PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simplify Compliance
OCTOBER 19, 2016
1 Welcome
Agenda
• Introduction & objective
• About Ingenico Group
• Deep dive into PCI
• PCI Committee meeting recap
• The evolution of PCI
• How can merchants simplify compliance?
• EMV
• PCI strategies and best practices
• Ingenico Group PCI solutions
• Q&A
Speaker Introduction
Rob Martin, Vice President of Security Solutions, Ingenico Group / North America
Nate Potter, Director of Strategic Retail Accounts, Ingenico Group / North America
Poll
What is your biggest security challenge or pain point?
A. P2PE
B. PCI compliance
C. EMV chargebacks and migration
D. All of the above
2 About Ingenico Group
Global Presence / Local Knowledge
Figures shown on the slide: 170 countries; 78 nationalities; 5,800 employees; 27M terminals; 88 and 25 for R&D centers and locations (the pairing of these two figures is not recoverable from the extracted slide).
Ingenico Group’s offer / end-to-end solutions
• Mobile Solutions
• Security Solutions
• Smart Terminals
• Services & Support
• Online
3 PCI at the POS
PCI – The Basics
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a
proprietary information security standard for organizations that handle
branded credit cards from the major card schemes including:
PCI / standards explained
The various aspects of securing cardholder data include:
• PCI Data Security Standard (DSS) – covers the security of the cardholder data environment.
• PA-DSS (Payment Application Data Security Standard) – covers application security for payment applications with access to cardholder data.
• PCI PTS (PIN Transaction Security) – security requirements for payment terminals. The requirements have expanded over the last several years from only covering PIN Entry Devices to now cover the Secure Reading and Exchange of Data (SRED) and the use of public/open protocols.
• Requirements for Point-to-Point Encryption solutions – the requirements cover all aspects of a P2PE solution, including the payment terminal, the terminal application, deployment, key management, and the decryption environment.
Who needs to be PCI compliant?
• If you accept, process, store or transmit credit card information you need to be PCI compliant.
• Regardless of business size
• Regardless of the number of transactions
What happened during September’s PCI Community Meeting?
Notes from meeting
North America Community Meeting was held in September
• Discussion of the threat landscape with a focus on security over compliance.
• The 2016 Verizon Data Breach Investigation Report (VDBIR or Verizon Report) showed again
that the overwhelming majority of successful attacks are not coming from “zero day” attacks
but from known and patched vulnerabilities.
• POS malware (RAM-scrapers) is still very successful for the criminal attackers.
• As one sector devalues their data through P2PE, those that haven’t become the targets. For
example, Lodging was attacked in 2015 as major retailers – the main target from the previous
years – had incorporated P2PE.
The evolution of the PCI standards
PCI DSS 3.1 expires October 31st | PCI DSS 3.2 starts November 1st
• PCI issued PCI DSS v3.2, the latest version of PCI DSS v3, in April.
• The updates include a number of clarifications, updated guidance, and some new
requirements.
• Evolving requirements in the PCI DSS are due to the evolving threat landscape
from criminal entities targeting payments information and payments systems.
Why do all QSAs interpret the rules differently? Where can they get good, secure advice?
Get clear on PCI DSS
• All QSAs are working off the same training, requirements, FAQs, and guidance from PCI SSC.
• The PCI SSC QA department works to ensure that assessments are consistent across the industry.
• FAQs and guidance from PCI SSC change over time. Your QSA could be acting on new FAQs or guidance.
• If you and your QSA are interpreting the rules differently, talk to your acquirer. Your acquirer is the holder of the ROC and the arbiter on what they will accept or not accept.
What upcoming PCI changes could influence merchants and what can they do to prepare?
• PCI P2PE
• Vulnerabilities
• Omni-channel and move to CNP fraud
• Breach detection gap
PCI P2PE
• When PCI P2PE v2 was released last year, there were only a handful of solutions worldwide that were validated.
• The number of validated solutions has doubled.
• The number of validated solutions and components is expected to continue to grow.
Vulnerabilities
• The Verizon Data Breach Investigation Report (Verizon Report) showed that 2015 data breaches were from known vulnerabilities with patches available.
• PCI and Visa are already reacting to this.
• VISA is requiring Tier 4 merchants (small merchants) to use a Qualified Integrator and Reseller for the installation of payment systems.
Omni-Channel and Movement of Fraud to CNP
• EMV is moving fraud from the point of acceptance to card-not-present.
• Merchants are adopting omni-channel offerings to unify physical presence, m-comm, and e-comm.
• Merchants should adopt unified, multi-layer security strategies that cover all channels for payment acceptance in a consistent way.
Breach Detection Gap
• The Verizon Report and the Ponemon study show that most compromise attacks are successful in seconds or minutes, with data exfiltration in minutes or days.
• In 83% of attacks, detection took weeks or more.
Source: 2016 VDBIR Executive Summary
Most of the detection was external: financial institutions or law enforcement.
4 EMV Migration
What has happened to card present fraud in the US, post EMV liability shift?
Figures shown on the slide: 54%, 77%, 54%.
• 54%: MasterCard reported decrease in CP fraud for those who accept EMV
• VISA reported decrease in CP fraud
• MasterCard reported increase in CP fraud for those who DO NOT accept EMV
With the card brands changing the liability shift chargeback rules, why should a merchant with high volume and small value tickets move to EMV?
Reasons to move to EMV
EMV is a critical component of an enhanced multi-layered security approach.
• The adoption of these technologies generally requires a system upgrade/uplift.
• The business case for the uplift can come from chargebacks or from data protection/brand protection.
• If a merchant is a small ticket merchant, the business case for system uplift will likely come from the addition of P2PE and, if applicable, tokenization for data and brand protection. When a merchant does this, they should include EMV as part of their security uplift project.
• With these security measures in place, if there is a successful attack on the POS, it will not yield data that can be monetized.
What strategies does Ingenico Group recommend?
Recommendations / strategies at the point of acceptance
P2PE and semi-integrated can assist merchants in their compliance burden.
• A PCI P2PE validated solution is best to alleviate a merchant’s compliance burden.
Multi-Layered Security
Semi-Integrated Architecture
What does Ingenico Group recommend to meet inspection requirements (PCI DSS v3 requirement 9.9)?
Recommendations / how to meet inspection requirements
Ingenico Group recommends a multi-layer approach to meeting these requirements:
• Query the unit serial number either daily or as part of each transaction to guard against terminal substitution.
• Have staff do a basic/checklist inspection daily: look for size changes, changes in cabling, or any additions to the terminal.
• Do regular, more detailed inspections of the terminal.
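An added example (not Ingenico's code) of how a merchant could automate the serial-number check and the daily-inspection tracking above: a constructed device inventory is reconciled with the serials each lane's terminal reported today, flagging substituted, missing and unknown devices, and lanes whose checklist inspection is older than a day are listed. Lane names, serials and dates are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed device inventory: PCI DSS 9.9.1 asks for make/model, location and serial number.
INVENTORY = {
    "STORE01-LANE1": {"model": "iPP 310", "serial": "SN-AAA111"},
    "STORE01-LANE2": {"model": "iPP 310", "serial": "SN-BBB222"},
    "STORE01-LANE3": {"model": "iSC Touch 480", "serial": "SN-CCC333"},
}

# Constructed results of today's serial-number query, one entry per lane that answered.
# Lane 2 answers with a serial that is not on file, lane 3 did not answer at all,
# and a device nobody registered is answering from lane 4.
REPORTED = {
    "STORE01-LANE1": "SN-AAA111",
    "STORE01-LANE2": "SN-ZZZ999",
    "STORE01-LANE4": "SN-DDD444",
}

# Constructed dates of the last staff checklist inspection per lane, and today's date.
LAST_INSPECTED = {
    "STORE01-LANE1": date(2016, 10, 18),
    "STORE01-LANE2": date(2016, 10, 18),
    "STORE01-LANE3": date(2016, 10, 12),
}
TODAY = date(2016, 10, 19)


def reconcile(inventory, reported):
    """Compare queried serials with the inventory; return {lane: finding} for anomalies only."""
    findings = {}
    for lane, expected in inventory.items():
        if lane not in reported:
            findings[lane] = "missing"      # device did not answer: offline or removed
        elif reported[lane] != expected["serial"]:
            findings[lane] = "substituted"  # a different device is answering on this lane
    for lane in reported:
        if lane not in inventory:
            findings[lane] = "unknown"      # a device is present that is not in the inventory
    return findings


def overdue_inspections(last_inspected, today, max_age_days=1):
    """Return lanes whose daily checklist inspection is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(lane for lane, seen in last_inspected.items() if seen < cutoff)


if __name__ == "__main__":
    for lane, finding in sorted(reconcile(INVENTORY, REPORTED).items()):
        print(f"{lane}: {finding}")
    print("overdue inspections:", overdue_inspections(LAST_INSPECTED, TODAY))
```

Any "substituted" or "unknown" finding should be treated as a possible terminal swap and escalated before the lane keeps accepting cards, not just logged.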
Recommendations / how to meet inspection requirements
Ingenico Group recommends the use of stands:
Ingenico Group’s Secure Payment Solutions
PCI-ready / Ingenico Group Solutions
Our diverse suite of secure payment solutions can help you become PCI compliant:
• iPP 310
• iSC Touch 480
• iSMP for iPod touch®
• iCT 250
• On Guard P2PE
• Telium Semi-Integrated Solution
Thank You
Questions?