1. Payment Card Industry DSS
(PCI)
Presented By: Claire Gallagher EVP, OASIS Group
November 11th, 2013
2. Payment Card Industry DSS
(PCI)
What is PCI DSS?
Payment Card Industry Digital Security Standards
A collaborative effort to achieve a common set of security
standards for use by entities that process, store or
transport payment card data.
3. Agenda
• Overview of PCI DSS
• Compliance Levels and Requirements
• How we Achieved PCI Compliance
• Benefits of PCI to you & your Clients
• Lessons Learnt
• Discussion, Questions
4. Overview of PCI
Topics in this section
• PCI-DSS Defined
• Merchant Level
• Service Provider Levels
• PCI Assessments
• PCI Enforcement
5. PCI Defined
Payment Card Industry Digital Security Standards:
A collaborative effort to achieve a common set of security
standards for use by entities that process, store or
transport, payment card data.
6. Multiple Credit Card Organisations
Participating in PCI Efforts:
Members Include
• Visa
• MasterCard
• American Express (Amex)
• Diner’s Club
• Discover Card
• JCB.
7. Merchant Levels
Level Conditions
Level 1 Any Merchant processing over 6,000,000 transactions per
year, compromised in the last year, or identified by another
payment card brand as Level 1
Level 2 Any Merchant processing between 150,000 and 6,000,000
e-commerce transactions per year, or identified by another
payment card brand as Level 2
Level 3 Any Merchant processing between 20,000 and 150,000
ecommerce
transactions per year, or identified by another
payment card brand as Level 3
Level 4 Any Merchant processing less than 20,000 e-commerce
transactions per year, and all other Merchants processing
up to 6,000,000 transactions per year
8. Service Provider Levels
Level Conditions
Level 1 Criteria: Visa System Processors or any service provider that
stores, processes and/or transmits over 300,000 transactions per
year
Validation Requirements: Annual Report on Compliance (ROC)
by QSA, Quarterly network scan by Approved Scanning Vendor
(ASV), Attestation of Compliance (AOC) Form
Result: Included on Visa Europe’s List of PCI DSS validated
service providers
Level 2 Criteria: Any service provider that stores, processes and/or
transmits less than 300,000 transactions per year
Validation Requirements: Annual Self-Assessment
Questionnaire (SAQ), Quarterly network scan by Approved
Scanning Vendor (ASV), Attestation of Compliance (AOC)
Result: Not included on Visa Europe’s List of PCI DSS validated
service providers
11. PCI DSS Structure
Six Key Sections:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
12. Network Scanning
Targets Internet Facing Devices, Systems and
Applications Including :
• Routers and Firewalls
• Servers and Hosts (Including Virtual!)
• Applications
13. Self Assessment
A selected subset of the full Onsite Audit criteria
completed by the Merchant or Service Provider Submitted
to Acquirer(s) (eg: Visa, Mastercard) Made up mainly of
Yes/No/Not Applicable responses Is broken into five of
the six sections from PCI DSS:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Implement Strong Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
14. QSA Onsite Review
• Is a detailed audit against the PCI Data Security Standard
• Potentially targets all systems and networks that store,
process and/or transmit cardholder information
• Includes review of contractual relationships, but not
assessment of the Third Parties themselves
• Biggest difficulties in having onsite reviews are the initial
scoping and the subsequent cost of correction to compliant
levels
• QSA provides a Report on Compliance when compliant for
Submission to the Acquirer. Interim reports may be asked
for by the Acquirer
15. PCI Enforcement
• Visa and MasterCard require their Acquirers to ensure the
compliance of their Merchants and Service Providers.
• Visa and MasterCard are able to penalise their Acquirers for
having Merchants or Service Providers that are
noncompliant.
• Acquirers can pass on penalties to their Merchants and
Service Providers through their contractual relationships.
• Penalties can presently be financial against the Acquirer
and restrict a Merchant’s / Service Provider’s ability to
accept transactions.
16. How OASIS Achieved Compliance
• Engaged a third party Qualified Security Assessor (QSA’S).
• Undertook a Gap Analysis.
• A Gap Analysis identifies the measurable gap between current policies,
procedures and practices and the Payment Card Industry Data Security
Standard. A Gap Analysis is the preferred route for identifying
mechanisms to reduce risks and costs and processes associated with
achieving compliance
• Scored 82% on the Gap Analysis.
• ISO 27001 covered a lot of the requirements in the PCI.
• 1 week to close off issues raised in Gap Analysis, eg: Data Classification
Policy, Abandoned Boxes Policy, Annual Information Security Training
Program.
17. Benefits of PCI to You & Your Clients
• Benefit #1: Decreased Risk of Security Breaches PCI
compliance isn't just about satisfying a list of guidelines --
it's a very real and proven way to protect you and your
customers' data from outside attacks. In fact, a recent
Verizon study found that compliant businesses are 50%
more likely to successfully withstand a breach.
• Benefit #2: Peace of Mind For You (and Your Clients)
With breaches much less likely to happen, you'll have one
less thing to worry about in the daily course of running your
business. You'll appreciate this peace of mind, and over
time, your customers will, too (see the next benefit below).
18. Benefits of PCI to You & Your Clients
Continued…
Benefit #3: Boost In Customer Confidence
Your customers may not currently understand every detail about what it
means to be compliant, but their awareness about the issue is growing.
Every day, more and more of your customers are growing savvy about
how their data is protected when they use their credit cards. It's only a
matter of time before customers see PCI compliance as a sign that your
business follows best practices. That feeling of security will directly
increase buyers' confidence, and make them more likely to choose you
over a non-compliant competitor.
19. Benefits of PCI to You & Your Clients
Continued…
Benefit #4: Avoid Costly Fines
PCI compliance dramatically lowers your likelihood of getting breached, but
it doesn't completely eliminate the possibility. If you are breached, fines can
grow as high as $500,000 per incident. Companies who are PCI compliant
significantly reduce their risk of a breach, and therefore, their likelihood of
receiving a fine. If a company is breached, regardless of their state of
compliance, they must immediately inform customers and their processor of
the data breach in writing. The processor or bank will initiate an audit on that
company to see if the merchant was in fact PCI DSS compliant at the time of
the breach.
Benefit #5: Relatively Quick and Easy
This is one benefit that comes from what PCI compliance doesn't do: with
the right partner, you won't have to make any substantial changes or
disruptions to your business while attaining compliance. The process may
seem complicated (and in many ways, it is), but a good compliance partner
will shield you from the complexities and make it seem simple.
20. Lessons Learned
• Already having the ISO 27001 was a huge advantage
as the majority of the work was done as proven in our
Gap Analysis.
• Unless it is a definite requirement for your client it is
easier not to process credit card information, and
remain a Merchant user.
• Take the time to choose the right QSA