PCI Compliance – Love It, Hate It, but Don't Ignore It (11NTCpci)
Stephen J. Michaele
Agenda
• The PCI DSS Standard
– What is it? Who are the major actors in the process?
• The Scope of the PCI Standard
– How to get started
• Common Myths of PCI
• Developing a Process to Achieve Compliance
– The PCI Prioritized Approach
• Beyond PCI Compliance – What's Next
• Wrap Up and Final Questions
What is PCI DSS?
• PCI DSS = Payment Card Industry Data Security Standard
• Developed by the PCI Security Standards Council
"The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security."
http://www.pcisecuritystandards.org
SSC, QSA, ASV… Who's in Charge Here?
• Card Brands
– Track compliance
– Issue fines and incentives
• Security Standards Council
– Creates and promotes the standard
– Certifies auditors
• Card-Issuing Banks
• Acquiring Banks
– Process transactions
– Gather compliance reports
• Qualified Security Assessors (QSA)
– Audit merchants
– Report to acquiring banks
• Approved Scan Vendors (ASV)
– Scan merchants
– Report to acquiring banks
• Merchants: Level 1, Level 2, Level 3, Level 4
Source: InformationWeek – PCI and the Circle of Blame
How Much Are You Willing to Risk?
Some researchers are reporting that approximately 77% of
people say they would stop shopping at stores that suffer
data breaches.
How Secure are You?
OR
Requirements for Merchant Levels and the PCI DSS
• Level 1 – Merchants processing over 6 million Visa transactions annually (all channels)
– Annual Report on Compliance by QSA
– Quarterly network scan by ASV
– Attestation of Compliance Form
• Level 2 – Merchants processing 1 million to 6 million Visa transactions annually (all channels)
– Annual Self-Assessment Questionnaire
– Quarterly network scan by ASV
– Attestation of Compliance Form
• Level 3 – Merchants processing 20,000 to 1 million Visa transactions annually
– Annual SAQ
– Quarterly network scan by ASV
– Attestation of Compliance Form
• Level 4 – Merchants processing less than 20,000 Visa transactions annually
– Annual SAQ recommended
– Quarterly network scan by ASV
– Compliance validation requirements set by acquirer
Source: Individual Card Company Websites
Selecting an SAQ – Five Types
• SAQ A – Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. This would never apply to face-to-face merchants.
• SAQ B – Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
• SAQ C-VT – Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
• SAQ C – Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
• SAQ D – All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
The Card Authorization Process
1. A customer purchases a product or service from your store
2. The payment gateway encrypts data and securely sends it through the payment processing network
3. The transaction is reviewed for authorization or decline, and the results are sent back through the Payflow payment gateway
4. Your customer receives a confirmation receipt and you fulfill the order
5. Once the transaction is processed, funds are transferred from the customer’s bank account to your merchant bank
Source: http://www.paypal.com
What is the Scope of the PCI Standard?
Any system or process that does one of the following with cardholder data:
• Process
• Store
• Transmit
Source: Information Supplement – PCI DSS Wireless Guideline
PCI DSS is a Comprehensive Standard Containing Technology, Process, and Monitoring Requirements
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data (18)
– Do not use vendor-supplied defaults for system passwords and other security parameters (11)
• Protect Cardholder Data
– Protect stored cardholder data (22)
– Encrypt transmission of cardholder data across open, public networks (3)
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software or programs (3)
– Develop and maintain secure systems and applications (34)
• Implement Strong Access Control Measures
– Restrict access to cardholder data by business need-to-know (9)
– Assign a unique ID to each person with computer access (20)
– Restrict physical access to cardholder data (26)
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data (23)
– Regularly test security systems and processes (9)
• Maintain an Information Security Policy
– Maintain a policy that addresses information security for employees and contractors (44)
Ten Common Myths of PCI DSS
• One vendor and product will make us compliant
• Outsourcing card processing makes us compliant
• PCI compliance is an IT project
• PCI will make us secure
• PCI is unreasonable; it requires too much
• PCI requires us to hire a Qualified Security Assessor
• We don't take enough credit cards to be compliant
• We completed a SAQ so we're compliant
• PCI makes us store cardholder data
• PCI is too hard
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
The Compliance Process Will Force You to Address Security Issues at a Detailed Level
Automated Scans are a Valuable Tool for Monitoring and Maintaining Secure Systems
Manage Achieving PCI Compliance as a Major Cross-Functional Effort
• Assign a project manager and build a team
– IT, Finance, HR, Legal, etc.
• Assume you'll need some budget dollars to help address compliance issues
• Hold regularly scheduled meetings
• Track progress on closing compliance items at an individual item level and produce status reports
• Build accountability into your ongoing processes
Solicit Participation – What Do You Need From Your Organization?
• Support for the initiative within individual groups
– Communication about its importance and value
– Participation in and support for the ongoing review processes
• Become aware of security issues
– Question potential vendors and partners on their compliance with PCI standards
– Reengineer processes to be more secure
– Share data on a need-to-know basis
– Classify and label information appropriately
– If there's a question about data security, don't guess at the answer; ask someone who knows
• Question your people
– "We're searching for credit card data in paper or electronic form. If you've got it, let us know about it so it can be appropriately protected."
Where is the Credit Card Data?
• What are the existing processes you know about (and what don't you know)?
• Existing web forms?
• Email system?
• On local desktops and laptops? Excel files, Word docs, CSV files, PDF reports…
• On your network?
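The discovery step the slides describe, finding card numbers that have leaked into spreadsheets, exports and mailboxes, is usually done with a pattern scan that is then filtered by the Luhn check digit so that order numbers and other 16-digit identifiers do not swamp the report. The following is an added example, not code from the presentation or from the PCI Security Standards Council; the file names and their contents are constructed sample data, and the `scan_documents` function and `Finding` record are assumed names. Anything it reports is masked to the first six and last four digits, which is the most PCI DSS allows to be displayed, so the scan report itself does not become another copy of cardholder data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (a longer run is more likely
# to be a hash, a database key or some other identifier).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; PCI DSS permits no more than that to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str        # which document the number was found in
    line_no: int       # 1-based line within that document
    masked_pan: str    # masked form only; the full PAN is never stored in the report


def scan_documents(docs: Dict[str, str]) -> Tuple[List[Finding], int]:
    """Scan {name: text} documents; return Luhn-valid findings and the count of candidates rejected by Luhn."""
    findings: List[Finding] = []
    rejected = 0
    for name, text in docs.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in PAN_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):
                    findings.append(Finding(name, line_no, mask_pan(digits)))
                else:
                    rejected += 1   # looked like a PAN but fails the check digit
    return findings, rejected


# Constructed sample documents (not real files). The card numbers are the
# well-known industry test numbers, which pass the Luhn check but belong to nobody.
SAMPLE_FILES = {
    "donations_2010.csv": (
        "donor_id,amount,card\n"
        "1001,250.00,4111111111111111\n"
        "1002,75.00,5555 5555 5555 4444\n"
        "1003,40.00,ORDER-1234567890123456\n"      # 16-digit order number, fails Luhn
    ),
    "inbox_export.txt": (
        "From: donor\n"
        "Please charge my Amex 3782-822463-10005 for the gala tickets.\n"
        "Call me at (555) 010-0199 if there is a problem.\n"
    ),
    "notes.txt": "typo'd card 4111 1111 1111 1112 - declined\n",   # one digit off, fails Luhn
}


if __name__ == "__main__":
    found, skipped = scan_documents(SAMPLE_FILES)
    for f in found:
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
    print(f"{len(found)} likely PAN(s), {skipped} candidate(s) rejected by Luhn")
```

Run against a real file share, the same logic would read each file's text (spreadsheets and PDFs need a text extractor first) and feed it to `scan_documents`; what matters for the compliance team is the list of locations, because each one is either something to securely dispose of or something that has just been pulled into PCI scope.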
PCI Prioritized Approach
1. Remove sensitive authentication data and limit data retention.
2. Protect the perimeter, internal, and wireless networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts, and ensure all controls are in place.
Source: The Prioritized Approach to Pursue PCI DSS Compliance
PCI Prioritized Approach Example
Source: The Prioritized Approach to Pursue PCI DSS Compliance
What Changes Did Personnel See?
• Tighter physical security (badges, camera surveillance for server rooms and central storage rooms)
• Tighter access controls to information resources (strong passwords frequently changed, no shared accounts, access to data more closely logged)
• Paper storage of data limited based upon business requirements (two years) – stored data inventoried, older data securely disposed of
• More formalized information access and security policies requiring annual reviews and signoffs
• Additional review of third-party agreements when payments are being accepted on our behalf
• Background checks for personnel with access to credit card data (including IT, finance, customer service, etc.)
PCI Compliance Isn't an Activity But a Process
PCI Compliance cycle: Plan → Do → Study (Test) → Act
Lifecycle Process for Changes to PCI DSS
Source: https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf
What's On the Horizon?
• Massachusetts Data Security Law 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth
– Pertains to anyone that owns or licenses personal information about a resident of Massachusetts
– Personal information defined as last name, first name (or initial) in combination with SSN, driver's license number, or financial information (credit/debit card, financial account info, etc.)
• States are considering more of these laws
• Be prepared to secure all personal information
Recapping: 10 Things You Should Now Know About PCI Compliance
1. PCI DSS is not an international, federal, or state law; it is an information security standard developed by the PCI Security Standards Council (see http://www.pcisecuritystandards.org).
2. Any business that stores, processes, or transmits credit card data is responsible for complying with the standard.
3. Compliance and enforcement of the standard are mandated by the various payment card brands (VISA, MC, AMEX, etc.). This includes the assessment of any fines or penalties associated with a security breach of the data.
4. The easiest route to compliance is to not store, process, or transmit credit card data – outsource everything related to credit card processing (this is often an unrealistic approach).
5. If you must handle credit card data you should seek to: centralize it, protect it, and monitor access to it.
6. There are five different Self-Assessment Questionnaires (SAQ) ranging from simple to extremely complex based upon how a business handles credit card data.
7. At its most complex level, the standard covers twelve requirement areas in six major categories of compliance and 200+ individual questions. A defined set of information security standards, policies, and procedures is a major component of the compliance process (and often one of the most difficult to implement).
8. In order to be compliant you must be compliant with every individual requirement and pass automated security scans of eCommerce systems handling credit card data.
9. You need to be as concerned about your business processes as you are about technology processes in order to be compliant.
10. Compliance and security are an ongoing process, not a single project.
Where Can You Get Help and More Info
• PCI Security Standards Council Website: http://www.pcisecuritystandards.org
• Individual Payment Card Brand Websites/Email Addresses:
– American Express: http://www.americanexpress.com/datasecurity or Email: [email protected]
– VISA: http://www.visa.com/cisp or Email: [email protected]
– MasterCard: http://www.mastercard.com/sdp or Email: [email protected]
– Discover: http://discovernetwork.com/fraudsecurity/disc.html or Email: [email protected]
– JCB: http://www.jcb-global.com/english/pci/index.html or Email: [email protected]
• 2009 Verizon Data Breach Investigations Report – http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
• SANS Institute (SysAdmin, Audit, Network, Security) – http://www.sans.org
We Can Keep the Conversation Going
• My Coordinates
– Email: [email protected]
– Phone: (732) 548-6100 x19
– LinkedIn: www.linkedin.com/in/smichaele
– Website: www.csystemsllc.net