PCI DSS: The Cost of Non-Compliance



An introduction to PCI DSS Compliance for web designers and developers. Learn about the risks and ways to mitigate those risks.

Published in: Technology, Education


  1. PCI DSS: The Cost of Non-Compliance. Joseph Fung, April 29, 2008
  2. Today's Menu
     - PCI Who and When
     - Impact and Risk
     - Mitigating the Risk
  3. Part I: Who and When
  4. The Payment Card Industry
     - Payment Card Industry (PCI) Security Standards Council, founded in Dec 2004
     - Develops and maintains the PCI Data Security Standard (DSS)
     - PCI SSC: https://www.pcisecuritystandards.org
  5. Relationships (diagram): Merchant (Website Owner), Payment Card Industry, Banks, Processors
  6. The Timeline
     - Sep 2006: PCI DSS introduced
     - Jul 2007: contracts updated
     - Dec 2007: PCI DSS compliance required
     - Feb 2008: new tools launched (https://www.pcisecuritystandards.org/tech/saq.htm)
     - ~2010: additional requirements enforced
  7. Who is responsible?
     - Everyone assumes someone else is taking responsibility for education.
  8. Why are we here?
     - We want to give our clients the best advice possible.
  9. Part II: Impact and Risk
  10. Who needs to be compliant?
     - All merchants.
     - Includes brick and mortar, mail order and telephone order (MOTO), and e-commerce.
  11. Will this impact end consumers?
     - No, not really.
     - Consumers are protected by many systems and vehicles; the end consumer is almost always right.
  12. What is the value of compliance?
     - Demonstrate due diligence
     - Enhance confidentiality, integrity and authenticity of data
     - Competitive edge: positive image and enhanced trustworthiness
     - Safe harbor from fees
  13. What are the consequences?
     - Class action lawsuits
     - Insurance claims
     - Cancelled merchant accounts
     - Card provider fines ($50K - $500K)
     - Government fines ($5M - $20M)
     - Damaged client relationships
  14. Two Example (Fictional) Stories
     - Jim: online store using osCommerce
     - Kate: consultant using MOTO
  15. The Hitch
     - Compliance is not easy: there are MANY bases to cover, and most companies do not have the resources for full compliance.
     - Next: reviewing those bases.
  16. (image-only slide; no text captured)
  17. (footnotes to the data elements table on the previous slide)
     - * These data elements must be protected if stored in conjunction with the PAN.
     - ** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
     - PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
  18. PCI DSS Overview
     - 12 requirements in 6 groups
     - 3 particularly relevant to e-commerce
     - 8 must be addressed by the business owner
     - https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
  19. Build and Maintain a Secure Network
     - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  20. Protect Cardholder Data
     - Requirement 3: Protect stored cardholder data
     - Requirement 4: Encrypt transmission of cardholder data across open, public networks
  21. Maintain a Vulnerability Management Program
     - Requirement 5: Use and regularly update anti-virus software
     - Requirement 6: Develop and maintain secure systems and applications
  22. Implement Strong Access Control Measures
     - Requirement 7: Restrict access to cardholder data by business need-to-know
     - Requirement 8: Assign a unique ID to each person with computer access
     - Requirement 9: Restrict physical access to cardholder data
  23. Regularly Monitor and Test Networks
     - Requirement 10: Track and monitor all access to network resources and cardholder data
     - Requirement 11: Regularly test security systems and processes
  24. Maintain an Information Security Policy
     - Requirement 12: Maintain a policy that addresses information security
  25. Special Note on Hosting Providers
     - Per Requirement 12: all service providers with access to cardholder data must adhere to the PCI DSS.
     - Hosting providers must pay special attention to their role in this. They must form traceable silos.
  26. Making sense of it
     - Although we are not responsible for our clients' PCI DSS compliance, there are things we can do to help.
  27. Part III: Mitigating the Risk
  28. PCI Requirement 3
     - Use autocomplete="off" on card entry fields
     - Star out all but the last 4 digits
     - Never display the security code
     - Don't store the CVV number
     - Encrypt using the MySQL AES encryption functions
     - Use a TTL for displayed information
  29. PCI Requirement 4
     - Always pass credit card information via SSL (that includes any information sent to the browser on the admin side)
     - Have a qualified IT consultant secure any wireless networks (using VPNs over public wireless networks)
  30. PCI Requirement 6
     - Enable automatic updates for software
     - Include scheduled maintenance as part of the project
     - Use 3rd-party monitoring systems
  31. PCI Requirement 7
     - Use software that allows you to restrict access to credit card information (or better yet, don't store the data).
  32. PCI Requirement 10
     - Test the level of logging you can collect from your host (look for access logs and SSL access logs)
  33. Best Practices
     - Review the PCI DSS requirements with your clients that accept payment cards
     - Visit the PCI SSC website quarterly, or subscribe to the RSS feed: https://www.pcisecuritystandards.org/pcissc_news.xml
     - Require service providers and third parties to demonstrate PCI compliance
     - Store less, better access control, understand the data flow
  34. Best Practices (cont'd)
     - Perform a thorough scoping project to determine all credit card data flows from transaction to billing
     - Update frequently: compliance is for a specific software version/product and valid for one year
  35. Best Practices (cont'd)
     - Implement a waiver/sign-off on understanding PCI compliance
     - Update processes frequently: compliance is for a specific business/feature and valid for one year
  36. Best Practices (cont'd)
     - Automate log rotation and saving (some hosting providers delete logs automatically)
     - Maintain separate development, test, and production environments
     - Don't rely on WEP protection (use WPA or WPA2)
  37. Best Practices (cont'd)
     - Never send PANs over email
     - Never send PANs over email
     - Never send PANs over email
  38. Bonus Best Practice
     - Use the Self-Assessment Questionnaire as the gap analysis, and talk to the client about the ideals of PCI compliance before the logistics. Aim to pass the belief, not just the checklist.
     - Get the questionnaire at https://www.pcisecuritystandards.org/tech/saq.htm
  39. Conclusion
     - Review PCI standards with your clients and let them know the risks.
     - They are obliged to comply, and we would all like to help them get there.
  40. Questions/Comments?
     - Feel free to ask now or email me: joseph@lewismedia.com
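Added example (not part of the slides, and not code from the presenter or from osCommerce): a small Python module that puts slides 28 and 31 (Requirement 3: star out all but the last four digits, never keep the CVV, put a TTL on anything displayed, or better yet don't store the data) and slides 32 and 36 (Requirement 10: find out what your host's access logs actually capture) into working code. It keeps only the last four digits, so the MySQL AES encryption step from slide 28 is not needed and is not shown. The field names, the Luhn checksum used to reject mistyped numbers and to filter false positives in logs, and the access log lines are my own assumptions and constructed sample data.

```python
import re

# --- Requirement 3: what a web app may keep and show -----------------------

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum, the self-check built into card numbers.
    Assumption: not part of the original slides; used here to reject
    mistyped PANs at input time and to filter log false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Star out all but the last four digits (slide 28)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_for_storage(form: dict) -> dict:
    """Reduce a submitted checkout form (hypothetical field names) to the
    record the shop is allowed to persist: masked PAN and last four only,
    expiry, cardholder name. The CVV is dropped on purpose and the full PAN
    is never kept (slide 31: better yet, don't store the data)."""
    digits = re.sub(r"\D", "", form.get("pan", ""))
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("PAN failed length/Luhn check")
    return {
        "cardholder_name": form.get("cardholder_name", ""),
        "expiry": form.get("expiry", ""),
        "pan_last4": digits[-4:],
        "pan_masked": mask_pan(digits),
        # no "cvv" key: sensitive authentication data must not be stored
    }

def display_entry(masked_pan: str, shown_at: float, ttl_seconds: int = 300) -> dict:
    """Attach a TTL to information handed to the admin UI (slide 28)."""
    return {"masked_pan": masked_pan, "expires_at": shown_at + ttl_seconds}

def display_still_valid(entry: dict, now: float) -> bool:
    """False once the TTL has elapsed, so the UI must drop the data."""
    return now < entry["expires_at"]

# --- Requirement 10: check that PANs are not leaking into access logs --------

# 13-19 digits, optionally separated by single spaces or dashes,
# and not glued onto a longer digit run on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans_in_log_lines(lines) -> list:
    """Return (1-based line number, masked PAN) for every Luhn-valid PAN.
    Only the masked form is returned, so the finding itself does not
    become another copy of cardholder data."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits

# Constructed sample, Apache-style access log. Line 1 shows a checkout form
# submitted with GET, so the card number and CVV ended up in the host's log.
# Line 3 carries a 16-digit order id that fails Luhn and must not be reported.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2008:10:12:01 -0400] "GET /checkout.php?card=4111111111111111&cvv=123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2008:10:12:09 -0400] "POST /checkout.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [29/Apr/2008:10:13:40 -0400] "GET /order.php?id=1234567890123456 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    record = sanitize_for_storage({"cardholder_name": "Jane Doe",
                                   "pan": "4111 1111 1111 1111",
                                   "expiry": "12/10", "cvv": "123"})
    print(record)                              # no cvv key, PAN masked
    print(find_pans_in_log_lines(SAMPLE_LOG))  # [(1, '************1111')]
```

The log check is the practical form of slide 32's advice: once you know which access and SSL access logs the host keeps (and, per slide 36, that they are rotated and saved rather than deleted), run a scan like this over them; a hit usually means a form was submitted with GET or a PAN was written to a debug message, and either one puts the logs themselves in PCI scope.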