PCI Compliance - The Circuit

Upload: the-circuit

Posted on 02-Dec-2014

TRANSCRIPT

Page 1: PCI Compliance The Circuit


2011

PCI Compliance Fundamentals

Page 2: PCI Compliance The Circuit

What is PCI Compliance?

• PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.

– PCI SSC founding members: American Express, Discover, JCB International, MasterCard, and Visa

• The standards cover:

– Security management and monitoring

– Policies and procedures

– Network architecture

– Software design

• If you accept payment cards, you are required to be compliant with the PCI Data Security Standard.

• PCI as the gold standard: compared to other standards, the requirements are clearly defined

Page 3: PCI Compliance The Circuit

The PCI Data Security Standard

Page 4: PCI Compliance The Circuit

Why Is Compliance with PCI DSS Important?

• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:

– Regulatory notification requirements,

– Loss of reputation,

– Loss of customers,

– Potential financial liabilities (for example, regulatory and other fees and fines), and

– Litigation

Page 5: PCI Compliance The Circuit

Economics of a Credit Card Breach (source: Coalfire)

A hypothetical merchant has 10,000 card numbers and account holder information compromised. What is the potential financial impact to the merchant?

Notify clients and provide privacy guard: $30 x 10,000 = $300,000

Fines and penalties from card brands and acquiring banks: $50,000 to $500,000

Increased PCI audits and requirements for new controls: $50,000 x 3 years = $150,000

Potential costs to re-issue credit cards: 10,000 accounts x $20 = $200,000

Reputation loss: PRICELESS!

Estimates are based on actual incidents examined by Coalfire's forensic team. Fees and services required vary by incident. For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com)

Page 6: PCI Compliance The Circuit

Why Is Compliance with PCI DSS Important?

• Investigations after compromises consistently show common PCI DSS violations, including but not limited to:

– Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.

– Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)

– Default system settings and passwords not changed when system was set up (Requirement 2.1)

– Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4)

– Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)

– Missing and outdated security patches (Requirement 6.1)

– Lack of logging (Requirement 10)

– Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)

– Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)

*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
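The first violation above, track data stored without anyone knowing it, is the one a practitioner can actually go and look for. The script below is an added example (not from the slides or from PCI SSC): it scans text such as POS logs or database dumps for Track 1 and Track 2 data and for bare, Luhn-valid PANs, and reports what it finds with the PAN already masked in the style of Requirement 3.3 (first six and last four digits) so the report itself does not become another copy of cardholder data. The track regexes follow the ISO/IEC 7813 layouts and are an assumption about what your own logs would contain; the sample log is constructed and uses the card brands' published test numbers.

```python
"""Find stored track data and PANs in text, as an added example for the
Requirement 3.2 violation on slide 6. The sample log below is constructed;
the track regexes follow the ISO/IEC 7813 layouts and are an assumption
about the formats your POS logs would contain."""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN candidates: 13 to 19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops most digit runs (IDs, timestamps) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking as in Requirement 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return findings for one line; PANs are reported masked so the report is not itself CHD."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        findings.append({"type": "track1", "pan": mask_pan(m.group(1))})
    for m in TRACK2_RE.finditer(line):
        findings.append({"type": "track2", "pan": mask_pan(m.group(1))})
    # Strip the track matches before the bare-PAN pass so they are not double counted
    rest = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "pan", "pan": mask_pan(digits)})
    return findings


def scan_text(text: str) -> list:
    """Scan multi-line text; each finding carries its 1-based line number."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            f["line"] = lineno
            out.append(f)
    return out


# Constructed POS log excerpt; the PANs are the brands' published test numbers.
# Line 4 carries a 16-digit value that fails Luhn and must not be reported.
SAMPLE_LOG = """\
2011-05-03 10:14:02 POS01 auth ok pan=4111111111111111 amt=19.99
2011-05-03 10:14:05 POS01 debug raw=;4111111111111111=15121011000012345?
2011-05-03 10:15:11 POS02 trace %B5555555555554444^DOE/JOHN^1512101000000000?
2011-05-03 10:16:00 POS02 session id=4111111111111112 status=ok
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['pan']}")
```

Run it over a directory of log files and any "track1" or "track2" hit is a Requirement 3.2 finding on its own; a "pan" hit still needs a look, since Luhn only filters, it does not prove the digits are a card number. The masking also matters when you escalate: a ticket that quotes the full PAN is itself a new place cardholder data is stored.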

Page 7: PCI Compliance The Circuit

What are my organization's requirements?

Page 8: PCI Compliance The Circuit

Self-Assessment Questionnaire

SAQ    Requirement areas      Questions / requirements
A      9 and 12               13
B      3, 4, 7, 9 and 12      29
C-VT   1-7, 9 and 12          51
C      1-9, 11 and 12         80
D      1-12                   286

Does your company store any cardholder data in electronic format?

*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0

Page 9: PCI Compliance The Circuit

Policies and Procedures

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Policies/procedures: Configuration standards, change control approval and testing process, firewall placement, maintaining a current network diagram, description of roles and responsibilities, documentation and business justification of all ports, protocols and services, firewall and router review.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Policies/procedures: Pre-production modifications, configuration hardening standards, removing or disabling insecure and unnecessary services, protocols and functionality, one primary function per server, encrypting all non-console administrative access.

Requirement 3: Protect stored cardholder data
Policies/procedures: Limit duration of data retention, secure deletion, data types retained, display masking, safe storage, encryption key management.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Policies/procedures: Minimum encryption standards, wireless standards.

Requirement 5: Use and regularly update anti-virus software or programs
Policies/procedures: Antivirus validation (current, actively running and generating logs).

Requirement 6: Develop and maintain secure systems and applications
Policies/procedures: Vulnerability identification, ranking and management, patching and patch validation, secure application development and deployment, change control, code reviews.

Requirement 7: Restrict access to cardholder data by business need to know
Policies/procedures: Need-to-know requirements for data access, role-based access.

Requirement 8: Assign a unique ID to each person with computer access
Policies/procedures: Authentication and password management policies and procedures, unique IDs, user verification for password resets, employee termination, removal of inactive users, vendor access, password length, duration and strength.

Requirement 9: Restrict physical access to cardholder data
Policies/procedures: Access control, badge assignment, visitors, media access, distribution and destruction.

Requirement 10: Track and monitor all access to network resources and cardholder data
Policies/procedures: Daily log review, exception handling, log retention and availability.

Requirement 11: Regularly test security systems and processes
Policies/procedures: Detecting and identifying wireless access points, alerting, incident handling and response, IDS/IPS configuration and updates, change control.

Requirement 12: Maintain a policy that addresses information security for employees and contractors
Policies/procedures: Information security policy, risk assessment, daily operational procedures, usage policy, personnel roles and responsibilities, monitoring and analysis, incident response and escalation plan, security awareness program.
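Requirement 6 asks for secure development and code reviews, and slide 6 names the defect those reviews most often exist to catch: SQL injection reaching the database that holds cardholder data. The following is an added example, not code from the slides, showing the vulnerable and the hardened form of the same lookup side by side against an in-memory SQLite table. The table, its column names and its rows are constructed for the demonstration; the PANs are the brands' published test numbers.

```python
"""The SQL injection pattern from slide 6 and its fix, as an added example for
Requirement 6 (secure application development, code reviews). The table and
its rows are constructed; the column names are assumptions."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed cardholder table; the PANs are the brands' published test numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "4111111111111111"), ("bob", "5555555555554444")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """VULNERABLE: the untrusted value is pasted into the SQL text, so quotes in it become SQL."""
    sql = "SELECT customer, pan FROM cards WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened: a bound parameter is handed to the engine as data and is never parsed as SQL."""
    sql = "SELECT customer, pan FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Tautology payload: turns the WHERE clause into  customer = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row in the table
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no such customer: []
```

In a code review the signal is any query string built with `%`, `+`, f-strings or `.format()` from a value that originated outside the process; the fix is always the driver's parameter binding, never escaping by hand. Input validation (for example, restricting `customer` to the characters a real customer ID can contain) is worth adding as defence in depth but is not a substitute for binding.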

Page 10: PCI Compliance The Circuit

Technologies

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Technologies: Firewall (network and personal), routers and switches, file integrity monitoring.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Technologies: Vulnerability scanning / management, VPN.

Requirement 3: Protect stored cardholder data
Technologies: Encryption, backup / data retention.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Technologies: Encryption, VPN, firewall, WAF, IDS/IPS.

Requirement 5: Use and regularly update anti-virus software or programs
Technologies: Antivirus, file integrity monitoring, log management.

Requirement 6: Develop and maintain secure systems and applications
Technologies: Vulnerability scanning / management, patch management, WAF.

Requirement 7: Restrict access to cardholder data by business need to know
Technologies: Firewall, VPN, authentication, application-level access control.

Requirement 8: Assign a unique ID to each person with computer access
Technologies: Multi-factor authentication, application-level access control, firewall, VPN.

Requirement 9: Restrict physical access to cardholder data
Technologies: PCI certified data centers.

Requirement 10: Track and monitor all access to network resources and cardholder data
Technologies: Log management, SIM/SIEM, file integrity monitoring, NTP service.

Requirement 11: Regularly test security systems and processes
Technologies: Vulnerability scanning, IDS/IPS, file integrity monitoring, log management.

Requirement 12: Maintain a policy that addresses information security for employees and contractors
Technologies: Log management, SIM/SIEM, IDS/IPS.

Page 11: PCI Compliance The Circuit

Ten Common Myths of PCI DSS

Myth 1 – One vendor and product will make us compliant

Myth 2 – Outsourcing card processing makes us compliant

Myth 3 – PCI compliance is an IT project

Myth 4 – PCI will make us secure

Myth 5 – PCI is unreasonable; it requires too much

Myth 6 – PCI requires us to hire a Qualified Security Assessor

Myth 7 – We don’t take enough credit cards to be compliant

Myth 8 – We completed a SAQ so we’re compliant

Myth 9 – PCI makes us store cardholder data

Myth 10 – PCI is too hard

*Source: PCI Security Standards Council

Page 12: PCI Compliance The Circuit

Proven PCI management practices

• Limit the scope of the PCI environment

• PCI embedded in an overall security program

• PCI compliant policies, procedures, and training

• Monitoring and reporting

• Due diligence of your service providers and vendors

• Work with a QSA

PCI DSS General Tips and Strategies to Prepare for Compliance Validation

1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks): NEVER STORE THIS DATA

2. Ask your POS vendor about the security of your system

3. Cardholder data: if you don't need it, don't store it!

– Payment brand rules allow for the storage of the Primary Account Number (PAN), expiration date, cardholder name, and service code.

4. Cardholder data: if you do need it, consolidate and isolate it.

5. Compensating controls

*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0