PCI DSS The Cost Of Non Compliance
An introduction to PCI DSS Compliance for web designers and developers. Learn about the risks and ways to mitigate those risks.
Published in: Technology, Education

  • Transcript

    • 1. PCI DSS: The Cost of Non-Compliance. Joseph Fung, April 29, 2008
    • 2. Today’s Menu
      • PCI Who and When
      • Impact and Risk
      • Mitigating the Risk
    • 3. Part I: Who and When
    • 4. The Payment Card Industry
      • Payment Card Industry (PCI) Security Standards Council – Founded in Dec 2004
      • Develop and Maintain the PCI Data Security Standard (DSS)
      PCI SSC - https://www.pcisecuritystandards.org Part I: PCI Who & When
    • 5. Relationships
      • Diagram: Merchant (Website Owner), Payment Card Industry, Banks, Processors
    • 6. The Timeline
      • Sep 2006 PCI DSS Introduced
      • Jul 2007 Contracts Updated
      • Dec 2007 PCI DSS Compliance Required
      • Feb 2008 New Tools Launched https://www.pcisecuritystandards.org/tech/saq.htm
      • ~2010 Additional Requirements Enforced
    • 7. Who is responsible?
      • Everyone assumes someone else is taking responsibility for education
    • 8. Why are we here?
      • We want to give our clients the best advice possible.
    • 9. Part II: Impact and Risk
    • 10. Who needs to be compliant?
      • All Merchants.
      • Includes Brick & Mortar, Mail order and telephone order and e-commerce
    • 11. Will this impact end consumers?
      • No, not really.
      • Consumers are protected by many systems and vehicles – the end consumer is almost always right.
    • 12. What is the value of compliance?
      • Demonstrate due diligence
      • Enhance confidentiality, integrity and authenticity of data
      • Competitive edge: positive image and enhanced trustworthiness
      • Safe Harbor from fees
    • 13. What are the consequences?
      • Class Action Lawsuits
      • Insurance Claims
      • Cancelled Merchant Accounts
      • Card Provider Fines ($50K - $500K)
      • Government Fines ($5M - $20M)
      • Damaged Client Relationships
    • 14. 2 Example (Fictional) Stories
      • Jim: Online store using OS Commerce
      • Kate: Consultant using MOTO
    • 15. The Hitch:
      • Compliance is not easy… there are MANY bases to cover, and most companies do not have the resources for full compliance.
      • Next… reviewing those bases.
    • 16. Part II: Impact & Risk
    • 17. (Footnotes to the cardholder data elements table)
      • * These data elements must be protected if stored in conjunction with the PAN.
      • ** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
      • PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
    • 18. PCI DSS Overview
      • 12 Requirements in 6 Groups
      • 3 particularly relevant to e-commerce
      • 8 must be addressed by business owner
      • Reference: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
    • 19. Build and Maintain a Secure Network
      • Requirement 1 : Install and maintain a firewall configuration to protect cardholder data
      • Requirement 2 : Do not use vendor-supplied defaults for system passwords and other security parameters
    • 20. Protect Cardholder Data
      • Requirement 3 : Protect stored cardholder data
      • Requirement 4 : Encrypt transmission of cardholder data across open, public networks
    • 21. Maintain a Vulnerability Management Program
      • Requirement 5 : Use and regularly update anti-virus software
      • Requirement 6 : Develop and maintain secure systems and applications
    • 22. Implement Strong Access Control Measures
      • Requirement 7 : Restrict access to cardholder data by business need-to-know
      • Requirement 8 : Assign a unique ID to each person with computer access
      • Requirement 9 : Restrict physical access to cardholder data
    • 23. Regularly Monitor and Test Networks
      • Requirement 10 : Track and monitor all access to network resources and cardholder data
      • Requirement 11 : Regularly test security systems and processes
    • 24. Maintain an Information Security Policy
      • Requirement 12 : Maintain a policy that addresses information security
    • 25. Special Note on Hosting Providers
      • Per Requirement 12: All service providers with access to cardholder data must adhere to the PCI DSS
      • Hosting providers must pay special attention to their role in this. They must form traceable silos.
    • 26. Making sense of it…
      • Although we are not responsible for our client’s PCI DSS compliance, there are things we can do to help.
    • 27. Part III: Mitigating the Risk
    • 28. PCI Requirement 3
      • Use autocomplete="off" on card-entry fields
      • Star out all but the last 4 digits
      • Never display the security code
      • Don’t store the CVV number
      • Encrypt using the MySQL AES encryption functions
      • Use TTL for displayed information
    • 29. PCI Requirement 4
      • Always pass credit card information via SSL (that includes any information sent to the browser in the Admin side of things)
      • Have a qualified IT consultant secure any wireless networks (using VPNs over public wireless networks)
    • 30. PCI Requirement 6
      • Enable automatic updates for software
      • Include scheduled maintenance as part of the project
      • Use 3rd-party monitoring systems
    • 31. PCI Requirement 7
      • Use software that allows you to restrict access to credit card information (or better yet, don’t store data).
    • 32. PCI Requirement 10
      • Test the level of logging you can collect from your host (look for access logs and SSL access logs)
    • 33. Best Practices
      • Review the PCI DSS Requirements with your clients that accept payment cards
      • Visit the PCI SSC website quarterly, or subscribe to RSS Feed https://www.pcisecuritystandards.org/pcissc_news.xml
      • Require service providers and third parties to demonstrate PCI compliance
      • Store less, better access control, understand the data flow
    • 34. Best Practices contd…
      • Perform a thorough scoping project to determine all credit card data flows from transaction to billing
      • Update frequently: compliance is for a specific software version/product and valid for one year
    • 35. Best Practices contd…
      • Implement waiver/sign off on understanding PCI Compliance
      • Update processes frequently: compliance is for a specific business/feature and valid for one year
    • 36. Best Practices contd…
      • Automate log rotations and saving (some hosting providers delete automatically)
      • Maintain separate development, test, and production environments
      • Don’t rely on WEP protection (use WPA or WPA2)
    • 37. Best Practices contd…
      • Never send PANs over email
      • Never send PANs over email
      • Never send PANs over email
    • 38. Bonus Best Practice…
      • Use the Self Assessment Questionnaire as the Gap Analysis, and talk to the client about the Ideals of PCI compliance before the Logistics. Aim to pass the belief, not just the checklist.
      • Get the questionnaire at https://www.pcisecuritystandards.org/tech/saq.htm
    • 39. Conclusion
      • Review PCI Standards with your clients and let them know the risks.
      • They are obliged to comply, and we would all like to help them get there.
    • 40. Questions/Comments?
      • Feel free to ask now or email me: joseph@lewismedia.com
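As an added example (not code from the slides or from the presenter), the Requirement 3 items on slide 28 and the "don't store data" advice on slide 31 applied to a checkout record: the PAN is starred out to its last four digits, and the security code is dropped before anything reaches our own tables. The field names and the sample record are assumptions made for this example.

```javascript
// Added example (not from the slides): handle a checkout record so that it
// follows the Requirement 3 items on slide 28: show only the last four digits
// of the PAN and never persist the security code (CVV) after authorization.

// Assumed field names that hold sensitive authentication data (not a list
// taken from the slides or the standard).
const SENSITIVE_AUTH_FIELDS = ["cvv", "cvv2", "cvc", "securityCode", "pin"];

// Keep only digits from a PAN as typed by a user (spaces and dashes dropped).
function normalizePan(pan) {
  return String(pan).replace(/\D/g, "");
}

// "Star out all but the last 4 digits". A PAN of four digits or fewer is
// masked entirely so nothing is revealed for malformed input.
function maskPan(pan) {
  const digits = normalizePan(pan);
  if (digits.length <= 4) return "*".repeat(digits.length);
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Build the record that may be written to our own database: sensitive
// authentication data is dropped and the PAN is replaced by its masked form
// ("or better yet, don't store data"). The full PAN goes to the processor only.
function toStorableRecord(checkout) {
  const out = {};
  for (const [key, value] of Object.entries(checkout)) {
    if (SENSITIVE_AUTH_FIELDS.includes(key)) continue; // never stored
    out[key] = value;
  }
  if ("pan" in checkout) {
    out.panMasked = maskPan(checkout.pan);
    delete out.pan;
  }
  return out;
}

// Last check before an INSERT: refuse any record that still carries data
// the slide 17 footnote says must not be stored after authorization.
function assertStorable(record) {
  for (const key of Object.keys(record)) {
    if (key === "pan" || SENSITIVE_AUTH_FIELDS.includes(key)) {
      throw new Error(`refusing to store sensitive field "${key}"`);
    }
  }
  return true;
}

// Constructed sample input (a test-style number, not a real card).
const stored = toStorableRecord({ name: "Jim", pan: "4111 1111 1111 1111", cvv: "123", amount: 42.5 });
assertStorable(stored); // stored = { name: "Jim", amount: 42.5, panMasked: "************1111" }
```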