PCI COMPLIANCE
Why it's important to your business
What is PCI
In 2004 the Payment Card Industry Data Security Standard
(PCI DSS) was created by the four major credit card brands
– Visa, MasterCard, Discover and American Express. In
2006 JCB joined these four to form the PCI Security
Standards Council (PCI SSC), which establishes additional
security standards and maintains the existing ones.
Ensure you are compliant: the consequences of a breach at a
non-compliant entity can include:
    100% responsibility for cardholder losses
    Card brand fines up to $500,000 per incident
    Forensic investigation expenses as high as $100,000


IT Compliance Consulting                                   2
Terminology of Who’s Who
Visa and MasterCard are made up of Member organisations
which can be Acquirers, Issuers or both
Acquirers are the Members of the Visa or MasterCard
organisations which handle Merchants
Issuers are the Members of the Visa or MasterCard
organisations that issue the cards to Cardholders
Merchants are those entities who “accept” card transactions
Cardholders are consumers like you and me
Service Providers are the entities that provide any service
requiring the processing, storing or transport of card information
on behalf of any of the above
Who must comply
The Payment Card Industry Data Security Standards (PCI-DSS)
apply to all members, merchants and service providers that
store, process or transmit cardholder data
Additionally, these security requirements apply to all system
components which are defined as any network component,
server or application included in, or connected to, the
cardholder data environment
Although compliance is universally required, compliance
validation requirements can vary
    By classification: Service Providers (entities that process, store, or transmit
    cardholder data on behalf of other entities) have stronger validation
    requirements than Merchants
    By size: Entities that process larger volumes have stronger validation
    requirements than those who process smaller volumes
Responsibilities
MasterCard was responsible for certifying products and
companies capable of fulfilling the scanning requirements
   These are referred to as Approved Scanning Vendors (ASVs)
Visa was responsible for training and certifying companies and
individuals capable of fulfilling the on-site audit requirements
   Such companies are called Qualified Security Assessors (QSAs)
Since the formation of the PCI SSC in 2006 the Council administers
both the ASV and the QSA programmes; the card brands still run their
own compliance programmes and set the merchant levels and fines
The other PCI organisations are contributors to the standards




Data in Scope
Cardholder Data
   PAN (Primary Account Number)
   Cardholder Name
   Service Code
   Expiration Date
The PAN must always be protected when stored in any form, electronic or
paper; the name, service code and expiration date must be protected whenever
they are stored together with the PAN
Sensitive Authentication Data
    Three elements
        Full magnetic stripe data (track 1 or track 2, or the equivalent data on a chip)
        CVV2/CVC2/CID (the printed security code)
        PIN / PIN Block
None of this data may ever be stored after authorization, even if encrypted
Cardholder Data: Storage Guidelines

Category                         Data Element                     Storage permitted   Protection required
Cardholder Data                  Primary Account Number (PAN)     Yes                 Yes
                                 Cardholder Name*                 Yes                 Yes*
                                 Service Code*                    Yes                 Yes*
                                 Expiration Date*                 Yes                 Yes*
Sensitive Authentication Data    Full Magnetic Stripe Data        No                  N/A
                                 CVV2/CVC2/CID                    No                  N/A
                                 PIN / PIN Block                  No                  N/A

* These data elements must be protected if stored in conjunction with the PAN


Protect your Business and your Customers
With data security compromises on the rise, it is more important than ever to
take measures to safeguard your customers and your business
Criminals or “hackers” can pose a risk to your business both on-site and
remotely, making it necessary to implement procedures to protect your
sensitive data, whether it is stored in a file cabinet or on a computer
The largest breach in history at the time – up to 94 million card numbers stolen,
disclosed in 2007 – occurred at TJX, the large US clothing retailer behind T.J. Maxx.
TJX agreed to pay about $60 million to the card networks to settle claims
    11 people involved in the TJX hacks were charged, coming from the US, Ukraine, China,
    Estonia and Belarus
A commonly cited estimate holds that 70% of all database breaches are internal


What are the costs of a security breach?
The costs associated with a compliance failure or data breach can
be very high for any merchant or service provider, especially
a small or medium sized business. These costs include:
   Forensic investigation of computer or point of sale systems: $10,000 -
   $20,000
   Replacement cards for breached accounts: $20-$30 per card
   Card Association fines for non-compliance with the PCI Standard, up to
   $500,000
   Loss of business reputation and customer loyalty, and potentially of the
   ability to accept cards at all


Common excuses after a security breach
       I thought my IT Department was taking care of that
       I thought we had a secure website with a firewall
       I didn’t know my filing cabinets had to be secured
       I didn’t know 70% of all database breaches are internal
       I thought outsourcing to a vendor relieved me of the
       responsibility
       My bank never mentioned anything about PCI to me
       The merchant agreement with the bank didn’t specifically
       indicate we would be responsible for fines


Compliance-Validation-Attestation
       Compliance - Adherence to the standard
             Applies to every merchant/ service provider regardless of volume
             Applies to both technical and business practices

       Validation - Verification that the merchant/ service provider is
       compliant with the standard
             Depends upon the type of card capture method(s) utilized
             Three validation mechanisms
                 Self-Assessment Questionnaire (SAQ), annually – applies to every merchant
                 that is not required to have an on-site assessment
                 External vulnerability scanning, quarterly – applies if external-facing IP
                 addresses are involved (web and POS software). Must be performed by an
                 Approved Scanning Vendor (ASV)
                 On-site assessment by a Qualified Security Assessor (QSA), annually – applies
                 to Level 1 merchants and service providers
       Attestation - Providing proof of validation to the card processor (acquirer)
             The card processor reports to Visa and MasterCard
             Attest whenever requested by the card processor
Card Capture Channels
Card Present (the card can be swiped): face to face transactions
    All credit cards
    PIN-based debit cards with the Visa/ MasterCard logo
Card Not Present (the card cannot be swiped): remote transactions
    All credit cards
    Debit cards with the Visa/ MasterCard logo
    Through the Internet
    Mail / Telephone Order (MOTO)
    Interactive Voice Response (IVR)

  Requirements to be followed are determined primarily by the card capture method being utilized
Do’s to become PCI Compliant
                  Build and maintain a secure network
                  Protect cardholder data
                  Segregation of duties by department
                  Maintain a vulnerability management program
                  Implement strong access control measures
                  Regularly monitor and test networks
                  Maintain an information security policy



Don'ts to stay PCI compliant
     Transmitting credit card numbers unsecured by
          Fax
          E-mail
          Text message
          Instant messaging
     Storing audio recordings that contain the security code (CVV2, CVC2, etc.)
     Storing full magnetic stripe track data (one of the most
     common violations of PCI DSS)
     Storing CVV2/CVC2/CID any time after the transaction has
     been authorized
     Forgetting about paper copies and the disk drives in
     multifunction printers
Easy Improvements
Store Less Data
    Don’t store cardholder data unless there is a compelling business reason to do so
    Determine where credit card data exists in your organization, what it is used for
    and why it is needed
    Eliminate “shadow databases” (Excel worksheets, etc.)
    View online reports, don’t download them (downloading = storing)
    Ensure your systems don’t store magnetic stripe data by default
    Retaining CVV2/ CVC2/ CID data or the PIN after authorization is never
    allowed
Better Access Controls
    Limit cardholder data to employees with a “need to know”
    Segment databases and networks, thereby limiting the scope of PCI
    Implement the requirements specified in the Standard, as identified in the annual Self
    Assessment Questionnaire (SAQ)
Establish formal written Policies and Procedures
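The "determine where credit card data exists" step above is normally done with a discovery scan over file shares, mail stores, spreadsheets and logs. What follows is an added example written for this page, not code from the original slides or from IT Compliance Consulting: a small Python PAN finder that matches runs of digits, confirms them with the Luhn check and a coarse issuer-prefix check, and reports only masked values (first six and last four digits) so that the scan report does not itself become another copy of cardholder data. The candidate pattern, the prefix ranges and the sample text are assumptions of the example; the card numbers in it are the brands' public test numbers.

```python
"""PAN discovery for a cardholder-data inventory (added example, not the slides' own tooling).

Finds runs of 13-19 digits, confirms them with the Luhn check and a coarse issuer
prefix check, and reports only masked values so the report holds no PANs itself.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. (Assumed pattern; tune it for your own data.)
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Coarse issuer identification from the leading digits (simplified IIN ranges)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    if n == 16 and 3528 <= int(digits[:4]) <= 3589:
        return "JCB"
    return None


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 display rule: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line number, brand, masked PAN) for each confirmed card number."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                hits.append((lineno, brand, mask_pan(digits)))
    return hits


# Constructed sample: a spreadsheet export, an e-mail, a shipping note and a POS log.
# The card numbers are the brands' public test numbers, not real accounts.
SAMPLE = """\
customer,pan,amount
Alice,4111 1111 1111 1111,19.99
Bob,5555555555554444,5.00
From: refunds@example.com  card 378282246310005 refund approved
order 20240101123045 shipped, tracking 1234567890123456
POS log: auth ok card=6011-1111-1111-1117 ts=1700000000
"""

if __name__ == "__main__":
    for lineno, brand, masked in find_pans(SAMPLE):
        print(f"line {lineno}: {brand} {masked}")
```

Line 5 of the sample produces nothing: the order number has no card-brand shape and the tracking number fails Luhn. Order numbers and timestamps that happen to pass Luhn are the usual false positives of this kind of scan, so review hits in context, and extend the candidate pattern if your exports split a PAN across cells or lines.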
Compliance Levels of Merchants

Merchant level                          Quarterly vulnerability scan      Self-Assessment Questionnaire   Penetration test*
Level 1                                 Required, in addition to an       Not required (the on-site       Required (annually)
> 6 million transactions,               annual on-site certification      assessment replaces it)
or previously compromised
Level 2                                 Required                          Required (annually)             Required (annually)
> 1 million transactions
Level 3                                 Required                          Required (annually)             Required (annually)
> 20K e-commerce transactions
Level 4                                 Required                          Recommended (annually)          Recommended (annually)
< 20K e-commerce transactions and
< 1 million total transactions

*   Against external-facing IP addresses of systems that store, process or transmit cardholder data


Compliance Levels of Service Providers

Service provider level                  Quarterly vulnerability scan      Self-Assessment Questionnaire   Penetration test*
Level 1                                 Required, in addition to an       Not required                    Required (annually)
All processors and                      annual on-site certification
payment gateways
Level 2                                 Required, in addition to an       Required***                     Required (annually)
Not level 1 and stores,                 annual on-site certification**
processes or transmits
more than 1 million transactions
Level 3                                 Required                          Required                        Recommended (annually)
Not level 1 and stores,
processes or transmits
less than 1 million transactions

*     Against external-facing IP addresses of systems that store, process or transmit cardholder data
**    On-site certification required only by MasterCard as of 2011
***   Required annually only by Visa
Service Providers
It is the responsibility of the merchant to utilize compliant service
providers
    If the service provider is not compliant, then the merchant is not compliant
    Any fines for breaches are levied on the merchant, not on the service provider
Examples of Service Providers
    Gateway and Web Hosting
    Backup Storage and IT Infrastructure
PCI Requirement 12.8 applies, requiring the merchant to “manage”
the service provider:
    Maintaining a “written agreement” specifying the service provider’s responsibility
    for compliance
    Performing due diligence to ensure PCI compliance prior to engagement
    Monitoring the service provider’s compliance status
Monitoring the Service Provider
    Some vendors are listed as compliant by Visa or MasterCard. The merchant should
    obtain “evidence” of compliance from the vendor (e.g. the Attestation of Compliance
    (AoC) that accompanies a Report on Compliance, RoC)
    The merchant cannot answer the SAQ truthfully if the requirements are not met
PCI DSS Structure
              Is made up of six key sections:
                   Build and maintain a secure network
                   Protect cardholder data
                   Maintain a vulnerability management program
                   Implement strong access control measures
                   Regularly monitor and test networks
                   Maintain an information security policy

              Each section has a set of Requirements, for example:
               Build and maintain a secure network
                  Requirement 1: Install and maintain a firewall configuration to protect
                  cardholder data.
                  Requirement 2: Do not use vendor-supplied defaults for system
                  passwords and other security parameters.

PCI DSS Structure, Continued
Each Requirement has a rationale and a set of subrequirements specified for
review, e.g.
    Requirement 1: Install and maintain a firewall configuration to protect data
      Firewalls are computer devices that control computer traffic allowed into
       a company’s network from the outside, as well as traffic into more
       sensitive areas within a company’s internal network. All systems need to
       be protected from unauthorized access from the Internet, whether for
       e-commerce, employees’ Internet-based access via desktop browsers,
       or employees’ email access. Often, seemingly insignificant paths to and
       from the Internet can provide unprotected pathways into key systems.
       Firewalls are a key protection mechanism for any computer network
    Requirement 1.1 Establish firewall configuration standards that include:
          1.1.1 A formal process for approving and testing all external network connections
          and changes to the firewall configuration
          1.1.2 A current network diagram with all connections to cardholder data,
          including any wireless networks
          1.1.3 Requirements for a firewall at each Internet connection and between any
          DMZ and the Intranet
Building and Maintaining a Secure Network
Requirement 1:
  Install and maintain a firewall configuration to protect
  cardholder data. Internet firewall security needs to be installed
  and functional on all computers, payment applications and POS
  systems using IP connectivity, including those with a dial up
  connection to the internet
Requirement 2:
  Do not use vendor supplied defaults for system passwords and
  other security parameters. Passwords should be personalized
  for all users. All unnecessary services should be disabled


Protecting Cardholder Data
Requirement 3:
  Protect stored cardholder data. Do not store the contents of the track
  data from the magnetic stripe on the credit card or the CVV2 or CVC2
  information (the 3 digit code on the back of the card) after authorization.
  Wherever the PAN is stored it must be rendered unreadable (strong encryption,
  truncation, tokenization or a strong one-way hash), and it must be masked
  when displayed (at most the first six and last four digits)
       Only store cardholder account information that is essential to your business. Hard
       copies of reports and paper receipts must be placed in a secured area and
       shredded when discarded. Implement a policy on how long data will be stored
       for and why (i.e. business or legal purposes)
Requirement 4:
  Encrypt transmission of cardholder data across open or public networks.
  Cardholder data sent over the Internet, wireless networks or other public
  networks must be protected with strong cryptography (e.g. TLS), and the PAN
  must never be sent unprotected by end-user messaging such as e-mail

Maintaining a Vulnerability
                   Management Program
Requirement 5:
  Use and regularly update anti-virus software. Install and
  maintain updated anti-virus software on all computers and
  servers. Malware such as Trojans and backdoors is one of the most
  common ways attackers get into payment systems
Requirement 6:
  Develop and maintain secure systems and applications. Check
  with your software supplier to ensure you are using the latest
  version. You can also verify whether your software and version are
  included on the PCI Security Standards Council’s Validated
  Payment Application list
      Old technology and software is an open invitation to attackers. Don’t take for
      granted that your supplier has informed you of possible vulnerabilities or updates.
      Remember it is you who will be subject to fines if your business is compromised
Implementing Strong Access Control Measures
Requirement 7:
  Restrict access to cardholder data on a need-to-know
  basis. Complex passwords should always be used to limit
  access to cardholder information
Requirement 8:
  Assign a unique ID to each person with computer access.
  Ensure each employee has a unique user name and
  password to restrict access to computers and transaction
  systems’ data. Make sure you update passwords when
  any employee leaves who had access to cardholder data
Requirement 9:
  Restrict physical access to cardholder data
Regularly Monitoring and Testing Networks/ Maintaining
            an Information Security Policy
Requirement 10:
  Track and monitor all access to network resources (i.e. computers and
  transaction systems) and to cardholder data. You must be able to show
  proof of tracking (audit logs that are retained and reviewed)
Requirement 11:
  Regularly test security systems and processes. Document a policy
  for testing of security systems and processes. You must be able to
  show proof of testing of your internet security and policy
  processes
Requirement 12:
  Maintain a policy that addresses information security. Document
  and maintain an enforceable policy that details safeguarding of
  payment card information
PCI-DSS relative to other standards
[Figure: PCI-DSS positioned relative to other standards. The horizontal axis
runs from Generic to Prescriptive; the vertical axis runs from lower to higher
consistency of controls (and expertise required). Plotted, from generic to
prescriptive: ISO 17799-2000, HIPAA SR, GLBA SR, SOX 404, PCI-DSS.]
Milestones for Prioritizing PCI DSS
                Compliance efforts
The Prioritized Approach includes six milestones. The list below
summarizes the high-level goals and intentions of each milestone.
1. Remove sensitive authentication data and limit data retention.
    This milestone targets a key area of risk for entities that have
    been compromised. Remember – if sensitive authentication and
    other cardholder data is not stored, the effects of a compromise
    will be greatly reduced. If you don’t need it, don’t store it!

2. Protect the perimeter, internal and wireless networks. This
   milestone targets controls for points of access to most
   compromises – the network or a wireless access point

Milestones for Prioritizing PCI DSS
            Compliance efforts cont.
3. Secure payment card applications. This milestone targets
   controls for applications, application processes and
   application servers. Weaknesses in these areas offer easy prey
   for compromising systems and obtaining access to cardholder
   data

4. Monitor and control access to your systems. Controls for this
   milestone let you detect who is accessing your network and cardholder
   data environment, what they do, when, and how

Milestones for Prioritizing PCI DSS
              Compliance efforts cont.
5. Protect stored cardholder data. For those organizations that
   have analyzed their business processes and determined that
   they must store Primary Account Numbers, milestone five
   targets key protection mechanisms for that stored data

6. Finalize remaining compliance efforts and ensure all controls
   are in place. The intent of milestone six is to complete PCI DSS
   requirements and finalize all remaining related policies,
   procedures and processes needed to protect the cardholder
   data environment

On-site Assessment
Is a detailed audit against the PCI Data Security Standard
Potentially targets all systems and networks that store, process and/
or transmit cardholder information
Includes review of contractual relationships, but not assessment of
the Third Parties themselves
Must be performed by a Qualified Security Assessor (QSA) company
qualified by the PCI SSC, such as Trustwave
The biggest difficulties in on-site reviews are the initial scoping
and the subsequent cost of remediation to compliant levels
The QSA provides a Report on Compliance (RoC) when compliant, for
submission to the Acquirer. Interim reports may be asked for by the
Acquirer
On-site Review Practicalities
Make sure you scope correctly
    The appropriate placement of a stateful firewall can reduce the scope
    dramatically
If not compliant, it will be necessary to submit planning
information on how compliance will be achieved
    This will be monitored and policed both by your QSA and Acquirer
It may be possible to use compensating controls to meet a
requirement
    Must be controls over and above what is already specified, and
    Must meet the intent of the requirement
    At the discretion of the QSA and must be agreed to by the Acquirer


PCI DSS Control Evaluation
The PCI Security Audit Procedures give some guidance on
what will be checked for. An example of this can be seen by:
6.3.7 Review of custom code prior to release to production or customers, to identify
any potential coding vulnerability

Testing procedure
      6.3.7.a - Obtain and review written policies to confirm they dictate that code
      reviews are required, and must be performed by individuals other than the
      originating author of the code
      6.3.7.b - Confirm that code reviews are occurring for new code as well as after
      code changes



Tokenization
 This technology replaces sensitive cardholder data (the
 PAN in particular) with a randomly generated token that stands in for
 the data; the mapping from token back to PAN lives only in a token vault.
 Tokenization removes actual cardholder data from the systems that hold
 only tokens and brings the following benefits:

      Scope reduction, by allowing fewer system components to have
      access to real cardholder data – the most significant benefit
      Cardholder data security can be improved when encryption of the
      vault is combined with tokenization
      Avoids most of the key management burden of encryption in the
      systems that replace stored PANs with tokens (the vault itself
      still needs encryption, key management and the full set of PCI DSS controls)
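To make the tokenization slide and the Requirement 3 point about rendering the PAN unreadable concrete, here is an added example written for this page (not code from the slides, from IT Compliance Consulting or from any vendor's product): a minimal token vault in Python. Systems outside the vault keep only the token and a masked display value; only the vault can map a token back to a PAN. The index key, the keyed-fingerprint index used to give a repeat customer the same token, the leading-9 token convention and the sample PANs (public test numbers) are all assumptions of the example.

```python
"""Minimal token vault (added example, not a product or the slides' own code).

Systems outside the vault keep only tokens; only the vault can map a token back
to the PAN, so those systems hold no cardholder data and drop out of PCI scope.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Stays inside the cardholder data environment and must itself be protected
    (encrypted storage, key management, access control, logging)."""

    def __init__(self, index_key: bytes):
        # Assumed design: a keyed fingerprint lets the same PAN map to the same token
        # (repeat-customer analytics) without keying the index by the plaintext PAN.
        self._index_key = index_key
        self._token_to_pan = {}   # token -> PAN
        self._fp_to_token = {}    # HMAC(PAN) -> token

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length as the PAN, last four digits kept so receipts and customer
        # service still work, leading "9" (no major brand issues from it) so a token
        # is never mistaken for a live PAN. The rest is random: nothing is derivable.
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 5))
            token = "9" + body + pan[-4:]
            if token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN-shaped value")
        fp = self._fingerprint(pan)
        if fp in self._fp_to_token:
            return self._fp_to_token[fp]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._fp_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, inside the CDE, can do this; callers need explicit authorisation."""
        return self._token_to_pan[token]


def mask(pan: str) -> str:
    """Display form allowed by PCI DSS 3.3: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's order database stores: a token and a masked display
    value, never the PAN. This record is all that leaves the vault."""
    return {"token": vault.tokenize(pan), "display": mask(pan), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"            # public Visa test number, not a real account
    order = record_order(vault, pan, 19.99)
    print(order)
    assert vault.detokenize(order["token"]) == pan
```

The scope reduction the slide describes follows from where the two dictionaries live: the order system holds `token` and `display` only, so a compromise there yields nothing usable, while the vault (and its index key) remains fully in scope and is the one place that needs encryption and key management.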
Network Security Scanning
Targets Internet facing devices, systems and applications
including
    routers and firewalls
    servers and hosts (including virtual)
    applications

A passing scan may not contain any issue of severity 3 or greater on the
scanner's five-point scale:
    5 (Urgent) - Trojan Horses, file read and write exploits, remote
    command execution
    4 (Critical) - Potential Trojan Horses, file read exploit
    3 (High) - Limited exploit



Security Incident Plan
Requirements of:
    Card Association Rules
    Requirement number 12 of the PCI DSS
    OSC’s policy -“Merchant Cards Security Incident Plan”

Basic points
    Must have a formal plan
    Applies to both technology and paper breaches
    Acquirer must be notified in all cases – immediately
    Card associations take into consideration timeliness of reporting when
    determining fines for breach



Limit Personnel Access to Restricted Data
Background checks must be performed prior to hiring for any
positions with unrestricted access to cardholder data (not
necessary for cashier level personnel with access to only one
card at a time)
All personnel involved in credit card transactions must attend
security training annually
Physical and logical access only granted on a ‘need to know’
basis



FAQ's
Q: Am I PCI compliant if my point-of-sale system is compliant?
A: No. PCI compliance goes beyond the hardware or software used for payment
   card processing. You are expected to be compliant with the Payment Card
   Industry Data Security Standard (PCI DSS). The PCI DSS contains 12
   requirements addressing 6 core principles for network architecture, cardholder
   data protection, vulnerability management, access controls, network monitoring
   and testing, and information security policies. These include items such as
   policies for storing reports/receipts, physical access to data, passwords, etc.
   Using a validated payment application and/ or a PCI approved PIN Entry
   Device (PED) may aid in reducing the scope of potential areas requiring
   attention. However, to be considered PCI compliant, you must validate your
   compliance by completing and passing the PCI SAQ and network vulnerability
   scans (if applicable)
FAQ’s
Q: As a merchant, I did not sign anything saying I would be compliant; therefore,
   I don’t need to be
A: The PCI standard forms part of the operating regulations that are the rules
   under which merchants are allowed to operate merchant accounts. The
   regulations signed when you open an account at the bank state that the VISA
   regulations have to be adhered to. Even if you have been in business for
   decades, PCI still applies if you store, process or transmit credit card data

Q: Who needs to comply with the PCI DSS?
A: ALL organizations, regardless of size or number of transactions, that process,
   store or transmit cardholder data must comply with the PCI DSS. Essentially,
   all merchants with a Merchant Identification number (MID) and all service
   providers that touch cardholder data are required to comply with the PCI DSS.
PCI Glossary
CISP - Visa’s Cardholder Information Security Program
SDP - MasterCard’s Site Data Protection Program
PCI SSC - Payment Card Industry Security Standards Council
PCI DSS - Payment Card Industry Data Security Standard *
PCI PA-DSS - PCI Payment Application Data Security Standard *
PTS - PIN Transaction Security Standard *
QSA - Qualified Security Assessor (e.g., Trustwave)
ASV - Approved Scanning Vendor (e.g., Trustwave)
SAQ - Self Assessment Questionnaire (A, B, C, or D)
* Note: Three separate standards can apply




Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management Compliance
 
Building Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access ManagementBuilding Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access Management
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organizationSoc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organization
 

Semelhante a 1. PCI Compliance Overview

pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptgealehegn
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminardlinehan2
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
PCI DSS Training compliance training for companies
PCI DSS Training compliance training for companiesPCI DSS Training compliance training for companies
PCI DSS Training compliance training for companiesgealehegn
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfssuserbcc088
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperBen Rothke
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National CertificationMark Pollard
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 

Semelhante a 1. PCI Compliance Overview (20)

Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI Compliance Seminar
PCI Compliance SeminarPCI Compliance Seminar
PCI Compliance Seminar
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI DSS Training compliance training for companies
PCI DSS Training compliance training for companiesPCI DSS Training compliance training for companies
PCI DSS Training compliance training for companies
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdfpci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White Paper
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Visa Compliance Mark National Certification
Visa Compliance Mark National CertificationVisa Compliance Mark National Certification
Visa Compliance Mark National Certification
 
Pcitf iiw10
Pcitf   iiw10Pcitf   iiw10
Pcitf iiw10
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 

1. PCI Compliance Overview

  • 1. PCI COMPLIANCE: Why it's important to your business
  • 2. What is PCI
    In 2004 the Payment Card Industry Data Security Standard (PCI-DSS) was created by the 4 major credit card brands – Visa, MasterCard, Discover and American Express. In 2006 JCB joined these four to form the PCI Security Standards Council (PCI SSC), establishing additional security standards and updating the existing ones.
    Ensure you are compliant so you avoid costly security breaches that can include:
      100% responsibility for cardholder losses
      Card brand fines up to $500,000 per incident
      Forensic investigation expenses as high as $100,000
    IT Compliance Consulting 2
  • 3. Terminology of Who's Who
    Visa and MasterCard are made up of Member organisations who can be either Acquirers, Issuers or both
    Acquirers are the Members of the Visa or MasterCard organisations which handle Merchants
    Issuers are the Members of the Visa or MasterCard organisations that issue the cards to Cardholders
    Merchants are those entities who "accept" card transactions
    Cardholders are consumers like you and me
    Service Providers are the entities that provide any service requiring the processing, storing or transport of card information on behalf of any of the above
  • 4. Who must comply
    The Payment Card Industry Data Security Standard (PCI-DSS) applies to all members, merchants and service providers that store, process or transmit cardholder data
    Additionally, these security requirements apply to all system components, defined as any network component, server or application included in, or connected to, the cardholder data environment
    Although compliance is universally required, compliance validation requirements can vary:
      By classification: Service Providers (entities that process, store, or transmit cardholder data on behalf of other entities) have stronger validation requirements than Merchants
      By size: Entities that process larger volumes have stronger validation requirements than those who process smaller volumes
  • 5. Responsibilities
    MasterCard is responsible for certifying products and companies capable of fulfilling the scanning requirements. These are referred to as Approved Scanning Vendors (ASVs)
    Visa is responsible for training and certifying companies and individuals capable of fulfilling the on-site audit requirements. Such companies are called Qualified Security Assessors (QSAs)
    The other PCI organisations are contributors to the standards
  • 6. Data in Scope
    Cardholder Data
      PAN (Primary Account Number)
      Cardholder Name
      Card verification code (CVV, CVC)
      Expiration Date
    Apart from the cardholder name, all other data must be protected when stored in any form, electronic or paper
    Authentication Data
      Referred to as Track Data (1 or 2)
      Three elements:
        Full Magnetic Stripe Data
        CVV2/CVC2/CID2 (Security Code)
        PIN / PIN Block
      None of this data can ever be stored after authorization
  • 7. Cardholder Data: Storage Guidelines
    Data Element                        Storage permitted   Protection required
    Cardholder Data
      Primary Account Number (PAN)      Yes                 Yes
      Cardholder Name*                  Yes                 Yes*
      Service Code*                     Yes                 Yes*
      Expiration Date                   Yes                 Yes*
    Sensitive Authentication Data
      Magnetic Stripe                   No                  N/A
      CVV2/CVC2/CID2                    No                  N/A
      PIN / PIN Block                   No                  N/A
    * These data elements must be protected if stored in conjunction with the PAN
  • 8. Protect your Business and your Customers
    With data security compromises on the rise, it is more important than ever to take measures to safeguard your customers and your business
    Criminals or "hackers" can pose a risk to your business both on-site and remotely, making it necessary to implement procedures to protect your sensitive data, whether it is stored in a file cabinet or on a computer
    The largest breach in history, 94 million card numbers stolen in 2007, occurred at TJ Maxx, a large US clothing retailer. They agreed to pay $60 million to card networks to settle complaints
    11 TJ Maxx hackers were caught, coming from the US, Ukraine, China, Estonia and Belarus
    70% of all database breaches are internal
  • 9. What are the costs of a security breach?
    The costs associated with a compliance failure or data breach can be very high for any merchant or service provider, especially a small or medium sized business owner. These costs include:
      Forensic investigation of computer or point of sale systems: $10,000 - $20,000
      Replacement cards for breached accounts: $20-$30 per card
      Card Association fines for non-compliance with the PCI Standard, up to $500,000
      Loss of business reputation and customer loyalty, and potentially credit card acceptance
  • 10. Common excuses after a security breach
    I thought my IT Department was taking care of that
    I thought we had a secure website with a firewall
    I didn't know my filing cabinets had to be secured
    I didn't know 70% of all database breaches are internal
    I thought outsourcing to a vendor relieved me of the responsibility
    My bank never mentioned anything about PCI to me
    The merchant agreement with the bank didn't specifically indicate we would be responsible for fines
  • 11. Compliance - Validation - Attestation
    Compliance: adherence to the standard
      Applies to every merchant/service provider regardless of volume
      Applies to both technical and business practices
    Validation: verification that the merchant/service provider is compliant with the standard
      Depends upon the type of card capture method(s) utilized
      Two types of Validation:
        Self-Assessment Questionnaire (SAQ): annually – applies to every merchant
        Vulnerability Scanning: quarterly – applies if external-facing IP addresses are involved (Web and POS Software). Must be performed by a Qualified Scanning Vendor (QSV)
    Attestation: providing proof of validation to the card processor
      Card processor reports to Visa and MasterCard
      Attest whenever requested by the card processor
  • 12. Card Capture Channels
    Card Present (card can be swiped)
      • All Credit Cards
      • PIN based debit cards with the Visa/MasterCard logo
      Face to Face transactions
    Card Not Present (card cannot be swiped)
      • All Credit Cards
      • Debit cards with the Visa/MasterCard logo
      Remote transactions:
        • Through the Internet
        • Mail / Telephone Order (MOTO)
        • Interactive Voice Response (IVR)
    Requirements to be followed are determined primarily by the card capture method being utilized
  • 13. Do's to become PCI Compliant
    Build and maintain a secure network
    Protect cardholder data
    Segregation of duties by department
    Maintain a vulnerability management program
    Implement strong access control measures
    Regularly monitor and test networks
    Maintain an information security policy
  • 14. Don'ts to stay PCI compliant
    Transmitting credit card numbers unsecured by Fax, E-mail, Text message or Instant messaging
    Storing audio recordings of CVV, CVC, etc.
    Storing full Magnetic Stripe track data (one of the most common violations of PCI-DSS)
    Storing CVV2/CVC2/CID2 any time after the transaction has been authorized
    Forgetting about paper copies and disk drives in multifunctional printers
  • 15. Easy Improvements
    Store Less Data
      Don't store cardholder data unless there is a compelling business reason to do so
      Determine where credit card data exists in your organization, what it is used for and why it is needed
      Eliminate "shadow databases" (Excel worksheets, etc.)
      View online reports, don't download them (downloading = storing)
      Ensure your systems don't store magnetic stripe data by default
      Retaining CVV2/CVC2/CID2 data and the PIN after authorization is never allowed
    Better Access Controls
      Limit cardholder data only to employees with a "need to know"
      Segment databases and networks, thereby limiting the scope of PCI
      Implement the requirements specified in the Standard, as identified in the annual Self Assessment Questionnaire (SAQ)
      Establish formal written Policies and Procedures
  • 16. Compliance Levels of Merchants
    Level 1: > 6 million transactions, or previously compromised
      Quarterly Network Vulnerability Scan: Required, in addition to annual on-site certification
      Self-Assessment Questionnaire: Not Required
      Security Scan (Penetr. test)*: Required (annually)
    Level 2: > 1 million transactions
      Quarterly Network Vulnerability Scan: Required
      Self-Assessment Questionnaire: Required (annually)
      Security Scan (Penetr. test)*: Required (annually)
    Level 3: > 20K e-commerce txs.
      Quarterly Network Vulnerability Scan: Required
      Self-Assessment Questionnaire: Required (annually)
      Security Scan (Penetr. test)*: Required (annually)
    Level 4: < 20K e-commerce txs. and < 1 million total txs.
      Quarterly Network Vulnerability Scan: Required
      Self-Assessment Questionnaire: Recommended (annually)
      Security Scan (Penetr. test)*: Recommended (annually)
    * External facing IP addresses that only store cardholder data
  • 17. Compliance Levels of Service Providers
    Level 1: All processors and payment gateways
      Quarterly Network Vulnerability Scan: Required, in addition to annual on-site certification
      Self-Assessment Questionnaire: Not Required
      Security Scan (Penetr. test)*: Required (annually)
    Level 2: Not level 1, and stores, processes or transmits more than 1 million txs.**
      Quarterly Network Vulnerability Scan: Required, in addition to annual on-site certification***
      Self-Assessment Questionnaire: Required (annually)
      Security Scan (Penetr. test)*: Required
    Level 3: Not level 1, and stores, processes or transmits less than 1 million txs.
      Quarterly Network Vulnerability Scan: Required
      Self-Assessment Questionnaire: Required (annually)
      Security Scan (Penetr. test)*: Recommended
    * External facing IP addresses that only store cardholder data
    ** On-site certification required only by MasterCard as of 2011
    *** Required annually only by VISA
  • 18. Service Providers
    It is the responsibility of the merchant to utilize compliant service providers. If the service provider is not compliant, then the merchant is not compliant. Any fines for breaches pertain to the merchant, not to the service provider
    Examples of Service Providers: Gateway and Web Hosting; Backup Storage and IT Infrastructure
    PCI Requirement 12.8 applies, requiring the merchant to "manage" the service provider:
      Maintaining a "written agreement" specifying the service provider's responsibility for compliance
      Performing due diligence to ensure PCI compliance prior to engagement
      Monitoring the service provider's compliance status
    Monitoring the Service Provider
      Some vendors are registered as compliant by Visa or MC. The merchant should obtain "evidence" of compliance from the vendor (e.g. Report on Compliance – RoC)
      The merchant cannot answer the SAQ truthfully if requirements are not met
  • 19. PCI DSS Structure
    Is made up of six key sections:
      Build and maintain a secure network
      Protect cardholder data
      Maintain a vulnerability management program
      Implement strong access control measures
      Regularly monitor and test networks
      Maintain an information security policy
    Each section has a set of Requirements, for example:
      Build and maintain a secure network
        Requirement 1: Install and maintain a firewall configuration to protect data.
        Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • 20. PCI DSS Structure, Continued
    Each Requirement has a rationale and a set of sub-requirements specified for review, e.g.
    Requirement 1: Install and maintain a firewall configuration to protect data
      Firewalls are computer devices that control computer traffic allowed into a company's network from the outside, as well as traffic into more sensitive areas within a company's internal network. All systems need to be protected from unauthorized access from the Internet, whether for e-commerce, employees' Internet-based access via desktop browsers, or employees' email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network
      Requirement 1.1: Establish firewall configuration standards that include:
        1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration
        1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks
        1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the Intranet
  • 21. Building and Maintaining a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
      Internet firewall security needs to be installed and functional on all computers, payment applications and POS systems using IP connectivity, including those with a dial-up connection to the internet
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
      Passwords should be personalized for all users. All unnecessary services should be disabled
  • 22. Protecting Cardholder Data
    Requirement 3: Protect stored cardholder data.
      Do not store the contents of the track data from the magnetic stripe on the credit card or the CVV or CVC information (3 digit code on the back of the card) post authorization
      Only store cardholder account information that is essential to your business. Hard copies of reports and paper receipts must be placed in a secured area and shredded when discarded.
      Implement a policy on how long data will be stored and why (i.e. business or legal purposes)
    Requirement 4: Encrypt transmission of cardholder data across open or public networks.
      Databases and files containing payment card information must be encrypted. Encryption software is required for systems using internet connectivity for transmission of cardholder information
  • 23. Maintaining a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software.
      Install and maintain updated anti-virus software on all computers and servers. The number one reason for hacker fraud is Trojan or Backdoor virus intrusion
    Requirement 6: Develop and maintain secure systems and applications.
      Check with your software supplier to ensure you are using the latest version. You can also verify if your software and version are included on the PCI Security Standards Council's Validated Payment Application list
      Old technology and software is an open invitation for hackers. Don't take for granted that your supplier has informed you of possible vulnerabilities or updates. Remember, it is you that will be subject to fines if your business is compromised
  • 24. Implementing Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data on a need-to-know basis.
      Complex passwords should always be used to limit access to cardholder information
    Requirement 8: Assign a unique ID to each person with computer access.
      Ensure each employee has a unique user name and password to restrict access to computers and transaction systems' data. Make sure you update passwords when any employee leaves who had access to cardholder data
    Requirement 9: Restrict physical access to cardholder data
  • 25. Regularly Monitoring and Testing Networks / Maintaining an Information Security Policy
    Requirement 10: Track and monitor all access to cardholder data and to network resources (i.e. computers and transaction systems).
      You must be able to show proof of tracking
    Requirement 11: Regularly test security systems and processes.
      Document a policy for testing of security systems and processes. You must be able to show proof of testing of your internet security and policy processes
    Requirement 12: Maintain a policy that addresses information security.
      Document and maintain an enforceable policy that details safeguarding of payment card information
  • 26. PCI-DSS relative to other standards
    [Chart: standards positioned by "Consistency of controls" against "Expertise required", on a scale from Generic to Prescriptive. Standards shown: PCI-DSS, SOX 404, GLBA SR, HIPAA SR, ISO 17799-2000]
  • 27. Milestones for Prioritizing PCI DSS Compliance efforts
    The Prioritized Approach includes six milestones. The list below summarizes the high-level goals and intentions of each milestone.
    1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication and other cardholder data is not stored, the effects of a compromise will be greatly reduced. If you don't need it, don't store it!
    2. Protect the perimeter, internal and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point
  • 28. Milestones for Prioritizing PCI DSS Compliance efforts, cont.
    3. Secure payment card applications. This milestone targets controls for applications, application processes and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data
    4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when and how concerning who is accessing your network and cardholder data environment
  • 29. Milestones for Prioritizing PCI DSS Compliance efforts, cont.
    5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, milestone five targets key protection mechanisms for that stored data
    6. Finalize remaining compliance efforts and ensure all controls are in place. The intent of milestone six is to complete PCI DSS requirements and finalize all remaining related policies, procedures and processes needed to protect the cardholder data environment
  • 30. On-site Assessment
    Is a detailed audit against the PCI Data Security Standard
    Potentially targets all systems and networks that store, process and/or transmit cardholder information
    Includes review of contractual relationships, but not assessment of the Third Parties themselves
    Must be performed using an offering from a Visa certified Qualified Security Assessor (QSA) such as Trustwave
    Biggest difficulties in having on-site reviews are the initial scoping and the subsequent cost of correction to compliant levels
    The QSA provides a report on compliance when compliant, for submission to the Acquirer. Interim reports may be asked for by the Acquirer
  • 31. On-site Review Practicalities
    Make sure you scope correctly: the appropriate placement of a stateful firewall can reduce the scope dramatically
    If not compliant, it will be necessary to submit planning information on how compliance will be achieved. This will be monitored and policed both by your QSA and Acquirer
    It may be possible to use compensating controls to meet a requirement:
      Must be controls over and above what is already specified, and
      Must meet the intent of the requirement
      At the discretion of the QSA, and must be agreed to by the Acquirer
  • 32. PCI DSS Control Evaluation
    The PCI Security Audit Procedures give some guidance on what will be checked for. An example:
    6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability
      Testing procedure 6.3.7.a - Obtain and review written policies to confirm they dictate that code reviews are required, and must be performed by individuals other than the originating author of the code
      Testing procedure 6.3.7.b - Confirm that code reviews are occurring for new code as well as after code changes
  • 33. Tokenization
    This new technology replaces sensitive cardholder data (the PAN in particular) with a randomized token that represents the data. Tokenization eliminates the storage of actual cardholder data and brings the following benefits:
      Scope reduction, by allowing fewer system components to have access to real cardholder data – the most significant benefit
      Cardholder data security can be improved when data encryption is combined with tokenization
      Avoids the complexity of key management requirements when replacing encryption
  • 34. Network Security Scanning
    Targets Internet facing devices, systems and applications, including:
      routers and firewalls
      servers and hosts (including virtual)
      applications
    May not have any severity 3 or greater issues:
      5 (Urgent) - Trojan Horses, file read and write exploits, remote command execution
      4 (Critical) - Potential Trojan Horses, file read exploit
      3 (High) - Limited exploit
  • 35. Security Incident Plan
    Requirements of:
      Card Association Rules
      Requirement number 12 of the PCI DSS
      OSC's policy - "Merchant Cards Security Incident Plan"
    Basic points:
      Must have a formal plan
      Applies to both technology and paper breaches
      Acquirer must be notified in all cases – immediately
      Card associations take into consideration timeliness of reporting when determining fines for breach
  • 36. Limit Personnel Access to Restricted Data
    Background checks must be performed prior to hiring for any positions with unrestricted access to cardholder data (not necessary for cashier level personnel with access to only one card at a time)
    All personnel involved in credit card transactions must attend security training annually
    Physical and logical access only granted on a "need to know" basis
  • 37. FAQs
    Q: Am I PCI compliant if my point-of-sale system is compliant?
    A: No. PCI compliance goes beyond the hardware or software used for payment card processing. You are expected to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS contains 12 requirements addressing 6 core principles for network architecture, cardholder data protection, vulnerability management, access controls, network security and information security policies. These include items such as policies for storing reports/receipts, physical access to data, passwords, etc. Using a validated payment application and/or a PCI-approved PIN Entry Device (PED) may aid in reducing the scope of potential areas requiring attention. However, to be considered PCI compliant, you must validate your compliance by completing and passing the PCI SAQ and network vulnerability scans (if applicable)
  • 38. FAQs
    Q: As a merchant, I did not sign anything saying I would be compliant; therefore, I don't need to be
    A: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit card data
    Q: Who needs to comply with the PCI DSS?
    A: ALL organizations, regardless of size or number of transactions, that process, store or transmit cardholder data must comply with the PCI DSS. Essentially, all merchants with a Merchant Identification number (MID) and all service providers that touch cardholder data are required to comply with the PCI DSS.
  • 39. PCI Glossary
    CISP - Visa's Cardholder Information Security Program
    SDP - MasterCard's Site Data Protection Program
    PCI SSC - Payment Card Security Standards Council
    PCI DSS - Payment Card Industry Data Security Standard*
    PCI PA-DSS - PCI Payment Application Data Security Standard*
    PTS - PIN Transaction Security Standard*
    QSA - Qualified Security Assessor (e.g., Trustwave)
    ASV - Approved Scanning Vendor (e.g., Trustwave)
    SAQ - Self Assessment Questionnaire (A, B, C, or D)
    * Note: Three separate standards can apply
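The storage guidelines (slides 6, 7, 14 and 15) say what may be kept after authorization and that sensitive authentication data never may be, and the tokenization slide (33) says replacing the PAN with a random token takes everything that holds only tokens out of scope. The Python below is an added illustration of both, not code from the deck or from IT Compliance Consulting. It assumes a simple in-memory vault, recognises stripe data by the ISO/IEC 7813 track 1 and track 2 prefixes and PANs by the Luhn check, masks a PAN to its first six and last four digits, and runs a discovery scan over constructed log lines; the card numbers are the usual industry test numbers, not real accounts.

```python
"""Tokenization vault, post-authorization storage gate and cardholder-data discovery scan.
Added illustration (not the deck's code); card numbers are industry test numbers only."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Slides 6/7: sensitive authentication data (tracks, CVV2/CVC2/CID2, PIN) is never stored post-auth.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid2", "pin", "pin_block"}
# ISO/IEC 7813 track layouts: track 1 begins "%B<PAN>^", track 2 begins ";<PAN>=".
TRACK_DATA_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")
# Candidate PANs are 13 to 19 digit runs; the Luhn check weeds out order numbers etc.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation: every card PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class TokenVault:
    """In-memory vault (an assumption of the example); tokens are random, so only the vault
    ever holds a real PAN, which is the scope reduction slide 33 describes."""
    _pan_by_token: Dict[str, str] = field(default_factory=dict)
    _token_by_pan: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:  # the same PAN always maps to the same token
            token = "tok_" + secrets.token_hex(16)  # 128 random bits, unrelated to the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def storage_violations(auth_record: dict) -> List[str]:
    """Every reason the record may not be stored as-is; an empty list means it may be."""
    present = sorted(FORBIDDEN_FIELDS & set(auth_record))
    reasons = [f"sensitive authentication data field {name!r}" for name in present]
    for name, value in auth_record.items():
        if isinstance(value, str) and TRACK_DATA_RE.search(value):
            reasons.append(f"magnetic stripe track data inside field {name!r}")
    return reasons

def record_for_storage(auth_record: dict, vault: TokenVault) -> dict:
    """What may be kept: the PAN swapped for a token plus a masked copy; a record carrying
    any sensitive authentication data is rejected outright rather than scrubbed."""
    reasons = storage_violations(auth_record)
    if reasons:
        raise ValueError("storage policy violation: " + "; ".join(reasons))
    stored = {k: v for k, v in auth_record.items() if k != "pan"}
    stored["pan_token"] = vault.tokenize(auth_record["pan"])
    stored["pan_masked"] = mask_pan(auth_record["pan"])
    return stored

def find_cardholder_data(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan text (logs, CSV exports, a 'shadow database' dump) for PANs and track data;
    returns (line number, finding type, masked evidence) so the report holds no card data."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if TRACK_DATA_RE.search(line):
            findings.append((lineno, "track_data", "<redacted>"))
        for match in PAN_CANDIDATE_RE.finditer(line):
            if luhn_valid(match.group()):
                findings.append((lineno, "pan", mask_pan(match.group())))
    return findings

# Constructed samples: an authorized record, the same record with track 2 data left in it
# (a swipe), and log lines that leak a PAN, a stripe and, harmlessly, an order reference.
SAMPLE_AUTH = {"pan": "4111111111111111", "cardholder_name": "J. DOE",
               "expiration_date": "2512", "service_code": "101", "amount": "42.00"}
SAMPLE_SWIPE = dict(SAMPLE_AUTH, track2=";4111111111111111=25121011234567890?")
SAMPLE_LOG = ["2024-01-05 10:00:01 order=1001 token=tok_0123456789abcdef0123456789abcdef",
              "2024-01-05 10:00:02 DEBUG raw card 4111111111111111 exp 2512",
              "2024-01-05 10:00:03 DEBUG swipe ;5555555555554444=2512101123456789?",
              "2024-01-05 10:00:04 order=1002 ref 1234567890123 shipped"]

def demo() -> dict:
    """Run the samples through the gate, the vault and the scan; returns the results."""
    vault = TokenVault()
    stored = record_for_storage(SAMPLE_AUTH, vault)
    return {"stored": stored,
            "round_trip_ok": vault.detokenize(stored["pan_token"]) == SAMPLE_AUTH["pan"],
            "swipe_violations": storage_violations(SAMPLE_SWIPE),
            "findings": find_cardholder_data(SAMPLE_LOG)}

if __name__ == "__main__":
    print(demo())
```

Running the file prints the tokenized record (no `pan` key, only `pan_token` and `pan_masked`), the two reasons the swiped record is refused, and the scan findings for lines 2 and 3 of the constructed log. The scan is the kind of check behind "Determine where credit card data exists in your organization" on slide 15: the Luhn filter keeps the order reference on line 4 out of the findings, and the report carries only masked evidence so that it does not become one more copy of cardholder data. The gate rejects rather than strips a record that still carries track data, which matches the deck's point that sensitive authentication data is never stored, not stored and cleaned up later.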