
PCI DSS: What it is, and why you should care


Introduction to the Payment Card Industry Data Security Standard and its implications for any business. Given as a SCIP webinar, April 2017.

Published in: Technology

PCI DSS: What it is, and why you should care

  2. Introductions
     • About Sean
       – Senior IT Assurance and Security Consultant
       – PCI Credentials: QSA and PCIP
       – @SeanDGoodwin
       – Slides can be found at:
  3. Disclaimers
     • While I am a QSA, I am not your QSA
     • Your Acquiring Bank (or Card Brands) have the final say on your compliance requirements
     • There is no “perfect” compliance plan, these tips are based on my experiences
  4. Today’s Agenda
     • History
     • Why now?
     • Common misconceptions
     • Compliance vs. Validation
     • PCI DSS
     • How to get started
     • Data flow analysis
     • Lower cost of compliance
     • Penalties, fines and costs associated with non-compliance
  5. PCI DSS History
     • Payment Card Industry Data Security Standard (PCI DSS) is a standard for credit card data security
     • Established in 2004 by the major payment card brands – Visa, MasterCard, American Express, Discover and JCB
     • First major revision in 2006
     • Contains a series of more than 280 security controls designed to protect credit card data
  6. Why now?
     • Banks and payment processors are asking corporate clients to give validation and assurance on PCI DSS compliance
     • POS Device Hacks in Healthcare on the rise – (2016 Verizon Data Breach Report)
     • Attackers are focusing on corporate systems due to flat networks and siloed business units
  7. Why now?
     • Typical business lines with possible PCI DSS exposure:
       – Food services
       – Parking
       – Gift shops
       – Fundraising/Development Office
       – Retail Centers
       – Pharmacies / ER
  8. Misconceptions about PCI DSS
     • HIPAA/GLBA/SOX compliance means PCI DSS compliance
     • PCI DSS is only a recommendation, not a requirement
     • Passing an Approved Scanning Vendor (ASV) scan means PCI DSS compliance
     • I process a low number of credit cards, so I don’t have to be compliant with all rules
     • I don’t store credit card information, so I don’t have to be compliant
  9. Misconceptions about PCI DSS
     • I use PayPal/Authorize.NET therefore I don’t have to be compliant
     • PCI only applies to eCommerce merchants
     • I use a PA-DSS certified application so I am compliant
     • PCI is vague with room for interpretation
  10. Merchant vs. Service Provider
     • Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
     • Merchant: Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider.
  11. Merchant Levels
     Level 1
       Criteria: Over 6 million Visa or MasterCard transactions in a 12-month period
       Requirements:
         • Onsite Assessment and Report on Compliance (ROC) performed by QSA
         • Quarterly network scans by ASV
     Level 2
       Criteria: Between 1 and 6 million Visa or MasterCard transactions in a 12-month period
       Requirements:
         • Onsite Assessment and either a ROC or Self-Assessment Questionnaire (SAQ) completed by QSA or ISA
         • Quarterly network scans by ASV
     Level 3
       Criteria: Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12-month period
       Requirements:
         • Self-Assessment Questionnaire (SAQ)
         • Quarterly network scans
     Level 4
       Criteria: Less than 20,000 e-commerce or less than 1 million transactions with one card brand in a 12-month period
       Requirements:
         • Self-Assessment Questionnaire (SAQ)
         • Quarterly network scans
  12. SAQ Validation Type
  13. PCI DSS Standard 3.2
     • Six Goals
       1. Build and Maintain a Secure Network and Systems
       2. Protect Cardholder Data
       3. Maintain a Vulnerability Management Program
       4. Implement Strong Access Control Measures
       5. Regularly Monitor and Test Networks
       6. Maintain an Information Security Policy
  14. PCI DSS Standard 3.2
  15. How to Comply with PCI DSS
     • Determine Scope – Determine which system components and networks are in scope for PCI DSS
     • Assess – Examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
     • Report – Assessor and/or entity completes required documentation (e.g. SAQ or ROC), including documentation of all compensating controls
     • Corrective Action Plan (CAP)
  16. PCI Scoping Questions
     • Where are we taking credit card and transaction data information?
     • How are we taking the credit card information?
     • Where are we storing the credit card information?
     • Can we eliminate or centralize the processing of credit card data?
     • Do we have an accurate and up-to-date asset inventory and POS inventory?
     • Identify all system components that are located in or connected to the CDE
     • CDE is comprised of People / Process / Technology
  17. PCI Data Flows
     • Card-not-present – MOTO (Mail order/telephone order)
     • Card-present POS – Point of Sale, includes swipe device on mobile phone or tablet
     • eCommerce transactions – Web-based
  18. Inventory of POS Devices
     • Make and model of device
     • Location of device (e.g. shop or office where device is in use)
     • Serial number of device
     • General description of device (e.g. counter-top pin-entry device)
     • Information about any security seals, labels, hidden markings, etc. that can help identify if device has been tampered with
  19. Inventory of Merchant Vendors
     • Have you outsourced storage, processing, or transmission of Card Holder Data (CHD) to third party providers?
     • What is the role of each service provider?
     • Has all of the appropriate due diligence been performed on each service provider?
     • Are the service providers PCI compliant? (ROC) Do they have a current SOC report?
     • Is there someone in the organization responsible for these contracts?
  20. Lowering the cost of compliance
     • Network Segmentation reduces
       – Scope
       – Cost of the assessment
       – Cost and difficulty of implementing and maintaining compliance
     • P2PE – Point to Point encryption
     • Eliminate the unnecessary storage of cardholder data
     • If you don’t need it, get rid of it!
  21. Merchant Based Vulnerabilities
     • Point-of-sale devices
     • Mobile devices, personal computers or servers
     • Wireless hotspots
     • Web shopping applications
     • Paper-based storage systems
     • The transmission of cardholder data to service providers
     • Remote access connections
  22. Common Problem Areas
     • Cafeteria
     • Business Office / Fundraising
     • Phone Payments
     • Gift shops
  23. Anatomy of an Audit
     • Physical walkthroughs
     • Interviewing key stakeholders/business units
     • Understanding PCI contractual obligations
     • Observing process and procedures
  24. Penalties, Fines and Costs
     • Not levied by PCI Security Council
       – Fines levied by card associations
       – Against merchant bank, which passes fines on to merchant
     • Fines for security breach
       – Visa – Up to $500,000 per occurrence
       – MC – Up to $500,000 per occurrence
     • Amount of fines dependent upon
       – Number of card numbers stolen
       – Circumstances surrounding incident
       – Whether Track Data was stored or not
       – Timeliness of reporting incident
  25. Who will need to be involved?
     • Finance
     • Compliance
     • IT infrastructure
     • Security
     • PCI Steering Committee!!
  26. Where to Start
     • PCI DSS Prioritized Approach
       1. Remove sensitive authentication data and limit data retention.
       2. Protect systems and networks, and be prepared to respond to a system breach.
       3. Secure payment card applications.
       4. Monitor and control access to your systems.
       5. Protect stored cardholder data.
       6. Finalize remaining compliance efforts, and ensure all controls are in place.
     • PCI Document Library –
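The scoping question "Where are we storing the credit card information?" (slide 16) and step 1 of the Prioritized Approach (remove sensitive authentication data, limit retention) both start with finding what is actually on disk. As an added example that is not from the talk, this Python snippet scans text for Luhn-valid PANs and for magnetic-stripe track data, reporting PANs masked to first six/last four; the regular expressions, the assumed ISO/IEC 7813 track layout and the sample lines are this example's own constructions, not anything the deck provides.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track data (ISO/IEC 7813 layout, assumed here):
#   Track 1: %B<PAN>^<NAME>^<expiry/service code/discretionary>?
#   Track 2: ;<PAN>=<expiry/service code/discretionary>?
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^[^?]*\?|;\d{13,19}=\d{4,}[^?]*\?")

# Constructed sample lines, not real data: a PAN with spaces, a digit run
# that fails Luhn, a track-2 swipe record and a bare PAN.
SAMPLE_LOG = """\
order=1001 pan=4111 1111 1111 1111 amount=19.99
order=1002 ref=4111111111111112 note=not a card, fails Luhn
swipe=;4111111111111111=2512101?
order=1003 pan=5500000000000004 note=mastercard test number
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that real PANs satisfy; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS Req. 3.3 permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Per line: masked Luhn-valid PANs, plus whether track data (SAD) is present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pans = [mask_pan(re.sub(r"[ -]", "", m.group()))
                for m in PAN_RE.finditer(line)
                if luhn_valid(re.sub(r"[ -]", "", m.group()))]
        # Track data is sensitive authentication data and must not be stored
        # after authorization, so it is flagged separately from plain PANs.
        has_track = TRACK_RE.search(line) is not None
        if pans or has_track:
            findings.append({"line": lineno, "pans": pans, "track_data": has_track})
    return findings
```

Running `scan_text(SAMPLE_LOG)` flags lines 1, 3 and 4 and marks line 3 as holding track data; the output never contains a full PAN, so the report itself stays out of scope.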
  27. Thank you! QUESTIONS?
     Sean D. Goodwin, CISA, PCIP, QSA
     Senior IT Assurance and Security Consultant
     Wolf & Company, P.C.
     @SeanDGoodwin