acertigo ag on sbs talk 2011
© 2011 Acertigo AG
Payment Card Industry Data Security Standard
PCI Compliance
requirements and approach
27 May 2011, Salzburg
CONTENT
1. COMPANY PROFILE
2. BASICS PAYMENT CARD INDUSTRY STANDARDS
3. BASICS PCI DSS / PA-DSS
4. HOW TO ACHIEVE PCI COMPLIANCE
5. PROJECT EXAMPLE
6. CONTACT
COMPANY PROFILE
- Experienced and professional partner for our customers in the PCI field since 2004
- Since 2004 accredited assessor for most of the PCI standards, such as PCI DSS, PA-DSS and PCI PIN Security
- Accreditation for the regions of Europe, Middle East and Africa
- More than 150 PCI audit customers in about 20 countries
- More than 3,000 merchants as portal customers
- Locations: Stuttgart, Zurich
- Partner offices in several countries
COMPANY PROFILE  Expertise in PCI compliance work
PA-DSS customers in several industries:
- parking management software
- hotel & spa management software
- ATM network providers
- POS network providers
- petrol stations
- payment gateway software
PCI DSS customers across all types of customers:
- processors and banks
- network operators
- payment service providers
- merchants
BASICS PAYMENT CARD INDUSTRY STANDARDS  Focus of the different standards
[Diagram: the participants of the payment chain, Vendor, Member Bank Acquiring, Service Provider, Member Bank Issuing and Card Issuing, with the areas covered by PCI DSS and by PCI PA-DSS marked over them]
BASICS PAYMENT CARD INDUSTRY STANDARDS  PCI standards and the brands' compliance programmes
PCI DSS and PA-DSS are not a compliance program.
PCI DSS and PA-DSS are global standards that serve as a security baseline.
Compliance programs, such as AIS, SDP and DSOP,
- are maintained and promoted by each brand
- determine to whom the standards apply
- define the classification criteria
- determine changes in agreements
- define deadlines
- define fees and penalties
BASICS PAYMENT CARD INDUSTRY STANDARDS  The PCI DSS standard
- Comprehensive requirements to enhance the security of cardholder data.
- The standard covers requirements for security management, policies, procedures, infrastructure architecture, software development and other protective measures.
- The intent is that companies implement proactive protection of cardholder data.
- It consists of twelve sections defining requirements with regard to people, processes and IT infrastructure.
- Validation is performed according to version 2.0, which has been effective since October 2010.
BASICS PAYMENT CARD INDUSTRY STANDARDS  The PA-DSS standard
- Comprehensive requirements to enhance the security of payment applications handling cardholder data.
- The standard covers requirements for development guidelines and procedures, encryption, secure remote management, the Implementation Guide and access control.
- The intent is that software vendors provide an application which is aligned with the PCI DSS requirements and does not hinder PCI DSS compliant usage by the customer.
- It consists of fourteen sections defining requirements with regard to software development, processes and implementation guidance.
- Validation is performed according to version 2.0, which has been effective since October 2010.
BASICS PAYMENT CARD INDUSTRY STANDARDS  Data objectives

Data element                      Storage allowed   Protection required   Cryptography required
Cardholder Data
  PAN                             YES               YES                   YES
  Expiration Date*                YES               YES                   NO
  Service Code*                   YES               YES                   NO
  Cardholder Name*                YES               YES                   NO
Sensitive Authentication Data
  Full Magnetic Stripe**          NO                N/A                   N/A
  CVC2/CVV/CID**                  NO                N/A                   N/A
  PIN/PIN block**                 NO                N/A                   N/A

*  Data to be protected if stored with the PAN
** Storage after authorization; handling of pre-authorization data is according to the card scheme rules
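The data matrix above is the part of the deck a practitioner can turn into a concrete control: a check that a stored post-authorization record contains no sensitive authentication data, that any PAN is no longer a readable card number, and that the other cardholder data elements are flagged for protection when they sit next to a PAN. The following Python is an added example written for this page, not code from Acertigo or the PCI SSC; the field names, the record layout, the sample records and the log line are constructed assumptions, and a value is treated as "rendered unreadable" simply when it is not a complete, Luhn-valid 13 to 19 digit number.

```python
"""Added example (not from the Acertigo slides): classify the fields of a
stored post-authorization transaction record against the data matrix on the
slide above, i.e. which elements may be stored at all, which must be
protected when stored with the PAN, and which must be rendered unreadable.
Field names, record layout and sample values are constructed for this
example and are assumptions, not a real payment system's schema."""

import re

# Matrix from the slide: element -> (storage allowed, protection required,
# cryptography required). None means "not applicable" because storage is
# forbidden in the first place.
DATA_MATRIX = {
    "pan":             (True,  True,  True),
    "expiration_date": (True,  True,  False),   # * protect if stored with PAN
    "service_code":    (True,  True,  False),   # *
    "cardholder_name": (True,  True,  False),   # *
    "track_data":      (False, None,  None),    # ** full magnetic stripe
    "cvv":             (False, None,  None),    # ** CVC2/CVV/CID
    "pin_block":       (False, None,  None),    # ** PIN / PIN block
}

# A run of 13 to 19 digits not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_is_readable(value: str) -> bool:
    """True when a stored PAN is a complete cleartext card number. Truncated
    or masked values (411111******1111), hashes, tokens and ciphertext do not
    match, so they count as 'rendered unreadable' for this check."""
    return bool(re.fullmatch(r"\d{13,19}", value)) and luhn_ok(value)


def scan_text_for_pans(text: str) -> list[str]:
    """Find cleartext PANs leaked into free text (log lines, memo fields)."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


def classify_record(record: dict, authorized: bool = True) -> dict[str, str]:
    """Return a verdict per populated field of `record`.
    `authorized=False` models a pre-authorization record, for which the slide
    defers the handling of SAD to the card scheme rules instead of forbidding it."""
    verdicts = {}
    stored_with_pan = bool(record.get("pan"))
    for field, (storable, protect, crypto) in DATA_MATRIX.items():
        value = record.get(field)
        if value in (None, ""):
            continue
        if not storable:
            verdicts[field] = ("VIOLATION: sensitive authentication data stored after authorization"
                               if authorized else "PRE-AUTH: handle according to card scheme rules")
        elif crypto and pan_is_readable(value):
            verdicts[field] = "VIOLATION: cleartext PAN, must be rendered unreadable"
        elif crypto:
            verdicts[field] = "OK: PAN stored in unreadable form"
        elif protect and stored_with_pan:
            verdicts[field] = "PROTECT: stored together with PAN, protection required"
        else:
            verdicts[field] = "OK: not stored together with PAN"
    return verdicts


def violations(record: dict, authorized: bool = True) -> list[str]:
    """Fields whose storage breaks the matrix (order follows DATA_MATRIX)."""
    return [f for f, v in classify_record(record, authorized).items()
            if v.startswith("VIOLATION")]


# Constructed sample records; the PAN is the widely used Visa test number.
BAD_RECORD = {"pan": "4111111111111111", "expiration_date": "1225",
              "cardholder_name": "A. SAMPLE", "cvv": "123"}
GOOD_RECORD = {"pan": "411111******1111", "expiration_date": "1225",
               "cardholder_name": "A. SAMPLE"}

if __name__ == "__main__":
    for name, rec in (("bad", BAD_RECORD), ("good", GOOD_RECORD)):
        print(name, classify_record(rec))
    # constructed log line: one real-looking PAN, one digit run that fails Luhn
    print(scan_text_for_pans("auth ok card=4111111111111111 ref=1234567890123"))
```

The record check covers the matrix column by column; `scan_text_for_pans` addresses the common way the matrix is broken in practice, a full PAN ending up in a log or memo field where nobody intended to store it. Both checks only decide whether a value is a readable card number, they do not verify that the encryption or hashing actually used is strong, which remains an assessment question.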
BASICS PCI DSS / PA-DSS  Stakeholders
Software Vendor: Software vendors ("vendors") develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and then sell, distribute, or license these payment applications to third parties (customers or resellers/integrators).
Reseller and Integrators: Resellers and integrators are those entities that sell, install, and/or service payment applications on behalf of software vendors or others.
Customer: Customers are merchants, service providers, or others who buy or receive a third-party payment application to store, process, or transmit cardholder data as part of authorizing or settling payment transactions.
PA-QSA: PA-QSAs are QSAs that have been qualified and trained by PCI SSC to perform PA-DSS reviews.
BASICS PCI DSS / PA-DSS  Stakeholders' responsibilities
Software Vendor
- Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers' PCI DSS compliance (the application cannot require an implementation or configuration setting that violates a PCI DSS requirement)
- Following PCI DSS requirements whenever the vendor stores, processes or transmits cardholder data (for example, during customer troubleshooting)
- Creating a PA-DSS Implementation Guide, specific to each application, according to the requirements in the Payment Application Data Security Standard
- Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner
- Ensuring payment applications meet PA-DSS requirements by successfully passing a PA-DSS review as specified in the PCI PA-DSS Requirements and Security Assessment Procedures
BASICS PCI DSS / PA-DSS  Stakeholders' responsibilities
Resellers and Integrators
- Implementing only PA-DSS compliant payment applications into a PCI DSS compliant environment (or instructing the merchant to do so)
- Configuring such payment applications (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor
- Configuring such payment applications (or instructing the merchant to do so) in a PCI DSS compliant manner
- Servicing such payment applications (for example, troubleshooting, delivering remote updates, and providing remote support) according to the PA-DSS Implementation Guide and PCI DSS
BASICS PCI DSS / PA-DSS  Stakeholders' responsibilities
Customers
- Implementing a PA-DSS-compliant payment application into a PCI DSS-compliant environment
- Configuring the payment application (where configuration options are provided) according to the PA-DSS Implementation Guide provided by the vendor
- Configuring the payment application in a PCI DSS-compliant manner
- Maintaining the PCI DSS-compliant status for both the environment and the payment application configuration
PA-QSA
- Performing assessments on payment applications in accordance with the Security Assessment Procedures and the PA-QSA Validation Requirements
- Providing an opinion regarding whether the payment application meets PA-DSS requirements
- Providing adequate documentation within the ROV (Report on Validation) to demonstrate the payment application's compliance with the PA-DSS
- Submitting the ROV to PCI SSC, along with the Attestation of Validation (signed by both PA-QSA and vendor)
BASICS PCI DSS / PA-DSS  Documentation for validation
Documents:
- Audit procedures
- Program Guide
Compliance is validated against the current version 2.0 of these documents.
PCI DSS is referenced by PA-DSS.
HOW TO ACHIEVE PCI COMPLIANCE  Typical PCI compliance project tasks
Analysis
- scope determination
- gap analysis
- concept advisory
- action plan / timeline
Remediation
- implement technical changes
- implement procedures
- adjust documentation
- ongoing review
PA-DSS Review
- onsite audit by QSA
- final certification
Maintain Compliance
- improvement
- awareness
- integrate compliance issues as business as usual
[Diagram: the phases flow from Analysis (action items) -> Remediation (ready for review) -> PA-DSS Review (approval) -> Maintain Compliance, with periodical reviews feeding back into the cycle]
CONTACT
Thank you for your attention!
Ralph Wörn, CEO
Acertigo AG
Wilhelmsplatz 8, 70182 Stuttgart, Germany
phone +49 711 620 30 300
fax +49 711 620 30 200
email [email protected]
COPYRIGHT
Acertigo AG – Stuttgart and its companies ["Acertigo"] retain all ownership rights to this document [the "Document"]. Use of the Document is governed by applicable copyright law. Acertigo may revise this Document from time to time without notice. This document is provided "as is" without warranty of any kind. In no event shall Acertigo be liable for indirect, special, incidental, or consequential damages of any kind arising from any error in this document, including without limitation any loss or interruption of business, profits, use or data.
All contents provided in this document are protected by copyright. None of the material may be reproduced, copied or distributed in any form without the prior written permission of Acertigo AG. All rights are reserved including those in the translation.
Trademarks: Most of the names and trade names, including hardware and software terms, mentioned in this document are either registered trademarks or should be considered as such. All information contained in this document has been published without regard to a possible patent protection. All names of goods are used without the guarantee of usability. All rights are reserved.
Acertigo is a registered trademark in Germany and other countries.