PCI DSS Security Planning: An Applied Approach
Explore the essential security planning strategies to safeguard against cyber threats in the context of Payment Card Industry Data Security Standard (PCI DSS). Learn about the historical background, significance of PCI DSS, common attacks like Smash & Grab, and key controls for ATM/Point-of-Sale security. Discover how smart payment cards with EMV technology and CPP analysis enhance payment card controls. Stay informed on compliance requirements and best practices to protect sensitive cardholder data effectively.
Presentation Transcript
Chapter 3: PCI DSS Info Security Planning Susan Lincke
Security Planning: An Applied Approach | 4/29/2025| 2
Payment Card Industry Data Security Standard (PCI DSS)
Applies to: VISA, MasterCard, American Express, Discover, JCB International
History:
- Initial PCI DSS standard released 2004
- Version 4.0 published March 2022
- Full implementation required 1Q 2024
Why PCI DSS?
- Gonzalez cracked and exposed over 170 million credit card numbers
- Stole from: Barnes & Noble, Boston Market, OfficeMax, Sports Authority, TJ Maxx, Dave & Buster's, Marshall's, Heartland Payment Systems, 7-Eleven, and Hannaford Brothers
- Sentenced to 20 years prison, 2009
- Effect: Payment Card Industry Data Security Standard (PCI DSS)
ATM & Point-of-Sale: Smash & Grab Attack
The Attack (criminals attack via the Internet):
- Step 1: social engineering establishes a foothold in the network, OR a remote access network scan finds a PoS machine
- Step 2: a brute force password guesser obtains access to the PoS device
- Step 3: upon login to the PoS/ATM, install spyware such as PIN keystroke loggers and RAM scrapers to record payment card information
Controls:
- Restrict remote access
- Use antivirus software
- Use strong (2-factor) authentication for PoS/ATM devices, e.g.: what-you-know: a long and different password for each device; what-you-have: a one-time password for remote access
- Recently patch all from OS to PoS app
- Remove other applications; prevent any use of these devices for other purposes
- Encrypt all customer data
Other Payment Card Controls
- Smart payment cards with installed chips are difficult to counterfeit. Target date of October 2015 for updating PoS devices to accept EMV cards.
- Common Point of Purchase (CPP) analysis finds common points of purchase to determine where the crime originated.
- Audits of ATM/PoS require:
  - ATM/PCI devices adhere to the latest standards of PCI compliance for such machines.
  - Policies and procedures for PoS/ATM must be comprehensive, outlining overrides and balances, security controls, incident response, disaster recovery, maintenance, and audit trails and their review.
  - If any information is stored in the device => strong encryption
  - If an organization issues PINs, policies and procedures safeguard those processes
  - If an organization develops its own payment card implementation, additional PCI DSS requirements apply
Payment Card Defenses
- PoS: monitor Point of Sale (PoS) devices for physical changes
- Wireless: wireless transmission is risky; use strong encryption
- Disk: retain credit card info on disk storage for as short an interval as possible (if at all)
- Media: restrict access to any physical and computerized stored payment card receipts
- Manage employees: employees may be solicited to skim payment cards or copy data for personal gain. Use background checks (even for temporary employees). Train employees to process payment transactions properly: payment card numbers shall never be written down, emailed, or stored anywhere except by PoS terminals; payment cards should not be visible to other customers or employees.
PCI Organization & Standards
Payment Card Industry (PCI) Standards Management:
- PCI SSC Executive Committee: payment card companies
- PCI SSC Leadership Team: day-to-day management
- PCI SSC Board of Advisors: users of payment cards
Standards Documents:
- PCI Data Security Standard: for industries who use payment cards
- Secure Software Standard: for industries who build software
Payment Card Data
Cardholder data includes:
- Primary Account Number (PAN): the payment card number; must be encrypted
- Cardholder name
- Service code
- Expiration date
Sensitive authentication data includes:
- Magnetic track data, which may contain: a 3- or 4-digit control that identifies service attributes or restrictions; an optional PIN verification value; and authentication and authorization data stored on the two tracks of the magnetic stripe or on the chip
- Card Verification Code (CVC) or Card Validation Value (CVV): varies by vendor; on the front or back of the card
- PIN or PIN block: the PIN block describes PIN storage and includes the PIN, the PIN length, and sometimes part of the PAN
CVC and PIN serve as passwords. Sensitive authentication data cannot be stored after authorization completes, except with very secure controls.
PCI DSS Requirements: 12 Goals
Security areas and their general goals:
Build and Maintain a Secure Network
  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
Protect Cardholder Data
  3. Protect stored account data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
Implement Strong Access Control Measures
  7. Restrict access to system components and cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to system components and cardholder data
  11. Regularly test security of systems and networks
Maintain an Information Security Policy
  12. Maintain policies and programs that address information security for all personnel
EMV Smart Chips
- Payment card theft is reduced with smart chips
- Europay-Mastercard-Visa (EMV) smart payment cards use chips that are difficult to counterfeit; required implementation October 2015
- Payment cards are still vulnerable in long-distance (over-the-phone or over-the-internet) sales, where the chip cannot be used. Artificial intelligence should monitor these transactions to verify that they are likely valid.
Build and Maintain a Secure Network
Req. 1: Install and Maintain Network Security Controls
ISSUES:
- Vulnerabilities arise from each added device or software feature on a payment card network.
- Smaller card data environments result in less planning, less risk, fewer audit tests and lower audit costs.
CONTROLS:
- Separate out the PCI equipment into its own network zone
- Support a minimal network configuration: no extra applications
- Fully document the network configuration via network and data flow diagrams
- Configure security: e.g., firewalls should support only approved traffic inbound and outbound
- Include network security controls: anti-spoofing software and minimized DNS exposure
Build and Maintain a Secure Network
Req. 2: Apply Secure Configurations to All System Components
ISSUES:
- Protect all systems in the payment card zone, including any wireless networks, to reduce the number of attack vulnerabilities
CONTROLS:
- Remove non-vital applications, accounts and services
- Eliminate default passwords
- Optimize system security options for all systems in the payment card network zone
- Encrypt any remote administrative access
- Apply security rules to wireless networks
- Change encryption keys when personnel depart or after a suspected compromise
Protect Cardholder Data
Req. 3: Protect Stored Account Data
CONTROLS:
- Avoid storage of payment card data, except for a documented business need
- Minimize data retention periods with a documented policy
- Purge data securely, quarterly, preferably through unrecoverable means
- Retain sensitive authentication data (e.g., CVC and PIN) in encrypted format
- Delete sensitive authentication data following authorization; businesses issuing payment cards and a few others may retain sensitive information with compensating security controls
- Mask, encrypt, hash or truncate account numbers, as appropriate
- Prevent copying through unauthorized remote access
- Strongly encrypt file systems and disks
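The payment card data elements and the Req. 3 "mask, hash or truncate" controls in working form, as an added example that is not part of the slides: it scans stored text for unmasked PANs (Luhn-validated, so digit strings such as order ids are not flagged), masks them, and derives a keyed hash token. The PAN length rule, the first-6/last-4 masking format, the HMAC-SHA256 token and the sample records are my assumptions, not the author's.

```python
"""Added example (not from the slides): find unmasked PANs in stored text and
render the masked / keyed-hash forms that Req. 3 calls for.

Assumptions (labelled): a PAN is 13-19 digits passing the Luhn check; the
masked form shows only the first 6 and last 4 digits, one common PCI-style
display format; the token is an HMAC-SHA256 over the PAN with a secret key,
so it cannot be reversed or brute-forced from the hash alone without the key.
The records and test card numbers below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits; replace the middle with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN (HMAC-SHA256) usable as a lookup/dedup token."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate in text, digits only, in order."""
    return [
        re.sub(r"\D", "", m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(re.sub(r"\D", "", m.group(0)))
    ]


def redact(text: str) -> tuple[str, int]:
    """Replace each Luhn-valid PAN in text with its masked form; return (text, count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):  # e.g. an order id that merely looks like a PAN
            return m.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample: a receipt log that wrongly retained full PANs (a Req. 3 violation).
SAMPLE_RECORDS = [
    "2025-04-29 10:01:07 POS-03 sale 42.10 card=4111 1111 1111 1111 exp=12/27",
    "2025-04-29 10:02:41 POS-03 sale 9.99 card=5555555555554444",
    "2025-04-29 10:03:15 POS-03 order_id=1234567890123 status=ok",
]

if __name__ == "__main__":
    clean, n = redact("\n".join(SAMPLE_RECORDS))
    print(f"{n} PAN(s) masked\n{clean}")
```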
Protect Cardholder Data
Req. 3: Protect Stored Account Data
ISSUES:
- Access to keys also means access to data, regardless of the quality of data encryption.
CONTROLS:
- Follow key management best practices
- Define and follow key management policies
- Ensure encryption of keys is as strong as encryption of data
- Ensure key-encrypting keys and data-encrypting keys are maintained separately, with minimal instances
- Encrypt keys when stored or transmitted
- Change keys, by authorized key custodians, 1) regularly and 2) whenever a key is potentially compromised
- Enable only key custodians to access and implement key management practices
Protect Cardholder Data
Req. 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
ISSUE:
- Transmissions are vulnerable across open, public networks, including the Internet and any wireless networks, such as Wi-Fi, cellular, Bluetooth, or satellite
CONTROLS:
- Use strong encryption during transmission according to current best practices; no outdated (deprecated) protocols
- Use digital certificates to ensure that connections are made to the proper destination endpoints; certificates must be valid and current
- Encrypt all aspects of the primary account number (PAN)
Maintain a Vulnerability Management Program
Req. 5: Protect All Systems and Networks from Malicious Software
ISSUES:
- Albert Gonzalez eventually installed spyware in centralized servers to collect payment cards
- A PoS smash-and-grab attack does not require physical presence, since criminals attack via the Internet
- Attackers use social engineering to establish a foothold in the network, then launch a brute force password guesser to obtain access to the PoS device. Attackers may also scan a network for remote access to a PoS machine and then use a password guesser. Upon login, they install spyware such as PIN keystroke loggers and RAM scrapers to record payment card information.
- This PCI DSS requirement protects payment card processors from spyware and malware, including viruses, ransomware, keyloggers, rootkits, and other new executable code.
Maintain a Vulnerability Management Program
Req. 5: Protect All Systems and Networks from Malicious Software
CONTROLS:
- Use anti-malware solutions on all systems that could run malware
- Regularly patch anti-malware software
- Evaluate high risk systems more frequently (or continuously)
- Address anti-malware events promptly, and retain logs for one year
- Never allow disabling of anti-malware tools
- Automated anti-phishing controls are recommended across the entire organization; anti-phishing training is required
Maintain a Vulnerability Management Program
Req. 6: Develop and Maintain Secure Systems and Software
- Inventory payment card device software
- Install high-priority patches within one month
- Document changes to software within configuration management; evaluate for security and PCI DSS impact, and test thoroughly
Maintain a Vulnerability Management Program
Req. 6: Develop and Maintain Secure Systems and Software
- In-house developed software handling payment card information must be built using the PCI Secure Software Standard
- Train software developers annually on attacks and secure software techniques
- Review code manually and/or automatically before release
- Block attacks automatically, either through well-secured applications or a web application firewall, and/or manually, via application logs
- Train engineers on types of web attacks, including SQL and other injection attacks; data structure and overflow attacks; encryption, authentication, and access control attacks; business logic attacks; and newly arisen CERT vulnerabilities
- Justify scripts executed as input at the server; ensure proper authorization and check for integrity
- Implement segregation of duties: separate the production environment from development environment(s)
- Never use real data during development; never use test data during production
Implement Strong Access Control Measures
Req. 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
ISSUES:
- PCI DSS defines access control: access to files, systems or applications
- Privilege: indicates what is allowed to be done on that system, e.g., create, read, write, execute
- PCI DSS subscribes to minimal possible permissions (need to know, least privilege, deny-all default)
CONTROLS:
- Use preferably role-based access control (RBAC) or attribute-based access control (ABAC)
- Review user accounts, including third party accounts, every 6 months by management to ensure appropriateness of the permissions
- Minimize queries to cardholder data
Implement Strong Access Control Measures
Req. 8: Identify Users and Authenticate Access to System Components
ISSUES:
- It is important to properly identify a person who will have access to the PoS, or to a cardholder data system or application
- Identify function = uniquely identify the person
- Authenticate function = prove they are who they claim to be
CONTROLS:
- Require multifactor authentication in the card data environment; requires 2+ of: what you know, what you are, and/or what you have (important against smash-and-grab attacks)
- Single factor authentication is only required for point of sale devices
- Multifactor authentication is required for administrative or remote access and for server card data environments
Implement Strong Access Control Measures
Req. 8: Identify Users and Authenticate Access to System Components
CONTROLS:
- Make employees aware of all authentication policies
- Immediately remove terminated employees
- Disable inactive users within 90 days
- Grant permissions for temporary employees or third-party users only for the explicit time they are expected to serve; monitor for appropriate behavior
- Encrypt stored passwords in files or in transmission
Implement Strong Access Control Measures
Req. 9: Restrict Physical Access to Cardholder Data
CONTROLS:
- Monitor entry to sensitive data centers that process or store payment card data
- Log individual access (e.g., keycard, biometrics, CCTV) and retain for 3 months
- Authenticate the PoS/ATM maintenance person to catch social engineering attacks
- Protect network equipment and communication jacks with access to cardholder transactions from public access
- Log, escort and badge visitors in the cardholder data environment; badges should clearly expire to prevent unauthorized reuse
- Inventory and protect cardholder backups and media
- Confirm backups regularly (at least annually)
- Purge cardholder data securely
Implement Strong Access Control Measures
Req. 9: Restrict Physical Access to Cardholder Data
ISSUES:
- Criminals are attracted to unattended devices, places where PINs are commonly entered, and heavy volume devices or merchants
- Recognizing tampering is easier with a picture and recorded serial numbers
CONTROLS:
- Install point of interface (PoS or ATM) equipment in a tamper-proof way according to directions
- Prevent booting from an infected external device
- Inventory PoS/ATM devices, listing make, model, serial number, location
- Prepare policies to inspect devices periodically, and more frequently in public places
- Train employees to recognize tampering and substitution, and to report suspicious actions like unplugging devices or intimidation
- Train employees and managers to check for loose parts, OR mark the device with an ultraviolet light marker
Regularly Monitor and Test Networks
Req. 10: Log and Monitor All Access to System Components and Cardholder Data
ISSUES:
- Attackers like to delete logs
CONTROLS:
- Retain logs to track each user access to cardholder data; system failures; changes to user/new accounts and system configurations (including installed/removed software)
- Continually log all transactions without exception and record any deviation
- Protect logs, system configurations and their archives with integrity checks; enable only authorized people to access them
- Monitor system logs daily (e.g., from the O.S., authentication, security, and network services carrying payment card data); automatically analyze for easier review
- Act on suspicious incidents in a timely manner
- Synchronize logs across all devices to one accurate time; this enables event coordination
- Retain logs for 1 year; during a potential breach, retain 3 months of logs with easy, fast access
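The "automatically analyze" control above, applied to the smash-and-grab login pattern from the earlier ATM/PoS slide (a remote brute force password guesser followed by a successful login), as an added example that is not part of the slides. The log format, the threshold and window values, and the sample lines are constructed assumptions; a real deployment would feed the PoS device's own authentication log.

```python
"""Added example (not from the slides): detection logic for the smash-and-grab
pattern the deck describes: a remote brute-force password guesser against a
PoS device, followed by a successful login from the same source.

Assumptions (labelled): the log format below is constructed (syslog-like),
not any vendor's; clocks across devices are synchronized as Req. 10 asks, so
timestamps from different hosts are comparable. Sample lines are constructed
and use RFC 5737 documentation addresses.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# "<ISO-8601 time> <host> remote-login <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remote-login (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    host: str
    src: str
    failures: int
    kind: str  # "ATTEMPT": failure threshold reached; "COMPROMISE": success after it


def parse_events(lines: list[str]) -> list[tuple[datetime, str, str, str]]:
    """Parse matching lines into (time, host, result, src); other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["result"], m["src"]))
    return sorted(events)  # order by time so out-of-order delivery is tolerated


def detect(lines: list[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """ATTEMPT when `threshold` failures from one source hit one host within
    `window`; COMPROMISE when a success follows such a run. A success resets
    the failure run for that (host, src) pair."""
    recent: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    alerts: list[Alert] = []
    for ts, host, result, src in parse_events(lines):
        key = (host, src)
        fails = [t for t in recent[key] if ts - t <= window]  # drop stale failures
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(Alert(host, src, threshold, "ATTEMPT"))
            recent[key] = fails
        else:
            if len(fails) >= threshold:
                alerts.append(Alert(host, src, len(fails), "COMPROMISE"))
            recent[key] = []
    return alerts


# Constructed sample: a guessing run against pos-03 that succeeds, a short
# run against pos-07 that stays below threshold, and a normal technician login.
SAMPLE_LOG = [
    "2025-04-29T02:14:05 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:09 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:12 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:16 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:20 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:24 pos-03 remote-login FAIL user=admin src=203.0.113.7",
    "2025-04-29T02:14:31 pos-03 remote-login OK user=admin src=203.0.113.7",
    "2025-04-29T02:20:00 pos-07 remote-login FAIL user=svc src=198.51.100.5",
    "2025-04-29T02:20:04 pos-07 remote-login FAIL user=svc src=198.51.100.5",
    "2025-04-29T02:20:10 pos-07 remote-login OK user=svc src=198.51.100.5",
    "2025-04-29T09:00:00 pos-03 remote-login OK user=tech src=10.20.0.5",
    "2025-04-29T09:00:01 pos-03 pinpad-firmware check OK",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```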
Regularly Monitor and Test Networks
Req. 11: Test Security of Systems and Networks Regularly
ISSUES:
- Man-in-the-middle attacks involve unauthorized wireless access points (or Wi-Fi routers) posing as authorized access points. Two issues: employees could log into them, disclosing password credentials, or unauthorized wireless devices could be used to exfiltrate confidential payment data
CONTROLS:
- Inventory authorized devices
- Detect unauthorized devices early through physical inspection, wireless scans, and other intrusion detection means
- Schedule internal vulnerability tests, external scanning tests and penetration tests
- Run automated vulnerability scans at least every 3 months and after significant changes to the payment card system/network
- Test with qualified, independent testers using up-to-date scanning tools on the internal organizational network
Regularly Monitor and Test Networks
Req. 11: Test Security of Systems and Networks Regularly
ISSUES:
- PCI requires testing with approved testers
CONTROLS:
- Test with qualified, independent testers using up-to-date scanning tools on the internal organizational network
- Address defects in a timely manner commensurate with the defect's risk
- Perform external scanning tests every 3 months by a PCI Approved Scanning Vendor (according to the organization's configuration and capabilities)
- Perform penetration tests annually or after a significant change, by an independent, qualified tester. They should attempt to penetrate the card data environment and specialized servers; test internally, externally, and from other network zones of the organization; and extensively test the network, systems and application software
- Other requirements exist for service providers and multi-tenant service providers (e.g., cloud)
Maintain an Information Security Policy
Req. 12: Support Information Security with Organizational Policies and Programs
- Review information security policies annually and as significant changes occur
- Publish and disseminate policies and security-related roles to all pertinent personnel
- Document security roles so people are aware of their roles
- Develop an Acceptable Use Policy documenting how staff may use computers, mobile devices, remote login, removable storage, internet and email, and acceptable software on organizational computers
- Provide a security awareness training program annually and for new hires, covering social engineering, phishing and acceptable use of computing technologies. Use multiple methods to communicate security awareness
- Screen security staff for the card data environment before hiring; screening cashiers is recommended but not required
Maintain an Information Security Policy
Req. 12: Support Information Security with Organizational Policies and Programs
- Manage service providers and perform a review every 3 months to ensure that logs, alarms, and security configurations are handled properly and that changes are maintained in a change management system. Document management review outcomes and any fixes addressed
- Maintain an inventory of 3rd-party service providers (e.g., IT consultants who review logs)
- Ensure signed contracts acknowledge payment card responsibilities, including assigning PCI DSS rule responsibility; PCI compliance status shall be provided upon request and reviewed annually
- Assign an information security role as part of executive management (e.g., CISO)
- Ensure executive management documents their roles and accountability in ensuring payment card security
Maintain an Information Security Policy
Req. 12: Support Information Security with Organizational Policies and Programs
- Inventory and review hardware and software technologies at least every 6 months, and after a major change, to maintain accurate CDE documentation
- Perform an annual review to ensure that CDE components remain patched and secure (e.g., with valid PCI compliance status)
- Apply patches in a timely manner and address outdated technology in a senior management plan
- Perform a thorough risk analysis annually, approved by senior management: evaluate all 12 PCI DSS requirements, and include a control matrix that analyzes which controls address various risks, via preventive, detective, and corrective means
Maintain an Information Security Policy
Req. 12: Support Information Security with Organizational Policies and Programs
- Address business continuity by describing how operations may continue when IT fails or is attacked
- Prepare an incident response plan (IRP) to define how security and other incidents will be handled. Include in the plan: business recovery, data backup, and timely reporting of breaches to payment brands and government, when appropriate
- Review and test the IRP annually
- Ensure the incident response function is available 24 hours per day
- Train personnel to recognize and manage intrusions through various network and system devices
- Recognize and remediate payment card access when found outside the CDE
- Review means of encryption annually to ensure sufficient cryptographic strength, by checking recent industry trends, standards and vulnerabilities
Three Levels of PCI Auditors
- Approved Scanning Vendor (ASV): authorized to perform quarterly external vulnerability scans
- Qualified Security Assessor (QSA): external auditor who performs annual on-site audits
- Internal Security Assessor (ISA): can complete a merchant's Attestation of Compliance (AOC)
Report on Compliance (ROC): a full audit report.
Attestation of Compliance (AOC): summary form submitted annually by merchants and service providers to attest to the results of a PCI DSS assessment documented in a Self-Assessment Questionnaire or Report on Compliance. The summarized AOC requires that the auditor certify that the merchant is compliant with the twelve PCI DSS requirements, has successfully passed quarterly penetration scans, and uses appropriate payment card equipment. Even smaller organizations submit an AOC annually.
Information Required in the AOC
- Who performed the assessment
- Types of transactions (or channels) supported: card present, e-commerce, or phone/mail order, and whether/how each payment channel is stored, processed, and/or transmitted
- Description of the payment card environment, including other systems in the zone; the location(s), number, and type (e.g., retail) of systems
- PCI products used: vendors, versions, certifications and expiration dates
- 3rd party service providers used: their names and descriptions of the service provided
- Status of each of the 12 requirements, plus Appendix A2, if applicable
- The period of assessment, and what parts of the assessment were performed remotely
- Status of assessment: partially/fully tested; compliant/not compliant/compliant with legal exception (or extenuating circumstance)
- Signatures of those attesting to the assessment status
- Action plan for non-compliant tests
Annual QSA Audit
- Qualified Security Assessors (QSA) are qualified by the PCI SSC to perform annual on-site assessments
- The audit process includes examining documents, observing actual configurations, and interviewing knowledgeable staff
- Companies need to submit: system data-flow diagrams, network diagrams, and configuration standards and rules for systems, networks and security
- QSAs generate a Report on Compliance (ROC), outlining the detailed results
- The AOC is signed by both the QSA and an executive officer
- All documents (scans, ROC, and AOC) are submitted to the acquirer or payment brand
VISA Required Reports (by merchant level and annual transaction volume)
- Level 1: more than 6 million transactions
  Annually: submit a Report on Compliance (ROC) by a QSA or internal auditor; submit an Attestation of Compliance (AOC)
  Quarterly: network scan by an Approved Scanning Vendor (ASV)
- Level 2: 1-6 million transactions
- Level 3: 20,000-1 million e-commerce transactions
- Level 4: up to 1 million transactions, or fewer than 20,000 e-commerce transactions
  Levels 2-4, annually: submit a Self-Assessment Questionnaire (SAQ); submit an Attestation of Compliance (AOC)
  Levels 2-4, quarterly: network scan by an Approved Scanning Vendor (ASV)
Visa's Incident Report Notification Timeline (2022)
(Timeline figure reconstructed as a list; the durations are those labelled on the slide.)
- Compromise event suspected or confirmed
- Within 3 days: report the event to the regional Global Risk Investigation Group
- Within 3 days: complete the Incident Report
- Visa may determine that a forensic investigation is required
- Within 5 days: PCI Forensic Investigator contracted, to Visa & bank
- Within 5 days: provide preliminary forensic report
- Forensic analysis completed
- Within 10 days: provide final forensic report
CASE STUDY EXERCISE
- How is your network compliant versus not compliant?
- What can you limit to ensure you meet PCI DSS?
- What parts of PCI DSS are most important for you to address?
- What other regulation does your organization need to address?