The Payment Card Industry PCI Data Security Standard: - PowerPoint PPT Presentation

About This Presentation
Title:

The Payment Card Industry PCI Data Security Standard:

Description:

The Payment Card Industry (PCI) Data Security Standard: ... Payment card industry has been aware of this problem for years and has been ... – PowerPoint PPT presentation

Slides: 38
Provided by: fredh3
Transcript and Presenter's Notes

1
  • The Payment Card Industry (PCI) Data Security
    Standard
  • What it is and why you might find it useful
  • Fred Hopper, CISSP
  • TASK - 27 March 2007

2
My Background and Perspective
  • IT Infrastructure Support, Network Management,
    Info Security and Corporate Security
  • Previous roles at Davis Henderson and Canadian
    Standards Association
  • Head of Corporate Security for Metaca Corporation
    - one of Canada's leading manufacturers and
    personalizers of Financial, Loyalty, ID,
    Satellite TV, Telco, Health, and Insurance cards.

3
Payment Card Security History
  • Companies who manufacture and personalize cards
    for other organizations (e.g. banks) are called
    Card Vendors
  • Card Vendor security has historically focused on
    the physical security of the product rather than
    data security.

4
The First Credit Card
  • The First Supper - Frank X. McNamara (1950)

5
Later Diners Club Cards
6
American Express
7
Today's Risks
  • Most significant risk these days is with the
    compromise and misuse of the data rather than the
    physical card itself
  • Card Vendors have had to meet detailed Logical
    (i.e. Information) Security requirements in
    recent years, with detailed standards and annual
    audits
  • Current weak points in the system: some merchants
    and third party data processors.

8
Today's Risks
9
Card Skimming and Background for PCI DSS
  • Until the 1990s, magstripe reading and encoding
    hardware and the knowledge to use it were hard to
    come by. Personal computers and inexpensive
    hardware changed everything.
  • Improvements and miniaturization in electronics
    in recent years have also been reflected in
    skimming equipment
  • Features of current equipment include flash
    memory, internal clocks, firmware supporting
    timestamps, databases, Bluetooth
  • Password protected access to memory and features
    to protect data from law enforcement and rival
    skimming gangs.

10
Skimming Hardware
11
Skimming Hardware
12
Skimming Hardware
13
Skimming Hardware
14
Skimming Hardware
15
Skimming Hardware
16
Skimming Hardware
17
Skimming Software
18
Counterfeiting Supplies
19
Important Card Data
  • Financial card dimensions, location of magnetic
    stripe, and data encoding and layout all covered
    in ISO standards

www.magtek.com
20
Important Card Data
21
Important Card Data
  • For processing transactions it is necessary for
    the merchant to present multiple fields to acquiring
    financial institutions, e.g. PAN, expiry date,
    CVV/CVC, PVV or PIN Offset.

22
Payment Card Data
  • Skimming is still a lot of work and risk, why not
    just try to get card track data in bulk?
  • Carding sites exist to trade in stolen card
    numbers e.g. Carderplanet, Mazafuka,
    Shadowcrew, Darkprofits
  • Where do these numbers come from? A lot of them
    are stolen from Merchants and Data Processors who
    store more data than they need, do so
    insecurely, and are subsequently compromised
  • Payment card industry has been aware of this
    problem for years and has been responding in
    various ways, one of which is the Payment Card
    Industry Data Security Standard (PCI DSS).

23
Payment Card Security Standards Prior to 2004
  • Each card association had different rules
  • Visa: Account Information Security (AIS) and
    Cardholder Security Information Program (CISP)
  • MasterCard: Site Data Protection (SDP)
  • American Express: Data Security Standard (DSS)
  • Discover: Discover Information Security
    Compliance Program (DISC).

24
Formation of the PCI Security Standards Council
  • Visa, MasterCard, American Express, Discover and
    JCB decided to standardize on a common set of
    data security requirements for merchants and data
    processors: the PCI Data Security Standard (PCI
    DSS)
  • PCI Security Standards Council was formed in 2004
    as an independent organization in order to
    maintain and promote the PCI DSS
  • Version 1.0 of the PCI DSS was published in
    January 2005
  • Version 1.1 published in September 2006
  • www.pcisecuritystandards.org

25
Scope of PCI DSS
  • If your shop handles financial card data
  • PCI DSS requirements are applicable if a Primary
    Account Number (PAN) is stored, processed or
    transmitted
  • PCI DSS security requirements apply to all
    system components, defined as any network
    component, server or application that is included
    in or connected to the cardholder data
    environment
  • Failure to comply will eventually result in
    surcharges, fines and substantially increased
    liability in the event of a data breach
  • If a PAN is not stored, processed or transmitted
    then PCI DSS requirements do not apply.
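The scope test above (slide 25) turns on whether a PAN is present, and slides 21 and 22 point out that merchants often store more card data than they need. The following Python is an added example, not part of the original presentation: it scans constructed sample records for Luhn-valid PANs to decide whether they fall in scope, and truncates any it finds to first six / last four digits. The record format and the test card numbers are assumptions.

```python
import re

# Constructed sample records, shaped like a merchant's order log.
# The card numbers are well-known test PANs, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 cust=alice pan=4111111111111111 exp=0812 cvv=123",
    "order=1002 cust=bob ref=1234567890123456",     # fails Luhn: not a PAN
    "order=1003 cust=carol token=tok_7f3a9c",       # tokenized: no PAN held
    "order=1004 cust=dave pan=5500 0000 0000 0004 exp=0909",
]

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in text, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its truncated form."""
    def sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(sub, text)


def scope_report(records):
    """For each record: is a PAN stored (in scope), plus a redacted copy."""
    return [{"in_scope": bool(find_pans(r)), "redacted": redact(r)}
            for r in records]
```

A record with a PAN is in scope even after truncation if the full number is kept elsewhere; the other fields (expiry, CVV) still need review under Requirement 3.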

26
Scope of PCI DSS
  • If your shop does not handle financial card data
  • Strictly speaking, PCI DSS requirements do not
    apply to your organization
  • You may still want to utilize PCI DSS in order to
    protect personal information (NPPI), commercially
    sensitive information, trade secrets, etc.
  • Q: Why use PCI DSS instead of other InfoSec
    standards (e.g. ISO 17799)?
  • A: It's concise (16 pages), easy to interpret and
    was developed through consensus by organizations
    who knew it would be a challenge to obtain
    compliance from its target audience. In other
    words, it is well thought out, well documented
    and attainable.

27
PCI DSS Requirements
  • The PCI Data Security Standard is comprised of 12
    general requirements designed to:
  • Build and maintain a secure network
  • Protect cardholder data
  • Ensure the maintenance of vulnerability
    management programs
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Ensure the maintenance of information security
    policies
  • Does this sound familiar?

28
PCI DSS vs. CISSP CBK
29
Control Objectives (1 of 6)
  • Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall
    configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied
    defaults for system passwords and other security
    parameters.

30
Sample of Format Used
31
Control Objectives (2 of 6)
  • Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder
    data across open, public networks.

32
Control Objectives (3 of 6)
  • Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update
    anti-virus software
  • Requirement 6: Develop and maintain secure
    systems and applications.

33
Control Objectives (4 of 6)
  • Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data
    by business need-to-know
  • Requirement 8: Assign a unique ID to each person
    with computer access
  • Requirement 9: Restrict physical access to
    cardholder data.

34
Control Objectives (5 of 6)
  • Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to
    network resources
  • Requirement 11: Regularly test security systems
    and processes.

35
Control Objectives (6 of 6)
  • Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses
    information security.

36
Conclusion
  • PCI DSS is out there and if your systems process
    payment card numbers, you must be compliant
  • Even if you do not process payment card numbers,
    the PCI DSS provides an excellent information
    security framework for your organization's
    Information Security Management System.

37
  • Questions and Answers
  • Fred Hopper
  • Director, Corporate Security, IT and Quality
  • Metaca Corporation
  • fhopper_at_metaca.com