PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program

"Continuous compliance through good governance"

Who are the PCI SSC?

• The Payment Card Industry Security Standards Council (PCI SSC) is an independent body providing oversight of the payment card security standards on a global basis. It was founded by American Express, Discover, JCB International, MasterCard, and Visa.

• The Council's main standards are:
  - PCI Data Security Standard (PCI DSS)
  - PCI PIN Transaction Security Standard (PCI PTS)
  - Payment Application Data Security Standard (PA-DSS)
  - Point-to-Point Encryption Standard (P2PE)

PUBLIC

What is PCI DSS?

• PCI DSS is not government legislation. It is an industry standard, enforced through the payment brands' contractual requirements on acquirers, merchants and service providers.

• PCI DSS was developed to enhance cardholder security and to provide a baseline to protect cardholder data.

• PCI DSS applies to any entity that stores, processes, or transmits cardholder data.

• The cardholder data environment is comprised of people, processes and technologies.

• For Nets, PCI DSS is our licence to operate. Without it we cannot conduct business.

PCI DSS standards overview

The PCI DSS is based on six primary goals.

1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

The six goals are divided into 12 high-level requirements, which in turn break down into 350+ detailed sub-requirements and testing procedures.

What is cardholder data?

• PCI DSS applies wherever account data is stored, processed, or transmitted. Account Data consists of Cardholder Data and/or Sensitive Authentication Data:
  - Cardholder Data (CHD): the Primary Account Number (PAN), and the cardholder name, expiration date and service code when stored together with the PAN.
  - Sensitive Authentication Data (SAD): full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks.

• Account data should be properly protected in compliance with PCI DSS or not stored at all. Sensitive authentication data must not be stored after authorization, even if it is encrypted.

Actors across the payment ecosystem

Malicious actor

The Actors Defined

• Cardholder
  - Customer purchasing goods/services in "card present" or "card not present" transactions
• Issuer
  - Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard, Visa)
  - Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
• Merchant
  - Organization accepting the payment card during a purchase
• Acquirer (Teller, subsidiary of Nets Group)
  - Bank or entity the merchant uses to process the payment card transactions
  - Receives authorization requests from the merchant and forwards them to the issuer for approval
  - Provides authorization, clearing, and settlement services to merchants
  - Also referred to as the merchant bank; for Amex, Discover and JCB the payment brand itself acts as acquirer
• Payment processor / payment brand network (Nets Group)

Which entities are in PCI scope?

• Issuer
  - Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard, Visa)
  - Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
• Merchant
  - Organization accepting the payment card during a purchase
• Acquirer
  - Bank or entity the merchant uses to process the payment card transactions (merchant bank, or the payment brand itself for Amex, Discover and JCB)
• Payment processor / payment brand network (Nets Group)

All of these entities store, process, or transmit account data and are therefore in scope. The cardholder is the only actor in the ecosystem who is not.

PCI Governance at Nets

What to avoid

Governance structure 2016+

This governance structure should be applicable to any kind of compliance management, but here PCI DSS compliance management is used as the example. Future scaling to multi-framework compliance management is more a matter of resourcing than anything else.

PCI Compliance Annual Timeline

The audit is a snapshot in time, but PCI compliance deliverable dates must be achieved 365 days a year.

Example audit deadlines (timeline Jan 2016 to Apr 2017): Pre-Audit, Final Pre-Audit, Audit, ROC Signature.

Evidence Collection & Issue Remediation: evidence is collected prior to and during the audit, and previously identified issues are remediated.

Evidence Validation & Issue Closure: the audit looks back 12 months to verify compliance in the previous year.

PCI Compliance Wheel for BAU

ANNUALLY
- Change cryptographic keys that have reached the end of their cryptoperiod (PCI 3.6.4).
- Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes (PCI 6.6).
- Perform periodic evaluations to identify and evaluate evolving malware threats, in order to confirm whether systems continue to not require anti-virus software (PCI 5.1.2).
- Maintain logs of all media and conduct a media inventory (PCI 9.7.1).
- Perform internal and external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (PCI 11.3.1 & 11.3.2).
- Perform penetration tests at least annually and after any changes to segmentation controls/methods, to verify that the segmentation methods are operational and effective and isolate all out-of-scope systems from systems in the CDE (PCI 11.3.4).
- Review the security policy and update it when the environment changes (PCI 12.1.1).
- Perform a risk assessment at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.) that identifies critical assets, threats, and vulnerabilities, and results in a formal, documented analysis of risk (PCI 12.2).
- Educate personnel on cardholder data security (PCI 12.6.1).
- Monitor service provider compliance (PCI 12.8.4).
- Test the incident response plan at least annually (PCI 12.10.2).
- Review and update service documentation.

SEMI-ANNUALLY
- Review firewall and router rule sets at least every six months (PCI 1.1.7).

QUARTERLY
- Identify and securely delete stored cardholder data that exceeds the defined retention periods required for legal, regulatory, and/or business requirements (PCI 3.1).
- Remove/disable inactive user accounts within 90 days (PCI 8.1.4).
- Change user passwords/passphrases at least once every 90 days (PCI 8.2.4).
- Test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points (PCI 11.1).
- Perform quarterly internal vulnerability scans, and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel (PCI 11.2.1).
- Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the PCI SSC. Perform rescans as needed until passing scans are achieved (PCI 11.2.2).

DAILY/WEEKLY/MONTHLY
- Review the following at least daily (PCI 10.6.1):
  - All security events
  - Logs of all system components that store, process, or transmit CHD and/or SAD
  - Logs of all critical system components
  - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
- Install applicable critical vendor-supplied security patches within one month of release (PCI 6.2.a).
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date (PCI 11.4).
- Keep system configuration/settings updated.

PCI Compliance Wheel for InfoSec Compliance Management

Pre-Assessment, Final Assessment.

BAU vs. Compliance Management Wheel

BU/GU responsibility:
- Compliance requirement fulfilment for the corresponding area of responsibility
- Finding remediation
- Evidence collection (from recurring task completion and finding remediation)

InfoSec's responsibility:
- PCI assessment cycle
- PCI audit management
- PCI finding remediation follow-up

Key Takeaways

PCI is NOT just an IT issue

A well-defined governance structure with key roles and responsibilities must be in place to support compliance across the organization

PCI compliance validation is a review of the last 12 months, so cramming for the audit is not an option

Certification requires continuous compliance 365 days a year, with demonstrable evidence of compliant processes and procedures
