PCI DSS and GDPR Made Easy

Transcription

1 PCI DSS and GDPR Made Easy

2 ENRICO ERMANNO DALL ARA PCI QSA , CISSP, GPEN Chief Security 366 SECOM ITB, Berlin, March 9th 10:30

3 Can you afford 4% of yearly turnover in fine?

4 REGULATIONS: GDPR AND General Data Protection Regulation: It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. The GDPR allows for steep penalties of up to 20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Starting May 25 th 2018! 77 Days from Now

5 PCI DSS PCI SSC (MasterCard, Visa, American Express, JCB and Discover) Merchant Service Providers Mandatory Compliance if you accept Credit Card Payments Standard with 12 Mandatory Requirements

6 PCI DSS MERCHANT LEVELS MERCHANT LEVEL MASTERCARD VISA MERCHANT REQUIREMENTS Level 1 > 6 MM trans. Regardless of channel, or Hacked/attacked in past, or Othervise ID d by V/MC > 6 MM trans. Regardless of channel, or Hacked/attacked in past, or Othervise ID d by V/MC Report on Compliance (ROC) Quarterly scan showing no high vulnerabilities Level 2 Any e-commerce merchant processing between 150M and 6MM transactions per year Any merchant processing 1MM to 6 MM transactions per year PCI self-assessment questionnaire (all Yes or N/A ) Quarterly scan showing no high vulnerabilities Level 3 Any e-commerce merchant processing between 20M and 150M transactions per year Any e-commerce merchant processing between 20M and 1MM transactions per year PCI self-assessment questionnaire (all Yes or N/A ) Quarterly scan showing no high vulnerabilities Level 4 All other merchants regardless of channel All other merchants regardless of channel Compliance mandatory Validation Optional

7 PCI DSS SERVICE PROVIDERS LEVELS LEVEL VISA MASTERCARD DISCOVER AMERICAN EXPRESS JCB 1 Visanet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually All TPPs All DSE s that store transmit or process greater than 300,000 total combined MasterCard and Maestro transactions annually All TPPs All TPPs All TPPs 2 Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually All DSE s that store transmit or process greater than 300,000 total combined MasterCard and Maestro transactions annually N/A N/A N/A

8 PII AND CHD: AMBROSIA FOR BAD GUYS Person Identifiable Information (PII): [Article 4(1)] Any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Card Holder Data (CHD): At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date service code Sensitive Authentication Data (SAD): Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions. Standard with 12 Mandatory Requirements

9 HOW TO PROTECT PII AND CHD? Anonymization: Enrico Ermanno Dall Ara. xxxxxx Pseudonymization: Enrico Ermanno Dall Ara. ID1234 Encryption: Enrico Ermanno Dall Ara. +f+tqdgpsxypwrmdstft0plmvkq/vputq6zqp5us5ihm4h7+jvtomiwntuxu SZOnRFXqmO6PacjEgNC5jaW6KQ==

10 THE SCOPE - A BRIEF INTRODUCTION Scope in GDPR is the total of the perimeters of circulation of PII from a legal and technical point of view Scope in PCI DSS is everything that stores, process, transmits or receives CHD Scopes can be very big and therefore very costly! The hell of compliance

11 PROBLEMS Storing or transmission of CC (mandatory, risks, costly, time consuming) Readiness of disposability of PII (mandatory, risks, costly, time consuming) Audits and Compliance (might be tough to face)

12 STEALING CREDIT CARD DATA Credit Card Stolen!!! Channel Manager XML with CLEAR TEXT CREDIT CARD DATA!!! Booking Info

13 FINES IF YOU FAIL COMPLIANCE Direct consequences ( ) PCI DSS: /month to /month plus per credit-card compromised GDPR: or 4% of annual turnover Indirect Consequences: Loss of reputation Additional costs for Forensic investigation Problems with card brands Jeopardized relationship with Banks More stringent compliance requirements

14 A TOKEN TO HEAVEN Solution is called tokenization KISS: Technically a Token is a string of meaningless characters that might substitutes PII or CHD in a way that they are meaningless to malicious individuals. Credit Card Number: Token: 550e8400-e29b-41d4-a

15 STEALING CREDIT CARD DATA 366 Booking XML with TOKEN <cc>kjhsakjdshakjfh kldlskjff</cc> Channel Manager Booking Info

16 Octorate SECOM A CASE STUDY IN PCI DSS Meet Octorate s CEO: Fabrizio Scuppa

17 A CASE STUDY OCTORATE SECOM Actors Octorate (CM) 366 Secom Needs Storing of Cardholder data for payment and hotel booking purposes IT Security effort reduction PSP Agnostic Reduce PCI DSS cost for compliance

18 STEALING CREDIT CARD DATA Payment Agnostic! Payment Gateway 366 Booking XML with TOKEN <cc>kjhsakjdshakjfh kldlskjff</cc> Booking Info

19 A CASE STUDY OCTORATE SECOM Outcome Freedom to chose any payment service provider (PSP Agnostic) Avoided direct Credit Card Storage Access to Payment and booking data Less complicated PCI DSS audit -> Reduced costs of compliance

20 Q & A

21 THANK YOU! Hall 7.1 / 120d ( There are candies!!! )

22