Monday, December 8, 2014

PCI in Practice: Payment Security in China

During the PCI Community Meeting in Sydney, Australia on the 18th and 19th of November 2014, atsec (Beijing) Information Technology Co., Ltd. (hereafter “atsec China”)* invited payment security experts from China to give a presentation on the topic of “payment security in China.”

The study focused on policies, regulations and standards related to payment security and risks in China. The presentation also covered the experience and methodology atsec China applies when performing PCI assessments in China, and a case study of Air China’s experience with PCI compliance.

This document includes an abstract of the study paper to share with the industry.

* atsec China is a joint venture between Mr. Yan Liu, Managing Director of atsec China, and atsec information security GmbH, the atsec holding company in Munich, Germany. atsec GmbH is the majority shareholder of atsec China.

Disclaimer

atsec China is an independent lab specializing in IT security evaluations.

The presentation was given by Yan Liu, Managing Director of atsec China Operations and Senior Consultant (atsec China), Gary Gu, Vice President (99Bill), and Tao Chen, PCI Project Manager (Air China).

The authors do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, though most of the material is in Chinese.

The presentation consists of four parts: background, challenges, approach and summary.

Background

China’s electronic payment space is currently growing rapidly. According to a recent survey, there are about 270 non-financial payment organizations in China, and this number continues to grow. The e-payment penetration rate keeps rising, Internet retail volume is growing rapidly, and the e-payment sector remains highly concentrated. Several payment innovations bring their own risk factors (e.g. mobile POS, biometric technology, etc.). The payment risk profile trends include, but are not limited to: security risk around mobile payment becoming increasingly critical, a surge of card-not-present (CNP) fraud risk hitting domestic and cross-border e-commerce, data leakage protection continuing to challenge the industry, and cybercrime becoming more organized and sophisticated. The security risk management focus areas include product security, data security, transaction security, and fund security.

Starting in 2008, some payment service providers in China considered becoming PCI compliant because their global payment business and the card brands required it. Currently about 80% of the service providers in China that support payments from global card brands are already PCI compliant. In 2012, the first bank credit card center passed PCI compliance for its acquiring business. ICBC (Industrial and Commercial Bank of China Limited) attained PCI compliance in 2013; ICBC has one of the largest and most complex cardholder data environments (CDEs).

99Bill is one of the service providers that attained PCI compliance early, in 2009. The assessment was performed by the atsec China QSA lab, and PCI DSS was the first data security standard 99Bill followed. In addition, 99Bill is currently compliant with other national and global programs, including ISO/IEC 27001, the classified security protection level-3 certification issued by the Ministry of Public Security, the ADSS (Account Data Security Standard) issued by China UnionPay, and the payment business license for non-financial institutions issued by the People’s Bank of China.

The key national security standards in China include GB 17859-1999, “Classified Criteria for Security Protection of Computer Information System”, and GB/T 20271-2006, “Information Security Technology - Common Security Technology Requirements for Information Systems”. Both standards are used for classified security protection certification. The standards classify the security protection capability of computer information systems into five levels: Level 1 - Discretionary Protection, Level 2 - System Audit Protection, Level 3 - Security Label Protection, Level 4 - Structure Protection, and Level 5 - Access Verification Protection. They outline the incremental requirements for each security protection level in terms of ten security functions: Discretionary Access Control, Mandatory Access Control, Labels, Identification, Object Reuse, Audit, Data Integrity, Covert Channel, Trusted Path, and Trusted Recovery. In addition, GB/T 18336.1-2008, GB/T 18336.2-2008, and GB/T 18336.3-2008 are the Chinese translations of Common Criteria (ISO/IEC 15408) Parts 1, 2 and 3.

There are quite a few supervisory and authority organizations in China; some of them are briefly introduced in this paper.

First, the People’s Bank of China (PBC) was established on December 1, 1948. In September 1983, the State Council decided to have the PBC function as a central bank. Starting in September 2010, the PBC has issued licenses for payment organizations in China after an assessment (covering information security requirements, but also business, performance, etc.) according to the “non-financial institutions payment service management measures” (the Chinese name is 非金融机构支付服务管理办法). The list of licensed organizations can be found at: http://www.pbc.gov.cn/publish/zhengwugongkai/3580/index.html. Under these schemes, a few laboratories perform the testing and two major certification bodies issue the certifications.

The Payment & Clearing Association of China (PCAC) was founded on May 23, 2011, upon the approval of the State Council and the Ministry of Civil Affairs of China. Registered at the Ministry of Civil Affairs as a national non-profit organization, PCAC serves as the self-regulatory body of the payment and clearing service industry of China, and operates under the business guidance and oversight of the People’s Bank of China. On February 28, 2014, PCAC, Visa China and atsec China held a payment security conference in Beijing. The conference materials (some of them in Chinese) can be found at: http://www.atsec.cn/cn/news--361.html

The global card brands also collaborate with the Chinese industry to build a more secure and trusted payment network in China. For example, Visa’s Qualified Service Provider (QSP) program was started on April 1, 2013. A list of organizations that have passed Visa’s QSP certification can be found at: http://www.visa.com.cn/merchants/riskmanagement/accountsecurity.shtml. PCI QSA validation is one of the requirements for QSP. In addition, Visa performs audits against requirements related to business operation, risk management, the Global Brand Protection Program (GBPP), etc. Visa thereby acts as an additional oversight layer on top of acquirer due diligence. China UnionPay issued the Account Data Security Standard (full Chinese name of the standard: 银联卡收单机构账户信息安全管理标准) initially in 2008.

Currently more and more merchants are pursuing PCI compliance, including airlines, e-commerce companies, etc. Let’s take a look at Air China’s PCI compliance as a case study. Air China is the only airline that carries the national flag on its planes. Its business covers not only the transport of international and domestic passengers and goods, but also state leaders’ official visits. As of October 2014, Air China has 512 aircraft and 323 air routes, and serves 32 countries and regions in the world. In 2014, passenger volume reached 77.974 million. E-ticket transactions amounted to 874 billion Chinese Yuan last year.

There are six factors driving the need to achieve PCI DSS compliance.
  1. The transformation into a commercialized e-business. With the development of e-business in China, Air China quickly completed the transformation of ticket sales from agents to e-tickets.
  2. Sensitive payment data must be collected during payment.
  3. The importance of reliability and data. With the ongoing growth of e-tickets, management began paying more attention to payment reliability and data security.
  4. Air China conducts e-business through multiple channels.
  5. With the high level of attention paid to information security, government regulations and industry requirements are becoming increasingly strict.
  6. Business partners that have already achieved PCI compliance are requesting it. Meanwhile, Air China is required to ensure the security of payment information during transmission.
Due to the business and compliance requirements mentioned above, Air China officially began to cooperate with atsec China on PCI compliance in November 2013.

Challenges

Looking forward, the China payment sector faces a range of challenges: new competitors (domestic and abroad), product innovation, talent, compliance, the legal system, risk management, technology, and operational efficiency.

The PCI standards family has been developed and adopted globally. Nevertheless, because of the many differences between regions, it is not always easy for Chinese organizations to understand and learn the standards’ requirements efficiently. On the other hand, it is also a challenge for the world outside China to understand the payment industry in China, together with its supervisory requirements, regulations, etc.

As a global brand focusing on independent security assessment and evaluation, atsec China aims to be the bridge between China and the rest of the world for the information security industry. atsec China helps Chinese organizations to understand, apply and promote international standards (such as PCI, Common Criteria (CC), and FIPS 140) while assisting experts across the world to understand China. In addition to atsec China’s PCI QSA, ASV, PFI and PA-QSA services, atsec globally offers evaluation and testing services leading to formal certification of information security technology, including evaluations under the Common Criteria schemes in the U.S., Germany, and Sweden. The atsec U.S. organization also operates a Cryptographic and Security Testing Laboratory accredited under the Cryptographic Module Validation Program and the Cryptographic Algorithm Validation Program of the National Institute of Standards and Technology (NIST) in the U.S. and the Communications Security Establishment Canada (CSEC) in Canada, for validating cryptographic modules against the FIPS 140-2 standard. atsec China holds the China National Accreditation Service for Conformity Assessment (CNAS) and China Metrology Accreditation (CMA) laboratory accreditations, which attest that the laboratory is competent to perform testing and produce reliable data.

Let’s zoom in on the challenges Air China encountered at the beginning of its PCI compliance effort. According to the initial analysis, there are several payment channels, each run on a different system. The cardholder data is likewise spread across different systems, which made network segmentation necessary. All of these factors made PCI compliance rather complicated; therefore, the first principle adopted was simplicity.

We noted that the key payment process is the integrated e-payment platform: it is the core through which all payment information is transmitted and stored. After consideration and discussion, a project implementation plan was decided on and created.

Initial compliance focused on the core platform, to be extended to the other payment channels afterwards. Air China’s goal is to achieve PCI compliance on all of its payment systems and to enhance overall security. Last August, Air China completed initial compliance for the core platform, and it will continue to work with atsec China to complete PCI compliance for the e-business website and the call center system soon.

Approach

An initial readiness assessment is always important for any security assessment or evaluation project. The scope definition and detailed gap analysis for the cardholder data environment were completed during the beginning of the project. The general project process is diagrammed in the following image.


It is also very important for the assessed entity to assign a Project Manager who understands the standard itself and who will push the implementation forward within the organization. Especially within large-scale organizations, communication and coordination between the different internal departments (e.g. security team, system administrators, developers, and operators) are always key to the success of the compliance implementation.

Air China’s PCI implementation started with data optimization. The business departments were guided to identify the confidential payment data they handle, and at the same time helped to review their business procedures to decide when sensitive data should be deleted. Practical solutions were provided so as to preserve business sustainability and reduce push-back from the business departments as far as possible.
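The scope definition above and this data optimization step both start from the same question: which systems actually hold cardholder data? The following script is an added example, not atsec China’s or Air China’s tooling. It sweeps constructed sample records (the system names are hypothetical stand-ins for the case study’s core platform, e-business site and call center, and the card numbers are the card brands’ published test PANs), keeps only digit runs of 13 to 19 digits that pass the Luhn check, masks each hit to the first six and last four digits that PCI DSS permits to be displayed, and reports which systems therefore belong in the CDE scope.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes. The word boundaries stop an adjacent order number or amount from
# being merged into the digit run.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample records standing in for a sweep over the systems named in
# the case study (hypothetical system names). The card numbers are the brands'
# published test PANs, not real cards.
SAMPLE_RECORDS = [
    ("core-payment-platform", "order=1001 pan=4111111111111111 exp=12/26 amount=980.00"),
    ("ecommerce-website", "customer 5500000000000004 booked flight CA981"),
    ("call-center", "agent note: customer read card 3782 822463 10005 over the phone"),
    ("call-center", "ticket 123456789012 issued, no card data"),   # 12 digits: too short for a PAN
    ("loyalty-db", "member id 9999999999999999"),                  # 16 digits, but fails Luhn
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS allows a display to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def discover(records) -> dict[str, list[str]]:
    """Map each system to the masked PANs found in it; systems with no hits are omitted."""
    hits: dict[str, list[str]] = defaultdict(list)
    for system, text in records:
        for pan in find_pans(text):
            hits[system].append(mask_pan(pan))
    return dict(hits)


def in_scope_systems(records) -> list[str]:
    """Systems that hold cardholder data and therefore belong in the CDE scope."""
    return sorted(discover(records))


if __name__ == "__main__":
    for system, pans in discover(SAMPLE_RECORDS).items():
        print(f"{system}: {', '.join(pans)}")
    print("in scope:", in_scope_systems(SAMPLE_RECORDS))
```

The Luhn filter is what keeps a sweep like this usable: without it, every 16-digit member or ticket identifier shows up as a false positive, and the business departments lose confidence in the findings. Note that the sweep only reports where PANs are found; it is the review of business procedures that decides whether each location is needed at all or whether the data can simply be deleted, which removes the system from scope entirely.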

When establishing the new technical measures and business processes, Air China combined its existing ISO/IEC 27001 management system, its information security protection procedures and the technical requirements, and reused current regulatory and technical measures to integrate these security systems into one. The PCI requirements are the foundation for improving data protection across Air China as a whole. In this way, an established and stable payment environment is available for compliance with various standards.

That is also atsec China’s methodology for establishing an integrated and unified management system. Payment organizations could consider using the PCI standards as the baseline for data protection. In addition, national or local standards and regulations must be met. ISO/IEC 27001 could be established as the high-level information security management system, Common Criteria could be used for secure development and risk management, FIPS 140-2 could be referenced as best practice for cryptography, and O-TTPS (the Open Trusted Technology Provider Standard) could be considered as the supply chain security practice for mitigating maliciously tainted and counterfeit products, and so on. Overall, the management system serves the organization’s own operation, business and culture; compliance with each of the different standards and regulations can then be demonstrated from that one system.

Remarks and Summary

In addition to protecting the cardholder data environment, Air China plans to apply the standard’s requirements as best practice to all data control and management within Air China’s IT systems, not just to obtain a certificate. According to Air China’s three-year plan for building data security, it will continue and extend PCI compliance, and apply the experience to the wider data security program in Air China. Combined with the PCI standard, Air China will proceed in two steps carried out in five phases in order to achieve management of the whole data lifecycle, so that its business can benefit from reliable data security. A diagram explaining the plan for after Air China’s initial compliance is shown below.


In general, the value of security compliance can be summarized as follows.
  1. Meet the mandatory requirements defined by external cooperating organizations like card brands and related customers.
  2. Increase confidence during business cooperation with:
    1. Surveillance organizations or authority organizations;
    2. Customers, partners, suppliers; and
    3. Internal organizations or departments.
  3. Further improve internal management and control by:
    1. Improving security management, and integrating high level policy into the business process efficiently;
    2. Establishing measurable methods for management and technology;
    3. Enhancing the assurance of security control within the organization;
    4. Enhancing the security awareness, and benefit for corporate culture; and
    5. Enhancing the investment confidence.
  4. Reduce costs by:
    1. Reducing the cost and investment for security incidents and risks; improving processes on risk management, business continuity, and incident response;
    2. Reducing the cost on the audit or assessment in other areas, like due diligence;
    3. Reducing the insurance cost;
    4. Clarifying the security roles and responsibility;
    5. Improving competitiveness; and
    6. Establishing trust and recognition globally.
Finally, the recommendations are emphasized as follows:
  1. Harmonization of national standards with global standards;
  2. Further industry collaboration including governments, authority agencies, standards organizations, certification bodies, and especially the card brands, banks, service providers, and merchants in the payment industry;
  3. CDE scope and implementation plans are important for the initial implementation of PCI DSS compliance; and
  4. A risk-based approach is suggested for the implementation and management of security technology.
The presentation slides “Payment security in China” during PCI SSC 2014 AP community meeting can be downloaded at:
http://www.atsec.cn/downloads/pdf/PCISSC_2014CM_PaymentSecurityInChina_20141109_v7Sub_YanLiu_atsec_Final_released.pdf

References

  1. PCI SSC: https://www.pcisecuritystandards.org/
  2. atsec: www.atsec.cn
  3. VISA: http://www.visa.com.cn/index.shtml
  4. The People’s Bank of China: http://www.pbc.gov.cn/
  5. MPS information classified security protection: http://www.cspec.gov.cn/web/
  6. UnionPay: http://cn.unionpay.com/