You Know You Need PCI Compliance Help When…

You Know You Need PCI
Compliance Help When…
Presented By:
Peter Spier
Manager Professional Services
Fortrex Technologies
Jim Raub
Senior Director of Information Security and Compliance
PAETEC Holding Corporation
© 2010. All rights reserved.

• Instructor Biographies
• Background On Fortrex
• Background on PAETEC
• Overview of the PCI DSS
• 3 Challenges
• Common Scenarios
• Time to Seek Help
• Compliance Roles
• Assessment Preparation
• PCI DSS 2.0
Agenda

Instructor Biography
• Peter Spier is President of the ISACA Western
New York Chapter and Manager Professional
Services at Fortrex Technologies (www.fortrex.com)
based in Frederick, Maryland.
• Certifications include: CISSP, CISM, PMP, QSA,
PA-QSA, ITILFv3, and CSF Assessor
• Masters degree from Syracuse University School of
Information Studies
• 15 years of experience

Instructor Biography
• Jim Raub is Sr. Director, Information Security and
Compliance at PAETEC (www.paetec.com) based in
Fairport, NY.
• Current Certifications include: CISSP, CISA, &
CTM. Past certifications from Cisco, Microsoft,
Informix, CompTIA and others.
• Bachelors degree, Summa cum Laude, from Syracuse
University, with coursework towards Masters at
University of Rochester
• 35 years of experience in management, consulting,
security, software development, IT infrastructure,
networks, and database administration

Background on Fortrex
General Facts
• IT Security, Operational Risk and
Governance Consulting
• Founded in 1997
• Headquarters in Frederick, Maryland
• Privately Held
• Approaching 1,000 Customers
 Baltimore to Alaska to Guam
• Broad Industry Coverage
• QSA, PA-QSA & ASV
• Abundance of References
Integrity, Excellence,
Empowerment, Teamwork and
Thankfulness

Background on PAETEC
Caring Culture, Open
Communication, Unmatched
Service, Personalized Solution
General Facts
• Founded in 1998
• Headquarters in Fairport, New York
• Publicly Traded (Nasdaq: PAET)
• Serving over 84 of the top 100
Metropolitan Statistical Areas (MSAs) in the
U.S. with personalized communications
solutions
• Core offerings include data, voice, and
Internet communications services
• Value-added solutions encompass data
center colocation, communications
management software, equipment, security
and financing programs

Overview of the PCI DSS
Reviewing PCI DSS Compliance Requirements For The First Time Can Be A Daunting Task
The “Dirty Dozen”
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Challenge #1
Are you a Merchant or a Service Provider?

Merchants Defined
• Merchant - Any entity that accepts payment cards
bearing the logos of any of the five members of PCI
SSC (American Express, Discover, JCB, MasterCard or
Visa) as payment for goods and/or services.

Service Providers Defined
• Service Provider - Business entity that is not a payment
card brand member or a merchant directly involved in the
processing, storage, transmission, and switching or
transaction data and cardholder information or both.
o This also includes companies that provide services to
merchants, services providers or members that control or
could impact the security of cardholder data.
 Examples include managed service providers that provide managed
firewalls, IDS and other services as well as hosting providers and
other entities.
 Entities such as telecommunications companies that only provide
communication links without access to the application layer of the
communication link are excluded

When Merchants
Are Also Service Providers
• A merchant that accepts payment cards as
payment for goods and/or services can also be a
service provider, if the services sold result in
storing, processing, or transmitting cardholder
data on behalf of other merchants or service
providers.
 For example, an ISP is a merchant that accepts payment
cards for monthly billing, but also is a service provider if
it hosts merchants as customers

Challenge #2
What compliance level are you?

Merchant
Compliance Levels
Level Visa MasterCard Discover
American
Express
JCB
1
Merchants processing
over 6 million Visa
transactions annually
(all channels) or
Global merchants
identified as Level 1
by any Visa region
•Any merchant that has suffered
a hack or an attack that resulted
in an account data compromise
•Any merchant having greater
than six million total combined
MasterCard and Maestro
•Any merchant meeting the
Level 1 criteria of Visa
•Any merchant that MasterCard,
in its sole discretion, determines
should meet the Level 1
merchant requirements to
minimize risk to the system
•All merchants processing a total
of more than 6 million card
transactions annually on the
Discover network.
•Any merchant Discover, in its
sole discretion determines should
meet the Level 1 compliance
validation and reporting
requirements
•All merchants required by
another payment brand to validate
and report their compliance as a
Level 1 merchant
2.5 million
American
Express Card
transactions or
more per year; or
any Merchant
that has had a
data incident; or
any Merchant
that American
Express
otherwise deems
a Level 1
One million
JCB
transactions
or more per
year
2
1 million to 6 million
Visa transactions
annually (all
channels)
•Any merchant with greater than
one million but less than or
equal to six million total
combined MasterCard and
Maestro transactions annually
•Any merchant meeting the
Level 2 criteria of Visa
•All merchants processing a total
of 1 million to 6 million card
transactions annually on the
Discover network.
•All merchants required by
another payment brand to validate
and report their compliance as a
Level 2 merchant
50,000 to 2.5
million American
Express Card
transactions per
year
Less than
one million
JCB
transactions
per year

Merchant
Compliance Levels
American
Express
JCB
3
20,000 to 1 million Visa
e-commerce transactions
annually
•Any merchant with greater than 20,000
combined MasterCard and Maestro e-
commerce transactions annually but less
than or equal to one million total
combined MasterCard and Maestro
ecommerce transactions annually
•Any merchant meeting the Level 3
criteria of Visa
•All merchants
processing a total of
20,000 to 1 million
card-not-present only
on the Discover
network
•All merchants
required by another
payment brand to
validate and report
their compliance as a
Level 3 merchant
Less than 50,000
American
Express Card
transactions per
year
N/A
4
Merchants processing less
than 20,000 Visa e-
commerce transactions
annually and all other
merchants processing up
to 1 million Visa
All other merchants All other merchants N/A N/A

Service Provider
Compliance Levels
American
Express
JCB
1
VisaNet processors or any
service provider that stores,
processes and/or transmits
over 300,000 Visa
•All TPPs
•All DSE’s that store, transmit, or
process greater than 300,000 total
combined MasterCard and Maestro
All TPPs All TPPs All TPPs
2
Any service provider that
stores, processes and/or
transmits less than 300,000
Visa transactions annually
Includes all DSE’s that store,
transmit, or process less than
300,000 total combined MasterCard
and Maestro transactions annually
N/A N/A N/A

Challenge #3
What requirements apply?

Merchant
Reporting Requirements
American
Express
JCB
1
•Annual Report on
Compliance (“ROC”) by
Qualified Security
Assessor (“QSA”)
•Quarterly network scan
by Approved Scan
Vendor (“ASV”)
•Attestation of
Compliance Form
•Annual On-site
Assessment1
by Approved Scan
Vendor (“ASV”)
•All merchants processing a total of more
than 6 million card transactions annually
on the Discover network.
•Any merchant Discover, in its sole
discretion determines should meet the
Level 1 compliance validation and
reporting requirements
•All merchants required by another
payment brand to validate and report their
compliance as a Level 1 merchant
2.5 million
American Express
Card transactions
or more per year; or
any Merchant that
has had a data
incident; or any
Merchant that
American Express
otherwise deems a
Level 1
One
million
JCB
transaction
s or more
per year
2
•Annual Self-Assessment
Questionnaire (“SAQ”)
by ASV
•Attestation of
Compliance Form
•On-site Assessment (At
Merchant Discretion)
•Annual Self-Assessment
Questionnaire (“SAQ”)2
by Approved Scan
Vendor (“ASV”)
•All merchants processing a total of 1
million to 6 million card transactions
annually on the Discover network.
50,000 to 2.5
million American
Express Card
transactions per
year
Less than
one
million
JCB
transaction
s per year
1 Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI
DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
2 Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant
training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may,
at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

Merchant
American
Express
JCB
3
•Annual SAQ
by ASV
•Attestation of
Compliance Form
•Annual SAQ
by ASV
•All merchants processing a total of 20,000
to 1 million card-not-present only
transactions annually on the Discover
network
Less than 50,000
American Express
Card transactions
per year
N/A
4
•Annual SAQ
recommended
by ASV if applicable
•Compliance validation
requirements set by
acquirer
•Annual SAQ
by ASV
All other merchants N/A N/A

Service Provider
American
Express
JCB
1
•Annual On-site
security assessment by
QSA
•Quarterly network
scans by ASV.
•Annual On-site
security assessment by
QSA
scans by ASV.
•Annual On-site security
assessment by QSA (or internal
auditor if signed by officer of
Service provider). OR Annual
Self-Assessment Questionnaire
D
•Quarterly network scans by
ASV
•Annual On-site
security assessment
by QSA (or internal
auditor if signed by
officer of Service
provider).
scans by ASV.
•Annual On-
site security
assessment by
QSA
•Quarterly
network scans
by ASV.
2
•Annual SAQ
scan by ASV
•Annual SAQ
scan by ASV
N/A N/A N/A

Realization
• Each card brand’s transaction-driven tiering and
corresponding requirements differs from one
brand to the other
• For Self Assessment Questionnaire (SAQ)
merchants, if you employ more than one
transaction type, you’re obligated to use SAQ D
• For Level 2 Service Providers, you’re obligated
to use SAQ D
• SAQ D is the long one…

Suppose
• You have bandwidth to spare
• Your internal audit personnel possess broad and
deep compliance framework experience
• A team member has successfully completed a
PCI DSS compliance assessment in the past
When should you consider bringing in expert
assistance from the outside?

When Compliance Looks Easy
• Familiar with ISO:27001?
• Spoken with a colleague who indicated that their
SAQ was a simple matter of checking all the
‘Yes’ boxes and signing it?
• PCI DSS can be mapped to other frameworks,
but its focus is explicitly cardholder data security
• Compliance is never as easy as just checking all
the ‘Yes’ boxes

When You Receive An E-mail
Identifying Still Another Data Repository
• Unidentified data repositories can:
o Threaten momentum
o Lower morale
o Derail compliance efforts.
• Late-in-the-game discoveries might cause you to:
o Miss your target dates
o Incur unforeseen penalties
o Require re-work to remediate issues
• Recommendation: Identify all payment flows through a
combination of both human and automated means
o Surveys
o Interviews
o Data analytics

When You Are Not Certain Where
Your Cardholder Data Environment Begins Or Ends
• Does an unsolicited customer email automatically
bring a system into the Cardholder Data
Environment (CDE)?
• If an end-user chooses to record a call and save it
to local or LAN file, is the PC or fileserver in
scope?
• If the CDE firewall allows insecure protocols, is the
scope reduced?
• Is a workstation part of the CDE if it is used only
to key in the Payment Account Number (PAN) to a
hosted application through an encrypted channel?

When You Re-Read The Same
Requirement And Interpret It In Yet Another Way
• Read the PCI DSS?
• Attended seminars?
• Poured over various forum threads and blog
postings?
• Was that requirement really non-applicable?
• Does your planned compensating control truly go
above and beyond the rigor and intent of the
original requirement?
• Is your “business justification” for leaving open a
particular port or protocol sufficient?

Time To Seek Help
• Good counsel may at first seem to be in abundance,
but identifying the appropriate resource to provide
accurate direction is critical
• A different business’s compliance approach
probably does not apply to your own environment
• You can not simply repeat last year’s response
• It probably does take an expert to address the “low
hanging fruit”
• Consulting a QSA prior to an assessment may prove to
be the shortest path to achieving compliance

Suggested Compliance Roles
•Audit
•Complete Self Assessment Questionnaire or Level 1 or 2
assessment
•Periodic review of controls
•Governance
•Compliance oversight
•Policy development and distribution
•Coordination of organizational business units
•Security Operations
•Management and monitoring of controls
•Internal vulnerability scanning and/or penetration testing
•Log Review
•Incident Response
•System Administration
•Account and authentication management
•Access control management
•Configuration management
•Application Developers
•Development and Testing
•Code review
•Revision control
•Database Administrators
•Record management
•Access control management
•Project Managers
•Assessment and validation planning
•Stakeholder coordination and reporting
•Resource scheduling
•Reporting
•Senior Management
•Report On Compliance review
•Sign Attestation Of Compliance
•Qualified Security Assessors
•On-site assessment
•Validation
•Report On Compliance creation
•Submission to the payment brands
•Countersign Attestation Of Compliance
•Approved Scanning Vendors
•External quarterly vulnerability scans

Assessment Preparation
Scope
•Scope of the cardholder data environment is defined as all system components which
transmit, process, or store cardholder data.
•Limiting the scope of the cardholder data environment may reduce the scope of
assessment and ongoing compliance efforts.
•Scope reduction strategies may include:
•Network Segmentation
•Tokenization
•All systems receiving cardholder data directly and performing tokenization are in scope
•End-to-End Encryption
•All systems receiving cardholder data directly and performing encryption are in scope

Network Segmentation
Unsegmented Segmented

Tokenization

End-to-End Encryption

Prioritized Approach Methodology
•Roadmap of compliance activities based on risk associated with storing, processing, and/or
transmitting cardholder data.
•Assists in prioritization of efforts to achieve compliance
•Establishes milestones
•Lowers the risk of cardholder data breaches sooner in the compliance process
•Helps acquirers to objectively measure compliance activities and risk reduction by
merchants, service providers, and others
•Pragmatic approach that allows for “quick wins”
•Supports financial and operational planning
•Promotes objective and measurable progress indicators
•Suitable for merchants who choose an on-site assessment or use SAQ D.

Milestone Goals
1
Remove sensitive authentication data and limit data retention. This milestone targets a key
area of risk for entities that have been compromised. Remember – if sensitive authentication data
and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If
you don’t need it, don’t store it.
2
Protect the perimeter, internal, and wireless networks. This milestone targets controls for
points of access to most compromises – the network or a wireless access point.
3
Secure payment card applications. This milestone targets controls for applications,
application processes, and application servers. Weaknesses in these areas offer easy prey for
compromising systems and obtaining access to cardholder data.
4
Monitor and control access to your systems. Controls for this milestone allow you to detect
the who, what, when, and how concerning who is accessing your network and cardholder data
environment.
5
Protect stored cardholder data. For those organizations that have analyzed their business
processes and determined that they must store Primary Account Numbers, Milestone Five targets
key protections mechanisms for that stored data.
6
Finalize remaining compliance efforts, and ensure all controls are in place. The intent of
Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies,
procedures, and processes needed to protect the cardholder data environment.

PCI DSS 2.0
Requirement
Reason for
Change
Change Category
Introduction
Clarify Applicability of
PCI DSS and cardholder
data.
Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN.
Align language with PTS Secure Reading and Exchange of Data (SRED)
module.
Clarification
Scope
Ensure all locations of
cardholder data are
included in scope of PCI
DSS assessments
Clarify that all locations and flows of cardholder data should be identified and
documented to ensure accurate scoping of cardholder data environment.
Guidance
Introduction
and Various
Provide guidance on
virtualization.
Expanded definition of system components to include virtual components.
Updated requirement 2.2.1 to clarify intent of “one primary function per
server” and use of virtualization.
Guidance
1
Further clarification of
the DMZ.
Provide clarification on secure boundaries between internet and card holder
data environment.
Clarification
3.2
Clarify applicability of
PCI DSS to Issuers or
Issuer Processors.
Recognize that Issuers have a legitimate business need to store Sensitive
Authentication Data.
Clarification

PCI DSS 2.0
(Continued)
Requirement
Reason for
Change
Change Category
3.6
Clarify key management
processes.
Clarify processes and increase flexibility for cryptographic key changes, retired
or replaced keys, and use of split control and dual knowledge.
Clarification
6.2
Apply a risk based
approach for addressing
vulnerabilities.
Update requirement to allow vulnerabilities to be ranked and prioritized
according to risk.
Evolving
Requirement
6.5
Merge requirements to
eliminate redundancy and
Expand examples of
secure coding standards
to include more than
OWASP.
Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for
internal and Web-facing applications.
Include examples of additional secure coding standards, such as CWE and
CERT.
Clarification
12.3.10
Clarify remote copy,
move, and storage of
CHD.
Update requirement to allow business justification for copy, move, and storage
of CHD during remote access.
Clarification

Thank You.

You Know You Need PCI Compliance Help When…

More Related Content

What's hot

Similar to You Know You Need PCI Compliance Help When…

More from Rochester Security Summit

Recently uploaded

You Know You Need PCI Compliance Help When…