PHILIPPINES :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

Effective Data Security Measures on Payment Cards through PCI DSS

Post on 07-Feb-2022



Effective Data Security Measures on Payment Cards through PCI DSS

Learning Bites

• Comprehend the foundations, requirements, and benefits of PCI-DSS

• Recognize the need for compliance and the issues and challenges that come with it

• Understand the documentation and audit requirements of the standard

• Demonstrate compliance with all legal and regulatory requirements.

High Profile Data Breaches

• There were an estimated 33 million debit cards and 8 million credit cards in circulation in the Philippines in 2009.

• The number of credit cards in circulation enjoyed healthy growth in 2010 as financial companies kept interest rates low, similar to 2009 levels.

• Also, industry players have introduced a “pay later” function, which creates a low interest rate climate to encourage usage of cards.

• With the growth of financial cards in circulation, the value of card transactions also increased, at the expense of cash transaction value as a proportion of total consumer expenditure.

• The value share growth of card payments is expected to continue in the forecast period as consumers increasingly become comfortable using financial cards.

(Source: Euromonitor International, January 2010 & February 2011)

In the Philippines…

[Pie chart: Hacking Statistics – by Industry. Categories: Hospitality Services, Financial Services, Retail, Food & Beverages, Business Services, Technology, Education, Manufacturing, Others]

[Pie chart: Hacking Statistics – by Vector. Categories: Outside, Inside-Accidental, Inside-Malicious, Inside, Unknown]

Data Breaches Statistics

Founders of PCI SSC

PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data.

Payment Card Industry Security Standards

• Visa & Mastercard: member organizations who can be either Acquirers or Issuers (or both)

• Acquirers: members of the Visa or Mastercard organizations which handle merchants

• Issuers: members of the Visa or Mastercard organizations that issue the cards to Cardholders

• Merchants: those entities who “accept” card transactions

• Cardholders: well, cardholders…

• Service Providers: entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above

Terminologies

[Diagram: relationships between the parties]

• An Acquirer and/or an Issuer is a member of Visa and/or Mastercard

• The Acquirer provides processing services to the Merchant

• The Issuer issues cards to the Cardholder

• The Cardholder uses the card to buy from the Merchant

• The Acquirer may or may not be the same as the Issuer

Diagrammatically…

Key Regulations/Requirements – by VISA

PCI DSS Versions

• About 130 individual requirements under the 12 requirements

• With the major exception of the requirement to encrypt cardholder data, the requirements only represent generally accepted good security practice.

• PCI does not represent an onerous ideal, but very many organisations are still only fully compliant with a small proportion of the requirements.

• The standard is very prescriptive (unlike e.g. SOX, ISO 27001), but compensating controls are permitted in certain areas subject to the acquirer’s or Payment Brand’s approval.

PCI DSS Requirements - Outlined

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

PCI DSS is based on fundamental data security practices.

PCI DSS General Information

The Prioritized Approach and its milestones are intended to provide the following benefits:

• Roadmap that an organization can use to address its risks in priority order

• Pragmatic approach that allows for “quick wins”

• Supports financial and operational planning

• Promotes objective and measurable progress indicators

• Helps promote consistency among Qualified Security Assessors

PCI DSS Prioritized Approach

12 PCI DSS Requirements (grouped by goal):

• Build & Maintain a Secure Network (Requirements 1 & 2)

• Protect Cardholder Data (Requirements 3 & 4)

• Maintain a Vulnerability Management Program (Requirements 5 & 6)

• Implement Strong Access Control Measures (Requirements 7, 8 & 9)

• Regularly Monitor & Test Networks (Requirements 10 & 11)

• Maintain an Information Security Policy (Requirement 12)

Prioritized Approach (Security Milestones):

• Security Milestone #1: If you don’t need it, don’t store it

• Security Milestone #2: Secure the perimeter

• Security Milestone #3: Secure applications

• Security Milestone #4: Control access to your systems

• Security Milestone #5: Protect stored cardholder data

• Security Milestone #6: Finalize remaining compliance efforts & ensure all controls are in place

PCI DSS Requirements and Milestones

Assess

• PCI DSS Framework and Scope of Assessment

• Map out data flow

• Gap Analysis & Risk Assessment

Remediate

• Development of Remediation Plan

• Implementation of Remediation Plan

• PCI Security Scan (Pentest & Vulnerability Assessment)

• Physical Security Assessment

Report

• On-Site Assessment & Attestation of Compliance

• Self-Assessment Questionnaire (SAQ)

PCI Compliance, Phases & Deliverables

• PCI (Payment Card Industry) compliance, a requirement for accepting credit card transactions, can be difficult.

• About 65% of global enterprises are still working on their PCI compliance initiatives.

• But PCI compliance is an ongoing effort, not a bounded IT security project.

(Source: Forrester Research, September 2008)

PCI DSS Compliance: Difficult & Ongoing

• Identifying data locations (PAN, track 2, CVV2/CVC2)

• Encryption of cardholder data

• Monitoring cardholder data access

• Changing business processes

• Changing technology

• Cost of compliance

Key Challenges
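Requirement 3 (protect stored cardholder data) and the first key challenge above, finding where PAN and track 2 data actually live, both start with discovery. The following is an added example, not part of the ECC International deck: a small Python scanner that locates Luhn-valid PANs and ISO 7813 track 2 strings in text and reports them only in the first-six/last-four masked form PCI DSS permits for display. The regex patterns and the sample log lines are constructed for this example; the PANs in them are the well-known Visa/Mastercard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
# (loose on purpose; the Luhn check below filters out order numbers and timestamps).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample log lines; the PANs are the public Visa/Mastercard test numbers.
SAMPLE_LOG = """2022-02-07 10:15:01 order=1234567890123456 status=ok
customer note: card 4111 1111 1111 1111 exp 12/25
swipe dump: ;5555555555554444=2512101123456789?
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real PAN passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> list:
    """Return (kind, masked_pan) per hit; full PANs never leave this function."""
    hits, track2_spans = [], []
    # Track 2 first: it may never be stored after authorisation, so it is the worst finding.
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1))))
            track2_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in track2_spans):
            continue            # already reported as part of a track 2 string
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(("pan", mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for kind, masked in find_cardholder_data(SAMPLE_LOG):
        print(f"{kind}: {masked}")
```

Run against real log and file shares, the masked report is what goes into the data-flow map; the order number on the first sample line is rejected by the Luhn check, which is why the regex alone is not enough.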

Thank you very much!

facebook.com/eccinternational

linkedin.com/company/ecc-international

eccinternational.wordpress.com