PCI Compliance Seminar

PCI DSS Education & Compliance Seminar

Many card-accepting businesses have felt the pain associated with a network penetration and data breach. It can happen to you! Learn how the bad guys are doing their dirty work and how you can protect your business. David Frick, Phil Kluge and Jesse Snyder are co-founders of Transaction Resources, Inc. (TRI). TRI offers innovative payment processing solutions to merchants by combining the latest technologies with a passion for customer service and competitive rates. Transaction Resources, Inc., doing business as TRI, is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA.

Uploaded by dlinehan2, posted 25-Dec-2014



What is PCI DSS?

• Payment Card Industry Data Security Standard


Is There a Single Standard for the Payment Card Industry?

• Yes. PCI DSS was established jointly by Visa, MasterCard, American Express, JCB, Discover and Diners Club so that the card brands share a single standard


To Whom Does PCI DSS Apply?

“PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce”, no matter the size of the business.

In short: all merchants.


How is Compliance Achieved?

• Adherence to the requirements laid out under PCI DSS

• Identification and remediation of vulnerabilities through the compliance validation process


Why Were the PCI Data Security Standards Established?

• Cyber crime is growing in diversity and sophistication

• Integrated POS Systems are increasingly targeted

– Frequently, magnetic stripe data is stolen from log files rather than from traditional databases

– Sensitive data is often stored without the merchant knowing it, which creates risk

– Hackers are targeting centralized servers with Internet connectivity, not just e-commerce merchants


What are the Account Data Compromise Impacts?

• Counterfeit cards and fraud

• Significant chargeback risk

• Penalties, fines, losses

• Negative media coverage

• Damage to reputation

• Re-issuance and monitoring of cards

• Impacts to consumer confidence

• Potential of new legislation


Fraud Loss Example

SCENARIO: Merchant A is storing track data on its server. A fraudster hacks into the system and steals cardholder track data, creates counterfeit plastics from the stolen data, and these plastics are subsequently used at Merchants A, B, C and D.

QUESTION: Is Merchant A liable for losses that result from use of the counterfeit cards at Merchant A?

ANSWER: Yes


Fraud Loss Example (continued)

QUESTION: Is Merchant A liable for losses that result from use of the counterfeit cards at Merchants B, C or D?

ANSWER: Yes. Merchant A may become liable for the fraud losses that occurred from the compromised cards at Merchants B, C and D through the compliance case process.


Fraud Loss Example (continued)

EXAMPLE: 500,000 cards stolen; 10,000 cards used fraudulently at each of Merchants B, C and D = 10,000 x 3 merchants = 30,000 cards.

COMPLIANCE CASE PROCESS: 30,000 cards x $500 average ticket = $15,000,000.

In addition, Merchant A will be responsible for fines and monitoring expenses.


Example of Monetary Loss to Businesses

• 6 credit cards compromised, Level 4 merchant: $36,000

• 40 million credit cards compromised, service provider: put out of business

• Laptop stolen with card data, Level 4 merchant: $110,000

• More Level 4 merchants are compromised than any other group!


Fraud Costs

• Lost goods and services

• Investigation costs

• Card re-issuance

• Fines


Merchant Classifications

• Level 1 (all channels): more than 6 million Visa or MasterCard transactions per year

• Level 2 (all channels): 1 million to 6 million Visa or MasterCard transactions per year

• Level 3: 20,000 to 999,999 Visa or MasterCard e-commerce transactions per year

• Level 4: fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or fewer than 1 million Visa or MasterCard non-e-commerce transactions per year


What is a Compromise?

Incidents involving an electronic or physical breach of cardholder information and/or card data


Types of Breaches

Electronic breach: data exposed in transit or in storage; application-level attacks through web servers or websites; private-key mismanagement and unauthorized access to encryption keys; weak identity and access control based on user IDs and passwords; misconfigurations and other network administration errors

Physical breach: physical theft of documents or equipment (e.g., cardholder receipts, files, PCs, POS terminals)

Skimming: capturing magnetic stripe data with an external device (e.g., a card reader or pad attached to an ATM or POS terminal) in order to create counterfeit cards


Common Vulnerabilities

1) Inappropriate data storage (e.g., full track data, CVV2, PIN blocks)

2) Insecure wireless

3) Vendor default settings and passwords (pcAnywhere left at its defaults is extremely vulnerable)

4) Lack of network segmentation (POS system on a PC with outside Internet access)

5) Unnecessary and vulnerable services on servers

6) Missing or outdated security patches


PCI DSS Basic Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data and sensitive information across public networks


Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data


Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security, which all employees are informed of and adhere to


What Does Each Merchant Need to Provide to Their Credit Card Processing Bank?

• Complete and validate an annual PCI Self-Assessment Questionnaire (SAQ)

• Complete quarterly network scans to check your systems for vulnerabilities

• Do annual penetration testing to test that your systems are hacker-resistant

• Ensure that the quarterly scans are performed by a qualified independent scan vendor (a PCI SSC Approved Scanning Vendor, ASV)


Safe Harbor

• Safe harbor provides members protection from fines and compliance exposure in the event a merchant or service provider experiences a compromise. To attain safe harbor status:

• A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation

• A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance

• It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise


Keeping Your Business Compliant

• DO NOT STORE TRACK, PIN OR CVV2 / CVC2 data.

• Educate your employees on PCI DSS compliance and the associated risks

• Ensure your third-party POS vendors are PCI DSS compliant (anyone touching your data for any purpose)

• Use a qualified data security assessment firm (a PCI Qualified Security Assessor, QSA)
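The slides warn that magnetic-stripe data is often stolen from log files (slide 6) and that track, PIN and CVV2/CVC2 data must never be stored (slides 21 and 27). The scanner below is an added example written for this page, not code from TRI or the seminar. It finds full track 1 / track 2 data, Luhn-valid bare PANs and CVV-style fields in log lines, and reports PANs only in the truncated first-6/last-4 form that PCI DSS permits to be kept. The log format is an assumption and the sample lines are constructed; the card numbers are the standard Visa and MasterCard test PANs, not real accounts.

```python
"""
Added example (not from the TRI seminar): scan POS or application log lines
for cardholder data that must never be stored. Detects track 1 / track 2
data, bare PANs (Luhn-validated) and CVV2/CVC2-style fields, and shows the
truncated form (first 6 / last 4) that may be retained instead.
Log format and sample lines are constructed; PANs are standard test numbers.
"""
import re

# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Bare PAN: 13-19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV2/CVC2-style fields in key=value or JSON-ish logs (assumed field names)
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security_code)\b\W{0,3}(\d{3,4})\b")


def luhn_ok(pan):
    """Luhn mod-10 check; weeds out order IDs and timestamps that merely look like PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Truncate to first 6 and last 4 digits, the most PCI DSS allows to be shown or kept in the clear."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line):
    """Return a list of findings for one log line; PANs are reported only in masked form."""
    findings = []
    track_pans = set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            track_pans.add(m.group(1))
            findings.append({"type": kind, "pan": mask_pan(m.group(1))})
    for m in CVV_RE.finditer(line):
        findings.append({"type": "cvv", "field": m.group(1)})
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        # skip PANs already reported as part of track data, and non-Luhn digit runs
        if digits in track_pans or not luhn_ok(digits):
            continue
        findings.append({"type": "pan", "pan": mask_pan(digits)})
    return findings


def scan_log(lines):
    """Map 1-based line number -> findings, for the lines that have any."""
    return {n: f for n, f in ((i, scan_line(ln)) for i, ln in enumerate(lines, 1)) if f}


# Constructed sample log (not a real capture); 4111... and 5555... are test PANs
SAMPLE_LOG = [
    '2014-12-01 10:02:11 POS01 auth req track2=";4111111111111111=25121010000000000000?" amt=42.10',
    '2014-12-01 10:02:12 POS01 auth resp code=00 order=20141201100212',
    '2014-12-01 10:03:40 web01 checkout pan=5555555555554444 cvv2=123 exp=1225',
    '2014-12-01 10:05:02 POS02 swipe "%B4111111111111111^DOE/JOHN^251210100000000000000?"',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(n, findings)
```

Run it over your own POS, web-server and application logs one line at a time. The Luhn check drops most random digit runs (the 14-digit order number above is ignored), but a Luhn-valid order or serial number will still be reported, so treat each hit as a lead to review rather than a verdict. Any confirmed hit means two fixes: securely purge the affected logs, and change the logging code so the data is never written in the first place.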


Websites for More Information

• www.visa.com/cisp

• sdp.mastercardintl.com (compliance tips and PCI DSS requirements)

• www.pcisecuritystandards.org

• www.transactionresources.com/pci/
