Understanding Credit Card

Security Requirements

Gregory Dove, Manager, Information Systems Audit Manager

AOA Meeting -- January 14, 2008

In The Virtual Storefront

Unlike merchants who operate in the physical world, you do not have
face-to-face contact,
a card-in-hand, or
an actual signature
a physical door with a lock and key
a security guard posted 24/7 for protection.
Cyber-thieves know all of this and are always on the look-out for
merchants who have hung up a virtual shingle, but have let their risk
management guard down.
Its up to you to understand the unique issues of running a virtual
storefront and take a strategic approach to proactively address
these issues and position your business for success.

The business case for security

Proper security enables a company to meet its business
objective by providing a safe and secure environment that helps
avoid:

Loss of revenue
Loss or compromise of data
Interruption of business process
Legal consequences
Damage to customer and partner confidence
Damage to reputation

A more secure retail store also enables easier and safer

connectivity with customers and business partners

If The Business Case didnt Convince You

If an organization doesn't know that they need
to be PCI compliant, or if an organization just
doesn't want to be bothered by having to
obtain PCI compliance, it soon will not matter.
The goal is to have all merchants, regardless
of their merchant level, compliant with PCI
DSS.
4

PCI DSS
Payment
Industry
StandardCard
that is
applied to: Data Security Standard
Merchants
Service Providers (Third Third-party vendor, gateways)
Systems (Hardware, software)

That:
Stores cardholder data
Transmits cardholder data
Processes cardholder data

Applies to:
Electronic Transactions
Paper Transactions

PCI DSS Exempt Myth

All merchants are subject to the standard and to card association rules
No exemption provided to anyone

Immunity does not apply because

Requirement is contractual - not regulatory or statutory

Card associations can be selective who they provide services to
Merchants accept services on a voluntary basis
Merchants agree to abide by association rules when they execute
merchant bank agreement

e-

Merchant banks are prohibited by association rules from indemnifying a

merchant from not being compliant with the standard
Association Rules require merchant banks to monitor merchants to ensure
their compliance
Failure of a merchant bank to require compliance jeopardizes the merchant
bank banks right to continue to be a merchant banks
Any fines levied are against the merchant bank, which in turns passes the
fines onto the merchant

The PCI framework is divided into 12 security

requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security
parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive information across
public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications

The PCI framework is divided into 12 security

requirements
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy.
12. Establish high-level security principles and procedures.

Compliance Vs Validation
Compliance Means adherence to the standard
Applies to every merchant regardless of volume
Technical and business practices
Validation Verification that merchant (including its services
providers) is compliant with the standard
Applies based on Level assigned to merchant, based on
transaction volume
Two types of Validation
Self-Assessment
Certified by a Qualified Security Assessor (QSA)

Attestation Letter to Visa signed by both merchant and acquirer

bank attesting that validation has been performed

Two Components to Validation

Annual Assessment Questionnaire

Required of all merchants regardless of level

Self Self-Assessment or performed by Qualified Security Assessor (QSA)
Must not have any No answers its Fail or Pass
Applies to both technical and business

Security Vulnerability Scan - Quarterly

Required for External facing IP addresses
Web applications
POS Software and databases on networks
Applies even if there is a re-direction link to third third-party

Must be performed by Approved Scanning Vendor (ASV)

Validation based on Level assigned to merchant, based on transaction volume
Visa & MC schedules are different
Visas schedule is what most go by

10

Levels of Merchants
(Applies to Validation and Attestation, Not to Compliance)
Tier

Transactions per Year

Types of Targets

More than 6 million

Anyone with breach

Merchants, Merchant Agents,

Processors, Direct Connects

1 6 million

Merchants, Merchant Agents,

Processors

20K 1million

eCommerce Merchants

All other Merchants

Merchants

All merchants must perform external network scanning to achieve compliance.

The new program, released in May 2007, requires acquirers to develop and submit a formal written
compliance plan to Visa, which "identifies, prioritizes and manages overall risk within their Level 4
merchant populations," according to the CISP Bulletin.
For those acquirers who have not written and/or sent a summary of their plan, one must be emailed to
Visa no later than July 31, 2007. Email summaries to cisp@visa.com.

11

The current Visa and MasterCard validation

requirements are as follows:

Level 1-Visa/MasterCard-- Annual onsite review by merchant's

internal auditor or a Qualified Security Assessor (QSA) or Internal
Audit if signed by Officer of the company, and a quarterly network
security scan with an Approved Scanning Vendor (ASV).
Level 2-- Completion of PCI DSS Self Assessment Questionnaire
annually, and quarterly network security scan with an approved ASV.
Level 3-- Completion of PCI DSS Self Assessment Questionnaire
annually, and quarterly network security scan with an approved ASV.
Level 4-- Completion of PCI DSS Self Assessment Questionnaire
annually, and quarterly network security scan with an approved ASV.
Submit summary of PCI compliance plan, via acquirer, by July 30,
2007. If a breach has been reported, or found, Visa reserves the right
to move the Level 4 merchant to a Level 1. If so, the Level 4
merchant must abide by the Level 1 validation requirements.

12

The Level 4 Merchant Compliance Program

plan must consist of the following items: Acquirer

Timeline of Critical Events--Timeline of completion dates and milestones,

for overall strategy.
Risk-Profiling Strategy--Prioritization of Level 4 merchants into
subgroups, from merchants that post the greatest risk, to those that post
little risk at all. Factors such as merchant category transaction volume,
market segment, acceptance channel, number of locations can help the
acquirer target compliance efforts for each subgroup.
Merchant Education Strategy--Strategy designed to eliminate prohibited
data from being stored; protect stored data, and securing the environment
in accordance with PCI DSS. This includes ensuring that merchants are
only storing data they truly require, by complying with PCI DSSs, and by
making sure payment applications are compliant and any third-party agents
are on Visa's list of CISP-Compliant Service Providers.
Compliance Reporting--Monthly compliance reporting to executive or
board management. Visa may also periodically request that the acquirer
produce these reports.

13

Merchant levels: based on Visa transaction

volume over a 12-month period

For Visa, Inc., the merchant's transaction volume is based on the

aggregate number of Visa transactions-credit cards, debit cards,
prepaid cards - from a merchant Doing Business As ("DBA").

For merchants and/or merchant corporations who operate more than

one DBA, the aggregate volume of stored, processed or transmitted
transactions by the corporate entity must be considered, to determine
the validation level.
If the corporate entity does not store, process or transmit cardholder
data on behalf of the multiple DBAs, members will continue to consider
the DBA's individual transaction volume to determine the validation
level.

14

Security Breach Fines

Not levied by PCI Security Council
Fines levied by Card Associations
Against merchant bank, which passes fines on to merchant

Fines for security breach

Visa - Up to $500,000 per occurrence
MC Up to $500,000 per occurrence

Amount of fines dependent upon

Number of card numbers stolen

Circumstances surrounding incident
Whether Track Data was stored or not
Timeliness of reporting incident

Safe Harbor
Could limit fine amount if had been validated as compliant by a QSA
But validation is point in time Dont count on

15

Other Security Breach Costs

Fines levied by card associations to make notifications to
all card holders and replace cards
Costs of notifying customers of incident
Forensic Investigation Costs
Required by card associations
Must used approved firm (QSA)
Cost approximately $10,000

Cost associated with discontinuing accepting cards

Cost of an annual on-site security audit
Once a breach has occurred, elevated to a Level 1 merchant
Cost approximately $15,000 - $20,000

16

Document the Process Flow

Network Diagram is Required for all systems that
transmit, store or process transactions, from the
merchant system to the processor.
Put processing activities on a separate network segment
Campus network / 4CNET may need to be compliant or follow an
encrypted path

All point of entry into the network / system must be

identified and protected.
All Reports, downloads, and receipts must be
protected.
17

Why Not Paper

Physical protective measures are required for storing and
securing paper transactions.
Report distribution controlled and reports physically locked;
which is difficult to demonstrate compliance.
Transaction detail must be restricted to only authorized persons
and must be physically locked.

A detailed documented process of all printouts and paper

copies of transaction detail is required.
Difficult to demonstrate compliance without detailed
understanding of the flow process
Retention requirements must include adequate security
provisions

18

Source:

Payment Security Experts

10 Myths about PCI Compliance

1.

Im a small merchant, who only takes a handful of cards, so I dont need PCI.
A common misunderstanding with the standard is that small merchants, handling a few 10s of
credit cards a day are exempt from compliance. If you are a merchant and you are set up to
take credit cards, by any mechanism - then you need to be complaint.

2.

PCI only applies to E-commerce companies. No, PCI applies to every company
that stores, processes or transmits cardholder information. In fact anyone who takes card
present transactions that involve POS devices are more at risk than E-Commerce solutions,
quite often these types of transactions involve storage of track data (which is forbidden under
PCI). Disclosure of this type of data will bring heavy fines and requests for compensation from
the banks involved.

3.

You only have to be compliant with the majority of criteria. The pass mark for PCI
is 100%, so if you fail even one of the criteria, you fail PCI. The standard is not really meant to
be something to strive for; it is really a floor, a basis for further security measures. Failing to
achieve even one of the requirements, is failing to meet a basic standard for handling
cardholder information. All companies that routinely handle this type of data should be aiming
to exceed the standard.

19

Source: Payment Security Experts

10 Myths about PCI Compliance

4.

I only need to protect my credit card data, not ATM debit card related data.
Unfortunately, both are required. Many debit cards are dual-purpose signature debit,
which can be used on debit and credit card networks. As such, they are covered under
PCI and must be protected in the same way as credit cards.

5.

I can wait until my business grows. Unfortunately, the PCI standard applies to all
sizes of business and waiting could be costly. Should you be compromised and not be
compliant the fines and the compensation sort by the banks (it costs between $50 and $90
to replace one card) could be substantial.

6.

I can just answer yes to all the criteria on the self-assessment. The selfassessment is merely a mechanism for getting the information about the level of your
compliance to your merchant bank or to Visa. The standard applies at all times. Just
saying yes to the questions puts the merchant at great risk. If a compromise took place
and it was obvious that the merchant was not and has never been compliant, the matter
would be taken very seriously by VISA. The merchant would be risking the whole business
by answering yes to the questions, when there is no basis in fact for that answer.

20

Source:

Payment Security Experts

10 Myths about PCI Compliance

7.

As a merchant Im not liable if a credit card is compromised Merchants are liable and not
just for the credit card compromise, there are basically 4 scenarios where credit card data is
compromised: Merchants can be liable not only for the compromise but also for subsequent damages
from the issuing banks.

Discovery
Merchant
discovers the
compromise

Merchant PCI
Compliant?
Yes, and subsequent
forensic team confirm
this

VISA discovers the Yes, and subsequent

compromise
forensic team confirm
this

Reported by?

Possible Result

By the merchant to
VISA using the
approved process

VISA and the Merchant track the compromise and correct any errors in the process.
Unlikely any fines are levied and the problem is not made public

By VISA

VISA and the Merchant track the compromise and correct any errors in the process.
Merchant may be required to improve certain aspects of their security structure.
Unlikely any fines are levied and the problem is not made public

Merchant
discovers the
compromise

No, or was complaint, By the merchant to

but forensic team
VISA using the
discovered compliance approved process
lapsed

VISA and the Merchant track the compromise and correct any errors in the process.
Merchant is required to have full annual onsite audit
Merchant is required to correct any areas out of compliance and demonstrate
compliance at a date set by VISA
Fines or damages may be levied

VISA

No, or was complaint,

but forensic team
By VISA
discovered compliance
lapsed

VISA and the Merchant track the compromise and correct any errors in the process.
Merchant is required to have full annual onsite audit
Merchant will be fined by VISA via the bank and will have to pay restitution to all
issuing banks affected; the total of these fines may be $50 to $90 per card
compromised.

21

Source:

Payment Security Experts

10 Myths about PCI Compliance

I can wait until my bank asks me to be compliant. The dates for Merchants demonstrating

8.

compliance are long gone, and the Merchant is responsible for making sure they are in
compliance. Waiting until the bank asks you could be very costly indeed.

As a Merchant, I did not sign anything, saying I would be complaint; therefore, I do

not need to be. The PCI standard forms part of the operating regulations that are the rules under

9.

which Merchants are allowed to operate merchant accounts. The regulations signed when the
Merchant opens an account at the bank state that the VISA regulations have to be adhered to. Even if
you have been in business for decades, PCI still applies, if you store, process or transmit credit cards.

10. As a Merchant, Im entitled to store any data Many Merchants believe that they own the
customer and have a right to store all the data about that customer in order to help their business.
Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation
regarding privacy. The PCI regulations specifically forbid storing of any of the following:

Unencrypted credit card number

CVV or CVV2
Pin blocks
PIN numbers

Track 1 or 2 data
Any of the above found in databases, log files,
audit trails, backups etc at a Merchant can result
in serious consequences for the Merchant,
especially if a compromise has taken place.

22

Conclusion
The Data Security Risk is Significant and
Therefore Requires Appropriate Controls

The threat of data compromise is global in scope (Web)

Many parties are involved in maintaining data security
The impact of data compromise is widespread financially,
legally, and in goodwill exposures
Data security is a primary risk concern for Members,
Merchants, Service Providers, Consumers, and Regulators
Data security has evolved from an operational problem and
financial threat to a significant reputation risk

23

 Hackers hit Dave & Buster's in credit-card fraud

BY BUSINESS MATTERS EDITOR JULY 1, 2008
Houston, Tex.-based Dave & Buster's restaurants was named in the case that began in 2006 when
information on more than a million credit and debit cards was compromised in a computer hacking
incident. A 27-count indictment was issued by a New York State grand jury, according to a Justice
statement. Charged were Maksym Yastremskiy of Ukraine, Aleksandr Suvorov of Estonia and Albert
Gonzalez of Miami. The three are charged with wire fraud conspiracy, wire fraud, conspiracy to possess
unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit
computer fraud, computer fraud and interception of electronic communications.
Justice officials call the crime "a scheme in which they hacked into POS terminals at 11 Dave &
Buster's restaurants at various locations around the United States. . . then sold the stolen data to others
who used it to make fraudulent purchases or resold it to make purchases, causing losses to financial
institutions."
Stolen was "Track 2" data, the statement said. "Track 2" data is described as card numbers and expiration
dates. Losses in the case have been been in excess of $600,000.
The indictments followed arrest of Yastremskiy in Turkey and Suvorov in Germany. Gonzalez was arrested
last month in Miami.
Al Hammock, senior vice president at Envision Credit Union, said no charges or debits were incurred
against cards issued to members. However, the institution has begun the process of reissuing cards to
468 debit card holders and 144 credit card holders as a precaution.
Fines could exceed $50,000,000.00 to Dave and Busters

24

$50,000,000
$590,000

$10,000,000

Combined fines
for all three
$60,590,000
25

Discussion
and
Questions

26