pci compliance seminar
PCI DSS Education & Compliance Seminar
Many card accepting businesses have felt the pain associated with a network penetration and data breach. It can happen to you! Learn how the bad guys are doing their dirty work and how you can protect your business! David Frick, Phil Kluge and Jesse Snyder are Co-Founders of Transaction Resources, Inc. (TRI). TRI offers innovative payment processing solutions to merchants by combining the latest technologies with a passion for customer service and competitive rates. Transaction Resources, Inc., doing business as TRI, is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA.
What is PCI DSS?
• Payment Card Industry Data Security Standard
Is There a Single Standard for the Payment Card Industry?
• Yes, this program was established through a collaboration between Visa, MasterCard, American Express, JCB, Discover and Diners to create a single standard
To Whom Does PCI DSS Apply?
“PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce” no matter the size of the business.
All Merchants
How is Compliance Achieved?
• Adherence to the requirements laid out under PCI DSS
• Identification and remediation of vulnerabilities through the compliance validation process
Why Were the PCI Data Security Standards Established?
• Cyber crime is growing in diversity and sophistication
• Integrated POS Systems are increasingly targeted
– Frequently, magnetic stripe data is stolen from log files as opposed to traditional databases
– Sensitive data is often unknowingly stored leading to risk
– Hackers are targeting centralized servers with Internet connectivity, not just e-commerce merchants
What are the Account Data Compromise Impacts?
• Counterfeit cards and fraud
• Significant chargeback risk
• Penalties, fines, losses
• Negative media coverage
• Damage to reputation
• Re-issuance and monitoring of cards
• Impacts to consumer confidence
• Potential of new legislation
Fraud Loss Example
SCENARIO:
Merchant A is storing track data in its server. A fraudster hacks into the system and steals cardholder track data. The fraudster creates counterfeit plastics from the stolen cardholder data, and these plastics are subsequently used at Merchants A, B, C, and D.
QUESTION:
Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant A?
ANSWER: Yes
Fraud Loss Example
QUESTION:
Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant B, C, or D?
ANSWER: Yes. Merchant A may become liable for the fraud losses which occurred from the compromised cards at Merchants B, C, and D through the compliance case process.
Fraud Loss Example
EXAMPLE:
500,000 cards stolen. 10,000 cards used fraudulently at each of Merchants B, C, and D = 10,000 x 3 merchants = 30,000 cards
COMPLIANCE CASE PROCESS:
30,000 cards x $500 average ticket = $15,000,000
In addition, Merchant A will be responsible for fines and monitoring expenses.
Example of Monetary Loss to Businesses
• 6 Credit Cards compromised
  – Level 4 Merchant
  – $36,000
• 40 Million Credit Cards compromised
  – Service Provider
  – Put out of business
• Laptop Stolen with card data
  – Level 4 Merchant
  – $110,000
• More Level 4 Merchants are compromised than any other group!
Fraud Costs
• Lost Goods & Services
• Investigation Costs
• Card Re-issuance
• Fines
Merchant Classifications
• Level 1
  – All Channels
  – >6MM Visa or MC transactions per year
• Level 2
  – All Channels
  – 1MM to 6MM Visa or MC transactions per year
• Level 3
  – 20,000 - 999,999 e-commerce Visa or MC transactions per year
• Level 4
  – <20,000 Visa or MC e-commerce transactions per year, or
  – <1MM non-e-commerce Visa or MC transactions per year
What is a Compromise?
Incidents involving an electronic or physical breach of cardholder information and/or card data
Types of Breaches
Electronic Breach: Data vulnerability in transit and storage; application-level attacks via web servers or websites; private key mismanagement and unauthorized access to encryption keys; identity and access weaknesses in user ID/password based security; misconfigurations and other administrative network performance problems
Physical Breach: Physical theft of documents or equipment (e.g., cardholder receipts, files, PCs, POS terminals, etc.)
Skimming: Capturing magnetic stripe data using an external device (e.g., a card reader or pad attached to an ATM or POS terminal) to create counterfeit cards
Common Vulnerabilities
1) Inappropriate data storage (e.g. full track, CVV2, PIN blocks)
2) Insecure wireless
3) Vendor default settings and passwords (PC Anywhere is extremely vulnerable)
4) Lack of network segmentation (POS system on PC with external internet)
5) Unnecessary and vulnerable services on servers
6) Missing or Outdated Security Patches
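Item 1 above (full track, CVV2 and PIN blocks left in storage, frequently in POS log files as the deck noted earlier) is something a merchant can audit for directly. The scanner below is an added example, not code from the seminar or from TRI: it assumes the standard Track 1 and Track 2 layouts and the Luhn checksum, and its log lines are constructed for illustration.

```python
"""Audit scanner for card data left in log files (added example, not from the
seminar deck). Finds Track 1/Track 2 records and bare PANs, drops digit runs
that fail the Luhn check, and reports PANs masked to first six / last four."""
import re

# Track 1: %B<PAN>^<NAME>^YYMM...   Track 2: ;<PAN>=YYMM<service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked_pan) findings for one log line."""
    findings = []
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        findings += [(kind, mask(m.group(1))) for m in rx.finditer(line)
                     if luhn_ok(m.group(1))]
    if not findings:  # report bare PANs only when no track record was found
        findings += [("PAN", mask(m.group(1))) for m in PAN_RE.finditer(line)
                     if luhn_ok(m.group(1))]
    return findings

def scan_log(text: str) -> list:
    """Return (line_no, kind, masked_pan) for every finding in the log text."""
    return [(n, kind, masked) for n, line in enumerate(text.splitlines(), 1)
            for kind, masked in scan_line(line)]

# Constructed sample POS log: line 2 logs a full swipe, line 3 a bare PAN,
# line 4 a digit run that fails Luhn and so is not reported.
SAMPLE_LOG = """\
2024-01-15 12:30:45 POS01 auth ok amount=42.17 ref=000123456789012
2024-01-15 12:31:02 POS01 swipe raw=%B4111111111111111^DOE/JANE^2512101?;4111111111111111=25121015432112345678?
2024-01-15 12:31:09 POS02 auth ok card=5555555555554444 amount=18.00
2024-01-15 12:31:20 POS02 auth declined card=4111111111111112 amount=5.00
"""
```

Run `scan_log` over exported POS, web server and database log files; any TRACK1 or TRACK2 hit means prohibited data is being stored and the logging configuration needs fixing, not just the log purged.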
PCI DSS Basic Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
PCI DSS Basic Requirements
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
PCI DSS Basic Requirements
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security that all employees are informed of and adhere to
What Does Each Merchant Need to Provide to Their Credit Card Processing Bank?
• Complete and validate an Annual PCI Self-Assessment Questionnaire
• Complete Quarterly Network Scans to check your systems for vulnerabilities
• Do annual penetration testing to test that your systems are hacker-resistant
• Ensure that these security scans are performed by a qualified independent scan vendor
Safe Harbor
• Safe harbor provides members protection from fines and compliance exposure in the event a merchant or service provider experiences a compromise. To attain safe harbor status:
• A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation
• A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance
• It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise
Keeping your Business Compliant
• DO NOT STORE TRACK, PIN OR CVV2 / CVC2 data.
• Educate your employees on PCI DSS Compliance and associated risks
• Ensure your third party POS vendors are PCI DSS compliant (anyone touching your data for any purpose)
• Utilize a Qualified Data Security Assessment Firm
Websites for More Information
• www.visa.com/cisp
• sdp.mastercardintl.com for compliance tips and PCI DSS requirements
• www.pcisecuritystandards.org
• www.transactionresources.com/pci/