An introduction to PCI compliance and data security standard. Including attestation requirements, PCI merchant levels, reporting requirements. Steps to Document PCI Cardholder Data Environment CDE and to work toward compliance.

2. Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College
Los Positas College / @One
www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca
DonaldH@MazeAssociates.com
6/11/2014 © 2011 Maze & Associates 2

3. Updates to this presentation and other resources available on:
www.LearnSecurity.org
Log into the Classrooms section and look under Free Courses

4. PCI Introduction
6/11/2014 © 2011 Maze & Associates 4

5. The Problem
Albert Gonzalez, 28
With accomplices, he was involved in data breaches of most of the major
data breaches:
Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale
Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston
Market, Forever 21, DSW and others.

6. Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
Source:

7. Data Loss Trends
Number of incidents per year.
Source:

8. Data Loss Trend
Source:

9. Are they PCI Compliant?
Source:

10. Highest IT Priorities for 2010
1. Security of data, code & communications / data security &
document retention / security threats
2. Connectivity / wireless access / high speed Internet connections /
voice and data
3. Backup solutions/ disaster recovery/ business continuity
4. Secure electronic collaboration with clients – client portals
5. Paperless workflow/ paperless technology/ electronic
workpapers
6. Laptop security / encryption
7. Small business software / Office 2010 / Windows 7
8. User mobility/ mobile computing/ mobile devices
9. Tax software/ electronic transmittals of tax forms/ modern e-file
10. Server virtualization and consolidation
Source: AICPA’s 21th Annual Top Technology Initiatives survey
1, 2, 3, 4 & 6 are all PCI related

11. Players
• Acquirer (Merchant Bank)
– Bankcard association member that initiates
and maintains relationships with merchants
that accept payment cards
• Hosting Provider
– Offer various services to merchants and
other service providers.
• Merchant
– Provides goods and services for
compensation
• Cardholder
– Customer to whom a card is issued or
individual authorized to use the card
Card Brand
Acquirer
Hosting
Provider
Merchant
Cardholder

12. Players
• Card Brand
– Issue fines
– Determine compliance
requirements
• PCI Security Standards Council
– Maintain standards for PCI
– Administer ASV & QSA
• Qualified Security Assessors
– Certified to provide annual audits
• Approved Scanning Vendor
– Certified to provide quarterly
scans
Card
Brands
PCI SSC
QSA
ASV

13. PCI Council Standards

14. What does the PCI Council do?
• Own and manage PCI DSS, including
maintenance, revisions, interpretation and
distribution
• Define common audit requirements to
validate compliance
• Manage certification process for security
assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified
assessors and vendors

15. Website
https://www.pcisecuritystandards.org/

16. What are the Standards?
• PCI DSS: PCI Data Security Standard
– Overall standard, applies to all
• PA DSS: Payment Application Data Security
Standard
– Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security
Standard
– Supporting standard for PIN entry devices
– Supporting standard for unattended payment
terminals (UPT)

17. PCI DSS
 The Payment Card Industry Data Security
Standard
 6 Objectives (Goals)
 12 Sections (Requirements)
 194 Controls

18. PCI DSS

19. Standard Lifecycle

20. Who must comply?
• With PCI DSS
– Any organization the processes, stores or transmits
credit card information.
• With PA DSS
– Payment application developers
– Merchants will be required to use only compliant
applications by July 2010.
• With PTS
– Manufactures of PIN entry devices
– Merchants will be required to use only compliant
hardware by July 2010.
– MasterCard PTS to incorporate into PCI SSC April 30,
2010

21. PCI Compliance
• This includes:
• Organizations who only use paper based
processing
• Organizations who outsource the credit
card processing
• Organizations that process credit cards in
house

22. Is PCI law?
 The PCI DSS was developed by the
payment card brands
 Compliancy is compulsory if a merchant
wishes to continue processing payment
card transactions
 However, some States have enacted
legislation that has made PCI compliance
the law

23. What if we are a small
organization?
• “All merchants, whether small or
large, need to be PCI compliant.
• The payment brands have collectively
adopted PCI DSS as the requirement
for organizations that process, store
or transmit payment cardholder
data.”
– PCI SSC

24. Level 4 Merchants
• Each Merchant Bank is responsible for
having a plan to move level 4 merchants
into compliance
• In September 2010 Wells Fargo sent out
a letter stating they will now start
charging merchants who are not PCI
compliant

25. Cost?
• What happens when there is a data
breach?
– Depends if the merchant can reach safe
harbor.

26. What’s Safe Harbor?
Incident Evaluation
Safe
Harbor
$$$$$$

27. Safe Harbor Notes:
• For a merchant to be considered
compliant, any Service Providers that
store, process or transmit credit card
account data on behalf of the merchant
must also be compliant.
• The submission of compliance validation
documentation alone does not provide
the merchant with safe harbor status.

28. Outside the Safe Harbor
• Losses of cardholders
• Losses of banks
• Losses of card brands
– Fines from the Card brands
– Possible restrictions on process credit cards
– Cost of forensic audit

29. Fines
Merchants may be subject to fines by the card associations if deemed non-
compliant. For your convenience fine schedules for Visa and MasterCard are
outlined below.
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

30. PCI DSS
 The Payment Card Industry Data Security
Standard
 6 Objectives (Goals)
 12 Sections (Requirements)
 194 Controls

31. PCI DSS

32. Create Needed Policies
• What policies do you currently have that
address PCI related issues
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional
subordinate policies, procedures or
administrative directives for specific PCI
control requirements
• Every PCI DSS control should be
documented in some policy, procedure,
administrative directive, SOP or schedule

33. Policies
• Start implementing the data security
standard starting with policies
• Start with high level polices
– “The City shall not store PAN (Credit Card
Numbers) electronically or physically.
Employees shall be trained on PCI standard
annually. Background checks will be
performed on all staff with access to credit
card information.”

34. Policy Examples
• “The City shall develop procedures to
ensure that information security and
privacy best practices are followed to
include compliance with all laws or
contractual requirements.”
• “The City shall adopt information
security and privacy procedures based on
industry standards such as NIST and PCI
security standards.”

35. PII Policy
• If you already have a policy for handling
confidential information or personally
identifiable information add credit card
information to confidential information
or PII.

36. Merchant Levels
Merchant levels are determined by the annual
number of transactions not the dollar amount
of the transactions.
Merchant Level E-commerce transactions All other transactions
Level 1 Over 6 million annually Over 6 million annually
Level 2 1 to 6 million annually 1 to 6 million annually
Level 3 20,000 to 1 million annually N/A
Level 4 Up to 20,000 annually Up to 1 million annually

37. Validation Requirements
Merchant Level QSAAudit Quarterly Network
Scans
Self-Assessment
Questionnaire
Level 1 Yes Yes -
Level 2 * Yes Yes
Level 3 - Yes Yes
Level 4 - Yes Yes
Separate and distinct from the mandate to comply
with the PCI DSS is the validation of compliance
whereby entities verify and demonstrate their
compliance status.
* Starting 12-31-2010 MasterCard will require Annual
QSA Audits for Level 2 Merchants

38. Continuous Process
• “PCI DSS compliance is much more than a
“project” with a beginning and end – It’s an
ongoing process of assessment,
remediation and reporting” - PCI SSC
Assess
ReportRemediate

39. Continuous Process
• Many of the PCI requirements have
specific time interval requirements
• Create a schedule for time based
requirements
• Some organizations already have
‘maintenance calendars’ for these type
of actions

40. Common Findings
• Clients think they are compliant
– Because they do quarterly networks scans
– Because they filled out the SAQ
– Because they have too few transactions
• Reality
– Validation is not compliance
– Compliance is an ongoing process
– PCI DSS is required for all merchants,
regardless of the number of transactions

41. Common Findings
• Payment card information on paper
• No network segmentation
• Logging Access
• Shared Passwords
• Verifying compliance of outsourced
processing
• No one is assigned responsibility
• Not aware of PAN storage in
application

42. PCI Pitfalls
• PCI will not make an
organization’s network or data
secure
• PCI DSS focuses on one type of
data: payment card transactions
• The organization runs the risk of
focusing on one class of data to
the detriment of everything else

43. 10 Steps to PCI Compliance
6/11/2014 © 2011 Maze & Associates 46

44. Action Items
• Document how your organization stores,
processes or transmits credit card information
• Determine your merchant level
• Determine your validation requirements
– Contact your merchant banks and acquirers
• Determine your SAQ validation type
• Find an ASV for compliance network
vulnerability scans
– Perform at least quarterly scans
• Annually fill out your SAQ
– turn in and/or keep on file

45. 10 Steps to Document
Cardholder Environment
1. Determine Merchant Level (number of
transactions)
2. List all Merchant Banks and Acquirers
3. List all outsourced processors, ASPs and third party
processors
4. Document all Payment Applications
5. Document all PEDs used (Point of Interaction)
6. List all physical locations that CHD is processed,
stored or transmitted
7. List all electronic storage of CHD
8. Document electronic transmission
9. Document policies that address PCI requirements
10. Implement applicable PCI DSS controls

46. Step 1: Determine Merchant Level
• List the number of all credit card
transactions for all Merchant Banks and
Acquirers
• List by card brand as well
• Determine your merchant level based on
total annual credit card transactions
• Number is based on the aggregate
number of transactions for a DBA
Note: Merchant levels are defined by the Card Brands and determined
by the Acquirer based on transaction volume.

47. Step 2: Document Acquirers
• List all Acquirers, Merchant Banks and/or
Acquiring Banks
• Included card brands when they act as
acquirer, e.g. Amex, Discover, JCB
• Would never be Visa or MasterCard
• They determine your merchant level and
reporting requirements

48. Step 2: Document Acquirers
• Contact Information
– Address
– Phone Number
• Incident Response Team
• Website
– Monitor for changes in requirements
• Any notes or document conversations
you have with them

49. Step 3: Determine Service
Providers
• A Service Provider is an business or
entity that is directly involved in the
processing, storage, transmission, and
switching of transaction data and/or
card holder data (CHD)
• Any service provider that has control or
could have a security impact on CHD

50. Example of Service Providers
• Transaction Processors
• Customer Service
• Call Centers
• Payment Gateways
• Credit Reporting
• External Sales
• Remittance Processing
• Card Embossing
Companies
• Information security
providers
• Offsite Data Storage
Providers

51. Manage Service Providers
• Maintain a list of service providers
• Maintain agreements that hold service
providers responsible for security of CHD
– Include reporting and breach notification
• Have a process to validate new service
providers before they become service
providers
• Have a program to monitor service
provider compliance at least annually

52. Step 4: Document
Payment Applications
• List all payment applications
• Document the business use of the
applications
• Determine if the application is compliant
• Determine if the application stores CHD
• Check PCI website for list of approved
applications

53. Action Items
• Contact the vendor, make sure payment
applications are PA DSS complaint or will
be.
• Contact your PIN device supplier, make
sure you have compliant PIN Entry
Devices.
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.ht
ml
https://www.pcisecuritystandards.org/security_standards/vpa/

54. Payment Applications
• In house
applications
– SDLC controls
– Code reviews
– Application
firewalls
– OWASP

55. Step 5: Document PED
• List all Points of Interaction (POI)
– List all PIN Entry Devices (PED)
– List all Point of Interaction devices
– List all Unattended Payment Terminals
(UPT)
– List all Point of Sale (POS) devices
• Document compliance for those devices
currently required to be PCI compliant

57. PED
• PIN Entry Device
– Scope of the standard increasing
• PIN Transaction Security (PTS)
– Will include
• UPT (Unattended Payment Terminals)
• POI (Point of Interaction)
• POS (Point of Sale Devices)
– Standard addresses the vendors who make
devices
– Merchants must use approved devices

58. Step 6: Physical CHD
• List all physical locations that PAN is processed,
stored or transmitted
– Paper,
– Receipts,
– Imprints,
– Carbon Copies
– Locations of backup media
• Document Retention Period
– Justify with business need
• Document Destruction Policy

59. Step 7: Electronic Data Storage
• List all electronic storage of CHD
• Document business reason for storing
and retention period
• Requirements in PCI DSS
– Encryption
– Access Controls and Audit logs
– Never permitted to store full track data

60. Cardholder Data
Data Element Storage
Permitted
Protection
Required
PCI DSS 3.4
Cardholder
Data
Primary Account
Number (PAN)
Yes Yes Yes
Cardholder Name Yes Yes No
Service Code Yes Yes No
Expiration Date Yes Yes No
Sensitive
Authentication
Data
Full Magnetic
Stripe Data
No N/A N/A
CVC2 / CVV2 / CID /
CAV2
No N/A N/A
PIN / PIN Block No N/A N/A

61. Places to look for CHD
• Electronic Image Files
• SANS
• Fax Servers
• Scan Archive
• Pinter Spool
• Laser Fiche
• Log Files
• Audio Recording:
customer service call
recordings
• Voicemail
• Email Server/Archive
• Backup Media
• Copier Scanner Cache
• Data bases
Perform a search for CHD every 6 months

62. Unknown Storage
• Fax Machine and Copy Machines may
store CHD
http://www.youtube.com/watch?v=iC38D5am7go

63. Step 8: Document Data
Transmission
• Not only do you need to know where you
data is stored but you also need to know
where it travels
• Create a Data Flow diagram
– Diagram with CHD flow superimposed over
network diagram
• Evaluate flow every 6 months or more
often if there has been a change
• Helps to determine the PCI scope and aids
in determining network segmentation

64. Document Data Flow
• With a network diagram document the
flow of credit card information
(transmission)
• Locate any places the information might
be stored along the data path (storage)

65. Step 9: Create Needed Policies
• What policies do you currently have that
address PCI related issues
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional
subordinate policies, procedures or
administrative directives for specific PCI
control requirements
• Every PCI DSS control should be
documented in some policy, procedure,
administrative directive, SOP or schedule

66. Step 10: Document PCI DSS

67. PCI DSS
 The Payment Card Industry Data Security
Standard
 6 Objectives (Goals)
 12 Sections (Requirements)
 194 Controls

68. PCI DSS

69. PII Policy
• If you already have a policy for handling
confidential information or personally
identifiable information add credit card
information to confidential information
or PII.

70. PCI DSS
• Start implementing the data security
standard starting with policies
• Start with high level polices
– “The City shall not store PAN (Credit Card
Numbers) electronically or physically.
Employees shall be trained on PCI standard
annually. Background checks will be
performed on all staff with access to credit
card information.”

71. PCI DSS
• Use the prioritized approach to
implement the most important controls
first.

72. Document Compliance
• Determine if all PEDs are PCI compliant
• Determine if all payment applications are
PCI compliant
• Determine if all 3rd party processors and 3rd
parties are PCI compliant
• Obtain documentation from each
• Annually renew documentation from 3rd
parties
• Annually check payment application and
PED list