LETS Dive into PAYMENT CARD INDUSTRY (PCI) BY NAVEEN PAL

PCI DSS

Apr 15, 2017

Naveen Pal
Transcript
Page 1: PCI DSS

LETS Dive into PAYMENT CARD INDUSTRY(PCI)

BY NAVEEN PAL

Page 2: PCI DSS

Introduction

Working as CEO at Peripheral Security Experts Pvt Ltd. Worked in the following domains: VA, PT and implementation of PCI DSS. I have worked with many MNCs such as Wipro, Blackberry, Vodafone and TCS, and implemented PCI DSS in India's biggest cinema chain, PVR Cinemas.

I have been acknowledged by Google, Yahoo and many more.

Page 3: PCI DSS

Objective

• Why is it important
• Understand the payment card industry
• Understand the PCI DSS requirements

Page 4: PCI DSS

Why is it Important

2015-16 biggest data breaches: IRCTC website hacked, Kaspersky Lab, multi-bank cyber heist, Harvard University, LastPass, and many more

Credit & Debit Card Information

Page 5: PCI DSS

Credit and debit card data is the most targeted by cyber criminals, because it converts directly into money.

Where there is money, crime and criminal minds follow.

Page 7: PCI DSS

BANKS

The acquiring bank (also merchant bank or acquirer) is the financial institution that maintains the merchant’s bank account. The contract with the acquirer enables merchants to process credit and debit card transactions. The acquiring bank passes the merchant’s transactions along to the applicable issuing banks to receive payment.

The issuing bank is the financial institution that issues cards to consumers on behalf of the card networks (Visa, MasterCard). The issuing bank is also known as the credit or debit card company. The issuer acts as the middle-man for the consumer and the card network by contracting with the cardholders for the terms of the repayment of transactions.

Page 8: PCI DSS

Who is Who

Payment Brands

Banks

Merchant

Service provider

Page 9: PCI DSS

Working Of Credit Card Transaction( Card Present )

Page 10: PCI DSS

Card Not Present

Page 11: PCI DSS

Some Important Terms

Authentication: establishing who is presenting the card (for example PIN or signature at the point of sale, CVV2 or 3-D Secure for card-not-present)

Authorization: the issuer's validation and approval of a specific transaction amount against the cardholder's account

Clearing: the exchange of transaction details between acquirer and issuer through the card network, in preparation for settlement

Settlement: the actual transfer of funds from the issuer to the acquirer, and on to the merchant, for cleared transactions (paying the dues)

Page 12: PCI DSS

Payment Card Fraud

1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card-not-present / fraudulent application
1991 Never-received issue (cards stolen in transit to the cardholder)
1994 Merchant fraud
1994 Identity theft
2000 Skimmed counterfeit
2007 Wireless / chip sniffing and card counterfeit fraud
2010 Server hacking / malware

Page 13: PCI DSS

Payment Card Industry

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB. Private label cards, those which are not part of a major card scheme, are not included in the scope of the PCI DSS.

PCI DSS applies to any entity that stores, processes or transmits account data in any form.

Account data consists of cardholder data (the PAN, plus cardholder name, expiry date and service code when stored with it) and sensitive authentication data (full track data, CAV2/CVC2/CVV2/CID, PINs and PIN blocks).

Entities include merchants, acquirers, issuers and service providers.

Page 14: PCI DSS

PCI DSS Ver 3.0

Control objectives and PCI DSS requirements

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Page 15: PCI DSS

Implement strong access control measure

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

Page 16: PCI DSS

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Firewall and router hardening
• Firewall rule review
• Firewall rule justification
• Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement.
• Verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.
• Verify that any disclosure of private IP addresses and routing information to external entities is authorized.
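The checks on this slide (an explicit final deny-all, no direct path from untrusted networks into the cardholder data zone, no unrestricted egress from it, and a business justification for every allow rule) can be automated over a ruleset export. The script below is an added example, not from the slides: the Rule format, the zone addresses (10.10.0.0/24 for the CHD zone, 192.0.2.0/24 for the DMZ) and the SAMPLE_RULES are constructed stand-ins for whatever your firewall vendor exports.

```python
"""Review a firewall ruleset against PCI DSS Requirement 1 checks.

Added example, not from the slides: the rule format, zone addresses and
sample rules are constructed stand-ins for a vendor configuration export.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zones: the CHD zone must be internal and segregated from the
# DMZ; anything outside these two ranges is treated as untrusted.
ZONES = {
    "chd": ip_network("10.10.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: str            # destination port or "any"
    justification: str   # documented business reason (1.1.6); may be empty


def zone_of(cidr):
    """Classify an address block as chd, dmz or untrusted."""
    if cidr == "any":
        return "untrusted"
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "untrusted"


def is_deny_all(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.port) == ("any", "any", "any")


def review(rules):
    """Return a list of findings; an empty list means the ruleset passed."""
    findings = []
    # 1.2.1: everything not explicitly allowed must be denied. We insist on an
    # explicit final deny-all rather than trusting the platform's implicit default.
    if not rules or not is_deny_all(rules[-1]):
        findings.append("no explicit deny-all as the final rule")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if not r.justification:
            findings.append(f"rule {i}: allow without documented business justification")
        if dst_zone == "chd" and src_zone == "untrusted":
            findings.append(f"rule {i}: inbound from untrusted network to CHD zone ({r.src} -> {r.dst}:{r.port})")
        if dst_zone == "chd" and src_zone == "dmz" and r.port == "any":
            findings.append(f"rule {i}: DMZ to CHD zone on all ports ({r.src} -> {r.dst})")
        if src_zone == "chd" and dst_zone == "untrusted":
            findings.append(f"rule {i}: outbound from CHD zone to untrusted network ({r.src} -> {r.dst}:{r.port})")
    return findings


# Constructed ruleset with deliberate defects for the review to catch.
SAMPLE_RULES = [
    Rule("allow", "any", "192.0.2.10/32", "443", "public web front end"),
    Rule("allow", "192.0.2.10/32", "10.10.0.5/32", "5432", "web tier to card database"),
    Rule("allow", "any", "10.10.0.5/32", "22", ""),           # internet straight into CHD, no reason given
    Rule("allow", "10.10.0.0/24", "any", "any", "legacy"),    # CHD hosts may reach anywhere
    Rule("deny", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

Run against SAMPLE_RULES it reports three findings (rule 2 twice, rule 3 once) and nothing for the justified web-tier-to-database rule; drop the last rule and it adds the missing deny-all. A real review would also diff the export against the previous approved version, since the six-monthly rule review in 1.1.7 is about what changed as much as what is there.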

Page 17: PCI DSS

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

• Remove or change the defaults (settings, credentials)
• Hardening
• Encrypt all non-console administrative access
• Review services and parameter files on systems to determine that Telnet and other insecure remote login commands are not available for use internally.
• Verify that administrator access to web-based management interfaces is encrypted with strong cryptography.

Page 18: PCI DSS

Requirement 3: Protect stored cardholder data.

• Storage of cardholder data: keep only what the business needs, for as long as it needs it
• Do not store sensitive authentication data after authorization (full track data, CAV2/CVC2/CVV2/CID, PINs and PIN blocks), even if encrypted
• Security of data while stored
• Masking of the PAN when displayed (the first six and last four digits are the maximum that may be shown)
• Verify that the PAN is rendered unreadable anywhere it is stored, using any of the following methods: one-way hashes based on strong cryptography (of the entire PAN); truncation; index tokens and pads, with the pads being securely stored; strong cryptography with associated key-management processes and procedures.
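The following is an added example, not code from the slides, showing the three methods named above side by side, plus the step that comes before any of them: finding PANs in data you did not know was holding them. The regular expression, the Luhn filter, SAMPLE_TEXT, the HMAC key and the in-memory TokenVault are all constructed for illustration; in a real deployment the key and the vault live outside the systems that hold the hashed or tokenized values.

```python
"""Locate PANs in stored data and render them unreadable (Requirement 3.4).

Added example, not from the slides. The sample text, the HMAC key and the
in-memory token vault are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate PANs found in free text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def truncate(pan):
    """First six and last four is the most PCI DSS v3 lets you keep in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_for_display(pan):
    """Last four only, for screens with no business need to see the BIN (3.3)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash of the entire PAN.

    The PAN space behind one BIN is small enough to enumerate, so an unkeyed
    SHA-256 of a PAN can be reversed by brute force whenever the attacker also
    holds a truncated copy; keying it with a secret held outside the data
    store closes that gap.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens, with the pad (here the lookup table) stored separately."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(8)   # random; carries no PAN digits
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token):
        return self._pan_by_token[token]


# Constructed sample: a well-known test PAN, a 16-digit order reference that
# fails Luhn, and a 10-digit phone number that is too short to match.
SAMPLE_TEXT = (
    "order 1001 paid with 4111 1111 1111 1111 exp 12/25; "
    "ref 1234567890123456; callback 9876543210"
)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed; keep the real key outside the data store
    vault = TokenVault()
    for pan in find_pans(SAMPLE_TEXT):
        print(truncate(pan), mask_for_display(pan), hash_pan(pan, key)[:16], vault.tokenize(pan))
```

Two practical notes: do not keep a hashed copy and a truncated copy of the same PAN in the same environment, because together they narrow the brute-force space to the digits the truncation hides; and treat the token vault as in scope for every requirement on these slides, since it is where the PANs actually are.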

Page 19: PCI DSS

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

• Secured transmission, wired (strong cryptography and security protocols such as TLS)
• Secured transmission, wireless (industry best practice for authentication and transmission, such as WPA2; WEP is not acceptable)
• Verify the existence of a policy stating that unprotected PANs are not to be sent via end-user messaging technologies (e-mail, instant messaging, chat).

Page 20: PCI DSS

Requirement 5: Use and regularly update antivirus software.

• Obtain and examine the anti-virus policy and verify that it requires anti-virus software and definitions to be kept up to date.
• For a sample of system components, verify that all anti-virus programs detect, remove and protect against all known types of malicious software (for example viruses, Trojans, worms, spyware, adware and rootkits).
• Verify that all anti-virus software is current, actively running and generating audit logs.

Page 21: PCI DSS

Requirement 6: Develop and maintain secure systems and applications.

• Risk assessment (risk ranking of newly discovered vulnerabilities)
• Patching (critical security patches within one month of release)
• Secure development
• Change control
• Incident management
• Web application firewall, or an annual application vulnerability review, for public-facing web applications

Page 22: PCI DSS

Requirement 7: Restrict access to cardholder data by business need-to-know.

• Access rights assigned on a need-to-know basis, limited to the least privileges necessary to perform a job function
• User creation and deletion process
• Obtain and examine the written policy for data control, and verify that it incorporates the points above.
• Confirm that access controls are implemented via an automated access control system with a default "deny-all" setting.

Page 23: PCI DSS

Requirement 8: Assign a unique ID to each person with computer access.

• Unique user ID with the role and rights of the user; no shared or generic accounts
• Two-factor authentication for remote network access originating from outside the network
• For a sample of system components, examine password files to verify that passwords are unreadable during transmission and storage (strong cryptography).
• User access review
• Verify that inactive accounts over 90 days old are either removed or disabled.
• For a sample of system components, obtain and inspect system configuration settings to verify that password parameters require passwords to be at least seven characters long, to contain both numeric and alphabetic characters, and to be changed at least every 90 days. (Seven characters was the v3.0 minimum; later versions of the standard raised the minimum length and extended multi-factor authentication to all non-console administrative access into the cardholder data environment.)
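The account and password checks above are the kind of thing an assessor samples by hand and an engineer should run on every in-scope host. The script below is an added example, not from the slides: the shadow-style records in SAMPLE_ACCOUNTS, the last-login dates (a real review would take them from lastlog or the directory), the login.defs fragment and the 2017-04-15 "as of" date are all constructed, and the 90-day and seven-character thresholds are the v3.0 figures quoted on the slide.

```python
"""Review user accounts and password policy against Requirement 8 checks.

Added example, not from the slides. The shadow-style records, last-login
dates and login.defs fragment are constructed; the 90-day and 7-character
figures are the PCI DSS v3.0 values quoted on the slide.
"""
from datetime import date

INACTIVE_DAYS = 90      # 8.1.4: remove or disable after 90 days of inactivity
MIN_PASSWORD_LEN = 7    # 8.2.3 in v3.0 (later versions raised this)
MAX_PASSWORD_AGE = 90   # 8.2.4: change at least every 90 days

# crypt(3) prefixes that count as "unreadable during storage"; DES and
# MD5-crypt are far too cheap to brute force to qualify.
STRONG_HASH_PREFIXES = ("$5$", "$6$", "$7$", "$y$", "$2b$", "$2y$")


def parse_login_defs(text):
    """Parse 'KEY VALUE' lines, ignoring comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1].strip()
    return params


def review_accounts(accounts, login_defs, today):
    """accounts: (name, shadow password field, last login as ISO date or None).

    Returns a list of findings; empty when everything passes.
    """
    findings = []
    for name, pw, last_login in accounts:
        if pw.startswith(("!", "*")):
            continue                                   # disabled: exactly what 8.1.4 asks for
        if pw == "":
            findings.append(f"{name}: empty password field (no authentication)")
        elif not pw.startswith(STRONG_HASH_PREFIXES):
            findings.append(f"{name}: password hash {pw[:3]!r} is not strong cryptography")
        if last_login is None:
            findings.append(f"{name}: enabled but never logged in")
        elif (today - date.fromisoformat(last_login)).days > INACTIVE_DAYS:
            findings.append(f"{name}: inactive for more than {INACTIVE_DAYS} days, not disabled")
    defs = parse_login_defs(login_defs)
    if int(defs.get("PASS_MIN_LEN", 0)) < MIN_PASSWORD_LEN:
        findings.append(f"PASS_MIN_LEN below {MIN_PASSWORD_LEN}")
    if int(defs.get("PASS_MAX_DAYS", 99999)) > MAX_PASSWORD_AGE:
        findings.append(f"PASS_MAX_DAYS above {MAX_PASSWORD_AGE}")
    return findings


# Constructed records as of 2017-04-15 (the date of this deck).
SAMPLE_ACCOUNTS = [
    ("alice",   "$6$rounds=5000$saltsalt$Qx.....", "2017-04-10"),   # passes
    ("bob",     "$1$abcdefgh$md5crypthere......",   "2016-12-01"),   # md5-crypt, 135 days idle
    ("svc_pos", "!",                                 None),          # locked, so ignored
    ("carol",   "",                                  "2017-04-01"),  # no password at all
]
SAMPLE_LOGIN_DEFS = """\
# constructed /etc/login.defs fragment
PASS_MAX_DAYS 180
PASS_MIN_LEN  6
"""
AS_OF = date(2017, 4, 15)

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_LOGIN_DEFS, AS_OF):
        print(finding)
```

Against the sample data it reports five findings: two for bob (weak hash, inactive), one for carol (empty password), and two for the policy file (minimum length and maximum age). Length and age settings in login.defs only govern accounts created afterwards, so an assessor will still sample the shadow file rather than trust the policy alone.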

Page 24: PCI DSS

Requirement 9: Restrict physical access to cardholder data

• Physical access control (fingerprint or cards)
• CCTV
• Restrict physical access to cardholder data
• Visitor policy
• Physical security of media
• Secure destruction of media
• Protecting POS devices from tampering and substitution (keep a device inventory and inspect devices periodically)
• Verify that the storage location security is reviewed at least annually

Page 25: PCI DSS

Requirement 10: Track and monitor all access to network resources and cardholder data.

• Enable audit logs
• Time synchronization (NTP or equivalent)
• File-integrity monitoring (FIM) on logs
• Log review (daily for critical systems)
• Retention period (at least one year, with a minimum of three months immediately available for analysis)
• Verify that current audit trail files are protected from unauthorized modification via access control mechanisms, physical segregation and/or network segregation.
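Access control and segregation keep an intruder away from the audit trail; a keyed hash chain lets you prove, after the fact, that nobody rewrote it. The block below is an added example, not from the slides: the three log events, the 32-byte key and the tamper_demo scenarios are constructed. The design assumption that matters is that the key is held by the central log server, not by the host that produced the events, otherwise an intruder with root on that host can simply re-sign what they edited.

```python
"""Tamper-evident audit trail: a keyed hash chain over log entries (Requirement 10.5).

Added example, not from the slides. The events and the key are constructed;
the key belongs on the central log server, not on the logging host.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _mac(record, key):
    # Canonical JSON so writer and verifier hash identical bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, event, key):
    """Append an event; each entry commits to the MAC of the one before it."""
    record = {
        "seq": len(chain),
        "prev": chain[-1]["mac"] if chain else GENESIS,
        "event": event,      # the timestamp inside comes from an NTP-synced clock (10.4)
    }
    chain.append({**record, "mac": _mac(record, key)})
    return chain


def verify_chain(chain, key, expected_len=None):
    """Return the index of the first bad entry, or -1 when the chain is intact.

    Editing, reordering or deleting an entry breaks the chain at that point.
    Dropping entries off the *end* does not, so the caller passes the count it
    expects (from the log server's own counter) to catch truncation as well.
    """
    if expected_len is not None and len(chain) != expected_len:
        return len(chain)
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: entry[k] for k in ("seq", "prev", "event")}
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if not hmac.compare_digest(_mac(record, key), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def build_sample_chain(key):
    """Three constructed events, as a log server would receive them from db01."""
    chain = []
    for ev in (
        {"ts": "2017-04-15T10:00:00Z", "user": "alice", "action": "login", "host": "db01"},
        {"ts": "2017-04-15T10:02:11Z", "user": "alice", "action": "select card_data", "host": "db01"},
        {"ts": "2017-04-15T10:05:42Z", "user": "alice", "action": "logout", "host": "db01"},
    ):
        append_entry(chain, ev, key)
    return chain


def tamper_demo(key):
    """Which manipulations the chain detects; returns the verify result for each."""
    results = {}
    chain = build_sample_chain(key)
    results["intact"] = verify_chain(chain, key)
    chain[1]["event"]["action"] = "noop"            # rewrite a middle entry
    results["edited"] = verify_chain(chain, key)
    chain = build_sample_chain(key)
    del chain[1]                                    # delete a middle entry: seq/prev no longer line up
    results["deleted"] = verify_chain(chain, key)
    chain = build_sample_chain(key)[:2]             # drop the last entry: the chain alone is blind to it
    results["truncated"] = verify_chain(chain, key)
    results["truncated_with_count"] = verify_chain(chain, key, expected_len=3)
    return results


if __name__ == "__main__":
    key = b"\x00" * 32   # constructed; use a random 32-byte key held by the log server
    for scenario, first_bad in tamper_demo(key).items():
        print(f"{scenario}: {'intact' if first_bad == -1 else f'first bad entry {first_bad}'}")
```

The truncation case is the one to remember when you rely on FIM alone: a file whose tail has been cut still has a valid head, so the log server must also keep its own count (or periodically anchor the latest MAC somewhere the logging host cannot reach) and alert when the chain comes up short.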

Page 26: PCI DSS

Requirement 11: Regularly test security systems and processes.

• Application testing
• Wireless scan (quarterly, for unauthorized access points)
• Internal VA
• Internal PT
• External VA (quarterly, by an Approved Scanning Vendor)
• External PT
• If automated monitoring is utilized (for example wireless IDS/IPS, NAC, etc.), verify that the configuration will generate alerts to personnel.
• Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12-month period.

Page 27: PCI DSS

Requirement 12: Maintain a policy that addresses information security

• Information security policy
• Risk assessment (at least annually and after significant changes)
• Background verification of employees
• Awareness training
• Examine the daily operational security procedures. Verify that they are consistent with this specification and include administrative and technical procedures for each of the requirements.
• Verify that responsibility for creating and distributing security incident response and escalation procedures is formally assigned.
• Verify through observation and review of processes that monitoring and responding to alerts from security systems, including detection of unauthorized wireless access points, are covered in the incident response plan.

Page 29: PCI DSS

Credit Card data can be found

Page 31: PCI DSS

Merchant levels (MasterCard): category, criteria and validation requirements

Level 1
  Criteria: any merchant having more than six million total combined MasterCard and Maestro transactions annually
  Requirements: annual onsite assessment; quarterly network scan conducted by an ASV (Approved Scanning Vendor)

Level 2
  Criteria: any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  Requirements: annual self-assessment; onsite assessment at merchant discretion; quarterly network scan conducted by an ASV

Level 3
  Criteria: any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  Requirements: annual self-assessment; quarterly network scan conducted by an ASV

Level 4
  Criteria: all other merchants
  Requirements: annual self-assessment; quarterly network scan conducted by an ASV

Levels are defined by each payment brand separately, so the same merchant can sit at a different level for Visa, and a merchant that has suffered a compromise may be escalated to Level 1 at the brand's discretion.