PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance –Love it, Hate it, butDon’t Ignore it11NTCpciStephen J. Michaele
Session Evaluation Each entry via text or web is a chance to win great NTEN prizes throughout the day! TEXT ONLINE Text <Insert Session Use <Insert Session Hashtag Here> to Hashtag Here> at 69866. http://nten.org/ntc/evalSession Evaluations Powered By:
Agenda• The PCI DSS Standard – What is it? Who are major actors in the process?• The Scope of the PCI Standard – How to get started• Common Myths of PCI• Developing a Process to Achieve Compliance – The PCI Prioritized Approach• Beyond PCI Compliance – What’s Next• Wrap Up and Final Questions
What is PCI DSS?• PCI DSS = Payment Card Industry Data Security Standards• Developed by the PCI Standards Security Council “The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.” http://www.pcisecuritystandards.org
SSC, QSA, ASV…Who’s in Charge Here? Security Standards Council Card Brands • Creates and • Track compliance promotes standard • Issue fines and • Certifies auditors incentives Acquiring Banks Qualified Security Assessors Approved Scan Vendors • Process transactions • Audit merchants • Scan merchants • Gather compliance • Report to acquiring • Report to acquiring reports banks banks Level 1 Merchants Level 2 Merchants Level 3 Merchants Level 4 Merchants Card-Issuing BanksSource: InformationWeek – PCI and the Circle of Blame
How Much Are You Willing to Risk? Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches.
Requirements for Merchant Levels and the PCI DSS Level/ Merchant Validation Tier Criteria Requirements 1 Merchants processing over 6 million • Annual Report on Compliance by QSA Visa transactions annually (all • Quarterly network scan by ASV channels) • Attestation of Compliance Form 2 Merchants processing 1 million to 6 • Annual Self-Assessment Questionnaire million Visa transactions annually • Quarterly network scan by ASV (all channels) • Attestation of Compliance Form 3 Merchants processing 20,000 to 1 • Annual SAQ million Visa transactions annually • Quarterly network scan by ASV • Attestation of Compliance Form 4 Merchants processing less than • Annual SAQ recommended 20,000 Visa transactions annually • Quarterly network scan by ASV • Compliance validation requirements set by acquirerSource: Individual Card Company Websites
Selecting an SAQ – Five TypesSAQ Description A Card-not-present (e-commerce or mail/telephone-order)) merchants, all cardholder data functions outsourced. This would never apply to face-to- face merchants. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.C-VT Merchants using only web-based virtual terminals, no electronic cardholder storage C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. D All other merchants not included in descriptions for SAQ types A though C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
The Card Authorization Process 1. A customer purchases a product or service from your store 2. The payment gateway encrypts data and securely sends it through the payment processing network 3. The transaction is reviewed for authorization or decline, and the results are sent back through the Payflow payment gateway 4. Your customer receives a confirmation receipt and you fulfill the order 5. Once the transaction is processed, funds are transferred from the customer’s bank account to your merchant bankSource: http://www.paypal.com
What is the Scope of the PCI Standard? Process Store TransmitSource: Information Supplement – PCI DSS Wireless Guideline
PCI DSS is a Comprehensive Standard ContainingTechnology, Process, and Monitoring Requirements • Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect data (18) – Do not use vendor-supplied defaults for system passwords and other security parameters (11) • Protect Cardholder Data – Protect stored cardholder data (22) – Encrypt transmission of cardholder data across open, public networks (3) • Maintain a Vulnerability Management Program – Use and regularly update anti-virus software or programs (3) – Develop and maintain secure systems and applications (34)
PCI DSS is a Comprehensive Standard ContainingTechnology, Process, and Monitoring Requirements • Implement Strong Access Control Measures – Restrict access to cardholder data by business need-to-know (9) – Assign a unique ID to each person with computer access (20) – Restrict physical access to cardholder data (26) • Regularly Monitor and Test Networks – Track and monitor all access to network resources and cardholder data (23) – Regularly test security systems and processes (9) • Maintain an Information Security Policy – Maintain a policy that addresses information security for employees and contractors (44)
Ten Common Myths of PCI DSS • One vendor and product will make us compliant • Outsourcing card processing makes us compliant • PCI compliance is an IT project • PCI will make us secure • PCI is unreasonable; it requires too much • PCI requires us to hire a Qualified Security Assessor • We don’t take enough credit cards to be compliant • We completed a SAQ so we’re compliant • PCI makes us store cardholder data • PCI is too hardhttps://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
The Compliance Process Will Force You toAddress Security Issues at a Detailed Level
Automated Scans are a Valuable Tool forMonitoring and Maintaining Secure Systems
Manage Achieving PCI Compliance as a Major Cross-Functional Effort• Assign a project manager and build a team – IT, Finance, HR, Legal, etc.• Assume you’ll need some budget dollars to help address compliance issues• Hold regularly scheduled meetings• Track progress on closing compliance items at an individual item level and produce status reports• Build accountability into your ongoing processes
Solicit Participation – What Do You Need From Your Organization• Support for the initiative within individual groups – Communication about it’s importance and value – Participation in and support for the ongoing review processes• Become aware of security issues – Question potential vendors and partners on their compliance with PCI standards – Reengineer processes to be more secure – Share data on a need to know basis – Classify and label information appropriately – If there’s a question about data security don’t guess at the answer ask someone who knows• Question your people – We’re searching for credit card data in paper or electronic form, if you’ve got it let us know about it so it can be appropriately protected
Where is the Credit Card Data?• What are the existing processes you know about (and what don’t you know)?• Existing web forms?• Email system?• On local desktops and laptops? Excel files, Word docs, CSV files, PDF Reports…• On your network?
PCI Prioritized Approach 1. Remove sensitive authentication data and limit data retention. 2. Protect the perimeter, internal, and wireless networks. 3. Secure payment card applications. 4. Monitor and control access to your systems. 5. Protect stored cardholder data. 6. Finalize remaining compliance efforts, and ensure all controls are in place.Source: The Prioritized Approach to Pursue PCI DSS Compliance
PCI Prioritized Approach ExampleSource: The Prioritized Approach to Pursue PCI DSS Compliance
What Changes Did Personnel See?• Tighter physical security (badges, camera surveillance for server rooms and central storage rooms)• Tighter access controls to information resources (strong passwords frequently changed, no shared accounts, access to data more closely logged)• Paper storage of data limited based upon business requirements (two years) – stored data inventoried, older data securely disposed• More formalized information access and security policies requiring annual reviews and signoffs• Additional review of third party agreements when payments are being accepted on our behalf• Background checks for personnel with access to credit card data (including IT, finance, customer service, etc.)
PCI Compliance Isn’t an Activity But a Process Plan PCI Act Do Compliance Study (Test)
Lifecycle Process for Changes to PCI DSSSource: https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf
What’s On the Horizon?• Massachusetts Data Security Law 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth – Pertains to anyone that owns or licenses personal information about a resident of Massachusetts – Personal information defined as last name, first name (or initial) in combination with SSN, driver’s license number, or financial information (credit/debit card, financial account info, etc.)• States are considering more of these laws• Be prepared to secure all personal information
Recapping: 10 Things You Should Now Know About PCI Compliance1. PCI DSS is not an International, Federal, or State law but rather its an information security standard developed by the PCI Security Standards Council (see http://www.pcisecuritystandards.org).2. Any business that stores, processes, or transmits credit card data is responsible for complying with the standard.3. Compliance and enforcement of the standard is mandated by the various payment card brands (VISA, MC, AMEX, etc.). This includes the assessment of any fines or penalties associated with a security breach of the data.4. The easiest route of compliance is to not store, process, or transmit credit card data - outsource everything related to credit card processing (this is often an unrealistic approach).5. If you must handle credit card data you should seek to: centralize it, protect it, and monitor access to it.
Recapping: 10 Things You Should Now Know About PCI Compliance6. There are five different Self-Assessment Questionnaires (SAQ) ranging from simple to extremely complex based upon how a business handles credit card data.7. At its most complex level, the standard covers twelve requirement areas in six major categories of compliance and 200+ individual questions. A defined set of information security standards, policies, and procedures is a major component of the compliance process (and often one of the most difficult to implement).8. In order to be compliant you must be compliant with every individual requirement and pass automated security scans of eCommerce systems handling credit card data.9. You need to be as concerned about your business processes as you are about technology processes in order to be compliant.10.Compliance and security is an ongoing process not a single project.
Where Can You Get Help and More Info• PCI Security Standards Council Website: http://www.pcisecuritystandards.org• Individual Payment Card Brand Websites/Email Addresses: – American Express: http://www.americanexpress.com/datasecurity or EMail: American.Express.Data.Security@aexp.com – VISA: http://www.visa.com/cisp or Email: firstname.lastname@example.org – MasterCard: http://www.mastercard.com/sdp or Email: email@example.com – Discover: http://discovernetwork.com/fraudsecurity/disc.html or Email: firstname.lastname@example.org – JCB: http://www.jcb-global.com/english/pci/index.html or Email: email@example.com
Where Can You Get Help and More Info• 2009 Verizon Data Breach Investigations Report – http://www.verizonbusiness.com/resources/security/reports/ 2009_databreach_rp.pdf• SANS Institute (SysAdmin, Audit, Network, Security) – http://www.sans.org
We Can Keep the Conversation Going• My Coordinates – Email: firstname.lastname@example.org – Phone: (732) 548-6100 x19 – LinkedIn: www.linkedin.com/in/smichaele – Website: www.csystemsllc.net