Protecting Your Customers’ Card Data ASTRA Presentation
19 Slides2.76 MB
Protecting Your Customers’ Card Data ASTRA Presentation 05.14.2013 Brian Chapman and Peter O’Rourke
Data Compromises In the News Bank of America Merchant Services 2
Common Causes of a Breach or Compromise Trivial and common passwords for POS systems Not changing the vendor-supplied password upon installation Outdated antivirus software definitions Use of vulnerable or non-compliant software Remote access to systems by third-party providers Having remote access turned on at all times Bank of America Merchant Services 3
What is PCI? PCI stands for the Payment Card Industry and is used to refer to: The PCI Security Standards Council (PCI SSC), an industry body founded by the major card brands to protect cardholder data. Founders: The global Security Standards created and maintained by the PCI SSC to protect cardholder payment data. Important: Compliance with PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands that established the PCI SSC. Bank of America Merchant Services 4
Determining Your PCI Level and Validation Requirements Bank of America Merchant Services 5
A Closer Look at the PCI DSS–Requirements All card-accepting merchants must comply with all applicable requirements, below. Important: Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes. Objective Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Bank of America Merchant Services PCI DSS Requirement 1 Install and maintain a firewall configuration to protect cardholder data 2 Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks 5 Use and regularly update anti-virus software 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need-to-know 8 Assign a unique ID to each person with computer access 9 Restrict physical access to cardholder data 10 Track and monitor all access to network resources and cardholder data 11 Regularly test security systems and processes 12 Maintain a policy that addresses information security
PCI Level 4 Support Program Bank of America Merchant Services 23
PCI Level 4 Support Program cont Bank of America Merchant Services 8
Enhancing Data Security and Reducing Your PCI Scope Point-to-Point Encryption (P2PE) Encryption is designed to protect cardholder data from the point of data entry. Uses a key management feature making cardholder data unreadable to anyone that does not have the encryption key. Protects Cardholder Data in Transit If properly implemented, P2PE can reduce your scope of PCI DSS validation. Tokenization Technology Replaces cardholder data (PAN) with surrogate values (Token) Designed to work in concert with encryption to eliminate storage of cardholder data Allows merchant to limit the storage of cardholder data with the tokenization system If properly implemented, tokenization can reduce your scope of PCI DSS validation EMV Chip Technology Protects against counterfeit cards by replacing static data with dynamic Works with card-present transaction only Requires a dual processing terminal (mag stripe and chip) 9
PCI Reference Websites PCI Security Standards Council: https://www.pcisecuritystandards.org PCI Mobile PA-DSS FAQs: https://www.pcisecuritystandards.org/documents/pa-dss mobile apps-faqs.pdf Point 2 Point Encryption: https://www.pcisecuritystandards.org/documents/P2PE Hardware Solution %20Requirements Initial Release.pdf PCI DSS Tokenization Guidelines: https://www.pcisecuritystandards.org/documents/Tokenization Guidelines Info Supplement.pdf Approved Scanning Vendors and Qualified Security Assessors: https://www.pcisecuritystandards.org/qsa asv/find one.shtml Validated List of Payment Applications: https://www.pcisecuritystandards.org/security standards/vpa/ List of PCI SSC Approved PIN Transaction Security Devices: https://www.pcisecuritystandards.org/security standards/ped/index.shtml Navigating the PCI DSS: https://www.pcisecuritystandards.org/documents/navigating dss v20.pdf Visa CISP: www.visa.com/cisp MasterCard SDP: www.MasterCard.com/SDP Discover DISC: http://www.discovernetwork.com/fraudsecurity/disc.html American Express DSOP: https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request type dsw&pg nm merchin fo&ln en&frm US Bank of America Merchant Services 10
Protecting Cardholder Data: The TransArmor Solution
Introducing the TransArmor Solution – TransArmor is an easy-to-implement service that helps protects merchants and card data using a multi-level defense: Combines encryption and tokenization to protect data at every processing stage o Depending on version, uses technology from RSA, the global leader in IT security, or combined technology from RSA and VeriFone Removes payment card information from the merchant by replacing the Permanent Account Number (PAN) with a card-based “token” o Maintains all the merchant’s business benefits of storing the payment card data without the associated risk Delivered as part of the payment processing service Bank of America Merchant Services 12
How Does It Work? Merchant Bank of America Merchant Services Card Present POS & Backoffice Payment System Encrypted Card Data Processing Petroleum Card Not Present Token Call Center Card Vault E-Commerce Bank of America Merchant Services 13
What Is Tokenization? Tokens protect data at rest and in use. – Form of data substitution replacing sensitive PAN values with nonsensitive, randomly-generated token values – Differ from encryption: tokens have no direct relationship with the data they replace – Match the format of the initiating PAN – if PAN is 16 digits, token is 16 digits Do not overlap major brand (Visa, MC, AMEX, Discover) BIN ranges (first digit is 0-2 or 7-9) Do not pass MOD-10 or Luhn checks – Card-based, meaning they have a 1:1 relationship with an account number - same token will always be returned for a specific PAN Do not expire - same token follows the card through the entire card lifecycle Bank of America Merchant Services 14
What Makes TransArmor Different? Important Points of Differentiation Combines end-to-end encryption and tokenization, rather than relying solely on encryption alone (which protects data only while in transit but not when in use or at rest) Minimizes IT resource allocation to implement and typically involves little-to-no new hardware in most cases, changes to back-end IT systems, or employee training Completely removes sensitive data from the environment, thus reducing the scope of PCI compliance. (Encryption and in-house tokenization solution cannot remove the data from the merchant environment) Flexibility to choose a software- or hardware-based model makes it easier to integrate—no new hardware or software is required, it is scalable as compliance rules change, and it is not a bolt-on product that requires a third- party vendor to touch the payment process Bank of America Merchant Services 15 TransArmor
EMV Cards
EMV – EMVCo (Europay , MasterCard and Visa ) is an organization that was formed to manage, maintain and enhance chip specifications for payment, ensuring interoperability globally. – EMVCo.com is the public portal for all things EMV. – EMV cards, also known as chip-based cards, contain an embedded microprocessor. The microprocessor chip carries the business rules and authentication needed by the card for payment, and is protected by various security features to make it tamper-resistant. – Chip technology greatly reduces a criminal's ability to create counterfeit cards by introducing dynamic values for each transaction. Bank of America Merchant Services 17
Card Brand Adaption and Timeline VISA October 2012 – Tech Innovation Program (TIP) MasterCard – – Introduction of MasterCard PCI DSS Compliance Validation Exemption Program – Discover (Diners Club and PULSE) American Express Discover Authorization Interface-Partial Chip Card transaction indicator introduced Discover expands EMV program to include Contactless Acquirer Mandates April 2013 – U.S. Acquirer Processors to – U.S. Region acquirers must be support chip processing capable of processing MasterCard contact and contactless chip transactions – Acquirer & Direct Connect Merchant Support for Discover’s EMV-compliant payment specification (DPAS) – U.S. Processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions. October 2013 – Potential Reduction of Calculated Account Data Compromise Operational Reimbursement and Fraud Recovery October 2015 – Liability Shift for credit and debit domestic and cross border transactions – Chip and Chip / PIN liability shift participation – Additional Potential Reduction of Calculated Account Data Compromise Operational Reimbursement and Fraud Recovery – Liability Shift – Liability Shift October 2017 – Liability Shift for automated fuel dispensers – Chip and Chip / PIN Liability shift for automated fuel dispensers – Liability Shift for automated fuel dispensers – Liability Shift for automated fuel dispensers Bank of America Merchant Services – PCI Data Security Relief 18
Q & A—We’re standing by to answer your questions.
