Page 1: Pci dss-for-it-providers

PCI DSS for IT Providers: The rules and impact on MSPs and VARs

For PCI DSS Version 3.0

Page 2: Pci dss-for-it-providers

#webclinic

What is PCI DSS?

• Payment Card Industry Data Security Standard

• Enforced by the PCI Security Standards Council

• Council formed by the five major card brands shown

Page 3: Pci dss-for-it-providers


What’s the goal?

• Cardholder data:
– Primary account number
– Cardholder name
– Expiration date
– Service code

• Sensitive authentication data:
– Full track data (from magnetic stripe)
– CAV2 / CVC2 / CVV2 / CID
– PIN blocks

• Protect cardholder data and sensitive authentication data

Page 4: Pci dss-for-it-providers


What does it cover?

• All components of the “cardholder data environment”

• Includes all people, processes, and technology that handle cardholder data

• Examples:
– Payment card readers, POS systems, PCs
– Firewalls, routers, switches, servers
– Purchased and custom applications

Page 5: Pci dss-for-it-providers


The Threat is Real

• Top motivation of cyber threats: money

• POS malware is proliferating

• Retailers large and small are being breached

Source: 2014 Verizon Data Breach Investigations Report

Page 6: Pci dss-for-it-providers


Who has to comply?

• Merchants
• Processors
• Financial institutions
• Service providers

• Anyone who stores, processes, or transmits cardholder data

Page 7: Pci dss-for-it-providers


What about MSPs and VARs?

• Must comply internally if you accept payment cards
• Must conform services to comply for clients
• Our recommendation: find a compliance expert

Page 8: Pci dss-for-it-providers


Clients need your expertise

• Offer new products and services for compliance
• Security is more than “compliance”, so offer enhanced protection

PCI DSS = Opportunity for IT Providers

Page 9: Pci dss-for-it-providers


• Failure to comply could cost you:
– Customer confidence
– Sales and revenue
– Reputation, brand damage
– Malpractice lawsuits
– Fines and penalties
– Cost of reissuing cards

PCI DSS = Potential trap for IT Providers

Page 10: Pci dss-for-it-providers


Penalties for Noncompliance

• Card brands can issue fines of $5,000 to $100,000 per month

• Higher transaction fees

• Many small victims go out of business
– Cost of breach can include containment, forensic investigation, legal fees, audits, card replacement

Page 11: Pci dss-for-it-providers


What are the rules?

• Build and Maintain a Secure Network and Systems
– 1. Install and maintain a firewall configuration to protect cardholder data
– 2. Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data
– 3. Protect stored cardholder data
– 4. Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program
– 5. Protect all systems against malware and regularly update anti-virus software or programs
– 6. Develop and maintain secure systems and applications

Page 12: Pci dss-for-it-providers


What are the rules?

• Implement Strong Access Control Measures
– 7. Restrict access to cardholder data by business need to know
– 8. Identify and authenticate access to system components
– 9. Restrict physical access to cardholder data

• Regularly Monitor and Test Networks
– 10. Track and monitor all access to network resources and cardholder data
– 11. Regularly test security systems and processes

• Maintain an Information Security Policy
– 12. Maintain a policy that addresses information security for all personnel
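As an added example (not part of the webinar deck), a small check supporting Requirement 3, "Protect stored cardholder data": it scans text such as application or POS log lines for Luhn-valid 13 to 19 digit primary account numbers and masks them to the first six and last four digits, the most that PCI DSS v3.0 Requirement 3.3 allows to be displayed. The log lines and card numbers are constructed test data, not real cards.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so timestamps and amounts are not picked up).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the middle with '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every unmasked, Luhn-valid PAN found in text, as written."""
    return [m.group(0) for m in _PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form."""
    def repl(m):
        raw = m.group(0)
        return mask_pan(raw) if luhn_ok(re.sub(r"\D", "", raw)) else raw
    return _PAN_RE.sub(repl, text)


# Constructed sample log lines: two industry test card numbers and one
# 13-digit reference number that looks like a PAN but fails the Luhn check.
SAMPLE_LOG = (
    "2014-07-01 12:00:01 POS01 sale ok card=4111111111111111 amt=19.99\n"
    "2014-07-01 12:00:05 POS01 ref=1234567890123 status=declined\n"
    "2014-07-01 12:00:09 POS02 sale ok card=5555 5555 5555 4444 amt=7.50\n"
)

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
```

Running the check over exported logs before they leave the cardholder data environment is one way to catch full PANs that an application was never meant to write.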

Page 13: Pci dss-for-it-providers


How do I comply?

• Ask your merchant acquirer to walk you through the steps

• Small merchants typically must:
1. Complete a self-assessment questionnaire (SAQ)
2. Sign an attestation of compliance
3. Send required documents to the merchant acquirer

Page 14: Pci dss-for-it-providers


How do I comply?

• Required documents include:
1. Vulnerability scan results
2. Security policy
3. Network diagram

Page 15: Pci dss-for-it-providers


Vulnerability scans

• External scan of network

• Required by PCI DSS

• Results based on settings and condition of firewall

• Performed by merchant acquirer or approved vendor
– Examples: SecurityMetrics; Trustwave

Page 16: Pci dss-for-it-providers


About Calyptix

Calyptix makes network security easy for small and medium networks. Our all-in-one solution, AccessEnforcer, delivers advanced protection in a simple platform. Learn more: Calyptix.com

[email protected] 704-971-8989

Page 17: Pci dss-for-it-providers


Calyptix Resources

• PCI DSS for IT Providers: 4 steps for compliance
– http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/

• PCI DSS and AccessEnforcer
– http://www.calyptix.com/pci-dss-accessenforcer/

• PCI DSS: Easier and cheaper compliance with SAQs
– http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/

Page 18: Pci dss-for-it-providers


Additional Resources

• Requirements and Security Assessment Procedures:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

• Report on Compliance Reporting Template:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf

• Attestation of Validation:
– https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx

• Glossary of Terms, Abbreviations, and Acronyms:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf

Page 19: Pci dss-for-it-providers


Additional Resources

• Understanding the SAQs for PCI DSS v3.0
– https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

• Self-Assessment Questionnaires
– A – https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
– B – https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
– C – https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
– D (Merchant) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
– D (Service Provider) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx
