2. Introductions
• About Sean
– Senior IT Assurance and Security Consultant
– PCI Credentials: QSA and PCIP
– @SeanDGoodwin
– Slides can be found at: https://goo.gl/ptREac
3. Disclaimers
• While I am a QSA, I am not your QSA
• Your Acquiring Bank (or Card Brands) has the final say on your compliance requirements
• There is no “perfect” compliance plan; these tips are based on my experiences
4. Today’s Agenda
• History
• Why now?
• Common misconceptions
• Compliance vs. Validation
• PCI DSS
• How to get started
• Data flow analysis
• Lower cost of compliance
• Penalties, fines and costs associated with non-compliance
5. PCI DSS History
• Payment Card Industry Data Security Standard (PCI DSS) is a standard for credit card data security
• Established in 2004 by the major payment card brands – Visa, MasterCard, American Express, Discover and JCB
• First major revision in 2006
• Contains a series of more than 280 security controls designed to protect credit card data
6. Why now?
• Banks and payment processors are asking corporate clients to give validation and assurance on PCI DSS compliance
• POS Device Hacks in Healthcare on the rise
– (2016 Verizon Data Breach Report)
• Attackers are focusing on corporate systems due to flat networks and siloed business units
7. Why now?
• Typical business lines with possible PCI DSS exposure:
– Food services
– Parking
– Gift shops
– Fundraising/Development Office
– Retail Centers
– Pharmacies / ER
8. Misconceptions about PCI DSS
• HIPAA/GLBA/SOX compliance means PCI DSS compliance
• PCI DSS is only a recommendation, not a requirement
• Passing an Approved Scanning Vendor (ASV) scan means PCI DSS compliance
• I process a low number of credit cards, so I don’t have to be compliant with all rules
• I don’t store credit card information, so I don’t have to be compliant
9. Misconceptions about PCI DSS
• I use PayPal/Authorize.NET, therefore I don’t have to be compliant
• PCI only applies to eCommerce merchants
• I use a PA-DSS certified application so I am compliant
• PCI is vague with room for interpretation
10. Merchant vs. Service Provider
• Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
• Merchant: Any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider.
11. Merchant Levels
• Level 1: Over 6 million Visa or MasterCard transactions in a 12-month period
– Onsite Assessment and Report on Compliance (ROC) performed by QSA
– Quarterly network scans by ASV
• Level 2: Between 1 and 6 million Visa or MasterCard transactions in a 12-month period
– Onsite Assessment and either a ROC or Self-Assessment Questionnaire (SAQ) completed by QSA or ISA
– Quarterly network scans by ASV
• Level 3: Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12-month period
– Self-Assessment Questionnaire (SAQ)
– Quarterly network scans
• Level 4: Less than 20,000 e-commerce or less than 1 million transactions with one card brand in a 12-month period
– Self-Assessment Questionnaire (SAQ)
– Quarterly network scans
13. PCI DSS Standard 3.2
• Six Goals
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
15. How to Comply with PCI DSS
• Determine Scope
– Determine which system components and networks are in scope for PCI DSS
• Assess
– Examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
• Report
– Assessor and/or entity completes required documentation (e.g. SAQ or ROC), including documentation of all compensating controls
• Corrective Action Plan (CAP)
16. PCI Scoping Questions
• Where are we taking credit card and transaction data?
• How are we taking the credit card information?
• Where are we storing the credit card information?
• Can we eliminate or centralize the processing of credit card data?
• Do we have an accurate and up-to-date asset inventory and POS inventory?
• Identify all system components that are located in or connected to the CDE
• The CDE is comprised of People / Process / Technology
17. PCI Data Flows
• Card-not-present
– MOTO (Mail order/telephone order)
• Card-present POS
– Point of Sale, includes swipe device on mobile phone or tablet
• eCommerce transactions
– Web-based
18. Inventory of POS Devices
• Make and model of device
• Location of device (e.g. shop or office where device is in use)
• Serial number of device
• General description of device (e.g. counter-top PIN-entry device)
• Information about any security seals, labels, hidden markings, etc. that can help identify if device has been tampered with
19. Inventory of Merchant Vendors
• Have you outsourced storage, processing, or transmission of Card Holder Data (CHD) to third party providers?
• What is the role of each service provider?
• Has all of the appropriate due diligence been performed on each service provider?
• Are the service providers PCI compliant (ROC)? Do they have a current SOC report?
• Is there someone in the organization responsible for these contracts?
20. Lowering the cost of compliance
• Network Segmentation reduces
– Scope
– Cost of the assessment
– Cost and difficulty of implementing and maintaining compliance
• P2PE – Point to Point encryption
• Eliminate the unnecessary storage of cardholder data
• If you don’t need it, get rid of it!
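One practical way to answer the scoping question “Where are we storing the credit card information?” (slide 16) and to find the unnecessary storage this slide says to get rid of is a small PAN discovery scan. The script below is an added example, not from the original deck or any PCI SSC tool: it runs a 13 to 19 digit candidate pattern plus the Luhn check over text, reports hits masked to first six/last four, and the file paths and contents it scans are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample file contents for the scan (made-up paths and values, not real data).
SAMPLE_FILES: Dict[str, str] = {
    "pos/terminal.log": "2016-03-01 auth ok card=4111111111111111 amt=19.99",
    "export/orders.csv": "1001,4111-1111-1111-1112,approved\n1002,5555555555554444,declined",
    "etc/app.conf": "build_id=1234567812345678 ; 16 digits but fails the Luhn check",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the masked PAN for each Luhn-valid candidate in text, in order of appearance."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path to the masked PANs found in it; paths with no hits are left out."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = pans
    return report


if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(pans)} PAN(s) found -> {', '.join(pans)}")
```

Every hit is a system component or file that is either in scope or a candidate for deletion; the report itself stays out of scope because it never contains a full PAN.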
21. Merchant Based Vulnerabilities
• Point-of-sale devices
• Mobile devices, personal computers or servers
• Wireless hotspots
• Web shopping applications
• Paper-based storage systems
• The transmission of cardholder data to service providers
• Remote access connections
22. Common Problem Areas
• Cafeteria
• Business Office / Fundraising
• Phone Payments
• Gift shops
23. Anatomy of an Audit
• Physical walkthroughs
• Interviewing key stakeholders/business units
• Understanding PCI contractual obligations
• Observing process and procedures
24. Penalties, Fines and Costs
• Not levied by PCI Security Council
– Fines levied by card associations
– Against merchant bank, which passes fines on to merchant
• Fines for security breach
– Visa - Up to $500,000 per occurrence
– MC - Up to $500,000 per occurrence
• Amount of fines dependent upon
– Number of card numbers stolen
– Circumstances surrounding incident
– Whether Track Data was stored or not
– Timeliness of reporting incident
25. Who will need to be involved?
• Finance
• Compliance
• IT infrastructure
• Security
• PCI Steering Committee!!
26. Where to Start
• PCI DSS Prioritized Approach
1. Remove sensitive authentication data and limit data retention.
2. Protect systems and networks, and be prepared to respond to a system breach.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts, and ensure all controls are in place.
• PCI Document Library
– https://www.pcisecuritystandards.org/document_library
27. Thank you!
QUESTIONS?
Sean D. Goodwin, CISA, PCIP, QSA
Senior IT Assurance and Security Consultant
Wolf & Company, P.C.
SDGoodwin@wolfandco.com
@SeanDGoodwin
SeanDGoodwin.com