Project Title slide Project: PCI. Are You At Risk?

Academic year: 2022



(2)

Project: PCI

Are You At Risk?

(3)

Agenda

• Are You At Risk? Video

• What is the PCI SSC?

• What are the requirements of the PCI DSS?

• What Steps Can You Take?

• Available Services – Total PCI

• Q & A

(4)

Disclaimer

• CRS is providing this information as a service to its customers

• Information provided is not intended to be an assessment of a customer’s current compliance status

• CRS is not a QSA and therefore will never indicate to a customer that they are PCI compliant.

• It is the merchant’s responsibility to comply with PCI DSS

• The content of this seminar is sincerely intended to provide our customers an overview of the PCI DSS.

• Please don’t shoot the messenger.

(5)

Terms, Acronyms, and Definitions

• PCI SSC – Payment Card Industry Security Standards Council

• PCI DSS – Payment Card Industry Data Security Standard

• PCI PA-DSS – Payment Card Industry Payment Application Data Security Standard

• PCI PTS – Payment Card Industry PIN Transaction Security

• QSA – Qualified Security Assessor

• ASV – Approved Scanning Vendor

• QIRA – Qualified Incident Response Assessor

• ROC – Report Of Compliance

(6)

Validated vs compliant

PCI DSS requires the use of compliant payment applications. Developers pay to get their applications validated as being compliant. They then also pay the PCI SSC to get their validated applications listed on the website. A payment application may be compliant but not validated or listed. To protect yourself, the developer of your version of the payment application should provide a ROC (report of compliance) produced by a PA-QSA if their version is not listed on the validated applications website.

(7)

Ten Common Myths of PCI DSS

1. One vendor and product will make us compliant

2. Outsourcing card processing makes us compliant

3. PCI compliance is an IT project

4. PCI will make us secure

5. PCI is unreasonable, it requires too much

6. PCI requires us to hire a Qualified Security Assessor

7. We don’t take enough credit cards to be compliant

8. We completed a SAQ so we’re compliant

9. PCI makes us store cardholder data

10. PCI is too hard

(8)

FACTA vs PCI DSS

PCI DSS is not a federal or state mandate; it is a contractual obligation between the merchant and the acquiring banks that represent the card brands.

FACTA is a federal law and covers many aspects of credit. Masking of the cardholder account number and expiration date is part of FACTA but also a requirement of PCI DSS.

(9)

Compliance deadlines

(10)

Merchant levels

All merchants who accept credit cards as payment are classified into four merchant levels

As defined by Visa (the other brands are similar)

Level 1 – Any merchant processing over 6 million Visa transactions per year

Level 2 – Any merchant processing 1 million to 6 million Visa transactions per year

Level 3 – Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year

Level 4 – Any merchant processing fewer than 20,000 e-commerce transactions, and all other merchants processing fewer than 1 million transactions per year

(11)

Cardholder Data Storage Requirement

(12)

There are six categories of requirements

1. Build and maintain a secure network

2. Protect cardholder data

3. Maintain a vulnerability management program

4. Implement strong access control measures

5. Regularly monitor and test networks

6. Maintain an information security policy

(13)

There Are Twelve Main Requirements

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

(14)

But there are over 185 sub-requirements

(15)

Things you can do about the 12 requirements

1 - Install and maintain a firewall configuration to protect cardholder data

CRS typically provides a router/firewall that is configured to block common intrusion methods

CRS cannot monitor what you do on the internet or how you use it, and that use may compromise your firewall

There are services available that can monitor activity through the firewall and prevent malicious intrusion.

(16)

Things you can do about the 12 requirements

2 - Do not use vendor-supplied defaults for system passwords and other security parameters

CRS has for some time delivered systems with vendor-supplied default passwords removed or changed to unique passwords

This requirement is not the same as requirement 8 which requires a unique ID for each user of the system

CRS can review system passwords for products supplied by CRS

This is an included service with a software maintenance plan

Since there can be multiple vendors providing system components, each vendor should be consulted.

(17)

Things you can do about the 12 requirements

3 - Protect stored cardholder data

Make sure your system is configured to mask the primary account number and expiration date

PIN based debit must now use PCI PTS validated devices

If using stand-alone payment terminals, merchant copies of paper receipts must be securely stored
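The masking point above, as an added example that is not from the CRS deck: a small Python check that scans stored receipt or log lines for clear-text card numbers (Luhn-valid runs of 13 to 19 digits) and masks them to the first six and last four digits, the most PCI DSS requirement 3.3 allows to be displayed, along with the expiry date. The receipt line format and the card numbers are constructed for the example.

```python
import re

# Constructed sample receipt/log lines (not from the slides): one with a
# clear-text PAN and expiry, one already masked, and one whose 13-digit
# order number is not a card number and must be left alone.
SAMPLE_LINES = [
    "2009-02-14 10:03 SALE 4111111111111111 EXP 12/11 AMT 42.10",
    "2009-02-14 10:05 SALE 411111******1111 EXP **/** AMT 19.99",
    "2009-02-14 10:07 REFUND order 1234567890123 AMT 5.00",
]

# Card numbers are 13 to 19 digits; require a non-digit on both sides.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Expiry field as it appears in the constructed receipt format above.
EXPIRY = re.compile(r"\b(EXP)\s+\d{2}/\d{2}\b")


def luhn_valid(digits):
    """Luhn check-digit test; filters out order numbers and similar runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits (PCI DSS 3.3 limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_line(line):
    """Mask every Luhn-valid PAN and the expiry date in one line."""
    masked = PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(),
        line)
    return EXPIRY.sub(r"\1 **/**", masked)


def audit(lines):
    """Return (line number, masked PAN) for every clear-text PAN found.
    The report carries only the masked form so it does not itself store PANs."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((n, mask_pan(m.group())))
    return hits


if __name__ == "__main__":
    for n, masked in audit(SAMPLE_LINES):
        print(f"line {n}: clear-text PAN found, should be stored as {masked}")
```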

(18)

Things you can do about the 12 requirements

4 - Encrypt transmission of cardholder data across open, public networks

Validated payment applications meet this requirement

Wireless networks that are part of the payment environment must not use WEP encryption after March 1, 2009

Public wireless networks must not be part of the payment environment

(19)

Things you can do about the 12 requirements

5 - Use and regularly update anti-virus software

Know how to verify that anti-virus software is active and up to date.

CRS can show you how to do this if the anti-virus is provided by CRS

Make sure you renew your subscription before expiration

All workstations with operating systems that are vulnerable to viruses need to be protected

Anti-virus subscription may be included in some managed network security solutions

(20)

Things you can do about the 12 requirements

6 - Develop and maintain secure systems and applications

CRS recommends that Microsoft Windows operating systems have the automatic update feature enabled where available.

CRS also strongly encourages customers to keep current with their software and hardware.

(21)

Things you can do about the 12 requirements

7 - Restrict access to cardholder data by business need-to-know

Only users that need access to credit card transaction data should be granted access to such data through permissions

(22)

Things you can do about the 12 requirements

8 - Assign a unique ID to each person with computer access

Make sure that each user of your system has a unique ID and password

Do not allow users to share their ID or password

Do not assign users administrator privileges unless they need them

Do not use remote support connections that don’t use two-factor authentication

Make sure you remove inactive user accounts at least every 90 days

Change user passwords every 90 days

Use strong passwords

(23)

Things you can do about the 12 requirements

9 - Restrict physical access to cardholder data

If possible, locate payment application server in a locked room with limited access.

If payment application server must be located in the open, keep it in a locked cabinet

If keeping it in a locked cabinet is not appropriate, secure the PC to a counter and provide video surveillance as a means of documenting physical access

It is recommended that routers also be located in secure areas

(24)

Things you can do about the 12 requirements

10 - Track and monitor all access to network resources and cardholder data

CRS doesn’t monitor log entries.

CRS does not review logs

Other than hard drive backup strategies, CRS does not provide log archiving.

There are managed network services available that do these things.

(25)

Things you can do about the 12 requirements

11 - Regularly test security systems and processes

CRS does not provide network vulnerability scans as we are not an ASV

There are services available that do these scans

(26)

Things you can do about the 12 requirements

12 - Maintain a policy that addresses information security

Most acquiring banks and card processors have resources available to the merchant to develop these policies.

(27)

Highlighted requirements are the only ones the POS or Payments Application vendors address

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

(28)

Self Assessment Questionnaire Validation Types

(29)

What’s the price of not complying?

• VISA – since 2005 more than 80% of the instances of data breaches involve small businesses.

• Contractual penalties and/or sanctions including fines up to $500,000 per incident and revocation of a company's right to accept or process credit card transactions.

• Computer Security Institute – Average reported loss for an individual company in 2006 was $167,713, not including liability in civil suits (lawyers, court fees, etc.).

• Gartner Group estimates data breaches cost $140 per customer.

(30)

Typical events in a breach investigation

• Merchant contact by card brand, their acquirer, or the Secret Service

• Forensic investigation by a Qualified Incident Response Assessor (QIRA)

• Recommended remediation

• Meeting with acquiring bank brand leading the investigation

• Penalty assessment


(31)

Activities in a forensic investigation

• Secret Service or FBI begin criminal investigation and will likely confiscate equipment to investigate hard drives

• QIRA will examine locations and interview staff

• Measure security to the PCI-DSS Standard

• Security logs and system images examined

• Cost of investigation likely to exceed $20,000

(32)

Penalty assessment

• Card brand notifies the merchant of their decision regarding penalties

• Potential fine of $500K (it can be lower)

• May be responsible for card replacement fees, $50-75 per card

• Potential mandate to provide card monitoring for the victims ($5-15 per month for every card)

• Prohibited to process credit cards, also referred to as the "death penalty"

• If allowed to continue accepting credit cards, immediate change to Level 1 status

• Must have annual compliance audits by a QSA

(33)

The Problem Never Goes Away

• Damage to reputation

• Internet stories are always there

• Affected customers never forget

• If stolen cards are used (even months or years after a breach) the merchant will still be liable for the charges

(34)

Website Links to Additional Information

Link for the PCI DSS v1.2

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Link for all of the Self Assessment Questionnaires

https://www.pcisecuritystandards.org/saq/index.shtml

List of validated payment applications

https://www.pcisecuritystandards.org/security_standards/vpa/

Prioritized Approach for DSS 1.2

https://www.pcisecuritystandards.org/education/prioritized.shtml
