PCIP STUDY BUNDLE PACK SOLUTION 2023 (Questions and Answers) (Verified Answers)

How is skimming used to target PCI data?
Copying payment card numbers by tampering with POS devices, ATMs, Kiosks or copying the magnetic stripe using handheld skimmers.

How is phishing used to target PCI data?
By doing reconnaissance work through social engineering and/or breaking in using software vulnerabilities or e-mails.

How can Payment Data be Monetized?
By skimming the card to get the full track data and then making a counterfeit card; by using the card information in “card-not-present” transactions such as e-commerce or mail order/telephone order. Card data is also sold in bulk to other criminals who perform their own fraud using the stolen data.

Who is targeted?
Retail, Food and Beverage, Hospitality, Financial Services, non-profit. EVERYONE!

What is the PCI SSC?
The Payment Card Industry Security Standards Council is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.

What are some of the PCI SSC founding payment brands?
American Express, Discover Financial, JCB International, MasterCard, Visa Inc.

What are the Resources provided by the PCI SSC?
PCI DSS, PA-DSS, P2PE, PTS (POI, HSM and PIN), Card Production, and supporting documents.

Roster of QSAs, PA-QSAs, PCIPs, ASVs, validated payment applications, PTS Devices, and P2PE solutions

PCI Security Standards Council FAQs

Education and Outreach programs

Participating Organization Membership, Community Meetings, feedback.

What is the overview of PCI DSS?
Covers security of the environments that store, process or transmit account data.

Environments receive account data from payment applications and other sources (e.g., acquirers).

What is the overview of PCI PA-DSS?
Covers secure payment applications to support PCI DSS compliance.

Payment application receives account data from PIN-entry devices (PEDs) or other devices and begins the payment transaction.

What is the overview of PCI P2PE?
Covers encryption, decryption, and key management requirements for point-to-point encryption solutions.

What is the overview of PCI PTS-POI?
Covers the protection of sensitive data at the point of interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data.

What is the overview of PCI PTS-PIN Security?
Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

What is the overview of PCI PTS-HSM?
Covers physical, logical and device security requirements for securing hardware security modules.

What is the overview of PCI Card Production?
Covers physical and logical security requirements for systems and business processes.

What PCI DSS compliance program does American Express develop and maintain?
Data Security Operating Policy (DSOP)

What PCI DSS compliance program does Discover develop and maintain?
Discover Information Security Compliance (DISC)

What PCI DSS compliance program does JCB develop and maintain?
Data Security Program

What PCI DSS compliance program does MasterCard develop and maintain?
Site Data Protection

What PCI DSS compliance program does Visa Inc. develop and maintain?
Cardholder Information Security Program (CISP) and Account Information Security (AIS) program

What is included in the payment brand compliance programs?
Tracking and enforcement

Penalties, fees, compliance deadlines

Validation process and who needs to validate.

Approval and posting of compliant entities

Definition of merchant and services provider levels.

What are payment brands responsible for?
Defining rules for forensic investigations and responding to account data compromises

Monitoring and facilitating investigations of account data compromise to completion.

What is PA-DSS?
Payment Application Data Security Standard.

What does PA-DSS apply to?
Third-party payment applications such as POS, shopping carts, etc.

What does PA-DSS do?
Ensures a payment application can function in a PCI DSS compliant manner.

If a merchant uses a PA-DSS application, does it mean they are PCI DSS compliant?
No

Are PA-DSS applications in scope for PCI DSS?
Yes

What is PCI P2PE?
Point to Point Encryption.

What must be included in a P2PE solution?
Secure encryption of payment card data at the point of interaction.

P2PE-validated applications at the point of interaction.

Secure management of encryption and decryption devices.

Management of the decryption environment and all decrypted account data.

Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.

What is the relationship between PA-DSS and PCI DSS?
PA-DSS must facilitate and not prevent DSS compliance.

What is the relationship between P2PE and PCI-DSS?
Incorporates requirements from PTS, PCI DSS, PA-DSS and PCI PIN to protect account data from the point of capture until it reaches the payment processor.

What does PTS stand for?
PIN Transaction Security

What is PTS?
PTS is a set of modular evaluation requirements managed by PCI SSC, for PIN acceptance POI terminals.

What is the PTS program about?
The program ensures terminals cannot be manipulated or attached to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys.

What does SRED stand for?
Secure Read and Exchange Module

What does SRED allow?
It allows terminals to be approved for the secure encryption of cardholder data as part of the Point-to-Point Encryption program.

What does PIN mean?
Personal Identification Number.

What is required in the PCI PIN Security Requirements?
Management, processing and transmission.

What is a Cardholder?
Customer, individual making a purchase of goods or services. The process could involve a card present or not present transaction.

Who is the Issuer?
Bank or organization issuing a payment card on behalf of a payment brand (e.g. Visa, MasterCard).

Which Payment Brands issue credit cards directly?
American Express, Discover, JCB

Who is the Merchant?
Organization accepting the payment card for payment during a purchase.

What is an Acquirer?
This is the bank or entity the merchant uses to process their payment card transactions.

What does the Acquirer do?
It receives the authorization request from the merchant and forwards it to the issuer for approval.

Provides authorization, clearing and settlement services to merchants.

What is the Acquirer also known as?
Merchant Bank, ISO, Payment Brand – Amex, Discover, JCB.

How does the card processing flow work?

  1. Cardholder presents their card.
  2. Acquirer asks payment brand to determine issuer.
  3. Payment brand network determines issuer and requests approval.
  4. Issuer approves purchase.
  5. Payment brand network sends approval to acquirer.
  6. Acquirer sends approval to merchant.
  7. Cardholder completes purchase and receives receipt.

What is a service provider?
A service provider is a business that is involved in processing, storing or transmitting cardholder information on behalf of another entity.

What does QIR stand for?
Qualified Integrator Reseller

What is the role of a QIR?
Integrators and Resellers are those entities that sell, install, and /or service payment applications on behalf of software vendors or others.

What are some of the responsibilities of a QIR?

  1. Implementing the application into the merchant environment.
  2. Integrating the application into other software and systems, where applicable.
  3. Configuring the payment application (where configuration options are provided).
  4. Servicing the payment applications (for example, troubleshooting, delivering remote updates, and providing remote support).

Why are QIRs so important to Data Security?

  1. QIRs have an important role to play in securing account data.
  2. Software vendors are responsible for developing applications
  3. Applications usually have configuration or installation options which could impact security.

How does a Qualified Installation impact the PCI DSS assessment?

  1. The documentation from a QIR provides useful information about how the application was installed.
  2. Application configuration may have changed since the installation.

3.

PA-DSS
Payment Application Data Security Standard (POS, shopping carts, etc.)

PTS (POI)
PIN Transaction Security Point of Interaction Standard (attended and unattended devices)

HSM (PIN)
Hardware Security Module PIN Standard (not required but may assist in becoming compliant)

P2PE
Point to Point Encryption Standard (Most helpful standard to reduce scope)

SRED
Secure Read and Exchange Module allows terminals to be approved for secure encryption of cardholder data.

POI Examples
Attended : Cash Registers
Unattended Encrypted PIN Pads : ATM
Unattended Payment Terminals : Gas Pump

PCI PIN Security Requirements
Management
Processing
Transmission

Payment Card Flow
Cardholder presents card -> Acquirer asks payment brand to determine issuer -> Payment brand network determines issuer and requests approval -> Issuer approves purchase -> Payment brand network sends approval to the acquirer -> Acquirer sends approval to merchant -> Cardholder completes purchase and receives receipt.

Acquirer (Also Called?)
-Merchant Bank
-Independent Sales Organization (ISO)
-Payment Brand (Amex, Discover, JCB)
-Never Visa or Mastercard

Payment Card Flow (Clearing)
Acquirer sends purchase information to the payment brand network -> payment brand network sends purchase information to the issuer -> issuer prepares data for cardholder statement -> payment brand network provides complete reconciliation to acquirer.

Payment Card Flow (Settlement)
Issuer determines acquirer via the payment brand network -> Issuer sends payment to acquirer -> Acquirer pays merchant for cardholder's purchase -> Issuer bills cardholder

Service Provider
A business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes a service provider is a merchant.

QIRs
Qualified Integrators and Resellers
-Assure quality and provide feedback

What do QIRs do?
-Implementing applications into a merchant environment
-Integrating applications into new software or systems.
-Configuring the payment application
-Servicing payment applications to provide troubleshooting/remote updates or support.

PA-DSS Implementation Guide
-What the QIR uses in order to implement a PCI DSS compliant payment application into a cardholder data environment (CDE).
-After installation the QIR creates an implementation statement and gives it to the customer for their signature.

CID
Card Identification Number (American Express)

CAV2/CID/CVC2/CVV2
Card specific code on back of card (Discover, JCB, Mastercard, Visa)

Cardholder Data
-PAN
-Cardholder Name
-Expiration Date
-Service Code

Sensitive Authentication Data
-Full magnetic stripe data or chip data
-CAV2/CVC2/CVV2/CID
-PINs/PIN blocks
-Cannot be stored after authorization

Track 1 Data
Contains all fields of both Track 1 and Track 2.
-Length up to 79 characters.

Track 2 Data
Provides shorter processing time for older dial-up transmissions.
-Length up to 40 characters

Inventorying Cardholder Environment
-System Name
-Cardholder data stored
-Reason for storage
-Retention period
-Protection mechanism.

Is storing track data permitted after authorization?
No

PCI DSS Goals
-Build and maintain a secure network and systems
-Protect Cardholder Data
-Maintain a vulnerability management program
-Implement strong access control measures
-Regularly monitor and test networks
-Maintain an information security policy.

Requirement 1
Install and maintain a firewall configuration to protect cardholder data.

Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters.

Requirement 3
Protect stored cardholder data. (Hashing, truncation, tokenization, and encryption)

Requirement 4
Encrypt transmission of cardholder data across open, public networks.

Requirement 5
Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6
Develop and maintain secure systems and applications. (Coding, patching)

Requirement 7
Restrict access to cardholder data by business need to know.

Requirement 8
Identify and authenticate access to system components. (Access control)

Requirement 9
Restrict physical access to cardholder data.

Requirement 10
Track and monitor all access to network resources and cardholder data. (Logs/Changes)

Requirement 11
Regularly test security systems and processes. (Vuln. Scans, PenTests, Network Scans)

Requirement 12
Maintain a policy that addresses information security for all personnel.

Masking
The first six and last four digits are the only digits of the account number viewable.

Storing track data “long-term” or “persistently” is permitted when __?
It is being used by issuers.

Requirement A1
Shared hosting providers must protect the cardholder data environment.

Requirement A2
SSL and Early TLS implementations.

Requirement A3
Designated Entities Supplemental Validation (DESV)

What has to exist for a compensating control?
Legitimate Technical Constraint
or
Documented Business Constraint

SAQ A
Card not present (E-Commerce, Mail Order/Telephone Order) w/outsourced storage to PCI compliant 3rd party.

SAQ A-EP
E-Commerce merchants with a website that does not take cardholder data.

SAQ B
Imprint-only merchants with no electronic cardholder data storage.

SAQ B-IP
Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to a payment processor.

SAQ C
Merchants with segmented payment application systems, and no electronic cardholder data storage.

SAQ C-VT
Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage.

SAQ D
All merchants not included in the description for all other SAQ types.

SAQ P2PE
Merchants who have implemented a validated Point-to-Point Encryption Solution that is listed on the PCI SSC website, with no electronic cardholder data storage.

Prioritized Approach 1
Remove sensitive data and limit data retention.

Prioritized Approach 2
Protect systems and networks, and be prepared to respond to a system breach.

Prioritized Approach 3
Secure payment card applications.

Prioritized Approach 4
Monitor and control access to your systems.

Prioritized Approach 5
Protect stored cardholder data.

Prioritized Approach 6
Finalize remaining compliance efforts, and ensure all controls are in place.

Best Practices for Business As Usual
1) Monitor security controls to ensure they are operating effectively and as intended.
2) Detect and respond to failures in security controls in a timely manner.
3) Review changes to the environment.
4) Upon changes to organizational structure, review the impact to PCI DSS scope and requirements.
5) Implement periodic reviews and communications to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes.
6) Review hardware and software technologies to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS.

Tokenization
A process by which the primary account number (PAN) is replaced with a surrogate value called a “token”.

Encryption
The algorithmic process of transforming plaintext into unreadable ciphertext; it is the core technology for any point-to-point encryption solution.

Which of the below functions is associated with Acquirers?

A. Provide settlement services to a merchant

B. Provide authorization services to a merchant

C. Provide clearing services to a merchant

D. All of the options
Correct Answer: D

Which of the following entities will actually approve a purchase?

A. Non-Issuing Merchant Bank

B. Issuing Bank

C. Payment Transaction Gateway

D. Acquiring Bank
Correct Answer: B

Which of the following lists the correct “order” for the flow of a payment card transaction?

A. Clearing, Settlement, Authorization

B. Clearing, Authorization, Settlement

C. Authorization, Clearing, Settlement

D. Authorization, Settlement, Clearing
Correct Answer: C

Service Providers include companies which _____________ or could ______________ the security of cardholder data.

A. are PCI compliant, prove effective controls for

B. control, impact

C. manage, test

D. control, subrogate
Correct Answer: B

Cardholder Data may be stored in “KNOWN” and “UNKNOWN” locations.

A. True

B. False
Correct Answer: A

Storing Track Data “Long-Term” or “persistently” may be permitted if_______________.

A. it is being stored by issuers

B. it is reported to the PCI SSC annually in a RoC

C. it is encrypted by the merchant storing it

D. it is hashed by the merchant storing it
Correct Answer: A

PCI DSS Requirement 3.4 states the PAN must be rendered unreadable when stored, using___________.

A. Encryption, Truncation, or Obfuscating

B. Hashing, Scrambling, or Encrypting

C. Encryption, Hashing, or Truncation

D. Truncation, Scrambling, or Encrypting
Correct Answer: C

Requirement 2.2.2 states “Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system”. Which of the following is considered secure?

A. SSH

B. Rlogin

C. Telnet

D. FTP
Correct Answer: A

When scoping an environment for a PCI DSS assessment, it is important to identify ___.

A. All flows of cardholder data

B. All of the options

C. Components that store cardholder data

D. Business facilities involved in processing transactions
Correct Answer: B

Merchants involved with only e-commerce transactions that are completely outsourced to a PCI DSS compliant service provider would use which SAQ?

A. SAQ C/VT

B. SAQ B

C. SAQ D

D. SAQ A
Correct Answer: D

Imprint-Only Merchants with no electronic storage of cardholder data would use which SAQ?

A. SAQ C/VT

B. SAQ B

C. SAQ A

D. SAQ D
Correct Answer: B

When a Service Provider has been defined by a payment brand as eligible to complete a SAQ, which SAQ is used?

A. SAQ D

B. SAQ B

C. SAQ A

D. SAQ C
Correct Answer: A

Information Supplements provided by the PCI SSC may “supersede” requirements.

A. True

B. False
Correct Answer: B

If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.

A. False

B. True
Correct Answer: B

The presumption of P2PE is that cardholder data in transit is protected when it is encrypted to the extent that an entity in possession of the ciphertext alone can easily reverse the encryption process.

A. False

B. True
Correct Answer: A

Encrypting account data at the point of capture is one way an entity involved in payment card processing via mobile devices can actively help in controlling risks to the security of cardholder data.

A. True

B. False
Correct Answer: A

In order to be considered a compensating control, which of the following must exist?

A. A legitimate technical constraint and a documented business constraint.

B. A legitimate technical constraint.

C. A legitimate technical constraint or a documented business constraint.

D. A documented business constraint.
Correct Answer: C

PCI DSS Requirement 1

A. Install and maintain a firewall configuration to protect cardholder data

B. Do not use vendor supplied defaults for system passwords and other security parameters

C. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods

D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: A

PCI DSS Requirement 2

A. Install and maintain a firewall configuration to protect cardholder data

B. Do not use vendor supplied defaults for system passwords and other security parameters

C. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods

D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: B

PCI DSS Requirement 3

A. Install and maintain a firewall configuration to protect cardholder data

B. Do not use vendor supplied defaults for system passwords and other security parameters

C. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods

D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: C

PCI DSS Requirement 4

A. Install and maintain a firewall configuration to protect cardholder data

B. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods

C. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)

D. Use and regularly update anti-virus software or programs
Correct Answer: C

PCI DSS Requirement 5

A. Use and regularly update anti-virus software or programs

B. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)

C. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods

D. Do not use vendor supplied defaults for system passwords and other security parameters
Correct Answer: A

PCI DSS Requirement 6

A. Use and regularly update anti-virus software or programs

B. Develop and maintain secure systems and applications

C. Assign a unique ID to each person with computer access

D. Restrict access to cardholder data by business need to know
Correct Answer: B

PCI DSS Requirement 8

A. Identify and authenticate access to system components

B. Restrict physical access to cardholder data

C. Develop and maintain secure systems and applications

D. Use and regularly update anti-virus software or programs
