From the course: Cybersecurity Foundations

Protecting payment card data

- [Narrator] Cyber criminals understand that credit cards are a lucrative target for attack. The payment card industry governing body, the PCI Council, has responded to this threat by issuing the PCI Data Security Standard as an actionable framework for developing a robust security regime for cardholder data. More recently, and in the light of state sponsored attacks on personal and government data identified in the Snowden leaks, government regulators have enacted regulatory requirements for notification of data breaches. In particular, the European General Data Protection Regulations. This has increased the business liability in the event of a data breach. It's now critically important for any business taking payments through credit cards to protect their information and transactions. It helps to understand the terminology of PCI when reviewing the Data Security Standard. Let's look at the key terms. A merchant is someone who takes a credit card or debit card as a form of payment. A service provider is someone who provides a service that is used for payment card information storage, or transactions of a merchant. A qualified security assessor is an independent person certified to report on PCI compliance. An internal security assessor works for the merchant, and is certified to submit a self-assessment. A data breach is a failure of security, which results in the loss of cardholder information. Cardholder data, or information, is the primary account number, the cardholder name, the expiration date, and the service code. The sensitive authentication data is the encoded data on the magnetic stripe or chip, the card verification value, and the PIN. In the event of a data breach, the card company will launch an investigation to determine the cause. If the company has its PCI compliance, it can claim safe harbor. If not, it could face a hefty fine, or removal of its right to accept credit cards.
Regardless, it will face remediation costs, which could include card replacement and possibly customer compensation. With that background to PCI, let's now look at the PCI Data Security Standard itself. The standard provides a set of actionable controls together with testing procedures to provide a clear definition of what has to be done to achieve compliance. Version 3.2 of the standard provides 12 technical and operational requirements areas, covering almost 200 mandatory controls. Let's have a look at some of the key controls for the first six requirements areas. The first requirement is to have an effective firewall configuration. This means that firewall configuration standards have been set, that all firewall changes are tested, and that the rule sets are reviewed every six months. A network diagram must be maintained for any part of the network that stores, transmits, or interfaces to payment card data. And data flows across the network need to be defined. Traffic not related to cardholder transactions must be denied access to the cardholder systems. So it's normal to have a segregated PCI zone on the internal network so that the traffic can be managed at the PCI zone gateway. A demilitarized zone is required for any systems with direct internet access, and this needs to be firewalled at both the internal and external gateways. Firewalls are not just for the enterprise. Mobile devices, including any employee-owned devices that are allowed to be connected to the internal network, must have personal firewall software installed and operational, with a configuration that's not able to be changed by the employee. This is a key consideration when thinking about bring your own device, or BYOD, environments. The next requirement is that all default passwords and insecure configuration settings are changed. 
Security configuration standards are required for each device and system component to allow effective hardening, and all necessary reports and services should be removed. Stored cardholder data has to be kept to a minimum and protected, and no sensitive authentication data can be stored, even in encrypted form, once authentication has been completed. The account number, when displayed, must be masked, typically by replacing all except the last four digits with asterisks. When stored, the account number must be protected through strong cryptography, or one-way hashing. Key management is a critical part of any cryptographic solution, and must be implemented effectively. Transmitted cardholder data on open networks, such as the internet and unprotected wireless networks, must be encrypted. And then user systems, such as email and messaging, must never be used to send unprotected account numbers. The cryptographic scheme must be effective, and what's effective may change over time. For many years, the Secure Sockets Layer, SSL, had been a common cryptographic solution for web access. In 2013, a fundamental vulnerability in the scheme was detected and exploited in the Heartbleed vulnerability. Subsequently, the PCI Security Standards Council determined that the Secure Sockets Layer protocol was no longer an acceptable solution for the protection of cardholder data. Systems processing cardholder data must implement antivirus software to provide protection against malware on both endpoint devices and servers. As some malware may enter a system prior to its signature being included in the antivirus database, regular scans must also be undertaken. Threats and vulnerabilities should be monitored through vendor alerts and threat intelligence feeds, and critical security patches must be installed within one month of release. 
Development and test accounts must be removed before systems are put into production, and custom development must include source code review prior to implementation, with special attention given to common vulnerabilities, such as SQL injection and cross-site scripting. Production account numbers must not be used for testing. The next six security requirements in the PCI Data Security Standard address the level of security required outside of the PCI environment. Of particular interest is the requirement to restrict physical access, which extends to special purpose devices used to read cards. ATMs, and more recently embedded readers in devices such as gas pumps, are regularly targeted by criminals who install skimmers, which can copy credit card data. These are big business. In April, 2015, a sweep of 6,000 gas stations in Florida found 81 skimmers attached to gas pumps. This particular scam has been estimated to make, in the US, as much as $3 billion a year for criminals. Let's revisit the Information is Beautiful data breaches site, shown here. At the far left of the graphic, there's the May, 2021 data breach into Air India, where credit card details were leaked. Check the number of customers for which details were taken, and assuming all had credit card details stored, calculate what this breach was worth to the criminals if each card was used for a malicious $10 purchase. (upbeat instrumental music) This has been a quick introduction to the PCI Data Security Standard. There's much more detail provided by the PCI Council on this and their other standards, and these are available for download from their website, shown here.
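The transcript's storage rules for cardholder data (mask the account number for display, keep it only as a one-way hash, and never persist sensitive authentication data after authorization) as a small worked example. This is added illustration code, not material from the course; the sample records, the `HMAC_KEY` variable and all function names are constructed for the example, and the card numbers are the well-known industry test PANs, not real accounts.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample input: industry test PANs, not real cardholder accounts.
SAMPLE_RECORDS = [
    {"pan": "4111 1111 1111 1111", "exp": "12/27", "cvv": "123", "name": "A Cardholder"},
    {"pan": "5500000000000004", "exp": "01/26", "cvv": "456", "name": "B Cardholder"},
]

# Hypothetical key for this example only; in a real system it comes from a
# key-management service (PCI DSS key management), never from source code.
HMAC_KEY = secrets.token_bytes(32)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, so obviously wrong input is rejected before hashing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and confirm the result is a 13-19 digit, Luhn-valid PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits) or not luhn_ok(digits):
        raise ValueError("not a valid primary account number")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: every digit except the last four replaced by an asterisk."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed one-way hash for storage and lookup; a plain SHA-256 of a 16-digit PAN is guessable."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def to_storage_record(rec: dict) -> dict:
    """What may be persisted after authorization: the CVV is dropped, the PAN kept only as hash + last four."""
    return {"pan_hash": hash_pan(rec["pan"]), "pan_masked": mask_pan(rec["pan"]),
            "exp": rec["exp"], "name": rec["name"]}
```

Note that `to_storage_record` never copies the `cvv` field, which is the point: sensitive authentication data is not stored even in encrypted form once the transaction has been authorized.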