Let's Dive into Payment Card Industry (PCI)
By Naveen Pal
Introduction
Working as CEO at Peripheral Security Experts Pvt Ltd. Worked in the following domains: VA, PT and implementation of PCI DSS. I have worked with many MNCs such as Wipro, Blackberry, Vodafone and TCS, and implemented PCI DSS in India's biggest cinema chain, PVR Cinemas. I have been acknowledged by Google, Yahoo and many more.
Objective
• Why is it important
• Understand the Payment Card Industry
• Understand the PCI DSS requirements
Why is it Important
2016-15 Biggest Data Breaches
• IRCTC website hacked
• Kaspersky Lab
• Multi-bank cyber heist
• Harvard University
• LastPass
And many more
Credit & Debit Card Information
Credit and debit card data is the most targeted by cyber criminals, as it involves money.
Where there is money, there comes crime and criminal minds.
BANKS
The acquiring bank (also merchant bank or acquirer) is the financial institution that maintains the merchant’s bank account. The contract with the acquirer enables merchants to process credit and debit card transactions. The acquiring bank passes the merchant’s transactions along to the applicable issuing banks to receive payment.
The issuing bank is the financial institution that issues cards to consumers on behalf of the card networks (Visa, MasterCard). The issuing bank is also known as the credit or debit card company. The issuer acts as the middle-man for the consumer and the card network by contracting with the cardholders for the terms of the repayment of transactions.
Who is Who
• Payment brands
• Banks
• Merchant
• Service provider
Working of a Credit Card Transaction (Card Present)
Card Not Present
Some Important Terms
• Authentication: Establishing who
• Authorization: Validation done by the issuer
• Clearing: Process done for the settlement
• Settlement: Agreement or resolution of a dispute (paying the dues)
Payment Card Fraud
• 1983 Re-embossed counterfeit fraud
• 1988 Re-encoded counterfeit fraud
• 1989 Card not present / fraud application
• 1991 Never received issues
• 1994 Merchant fraud
• 1994 Identity theft
• 2000 Skimmed counterfeit
• 2007 Wireless / chip sniffing and card counterfeit / fraud
• 2010 Server hacking / malware
Payment Card Industry
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. Private label cards, those which aren't part of a major card scheme, are not included in the scope of the PCI DSS.
PCI DSS applies to any entity that stores, processes or transmits account data in any form.
Account data consists of cardholder data (PAN) and sensitive data.
Entities include merchants, acquirers, issuers and service providers.
PCI DSS Ver 3.0: Control objectives and PCI DSS requirements
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Firewall and router hardening
• Firewall rule review
• Firewall rule justification
• Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.
• Verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.
• Verify that any disclosure of private IP addresses and routing information to external entities is authorized.
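As an added example (not from the slides), here is an automated pass over an exported rule base for the Requirement 1 rule-review points above: every permit rule must carry a documented business justification, overly broad permits are flagged, and the rule base must end with an explicit deny-all. The Rule layout and the sample rules are constructed for this illustration; real vendor exports differ.

```python
from dataclasses import dataclass
from typing import List

ANY = "any"

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source network, host, or "any"
    dst: str             # destination network, host, or "any"
    port: str            # service port or "any"
    justification: str   # business justification recorded during rule review

def is_deny_all(r: Rule) -> bool:
    return r.action == "deny" and (r.src, r.dst, r.port) == (ANY, ANY, ANY)

def review_rules(rules: List[Rule]) -> List[str]:
    """Return review findings; an empty list means every check passed."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action == "permit":
            if not r.justification.strip():
                findings.append(f"rule {n}: permit without a documented justification")
            if (r.src, r.dst, r.port) == (ANY, ANY, ANY):
                findings.append(f"rule {n}: permit any/any/any cannot be justified")
    # A deny-all anywhere but last makes every later rule unreachable.
    for n, r in enumerate(rules, 1):
        if is_deny_all(r) and n != len(rules):
            findings.append(f"rule {n}: deny-all is not the last rule; later rules are unreachable")
            break
    if not rules or not is_deny_all(rules[-1]):
        findings.append("rule base does not end with an explicit deny-all")
    return findings

# Constructed sample rule base at a cardholder data environment boundary.
SAMPLE_RULES = [
    Rule("permit", "10.10.1.0/24", "10.20.1.5", "443", "POS terminals to payment gateway, change FW-0117"),
    Rule("permit", ANY, "10.20.1.9", "22", ""),          # no justification recorded
    Rule("deny", ANY, ANY, ANY, "default deny"),
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```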
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Remove or change the defaults (settings, credentials)
• Hardening
• Encrypt non-console access
• Review services and parameter files on systems to determine that Telnet and other remote login commands are not available for use internally.
• Verify that administrator access to the web-based management interfaces is encrypted with strong cryptography.
Requirement 3: Protect stored cardholder data
• Storage of cardholder data
• Not storing sensitive authentication data
• Security of data while stored
• Masking of PAN
• Verify that the PAN is rendered unreadable using any of the following methods: one-way hashes based on strong cryptography; truncation; index tokens and pads, with the pads being securely stored.
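The following added example (not from the slides) shows truncation, display masking and a keyed one-way hash for a PAN, and goes one step beyond the slide with a Luhn-checked PAN finder for locating stray PANs in logs or files before they are rendered unreadable. The sample PAN, the sample log line and the HMAC key are constructed test values; in practice the key is stored separately from the hashed data.

```python
import hashlib
import hmac
import re

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters most random digit runs when scanning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep at most the first six and last four digits."""
    return pan[:6] + pan[-4:]

def mask_pan(pan: str) -> str:
    """Masking for display: only first six and last four shown, rest replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). The secret key is what stops someone
    with the hashes from simply hashing every possible PAN to reverse them."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in free text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed log line: a real-looking test PAN and a 16-digit reference that fails Luhn.
SAMPLE_LOG = "2016-03-01 order=8841 pan=4111 1111 1111 1111 amount=120.00 ref=1234567890123456"

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), truncate_pan(pan), hash_pan(pan, b"constructed-key"))
```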
Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Verify the existence of a policy stating that unprotected PANs are not to be sent via end-user messaging technologies.
• Secured transmission: wired
• Secured transmission: wireless
Requirement 5: Use and regularly update anti-virus software
Verify that all anti-virus software is current, actively running, and generating logs by performing the following:
• Obtain and examine the policy and verify that it requires updating of anti-virus software and definitions.
• For a sample of system components, verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits).
Requirement 6: Develop and maintain secure systems and applications
• Risk assessment
• Patching
• Secure development
• Change control
• Incident management
• Web application firewall
Requirement 7: Restrict access to cardholder data by business need-to-know
Obtain and examine the written policy for data control, and verify that the policy incorporates the following:
• Access rights assigned on a need-to-know basis
• User creation and deletion process
• Confirm that access controls are implemented via an automated access control system.
Requirement 8: Assign a unique ID to each person with computer access
• Unique user ID with the role and rights of the user
• Two-factor authentication for remote access
• For a sample of system components, examine password files to verify that passwords are unreadable during transmission and storage.
• User access review
• Verify that inactive accounts over 90 days old are either removed or disabled.
• For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least seven characters long.
Requirement 9: Restrict physical access to cardholder data
• Physical access control (fingerprint or cards)
• CCTV
• Restrict physical access to cardholder data
• Visitor policy
• Physical security of media
• Secure destruction of media
• Protecting POS devices from tampering
• Verify that the storage location security is reviewed at least annually.
Requirement 10: Track and monitor all access to network resources and cardholder data
• Enable logs
• Time synchronization
• FIM on logs
• Log review
• Retention period
• Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
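As an added example (not from the slides) of "FIM on logs", here is a file-integrity check shaped for audit trails: a baseline records each log's size and SHA-256, and at review time a log may only have grown, so its first baseline-size bytes must still hash to the baseline value; anything else is reported as modified, truncated or missing. The log names and contents in the demo are constructed and written to a temporary directory.

```python
import hashlib
import os
import tempfile

def hash_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of the file (whole file if None)."""
    remaining = os.path.getsize(path) if length is None else length
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record (size, digest) for each audit log; keep this somewhere the logs' owners cannot write."""
    return {p: (os.path.getsize(p), hash_prefix(p)) for p in paths}

def check_logs(baseline):
    """Map each path to unchanged / appended / modified / truncated / missing."""
    status = {}
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif os.path.getsize(path) < size0:
            status[path] = "truncated"
        elif hash_prefix(path, size0) != digest0:
            status[path] = "modified"       # entries present at baseline time were altered
        elif os.path.getsize(path) == size0:
            status[path] = "unchanged"
        else:
            status[path] = "appended"       # only new entries after the baseline
    return status

def demo():
    """Constructed scenario: one log appended, one edited in place, one untouched."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("auth.log", "fw.log", "db.log")}
    for n, p in paths.items():
        with open(p, "w") as f:
            f.write(f"2016-02-01T09:00:00Z {n} service started\n")
    base = take_baseline(paths.values())
    with open(paths["auth.log"], "a") as f:
        f.write("2016-02-01T09:05:00Z login ok user=ops\n")      # legitimate append
    with open(paths["fw.log"], "w") as f:
        f.write("2016-02-01T09:00:00Z fw.log service STARTED\n")  # same size, altered content
    result = check_logs(base)
    return {n: result[p] for n, p in paths.items()}
```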
Requirement 11: Regularly test security systems and processes
• Application testing
• Wireless scan
• Internal VA
• Internal PT
• External VA
• External PT
• If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.
• Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.
Requirement 12: Maintain a policy that addresses information security
• Information security policy
• Risk assessment
• Background verification of employees
• Awareness training
• Examine the daily operational security procedures. Verify that they are consistent with this specification, and include administrative and technical procedures for each of the requirements.
• Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned.
• Verify through observation and review of processes that monitoring and responding to alerts from security systems, including detection of unauthorized wireless access points, are covered in the Incident Response Plan.
Credit Card data can be found
Category / Criteria / Requirements
Level 1
Criteria: Any merchant having more than six million total combined MasterCard and Maestro transactions annually
Requirements: • Annual onsite assessment • Quarterly network scan conducted by an ASV (Approved Scanning Vendor)
Level 2
Criteria: Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
Requirements: • Annual self-assessment • Onsite assessment at merchant discretion • Quarterly network scan conducted by an ASV
Level 3
Criteria: Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
Requirements: • Annual self-assessment • Quarterly network scan conducted by an ASV
Level 4
Criteria: All other merchants
Requirements: • Annual self-assessment • Quarterly network scan conducted by an ASV
Contact: https://www.facebook.com/haxornaveenpal, https://twitter.com/navinpal123