The Sarbanes Oxley Act :: View topic - Credit Card Info
SOXGal (Soxer)
Joined: Apr 06, 2005
Posts: 49
Posted: Tue Mar 07, 2006 12:02 pm    Post subject: Credit Card Info

For those who deal with credit card transactions, how are you handling the credit card info in your database? Is masking the credit card number sufficient, or will encryption be needed?

Also, the DBAs' access will be closely scrutinized, but what about other folks?

I am new to the credit card thing, so if anyone can share with me your thoughts and experiences, I would greatly appreciate it.

Thanks,
SG
milan (SoxGuru)
Joined: Oct 17, 2005
Posts: 415
Location: NY
Posted: Tue Mar 07, 2006 12:44 pm    Post subject: SOX and Credit Card Data Security

SOX does not specifically address security requirements over credit card information. However, security standards and compliance requirements are addressed in the Payment Card Industry (PCI) Data Security Standard.

If your company processes credit card transactions, maintains credit card information, and processes an established volume of credit card transactions, you can determine compliance requirements by reviewing the materials and resources online.

A PCI Self-Assessment may be found online at:
http://www.usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Self_Assessment_Questionnaire.doc

The Payment Card Industry Data Security Standard (PCI) is a standard based on the Visa Cardholder Information Security program (CISP), MasterCard Site Data Protection program (SDP), American Express Security Operating Policy (DSOP), and Discover Information Security and Compliance (DISC).

Merchants and service providers who store, transmit, or process credit card transactions must comply with this standard. Failure to comply can result in fines, restrictions being imposed by the card brand, or the merchant or service provider can be prohibited from accepting the card.

The PCI Data Security Standard is built upon the "Digital Dozen", an easy-to-remember list of 12 basic security requirements with which all credit card payment system constituents need to comply. The security standard establishes:
• Three Defined program groups, based on their roles in the payment system
• More detailed requirements and sub-requirements for each program group, always tying back to the CISP "Digital Dozen"
• Defined and consistent testing procedures for independent validation of compliance
• A list of some 30 independent security assessors able to perform a CISP review
• A defined process for ensuring the on-going applicability of requirements and testing procedures
• A robust education and awareness effort
• Stated willingness to work towards acceptance of other trust marks and vice versa
• Penalties for failure to comply

Digital Dozen

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

A good resource of information may be found at:
http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais_downloads.shtml

Hope this helps,

Milan
milan (SoxGuru)
Joined: Oct 17, 2005
Posts: 415
Location: NY
Posted: Tue Mar 07, 2006 12:59 pm    Post subject: PCI Key Points

PCI Key Points:

Background. Whenever someone clicks a “Pay” button on your company's website, the payment info is processed in-house or by a 3rd-party credit card processing service provider, which then sends info to a credit card association member. The member then interfaces with the credit card company to eventually get payment into your company's bank accounts.

What is PCI Compliance? The PCI Standard is not a law. It’s a regulation created by payment card companies (MasterCard and Visa Card being the leaders) and enforceable under contractual obligations with these credit card companies.

Members and merchants agree to abide by these standards under the terms of their contracts with payment card companies. The Payment Card Industry (PCI) Standard outlines the security requirements for transmitting, storing, accessing, or processing cardholder data.

Compliance requirements. In general, the greater the annual volume of transactions the more stringent the security requirements. Compliance is required on a per-merchant account (MID) basis, which means that for departments with multiple MIDs each account has to be reviewed to ensure cardholder data is being handled correctly. The security requirements are inline with industry best practices.

Penalties for Non-compliance (Visa). The credit card companies may impose penalties or fines on members, merchants, or their agents. Members or merchants are subjected to fines up to $500,000 per incident if there is a compromise on their network resulting in the loss or theft of cardholder information, and the network was subsequently found to be non-compliant at the time of the compromise.

Also, if a member or merchant fails to immediately notify credit card companies of suspected or confirmed loss or theft of transaction information, the member or merchant will be subject to a penalty of up to $100,000 per incident. If merchants fail to pay fines, then the credit card companies may deny the privilege of accepting credit cards.

Responsibilities. Members must comply with PCI, and are responsible for ensuring that their merchants, service providers, and their merchants' service providers are compliant as well.

Deadlines. The deadline for PCI compliance for merchants with 20K to 6,000K transactions per year (referred to as level 3 and 2 under PCI) was June 30, 2005. If a security breach occurs today resulting in compromise of a customer's cardholder account data, the Company could be subjected to penalties or fines.

Regards,

Milan
harrywaldron (SoxGuru)
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia
Posted: Tue Mar 07, 2006 2:57 pm

It is indeed very wise to ensure this field is controlled. Milan has offered a wealth of information, and having researched general security needs in the past, it is good planning to ensure that highly sensitive customer information like this is highly protected.

Some high level ideas include:

1. Research and plan this thoroughly - Google or other searches on "Protecting Credit Card information" might help you. Work with your DBAs, development team, and security folks to develop an optimal solution. Evaluate and use the best practices out there.

2. Ensure customer information is not easily exposed on your outbound Internet servers (you can shake hands between the Internet and application servers through special ports and other techniques)

3. Use SSL encryption in your applications if they are web based

4. Definitely encrypt this field and any other related fields

5. Only allow the most trusted "need to know" folks access it. Otherwise display all "*" across the screen

6. The use of a 3rd party processing firm is always a good option, if it's too difficult to secure internally.

7. While information protection is essential for SOX and other requirements, recognize that one major slipup (where a hacker/cracker might gain access) could be detrimental to your public relations and you could incur some liabilities.

Good luck and I hope you find a good protective solution :)
walshi (Newbie)
Joined: Nov 22, 2004
Posts: 5
Location: UK
Posted: Wed Mar 08, 2006 11:32 am    Post subject: PCI and SOX

I am working on my first PCI project. The main thing to bear in mind is that PCI has no interest in internal financial systems only the operational system handling card holder information.

This organisation has avoided SOX so far so I am only working on controls for a small set of applications.

The principle here is that card holder information is masked on all applications - Senior Management and Information Security have to approve requests for "Clear Card" access - all access is auditable.

That said the IT controls are much the same for PCI and SOX.

One difference is that the line "We are not a bank" that I have heard on projects in manufacturing companies does not apply here.
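The controls harrywaldron and walshi describe above (encrypt the stored field, show "*" across the screen, let only approved need-to-know people see the clear number, and make every such access auditable) fit together in a small amount of code. The following is an added example written for this page; it is not code from the forum, from any poster, or from a PCI document. It uses only the Python standard library, and the in-memory vault, the role names `senior_management` / `information_security`, the HMAC key and the approval list are hypothetical stand-ins for real systems. The cipher protecting the vault at rest is outside the example; the point shown is the separation between what applications see and what an approved, logged request can see.

```python
"""Masked-by-default card storage with approved "clear card" access and an audit trail.

Added example, not code from the forum thread or any PCI document. The card
number (PAN) is shown as "*" except the last four digits, clear access needs
sign-off from both senior management and information security, and every
clear-access attempt is logged. Standard library only; the in-memory vault,
role names and approval list are hypothetical stand-ins for real systems.
"""
import hashlib
import hmac
from datetime import datetime, timezone


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, used to reject malformed numbers before they are stored."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: all '*' except the last four digits."""
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class CardVault:
    """Keeps clear PANs apart from what applications see.

    ``_vault`` stands in for a separately encrypted store (the cipher itself is
    outside this example); application tables hold only the HMAC token and the
    masked form, which is enough for display and for matching a card across
    transactions without holding the number itself.
    """

    REQUIRED_APPROVERS = {"senior_management", "information_security"}  # hypothetical role names

    def __init__(self, hmac_key: bytes):
        self._hmac_key = hmac_key
        self._vault = {}        # token -> clear PAN (assumed encrypted at rest)
        self._records = {}      # token -> masked PAN (safe for general use)
        self._approved = set()  # (user, token) pairs with approved clear access
        self.audit_log = []     # one entry per clear-access attempt, granted or not

    def _token(self, digits: str) -> str:
        # Keyed hash: a stable identifier for the card that does not reveal the PAN.
        return hmac.new(self._hmac_key, digits.encode(), hashlib.sha256).hexdigest()

    def store(self, pan: str) -> str:
        digits = _digits(pan)
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        token = self._token(digits)
        self._vault[token] = digits
        self._records[token] = mask_pan(digits)
        return token

    def display(self, token: str) -> str:
        """What every ordinary screen gets: the masked form, nothing sensitive to audit."""
        return self._records[token]

    def approve_clear_access(self, approver_roles, user: str, token: str) -> None:
        """Both approving roles must sign off before a user may see the clear PAN."""
        missing = self.REQUIRED_APPROVERS - set(approver_roles)
        if missing:
            raise PermissionError(f"clear-card access still needs: {sorted(missing)}")
        self._approved.add((user, token))

    def clear_pan(self, user: str, token: str, reason: str) -> str:
        """Return the clear PAN only for an approved (user, token) pair; log either way."""
        granted = (user, token) in self._approved
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "token": token,
            "reason": reason,
            "granted": granted,
        })
        if not granted:
            raise PermissionError(f"{user} has no approved clear-card access")
        return self._vault[token]


if __name__ == "__main__":
    # Constructed walk-through using a standard Luhn-valid test card number.
    vault = CardVault(b"constructed-demo-key")
    tok = vault.store("4111 1111 1111 1111")
    print("display:", vault.display(tok))
    try:
        vault.clear_pan("alice", tok, "chargeback review")
    except PermissionError as err:
        print("denied:", err)
    vault.approve_clear_access(["senior_management", "information_security"], "alice", tok)
    print("clear:", vault.clear_pan("alice", tok, "chargeback review"))
    print("audit entries:", len(vault.audit_log))
```

The denied attempt is logged just like the granted one, which is what makes the access trail useful for review: it records who asked, when, and why, not only who succeeded. Applications that only need to show a card to a customer or match repeat transactions never call `clear_pan` at all; they work from the token and the masked form.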
milan (SoxGuru)
Joined: Oct 17, 2005
Posts: 415
Location: NY
Posted: Wed Mar 08, 2006 4:11 pm    Post subject: Re: PCI and SOX

walshi wrote:
...That said the IT controls are much the same for PCI and SOX.


Much of the PCI Data Security Standards has its roots in the data security requirements that were developed to comply with HIPAA. The SOX act was enacted after the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II). Thus, there are distinct similarities in the HIPAA compliance requirements and the PCI Data Security Standards.

hipaa.org/

Regards,

Milan
harrywaldron (SoxGuru)
Joined: Jan 12, 2006
Posts: 849
Location: Roanoke, Virginia
Posted: Mon Jun 22, 2009 12:21 pm

While I need to update PCI links and key information, there are numerous items captured in this past post:

Code:
PCI Resources Master List
http://msmvps.com/blogs/harrywaldron/archive/2008/08/12/payment-card-industry-data-security-standard-key-resources.aspx