
Opportunity Wales Objective 2 Project Report

Payment Card Industry Data Security Standard (PCI DSS) People, Processes and Technology

Author: Mandeep Kaler Version: Final (12/06/06)

eCommerce Innovation Centre, Cardiff University 2006

Table of Contents
1.0 Introduction
2.0 Background
3.0 The Present Situation
4.0 Payment Card Industry Data Security Standard Requirements
5.0 What must businesses do in order to achieve compliance?
6.0 Conclusion
Appendix I: Additional Sources of Information
Appendix II: Merchant and Payment Processor Levels
Appendix III: Companies Offering Compliance Services in the UK


1.0 Introduction

An increasing number of Welsh SMEs sell on-line, and they need to be aware that the handling of credit card details remains important even after a transaction has been successfully completed. Customers must feel safe in the transmission, processing and storage of their credit card information when purchasing over the Internet. Even SMEs who handle relatively low volumes of on-line payments need to have a security policy in place which addresses how credit card data and other confidential information are dealt with. Employees, hackers and both opportunist and organised thieves have stolen data, and the Payment Card Industry Data Security Standard (PCI DSS) is the industry's attempt to limit the unauthorised access or theft of credit card details. Continuous reports of fraud, identity theft, and criticism of financial institutions by government watchdogs have led to a negative perception of credit card security amongst customers. The Payment Card Industry (PCI), made up of several credit card processors including Visa and MasterCard, now acknowledges the importance of secure handling of credit details in relation to customer confidence. The PCI has been made aware of the significant amount of cardholder data theft due to security problems within companies of all sizes. Several cases attracted media attention, highlighting the need for higher security measures. The Bank of America Corporation discovered that over a four year period an employee had stolen 670,000 records and sold them on to criminals. The industry has created a set of rules to address the requirements needed to limit the loss or unauthorised access of customer credit information which can lead to fraud. The standard addresses security issues with regard to all companies who store, transmit or process credit card information. 
This includes all merchants (businesses accepting credit card payments) whether they are taking payment at point of sale or involved in distance selling such as telephone, fax and Internet sales. Whereas the PCI DSS applies to all merchants and service providers, the size of business, amount of transactions and history of previous breaches determines the level of compliance required. A business may have a Web site containing an eCatalogue and a payment system provided by a Payment Service Provider (PSP). If all credit card details are handled by the PSP and are not passed through or stored in the internal business systems, then the responsibility of the PCI DSS is on the PSP and not the business. If a company does not handle credit card details, the PCI DSS does not apply. The main target of the PCI is large companies processing 6 million credit transactions a year. They will have to carry out ongoing security audits whereas smaller companies who have less than 20,000 transactions should complete a non-compulsory self assessment questionnaire.


How smaller companies will be monitored or fined is unclear, as the current fee structure is unrealistic. Both large and small companies will have to comply with the 200 requirements which make up the PCI DSS, and a lot of work and money is required to ensure these security requirements are met. It must be noted that the PCI DSS is not law; however, merchants must comply with it as part of their contract. Any merchants not following the standard could receive fines and could risk losing all credit card facilities. However, if the data security standard is proven to be ineffectual, then there is the possibility that the Government would legislate in order to protect cardholder information.

2.0 Background

The PCI DSS was created by Visa and MasterCard International. Other credit card associations have also approved the scheme. American Express, Diners Club, Discover Card and the Japan Credit Bureau (JCB) are the main credit card associations who support the new standard. These companies considered it best to amalgamate their individual security programs to provide a single standard which would be easier for merchants to accept. The PCI DSS is based on and replaces four previous programs: Visa Cardholder Information Security Program (CISP); MasterCard Site Data Protection (SDP); American Express Data Security (DSS); Discover Information Security Compliance (DISC). APACS, the association for payments and payment institutions in the UK, is currently reviewing its payment guidelines to match the PCI DSS. APACS has guidelines concerning Track 2 data, which consists of a merchant reading and storing account number information from the magnetic stripe of a credit card. The PCI DSS does not allow the storage of Track 2 data and is trying to make merchants store Track 1 data only, which contains cardholder name and address information. The PCI DSS came into effect from June 2005; however, it has allowed companies a period of 2 years to alter and update their systems to become compliant. From June 2007 any company which is not PCI compliant may face the possibility of fines.

3.0 The Present Situation

Two months after the June 2005 deadline for implementing and maintaining the PCI DSS, the Logic Group conducted a survey of 92 UK businesses. The results showed that many businesses were not informed about the standard, with 57% unaware of PCI and 73% having not taken any action to achieve compliance. 57% of businesses had received no industry support. Visa USA has reported that only 15% of its largest retail customers are fully compliant, while MasterCard claims that 20% of its largest businesses have not even submitted a plan to introduce compliance.

If a company were to experience a security breach or were found not to be complying with the security standard, it could face several penalties:
- A fine of 100,000 for a security breach
- A fine of 5 for each compromised account
- Possible restrictions on the merchant's ability to accept payment
- Permanent expulsion from the merchant program

These fines are unrealistic for small companies, and it is currently not clear how they would be dealt with. The PCI is more interested in targeting the larger companies at first, with its focus likely to shift to smaller companies in the future once the PCI DSS has been established. It is possible that an acquirer such as Barclays or HSBC could receive a fine and pass it on to non-complying smaller companies, but there is no precedent for this.

3.1 The Welsh Purchasing Card (WPC) and The Government Purchasing Card (GPC)

The public sector in Wales, including Health Services and Local Authorities, is currently adopting eProcurement as it has proven to reduce costs. As part of eProcurement, small suppliers are being introduced to the Welsh Purchasing Card (WPC), which allows public sector employees to purchase items from approved businesses using a credit card. In England there is a similar system referred to as the Government Purchasing Card (GPC). The WPC and GPC work the same as normal credit cards: as long as the supplier accepts credit card payments from the specific credit card processor (for example Visa or MasterCard), then they will accept the WPC and GPC. The information from these cards must be treated in the same way as any other credit card information, in accordance with the PCI DSS.


4.0 Payment Card Industry Data Security Standard Requirements

There are over 200 specific requirements which make up the complete PCI DSS. These requirements are divided between 12 sections, as summarised below, and apply to all members, merchants and payment service providers that process, store and transmit cardholder data. The full requirements can be accessed at: https://sdp.mastercardintl.com/pdf/pcd_manual.pdf

1. Install and maintain a firewall configuration to protect data
A firewall regulates information sent between a private network, such as an office network, and a public network such as the Internet. A combination of a hardware firewall and a software firewall will give the best protection. A hardware firewall will stop incoming traffic from the Internet and a software firewall will allow a user to control outgoing traffic to the Internet. This will limit exposure to non-trusted networks or hosts.

2. Do not use vendor-supplied defaults for system passwords and other security parameters
Vendor-supplied passwords can sometimes be simple to determine and may also be published in manuals. These passwords are meant to be temporary and should be changed at the first opportunity. Ensure that no password is similar to the default supplied by the vendor or is easily guessable.

3. Protect stored data
Storage of cardholder information should be kept to a minimum. Data should be retained only for the period required for legal purposes. When this period comes to an end, paper data should be shredded and electronic data should be securely disposed of. Deleting a document on a computer only deletes the document's directory record; the document itself still exists and will, in time, be overwritten by new documents. This means that deleted information may still be recoverable. To permanently delete a document, specialist software is required. When disposing of a computer, the hard drive should be wiped using a wiping program, as reformatting the drive still leaves data recoverable. A wiping program deletes the data and overwrites the entire hard disc with empty data several times to ensure that none of the previous information is recoverable. Do not store the contents of the magnetic stripe on the card. Do not store the 3-digit Card Verification Code (CVC) which is found on the back of the credit card. On Visa and MasterCard, the 3-digit CVC can be found on the signature panel on the back of the card, as shown below. For American Express, the 4-digit CVC can be found to the top right of the raised card numbers on the front of the card, as shown below. Do not store Personal Identification Numbers (PINs). Credit card numbers should only be shown in full to employees who are authorised to see them. For all other employees, the first six digits and last four digits of the credit card number are the maximum which can be displayed, with all other digits masked. Therefore a customer card number should be displayed as: 1234 56XX XXXX 7890. Card information should be made unreadable anywhere it is stored, using encryption.

4. Encrypt transmission of cardholder data and sensitive information across public networks
Encryption such as Secure Sockets Layer (SSL), Point-to-Point Tunneling Protocol (PPTP) or Internet Protocol Security (IPSec) must be used to safeguard sensitive cardholder information sent over public networks such as the Internet, using a minimum of 128-bit encryption. Wireless networks must use Wi-Fi Protected Access (WPA), if capable, to transmit cardholder data. Wired Equivalent Privacy (WEP) must be used together with SSL, PPTP or IPSec and not on its own. WEP keys must be changed every three months and whenever there are employee changes. Cardholder information must not be sent using unencrypted email.

5. Use and regularly update anti-virus software or programs
Anti-virus software must be used on email systems, desktop computers and servers. Use and regularly update anti-virus software which can produce audit logs. Anti-virus scans must take place regularly and the software must be updated regularly.

6. Develop and maintain secure systems and applications
Security flaws within software and hardware can allow criminals to access systems. Ensure all vendor-supplied security patches are installed within one month of availability. In-house software must be based on industry best practice. Ensure that all system configurations and software are fully tested before being implemented.

7. Restrict data access to pre-approved personnel only
Access to cardholder information should be limited to staff who require it as part of their job. Systems with multiple users must restrict credit card access to personnel who need it.


8. Assign a unique ID to each person with computer access
All actions on cardholder data need to be traceable to the authorised person who performed them. Employ a password, token device or biometrics along with the unique ID. Use two-factor authentication for all remote access to the network; this can include RADIUS or TACACS with tokens, or VPN with individual certificates. Passwords must be managed, including deletion or modification of passwords. Passwords must be revoked and accounts deleted immediately when no longer needed, and passwords must be changed every 90 days.

9. Restrict physical access to cardholder data
Physical access to systems and hard copies of cardholder details must be restricted. Access to servers, wireless access points, gateways and handheld devices must be limited to personnel who need access as part of their role. Cross-cut shred, incinerate or pulp hard copy materials when disposing of them. Electronic data must be destroyed so that cardholder information cannot be retrieved again.

10. Track and monitor all access to network resources and cardholder data
Create system activity logs to keep a record of user activities. The logs can help determine where a system has been compromised.

11. Regularly test security systems and processes
New flaws are continuously discovered and therefore regular testing of systems is required. Any external vulnerability scans must be performed by PCI-qualified vendors, referred to as Qualified Data Security Companies (QDSC).

12. Maintain a policy that addresses information security
A security policy needs to address the importance of information security and the responsibilities of all employees.
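The masking rule in Requirement 3 (first six and last four digits visible), the authorised-personnel rule in Requirement 7 and the unique-ID and activity-log rules in Requirements 8 and 10 fit together in a few lines. The following is an added example written for this page, not code from the report or from the PCI; the role names, the HMAC key, the audit log layout and the sample card numbers are assumptions made for the example.

```python
"""Added example, not part of the Cardiff report: masking a card number
(PAN) for display using the first-six/last-four rule from Requirement 3,
showing the full number only to authorised roles (Requirement 7), and
recording each access against the user's unique ID (Requirements 8 and
10) without writing the PAN itself into the log.  The role names, the
HMAC key, the log layout and the sample PANs are assumptions made for
this example.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Assumed roles that may see an unmasked PAN; everyone else gets the mask.
FULL_PAN_ROLES = {"fraud-analyst", "chargeback-clerk"}

# Assumed secret for the example; in practice it lives outside the code.
LOG_REFERENCE_KEY = b"example-only-key-not-for-production"


def _digits(pan: str) -> str:
    """Strip the spaces or hyphens a PAN is usually typed with, and reject
    anything that is not a 13-19 digit number rather than half-mask it."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits, optionally grouped with spaces or hyphens")
    return digits


def _group4(s: str) -> str:
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible,
    regrouped in blocks of four, e.g. '1234 56XX XXXX 7890' as in the
    report.  Works for any PAN length from 13 to 19 digits."""
    digits = _digits(pan)
    return _group4(digits[:6] + "X" * (len(digits) - 10) + digits[-4:])


def pan_reference(pan: str) -> str:
    """Keyed hash so log entries can be correlated to a card without
    containing it.  A plain unkeyed hash would not do: the PAN space is
    small enough to brute-force, so the key must stay secret."""
    mac = hmac.new(LOG_REFERENCE_KEY, _digits(pan).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def display_pan(pan: str, user_id: str, role: str, audit_log: list) -> str:
    """Return the PAN as this user is allowed to see it and append an audit
    entry keyed by the user's unique ID.  The entry never holds the PAN."""
    masked = mask_pan(pan)            # also validates the input
    full = role in FULL_PAN_ROLES
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user_id,              # unique ID per person (Requirement 8)
        "role": role,
        "action": "view_full_pan" if full else "view_masked_pan",
        "pan_ref": pan_reference(pan),
    })
    return _group4(_digits(pan)) if full else masked


if __name__ == "__main__":
    log = []
    sample = "4111 1111 1111 1111"    # constructed test number, not a real card
    print(display_pan(sample, "u042", "sales", log))          # 4111 11XX XXXX 1111
    print(display_pan(sample, "u007", "fraud-analyst", log))  # 4111 1111 1111 1111
    for entry in log:
        print(entry)
```

The audit entries carry who looked, in what role, and a keyed reference to which card, which is what an investigator needs to reconstruct access after a breach; they do not carry the card number, so the log itself does not become cardholder data that must be protected under Requirement 3.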
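Requirement 3's retention period and secure disposal, and Requirement 8's 90-day password change and immediate revocation, are all date-driven checks that a small merchant can run on a schedule. The following added example (not from the report) does so over constructed account and transaction records; the 90-day figure is the report's, while the retention period, record layouts, sample dates and the file-overwrite routine are assumptions made for the example.

```python
"""Added example, not part of the Cardiff report: a scheduled review that
applies the time-based rules in Requirements 3 and 8 to constructed
records.  Passwords older than 90 days are flagged for change, accounts
of people who have left are flagged for immediate revocation, and
cardholder records past their retention period are listed for secure
disposal, with a file-overwrite routine standing in for the report's
'wiping program'.  The 90-day figure comes from the report; the
retention period, record layouts, sample data and wipe routine are
assumptions made for this example.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta

PASSWORD_MAX_AGE_DAYS = 90   # Requirement 8, as stated in the report
RETENTION_DAYS = 365         # assumed legal retention period for this example


@dataclass
class Account:
    user_id: str                 # the unique ID from Requirement 8
    last_password_change: date
    employed: bool               # False once the person has left


@dataclass
class CardRecord:
    record_id: str
    transaction_date: date


def review_accounts(accounts, today):
    """Return (user_id, action) pairs.  Leavers get 'revoke' regardless of
    password age; current staff get 'rotate' once the password is more
    than PASSWORD_MAX_AGE_DAYS old (a password exactly 90 days old is
    still within the window)."""
    actions = []
    for acct in accounts:
        if not acct.employed:
            actions.append((acct.user_id, "revoke"))
        elif (today - acct.last_password_change).days > PASSWORD_MAX_AGE_DAYS:
            actions.append((acct.user_id, "rotate"))
    return actions


def records_to_dispose(records, today, retention_days=RETENTION_DAYS):
    """IDs of cardholder records whose retention period has ended."""
    cutoff = today - timedelta(days=retention_days)
    return [r.record_id for r in records if r.transaction_date < cutoff]


def overwrite_and_delete(path, passes=3):
    """Overwrite a file's contents several times with random bytes before
    removing it, since a plain delete leaves the data on disk.  Caveat:
    on SSDs and on journaling or copy-on-write filesystems the old blocks
    may survive this; whole-disk wiping tools or encryption at rest are
    the dependable answer there."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def demo_wipe():
    """Write a constructed record to a temporary file, wipe it, and report
    whether the file is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"r1,1234 56XX XXXX 7890,2005-03-01\n")   # constructed line
    overwrite_and_delete(path)
    return not os.path.exists(path)


# Constructed sample data; the review date is the report's own date.
SAMPLE_TODAY = date(2006, 6, 12)
SAMPLE_ACCOUNTS = [
    Account("u001", date(2006, 5, 1), True),    # 42 days old: fine
    Account("u002", date(2006, 1, 10), True),   # 153 days old: rotate
    Account("u003", date(2006, 2, 1), False),   # has left: revoke now
]
SAMPLE_RECORDS = [
    CardRecord("r1", date(2005, 3, 1)),   # older than 365 days: dispose
    CardRecord("r2", date(2006, 1, 15)),  # within retention: keep
]

if __name__ == "__main__":
    print("account actions:", review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY))
    print("records to dispose:", records_to_dispose(SAMPLE_RECORDS, SAMPLE_TODAY))
    print("wipe removed file:", demo_wipe())
```

The review deliberately separates finding what is overdue from acting on it, so the output can be checked by a person before accounts are removed or records destroyed; the overwrite routine is the part most dependent on the storage in use, which is why its caveat matters more than its pass count.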


5.0 What must businesses do in order to achieve compliance?


Security assessments must be carried out at regular intervals, but the interval varies depending on the number of transactions conducted by a business. Merchants are divided between 4 levels and payment processors are divided between 3 levels. Most SMEs are likely to qualify for Merchant Level 4. Level 4 applies to any business which conducts fewer than 20 thousand transactions, regardless of how they accept and process credit cards. In order to comply, the PCI recommends that Level 4 Merchants carry out an annual self assessment questionnaire and an annual network scan. The questionnaire and network scan are not compulsory, only recommendations. Larger companies processing between 20 thousand and 6 million transactions will find themselves needing to perform varying degrees of annual audits and quarterly scans. For a full list of Merchant and Payment Processor Levels, please see Appendix II. Merchants who require independent compliance audits and testing can only use pre-approved companies, referred to as Qualified Data Security Companies (QDSC), to carry out these requirements. For a list of approved companies offering compliance services in the UK, please see Appendix III.

6.0 Conclusion

The PCI DSS gives best practice for SMEs who have to handle credit card information. By adhering to the standard, SMEs should find themselves in a position of preventing problems instead of dealing with them after they have occurred. With the possibility of bad publicity, fines and exclusion from accepting credit cards, it's clear that Welsh SMEs need to act on and implement the standard's requirements as soon as possible. The PCI DSS has been designed for businesses to make their employees, staff and systems more secure. This can be summarised as addressing people, processes and technology, as these three factors can contribute significantly to the exposure of credit card details. Whereas this will not completely stop fraud, it will help tighten up security and therefore limit the opportunities for data to be compromised. Still in its infancy, the PCI DSS has yet to fully establish itself and become recognised as a priority amongst companies. Unfortunately, many companies may think that losing the ability to process credit cards is an empty threat, as the PCI would not want its members to lose this ability and therefore lose money.


Appendix I: Additional Sources of Information


MasterCard
- General MasterCard PCI DSS Resources: https://sdp.mastercardintl.com/documentation/index.shtml
- MasterCard Payment Card Industry Data Security Standard Requirements Document: https://sdp.mastercardintl.com/pdf/pcd_manual.pdf
- MasterCard Payment Card Industry Security Audit Procedures: https://sdp.mastercardintl.com/doc/pci_audit_procedures.doc
- MasterCard Self Assessment Questionnaire: https://sdp.mastercardintl.com/doc/758_pci_self_assmnt_qust.doc
- MasterCard PCI Security Scanning Procedures: https://sdp.mastercardintl.com/pdf/pcs_manual.pdf
- MasterCard Approved Scanning Vendors: https://sdp.mastercardintl.com/vendors/vendor_list.shtml

VISA
- General VISA PCI DSS Resources: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html
- Visa PCI DSS Requirements Document: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Data%20Security%20Standard
- Visa PCI Audit Procedures: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Audit_Procedures_and_Reporting.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Security%20Audit%20%0D%0A%0D%0AProcedures
- Visa PCI Self Assessment Questionnaire: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20SelfAssessment%20%0D%0A%0D%0AQuestionnaire
- Visa PCI Security Scanning Procedures: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Scanning_Procedures.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|PCI%20Security%20Scanning%20%0D%0A%0D%0AProcedures
- Visa PCI Merchant Level 1 and Service Provider Levels 1 and 2 Qualified Data Security Company List: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_List.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Qualified%20Data%20Security%20%0D%0A%0D%0ACompany%20List
- Visa Qualified Data Security Company Requirements: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_Data_Security_Company_Requirements.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Qualified%20Data%20%0D%0A%0D%0ASecurity%20Company%20Requirements


Appendix II: Merchant and Payment Processor Levels


Security assessments must be carried out at regular intervals, but the interval varies depending on the number of transactions. Merchants are divided between 4 levels and payment processors are divided between 3 levels. Small companies will most likely fall into Merchant Level 4, where no compulsory action is needed but action is recommended. Larger companies will find themselves needing to perform annual audits and quarterly scans.

Merchant Level 1
Which merchants qualify for Level 1?
- Any merchant processing more than 6,000,000 transactions per year.
- Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
- All payment service providers and merchants identified as Level 1 by any card association.
What must a merchant do to comply with Level 1?
- Conduct an annual on-site security audit validated by an independent qualified security assessor, or conduct an internal audit validated by a company officer.
- Have an independent vendor conduct a quarterly network scan.

Merchant Level 2
Which merchants qualify for Level 2?
- Any eCommerce merchant processing 150,000 to 6,000,000 transactions per year.
What must a merchant do to comply with Level 2?
- Annual self audit: PCI self assessment questionnaire completed by the merchant.
- A quarterly scan performed by an independent vendor.

Merchant Level 3
Which merchants qualify for Level 3?
- Any eCommerce merchant processing 20,000 to 150,000 transactions per year.
What must a merchant do to comply with Level 3?
- Annual self audit: PCI self assessment questionnaire completed by the merchant.
- A quarterly scan performed by an independent vendor.

Merchant Level 4
Which merchants qualify for Level 4?
- All merchants who do not fall within Level 1, 2 or 3, regardless of their acceptance channel.
What must a merchant do to comply with Level 4?
- Recommended annual PCI self assessment questionnaire, but not compulsory.
- Recommended annual network scan, but not compulsory.

Service Provider Level 1
Which service providers qualify for Service Provider Level 1?
- Any Visa or MasterCard processor or payment gateway.
What must a service provider do to comply with Service Provider Level 1?
- Annual on-site PCI Data Security Assessment.
- Quarterly network scan.

Service Provider Level 2
Which service providers qualify for Service Provider Level 2?
- Any service provider not in Level 1 that stores, processes or transmits over 1,000,000 transactions a year.
What must a service provider do to comply with Service Provider Level 2?
- Annual on-site PCI Data Security Assessment.
- Quarterly network scan.

Service Provider Level 3
Which service providers qualify for Service Provider Level 3?
- Any service provider not in Level 1 that stores, processes or transmits fewer than 1,000,000 transactions a year.
What must a service provider do to comply with Service Provider Level 3?
- Annual Self-Assessment Questionnaire.
- Quarterly network scan.


Appendix III: Companies Offering Compliance Services in the UK


Company             Web address
Ambiron TrustWave   www.atwcorp.co.uk
Cybertrust          www.cybertrust.com
The Logic Group     www.the-logic-group.com
CyberSource         www.cybersource.co.uk
KPMG                www.kpmg.co.uk
One Sec             www.one-sec.com
Sysnet              www.sysnet.ie

