Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS), April 28, 2012, Cathy Pettis, SVP, ICUL Service Corporation

Dec 30, 2015

Page 1: Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS), April 28, 2012, Cathy Pettis, SVP, ICUL Service Corporation.

Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS)

April 28, 2012

Cathy Pettis, SVP

ICUL Service Corporation

Page 2

PCI Background

• PCI-DSS was developed to:
  – Encourage and enhance cardholder data security
  – Facilitate adoption of consistent data security measures globally
  – Provide a baseline of operational and technical requirements to protect data

Page 3

Who does PCI-DSS Apply To?

• To ALL entities involved in Payment Card Processing:
  – Merchants
  – Acquirers
  – Processors
  – Issuers
  – Service Providers

Page 4

The Question is

• Do you STORE

• PROCESS

• Or TRANSMIT

• Cardholder Data?????

Page 5

The Answer

• YES, if you:
  – Store Cardholder Reports
  – Run a Card Data Module on your Data Processing System
  – Process Card Files: post transactions in batch or on-line (ATM, Debit, Credit)
  – Transmit Files: PBF, Card Issuance, Online Authorizations

Page 6

What are the Requirements

• Build and Maintain a Secure Network

• Protect Cardholder Data

• Maintain a Vulnerability Management Program

• Implement Strong Access Control Measures

• Regularly Monitor and Test Networks

• Maintain an Information Security Policy

Page 7

Build and Maintain a Secure Network

• 1. Install and maintain a firewall configuration to protect cardholder data

• 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Page 8

Protect Cardholder Data

• 3. Protect stored cardholder data

• 4. Encrypt transmission of cardholder data across open, public networks

Page 9

Maintain a Vulnerability Management Program

• 5. Use and regularly update anti-virus software and programs

• 6. Develop and maintain secure systems and applications

Page 10

Implement Strong Access Control Measures

• 7. Restrict access to cardholder data by business NEED TO KNOW

• 8. Assign a unique ID to each person with computer and data access

• 9. Restrict physical access to cardholder data

Page 11

Regularly Monitor and Test Networks

• 10. Track and Monitor all access to network resources and cardholder data

• 11. Regularly test security systems and processes

Page 12

Maintain an Information Security Policy

• 12. Maintain a policy that addresses information security for all personnel

Page 13

Requirements---Easy

• There are ONLY 12

Page 14

PCI DSS Applicability

• Wherever account data is stored, processed or transmitted????

• Account data is Cardholder Data PLUS Sensitive Authentication Data:
  – Cardholder Data: Primary Account Number (PAN), Cardholder Name, Expiration Date and Service Code

Page 15

Applicability Information cont’d

• Sensitive Authentication Data includes:
  – Full magnetic stripe data or equivalent on a chip
  – CAV2/CVC2/CVV2/CID
  – PINs/PIN Blocks

Page 16

Here’s THE Test

Page 17

Is Storage Permitted?

• PAN: Yes

• Cardholder Name: Yes

• Service Code: Yes

• Expiration Date: Yes

• Full Magnetic Stripe Data: No

• CVV/CVC/CAV/CID: No

• PIN/PIN Block: No

Page 18

If YES, now what?

• Stored data MUST be unreadable:
  – PAN: Yes
  – Cardholder Name: No
  – Service Code: No
  – Expiration Date: No

• Sensitive Authentication Data cannot be stored, period
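The storage rules on pages 17 and 18 as a small audit and sanitisation routine, added here as an illustration and not code from the deck or from ICUL. It assumes truncation (first six / last four digits) plus a keyed one-way hash as the method for rendering the PAN unreadable, and the field names, sample record and key are constructed.

```python
import hashlib
import hmac
STORAGE_POLICY = {  # field: (may_store, must_be_unreadable), as listed on pages 17 and 18
    "pan":             (True,  True),
    "cardholder_name": (True,  False),
    "service_code":    (True,  False),
    "expiration_date": (True,  False),
    "track_data":      (False, False),  # full magnetic stripe or chip equivalent
    "cvv2":            (False, False),  # CAV2/CVC2/CVV2/CID
    "pin_block":       (False, False),  # PIN / PIN block
}
HASH_KEY = b"constructed-demo-key"  # constructed; production keys live in a key store
# Constructed sample record as an application might hold it before writing to disk.
SAMPLE_RECORD = {
    "member_id": "M-1001", "pan": "4111 1111 1111 1111", "cardholder_name": "A. Member",
    "expiration_date": "0413", "service_code": "201", "cvv2": "123",
    "track_data": "B4111111111111111^MEMBER/A^0413201", "pin_block": "0A1B2C3D",
}

def digits_of(value) -> str:
    return "".join(ch for ch in str(value) if ch.isdigit())

def render_pan_unreadable(pan: str) -> tuple:
    # Assumed method: truncate to first six / last four for display, plus a keyed
    # one-way hash so stored records can still be correlated by card.
    d = digits_of(pan)
    if len(d) < 13:
        raise ValueError("PAN too short")
    masked = d[:6] + "*" * (len(d) - 10) + d[-4:]
    return masked, hmac.new(HASH_KEY, d.encode(), hashlib.sha256).hexdigest()

def storage_violations(record: dict) -> list:
    # Audit a record as it sits on disk: SAD present, or PAN still readable.
    problems = []
    for field, (may_store, must_be_unreadable) in STORAGE_POLICY.items():
        value = record.get(field)
        if value in (None, ""):
            continue
        if not may_store:
            problems.append(f"{field}: sensitive authentication data must not be stored")
        elif must_be_unreadable and len(digits_of(value)) >= 13:
            problems.append(f"{field}: stored in readable form")
    return problems

def sanitize_for_storage(record: dict) -> dict:
    # Drop SAD outright; PAN is the one storable field that must be made unreadable.
    out = {k: v for k, v in record.items() if STORAGE_POLICY.get(k, (True, False))[0]}
    if "pan" in out:
        out["pan_masked"], out["pan_ref"] = render_pan_unreadable(out.pop("pan"))
    return out
```

Running `storage_violations` over records already on disk is the quick way to find the "YES" cases from page 5 that still hold data the deck says must never be stored.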

Page 19

What Next

• Perform a Risk Assessment

• Know what data you have, who has access and what you do with it

• Know how your network is secured

• Establish an Information Security Policy and Standards Document

• Engage the Board of Directors, Internal Auditor, External Auditor

Page 20

What Next cont’d

• Make a Plan to become PCI Compliant

• Engage the services of a Qualified System Assessor (QSA)

• Validate your data providers are PCI Certified

Page 21

Next

• Security, physical and data, is everyone’s responsibility

• Take it seriously and protect your member cardholder data

Page 22

Questions???

Page 23

Resources

• www.pcisecuritystandards.org

Page 24

THANK YOU

• Cathy Pettis, SVP

[email protected]