2. Copyright 2009 Evolve Systems®
Agenda
•Compliance Overview
•Cyber Threats
•Payment Card Overview
•PCI Compliance
•Controls Framework
•Questions
PCI = Payment Card Industry
DSS = Data Security Standard
3.
Compliance Trends
The Regulatory Environment Represents a New Enterprise Challenge
Timeline, 1970 to present (the slide's decade axis, 1970-1980 through 2000-present, is not recoverable item by item):
• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977
• Computer Security Act of 1987
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• Bill C-6 (Canada)
• GLBA
• COPPA
• USA PATRIOT Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes-Oxley (SOX)
• CIPA 2002
• Basel II
• NERC CIP-002 through CIP-009
• CISP (Visa's Cardholder Information Security Program)
• Payment Card Industry (PCI)
• California SB 1386 (individual privacy / breach notification)
• Other state privacy laws (38)
4.
State Privacy Laws
• Businesses must establish basic information security programs
• Businesses must proactively manage their confidential consumer information
• Businesses must take steps to know when their defenses have been breached
• In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers; that notification duty has in turn created new security requirements
Compliant infrastructures are required!
7.
Attack Vectors
• Virus attack
• Spyware (intentionally or unintentionally installed)
  o Worms and Trojans
  o Trojans embedded in image files
• Targeted attacks that exploit poor system configuration and vulnerabilities
• Targeted attacks against a "friendly" (a partner or service provider) who either loses your data or passes the attack along to you
• Physical theft
• System misuse by an authorized user
  o Internal staff
  o Third parties
9.
Scary Bedtime Stories
What is the cost of non-compliance?
• DSW Shoe Warehouse's customer database was hacked and 1.4 million records were stolen; the company recorded a reserve of over $6.5 million on its 2005 financial statements.
Other headlines:
• TJX (T.J. Maxx) causes several states to introduce new legislation to protect cardholder data.
• CardSystems Solutions is forced to sell its operations at a loss.
• Ongoing compromises are driving changes to the DSS, including two-factor authentication and wireless security requirements.
• The FTC fines ChoicePoint $10 million for unfair business practices, for failure to protect consumer data.
10.
Costs of a PCI Compromise
Scenario: a hypothetical merchant compromises 10,000 accounts when a third-party service provider has a server stolen. What is the potential financial impact?
• Notify clients and provide Privacy Guard (credit monitoring): $50 x 10,000 = $500,000
• Fines and penalties: $10,000 to $1 million
• Loss of clients: 10,000 clients – 15% = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
• Fraud liability (ADCR, Visa's Account Data Compromise Recovery program): 1,000 accounts x $500 = $500,000
• Reputation loss: PRICELESS!
Excluding reputation loss, the quantified items sum to roughly $1.16 million to $2.15 million.
11.
Card Verification Codes
Card diagram, recovered labels only: the printed Cardholder Verification Number (CVN) is called CVV2, CVC2 or CID depending on the brand (CVV2 on Visa, CVC2 on MasterCard, CID on American Express and Discover). The CVV encoded in the magnetic-stripe track data is a separate value from the printed CVV2.
12.
PCI Relationship Matrix
Diagram, recovered labels only. Parties: Cardholder, Merchant, Service Provider, Gateway, Processor, Acquiring Bank, Issuing Bank, Application Vendors. Region labelled on the diagram: Merchant Cardholder Environment.
13.
Six Goals, Twelve Requirements – PCI DSS
The "Digital Dozen": the Payment Card Industry Data Security Standard
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
14.
The Mandate: Merchant Levels Defined
Level 1
• Visa & MasterCard: any merchant, regardless of acceptance channel, that processes over 6 million Visa or MasterCard transactions per year; has suffered a hack or an attack that resulted in an account data compromise; is determined by Visa or MasterCard to need to meet the Level 1 merchant requirements; or has been identified by any other payment card brand as Level 1
• AMEX: any merchant, regardless of acceptance channel, that processes over 2.5 million AMEX transactions per year
Level 2
• Visa & MasterCard: any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year, regardless of acceptance channel
• AMEX: any merchant, regardless of acceptance channel, that processes 50,000 to 2.5 million AMEX transactions per year
Level 3
• Visa & MasterCard: any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
• AMEX: any merchant, regardless of acceptance channel, that processes fewer than 50,000 AMEX transactions per year
Level 4
• Visa & MasterCard: any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or fewer than 1 million Visa or MasterCard transactions per year regardless of acceptance channel
15.
Compliance Validation Requirements
Level 1
• Annual On-Site Security Audit; scope: authorization and settlement systems; validated by an independent assessor, or by internal audit if signed by an officer
• AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Levels 2 & 3
• Annual Self-Assessment Questionnaire; scope: any system storing, processing, or transmitting cardholder data; validated by the merchant, with optional support from a qualified vendor
• AND quarterly network scan; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
Level 4
• Annual Self-Assessment Questionnaire; scope: Internet-facing perimeter systems; validated by the merchant, with optional support from a qualified vendor
• Network scan recommended; scope: Internet-facing perimeter systems; validated by a qualified independent scan vendor
16.
Case Analysis: Compromise by Industry
Food Service represents the majority of the compromises (52%).
Retail is the next largest industry seeing compromises (27%).
Pie chart, recovered labels only: the remaining categories (Entertainment, Travel, University, Payment Processor, Telecom, Non-Profit/NGO, Media, Government, Petroleum, Medical, Construction) each account for 4% or less.
17.
Top PCI DSS Violations
#1 Requirement 12: Maintain a policy that addresses information security
#2 Requirement 3: Protect stored data
#3 Requirement 6: Develop and maintain secure systems and applications
#4 Requirement 10: Track and monitor access to network and card data
#5 Requirement 11: Regularly test security systems and processes
#6 Requirement 8: Assign a unique ID to each person with computer access
#7 Requirement 1: Install and maintain a firewall to protect cardholder data
Chart legend (the bars themselves are not recoverable from the text): violations found in more than 50% of forensic investigations; violations found in fewer than 50% of forensic investigations; violations found during initial PCI DSS audits.
19.
Visa Fine Schedule*
(other card associations have different costs)
Data compromise or non-compliance with PCI requirements:
• First violation: up to $50,000
• Second violation: up to $100,000
• Third violation: at Visa's discretion, for more than two violations in 12 months
Merchants who store full-track data:
• Initial penalty of $50,000
• Thereafter Visa assesses fines of up to $100,000 monthly until the track data is removed
* Representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer. Your fines may vary…
20.
Assessment Scope: Where is the cardholder data?
Diagram, recovered labels only. Every system that stores, processes or transmits cardholder data is in scope:
• Acquiring bank (Wells Fargo, BoA, Chase)
• Customer production environment: transaction servers or payment gateway; payment gateway and transaction database; transaction record and archive; data warehouse; batch settlement application servers
• Admin environment: portal access to reconciliation data (chargeback / sales audit)
• Back office and customer service: Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration
• Acceptance channels and authorization paths: phone, fax, email; web server (card not present); POS terminals (card present, in stores and parking facilities)
• Document vaults: paper records
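Answering "where is the cardholder data?" in practice starts with sweeping logs, exports and file shares for primary account numbers and for the full magnetic-stripe track data whose retention the Visa fine schedule above penalises (Requirement 3 also forbids keeping it after authorization). What follows is an added example written for this page, not a tool from the original deck or from Evolve Systems: it validates digit runs with the Luhn check, recognises Track 1 and Track 2 layouts, and reports each hit with the PAN masked to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines are constructed for the example using the public Visa and MasterCard test numbers; the names Finding, scan_text, scan_line, luhn_valid and mask_pan are this example's own.

```python
"""Cardholder-data discovery for text artifacts (logs, exports, dumps).

Added example for this page: finds Luhn-valid PAN candidates and full
magnetic-stripe track data, and reports each hit with the PAN masked.
Names (Finding, scan_text, ...) are this example's own, not a real tool's.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so a 20-digit ID is not reported).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Both tracks are sensitive authentication data that must never be stored
# after authorization, so a hit here outranks a bare PAN.
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str  # first six + last four only; the full PAN is never kept


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by all major card brands; filters most false hits."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six / last four, the maximum PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return findings for one line: track data first, then stand-alone PANs."""
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(line):
            findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in PAN_CANDIDATE.finditer(line):
        # A PAN inside already-reported track data is not a separate finding.
        if any(start <= m.start() < end for start, end in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(line_no, "pan", mask_pan(digits)))
    return findings


def scan_text(text: str) -> list[Finding]:
    """Scan a whole text blob line by line (1-based line numbers)."""
    out: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log for this example (not real data). Line 1 carries a
# 16-digit order number that fails Luhn; lines 2-4 carry the public Visa and
# MasterCard test numbers in cleartext, Track 2 and Track 1 form.
SAMPLE_LOG = """\
2009-10-23 14:22:11 INFO  order=1234567890123456 status=APPROVED
2009-10-23 14:22:12 DEBUG auth request pan=4111 1111 1111 1111 exp=12/25 cvv2=123
2009-10-23 14:22:13 DEBUG swipe raw=;5500000000000004=2512101123456789?
2009-10-23 14:22:14 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^25121011234567890?
2009-10-23 14:22:15 INFO  settlement batch=20091023 count=42 total=1234.56
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
```

Treat hits as leads, not proof: Luhn-valid 16-digit runs also occur in other identifiers, and this pattern misses PANs that are base64-encoded, split across lines or sitting in binary database pages, so a real discovery sweep also has to cover database columns, memory dumps and backups. CVV2 values are deliberately not matched: three digits alone carry no signal and have to be found by field name. The scanner only ever records the masked PAN, so the findings report does not itself become a new store of cardholder data.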
21.
New Visa Application Requirements
Phase / compliance mandate / effective date:
I. Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors ("VNPs") and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. 1/1/08
II. VNPs and agents must only certify new payment applications to their platforms that are PABP-compliant. 7/1/08
III. Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. 10/1/08
IV. VNPs and agents must decertify all vulnerable payment applications. 10/1/09
V. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. 7/1/10
Oct 23 announcement from Visa: "It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised."
22.
Summary
• Assessment vs. audit
• Penalties for non-compliance are high, but guidance on "assessment" procedures is marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
• The testing procedures for each control activity are PRESCRIPTIVE: maintain evidence of controls
• The Self-Assessment Questionnaire must track to the environment
• Organizations may not understand their cardholder environment
• The reporting process depends on the acquiring bank
• There are more risks to manage than the test procedures measure
23.
What's One More Certification?
Payment Application Best Practices [PABP]