Demystifying PCI DSS

Posted 25-May-2015

Page 1: Demystifying Pci Dss

www.rackspace.co.uk

Rackspace Partner Network

1

Demystifying Payment Card Industry Data Security Standard

Compliance

Francis Ofungwu, Manager of Security Strategy, Rackspace


Page 2: Demystifying Pci Dss


Agenda

• What is PCI-DSS?

• Why Should My Business or Clients Be PCI-DSS Compliant?

• Penalties For Non-Compliance

• Penalties For Security Breaches

• Key Steps Towards PCI-DSS Compliance

• How Rackspace Can Help

• Rackspace’s PCI-DSS Position

• Questions

Page 3: Demystifying Pci Dss


What is PCI-DSS?


Page 4: Demystifying Pci Dss


What is PCI-DSS?

According to the PCI Security Standards Council:

PCI-DSS is a set of comprehensive requirements for enhancing payment account data security.

• The standard was developed by the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.

• The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.

• “PCI DSS should now be considered Business As Usual for any merchant accepting cards.” (HSBC PCI-DSS Merchant Guide, January 2008)

Page 5: Demystifying Pci Dss


Why Should My Business Be PCI-DSS Compliant?


Page 6: Demystifying Pci Dss


Why Should my Business or Clients be PCI-DSS Compliant?

If your business stores, processes, or transmits Cardholder data, there is a requirement to be PCI-DSS compliant.

This also includes service providers that provide services for merchants who process, store, or transmit Cardholder data.

Non-compliance with PCI-DSS could lead to:

• Loss of reputation

• Increased costs for accepting credit card transactions

• Substantial fines associated with security breaches and non-compliance

• Revocation of a merchant’s ability to accept credit card payments.

Page 7: Demystifying Pci Dss


Penalties for Non-Compliance


Page 8: Demystifying Pci Dss


Penalties for Non-Compliance

Penalties for non-compliance will depend on the card scheme.

Examples of non-compliance penalties are as follows:

Event                                                   Penalty (Euro)
Non-compliance after 30 days of notification letter      5,000 per incident of non-compliance
Non-compliance after 90 days of notification letter     10,000 per incident of non-compliance
Non-compliance after 120 days of notification letter    25,000 per incident of non-compliance

Page 9: Demystifying Pci Dss


Penalties For Security Breaches


Page 10: Demystifying Pci Dss


Penalties For Security Breaches

When there is a breach, the card scheme will require an independent forensic investigation. As with the penalties for non-compliance, penalties levied for security breaches will depend on the card scheme. For example:

Number of compromised accounts    Penalty
0 – 19,999                         25,000
20,000 – 99,999                   100,000
100,000 – 199,999                 200,000
200,000 – 299,999                 300,000
300,000 – 399,999                 400,000
400,000 – 499,999                 500,000
>500,000                          750,000

Page 11: Demystifying Pci Dss


Key Steps Towards PCI-DSS Compliance


Page 12: Demystifying Pci Dss


Key Steps Towards PCI-DSS Compliance

• Contact your merchant bank

• Conduct a scoping exercise

• Review business processes

• Utilise the information on the PCI-SSC Website https://www.pcisecuritystandards.org/

• Engage a QSA (Qualified Security Assessor)

• Engage an ASV (Approved Scanning Vendor)

• Don’t rest on your laurels

Page 13: Demystifying Pci Dss


How Rackspace Can Help


Page 14: Demystifying Pci Dss


How Rackspace can help

The Rackspace PCI-DSS Toolbox:

Rackspace’s PCI Toolbox solution: Hardware, Software, and Services

• Managed Cisco Firewalls

• VPN System Management Access (included with all firewalls)

• Sophos/Symantec Anti-virus protection

• SSL Certificates

• Alert Logic Intrusion Detection Services (IDS)

• PCI ASV Network Scanning Service (included with IDS)

• Physical System Security (included with standard support)

• Patch Management Services (included with standard support)

Page 15: Demystifying Pci Dss


How Rackspace can help

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Fully Managed Cisco Firewalls

• VPN System Management Access

• Network Segmentation

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security requirements.

Rackspace implements industry best practices in network device deployments to ensure system hardening specifications required by the standard are met.

Page 16: Demystifying Pci Dss


How Rackspace can help

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Rackspace provides a Managed Anti-Virus solution that provides proactive protection against viruses, worms, Trojans, spyware and other malware.

Requirement 6: Develop and maintain secure systems and applications.

Rackspace provides reliable and flexible Managed Patching services to help maintain secure systems.

Page 17: Demystifying Pci Dss


How Rackspace can help

Implement Strong Access Control Measures

Requirement 9: Restrict physical access to cardholder data

Rackspace physical security controls are based on the best practices set out in the ISO/IEC 27002:2005 Information Security Standard. These controls include:

• Data centre access limited to Rackspace data centre technicians

• Biometric scanning for controlled data centre access

• Security camera monitoring at all data centre locations

• 24x7 onsite staff provide additional protection against unauthorised entry

• Unmarked facilities to help maintain a low profile

Page 18: Demystifying Pci Dss


How Rackspace can help

Regularly Monitor and Test Networks

Requirement 11: Regularly test security systems and processes

Rackspace offers an Intrusion Detection System (IDS) service that meets a number of sub-requirements set out in requirement 11 of the standard, including the requirement for PCI-SSC approved internal and external vulnerability scanning.

Page 19: Demystifying Pci Dss


Rackspace’s PCI-DSS Position


Page 20: Demystifying Pci Dss


Rackspace’s PCI-DSS Position

On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. The scope of Rackspace’s 2009 PCI Service Provider accreditation covers the following:

- Physical Security for:

  - UK & US Data centres

  - U.S. & U.K. Offices

- Network Infrastructure (Routers & Switches)

- Rackspace employee access to Network Devices

Page 21: Demystifying Pci Dss


Summary


Page 22: Demystifying Pci Dss


Summary

• If you store, process, or transmit cardholder data then you have a requirement to be PCI-DSS compliant.

• There are penalties associated with non-compliance and data security breaches.

• Rackspace can help you and your clients drive PCI-DSS compliance through the PCI-DSS Toolbox.

• Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/

Page 23: Demystifying Pci Dss


Questions
