Visa Cemea Account Information Security (AIS) Programme
Presentation Identifier.2Information Classification as Needed 2 AIS Programme | January 2007
Content
• Overview of the Payment Card Industry Data Security Standard (PCI DSS)
• Visa’s AIS Programme
• Benefits of the AIS Programme
• Compliance Validation Requirements and process
• Security Breaches and Vulnerability Experiences
Overview of PCI DSS Standard
PCI Data Security Standard (PCI DSS)
Originally published as the Visa Account Information Security Standard in 2000 and globally mandated in 2001.
Growing pressure from the industry to create a single, aligned global standard resulted in the alignment of the standard with those of the other payment schemes.
The Payment Card Industry Data Security Standard was published in Jan 2005 as the globally aligned standard supported by the payment schemes participating in the PCI initiative.
PCI Participants (global)
• MasterCard
• Discover Card
• JCB
• Diners’ Club
• American Express
• Visa
PCI DSS Objectives
The main objective of PCI DSS is to improve the overall level of security for payments globally by:
• Promoting a secure environment for cardholder data
• Reducing inter-scheme redundancies and inconsistencies in requirements.
• Streamlining processes and reducing expenses
• Single validation to satisfy the requirements of all participating schemes.
Elements of PCI DSS Alignment
Aligned standards and validation tools:
• PCI Data Security Standard (DSS)
• PCI Security Audit Procedures
• PCI Self-Assessment Questionnaire
• PCI Network Security Scan Requirements
Future alignment:
• Payment Application Best Practices
• PCI Payment Application Security Standard
PCI Security Standards Council
To manage the aligned standard and validation tools, and to centrally manage the process of approving security assessors, the PCI participants formed the Payment Card Industry Security Standards Council (PCI SSC) in September 2006.
PCI SSC is responsible for:
• Managing and maintaining the aligned standards, including future updates
• Approving on-site security assessors
• Approving network scan vendors
PCI SSC is a global forum.
Overview of PCI DSS
Consists of twelve basic requirements supported by more detailed sub-requirements:
Build and maintain a secure network
• Requirement 1. Install and maintain a firewall configuration to protect data
• Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
• Requirement 3. Protect stored data
• Requirement 4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program
• Requirement 5. Use and regularly update anti-virus software
• Requirement 6. Develop and maintain secure systems and applications
Implement strong access control measures
• Requirement 7. Restrict access to data by business need-to-know
• Requirement 8. Assign a unique ID to each person with computer access
• Requirement 9. Restrict physical access to cardholder data
Regularly monitor and test networks
• Requirement 10. Track and monitor all access to network resources and cardholder data
• Requirement 11. Regularly test security systems and processes
Maintain an information security policy
• Requirement 12. Maintain a policy that addresses information security
Storing Cardholder Data
What is allowed to be stored, transmitted, or processed?
– PAN and expiration date
How should the PAN be protected when stored?
– Encrypted, hashed, or truncated
What MUST NOT be stored post-authorization?
– Full track data (Track 1 or 2)
– CVV2
– PIN block / clear PIN
Storing Track Data For Troubleshooting Purposes
Sometimes track data must be stored (temporarily) for troubleshooting purposes.
Why? Track misreads, network errors, encryption issues, etc.
Procedures should be defined around this issue:
- Retention period
- Destruction procedure
- Limits on the number of cardholder data records stored
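The storage rules on the two slides above (PAN only in truncated or hashed form, no track data, CVV2 or PIN post-authorization, and a bounded retention window for troubleshooting captures), worked through as an added Python example that is not part of the Visa deck. It assumes journal records are flat dicts of strings, that track data follows the ISO/IEC 7813 layouts, that "truncated" keeps only the last four digits, and that "hashed" means a keyed HMAC-SHA256; the field names, the sample entry and the key are constructed for the example.

```python
# Added example (not from the Visa AIS deck). Assumptions: flat string
# records, ISO/IEC 7813 track layouts, truncation = last four digits only,
# hashing = keyed HMAC-SHA256. Field names and sample data are constructed.
import hashlib
import hmac
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Sentinels are optional because applications often log tracks without them.
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{7,}\??")

# Field names under which prohibited post-authorisation data tends to appear.
CVV2_FIELDS = {"cvv2", "cvc2", "cid", "csc"}
PIN_FIELDS = {"pin", "pin_block", "clear_pin"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: tells a PAN apart from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncate: keep the last four digits, mask everything else."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash for lookups. An unkeyed hash of a 16-digit PAN can be
    reversed by enumerating the Luhn-valid number space, hence the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_prohibited_data(record: Dict[str, str]) -> List[str]:
    """List the storage violations in one record (empty list = clean)."""
    findings = []
    for name, value in record.items():
        lname = name.lower()
        if TRACK1_RE.search(value):
            findings.append(f"{name}: track 1 data")
        if TRACK2_RE.search(value):
            findings.append(f"{name}: track 2 data")
        if lname in CVV2_FIELDS and value.strip():
            findings.append(f"{name}: CVV2")
        if lname in PIN_FIELDS and value.strip():
            findings.append(f"{name}: PIN / PIN block")
        if lname == "pan" and value.isdigit() and luhn_valid(value):
            findings.append(f"{name}: PAN stored in the clear")
    return findings


def sanitize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Storable form: PAN replaced by truncation plus keyed hash, prohibited
    fields dropped, allowed fields (expiry, auth code, ...) kept as-is."""
    clean: Dict[str, str] = {}
    for name, value in record.items():
        lname = name.lower()
        if lname in CVV2_FIELDS or lname in PIN_FIELDS:
            continue
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            continue
        if lname == "pan":
            clean["pan_truncated"] = truncate_pan(value)
            clean["pan_hmac"] = hash_pan(value, key)
            continue
        clean[name] = value
    return clean


Entry = Tuple[datetime, Dict[str, str]]


def retain_for_troubleshooting(entries: List[Entry], now: datetime,
                               retention_days: int, max_entries: int) -> List[Entry]:
    """Troubleshooting-store limits: drop captures older than the retention
    period, then keep at most max_entries of the newest remainder."""
    cutoff = now - timedelta(days=retention_days)
    kept = sorted((e for e in entries if e[0] >= cutoff), key=lambda e: e[0], reverse=True)
    return kept[:max_entries]


# Constructed journal entry carrying the classic violations; 4111111111111111
# is a Luhn-valid test number, not a real account.
SAMPLE_ENTRY = {
    "pan": "4111111111111111",
    "expiry": "2512",
    "cvv2": "123",
    "track2": ";4111111111111111=25121010000000000?",
    "pin_block": "A1B2C3D4E5F60718",
    "auth_code": "123456",
}
DEMO_KEY = b"constructed-demo-key-rotate-in-production"
NOW = datetime(2007, 1, 31)
SAMPLE_CAPTURES = [(NOW - timedelta(days=d), {"note": f"capture {d}d old"}) for d in (1, 10, 40)]

if __name__ == "__main__":
    for finding in find_prohibited_data(SAMPLE_ENTRY):
        print("VIOLATION", finding)
    print("stored as:", sanitize_record(SAMPLE_ENTRY, DEMO_KEY))
    print("troubleshooting captures kept:", len(retain_for_troubleshooting(SAMPLE_CAPTURES, NOW, 30, 5)))
```

Running the block reports four violations for the constructed entry (clear PAN, CVV2, track 2 data, PIN block) and a sanitized record that passes the same check. The deck does not say which digits a truncated PAN may keep; the last-four-only choice here is the most conservative reading, and the retention sweep should run on a schedule alongside the destruction procedure rather than only when new captures arrive.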
Visa’s AIS Programme
Visa’s AIS Programme
Due to the different business models and legal liabilities, all participants of PCI agreed that each scheme maintains, manages and enforces its own compliance program.
Within Visa, PCI DSS compliance is validated via the regional Account Information Security Programme.
The programme is known as the AIS Programme in all Visa regions except the US, where it is called the Cardholder Information Security Programme (CISP).
Visa’s responsibilities
• Enforces compliance via the regional AIS programme
• Manages communications, education, and support for Members, Merchants, and Service Providers
• Reviews and signs off Reports of Compliance for members, merchants and service providers
• Works with Visa Members to ensure compliance of their merchants and service providers
Member’s responsibilities
• All Members must comply with the PCI Data Security Standard
• Members are responsible for ensuring the compliance of their merchants, service providers and other agents who store, process, or transmit cardholder data
• Ensure their merchants, service providers or other agents do not store track data post-authorization
• Report any data breach to Visa and take the appropriate action to mitigate further damage to the business and the Visa brand
• Undergo compliance validation as outlined within the regional AIS programme from Jan 2008
Benefits of the AIS Programme
Benefits of the AIS Programme
• Limits risk associated with data compromise and fraud
• Improves confidence in the payment industry
• Protects reputation
• Promotes brand integrity
• Boosts consumer confidence
• Provides a competitive edge
Compliance Validation, Requirements and process
Compliance Validation, Requirements and process
• Merchant Levels Defined
• Cemea VBV Mandate
• Acquirer responsibilities
• Service Provider Levels Defined
• Member levels Defined
• Compliance Validation Cycle
• Compliance validation process
• Who can validate compliance
Merchant Levels Defined
Level 1
  Description: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system; any merchant identified by any other payment card brand as Level 1.
  Validation required: (1) Annual on-site audit; (2) Quarterly network scan
  Deadline: 31st Dec 2006
Level 2
  Description: Any merchant, regardless of acceptance channel, processing up to 6,000,000 Visa transactions per year.
  Validation required: (1) Annual self-assessment questionnaire; (2) Quarterly network scan
  Deadline: 31st Dec 2006
Only merchants who have the ability to store, process or transmit data need to be validated.
VBV Mandate
E-commerce merchants are not allowed to store data in the Cemea region.
Exceptions are granted to certain types of e-commerce merchants on a case-by-case basis.
Acquirers need to seek approval from Visa’s senior management prior to allowing merchants to store data.
Acquirer responsibilities
Visa Acquirers are responsible for:
• Ensuring their merchants are PCI DSS compliant
• Managing merchant communications
• Working with their Merchants until full compliance has been validated
  – Merchants are not compliant until all requirements have been met and validated
  – The Acquirer is responsible for providing Visa with their merchants’ compliance status
• Any liability that may occur as a result of non-compliance with PCI DSS
Service Provider Levels Defined
Level 1
  Description: All VisaNet processors (member and non-member)+ and all payment gateways*
  Validation required: (1) Annual on-site audit; (2) Quarterly network scan
  Deadline: 31 Dec 2006
Level 2
  Description: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
  Validation required: (1) Annual on-site audit; (2) Quarterly network scan
  Deadline: 31 Dec 2006
Level 3
  Description: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.
  Validation required: (1) Annual Self-Assessment Questionnaire; (2) Quarterly network scan
  Deadline: 31 Dec 2006
Members’ responsibilities
Members must use, and are responsible for ensuring that their merchants use, service providers that are PCI DSS compliant.
Visa Members are responsible for any liability that may occur as a result of non-compliance of service providers with PCI DSS.
Member Levels Defined
Level 1
  Threshold: Members who process, store or transmit 600,000 or more transactions per year
  Validation requirement: 1. Annual on-site validation; 2. Quarterly vulnerability scan
Level 2
  Threshold: Members who process, store or transmit 120,000 up to 600,000 transactions per year
  Validation requirement: 1. Annual self-assessment; 2. Quarterly vulnerability scan
Level 3
  Threshold: Members who process, store or transmit 120,000 or fewer transactions per year
  Validation requirement: 1. Annual self-assessment; 2. Quarterly vulnerability scan
Compliance validation to commence in Jan 2008.
Validation Cycle
All entities must validate compliance on an annual basis.
Annual revalidation is required within 12 months of the date on which the previous Report of Compliance was accepted.
Quarterly scans must be performed at three-month intervals.
Compliance Validation Process – Merchants
Acquirers are responsible for managing the compliance validation of their merchants as outlined within the merchant validation thresholds.
Where a Level 1 Merchant is identified, Acquirers must provide information regarding the Level 1 merchant to Visa.
Once the appropriate validation has been completed, the acquirer must provide Visa an Assertion of Compliance letter indicating:
– Name of merchant and type of validation completed
– Every requirement is met (including those met via compensating controls)
  • All remediation is complete and revalidated
  • Terminology used must reflect compliance
– The PCI Security Audit Procedures were followed if an on-site review was performed
– All findings are accurate
– No evidence of magnetic stripe data or CVV2 data storage
Compliance Validation Process – Service Providers
Service Providers are required to undertake compliance validation independently by contracting the appropriate security vendor.
Once the validation is completed, the QSA and Service Provider must sign an Assertion of Compliance letter indicating:
• What validation task was completed
• Every requirement is marked “In Place” (including those met via compensating controls)
  – Terminology used must reflect compliance
  – All remediation is complete and revalidated
• The PCI Security Audit Procedures were followed if an on-site review was performed
• All findings are accurate
• No evidence of magnetic stripe data or CVV2 data storage
Where an on-site review is performed, a copy of the Compliance Report must be submitted to Visa for sign-off prior to submitting the letter of assertion.
Who can validate compliance
On-site reviews must be performed by a PCI SSC approved Qualified Security Assessor (QSA).
Self-assessment should ideally be performed by an internal IT auditor or a QSA to ensure impartiality and accuracy.
Vulnerability scanning must be performed by a PCI SSC Approved Scanning Vendor (ASV).
Other related requirements
– PCI PIN Security Standard
  Clear PIN and PIN block must not be stored in transaction journals or logs post-authorisation.
– International Member Letter 14/04
  Effective 1st April 2007, the PAN must be truncated on the cardholder copy of the receipt.
  Effective 1st April 2005, all newly deployed devices must have the capability to truncate the PAN.
Security Breaches and Vulnerability Experiences
Security Breaches Overview
Payment Card Industry Experience
Security Breaches
Hacker Focus
Impact of Data Compromises
Incident Response Procedures
Payment Card Industry Experience
Increased regulatory pressure to address security risk
Risk of consumer loss of confidence in brand and payment system
Globally organized criminals increasingly involved in hacks
Data compromises result in fraud losses
Security Breaches – system vulnerabilities seen in compromises
• No segmentation and/or firewall
• Un-patched systems and/or default configuration
• No logging
• No encryption or authentication on wireless access points
• Default passwords
• No intrusion monitoring
• Unsecured point-of-sale technology
Hacker Focus
Hackers are attacking:
• Brick-and-mortar merchants
• E-commerce merchants
• Third-party entities in the payment system
• In-house processing banks
Hackers are looking for:
• Software that stores sensitive cardholder data
• Personal information
• Corporate intellectual property
• Track data and payment account numbers
Impact of Data Compromises
Notification/disclosure
Brand/reputation
Loss of business/consumer confidence
Financial liabilities
• Compromised Entity
• Visa Member
Litigation
Government intervention/legislation
Incident Response Procedures
Contain and limit exposure
• Understand entity’s environment
• Identify how compromise occurred
• Identify if full magnetic stripe data retained
• Engage forensic team immediately
Action Items
• Contract with qualified forensic team to determine findings
• Validate full track has been removed
• Bring environment into PCI DSS compliance
Useful contacts
Standard, validation tools and approved vendors: www.pcisecuritystandards.org
Information on Visa Cemea’s AIS Programme: www.visacemea.com/ac/ais/data_security.jsp
Reporting a data breach:
• Visa Regional Risk Head