You Know You Need PCI Compliance Help When…


Payment Card Industry (PCI) Data Security Standard (DSS) compliance is frequently misunderstood. Determining an effective strategy for demonstrating compliance and governing it on an ongoing basis is critical to mitigating emerging payment security risks. Knowing when you need help, understanding which requirements are applicable, and determining the proper course of action to adhere to the standard is often more complex than it may at first seem. Join Fortrex Technologies QSA Peter Spier and Jim Raub, Senior Director of Information Security, Compliance and Fraud for PAETEC Holding Corporation, for this discussion of common challenges and practical solutions.

Peter Spier, Senior Risk Management Consultant, Fortrex Technologies

Peter is President of the ISACA Western New York Chapter and is a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and over the course of 12 years of experience has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications.

Jim Raub
Senior Director of Information Security, Compliance and Fraud, PAETEC Holding Corporation

Jim has held a wide range of IT positions over the past 30 years, with a concentration on security for the past decade. He has presented at numerous conferences and taught many business and college courses as an adjunct faculty member. Jim’s certifications include Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). When he’s not working, he is an avid musician and volunteer at several non-profit organizations.

  • 1. You Know You Need PCI Compliance Help When… Presented By: Peter Spier, Manager Professional Services, Fortrex Technologies; Jim Raub, Senior Director of Information Security and Compliance, PAETEC Holding Corporation. © 2010. All rights reserved.
  • 2. Agenda
    • Instructor Biographies
    • Background On Fortrex
    • Background on PAETEC
    • Overview of the PCI DSS
    • 3 Challenges
    • Common Scenarios
    • Time to Seek Help
    • Compliance Roles
    • Assessment Preparation
    • PCI DSS 2.0
  • 3. Instructor Biography
    • Peter Spier is President of the ISACA Western New York Chapter and Manager Professional Services at Fortrex Technologies (www.fortrex.com) based in Frederick, Maryland.
    • Certifications include: CISSP, CISM, PMP, QSA, PA-QSA, ITILFv3, and CSF Assessor
    • Master's degree from Syracuse University School of Information Studies
    • 15 years of experience
  • 4. Instructor Biography
    • Jim Raub is Sr. Director, Information Security and Compliance at PAETEC (www.paetec.com) based in Fairport, NY.
    • Current certifications include: CISSP, CISA, & CTM. Past certifications from Cisco, Microsoft, Informix, CompTIA and others.
    • Bachelor's degree, Summa cum Laude, from Syracuse University, with coursework towards a Master's at the University of Rochester
    • 35 years of experience in management, consulting, security, software development, IT infrastructure, networks, and database administration
  • 5. Background on Fortrex
    General Facts
    • IT Security, Operational Risk and Governance Consulting
    • Founded in 1997
    • Headquarters in Frederick, Maryland
    • Privately Held
    • Approaching 1,000 Customers, Baltimore to Alaska to Guam
    • Broad Industry Coverage
    • QSA, PA-QSA & ASV
    • Abundance of References
    Values: Integrity, Excellence, Empowerment, Teamwork and Thankfulness
  • 6. Background on PAETEC
    General Facts
    • Founded in 1998
    • Headquarters in Fairport, New York
    • Publicly Traded (Nasdaq: PAET)
    • Serving over 84 of the top 100 Metropolitan Statistical Areas (MSAs) in the U.S. with personalized communications solutions
    • Core offerings include data, voice, and Internet communications services
    • Value-added solutions encompass data center colocation, communications management software, equipment, security and financing programs
    Values: Caring Culture, Open Communication, Unmatched Service, Personalized Solution
  • 7. Overview of the PCI DSS
    Reviewing PCI DSS compliance requirements for the first time can be a daunting task. The “Dirty Dozen”:
    Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
    Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security
  • 8. Challenge #1: Are you a Merchant or a Service Provider?
  • 9. Merchants Defined
    • Merchant - Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
  • 10. Service Providers Defined
    • Service Provider - Business entity that is not a payment card brand member or a merchant, directly involved in the processing, storage, transmission, and switching of transaction data and cardholder information, or both.
      o This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data.
        - Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.
        - Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
  • 11. When Merchants Are Also Service Providers
    • A merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
      o For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
  • 12. Challenge #2: What compliance level are you?
  • 13. Merchant Compliance Levels (Levels 1 and 2)
    Level 1
    • Visa: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
    • MasterCard:
      o Any merchant that has suffered a hack or an attack that resulted in an account data compromise
      o Any merchant having greater than six million total combined MasterCard and Maestro transactions annually
      o Any merchant meeting the Level 1 criteria of Visa
      o Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
    • Discover:
      o All merchants processing a total of more than 6 million card transactions annually on the Discover network
      o Any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
      o All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
    • JCB: One million JCB transactions or more per year
    • American Express: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1
    Level 2
    • Visa: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
    • MasterCard:
      o Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
      o Any merchant meeting the Level 2 criteria of Visa
    • Discover:
      o All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network
      o All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
    • JCB: Less than one million JCB transactions per year
    • American Express: 50,000 to 2.5 million American Express Card transactions per year
  • 14. Merchant Compliance Levels (Levels 3 and 4)
    Level 3
    • Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
    • MasterCard:
      o Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
      o Any merchant meeting the Level 3 criteria of Visa
    • Discover:
      o All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network
      o All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
    • JCB: N/A
    • American Express: Less than 50,000 American Express Card transactions per year
    Level 4
    • Visa: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
    • MasterCard: All other merchants
    • Discover: All other merchants
    • JCB: N/A
    • American Express: N/A
  • 15. Service Provider Compliance Levels
    Level 1
    • Visa: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually
    • MasterCard:
      o All TPPs
      o All DSEs that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually
    • Discover: All TPPs
    • JCB: All TPPs
    • American Express: All TPPs
    Level 2
    • Visa: Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually
    • MasterCard: Includes all DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually
    • Discover: N/A
    • JCB: N/A
    • American Express: N/A
  • 16. Challenge #3: What requirements apply?
  • 17. Merchant Reporting Requirements (Levels 1 and 2)
    Level 1
    • Visa:
      o Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
      o Quarterly network scan by Approved Scan Vendor (“ASV”)
      o Attestation of Compliance Form
    • MasterCard:
      o Annual On-site Assessment (1)
      o Quarterly network scan by Approved Scan Vendor (“ASV”)
    • Discover:
      o All merchants processing a total of more than 6 million card transactions annually on the Discover network
      o Any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
      o All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
    • JCB: One million JCB transactions or more per year
    • American Express: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1
    Level 2
    • Visa:
      o Annual Self-Assessment Questionnaire (“SAQ”)
      o Quarterly network scan by ASV
      o Attestation of Compliance Form
    • MasterCard:
      o On-site Assessment (at merchant discretion)
      o Annual Self-Assessment Questionnaire (“SAQ”) (2)
      o Quarterly network scan by Approved Scan Vendor (“ASV”)
    • Discover:
      o All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network
      o All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
    • JCB: Less than one million JCB transactions per year
    • American Express: 50,000 to 2.5 million American Express Card transactions per year
    (1) Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
    (2) Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
  • 18. Merchant Reporting Requirements (Levels 3 and 4)
    Level 3
    • Visa:
      o Annual SAQ
      o Quarterly network scan by ASV
      o Attestation of Compliance Form
    • MasterCard:
      o Annual SAQ
      o Quarterly network scan by ASV
    • Discover:
      o All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network
      o All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
    • JCB: N/A
    • American Express: Less than 50,000 American Express Card transactions per year
    Level 4
    • Visa:
      o Annual SAQ recommended
      o Quarterly network scan by ASV if applicable
      o Compliance validation requirements set by acquirer
    • MasterCard:
      o Annual SAQ
      o Quarterly network scan by ASV
    • Discover: All other merchants
    • JCB: N/A
    • American Express: N/A
  • 19. Service Provider Reporting Requirements
    Level 1
    • Visa:
      o Annual on-site security assessment by QSA (or internal auditor if signed by an officer of the service provider), OR annual Self-Assessment Questionnaire D
      o Quarterly network scans by ASV
    • MasterCard:
      o Annual on-site security assessment by QSA (or internal auditor if signed by an officer of the service provider)
      o Quarterly network scans by ASV
    • Discover:
      o Annual on-site security assessment by QSA
      o Quarterly network scans by ASV
    • JCB:
      o Annual on-site security assessment by QSA
      o Quarterly network scans by ASV
    • American Express:
      o Annual on-site security assessment by QSA
      o Quarterly network scans by ASV
    Level 2
    • Visa:
      o Annual SAQ
      o Quarterly network scan by ASV
    • MasterCard:
      o Annual SAQ
      o Quarterly network scan by ASV
    • Discover: N/A
    • JCB: N/A
    • American Express: N/A
  • 20. Realization
    • Each card brand’s transaction-driven tiering and corresponding requirements differ from one brand to the other
    • For Self Assessment Questionnaire (SAQ) merchants, if you employ more than one transaction type, you’re obligated to use SAQ D
    • For Level 2 Service Providers, you’re obligated to use SAQ D
    • SAQ D is the long one…
  • 21. Suppose
    • You have bandwidth to spare
    • Your internal audit personnel possess broad and deep compliance framework experience
    • A team member has successfully completed a PCI DSS compliance assessment in the past
    When should you consider bringing in expert assistance from the outside?
  • 22. When Compliance Looks Easy
    • Familiar with ISO 27001?
    • Spoken with a colleague who indicated that their SAQ was a simple matter of checking all the ‘Yes’ boxes and signing it?
    • PCI DSS can be mapped to other frameworks, but its focus is explicitly cardholder data security
    • Compliance is never as easy as just checking all the ‘Yes’ boxes
  • 23. When You Receive An E-mail Identifying Still Another Data Repository
    • Unidentified data repositories can:
      o Threaten momentum
      o Lower morale
      o Derail compliance efforts
    • Late-in-the-game discoveries might cause you to:
      o Miss your target dates
      o Incur unforeseen penalties
      o Require re-work to remediate issues
    • Recommendation: Identify all payment flows through a combination of both human and automated means
      o Surveys
      o Interviews
      o Data analytics
  • 24. When You Are Not Certain Where Your Cardholder Data Environment Begins Or Ends
    • Does an unsolicited customer email automatically bring a system into the Cardholder Data Environment (CDE)?
    • If an end-user chooses to record a call and save it to a local or LAN file, is the PC or fileserver in scope?
    • If the CDE firewall allows insecure protocols, is the scope reduced?
    • Is a workstation part of the CDE if it is used only to key in the Payment Account Number (PAN) to a hosted application through an encrypted channel?
  • 25. When You Re-Read The Same Requirement And Interpret It In Yet Another Way
    • Read the PCI DSS?
    • Attended seminars?
    • Pored over various forum threads and blog postings?
    • Was that requirement really non-applicable?
    • Does your planned compensating control truly go above and beyond the rigor and intent of the original requirement?
    • Is your “business justification” for leaving open a particular port or protocol sufficient?
  • 26. Time To Seek Help
    • Good counsel may at first seem to be in abundance, but identifying the appropriate resource to provide accurate direction is critical
    • A different business’s compliance approach probably does not apply to your own environment
    • You cannot simply repeat last year’s response
    • It probably does take an expert to address the “low hanging fruit”
    • Consulting a QSA prior to an assessment may prove to be the shortest path to achieving compliance
  • 27. Suggested Compliance Roles
    • Audit
      o Complete Self Assessment Questionnaire or Level 1 or 2 assessment
      o Periodic review of controls
    • Project Managers
      o Assessment and validation planning
      o Stakeholder coordination and reporting
      o Resource scheduling
      o Reporting
    • Security Operations
      o Management and monitoring of controls
      o Internal vulnerability scanning and/or penetration testing
      o Log review
      o Incident response
    • Qualified Security Assessors
      o On-site assessment
      o Validation
      o Report On Compliance creation
      o Submission to the payment brands
      o Countersign Attestation Of Compliance
    • Approved Scanning Vendors
      o External quarterly vulnerability scans
    • Database Administrators
      o Record management
      o Access control management
    • Governance
      o Compliance oversight
      o Policy development and distribution
      o Coordination of organizational business units
    • Senior Management
      o Report On Compliance review
      o Sign Attestation Of Compliance
    • System Administration
      o Account and authentication management
      o Access control management
      o Configuration management
    • Application Developers
      o Development and testing
      o Code review
      o Revision control
  • 28. Assessment Preparation: Scope
    • Scope of the cardholder data environment is defined as all system components which transmit, process, or store cardholder data.
    • Limiting the scope of the cardholder data environment may reduce the scope of assessment and ongoing compliance efforts.
    • Scope reduction strategies may include:
      o Network Segmentation
      o Tokenization (all systems receiving cardholder data directly and performing tokenization are in scope)
      o End-to-End Encryption (all systems receiving cardholder data directly and performing encryption are in scope)
  • 29. Network Segmentation (diagram: Unsegmented vs. Segmented)
  • 30. Tokenization (diagram)
  • 31. End-to-End Encryption (diagram)
  • 32. Assessment Preparation: Prioritized Approach Methodology
    • Roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data
    • Assists in prioritization of efforts to achieve compliance
    • Establishes milestones
    • Lowers the risk of cardholder data breaches sooner in the compliance process
    • Helps acquirers to objectively measure compliance activities and risk reduction by merchants, service providers, and others
    • Pragmatic approach that allows for “quick wins”
    • Supports financial and operational planning
    • Promotes objective and measurable progress indicators
    • Suitable for merchants who choose an on-site assessment or use SAQ D
  • 33. Assessment Preparation: Milestone Goals
    1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
    2. Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.
    3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
    4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
    5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
    6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
  • 34. PCI DSS 2.0 (Requirement / Reason for Change / Change / Category)
    • Introduction / Clarify applicability of PCI DSS and cardholder data / Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN; align language with the PTS Secure Reading and Exchange of Data (SRED) module / Clarification
    • Scope / Ensure all locations of cardholder data are included in scope of PCI DSS assessments / Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment / Guidance
    • Introduction and Various / Provide guidance on virtualization / Expanded definition of system components to include virtual components; updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization / Guidance
    • 1 / Further clarification of the DMZ / Provide clarification on secure boundaries between the internet and the cardholder data environment / Clarification
    • 3.2 / Clarify applicability of PCI DSS to Issuers or Issuer Processors / Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data / Clarification
  • 35. PCI DSS 2.0 (Continued) (Requirement / Reason for Change / Change / Category)
    • 3.6 / Clarify key management processes / Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge / Clarification
    • 6.2 / Apply a risk-based approach for addressing vulnerabilities / Update requirement to allow vulnerabilities to be ranked and prioritized according to risk / Evolving Requirement
    • 6.5 / Merge requirements to eliminate redundancy and expand examples of secure coding standards to include more than OWASP / Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications; include examples of additional secure coding standards, such as CWE and CERT / Clarification
    • 12.3.10 / Clarify remote copy, move, and storage of CHD / Update requirement to allow business justification for copy, move, and storage of CHD during remote access / Clarification
  • 36. Thank You.