Posted Feb 03, 2020 by dariahiddleston

1 | ©2019 Mastercard. Proprietary. All Rights Reserved.

Q3 2019 PCI QUARTERLY NEWSLETTER

MASTERCARD NEWS & REMINDERS

PCI DSS to NIST Cybersecurity Framework Mapping

In July, the PCI Security Standards Council (SSC) released new resources that show how the PCI Data Security Standard (DSS) maps to the NIST Cybersecurity Framework (CSF), a globally recognized cybersecurity framework. Both the PCI DSS and the NIST CSF are solid security approaches that address common goals and principles for securing data. Mastercard encourages customers to review this mapping to understand how to align security efforts with their organization's objectives. Read At A Glance: Mapping PCI DSS to the NIST Cybersecurity Framework.

Cybersecurity Best Practices with NIST CSF

As part of the Site Data Protection (SDP) Standards, PCI DSS compliance is required for all customer environments that store, process, or transmit cardholder data (see section 10.3.1 of the Security Rules and Procedures). For customer environments where the PCI DSS does not apply, Mastercard recommends, as a best practice, that customers adopt the NIST CSF so that baseline cybersecurity controls are implemented. While the PCI DSS provides guidance on how to meet security requirements for payment environments, the NIST CSF identifies general security outcomes and activities that are vital to the safety and security of the payments system.

IN THIS ISSUE

MASTERCARD NEWS & REMINDERS
• PCI DSS to NIST Cybersecurity Framework Mapping
• Cybersecurity Best Practices with NIST CSF
• PCI 3DS Compliance Reminder
• SDP Form due 30 Sept.

EVENTS
• Cybersecurity & Risk Summit—Europe
• Customer Compliance Forum

PCI 360
• ADC Event Management Best Practices
• PCI 3DS Prioritized Approach Tool

PCI COUNCIL NEWS & UPDATES
• PCI DSS V4.0 RFC
• SPoC and Contactless Updates
• Software Security Framework Programs
• Software Security and PA-DSS
• Online Skimming Attacks Bulletin

SSC RESOURCES
• Key Blocks Blog Series
• Updated PCI PIN V2.0 Technical FAQs
• Helpful PCI SSC Resources

EVENTS
• NA, Europe, and Asia-Pacific Community Meetings

TRAINING
• Acquirer, Merchant
• QIR

Page 2

PCI 3DS Compliance Reminder

With the 2017 release of the PCI 3DS Core Security Standard, which supports EMVCo's EMV® 3-D Secure (3DS) Protocol and Core Functions Specification, Mastercard established a new 3-D Secure Service Provider (3-DSSP) category for organizations that perform or provide 3DS functions. As a reminder, a 3-DSSP is classified as a Level 1 Service Provider and must register with Mastercard and validate compliance to the SDP Department by submitting its PCI 3DS Attestation of Compliance (AOC). Newly registered 3-DSSPs that are not yet compliant must complete the PCI 3DS Prioritized Approach Tool and submit it for review.

SDP Form due 30 Sept.

The next SDP Acquirer Submission and Compliance Status Form (SDP Form), through which acquirers report Level 1, Level 2, and Level 3 merchant PCI DSS compliance to Mastercard, is due on 30 September. Acquirers should download the latest version of the form, V5.0, complete it in its entirety, and submit it on time to avoid potential noncompliance assessments for late reporting or non-reporting. Note that an acquirer must also certify to Mastercard via the SDP Form that it has a risk management program in place for its Level 4 merchant portfolio to identify and manage security risk. For more information on the next SDP Form submission deadline, merchant PCI DSS compliance requirements, or questions on the Level 4 risk management program certification, acquirers can send an email to [email protected]. See also SDP FAQs.

EVENTS

Cybersecurity & Risk Summit—Europe

Mastercard's Cybersecurity & Risk Summit will be held at the Rixos Libertas Dubrovnik, in Dubrovnik, Croatia, on 30 September–3 October. Join the Global Risk Leadership (GRL) team and industry experts, who will share the latest intelligence and technology for addressing current cyber threats, the role of artificial intelligence in reducing fraud and risk, and biometrics and the importance of digital identity. Do not forget to register for the pre- and/or post-conference workshops (such as the Cybercrime & Payments Security Workshop) led by subject matter experts. View the agenda.

GLOBAL RISK LEADERSHIP EVENTS

Cybersecurity & Risk Summit – Dubrovnik, Croatia, 30 September–3 October
Connect with industry leaders in the region on payment security issues.

Compliance Forum – Purchase, New York, 29-30 October
Collaborate with experts in managing Mastercard's global compliance programs.

PCI 360

Download Mastercard's PCI 360 Educational Resources

Mastercard PCI 3DS Prioritized Approach Tool
The Mastercard PCI 3DS Prioritized Approach is a tool for organizations to use when tracking progress toward compliance with the PCI 3DS Standard. Newly registered 3-DSSPs not yet 3DS compliant may submit this action plan to SDP.

Mastercard: 3-D Secure Service Providers Registration & PCI 3DS Validation

Page 3

Customer Compliance Forum

The 2019 Customer Compliance Forum is being held on 29-30 October at the Mastercard Corporate Headquarters in Purchase, NY. Hear first-hand from the business owners of the compliance programs about how compliance can best protect your business. Participate in engaging discussions with experts and peers while sharing best practices on ways to minimize fraud and risk to the system. Gain a better understanding of Mastercard Standards and the tools you need to improve compliance, chargeback performance, and merchant on-boarding. View the agenda. For more information on GRL events, including topics covered, send an email to [email protected].

PCI SECURITY STANDARDS COUNCIL NEWS & UPDATES

PCI DSS V4.0 RFC

The next request for comments (RFC) period for PCI DSS V4.0 is planned for October 2019, with another to follow in mid-2020. All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) are invited to participate. Specific timing of the next major release of the standard will be determined by the feedback received during the development period, but publication is not anticipated before late 2020. For more on the RFC process, key priorities, and timing of PCI DSS V4.0, read 3 Things to Know about PCI DSS v4.0 Development.

SPoC and Contactless Updates

The PCI SSC has now listed the first approved Software-Based PIN Entry on COTS (SPoC) Solution on its website. SPoC enables EMV contact and contactless transactions with PIN entry on the merchant's commercial off-the-shelf (COTS) device, using a secure PIN entry application together with a Secure Card Reader for PIN (SCRP).

The PCI SSC has also completed the second of two RFC periods on the draft PCI Contactless Payments on COTS (CPoC) Standard, which provides security requirements for solutions that enable contactless ("tap and go") transactions on merchant COTS devices. The CPoC Standard is targeted for publication by the end of 2019, with the CPoC Program to follow in 2020. Read SPoC and Contactless Updates and Contactless Payments on COTS Standard.

Software Security Framework Programs

As part of the PCI Software Security Framework, the PCI SSC is rolling out two new validation programs to support the design, development, and maintenance of modern payment software. The Secure Software Lifecycle (Secure SLC) and Secure Software Programs are intended for use by payment software vendors to demonstrate that their development practices and their payment software products, respectively, address overall software security to protect payment data. Software Security Framework Assessors will evaluate vendors against the PCI Secure SLC Standard and their payment software products against the PCI Secure Software Standard. Read press release.

Software Security and PA-DSS

The Payment Application Data Security Standard (PA-DSS) V3.2 expires in 2022 and will be replaced by the PCI Software Security Framework. To help organizations understand and plan for the transition, the PCI SSC has published a PCI Software Security Framework FAQs document. The resource addresses key questions related to the PCI Software Security Framework, including its impact on PA-DSS validated applications and how PA-DSS will be phased out over time. Read: PCI Software Security Framework FAQs: PA-DSS Impact and Transition.

PCI 360 (continued)

ADC Event Management Best Practices
This best practices document highlights how customers and other stakeholders can implement proactive and reactive response strategies to address account data compromise (ADC) events.

SSC RESOURCES

Key Blocks Blog Series
Read this blog series to learn how key blocks help secure payment data, where the requirement applies, and the three phases for implementing it.

Updated PCI PIN V2.0 Technical FAQs
The updated PTS PIN Security Technical FAQs document is now available on the PCI SSC website.

Helpful PCI SSC Resources
Search for answers to PCI-related questions: FAQs, Document Library, and PCI Perspectives Blog.

Page 4

Online Skimming Attacks Bulletin

The PCI SSC and the Retail & Hospitality ISAC have issued a joint bulletin to highlight the emerging threat of online skimming. These attacks infect e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers, that is very difficult to detect. Once a website is infected, payment card information is "skimmed" during a transaction without the merchant or consumer being aware that the information has been compromised. Read the blog post to learn more about this type of attack and how best to detect and prevent it.

EVENTS

NA, Europe, and Asia-Pacific Community Meetings

The PCI North America Community Meeting, Europe Community Meeting, and Asia-Pacific Community Meeting are just around the corner. Do not miss the chance to meet face to face with payment security leaders and other organizations to collaborate, network, learn, and share ideas at these annual PCI Community Meetings. Engaging presentations, timely content, and networking opportunities will allow you to connect with industry peers in these regions. Instructor-led PCI training classes are still available at the Europe and Asia-Pacific Community Meetings. Be sure to register.

• North America: 17-19 September, Vancouver, BC, Canada (see Mastercard Office Hours)

• Europe: 22-24 October, Dublin, Ireland

• Asia-Pacific: 20-21 November, Melbourne, Australia

EVENTS

North America CM – Vancouver, BC, Canada, 17-19 September

Europe CM – Dublin, Ireland, 22-24 October

Asia-Pacific CM – Melbourne, Australia, 20-21 November

TRAINING

The PCI SSC offers a variety of training and re-qualification courses in eLearning and instructor-led formats.

Acquirer Training

Merchant Training

Qualified Integrators & Resellers (QIR) Training

For more information on PCI training courses, send an email to the PCI SSC at [email protected] or download Training Programs at a Glance.

PCI Council: PCI SSC Community Meetings – North America, Europe & Asia-Pacific