THE PCI SSC IS AN OPEN GLOBAL FORUM
Established in 2006 by the founding payment card brands (American Express, Discover Services,
JCB International, MasterCard and Visa Inc.).
The Council has more than 650 Participating Organizations representing merchants, banks,
processors and vendors worldwide.
The Council is responsible for the development, management, education and awareness of the
PCI DSS and other standards to increase payment data security and compliance.
THE IMPORTANCE OF COMPLIANCE
The methods and sophistication of malicious attacks are constantly increasing and ever
changing; our due diligence with regard to compliance must therefore keep pace.
Penalties for a Breach
Significant fines per incident
Increased audit requirements
Potential loss of the ability to accept payment cards
Loss of staff time during security recovery
Loss of business revenue due to loss of public image
Cost of forensic investigation
PCI AWARENESS TRAINING (Knowledge is power)
Training is especially appropriate for:
Audit Managers, Business Analysts, Compliance Officers, Credit Analysts, Finance Managers, IS
Managers, IT Specialists, Project/Program Managers, Risk Management Analysts, Security
Analysts, Senior Developers, Software Engineers, System Administrators, Web Masters.
Training for employees is a strict mandate for compliance with the PCI DSS. Anyone can benefit;
no previous PCI knowledge is required.
AGENDA
PCI DSS Program Overview
Payment Industry Terminology
Payment Transaction Flow
Service Provider Relationships
Payment Brand Compliance Programs
SAQ Overview
PCI Roles and Responsibilities
Scoping the Cardholder Data Environment
Cardholder Data Discovery
Network Segmentation
PCI DSS Version 3.0 Overview
Compensating Controls
PCI DSS Program Overview
The Council offers strong and complete standards and supporting materials to improve payment
card data security:
1. The PCI Data Security Standard (PCI DSS), which provides an actionable framework for
developing a robust payment card data security process.
2. Tools to assist organizations in validating their PCI DSS compliance, including the
Self-Assessment Questionnaires (SAQs).
3. The PIN Transaction Security (PTS) requirements.
4. To help software vendors and others develop secure payment applications, the Council
maintains the Payment Application Data Security Standard (PA-DSS).
5. Training for professional firms and individuals so that they can assist organizations with
their compliance efforts.
6. Qualification programs: QSA, PA-QSA, ASV, ISA, QIR.
Payment Industry Terminology
Acquirer: A bankcard association member that initiates and maintains relationships with
merchants that accept payment cards.
Cardholder: A person who uses a payment card to purchase goods and services.
Chargeback: A customer dispute over a specific charge to their payment card. The merchant is
notified of the dispute and must respond to the chargeback, offering proof of validity for the
transaction.
Merchant: An organization or department that accepts payment cards as payment for goods or
services.
Processor: An organization that is connected to a payment card association and provides
authorization, clearing and settlement services on behalf of a member. See the Glossary of
Payment Card Terms for details.
Payment Transaction Flow
STEP 1 The consumer purchases goods or services from the merchant
STEP 2 The merchant transmits the transaction information to the acquiring bank; there are a
variety of ways to do this.
STEP 3 The acquiring bank routes the transaction to a processor and then to the associations
either Visa, MasterCard or Discover.
STEP 4 The association system then routes the transaction to the issuing bank and requests an
approval.
STEP 5 The issuing bank sends back the response. If the cardholder is approved, the issuing bank
assigns an authorization code and transmits it back to the association.
STEP 6 The authorization code is sent from the card association to the acquiring bank.
STEP 7 The acquiring bank routes the approval code or response to the merchant terminal.
Depending on the merchant or transaction type, the merchant terminal may print a receipt for
the cardholder to sign, which obligates the cardholder to pay the amount approved.
STEP 8 The issuing bank bills the consumer.
STEP 9 The consumer pays the bill to the issuing bank.
Service Provider Relationships
Sometimes, securing your own network isn't enough to guard against a data breach; your
ecosystem of third-party providers can introduce a new set of risks to data as well.
Troy Leach, CTO of the PCI Security Standards Council, called third-party security a "weak point"
for organizations that sometimes make the mistake of entrusting sensitive data to third-party
vendors without verifying they have the proper security posture.
"Updates introduced with PCI DSS 3.0 and recently released Special Interest Group guidance
aim to help organizations adequately address payments risks in their contracts with third parties
and perform ongoing due diligence to ensure sufficient levels of card security are maintained by
their business partners."
PCI DSS Compliance Payment Brands
AMEX | VISA | MASTERCARD | DISCOVER | JCB
The payment brands, as they are commonly called in the payments industry, still maintain a
powerful voice regarding security and compliance.
SAQ Overview
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist
merchants and service providers in self-evaluating their compliance with the Payment Card
Industry Data Security Standard (PCI DSS).
For those of you unfamiliar with the PCI SAQs, there are five: A, B, C, C-VT and D. The first four
are designed for very specific business scenarios, and D is the catch-all when none of the
previous four seem to fit.
SAQ A Card-not-present Merchants, All Cardholder Data Functions Outsourced
SAQ B Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No
Electronic Cardholder Data Storage
SAQ C-VT Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage
SAQ C Merchants with Payment Application Systems Connected to the Internet, No Electronic
Cardholder Data Storage
SAQ D All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to
Complete an SAQ
PCI Roles and Responsibilities
Each organization's specialized roles may differ and need to be carefully considered. The
categories listed below are examples of some common roles:
Cashier/Accounting Staff
Procurement Team
IT Administrators and Developers
SAMPLE PCI-DSS POLICY PART 6: ROLES AND RESPONSIBILITIES:
(12.5) Chief Security Officer (or equivalent) is responsible for overseeing all aspects of
information security, including but not limited to:
(12.5.1) creating and distributing security policies and procedures
(12.5.2) monitoring and analyzing security alerts and distributing information to
appropriate information security and business unit management personnel
(12.5.3) (12.9) creating and distributing security incident response and escalation
procedures that include:
(12.9.1) roles, responsibilities, and communication
(12.9.1) coverage and responses for all critical system components
(12.9.1) notification, at a minimum, of credit card associations and acquirers
(12.9.1) strategy for business continuity post compromise
(12.9.1) reference or inclusion of incident response procedures from card associations
(12.9.1) analysis of legal requirements for reporting compromises (for example, per
California bill 1386)
(12.9.2) annual testing
(12.9.3, 12.9.5) designation of personnel to monitor for intrusion detection, intrusion
prevention, and file integrity monitoring alerts on a 24/7 basis
(12.9.4) plans for periodic training
(12.9.6) a process for evolving the incident response plan according to lessons learned
and in response to industry developments
(12.6; 12.6.1.a) maintaining a formal security awareness program for all employees that
provides multiple methods of communicating awareness and educating employees (for
example, posters, letters, meetings)
(10.6.a) review security logs at least daily and follow-up on exceptions
(12.2.a) The Information Technology Office (or equivalent) shall maintain daily
administrative and technical operational security procedures that are consistent with the
PCI-DSS (for example, user account maintenance procedures, and log review procedures).
System and Application Administrators shall:
(12.5.2) monitor and analyze security alerts and information and distribute to appropriate
personnel
(12.5.4) administer user accounts and manage authentication
(12.5.5) monitor and control all access to data
(12.8.1) maintain a list of service providers
(12.8.3) ensure there is a process for engaging service providers, including proper due
diligence prior to engagement
(12.8.4, 12.4) maintain a program to verify service providers' PCI-DSS compliance status,
with supporting documentation
(10.7.a) retain audit logs for at least one year
The Human Resources Office (or equivalent) is responsible for tracking employee
participation in the security awareness program, including:
(12.6.1.b) facilitating participation upon hire and at least annually
(12.6.2) ensuring that employees acknowledge in writing at least annually that they have
read and understand the company's information security policy
(12.7) screening potential employees prior to hire to minimize the risk of attacks from
internal sources
Internal Audit (or equivalent) is responsible for executing an annual (12.1.2) risk
assessment process that identifies threats, vulnerabilities, and results in a formal risk
assessment.
General Counsel (or equivalent) will ensure that for service providers with whom
cardholder information is shared:
(12.8.1, 12.4) written contracts require adherence to PCI-DSS by the service provider
(12.8.2, 12.4) written contracts include acknowledgement of responsibility for the security
of cardholder data by the service provider
Scoping the Cardholder Data Environment
The scope is not technology dependent, but neither is it focused solely on servers, applications
and firewalls. Processes and procedures may also form part of the scope, as they could affect the
security of card data.
As the scope grows, so does the complexity. It is therefore in everyone's interest to keep the
scope as small as possible.
A concept which is very often misunderstood is the scope of PCI, which is referred to as the
Cardholder Data Environment (CDE). This may be the most important term in the entire PCI
vocabulary because it determines which systems, applications, processes and procedures are
considered relevant to PCI and therefore need to be protected.
Cardholder Data Discovery
ControlCase Data Discovery (CDD) addresses this key need for credit card data discovery and
was one of the first comprehensive scanners that searches for credit and debit card data not
only on file systems but also in most commercial and open source databases, and all this
searching is done WITHOUT installing any agents on any scanned system. We scan the whole
enterprise from one location.
https://controlcase.com/data_discovery.php
Network Segmentation
Network segmentation can be achieved through internal network firewalls, routers with strong
access control lists or other technology that restricts access to a particular segment of a
network. VLANs and ACLs must be implemented properly for the segmentation to be effective.
PCI DSS Version 3.0 Overview
The five most important changes for merchants are:
Area 1: Penetration testing // testing activities (internal and external) must use an
industry-accepted penetration testing methodology.
Area 2: Inventorying system components // practice among application vendors and system
integrators differs, so merchants' IT and compliance teams will have to spend a lot more time
developing and improving ways to create and manage these inventories.
Area 3: Vendor relationships // if an organization uses a hosted data center vendor, the
physical access restrictions of that data center might be managed by the vendor, while the
administrative side of providing access might be managed by the customer organization. PCI DSS
3.0 requires that merchants explicitly agree to and document this segregation of duties with the
vendors or service providers in question.
Area 4: Antimalware // antivirus mechanisms may only be disabled or altered with specific
authorization from management.
Area 5: Physical access and point of sale // physical access must be authorized and based on
individual job function, and access must be revoked immediately upon termination (point 9.9).
Compensating Controls
A compensating control is a data security measure that is designed to satisfy the requirement for
some other security measure that is deemed too difficult or impractical to implement.
Segregation of duties (SoD) is an internal control designed to prevent error and fraud by
ensuring that at least two individuals are responsible for the separate parts of any task. Fraud
and error are risks in payroll management. To mitigate that risk, a company might have one
employee responsible for the accounting portion of the job and another responsible for signing
the checks. However, segregation of duties can be difficult for businesses with small staffs.
Compensating controls, in this case, might include maintaining and reviewing logs and audit
trails.
Likewise, encryption is an important security measure for potentially sensitive data. However, it
can be difficult and expensive to implement and can cause problems for applications.
Compensating controls in lieu of comprehensive data encryption include database security
applications and services, network access control (NAC), data leak prevention and e-mail
encryption. As is frequently the case, multiple compensating controls may be required to provide
security that is equivalent to the control being replaced.