PCI Compliance Overview

PCI Compliance Overview. How to safely accept credit cards.

Published in: Technology, Economy & Finance

PCI Compliance Overview

  1. PCI Compliance Overview: How to Safely Accept Credit Cards
  2. What is PCI?
     When you accept credit cards, you must also follow a set of guidelines for protecting credit card data.
     • Payment Card Industry Data Security Standard (PCI-DSS)
     • Set of regulations developed and enforced by the major card brands.
     • Requires an annual Self-Assessment Questionnaire (SAQ) as a way to evaluate the security in your office.
     • Depending on how you process credit cards, your SAQ might ask questions pertaining to how you store credit card data, who has access to your machine, or whether you process credit cards via a wireless connection.
     • The process helps identify potential security risks and protects both you and your clients from fraud.
  3. Goals of PCI-DSS
     • Build and maintain a secure network
     • Protect cardholder data
     • Maintain a vulnerability management program
     • Implement strong access control measures
     • Regularly monitor and test networks
     • Maintain an information security policy
  4. Just the Facts
     • More than 80% of attacks target small merchants
     • Criminals are turning their attention to smaller merchants with lax security
     • Most attacks can be prevented by simple methods
     • Following the PCI-DSS can help protect your law firm from fraud and/or costly fines
  5. Who Must Comply?
     • Any merchant that processes, transmits, or stores credit card data
     • Every merchant is responsible for compliance even if using PCI Certified Service Providers
     • Every merchant must validate compliance every year
  6. 12 Requirements for Compliance
     Build and Maintain a Secure Network
     • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
     • Requirement 3: Protect stored cardholder data
     • Requirement 4: Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
     • Requirement 5: Use and regularly update anti-virus software
     • Requirement 6: Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
     • Requirement 7: Restrict access to cardholder data by business need-to-know
     • Requirement 8: Assign a unique ID to each person with computer access
     • Requirement 9: Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
     • Requirement 10: Track and monitor all access to network resources and cardholder data
     • Requirement 11: Regularly test security systems and processes
     Maintain an Information Security Policy
     • Requirement 12: Maintain a policy that addresses information security
  7. Requirement 4 -- Examples
     Encrypt transmission of cardholder data across open, public networks
     • Practical Application
     • Do not send unencrypted credit card data by email, chat programs, instant messaging, etc.
  8. Case Studies – Requirement 4
     • Emailing the full credit card number is one of the most common violations
     • Unencrypted faxes
     • Contractor emails 27,000 names and social security numbers to home email *
     • “Email, (especially if internal-to-internal) is often perceived as private and escapes the examination of information security teams…” **
     * http://www.datalossdb.org/
     ** http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf
  9. Requirement 7 -- Example
     Restrict access to cardholder data by business need-to-know
     • Practical Application
     • Only grant permission to select people in your office to run credit card transactions and have access to stored credit card data
  10. Case Studies – Requirement 7
     • “…The typical U.S. organization loses 7% of its annual revenues to fraudulent activity” *
     • Small organizations have a higher median loss
     • Establish internal controls
  11. Requirement 9 -- Example
     Restrict physical access to cardholder data
     • Practical Application
     • Paper receipts with full credit card data must be kept under lock and key. A process is in place to securely transport data if necessary. All credit card data is securely destroyed when no longer needed.
  12. Case Studies – Requirement 9
     • Credit union improperly disposed of credit card data and exposed 257 records.
     • Non-profit worker misplaced 212 files containing birthdates, social security numbers, addresses, and phone numbers.
  13. Requirement 12 -- Example
     Maintain a policy that addresses information security
     • Practical Application
     • Develop comprehensive policies and procedures to address employee responsibilities, incident response plans, service provider monitoring, etc.
  14. Case Studies – Requirement 12
     • “…The overwhelming majority of data breaches (especially of cardholder data) come down to a failure to do what is planned.” *
     • PCI is not a date on a calendar. It is an ongoing event.
  15. Becoming Compliant
     • You’re already on the right track
     • AffiniPay and LawPay’s PCI Central provides a simplified solution
     • Replaces the cumbersome and time-consuming paper process
     • Guides you through the 12 requirements & SAQ
     • Online SAQ can be completed in 20-30 minutes
     • All online – PCI Central stores your information, generates an electronic certificate and knows all the rules, so you don’t have to