The Payment Card Industry (PCI) Compliance 101
Name: John Cebulski
Title: Security Engineer
Contact: jcebulski@us.checkpoint.com
©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.
puresecurity™
Today’s Agenda
• Modern history of PCI
• PCI Data Security Standard v1.1
– Version 1.1 updates
– Compensating controls
– General roles and responsibilities
– PCI compliance validation process
» Network scanning
» Company audit
» Report of compliance
• Why worry about PCI DSS?
• The challenges of PCI compliance
– Customer challenges of PCI compliance
– Devices affected
– Results of PCI challenges
– Companies in the PCI spotlight
• Tips for facing the compliance challenge
Modern History of the Payment Card Industry

Mid-1980s
– Rapid growth in payment card industry, fraud increases
– Individual companies begin early fraud detection and prevention efforts

1990s
– Sophistication of networks increases
– Fraud and detection technologies grow
– Fraud continues to increase
– 1999: Gramm-Leach-Bliley Act

2000s
– 2000: Visa Cardholder Information Security and Account Information Security programs
– 2000: MasterCard: Site Data Protection program
– Early 2000s: Major fraud disclosures*
– 2002: Sarbanes–Oxley Act
– 2005: MasterCard and Visa jointly release PCI Data Security Standard 1.0
– 2006: PCI Security Standards Council, PCI 1.1 released
Drivers for PCI Data Security Standardization
• Increased fraud
– Fraud is big business!!
– 2005*
» 9.3 million US victims
» $54.4 billion total fraud costs in one year
• Regulatory requirements
– Increased pressure
– Vague implementation
• Confusing payment card efforts
– Overlapping requirements and duplicated activities
– Increased confusion on part of merchants and providers
*Source: Javelin Strategy & Research, January 2006

Sidebar: notable carding cases
Date | Organization | Offense
June 2004 | Ukrainian Roman Vega aka ‘BOA’ | Caught with more than 80,000 credit card accounts
September 2004 | Carderplanet.com | Credit card hacking guides site
October 2004 | Shadowcrew | Sales of stolen and counterfeit IDs
As of May 2007, still running | Cardersmarket.com | Buys and sells payment card data
PCI Data Security Standard v1.1 Today
• Six Categories
• 12 Sections
– Many subsections
• PCI DSS is only part of PCI compliance
– PCI DSS
– MasterCard’s Site Data Protection Program (SDP): http://www.mastercard.com/us/sdp/index.html
– Visa’s Cardholder Information Security Program (CISP): http://usa.visa.com/merchants/risk_management/cisp.html
Diagram: Compliance for MasterCard and Compliance for VISA both build on the PCI DSS.
If a Primary Account Number (PAN) is stored, processed, or transmitted, the PCI DSS requirements APPLY.
What’s New to the PCI Landscape?
• New to PCI 1.1 (Sept. 2006)
– Clarification of vague language
– Application firewalls required by June 30, 2008 (6.6)
– Malicious software, like spyware and adware, is included in antivirus capabilities (5.1.1)
– New “compensating controls” section (Appendix B)
– Penetration testing to include application and network layers (11.3)
• Compliance timeframe
– Level 1 Merchant/Service Provider deadline: September 30, 2007
– Level 2 Merchant/Service Provider deadline: December 31, 2007
– Level 3 Merchant/Service Provider deadline: Contact acquirer or card vendor
– Level 4 Merchant deadline: Summary of PCI compliance plan, via acquirer, by July 30, 2007
• VISA and MasterCard “Leading the Charge” for PCI compliance
– Emphasis on Level 1, 2, and 3 Merchants
– Acquirers should have submitted a summary of their L4 Merchants’ PCI compliance plan by July 30, 2007
Example: Compensating Control
Source: Appendix C, Compensating Controls WS
PCI Today—Roles
DEFINE: PCI Security Standards Council
• Independent body
• Eliminates competing and overlapping brand-specific requirements
• Members include American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa Int’l
• Defines security and process requirements and general security guidelines
• Certifies Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) and maintains certification lists
• www.pcisecuritystandards.org
ENFORCE: Payment Card Brands
• Enforcement arm
• Can levy stiff fines
• Prohibit processing of credit card transactions
• Merchant or Service Provider Categorization: to what degree must they be compliant?
› Levels 1–4 for Merchants
› Levels 1–3 for Service Providers
• Varying levels of audits, scans, and assessments based on level status
Acquirers (banks that process transactions)
• Enforcement arm
• Can levy stiff fines
• Prohibit processing of credit card transactions
• Manage Merchants’ compliance programs
› MasterCard’s SDP program
AUDIT: QSAs and ASVs (and acquirers)
• Assess and validate compliance
• Reports given to customers
• Listed on the council Web site
IMPLEMENT: Participating Organizations (accept credit/debit card payments)
• Merchants, Service Providers
• Any organization that stores, processes, or transmits cardholder data
PCI Compliance Validation
• Audits and Self-Assessments
• Network Scans
• Report on Compliance
PCI Compliance Validation
Merchants
• Level 1
– Description: Over 6M annual transactions; security breach resulting in data compromise
– On-Site Security Audit: Annually
– Network Scans: Quarterly
• Level 2
– Description: 15,000 to 6M annual transactions
– Self Assessment: Annually
– Network Scans: Quarterly
• Level 3
– Description: 20,000 to 150,000 annual transactions
– Self Assessment: Annually
– Network Scans: Quarterly
• Level 4
– Description: All others
– On-Site Security Audit: Based on vendor’s choice
– Self Assessment: Annually
– Network Scans: Quarterly
Service Providers
• Level 1
– Description: All processors and payment gateways
– On-Site Security Audit: Annually
– Network Scans: Quarterly
• Level 2
– Description: Not in level 1; stores, processes, or transmits over 1M accounts annually
– On-Site Security Audit: Annually
– Network Scans: Quarterly
• Level 3
– Description: Not in level 1; stores, processes, or transmits less than 1M accounts annually
– Self Assessment: Annually
– Network Scans: Quarterly
PCI Compliance Validation: What can I expect from an audit?
Audit flow:
– Company XYZ is audited by QSA
– QSA completes audit based on PCI Audit Procedures
– Company receives report from QSA with “Open Items” and “Target Resolution Dates”
– QSA reassesses
– Company passes audit
– Company XYZ keeps audit and submits to Card Vendor or Acquirer
PCI Compliance Validation
• Network scans
– Performed by a certified auditor
– Externally facing IP addresses
– Scan of ALL 65,535 ports
– Severity Levels 3–5 must be remedied
• Technical report with vulnerabilities and steps for resolution
• PCI-approved compliance statement to Vendor or Acquirer
PCI Report on Compliance and Visa: Level 1–3 Merchants
• Level 1 Merchants (via Acquirer)
– On-site PCI data security assessment completed by QSA
– Letter signed by a merchant officer
– Confirmation of report accuracy form completed by QSA
– Acquirer accepts ROC and submits confirmation ROC form and acceptance letter to Visa
• Level 1, 2, and 3 Merchants
– Acquirers responsible for ensuring quarterly network security scans for Level 1, 2, and 3 Merchants
– Quarterly network security scans may be required of Level 4 Merchants as specified by their acquirers
• Level 2 and Level 3 Merchants
– Must complete the annual PCI self-assessment questionnaire
– Level 4 Merchants may be required by their acquirers to complete the PCI self-assessment questionnaire
PCI Report on Compliance and Visa: Service Providers
• Level 1 and Level 2 Service Providers
– Annual self-assessment questionnaire
– Annual on-site PCI data security assessment
– Supply to the acquirer, serving as a template for the ROC
– Employ a QSA to complete the Report on Compliance
• Level 1, 2, and 3 Service Providers
– ASV performs a quarterly network scan on the Internet-facing network perimeter systems
• Level 3 Service Providers
– Complete the annual PCI self-assessment questionnaire
Why Worry About PCI DSS?
• Reduce the risk of incidents
– Prevent a “CNN moment”
» Negative publicity
– Loss of revenue
– Placed in higher Level, requiring more frequent compliance measures
– Fines and penalties levied
» From acquirer to acceptor
• Barred from processing credit card transactions
• Higher processing fees
The PCI Challenge for Merchants and Service Providers
• All or Nothing: 99 percent compliance is still failing. PCI DSS v1.1 begins to address this issue (Compensating Controls) and is the new standard as of January 1, 2007.
• Cost Effective and Unified: Purchasing and integrating point solutions takes time and effort. Many companies do not have the in-house staff to address this challenge. TCO must be addressed.
• Performance Becomes a Concern
• Multiple Standard Requirements
The PCI Challenge: One of Many
Growing lists of regulations can deplete resources
• Gramm-Leach-Bliley
• Sarbanes-Oxley Act of 2002
• U.K. Public Records Office DOD 5015.2
• E.U. Data Protection Directive
• CA SB 1386, 1950
• FDA 21 CFR 11
• Homeland Security Act
• U.S. Patriot Act
• HIPAA
• Basel II
• Foreign Corrupt Practices Act
• SEC Rules 17a-3 and 17a-4
• Computer Fraud and Abuse Act
• Fair and Accurate Credit Transactions Act (FACT)
• NASD 3110
• IASB/FASB
• EPA
• TREAD Act
• Computer Security Act
• FISMA
• Customs C-TPAT
• Canada’s PIPEDA
[Figure: word cloud of overlapping regulatory and risk topics: COSO/COBIT, Business partners, Terrorism, EU data protection, HIPAA, Basel II, BS7799, Physical security, Privacy, PCI DSS, Business continuity, Liability, Investment, SB1386, GLBA, Information security, ISO17799, Industry regulation, Operational risk, Data storage, Data retention, Credit risk, Compliance, Audits, Sarbanes-Oxley, Reputation, Intellectual property]
The PCI Challenge: Devices affected
The PCI DSS v1.1 requirements apply to ALL “system components,” defined as any network component, server, or application included in, or connected to, the cardholder data environment.
“Network component” refers to firewalls, network appliances, routers, switches, wireless access points, and other network and security components.
Servers include, but are not limited to, authentication, database, domain name service (DNS), email, network time protocol (NTP), proxy, and Web servers.
Applications include all purchased and custom applications, including internal and external (Web) applications.
The PCI Challenge - Result
A Very Complicated, Sprawling Network to Manage
• Firewalls, OS servers, routers, switches, IPS, antivirus, Web servers, policies, and rules
• Gigabytes to terabytes of data in different formats
Companies in the PCI Spotlight
• Bank of America
• BJ’s Wholesale Club
• Cardsystems Solutions
• ChoicePoint (NOT CHECK POINT)
• CitiGroup
• DSW Shoe Warehouse
• Hotels.com
• LexisNexis
• Wachovia
• Polo–Ralph Lauren
Fines
– 2005: Visa levied fines of $3.4 million
– 2006: Visa levied fines of $4.6 million
Source: Qualys http://www.qualys.com/forms/wp/pci/?lsid=6880
Source: Visa (USA), San Francisco, December 12, 2006
Tips for Facing the PCI Challenge
• Build/leverage relationships with VARs and other resellers
• Attend seminars and guest speaking engagements
– Nuggets of information
– Network with peers
• Use existing regulatory compliance programs
– ISO 27001 certifications and Sarbanes-Oxley audits look at many of the same requirements as PCI DSS v1.1
– PCI DSS offers areas of cross compliance with HIPAA and SOX
• Books and periodicals (the ol’ Amazon.com search)
• Take the “plunge,” register for vendor white papers
– Valuable nuggets contained within vendor
• Utilize PCI security standards resources
– www.pcisecuritystandards.org
– Self-assessments
– Review scanning and audit procedures
Resources and Research
• PCI Security Council Web site
– www.pcisecuritystandards.org
– PCI DSS v1.1, What’s new in v1.1, Scanning and Auditor validation requirements
• Qualys
– White paper: Winning the PCI Compliance Battle
– www.qualys.com/forms/wp/pci/?lsid=6880
• Check Point
– www.checkpoint.com/securitycafe/readingroom/general/pci_compliance.html
• StillSecure
– www.stillsecure.com/pci/index.php?rf=pcihp
– PCI Compliance: A Technology Overview (management best practices)
• www.pcicomplianceguide.org
– A 5-step guide for PCI compliance
• SANS
– www.sans.org
– Using SIM systems for PCI compliance
THANK YOU!!
Questions?
Appendix and Links
• See below
Regulatory Cross Compliance
• HIPAA 164.308
– Administrative Safeguards
» Security and access management
» Secure incident handling
• HIPAA 164.312
– Technical Safeguards
» Access and audit control, integrity
• Sarbanes-Oxley sections 404, 409, 302
– Effective controls on data privacy
– Real-time disclosure
– CEO and CFO responsibilities for secure certification
• PCI Data Security Standard Section 10
– Tracking and monitoring all access to cardholder data
– Implement audit trails
– Record, secure, and review various audit trails for system components
• PCI Data Security Standard Section 11
– Use NIDS, NIPS, HIDS, HIPS to monitor and alert to compromises
» Require SIEM solutions that can effectively tie in point product data