Credit Card Processing and Information Security: What You Need to Know Do you take payments by credit card, or do any of your clients? SofTECH member and information security consultant Hugh Deura discusses the security regulations (called PCI) surrounding credit card processing. He’ll explain the objectives of the existing regulations, and the practical steps businesses must take in order to comply. His discussion covers the 12 Myths of PCI compliance, along with the 12 Facts that set those myths straight. Hugh Deura has over 10 years of experience in information security and compliance. Hugh's blogs at DeuraInfoSec and helps clients comply with industry standards and regulations to succeed in information security with due diligence. Deura Information Security (DISC) was established in North Bay (Petaluma) California in 2002 and provides services in security risk assessment, designing new controls, and remediation processes to help businesses comply with industry regulations and standards.

1. Information Security & Compliance
How PCI DSS compliance is
relevant to small business
Presented by Hugh Deura
SofTech Meeting May 2009 San Rafael, CA
Mark Ginnebaugh, SofTech President
Deura Information Security Consulting
Hugh@DeuraInfoSec.com
www.DeuraInfoSec.com
Blog.DeuraInfoSec.com
http://www.linkedin.com/in/hdeura

2. Agenda
• When does PCI DSS apply?
• PCI DSS misconceptions
• Approach to PCI
• Q&A

3. When PCI Applies…
PCS (DSS)Payment Card Industry Data Security Standard
“PCI DSS compliance includes
merchants
and service providers who accept,
capture, store, transmit or
process credit and debit card data.”

4. PCI Six main objectives
• Buildand Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management
Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

5. PCI 12 requirements
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security
parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security

6. It does not apply to us
M1 - It does not apply to us, we are relatively
small company
F1 – The PCI DSS must be met by all
organizations that transmit, process or store
payment card data

7. PCI is a regulation or a
standard
M2 – PCI DSS is either a regulation or a
standard
F2 – It‘s neither a standard nor a regulation. It
is a contractual agreement between card
associations, the merchant banks and
merchants

8. We don’t have expertise to
address PCI compliance
M3 – We neither understand PCI and nor have
in house expertise to address compliance
F3 – PCI document clarify most of the questions
in business terms but get help to interpret
technical questions. Due care imply to
understand your requirements to comply and
protect your data

9. PCI has no ROI
M4 – PCI has no ROI and simply too much for a
small business
F4 – PCI address a baseline security for
payment card infrastructure and its ROI is a
total cost of ownership

10. Why bother
M5 – Why bother when some companies
get breached even though they were
compliant
F5 – PCI DSS compliance is not a onetime
process it is an ongoing process to
maintain it

11. Just fill out the questionnaire
M6 – PCI compliance cannot be that hard,
all we have to do is fill out the
questionnaires
F6 - Yes, on the questionnaires has to be
validated through scan. Vulnerabilities
need to be resolved before submitting
the report to merchant bank

12. My application & equipment
are compliant
M7 – My application and equipment are
PCI compliant
F7 – PCI DSS compliance apply to an
organization neither to an application nor
an equipment

13. PCI addresses the security of
the whole organization
M8 – PCI compliance addresses the
security of the whole organization
F8 – PCI DSS does not addresses the CIA
for the whole organization but only card
holder data security

14. Security breach will not affect
our business
M9 – Data breach will not affect the
business revenue
F9 – Become level 1 (cost of monitoring),
lose card acquiring ability, forensic
charges and fines

15. We don’t need PCI scanning
M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for
all merchants (Level 1-4)

16. Merchant can use any
application
M11 – Merchants can use any application
to transmit, process and store PCI data
F11 – In fact, at beginning 2010,
merchants can only use payment
applications validated under the payment
application data security standard (PA-
DSS)

17. We have compensating
controls in place
M12 – We have compensating control in
place so we are covered
F12 – You still have to prove how well
compensating control covers the PCI
requirement. Compensating controls are
harder to do and cost more money in the
long run

18. Your Approach To PCI DSS
1. Understand your merchant level (1-4)
2. Review the applicable requirements
3. Identify the gap between your current and
required state
4. Implement changes to technology and policies!
5. Validate requirements and attest to it
6. Key: continue to maintain secure-thus-compliant
state!

19. Q&A
DISC
Hugh@DeuraInfoSec.com
(707) 332-7457
www.DeuraInfoSec.com