PCI Compliance – Love it, Hate it, but Don’t Ignore it (11NTCpci)
Stephen J. Michaele
Posted 18-Nov-2014

Page 1: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI Compliance – Love it, Hate it, but Don’t Ignore it (11NTCpci)

Stephen J. Michaele

Page 2: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Session Evaluation

Each entry via text or web is a chance to win great NTEN prizes throughout the day!

Session Evaluations Powered By:

TEXT: Text <Insert Session Hashtag Here> to 69866.

ONLINE: Use <Insert Session Hashtag Here> at http://nten.org/ntc/eval

Page 3: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Agenda

• The PCI DSS Standard
  – What is it? Who are the major actors in the process?
• The Scope of the PCI Standard
  – How to get started
• Common Myths of PCI
• Developing a Process to Achieve Compliance
  – The PCI Prioritized Approach
• Beyond PCI Compliance – What’s Next
• Wrap Up and Final Questions

Page 4: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Page 5: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

What is PCI DSS?

• PCI DSS = Payment Card Industry Data Security Standard
• Developed by the PCI Security Standards Council

“The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.”

http://www.pcisecuritystandards.org

Page 6: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

SSC, QSA, ASV… Who’s in Charge Here?

Card Brands
  • Track compliance
  • Issue fines and incentives

Security Standards Council
  • Creates and promotes the standard
  • Certifies auditors

Card-Issuing Banks

Acquiring Banks
  • Process transactions
  • Gather compliance reports

Qualified Security Assessors
  • Audit merchants
  • Report to acquiring banks

Approved Scan Vendors
  • Scan merchants
  • Report to acquiring banks

Merchants: Level 1, Level 2, Level 3, Level 4

Source: InformationWeek – PCI and the Circle of Blame

Page 7: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

How Much Are You Willing to Risk?

Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches.

Page 8: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

How Secure are You?

Page 9: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Requirements for Merchant Levels and the PCI DSS

Level 1 – Merchants processing over 6 million Visa transactions annually (all channels)
  • Annual Report on Compliance by QSA
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 2 – Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3 – Merchants processing 20,000 to 1 million Visa transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4 – Merchants processing less than 20,000 Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV
  • Compliance validation requirements set by acquirer

Source: Individual Card Company Websites

Page 10: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Selecting an SAQ – Five Types

SAQ A – Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ B – Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

SAQ C-VT – Merchants using only web-based virtual terminals, no electronic cardholder data storage.

SAQ C – Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ D – All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Page 11: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

The Card Authorization Process

1. A customer purchases a product or service from your store

2. The payment gateway encrypts data and securely sends it through the payment processing network

3. The transaction is reviewed for authorization or decline, and the results are sent back through the Payflow payment gateway

4. Your customer receives a confirmation receipt and you fulfill the order

5. Once the transaction is processed, funds are transferred from the customer’s bank account to your merchant bank

Source: http://www.paypal.com

Page 12: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

What is the Scope of the PCI Standard?

Process – Store – Transmit

Source: Information Supplement – PCI DSS Wireless Guideline

Page 13: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI DSS is a Comprehensive Standard Containing Technology, Process, and Monitoring Requirements

• Build and Maintain a Secure Network
  – Install and maintain a firewall configuration to protect data (18)
  – Do not use vendor-supplied defaults for system passwords and other security parameters (11)
• Protect Cardholder Data
  – Protect stored cardholder data (22)
  – Encrypt transmission of cardholder data across open, public networks (3)
• Maintain a Vulnerability Management Program
  – Use and regularly update anti-virus software or programs (3)
  – Develop and maintain secure systems and applications (34)

Page 14: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI DSS is a Comprehensive Standard Containing Technology, Process, and Monitoring Requirements (continued)

• Implement Strong Access Control Measures
  – Restrict access to cardholder data by business need-to-know (9)
  – Assign a unique ID to each person with computer access (20)
  – Restrict physical access to cardholder data (26)
• Regularly Monitor and Test Networks
  – Track and monitor all access to network resources and cardholder data (23)
  – Regularly test security systems and processes (9)
• Maintain an Information Security Policy
  – Maintain a policy that addresses information security for employees and contractors (44)

Page 15: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Ten Common Myths of PCI DSS

• One vendor and product will make us compliant
• Outsourcing card processing makes us compliant
• PCI compliance is an IT project
• PCI will make us secure
• PCI is unreasonable; it requires too much
• PCI requires us to hire a Qualified Security Assessor
• We don’t take enough credit cards to be compliant
• We completed a SAQ so we’re compliant
• PCI makes us store cardholder data
• PCI is too hard

https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf

Page 16: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

The Compliance Process Will Force You to Address Security Issues at a Detailed Level

Page 17: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Automated Scans are a Valuable Tool for Monitoring and Maintaining Secure Systems

Page 18: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Manage Achieving PCI Compliance as a Major Cross-Functional Effort

• Assign a project manager and build a team
  – IT, Finance, HR, Legal, etc.
• Assume you’ll need some budget dollars to help address compliance issues
• Hold regularly scheduled meetings
• Track progress on closing compliance items at an individual item level and produce status reports
• Build accountability into your ongoing processes

Page 19: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Solicit Participation – What Do You Need From Your Organization

• Support for the initiative within individual groups
  – Communication about its importance and value
  – Participation in and support for the ongoing review processes
• Become aware of security issues
  – Question potential vendors and partners on their compliance with PCI standards
  – Reengineer processes to be more secure
  – Share data on a need-to-know basis
  – Classify and label information appropriately
  – If there’s a question about data security, don’t guess at the answer; ask someone who knows
• Question your people
  – We’re searching for credit card data in paper or electronic form; if you’ve got it, let us know about it so it can be appropriately protected

Page 20: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Where is the Credit Card Data?

• What are the existing processes you know about (and what don’t you know)?
• Existing web forms?
• Email system?
• On local desktops and laptops? Excel files, Word docs, CSV files, PDF reports…
• On your network?
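The slide asks where card numbers are hiding in spreadsheets, documents, mailboxes and network shares. The following discovery scanner is an added example written for this transcript, not material from the presentation or its author. It pulls candidate primary account numbers (PANs) out of text, discards most false positives with the Luhn mod-10 check that card numbers satisfy, and reports only a masked form of each match so the inventory itself does not become another store of cardholder data. The donations export is constructed for the example (the card numbers in it are publicly known test numbers), and the file name and column layout are assumptions.

```python
from __future__ import annotations

import re
from pathlib import Path
from typing import NamedTuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (which rules out many IDs).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so a report never contains a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Hit(NamedTuple):
    source: str      # file name or label of the scanned text
    line_no: int     # 1-based line where the PAN was found
    masked_pan: str  # masked PAN, safe to record in an inventory


def scan_text(text: str, source: str = "<text>") -> list[Hit]:
    """Find Luhn-valid PANs in text and return masked hits only."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(Hit(source, line_no, mask(digits)))
    return hits


def scan_file(path: str | Path) -> list[Hit]:
    """Scan one text-like file (CSV, TXT, exported mail) for PANs."""
    p = Path(path)
    return scan_text(p.read_text(errors="replace"), str(p))


# Constructed sample: a donations export of the kind found on a finance
# laptop. The card numbers are well-known test numbers, not real accounts;
# the third row fails the Luhn check and the fourth holds only a phone number.
SAMPLE_CSV = """donor_id,name,card,amount
1001,A. Donor,4111 1111 1111 1111,50.00
1002,B. Donor,5555-5555-5555-4444,25.00
1003,C. Donor,1234 5678 9012 3456,10.00
1004,D. Donor,call 732-555-0199,5.00
"""

if __name__ == "__main__":
    # "donations_export.csv" is an assumed name; scan_file() does the same for a real file.
    for hit in scan_text(SAMPLE_CSV, "donations_export.csv"):
        print(f"{hit.source}:{hit.line_no}: {hit.masked_pan}")
```

Run against the sample, the scanner reports lines 2 and 3 only: the non-Luhn number on line 4 and the phone number on line 5 are skipped. Binary formats (Excel, Word, PDF) need a text extraction step in front of scan_text, and in practice the masked output is what goes into the data inventory the slide calls for.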

Page 21: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI Prioritized Approach

1. Remove sensitive authentication data and limit data retention.
2. Protect the perimeter, internal, and wireless networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts, and ensure all controls are in place.

Source: The Prioritized Approach to Pursue PCI DSS Compliance

Page 22: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI Prioritized Approach Example

Source: The Prioritized Approach to Pursue PCI DSS Compliance

Page 23: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

What Changes Did Personnel See?

• Tighter physical security (badges, camera surveillance for server rooms and central storage rooms)
• Tighter access controls to information resources (strong passwords frequently changed, no shared accounts, access to data more closely logged)
• Paper storage of data limited based upon business requirements (two years) – stored data inventoried, older data securely disposed
• More formalized information access and security policies requiring annual reviews and signoffs
• Additional review of third-party agreements when payments are being accepted on our behalf
• Background checks for personnel with access to credit card data (including IT, finance, customer service, etc.)

Page 24: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

PCI Compliance Isn’t an Activity But a Process

PCI Compliance cycle: Plan → Do → Study (Test) → Act

Page 25: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Lifecycle Process for Changes to PCI DSS

Source: https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Page 26: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

What’s On the Horizon?

• Massachusetts Data Security Law 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth
  – Pertains to anyone that owns or licenses personal information about a resident of Massachusetts
  – Personal information is defined as last name and first name (or initial) in combination with SSN, driver’s license number, or financial information (credit/debit card, financial account info, etc.)
• States are considering more of these laws
• Be prepared to secure all personal information

Page 27: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Recapping: 10 Things You Should Now Know About PCI Compliance

1. PCI DSS is not an international, federal, or state law; it is an information security standard developed by the PCI Security Standards Council (see http://www.pcisecuritystandards.org).
2. Any business that stores, processes, or transmits credit card data is responsible for complying with the standard.
3. Compliance and enforcement of the standard are mandated by the various payment card brands (VISA, MC, AMEX, etc.). This includes the assessment of any fines or penalties associated with a security breach of the data.
4. The easiest route to compliance is to not store, process, or transmit credit card data – outsource everything related to credit card processing (this is often an unrealistic approach).
5. If you must handle credit card data you should seek to: centralize it, protect it, and monitor access to it.

Page 28: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Recapping: 10 Things You Should Now Know About PCI Compliance (continued)

6. There are five different Self-Assessment Questionnaires (SAQs) ranging from simple to extremely complex, based upon how a business handles credit card data.
7. At its most complex level, the standard covers twelve requirement areas in six major categories of compliance and 200+ individual questions. A defined set of information security standards, policies, and procedures is a major component of the compliance process (and often one of the most difficult to implement).
8. In order to be compliant you must be compliant with every individual requirement and pass automated security scans of eCommerce systems handling credit card data.
9. You need to be as concerned about your business processes as you are about technology processes in order to be compliant.
10. Compliance and security are an ongoing process, not a single project.

Page 29: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Where Can You Get Help and More Info

• PCI Security Standards Council Website: http://www.pcisecuritystandards.org
• Individual Payment Card Brand Websites/Email Addresses:
  – American Express: http://www.americanexpress.com/datasecurity or Email: [email protected]
  – VISA: http://www.visa.com/cisp or Email: [email protected]
  – MasterCard: http://www.mastercard.com/sdp or Email: [email protected]
  – Discover: http://discovernetwork.com/fraudsecurity/disc.html or Email: [email protected]
  – JCB: http://www.jcb-global.com/english/pci/index.html or Email: [email protected]

Page 30: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

Where Can You Get Help and More Info (continued)

• 2009 Verizon Data Breach Investigations Report – http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
• SANS Institute (SysAdmin, Audit, Network, Security) – http://www.sans.org

Page 31: PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)

We Can Keep the Conversation Going

• My Coordinates
  – Email: [email protected]
  – Phone: (732) 548-6100 x19
  – LinkedIn: www.linkedin.com/in/smichaele
  – Website: www.csystemsllc.net