of sale and ATMs tripled between 2011 and 2012, according to the GIE CB report.
• 160K: loss of 160,000 euros in a "MIM card" fraud scheme performed against a large merchant in 2014/2015.
• 188: approximately 200 point-of-sale terminals were hacked in 2013, against only 30 compromised in 2011.
• 560: over 500 gas pumps were compromised in 2014, up from 188 in 2012 (source: 2014 OSCP report).
• Increase in the number of face-to-face merchants in France accepting counterfeit "CB" cards that were compromised through fraud schemes abroad (source: GIE CB report).

Data breaches abroad
• Hacking of a leading US hotel group in September 2015, compromising payment terminals in restaurants, bars and gift shops.
• 80M: 80 million customers could be impacted by data compromised at a leading US health insurance company (2015).

OSCP: Observatoire de la Sécurité des Cartes de Paiement
Introduction: Darknet markets

• Large volumes of card data are resold on "carding" websites
• Fraud opportunities based on stolen cardholder data
  • PAN only: purchase of goods on insecure e-commerce websites (no CVX2 validation)
  • PAN + expiry date + CVX2: purchase of goods on ordinary e-commerce websites
  • Complete ISO2 (track 2) magnetic stripe data: card-present transactions in non-EMV environments
  • Complete ISO2 magnetic stripe data + PIN: card-present transactions and cash withdrawals in non-EMV environments
• Average market value of stolen cardholder data
  • Primary Account Number (PAN) and CVX2: €1
  • Magnetic stripe data: from €8 to €73
  • "White plastic" card with encoded magnetic stripe: €100
  • Magnetic stripe data and PIN code: €1,000
• Fraud kits
  • Malware: from €1,000 to €2,000
  • Skimming equipment: from €1,000 to €2,000
Overview of the PCI DSS standard

• Background
  • Initially developed by the five founding card brands of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard and Visa)
  • Supported by major players in the payment card industry (e.g. smartcard and terminal manufacturers)
• Objectives of the PCI standards
  • Reduce card fraud by protecting cardholder data
  • Define a common approach and set of rules adopted by the major card brands, based on their existing cardholder data protection programmes
  • Define a set of industry-wide requirements and processes through different standards
Overview of the PCI DSS standard

• PCI DSS aims to protect Cardholder Data (CHD) and Sensitive Authentication Data (SAD). On a physical card these elements are found as follows:
  • Primary Account Number (PAN), cardholder name and expiry date (embossed or printed on the front)
  • Magnetic stripe tracks 1 and 2, carrying the PAN, cardholder name, expiry date, service code and a card verification value in the discretionary data; the PIN itself is never written on the stripe, it is entered by the cardholder and transported as an encrypted PIN block
  • Track-equivalent data also stored in the chip
  • Card verification code (CAV2/CVC2/CVV2/CID, "CVX2" in French usage), printed on the signature panel

Cardholder Data (CHD)          | Sensitive Authentication Data (SAD)
-------------------------------|----------------------------------------------------------------
Primary Account Number (PAN)   | Full track data (magnetic-stripe data or equivalent on a chip)
Cardholder name                | CAV2/CVC2/CVV2/CID
Expiration date                | PINs/PIN blocks
Service code                   |
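The distinction in the table matters in practice: PCI DSS requirement 3.3 allows at most the first six and last four digits of a PAN to be displayed, and requirement 3.2 forbids retaining any SAD after authorisation, even encrypted. A PAN leaking into an application log is therefore a masking problem, while track data leaking into the same log is a storage violation that must be treated as an incident. The Python script below is an added example written for this page, not Galitt's code or a PCI SSC tool: it scrubs constructed log lines, validating candidate PANs with the Luhn check so that order numbers are left alone, and redacting track-2 data outright. The PANs used are publicly known test numbers, the log format is assumed, and the regular expressions are simplified for illustration.

```python
"""Detect and mask cardholder data in free text such as application logs.

Added example for PCI DSS requirement 3: a PAN may show at most its first six
and last four digits (req. 3.3), and sensitive authentication data (full track
data, CVV2, PIN blocks) must never be retained after authorisation (req. 3.2).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (assumed format); the PANs are public test numbers.
SAMPLE_LOG = [
    "2016-01-04T10:22:01Z INFO payment ok pan=4111111111111111 amount=42.00",
    "2016-01-04T10:22:03Z DEBUG raw swipe ;4111111111111111=25121011000012345678? terminal=T42",
    "2016-01-04T10:22:05Z INFO order 1234567890123 shipped",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified ISO/IEC 7813 track 2: optional start sentinel, PAN, '=' separator,
# YYMM expiry, service code, discretionary data, optional end sentinel.
TRACK2_RE = re.compile(r"(?<!\d);?\d{13,19}=\d{7,}\??")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (PCI DSS 3.3) and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub(line: str) -> Tuple[str, Dict[str, int]]:
    """Redact track-2 data and mask PANs in one log line.

    Returns the scrubbed line plus counters so the caller can alert: any
    track-2 hit means SAD is being written to disk, which is a violation
    regardless of masking.  Track data is handled first so that the PAN
    inside it is not merely masked.
    """
    found = {"pan": 0, "track2": 0}

    def _redact_track(m: re.Match) -> str:
        found["track2"] += 1
        return "[TRACK2-REDACTED]"

    line = TRACK2_RE.sub(_redact_track, line)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number (e.g. an order id)
        found["pan"] += 1
        return mask_pan(digits)

    line = PAN_RE.sub(_mask, line)
    return line, found


def scrub_log(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Scrub a whole log and total the findings across all lines."""
    cleaned, totals = [], {"pan": 0, "track2": 0}
    for line in lines:
        clean, found = scrub(line)
        cleaned.append(clean)
        for key in totals:
            totals[key] += found[key]
    return cleaned, totals


if __name__ == "__main__":
    cleaned, totals = scrub_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    if totals["track2"]:
        print(f"ALERT: {totals['track2']} line(s) contained track data (SAD must not be stored)")
```

Running it prints the three lines with the PAN masked to 411111******1111 and the swipe replaced by [TRACK2-REDACTED], followed by the alert; the order number in the third line is untouched because it fails the Luhn check. In a real deployment the same logic belongs at the logging layer (or in a log-forwarder filter) so that SAD never reaches disk, and a track-2 hit should feed the incident process rather than just a counter.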
Overview of the PCI DSS standard

• Who is subject to PCI DSS?
  • PCI DSS applies to all entities involved in payment card processing that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD):
    • Merchants that accept card-based payments from one or more card brands
    • Payment Service Providers (PSP)
    • Acquiring and issuing banks
• PCI DSS is used as a technical and operational standard to protect cardholder data. The table below gives a high-level overview of the six control objectives and the 12 PCI DSS requirements:

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
Overview of the PCI DSS standard

• Merchant profiles vs. PCI DSS compliance validation requirements

Level 1
  Merchant profile:
  • Merchants processing more than 6 million Visa or MasterCard transactions annually across all channels
  • Merchants that have been compromised
  • Merchants identified as Level 1 by another card brand
  • Any merchant designated as Level 1 by a card brand at its discretion
  Compliance validation requirements:
  • Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA)
  • Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance (AOC) form
  Exemption: may be reclassified as Level 2 when at least 95% of transactions are EMV chip transactions

Level 2
  Merchant profile:
  • Merchants processing between 1 and 6 million Visa or MasterCard transactions annually across all channels
  • Merchants identified as Level 2 by another card brand
  Compliance validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ); assistance from a Qualified Security Assessor is required
  • Quarterly external vulnerability scan by an ASV
  • Attestation of Compliance (AOC) form

Level 3
  Merchant profile:
  • Merchants processing from 20,000 to 1 million Visa or MasterCard e-commerce transactions annually
  • Merchants identified as Level 3 by another card brand
  Compliance validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly external vulnerability scan by an ASV
  • Attestation of Compliance (AOC) form
  Exemption: scan exemption for merchants using certified e-commerce solutions

Level 4
  Merchant profile:
  • Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually
  • Non e-commerce merchants processing up to 1 million Visa transactions annually
  Compliance validation requirements:
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly external vulnerability scan by an ASV
  • Attestation of Compliance (AOC) form

• The merchant level is determined from the total number of transactions processed across all of the merchant's acquiring banks.
• Domestic transactions performed with co-badged cards (Visa or MasterCard + Carte Bancaire "CB") must also be counted.
PCI DSS compliance approach

• A PCI DSS compliance program may transform the organisation not only from a technical perspective, but also from a business process standpoint.
• The success of such a program depends on the involvement and contribution of different business functions: people.

Four dimensions of a compliance program:
• Project governance: project sponsors, senior management, project managers, contributors
• People: HR, IT, Finance, Legal, Accounting
• Business processes: payment processes
• Information systems: platforms, operating systems, applications, databases, networks

Key questions
1. What is the scope of my organisation subject to PCI DSS?
2. How can this scope be reduced?
3. What is the best compliance strategy for my organisation?
PCI DSS compliance approach

• Key drivers and challenges for conducting a PCI DSS compliance program

Drivers
• An improved risk management approach, which in turn reduces the likelihood of security breaches and data theft.
• Perception as a trusted partner, since security is demonstrated to be a priority within the organisation.
• Reduced or avoided financial penalties from card brands in case of data theft, by demonstrating compliance and a strong security posture.
• Adoption of PCI DSS as a security baseline, enforcing best practice for protecting sensitive data in general.

Challenges
• Defining the scope of the program is a complex task and often requires the help of a QSA.
• Roles and responsibilities for delivering the program are often unclear.
• Obtaining support from senior management is key to the success of the program, and therefore mandatory.
• Maintaining the state of compliance as the environment evolves rapidly.
• PCI DSS work streams being deprioritised because of budget constraints and competing internal initiatives.
PCI DSS compliance approach

Galitt can assist your organisation throughout all phases of a PCI DSS compliance program:

Planning & preparation
• Business process and applications mapping
• Definition of the Cardholder Data Environment (scope)
• PCI DSS compliance strategy and roadmap
• PCI DSS gap analysis and remediation plan

Remediation
• Consulting, implementation of security controls, remediation of findings...

Compliance
• Certification audit (Level 1 merchants)
• Self-Assessment Questionnaire (Level 2, 3 and 4 merchants)
• External vulnerability scans from an Approved Scanning Vendor

Across all phases: project management, PCI DSS training and awareness
Galitt contact details
Contacts
Thank you!
www.galitt.us www.galitt.com
Rémi GITZINGER
Director - Payment Consulting
+33 1 77 70 28 59
Bruno KOVACS
Consulting Manager & QSA
+33 1 77 70 28 12