What is PCI Compliance?
• Definition: Payment Card Industry Data Security Standard (PCI DSS)
• Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants
• Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data
6 Control Objectives
12 Core Requirements
280+ Audit Procedures
Many misconceptions about PCI DSS
"I don’t need to be compliant because…"
• "…I don’t process many credit cards."
• "…I don’t store credit card information."
• "…I’m not a major brand retailer."
OR "I’m compliant because…"
• "…My POS systems are compliant"
• "…I have firewalls in place"
• "…I’ve passed an ASV scan"
• "…I’ve implemented the basic requirements"
PCI DSS is complex, and applies to all merchants who accept credit cards
If you cannot answer yes to the three questions below, you are NOT PCI Compliant
1. Have ALL employees completed a PCI Certified security awareness training program upon hire and annually thereafter?
2. Have all employees read and signed a formal security policy?
3. Can you demonstrate that all remote access by you, your employees or vendors incorporates 2-factor authentication?
A recent survey by Gartner, Inc. found that 18 percent of respondents admitted to not being PCI-compliant.
Timeline: What happens if I am breached?
Timing / Action
Day 1: Notification of breach; stop taking credit cards; monitor for PR/social impact
Day 5: Complete forensic audit; contact a Qualified Security Assessor (QSA)
Day 7: Obtain remediation proposals
Day 10 to Day 40-180: Execute remediation plan; replace credit cards; disclose breach; address brand impact; possible reclassification as Level 1
What’s the likelihood and risk of breach?
$80K: average per-location direct cost of a data breach (excludes indirect costs such as damage to brand)
1 in 6: small businesses will suffer a credit card breach in the next 24 months
98%: breaches originate from organized criminal groups
174: average days between intrusion and detection
97% of U.S. incidents are at brick & mortar merchants
91% of U.S. breach events occurred at small merchants
What’s the financial impact to my business?
Data Breach Cost Breakdown
• ~$20,000 for an internal forensic audit
• $50 per breached card for reissuance
• Up to $500,000 in regulatory compliance violation fines
• Payment of transactions held back from merchant processor
• Damage to brand/lost revenue
• Loss of credit privileges/credit impact
What are the requirements for PCI Compliance?
Six control objectives:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Twelve core requirements (requirements 1-2, 3-4, 5-6, 7-9, 10-11 and 12 map to the six objectives in order):
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords or other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
280 specific requirements under the 12 core requirements
What do I need to do to validate PCI compliance?
• 4 merchant levels based on volume of transactions
• Validation requirements vary based on level

LEVEL | CRITERIA | On-Site Security Audit | Self-Assessment Questionnaire (SAQ) | Approved Scanning Vendor (ASV) network scan
1 | Any merchant processing more than 6 million transactions per year | Required annually | (not used) | Required quarterly
2 | Any merchant processing 1 to 6 million transactions per year | (not used) | Required annually | Required quarterly
3 | Any merchant processing 20,000 to 1 million transactions per year | (not used) | Required annually | Required quarterly
4 | All other merchants, not in Levels 1, 2 or 3 | (not used) | Required annually | Required quarterly

Level 1 merchants validate with an annual on-site audit by a Qualified Security Assessor; Levels 2-4 validate with the annual SAQ. All four levels need quarterly external vulnerability scans by an ASV.
How to Proactively Protect Your Business
from Breach
Step 1: Establish Financial Protection
Step 2: Validate PCI Compliance
Step 3: Achieve Compliance
Step 4: Maintain Compliance
Step 1: Financially Protect Your Business
Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach.
For as little as $1 per day per location, this can cover the costs of:
• Forensic audit and consultation with a Qualified Security Assessor (QSA)
• Replacement of credit cards and related expenses
• Fines and penalties incurred
Step 2: Validate PCI Compliance
PCI compliance must be validated on an ongoing basis, using the validation method for your merchant level: on-site security audit, Self-Assessment Questionnaire (SAQ), and quarterly ASV scan.
Step 3: Achieve PCI compliance
Address gaps identified during the
validation process
Up to 280 requirements depending
on your environment
Common issues:
• Outdated Firewalls
• Insecure Remote Access
• Weak security configurations
• Operating system flaws
• Lack of staff training
• Flawed security policies
• Poor change control procedures
Step 4: Maintain Compliance
• Conduct on-going PCI Training
for employees including
cashiers, IT staff
• Document and enforce security
policies
• Conduct regular assessments
and network scans for all
locations, and remediate gaps
• Identify and work closely with a
PCI Compliance Partner who
can help
Protect Your Business & Validate PCI Compliance with EarthLink
• PCI Compliance Validation Service for Level 2-4 merchants
• Provides $100,000 in breach protection per location
• Includes Web-based tools for:
  • Wizard-based Self-Assessment Questionnaire (SAQ)
  • Approved Scanning Vendor (ASV) scanning
  • Task Management and Reporting
  • Security Policy Templates
  • PCI eLearning (cashier, IT and owner)
• Powered by ANX eBusiness
Questions?
Contact Mike Shelah
410-981-0210
mshelah@corp.earthlink.com

Editor's Notes

  • #2 What exactly is PCI compliance and does it really matter? In a nutshell, it’s a required way to reduce the risk of credit card theft and YES, unlike many requirements out there, it really does matter. There’s a lot of confusion and misinformation about PCI compliance. To begin, let’s address who it applies to. The answer: every business, large or small, that accepts a credit card must be PCI compliant. If you’re a small restaurant owner and haven’t heard about PCI compliance from your bank yet, you will, and sooner rather than later. In the early days of PCI compliance, the banks focused on inspecting compliance with the largest retailers, those with more than 1 million credit card transactions in a year. However, since smaller victims are the preferred target, banks are spending more time and effort to inspect the level of PCI compliance of small businesses like restaurants. We’re getting calls from many restaurants who received a letter from the bank asking them for a copy of their PCI self-assessment questionnaire. Other banks are placing a “PCI non-compliance” fee on the monthly statement until the restaurant proves their compliance. PCI compliance is NOT a government regulation. However, don’t let that convince you that it doesn’t have teeth. It does! All the credit card companies and banks adhere to PCI compliance. And the rules, fines, and pass-through costs are very real. Another misconception out there is WHO is accountable for PCI compliance. It’s not equipment vendors. If there’s a breach, 100% of the accountability is passed to the business owner. So you might be wondering, does PCI compliance really work? In other words, if you’re PCI compliant, can you still get breached? The answer is YES. However, statistics clearly show that being PCI compliant significantly reduces the chance that your business will be a victim. The standard does a great job of addressing vulnerabilities. Becoming PCI compliant really means that you’re paying serious attention to security. And when you’re paying serious attention, the risk of becoming a victim is greatly diminished.
  • #3 Credit card companies and merchant banks shifted the risk of data breach to the merchants through the introduction of PCI DSS. PCI DSS applies to all entities involved in credit card processing. Most merchants have no idea that the PCI requirements exist. The market is filled with inaccurate information and myths around PCI requirements and compliance. Achieving and maintaining PCI compliance is an arduous process.
  • #4 Examples of just a few of the 250+ control requirements that are part of PCI DSS
  • #5 You will be notified by the Secret Service, your merchant bank or credit card company that your business is the suspected site of a data breach. Once notified, you will be required to: immediately stop taking credit cards; pay for a forensic audit; implement the remediation actions outlined in the forensic audit; and work with a Qualified Security Assessor to demonstrate PCI Compliance. PCI is the minimum set of requirements to be secure: the low-hanging fruit.
  • #6 The effects of a credit card breach on a small business are truly daunting. To begin, the average direct cost of a data breach is $80,000. Those costs include forensic analysis, fines, and credit card replacement. It’s no surprise then that 70% of breached businesses don’t survive a year after a major incident. What IS somewhat surprising is that some estimates put the risk of suffering a major data breach at 1 in 6 over the next 24 months. To put that in another perspective, a business is far more likely to suffer a data breach than a fire. 98% of breaches originate from organized criminal groups. In other words, it’s not teenagers sitting in their parents’ basement doing the breaches. It’s criminals across the world looking to make money. It’s what they do for a living, and they work at it 365 days of the year. And when they steal credit card information, there’s a well-organized underground market to sell stolen information. The average number of days between intrusion and detection is 174. Businesses are breached and don’t realize it until considerable damage is done. It’s also a very under-reported crime.
  • #8 As for the PCI requirements themselves, think of them as layers of an onion. At first glance, it doesn’t seem like much. There are just 6 control objectives: 1, build and maintain a secure network; 2, protect cardholder data; 3, maintain a vulnerability management program; 4, implement strong access control measures; 5, monitor and test networks; and 6, maintain an information security policy. Not bad, right? Well, those objectives then turn into 12 requirements, which are commonly referred to as “the digital dozen”. 12 is still a manageable number. Where it becomes overwhelming for most restaurant owners is when you dive into the annual self-assessment questionnaire. In order to address the digital dozen, the business owner must answer over 200 detailed questions, and many of those questions are of the technical variety. It’s no wonder, then, that the vast majority of businesses are not PCI compliant: they simply underestimate how long it will take and the resources required to fully meet the requirements. The 12 requirements break down into 280 specific requirements, all based on the SAQ.
  • #9 The SAQ depends on how you answer; e.g. answering “no” to “do you store credit cards?” eliminates some of the 280 requirements. How do I determine my merchant level? Your credit card processor can tell you how they have categorized you. Isolate your POS network. Don’t store data, and make sure all data is encrypted. Watch for weak security configurations and operating system flaws where the level of encryption is much lower than industry standards.
  • #13 Note: There are no “levels” of compliance; you’re either compliant or you’re not. What you’re required to do depends on your environment, e.g. do you store credit cards?