Uploaded byokrantz
6,942 views

1. PCI Compliance Overview

This document discusses the importance of PCI compliance for businesses that accept credit cards. It begins by explaining what PCI is and the penalties for non-compliance, which include fines and forensic investigation costs. It then outlines who must comply with PCI standards based on their role in processing credit card transactions. The document concludes by emphasizing the costs of a security breach and provides tips for businesses to improve their PCI compliance.

Related topics:
PCI DSS Training IT Security

Embed presentation

Why it‘s important to your business PCI COMPLIANCE
What is PCI In 2004 the Pament Card Industry Data Security Standard (PCI-DSS) was created by the 4 major credit cards brands – Visa, MasterCard, Discover and American Express. In 2006 JCB joined these four to form the PCI Security Standards Council (PCI SSC), establishing additional security standards and updating the existing ones. Ensure you are compliant so you avoid costly security breaches that can include: 100% responsibility for cardholder losses Card brand fines up to $500,000 per incident Forensic investigations expenses as high as $100,000 IT Compliance Consulting 2
Terminology of Who’s Who Visa and MasterCard are made up of Member organisations who can be either Acquirers, Issuers or both Acquirers are the Members of the Visa or MasterCard organisations which handle Merchants Issuers are the Members of the Visa or MasterCard organisations that issue the cards to Cardholders Merchants are those entities who “accept” card transactions Cardholders are consumers like you and me Service Providers are the entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above IT Compliance Consulting 3
Who must comply The Payment Card Industry Data Security Standards (PCI-DSS) apply to all members, merchants and service providers that store, process or transmit cardholder data Additionally, these security requirements apply to all system components which are defined as any network component, server or application included in, or connected to, the cardholder data environment Although compliance is universally required, compliance validation requirements can vary By classification: Service Providers (entities that process, store, or transmit cardholder data on behalf of other entities) have stronger validation requirements than Merchants By size: Entities that process larger volumes have stronger validation requirements than those who process smaller volumes IT Compliance Consulting 4
Responsibilities MasterCard is responsible for certifying products and companies capable of fulfilling the scanning requirements These are referred to Approved Scanning Vendors (ASVs) Visa is responsible for training and certifying companies and individuals capable of fulfilling the on-site audit requirements Such companies are called Qualified Security Assessors (QSAs) The other PCI organisations are contributors to the standards IT Compliance Consulting 5
Data in Scope Cardholder Data PAN (Primary Account Number) Cardholder Name Card verification code (CVV, CVC) Expiration Date Apart from the cardholder name, all other data must be protected when stored in any form, electronic or paper Authentication Data Referred to as Track Data (1 or 2) Three elements Full Magnetic Strip Data CVV2/CVC2/CID2 (Security Code) PIN / PIN Block None of this data can ever be stored after authorization IT Compliance Consulting 6
Cardholder Data: Storage Guidelines Data Element Storage Protection permitted required Primary Account Number (PAN) Yes Yes Cardholder Name* Yes Yes* Cardholder Data Service Code* Yes Yes* Expiration Date Yes Yes* Sensitive Magnetic Stripe No N/A Authentication Data CVV2/CVC2/CID2 No N/A PIN / PIN Block No N/A * These data elements must be protected if stored in conjunction with the PAN IT Compliance Consulting 7
Protect your Business and your Customers With data security compromises on the rise, it is more important than ever to take measures to safeguard your customers and your business Criminals or “hackers” can pose a risk to your business both on-site and remotely, making it necessary to implement procedures to protect your sensitive data, whether it is stored in a file cabinet or on a computer The largest breach in history – 94 million card numbers stolen in 2007, occured at TJ Max, a large US clothing retailer. They agreed to pay $60 million to card networks to settle complaints 11 TJ-Max Hackers were caught, coming from the US, Ukraine, China, Estonia and Belarus 70 % of all database breaches are internal IT Compliance Consulting 8
What are the costs of a security breach? The cost associated with a compliance failure or data breach can be very expensive for any merchant or service provider, especially a small or medium sized business owner. These costs include: Forensic investigation of computer or point of sale systems: $10,000 - $20,000 Replacement cards for breached accounts: $20-$30 per card Card Association fines for non-compliance with the PCI Standard, up to $500,000 Loss of business reputation and customer loyalty, and potentially credit card acceptance IT Compliance Consulting 9
Common excuses after a security breach I thought my IT Department was taking care of that I thought we had a secure website with a firewall I didn’t know my filing cabinets had to be secured I didn’t know 70% of all database breaches are internal I thought outsourcing to a vendor relieved me of the responsibility My bank never mentioned anything about PCI to me The merchant agreement with the bank didn’t specifically indicate we would be responsible for fines IT Compliance Consulting 10
Compliance-Validation-Attestation Compliance - Adherence to the standard Applies to every merchant/ service provider regardless of volume Applies to both technical and business practices Validation - Verification that merchant/ service provider is compliant with the standard Depends upon type of card capture method(s) utilized Two types of Validation Self-Assessment Questionnaire (SAQ) Annually – applies to every merchant Vulnerability Scanning Quarterly – applies if external-facing IP addresses are involved (Web and POS Software). Must be performed by a Qualified Scanning Vendor (QSV) Attestation - Providing proof of validation to card processor Card processor reports to Visa and MasterCard Attest whenever requested by the card processor IT Compliance Consulting 11
Card Capture Channels Card Present Card Not Present Card can be swiped Card cannot be swiped • All Credit Cards • All Credit Cards • Pin based debit cards with the • Debit cards with the Visa/ Visa/ MasterCard logo MasterCard logo Face to Face transactions Remote transactions • Through the Internet • Mail / Telephone Order (MOTO) • Interactive Voice Response (IVR) Requirements to be followed are determined primarily by the card capture method being utilized IT Compliance Consulting 12
Do’s to become PCI Compliant Build and maintain a secure network Protect cardholder data Segregation of duties by department Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy IT Compliance Consulting 13
Don'ts to stay PCI compliant Transmitting credit card numbers unsecured by Fax E‐mail Text message Instant messaging Storing of audio recordings of CVV, CVC, etc. Storing of full Magnetic Stripe track data - one of the most ‐ common violations of PCI‐DSS) Storing CVV2/CVC2/CID2 anytime after the transaction has been authorized Forgetting about paper copies and disk drives in multifunctional printers IT Compliance Consulting 14
Easy Improvements Store Less Data Don’t store cardholder data unless there is a compelling business reason to do so Determine where credit card data exists in your organization, what it is used for and why it is needed Eliminate “shadow databases” (Excel worksheets, etc.) View online reports, don’t download them (downloading = storing) Ensure your systems don’t store magnetic stripe data by default Retaining of CVV2/ CVC2/ CID2 data and PIN subsequent to authorization is never allowed Better Access Controls Limit cardholder data only to employees with “need to know” Segment databases and networks – thereby limiting scope of PCI Implement requirements specified in the Standard, as identified in the annual Self Assessment Questionnaire (SAQ) Establish formal written Policies and Procedures IT Compliance Consulting 15
Compliance Levels of Merchants Quarterly Self-Assessment Network Security Vulnerability Scan Questionaire Scan (Penetr. test)* Level 1 Required, in addition to Not Required Required > 6 million transactions or annual on-site (annually) previously compromised certification Level 2 Required Required Required > 1 million transactions (annually) (annually) Level 3 Required Required Required > 20K e-commerce txs. (annually) (annually) Level 4 Required Recommended Recommended < 20K e-commerce txs. (annually) (annually) < 1 million total txs. * External facing IP addresses, that only store cardholder data IT Compliance Consulting 16
Compliance Levels of Service Providers Quarterly Self-Assessment Network Security Vulnerability Scan Questionaire Scan (Penetr. test)* Level 1 Required, in addition to Not Required Required All processors and annual (annually) payment gateways on-site certification Level 2 Required, in addition to Required Required Not level 1 and stores, annual *** (annually) processes or transmits on-site certification more than 1 million txs. ** Level 3 Required Required Recommended Not level 1 and stores, (annually) processes or transmits less than 1 million txs. * External facing IP addresses, that only store cardholder data ** On-site certification required only by MasterCard as of 2011 *** Required annually only by VISA IT Compliance Consulting 17
Service Providers It is the responsibility of the merchant to utilize compliant service providers If the service provider is not compliant, then the merchant is not compliant Any fines for breaches pertain to the merchant not to the service provider Examples of Service Providers Gateway and Web Hosting Backup Storage and IT Infrastructure PCI Requirement 12.8 applies, requiring merchant to “manage” the service provider: Maintaining a “written agreement” specifying the service provider’s responsibility for compliance Performing due diligence to ensure PCI compliance prior to engagement Monitoring the service provider’s compliance status Monitoring the Service Provider Some vendors are registered as compliant by Visa or MC. The merchant should obtain “evidence” of compliance from vendor (e.g. Report on Compliance –RoC) Merchant cannot answer SAQ truthfully if requirements are not met IT Compliance Consulting 18
PCI DSS Structure Is made up of six key sections: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management Program Implement strong control measures Regularly monitor and test networks Maintain aninformation security policy Each section has a set of Requirements, for example: Build and maintain a secure network Requirement 1: Install and maintain a firewall configuration to protect data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. IT Compliance Consulting 19
PCI DSS Structure, Continued Each Requirement has a rationale and a set of subrequirements specified for review, e.g. Requirement 1: Install and maintain a firewall configuration to protect data Firewalls are computer devices that control computer traffic allowed into a company’s network from the outside, as well as traffic into more sensitive areas within a company’s internal network. All systems need to be protected from unauthorized access from the Internet, whether for e-commerce, employees’ Internet-based access via desktop browsers, or employees’ email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network Requirement 1.1 Establish firewall configuration standards that include: 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the Intranet IT Compliance Consulting 20
Building and Maintaining a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Internet firewall security needs to be installed and functional on all computers, payment applications and POS systems using IP connectivity, including those with a dial up connection to the internet Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters. Passwords should be personalized for all users. All unnecessary services should be disabled IT Compliance Consulting 21
Protecting Cardholder Data Requirement 3: Protect stored cardholder data. Do not store the contents of the track data from the magnetic stripe on the credit card or the CVV or CVC information (3 digit code on the back on the card) post authorization Only store cardholder account information that is essential to your business. Hard copies of reports and paper receipts must be placed in a secured area and shredded when discarded. Implement a policy on how long data will be stored for and why (i.e. business or legal purposes) Requirement 4: Encrypt transmission of cardholder data across open or public networks. Databases and files containing payment card information must be encrypted. Encryption software is required for systems using internet connectivity for transmission of cardholder information IT Compliance Consulting 22
Maintaining a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Install and maintain updated anti-virus software on all computers and servers. The number one reason for hacker fraud is Trojan or Backdoor virus intrusion Requirement 6: Develop and maintain secure systems and applications. Check with your software supplier to ensure you are using the latest version. You can also verify if your software and version are included on the PCI Security Standards Council’s Validated Payment Application list Old technology and software is an open invitation for hackers. Don’t take for granted that your supplier has informed you of possible vulnerabilities or updates. Remember it is you that will be subject to fines if your business is compromised IT Compliance Consulting 23
Implementing Strong Access Control Measures Requirement 7: Restrict access to cardholder data on a need-to-know basis. Complex passwords should always be used to limit access to cardholder information Requirement 8: Assign a unique ID to each person with computer access. Ensure each employee has a unique user name and password to restrict access to computers and transaction systems’ data. Make sure you update passwords when any employee leaves who had access to cardholder data Requirement 9: Restrict physical access to cardholder data IT Compliance Consulting 24
Regularly Monitoring and Testing Networks/ Maintaining an Information Security Policy Requirement 10: Track and monitor all access to network resources and cardholder data as well as to network resources (i.e. computers and transaction systems). You must be able to show proof of tracking Requirement 11: Regularly test security systems and processes. Document a policy for testing of security systems and processes. You must be able to show proof of testing of your internet security and policy processes Requirement 12: Maintain a policy that addresses information security. Document and maintain an enforceable policy that details safeguarding of payment card information IT Compliance Consulting 25
PCI-DSS relative to other standards PCI-DSS Consistency of controls SOX 404 GLBA SR Expertise required HIPAA SR ISO 17799-2000 Generic Prescriptive IT Compliance Consulting 26
Milestones for Prioritizing PCI DSS Compliance efforts The Prioritized Approach includes six milestones. The list below summarizes the high-level goals and intentions of each milestone. 1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication and other cardholder data is not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it! 2. Protect the perimeter, internal and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point IT Compliance Consulting 27
Milestones for Prioritizing PCI DSS Compliance efforts cont. 3. Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data 4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when and how concerning who is accessing your network and cardholder data environment IT Compliance Consulting 28
Milestones for Prioritizing PCI DSS Compliance efforts cont. 5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, milestone five targets key protections mechanisms for that stored data 6. Finalize remaining compliance efforts and ensure all controls are in place. The intent of milestone six is to complete PCI DSS requirements and finalize all remaining related policies, procedures and processes needed to protect the cardholder data environment IT Compliance Consulting 29
On-site Assessment Is a detailed audit against the PCI Data Security Standard Potentially targets all systems and networks that store, process and/ or transmit cardholder information Includes review of contractual relationships, but not assessment of the Third Parties themselves Must be performed using an offering from a Visa certified Qualified Security Assessor (QSA) such as Trustwave Biggest difficulties in having on-site reviews are the initial scoping and the subsequent cost of correction to compliant levels The QSA provides a report on compliance when compliant, for submission to the Acquirer. Interim reports may be asked for by the Acquirer IT Compliance Consulting 30
On-site Review Practicalities Make sure you scope correctly The appropriate placement of a stateful firewall can reduce the scope dramatically If not compliant, it will be necessary to submit planning information on how compliance will be achieved This will be monitored and policed both by your QSA and Acquirer It may be possible to use compensating controls to meet a requirement Must be controls over and above what is already specified, and Must meet the intent of the requirement At the discretion of the QSA and must be agreed to by the Acquirer IT Compliance Consulting 31
PCI DSS Control Evaluation The PCI Security Audit Procedures give some guidance on what will be checked for. An example of this can be seen by: 6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability Testing procedure 6.3.7.a - Obtain and review written policies to confirm they dictate that code reviews are required, and must be performed by individuals other than the originating author of the code 6.3.7.b - Confirm that code reviews are occurring for new code as well as after code changes IT Compliance Consulting 32
Tokenization This new technology replaces sensitive cardholder data (the PAN in particular) with a randomized token that represents the data. Tokenization eliminates the storage of actual cardholder data and brings the following benefits: Scope reduction by allowing fewer system components to have access to real card holder data – the most significant benefit Cardholder data security can be improved when data encryption is combined with tokenization Avoids the complexity of key management requirements when replacing encryption IT Compliance Consulting 33
Network Security Scanning Targets Internet facing devices, systems and applications including routers and firewalls servers and hosts (including virtual) Applications May not have any severity 3 or greater issues: 5 (Urgent) - Trojan Horses, file read and write exploits, remote command execution 4 (Critical) - Potential Trojan Horses, file read exploit 3 (High) - Limited exploit IT Compliance Consulting 34
Security Incident Plan Requirements of: Card Association Rules Requirement number 12 of the PCI DSS OSC’s policy -“Merchant Cards Security Incident Plan” Basic points Must have a formal plan Applies to both technology and paper breaches Acquirer must be notified in all cases – immediately Card associations take into consideration timeliness of reporting when determining fines for breach IT Compliance Consulting 35
Limit Personnel Access to Restricted Data Background checks must be performed prior to hiring for any positions with unrestricted access to cardholder data (not necessary for cashier level personnel with access to only one card at a time) All personnel involved in credit card transactions must attend security training annually Physical and logical access only granted on a ‘need to know’ basis IT Compliance Consulting 36
FAQ‘s Q: Am I PCI compliant if my point-of-sale system is compliant? A: No. PCI compliance goes beyond the hardware or software used for payment card processing. You are expected to be compliant to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS contains 12 requirements addressing 6 core principles for network architecture, cardholder data protection, vulnerability management, access controls, network security and information security policies. These include items such as policies for storing reports/receipts, physical access to data, passwords, etc. Using a validated payment application and/ or an PCI approved PIN Entry Device (PED) may aide in reducing scope of potential areas requiring attention. However, to be considered PCI compliant, you must validate your compliance by completing and passing the PCI SAQ and network vulnerability scans (if applicable) IT Compliance Consulting 37
FAQ’s Q: As a merchant, I did not sign anything saying I would be compliant; therefore, I don’t need to be A: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit card data Q: Who needs to comply with the PCI DSS? A: ALL organizations, regardless of size or number of transactions, that process, store or transmit cardholder data must comply with the PCI DSS. Essentially, all merchants with a Merchant Identification number (MID) and all service providers that touch cardholder data are required to comply with the PCI DSS. IT Compliance Consulting 38
PCI Glossary CISP - Visa’s Cardholder Information Security Program SDP - MasterCard’s Site Data Protection Program PCI SSC - Payment Card Security Standards Council PCI DSS - Payment Card Industry Data Security Standard * PCI PA-DSS - PCI Payment Application Data Security Standard* PTS - PIN Transaction Security Standard * QSA - Qualified Security Assessor (e.g., Trustwave) ASV - Approved Scanning Vendor (e.g., Trustwave) SAQ - Self Assessment Questionnaire (A, B, C, or D) * Note: Three separate standards can apply IT Compliance Consulting 39

More Related Content

PPTX
Introduction to PCI DSS
bySaumya Vishnoi
 
PPTX
PCI DSS Compliance Checklist
byControlCase
 
PPT
PCI DSS
byDuy Do Phan
 
PPTX
PCI DSS Compliance
bySaumya Vishnoi
 
PPTX
A practical guides to PCI compliance
byJisc
 
PPTX
Webinar - pci dss 4.0 updates
byVISTA InfoSec
 
PPTX
PCI DSS 4.0 Webinar Final.pptx
byControlCase
 
PDF
PCI-DSS_Overview
bysameh Abulfotooh
 
Introduction to PCI DSS
bySaumya Vishnoi
 
PCI DSS Compliance Checklist
byControlCase
 
PCI DSS
byDuy Do Phan
 
PCI DSS Compliance
bySaumya Vishnoi
 
A practical guides to PCI compliance
byJisc
 
Webinar - pci dss 4.0 updates
byVISTA InfoSec
 
PCI DSS 4.0 Webinar Final.pptx
byControlCase
 
PCI-DSS_Overview
bysameh Abulfotooh
 

What's hot

PPTX
PCI DSS 3.2
byKimberly Simon MBA
 
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
PCI DSS for Pentesting
byn|u - The Open Security Community
 
PDF
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
PPTX
IT Audit Methodologies
bySALIH AHMED ISLAM
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PDF
(Old version) My Gap analysis results between ISO27001: 2022 and 2013 version.
byJS
 
PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
PPT
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
PPTX
Security models for security architecture
byVladimir Jirasek
 
PDF
Cybersecurity domains-map-3.0
byOscar Ferreira
 
PDF
PCI DSS v4 - ControlCase Update Webinar Final.pdf
byControlCase
 
PPTX
Security Operation Center - Design & Build
bySameer Paradia
 
PDF
Programme de cybersécurité : Implementer le framework NIST CSF en entreprise
byEyesOpen Association
 
PPTX
Security Baselines and Risk Assessments
byPriyank Hada
 
PDF
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Why ISO27001 For My Organisation
byVigilant Software
 
PDF
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
PPTX
Project plan for ISO 27001
bytechnakama
 
PDF
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PCI DSS 3.2
byKimberly Simon MBA
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PCI DSS for Pentesting
byn|u - The Open Security Community
 
Introduction to NIST Cybersecurity Framework
byTuan Phan
 
IT Audit Methodologies
bySALIH AHMED ISLAM
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
(Old version) My Gap analysis results between ISO27001: 2022 and 2013 version.
byJS
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
byBachir Benyammi
 
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
Security models for security architecture
byVladimir Jirasek
 
Cybersecurity domains-map-3.0
byOscar Ferreira
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
byControlCase
 
Security Operation Center - Design & Build
bySameer Paradia
 
Programme de cybersécurité : Implementer le framework NIST CSF en entreprise
byEyesOpen Association
 
Security Baselines and Risk Assessments
byPriyank Hada
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Why ISO27001 For My Organisation
byVigilant Software
 
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
Project plan for ISO 27001
bytechnakama
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 

Similar to 1. PCI Compliance Overview

PDF
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
byMiminten
 
PDF
PCI Compliance: What You Need to Know
bySasha Nunke
 
PPTX
Payment Card Industry Introduction 2010
byDonald E. Hester
 
PPTX
Introduction to PCI APR 2010
byDonald E. Hester
 
PPT
Evolution Pci For Pod1
byAmanda Squires@Pod1
 
DOC
Cisp Payment Application Best Practices
byguestcc519e
 
PDF
Protecting Payment Card Data Wp091010
byErik Ginalick
 
PDF
Tripwire pci basics_wp
byEdward Lam
 
PPT
Vormetric data security complying with pci dss encryption rules
byVormetric Inc
 
PDF
Payment card industry data security standard 1
bywardell henley
 
PPT
Chameleon PCI Presentation
bychristoboshoff
 
PDF
The Smart Approach To Pci DSS Compliance – Braintree White Paper
byBen Rothke
 
PDF
PCI What When AISA Sydney 2009
byJason Edelstein
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 
PPT
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
PDF
Adventures in PCI Wonderland
byMichele Chubirka
 
PDF
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
byRapid7
 
PPTX
The Easy WAy to Accept & Protect Credit Card Data
byTyler Hannan
 
PDF
PCI Compliance What Does This Mean For the Australian Market Place 2007
byJason Edelstein
 
PDF
PCI Compliance Overview
byLawPay
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
byMiminten
 
PCI Compliance: What You Need to Know
bySasha Nunke
 
Payment Card Industry Introduction 2010
byDonald E. Hester
 
Introduction to PCI APR 2010
byDonald E. Hester
 
Evolution Pci For Pod1
byAmanda Squires@Pod1
 
Cisp Payment Application Best Practices
byguestcc519e
 
Protecting Payment Card Data Wp091010
byErik Ginalick
 
Tripwire pci basics_wp
byEdward Lam
 
Vormetric data security complying with pci dss encryption rules
byVormetric Inc
 
Payment card industry data security standard 1
bywardell henley
 
Chameleon PCI Presentation
bychristoboshoff
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
byBen Rothke
 
PCI What When AISA Sydney 2009
byJason Edelstein
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
Adventures in PCI Wonderland
byMichele Chubirka
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
byRapid7
 
The Easy WAy to Accept & Protect Credit Card Data
byTyler Hannan
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
byJason Edelstein
 
PCI Compliance Overview
byLawPay
 

1. PCI Compliance Overview

  • 1.
    Why it‘s importantto your business PCI COMPLIANCE
  • 2.
    What is PCI In2004 the Pament Card Industry Data Security Standard (PCI-DSS) was created by the 4 major credit cards brands – Visa, MasterCard, Discover and American Express. In 2006 JCB joined these four to form the PCI Security Standards Council (PCI SSC), establishing additional security standards and updating the existing ones. Ensure you are compliant so you avoid costly security breaches that can include: 100% responsibility for cardholder losses Card brand fines up to $500,000 per incident Forensic investigations expenses as high as $100,000 IT Compliance Consulting 2
  • 3.
    Terminology of Who’sWho Visa and MasterCard are made up of Member organisations who can be either Acquirers, Issuers or both Acquirers are the Members of the Visa or MasterCard organisations which handle Merchants Issuers are the Members of the Visa or MasterCard organisations that issue the cards to Cardholders Merchants are those entities who “accept” card transactions Cardholders are consumers like you and me Service Providers are the entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above IT Compliance Consulting 3
  • 4.
    Who must comply ThePayment Card Industry Data Security Standards (PCI-DSS) apply to all members, merchants and service providers that store, process or transmit cardholder data Additionally, these security requirements apply to all system components which are defined as any network component, server or application included in, or connected to, the cardholder data environment Although compliance is universally required, compliance validation requirements can vary By classification: Service Providers (entities that process, store, or transmit cardholder data on behalf of other entities) have stronger validation requirements than Merchants By size: Entities that process larger volumes have stronger validation requirements than those who process smaller volumes IT Compliance Consulting 4
  • 5.
    Responsibilities MasterCard is responsiblefor certifying products and companies capable of fulfilling the scanning requirements These are referred to Approved Scanning Vendors (ASVs) Visa is responsible for training and certifying companies and individuals capable of fulfilling the on-site audit requirements Such companies are called Qualified Security Assessors (QSAs) The other PCI organisations are contributors to the standards IT Compliance Consulting 5
  • 6.
    Data in Scope CardholderData PAN (Primary Account Number) Cardholder Name Card verification code (CVV, CVC) Expiration Date Apart from the cardholder name, all other data must be protected when stored in any form, electronic or paper Authentication Data Referred to as Track Data (1 or 2) Three elements Full Magnetic Strip Data CVV2/CVC2/CID2 (Security Code) PIN / PIN Block None of this data can ever be stored after authorization IT Compliance Consulting 6
  • 7.
    Cardholder Data: StorageGuidelines Data Element Storage Protection permitted required Primary Account Number (PAN) Yes Yes Cardholder Name* Yes Yes* Cardholder Data Service Code* Yes Yes* Expiration Date Yes Yes* Sensitive Magnetic Stripe No N/A Authentication Data CVV2/CVC2/CID2 No N/A PIN / PIN Block No N/A * These data elements must be protected if stored in conjunction with the PAN IT Compliance Consulting 7
  • 8.
    Protect your Businessand your Customers With data security compromises on the rise, it is more important than ever to take measures to safeguard your customers and your business Criminals or “hackers” can pose a risk to your business both on-site and remotely, making it necessary to implement procedures to protect your sensitive data, whether it is stored in a file cabinet or on a computer The largest breach in history – 94 million card numbers stolen in 2007, occured at TJ Max, a large US clothing retailer. They agreed to pay $60 million to card networks to settle complaints 11 TJ-Max Hackers were caught, coming from the US, Ukraine, China, Estonia and Belarus 70 % of all database breaches are internal IT Compliance Consulting 8
  • 9.
    What are thecosts of a security breach? The cost associated with a compliance failure or data breach can be very expensive for any merchant or service provider, especially a small or medium sized business owner. These costs include: Forensic investigation of computer or point of sale systems: $10,000 - $20,000 Replacement cards for breached accounts: $20-$30 per card Card Association fines for non-compliance with the PCI Standard, up to $500,000 Loss of business reputation and customer loyalty, and potentially credit card acceptance IT Compliance Consulting 9
  • 10.
    Common excuses aftera security breach I thought my IT Department was taking care of that I thought we had a secure website with a firewall I didn’t know my filing cabinets had to be secured I didn’t know 70% of all database breaches are internal I thought outsourcing to a vendor relieved me of the responsibility My bank never mentioned anything about PCI to me The merchant agreement with the bank didn’t specifically indicate we would be responsible for fines IT Compliance Consulting 10
  • 11.
    Compliance-Validation-Attestation Compliance - Adherence to the standard Applies to every merchant/ service provider regardless of volume Applies to both technical and business practices Validation - Verification that merchant/ service provider is compliant with the standard Depends upon type of card capture method(s) utilized Two types of Validation Self-Assessment Questionnaire (SAQ) Annually – applies to every merchant Vulnerability Scanning Quarterly – applies if external-facing IP addresses are involved (Web and POS Software). Must be performed by a Qualified Scanning Vendor (QSV) Attestation - Providing proof of validation to card processor Card processor reports to Visa and MasterCard Attest whenever requested by the card processor IT Compliance Consulting 11
  • 12.
    Card Capture Channels Card Present Card Not Present Card can be swiped Card cannot be swiped • All Credit Cards • All Credit Cards • Pin based debit cards with the • Debit cards with the Visa/ Visa/ MasterCard logo MasterCard logo Face to Face transactions Remote transactions • Through the Internet • Mail / Telephone Order (MOTO) • Interactive Voice Response (IVR) Requirements to be followed are determined primarily by the card capture method being utilized IT Compliance Consulting 12
  • 13.
    Do’s to becomePCI Compliant Build and maintain a secure network Protect cardholder data Segregation of duties by department Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy IT Compliance Consulting 13
  • 14.
    Don'ts to stayPCI compliant Transmitting credit card numbers unsecured by Fax E‐mail Text message Instant messaging Storing of audio recordings of CVV, CVC, etc. Storing of full Magnetic Stripe track data - one of the most ‐ common violations of PCI‐DSS) Storing CVV2/CVC2/CID2 anytime after the transaction has been authorized Forgetting about paper copies and disk drives in multifunctional printers IT Compliance Consulting 14
  • 15.
    Easy Improvements Store LessData Don’t store cardholder data unless there is a compelling business reason to do so Determine where credit card data exists in your organization, what it is used for and why it is needed Eliminate “shadow databases” (Excel worksheets, etc.) View online reports, don’t download them (downloading = storing) Ensure your systems don’t store magnetic stripe data by default Retaining of CVV2/ CVC2/ CID2 data and PIN subsequent to authorization is never allowed Better Access Controls Limit cardholder data only to employees with “need to know” Segment databases and networks – thereby limiting scope of PCI Implement requirements specified in the Standard, as identified in the annual Self Assessment Questionnaire (SAQ) Establish formal written Policies and Procedures IT Compliance Consulting 15
  • 16.
    Compliance Levels ofMerchants Quarterly Self-Assessment Network Security Vulnerability Scan Questionaire Scan (Penetr. test)* Level 1 Required, in addition to Not Required Required > 6 million transactions or annual on-site (annually) previously compromised certification Level 2 Required Required Required > 1 million transactions (annually) (annually) Level 3 Required Required Required > 20K e-commerce txs. (annually) (annually) Level 4 Required Recommended Recommended < 20K e-commerce txs. (annually) (annually) < 1 million total txs. * External facing IP addresses, that only store cardholder data IT Compliance Consulting 16
  • 17.
    Compliance Levels ofService Providers Quarterly Self-Assessment Network Security Vulnerability Scan Questionaire Scan (Penetr. test)* Level 1 Required, in addition to Not Required Required All processors and annual (annually) payment gateways on-site certification Level 2 Required, in addition to Required Required Not level 1 and stores, annual *** (annually) processes or transmits on-site certification more than 1 million txs. ** Level 3 Required Required Recommended Not level 1 and stores, (annually) processes or transmits less than 1 million txs. * External facing IP addresses, that only store cardholder data ** On-site certification required only by MasterCard as of 2011 *** Required annually only by VISA IT Compliance Consulting 17
  • 18.
    Service Providers It isthe responsibility of the merchant to utilize compliant service providers If the service provider is not compliant, then the merchant is not compliant Any fines for breaches pertain to the merchant not to the service provider Examples of Service Providers Gateway and Web Hosting Backup Storage and IT Infrastructure PCI Requirement 12.8 applies, requiring merchant to “manage” the service provider: Maintaining a “written agreement” specifying the service provider’s responsibility for compliance Performing due diligence to ensure PCI compliance prior to engagement Monitoring the service provider’s compliance status Monitoring the Service Provider Some vendors are registered as compliant by Visa or MC. The merchant should obtain “evidence” of compliance from vendor (e.g. Report on Compliance –RoC) Merchant cannot answer SAQ truthfully if requirements are not met IT Compliance Consulting 18
  • 19.
    PCI DSS Structure Is made up of six key sections: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management Program Implement strong control measures Regularly monitor and test networks Maintain aninformation security policy Each section has a set of Requirements, for example: Build and maintain a secure network Requirement 1: Install and maintain a firewall configuration to protect data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. IT Compliance Consulting 19
  • 20.
    PCI DSS Structure,Continued Each Requirement has a rationale and a set of subrequirements specified for review, e.g. Requirement 1: Install and maintain a firewall configuration to protect data Firewalls are computer devices that control computer traffic allowed into a company’s network from the outside, as well as traffic into more sensitive areas within a company’s internal network. All systems need to be protected from unauthorized access from the Internet, whether for e-commerce, employees’ Internet-based access via desktop browsers, or employees’ email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network Requirement 1.1 Establish firewall configuration standards that include: 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the Intranet IT Compliance Consulting 20
  • 21.
    Building and Maintaininga Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Internet firewall security needs to be installed and functional on all computers, payment applications and POS systems using IP connectivity, including those with a dial up connection to the internet Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters. Passwords should be personalized for all users. All unnecessary services should be disabled IT Compliance Consulting 21
  • 22.
    Protecting Cardholder Data Requirement3: Protect stored cardholder data. Do not store the contents of the track data from the magnetic stripe on the credit card or the CVV or CVC information (3 digit code on the back on the card) post authorization Only store cardholder account information that is essential to your business. Hard copies of reports and paper receipts must be placed in a secured area and shredded when discarded. Implement a policy on how long data will be stored for and why (i.e. business or legal purposes) Requirement 4: Encrypt transmission of cardholder data across open or public networks. Databases and files containing payment card information must be encrypted. Encryption software is required for systems using internet connectivity for transmission of cardholder information IT Compliance Consulting 22
  • 23.
    Maintaining a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Install and maintain updated anti-virus software on all computers and servers. The number one reason for hacker fraud is Trojan or Backdoor virus intrusion Requirement 6: Develop and maintain secure systems and applications. Check with your software supplier to ensure you are using the latest version. You can also verify if your software and version are included on the PCI Security Standards Council’s Validated Payment Application list Old technology and software is an open invitation for hackers. Don’t take for granted that your supplier has informed you of possible vulnerabilities or updates. Remember it is you that will be subject to fines if your business is compromised IT Compliance Consulting 23
  • 24.
    Implementing Strong AccessControl Measures Requirement 7: Restrict access to cardholder data on a need-to-know basis. Complex passwords should always be used to limit access to cardholder information Requirement 8: Assign a unique ID to each person with computer access. Ensure each employee has a unique user name and password to restrict access to computers and transaction systems’ data. Make sure you update passwords when any employee leaves who had access to cardholder data Requirement 9: Restrict physical access to cardholder data IT Compliance Consulting 24
  • 25.
    Regularly Monitoring andTesting Networks/ Maintaining an Information Security Policy Requirement 10: Track and monitor all access to network resources and cardholder data as well as to network resources (i.e. computers and transaction systems). You must be able to show proof of tracking Requirement 11: Regularly test security systems and processes. Document a policy for testing of security systems and processes. You must be able to show proof of testing of your internet security and policy processes Requirement 12: Maintain a policy that addresses information security. Document and maintain an enforceable policy that details safeguarding of payment card information IT Compliance Consulting 25
  • 26.
    PCI-DSS relative toother standards PCI-DSS Consistency of controls SOX 404 GLBA SR Expertise required HIPAA SR ISO 17799-2000 Generic Prescriptive IT Compliance Consulting 26
  • 27.
    Milestones for PrioritizingPCI DSS Compliance efforts The Prioritized Approach includes six milestones. The list below summarizes the high-level goals and intentions of each milestone. 1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication and other cardholder data is not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it! 2. Protect the perimeter, internal and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point IT Compliance Consulting 27
  • 28.
    Milestones for PrioritizingPCI DSS Compliance efforts cont. 3. Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data 4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when and how concerning who is accessing your network and cardholder data environment IT Compliance Consulting 28
  • 29.
    Milestones for PrioritizingPCI DSS Compliance efforts cont. 5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, milestone five targets key protections mechanisms for that stored data 6. Finalize remaining compliance efforts and ensure all controls are in place. The intent of milestone six is to complete PCI DSS requirements and finalize all remaining related policies, procedures and processes needed to protect the cardholder data environment IT Compliance Consulting 29
  • 30.
    On-site Assessment Is adetailed audit against the PCI Data Security Standard Potentially targets all systems and networks that store, process and/ or transmit cardholder information Includes review of contractual relationships, but not assessment of the Third Parties themselves Must be performed using an offering from a Visa certified Qualified Security Assessor (QSA) such as Trustwave Biggest difficulties in having on-site reviews are the initial scoping and the subsequent cost of correction to compliant levels The QSA provides a report on compliance when compliant, for submission to the Acquirer. Interim reports may be asked for by the Acquirer IT Compliance Consulting 30
  • 31.
    On-site Review Practicalities Makesure you scope correctly The appropriate placement of a stateful firewall can reduce the scope dramatically If not compliant, it will be necessary to submit planning information on how compliance will be achieved This will be monitored and policed both by your QSA and Acquirer It may be possible to use compensating controls to meet a requirement Must be controls over and above what is already specified, and Must meet the intent of the requirement At the discretion of the QSA and must be agreed to by the Acquirer IT Compliance Consulting 31
  • 32.
    PCI DSS ControlEvaluation The PCI Security Audit Procedures give some guidance on what will be checked for. An example of this can be seen by: 6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability Testing procedure 6.3.7.a - Obtain and review written policies to confirm they dictate that code reviews are required, and must be performed by individuals other than the originating author of the code 6.3.7.b - Confirm that code reviews are occurring for new code as well as after code changes IT Compliance Consulting 32
  • 33.
    Tokenization This newtechnology replaces sensitive cardholder data (the PAN in particular) with a randomized token that represents the data. Tokenization eliminates the storage of actual cardholder data and brings the following benefits: Scope reduction by allowing fewer system components to have access to real card holder data – the most significant benefit Cardholder data security can be improved when data encryption is combined with tokenization Avoids the complexity of key management requirements when replacing encryption IT Compliance Consulting 33
  • 34.
    Network Security Scanning TargetsInternet facing devices, systems and applications including routers and firewalls servers and hosts (including virtual) Applications May not have any severity 3 or greater issues: 5 (Urgent) - Trojan Horses, file read and write exploits, remote command execution 4 (Critical) - Potential Trojan Horses, file read exploit 3 (High) - Limited exploit IT Compliance Consulting 34
  • 35.
    Security Incident Plan Requirementsof: Card Association Rules Requirement number 12 of the PCI DSS OSC’s policy -“Merchant Cards Security Incident Plan” Basic points Must have a formal plan Applies to both technology and paper breaches Acquirer must be notified in all cases – immediately Card associations take into consideration timeliness of reporting when determining fines for breach IT Compliance Consulting 35
  • 36.
    Limit Personnel Accessto Restricted Data Background checks must be performed prior to hiring for any positions with unrestricted access to cardholder data (not necessary for cashier level personnel with access to only one card at a time) All personnel involved in credit card transactions must attend security training annually Physical and logical access only granted on a ‘need to know’ basis IT Compliance Consulting 36
  • 37.
    FAQ‘s Q: Am IPCI compliant if my point-of-sale system is compliant? A: No. PCI compliance goes beyond the hardware or software used for payment card processing. You are expected to be compliant to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS contains 12 requirements addressing 6 core principles for network architecture, cardholder data protection, vulnerability management, access controls, network security and information security policies. These include items such as policies for storing reports/receipts, physical access to data, passwords, etc. Using a validated payment application and/ or an PCI approved PIN Entry Device (PED) may aide in reducing scope of potential areas requiring attention. However, to be considered PCI compliant, you must validate your compliance by completing and passing the PCI SAQ and network vulnerability scans (if applicable) IT Compliance Consulting 37
  • 38.
    FAQ’s Q: As amerchant, I did not sign anything saying I would be compliant; therefore, I don’t need to be A: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit card data Q: Who needs to comply with the PCI DSS? A: ALL organizations, regardless of size or number of transactions, that process, store or transmit cardholder data must comply with the PCI DSS. Essentially, all merchants with a Merchant Identification number (MID) and all service providers that touch cardholder data are required to comply with the PCI DSS. IT Compliance Consulting 38
  • 39.
    PCI Glossary CISP -Visa’s Cardholder Information Security Program SDP - MasterCard’s Site Data Protection Program PCI SSC - Payment Card Security Standards Council PCI DSS - Payment Card Industry Data Security Standard * PCI PA-DSS - PCI Payment Application Data Security Standard* PTS - PIN Transaction Security Standard * QSA - Qualified Security Assessor (e.g., Trustwave) ASV - Approved Scanning Vendor (e.g., Trustwave) SAQ - Self Assessment Questionnaire (A, B, C, or D) * Note: Three separate standards can apply IT Compliance Consulting 39