What exactly is PCI compliance and does it really matter? In a nutshell, it’s a required way to reduce the risk of credit card theft and YES, unlike many requirements out there, it really does matter. There’s a lot of confusion and misinformation about PCI compliance. To begin, let’s address who it applies to. The answer: every business, large or small, that accepts a credit card must be PCI compliant. If you’re a small restaurant owner and haven’t heard about PCI compliance from your bank yet, you will, and sooner rather than later. In the early days of PCI compliance, the banks focused on inspecting compliance with the largest retailers, those with more than 1 million credit card transactions in a year. However, since smaller victims are the preferred target, banks are spending more time and effort inspecting the level of PCI compliance of small businesses like restaurants. We’re getting calls from many restaurants who received a letter from the bank asking them for a copy of their PCI self-assessment questionnaire. Other banks are placing a “PCI non-compliance” fee on the monthly statement until the restaurant proves its compliance. PCI compliance is NOT a government regulation. However, don’t let that convince you that it doesn’t have teeth. It does! All the credit card companies and banks adhere to PCI compliance, and the rules, fines, and pass-through costs are very real. Another misconception out there is WHO is accountable for PCI compliance. It’s not the equipment vendors. If there’s a breach, 100% of the accountability is passed to the business owner. So you might be wondering, does PCI compliance really work? In other words, if you’re PCI compliant, can you still get breached? The answer is YES. However, statistics clearly show that being PCI compliant significantly reduces the chance that your business will be a victim. The standard does a great job of addressing vulnerabilities.
Becoming PCI compliant really means that you’re paying serious attention to security. And when you’re paying serious attention, the risk of becoming a victim is greatly diminished.
Credit card companies and merchant banks shifted the risk of data breach to the merchants through the introduction of PCI DSS. PCI DSS applies to all entities involved in credit card processing. Most merchants have no idea that the PCI requirements exist. The market is filled with inaccurate information and myths around PCI requirements and compliance. Achieving and maintaining PCI compliance is an arduous process.
Examples of just a few of the 250+ control requirements that are part of PCI DSS
You will be notified by the Secret Service, your merchant bank or credit card company that your business is the suspected site of a data breach. Once notified, you will be required to:
• Immediately stop taking credit cards.
• Pay for a forensic audit.
• Implement the remediation actions outlined in the forensic audit.
• Work with a Qualified Security Assessor (QSA) to demonstrate PCI compliance.
PCI – minimum requirements to be secure – the low-hanging fruit.
The effects of a credit card breach on a small business are truly daunting. To begin, the average direct cost of a data breach is $80,000. Those costs include forensic analysis, fines, and credit card replacement. It’s no surprise then that 70% of breached businesses don’t survive a year after a major incident. What IS somewhat surprising is that some estimates put the risk of suffering a major data breach at 1 in 6 over the next 24 months. To put that in another perspective, a business is far more likely to suffer a data breach than a fire. 98% of breaches originate from organized criminal groups. In other words, it’s not teenagers sitting in their parents’ basement doing the breaches. It’s criminals across the world looking to make money. It’s what they do for a living, and they work at it 365 days of the year. And when they steal credit card information, there’s a well-organized underground market to sell the stolen information. The average number of days between intrusion and detection is 174. Businesses are breached and don’t realize it until considerable damage is done. It’s also a very underreported crime.
As for the PCI requirements themselves, think of them as the layers of an onion. At first glance, it doesn’t seem like much. There are just 6 control objectives:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy
Not bad, right? Well, those objectives then turn into 12 requirements, commonly referred to as “the digital dozen”. 12 is still a manageable number. Where it becomes overwhelming for most restaurant owners is when you dive into the annual self-assessment questionnaire (SAQ). In order to address the digital dozen, the business owner must answer over 200 detailed questions, and many of those questions are of the technical variety. It’s no wonder, then, that the vast majority of businesses are not PCI compliant. They simply underestimate how long it will take and the resources required to fully meet the requirements. The 12 requirements break down into 280 detailed requirements, all assessed through the SAQ.
SAQ: which requirements apply depends on how you answer, e.g. do you store credit cards? Answering no eliminates some of the 280 requirements. How do I determine my merchant level? Your credit card processor can tell you how they have categorized you. Isolate your POS network. Don’t store data, and make sure all data is encrypted. Watch for weak security configurations and operating system flaws where the level of encryption is much lower than industry standards.
Note: There are no “levels” of compliance; you’re either compliant or you’re not. What you’re required to do depends on your environment, e.g. do you store credit cards?
PCI Compliance Overview – EarthLink Business
What is PCI Compliance?
Definition: Payment Card Industry Data Security Standard (PCI-DSS). Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants. Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data.
6 Control Objectives, 12 Core Requirements, 280+ Audit Procedures
Many misconceptions about PCI DSS
I don’t need to be compliant because…
“…I don’t process many credit cards.”
“…I don’t store credit card information.”
“…I’m not a major brand retailer.”
OR I’m compliant because…
“…My POS systems are compliant”
“…I have firewalls in place”
“…I’ve passed an ASV scan”
“…I’ve implemented the basic requirements”
PCI DSS is complex, and applies to all merchants who accept credit cards.
If you cannot answer yes to the three questions below, you are NOT PCI compliant:
1. Have ALL employees completed a PCI-certified security awareness training program upon hire and annually thereafter?
2. Have all employees read and signed a formal security policy?
3. Can you demonstrate that all remote access from you, your employees or vendors incorporates 2-factor authentication?
A recent survey by Gartner, Inc. found that 18 percent of respondents admitted to not being PCI compliant.
Timeline: What happens if I am breached?
Day 1: Notification of breach; stop taking credit cards; monitor for PR/social impact
Day 5: Complete forensic audit; contact a Qualified Security Assessor (QSA)
Day 7: Obtain remediation proposals
Day 10 to Day 40-180: Execute remediation plan; replace credit cards; disclose breach; address brand impact; possible reclassification as Level 1
What’s the likelihood and risk of breach?
$80K: average per-location direct cost of a data breach (excludes indirect costs such as damage to brand)
1 in 6: small businesses will suffer a credit card breach in the next 24 months
98%: breaches originate from organized criminal groups
174: average days between intrusion and detection
97% of U.S. incidents are brick & mortar merchants
91% of U.S. breach events occurred at small merchants
What’s the financial impact to my business? Data breach cost breakdown:
• ~$20,000 for an internal forensic audit
• $50 per breached card for reissuance
• Up to $500,000 in regulatory compliance violation fines
• Payment of transactions held back from merchant processor
• Damage to brand/lost revenue
• Loss of credit privileges/credit impact
What are the requirements for PCI Compliance?
Control objectives: 1 Build and maintain a secure network; 2 Protect cardholder data; 3 Maintain a vulnerability management program; 4 Implement strong access control measures; 5 Regularly monitor and test networks; 6 Maintain an information security policy.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords or other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
280 specific requirements under the 12 core requirements
What do I need to do to validate PCI compliance?
• 4 merchant levels based on volume of transactions
• Validation requirements vary based on level
Level | Criteria | On-Site Security Audit / Self-Assessment Questionnaire (SAQ) | Network Authorized Vendor Scan (ASV)
1 | Any merchant processing more than 6 million transactions per year | Required annually | Required quarterly
2 | Any merchant processing 1 to 6 million transactions per year | Required annually | Required quarterly
3 | Any merchant processing 20,000 to 1 million transactions per year | Required annually | Required quarterly
4 | All other merchants, not in Levels 1, 2 or 3 | Required annually | Required quarterly
How to Proactively Protect Your Business from Breach
Step 1: Establish Financial Protection
Step 2: Validate PCI Compliance
Step 3: Achieve Compliance
Step 4: Maintain Compliance
Step 1: Financially Protect Your Business
Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach. For as little as $1 per day per location, this can cover the costs of:
• Forensic audit and consultation with a Qualified Security Assessor (QSA)
• Replacement of credit cards and related expenses
• Fines and penalties incurred
Step 2: Validate PCI Compliance
PCI compliance must be validated on an ongoing
Step 3: Achieve PCI Compliance
Address gaps identified during the validation process. Up to 280 requirements depending on your environment. Common issues:
• Outdated firewalls
• Insecure remote access
• Weak security configurations
• Operating system flaws
• Lack of staff training
• Flawed security policies
• Poor change control procedures
Step 4: Maintain Compliance
• Conduct on-going PCI training for employees, including cashiers and IT staff
• Document and enforce security policies
• Conduct regular assessments and network scans for all locations, and remediate gaps
• Identify and work closely with a PCI Compliance Partner who can help
Protect Your Business & Validate PCI Compliance with EarthLink
PCI Compliance Validation Service for Level 2-4 merchants. Provides $100,000 in breach protection per location. Includes Web-based tools for:
• Wizard-based Self-Assessment Questionnaire (SAQ)
• Authorized Scan Vendor (ASV) scanning
• Task management and reporting
• Security policy templates
• PCI eLearning (cashier, IT and owner)
Powered by ANX eBusiness
Questions? Contact Mike Shelah.