Weekend Conference 7 & 8 September 2013
The influence of PCI upon retail payment design and architectures
Ian White, QSA, Head of UK&I and ME PCI Team
September 4, 2013

Slide 2: Agenda
• The PCI DSS
• The Retail Environment
  – Card Payments
  – The Retail Environment
    • The retail store
    • eCommerce
    • The call centre (MOTO)
• Current challenges
• Further Information

ISG Weekend Conference 7 & 8 September 2013. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Slide 3: The PCI Data Security Standard
• Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
• Currently on version 2.0, with Version 3.0 published 7th Nov 2013
• Compliance is managed by the individual Card Brands
• Recognises Merchants and Service Providers (or TPP / DSE)
• Annual validation usually based around transaction volumes (SAQ or Report On Compliance)
• QSA and ISA roles exist to support independent validation against the control requirements
• An industry standard – but backed by legislation in some jurisdictions, and should perhaps be viewed as "best practice"

Slide 4: The Payment Card Industry standards
• PCI DSS – covers the security of environments that store, process or transmit Account Data
• PCI PA DSS – covers Payment Applications so that they can support PCI DSS compliance
• PCI PTS – covers hardware devices, for example HSMs and PEDs, for protection of the PIN
• PCI P2PE – encryption, decryption and key management within secure devices (hardware / hardware)
• PCI PIN – secure management, processing and transmission of PIN data during online and offline payment processing

Slide 5: Account Data
[Diagram: Account Data, broken down into Cardholder Data and the magnetic-stripe Track 1 and Track 2 data]

Slide 6: The PCI DSS Requirements (PCI DSS Version 2.0)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Slide 7: The Retail Environment
[Diagram: acceptance channels (Store POS terminals and POS Controller at Site A, Internet, MOTO Call Center at Site D), corporate systems (Authorization Servers, POS Databases at Site B, Finance at Site C, Loyalty, Printer at Site E) and institutions (Acquirers)]

Slide 8: "Connected To" Systems
• "Connected To" systems support the controls that protect the Cardholder Data Environment (CDE) and as such may be considered to be "in scope" of the PCI DSS for some requirements
• Typical examples include:
  – Active Directory (user accounts)
  – Log Management
  – AV / malware software update / management servers
  – Patching servers
  – Backup servers
  – Terminal Servers
  – Time Servers
  – Support personnel desktops / laptops
  – …
Slide 9: Authorisation
The merchant requests and receives authorisation from the issuer to proceed with the transaction, and receives an authorisation code.
[Diagram: seven-step flow between Cardholder, Merchant, Service Provider (WWW), Acquirer, Card Scheme network, Issuer and BofE]

Slide 10: Clearing
The acquirer sends the issuer the purchase information; the issuer responds and then prepares for settlement of funds.
[Diagram: three-step flow between Cardholder, Merchant, Service Provider (WWW), Acquirer, Card Scheme network, Issuer and BofE]

Slide 11: The Store Environment - expected
[Diagram]

Slide 12: The Store Environment – actual?
[Diagram]

Slide 13: The Store Environment – with segmentation
[Diagram]

Slide 14: The Store Environment – P2PE?
[Diagram, with callouts:]
• PED and stand-alone chip-and-PIN reader that are P2PE validated
• POS servers communicate with the corporate office, and card data is transmitted to the P2PE solution provider

Slide 15: Point-to-Point Encryption (P2PE)
• Currently very few solutions have been validated (2)
• The POI device encrypts the card data at the read head using a key that the merchant has no access to
• P2PE supports HW to HW and so-called HW to Hybrid solutions (the term "Hybrid" refers to the decryption of the data taking place outside of the HSM, in software on a host system that uses an HSM to protect the keys)
• The use of a P2PE solution might enable a merchant to use a wide range of devices, such as the iPad, as they would only be providing a secure communications path for the (encrypted) data
[Screenshot: PCI SSC list of validated P2PE solutions as at 6th Sept 2013]

Slide 16: The eCommerce Environment - expected
[Diagram, source: PCI SSC QSA training 2011]

Slide 17: The eCommerce Environment – actual?
[Diagram, source: PCI SSC QSA training 2011]

Slide 18: The eCommerce Environment – with segmentation
Which PCI DSS requirements apply here – if any?
[Diagram]

Slide 19: The eCommerce Environment – Using a Third Party?
Which PCI DSS requirements apply here – if any?
[Diagram]

Slide 20: The Call Centre – areas to consider
• Policies and Procedures
• Virtual terminals
• Call recording software

Slide 21: Some of the current challenges for retail
• Logging
• Legacy systems and encryption
• CCTV – especially in the retail store environment
• P2PE vs E2EE
• Wireless scanning / NAC
• Virtualisation / Cloud Services
• Contractual frameworks for third parties
• Loyalty schemes (Tokenisation?)
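The "Logging" challenge above, together with Requirement 3 (protect stored cardholder data) and the Account Data breakdown on slide 5, comes down to one recurring question in a PCI assessment: is account data leaking into logs? The scanner below is an added example, not part of the slides or of Verizon's tooling. It runs over constructed log lines, strips Track 1 / Track 2 data outright (magnetic-stripe track data is sensitive authentication data and must not be retained after authorisation) and masks any Luhn-valid PAN to the first six and last four digits, which is the PCI DSS masking convention. The log format, the host name POS-07 and the test PAN are all assumptions.

```python
import re

# Track 2: ';' + PAN + '=' + YYMM expiry + service code + discretionary data + '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Track 1: '%B' + PAN + '^' + name + '^' + YYMM expiry + service code + discretionary + '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; 4111111111111111 is a well-known Luhn-valid test PAN
SAMPLE_LOGS = [
    "2013-09-04 10:15:02 POS-07 auth ok pan=4111111111111111 amount=19.99",
    "2013-09-04 10:15:03 POS-07 raw=;4111111111111111=1512101123456?",
    "2013-09-04 10:15:05 POS-07 raw=%B4111111111111111^DOE/JOHN^1512101000000000?",
    "2013-09-04 10:15:09 POS-07 order=20130904101510 amount=5.00",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters timestamps and order ids that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS masking rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> dict:
    """Return the line with account data sanitised plus a list of (kind, masked PAN)."""
    findings = []
    # Track data is sensitive authentication data: it is removed outright, not masked
    for rx, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
        findings += [(kind, mask_pan(m.group(1))) for m in rx.finditer(line)]
        line = rx.sub("[TRACK DATA REMOVED]", line)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave it alone
        findings.append(("pan", mask_pan(digits)))
        return mask_pan(digits)
    return {"sanitised": PAN_RE.sub(_mask, line), "findings": findings}

def scan_logs(lines: list) -> list:
    """Scan every line; the findings show which source is leaking account data."""
    return [scan_line(line) for line in lines]
```

The findings only ever carry the masked PAN, so the scanner's own report can be kept without itself becoming stored cardholder data.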
Slide 22: Further Information
Go to www.pcissc.org for detailed information and documentation (standards, guidance and FAQ).
The Card Brands and Acquiring banks have many documents that provide detailed advice and guidance on the PCI DSS and associated compliance issues.
http://www.verizonenterprise.com/DBIR/2013/
Ian.white@intl.verizon.com