Project: PCI
Are You At Risk?
Agenda
• Are You At Risk? Video
• What is the PCI SSC?
• What are the requirements of the PCI DSS?
• What Steps Can You Take?
• Available Services – Total PCI
• Q & A
Disclaimer
• CRS is providing this information as a service to its customers.
• Information provided is not intended to be an assessment of a customer’s current compliance status.
• CRS is not a QSA and therefore will never indicate to a customer that they are PCI compliant.
• It is the merchant’s responsibility to comply with PCI DSS.
• The content of this seminar is sincerely intended to provide our customers an overview of the PCI DSS.
• Please don’t shoot the messenger.
Terms, Acronyms, and Definitions
• PCI SSC – Payment Card Industry Security Standards Council
• PCI DSS – Payment Card Industry Data Security Standard
• PCI PA-DSS – Payment Card Industry Payment Application Data Security Standard
• PCI PTS – Payment Card Industry PIN Transaction Security
• QSA – Qualified Security Assessor
• ASV – Approved Scanning Vendor
• QIRA – Qualified Incident Response Assessor
• ROC – Report Of Compliance
Validated vs. Compliant
PCI DSS requires the use of compliant payment applications. Developers pay to get their applications validated as being compliant. They then also pay the PCI SSC to get their validated applications listed on the website. A payment application may be compliant but not validated or listed. To protect yourself, the developer of your version of the payment application should provide a ROC (report of compliance) produced by a PA-QSA if their version is not listed on the validated applications website.
Ten Common Myths of PCI DSS
1. One vendor and product will make us compliant
2. Outsourcing card processing makes us compliant
3. PCI compliance is an IT project
4. PCI will make us secure
5. PCI is unreasonable, it requires too much
6. PCI requires us to hire a Qualified Security Assessor
7. We don’t take enough credit cards to be compliant
8. We completed a SAQ so we’re compliant
9. PCI makes us store cardholder data
10. PCI is too hard
FACTA vs. PCI DSS
PCI DSS is not a federal or state mandate; it is a contractual obligation between the merchant and the acquiring banks that represent the card brands.
FACTA is a federal law and covers many aspects of credit. Masking of the cardholder account number and expiration date is part of FACTA but is also a requirement of PCI DSS.
Compliance deadlines
Merchant Levels
All merchants who accept credit cards as payment are qualified by four merchant levels, as defined by Visa (the other brands are similar):
• Level 1 – Any merchant processing over 6 million Visa transactions per year
• Level 2 – Any merchant processing 1 million to 6 million Visa transactions per year
• Level 3 – Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year
• Level 4 – Any merchant processing less than 20,000 e-commerce transactions, and all other merchants processing less than 1 million transactions per year
Cardholder Data Storage Requirement
There are six categories of requirements:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
There Are Twelve Main Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
But there are over 185 sub-requirements.
Things you can do about the 12 requirements
1 - Install and maintain a firewall configuration to protect cardholder data
CRS typically provides a router/firewall that is configured to block common intrusion methods
CRS cannot monitor what or how you use the internet that may compromise your firewall
There are services available that can monitor activity through the firewall and prevent malicious intrusion.
2 - Do not use vendor-supplied defaults for system passwords and other security parameters
CRS has for some time delivered systems with vendor supplied default passwords removed or changed to unique passwords
This requirement is not the same as requirement 8 which requires a unique ID for each user of the system
CRS can review system passwords for products supplied by CRS
This is an included service with a software maintenance plan
Since there can be multiple vendors providing system components, each vendor should be consulted.
3 - Protect stored cardholder data
Make sure your system is configured to mask the primary account number and expiration date
PIN based debit must now use PCI PTS validated devices
If using stand alone payment terminals, merchant copies of paper receipts must be securely stored
4 - Encrypt transmission of cardholder data across open, public networks
Validated payment applications meet this requirement
Wireless networks that are part of the payment environment must not use WEP encryption after March 1, 2009
Public wireless networks must not be part of the payment environment
5 - Use and regularly update anti-virus software
Know how to verify that anti-virus software is active and up to date.
CRS can show you how to do this if the anti-virus is provided by CRS
Make sure you renew your subscription before expiration
All workstations with operating systems that are vulnerable to viruses need to be protected
Anti-virus subscription may be included in some managed network security solutions
6 - Develop and maintain secure systems and applications
CRS recommends that Microsoft Windows operating systems have the automatic update feature enabled where available.
CRS also strongly encourages customers to keep current with their software and hardware.
7 - Restrict access to cardholder data by business need-to-know
Only users that need access to credit card transaction data should be granted access to such data through permissions
8 - Assign a unique ID to each person with computer access
Make sure that each user of your system has a unique ID and password
Do not allow users to share their ID or password
Do not assign users administrator privileges unless they need them
Do not use remote support connections that don’t use dual factor authentication
Make sure you remove inactive user accounts at least every 90 days
Change user passwords every 90 days
Use strong passwords
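A check a merchant's administrator could run against the list above on a Windows POS workstation. This is an added example, not CRS's code; it assumes the built-in LocalAccounts cmdlets (Windows 10 / Server 2016 or later) and a constructed list of generic account names worth reviewing as possibly shared.

```powershell
# Added example (not from the CRS deck): audit local accounts on a Windows POS
# workstation against requirement 8: inactive > 90 days, password older than
# 90 days, local administrator rights, and generic (possibly shared) names.
$MaxAgeDays = 90
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Members of the local Administrators group come back as COMPUTER\user
$Admins = (Get-LocalGroupMember -Group 'Administrators').Name

# Constructed list of generic names that often hide a shared login (assumption)
$GenericNames = @('pos', 'cashier', 'manager', 'register', 'store')

$Findings = foreach ($u in Get-LocalUser) {
    # Inactive: enabled account with no logon in 90 days (or never logged on)
    $inactive = $u.Enabled -and ($null -eq $u.LastLogon -or $u.LastLogon -lt $Cutoff)
    # Stale password: last set more than 90 days ago, or never set
    $stalePw  = $u.Enabled -and ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff)
    # Administrator rights should be the exception, not the default
    $isAdmin  = $Admins -contains "$env:COMPUTERNAME\$($u.Name)"
    # Generic name: a hint that several people may be sharing one ID
    $generic  = $GenericNames -contains $u.Name.ToLower()

    [pscustomobject]@{
        Account         = $u.Name
        Enabled         = $u.Enabled
        LastLogon       = $u.LastLogon
        PasswordLastSet = $u.PasswordLastSet
        Inactive90d     = $inactive
        PasswordOver90d = $stalePw
        LocalAdmin      = $isAdmin
        GenericName     = $generic
    }
}

# Show only accounts that need action, with local admins listed first
$Findings |
    Where-Object { $_.Inactive90d -or $_.PasswordOver90d -or $_.LocalAdmin -or $_.GenericName } |
    Sort-Object -Property LocalAdmin -Descending |
    Format-Table -AutoSize
```

Run it on a schedule shorter than 90 days so that an account is caught before it has been inactive for the full window; a disabled account still shows in the output only if it holds administrator rights or a generic name.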
9 - Restrict physical access to cardholder data
If possible, locate payment application server in a locked room with limited access.
If payment application server must be located in the open, keep it in a locked cabinet
If keeping it in a locked cabinet is not appropriate, secure the PC to a counter and provide video surveillance as a means of documenting physical access
It is recommended that routers also be located in secure areas
10 - Track and monitor all access to network resources and cardholder data
CRS doesn’t monitor log entries.
CRS does not review logs
Other than hard drive backup strategies, CRS does not provide log archiving.
There are managed network services available that do these things.
11 - Regularly test security systems and processes
CRS does not provide network vulnerability scans as we are not an ASV
There are services available that do these scans
12 - Maintain a policy that addresses information security
Most acquiring banks and card processors have resources available to the merchant to develop these policies.
Highlighted requirements are the only ones the POS or Payments Application vendors address
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Self Assessment Questionnaire (SAQ) Validation Types
What’s the price of not complying?
• VISA – since 2005 more than 80% of the instances of data breaches involve small businesses.
• Contractual penalties and/or sanctions including fines up to $500,000 per incident and revocation of a company's right to accept or process credit card transactions.
• Computer Security Institute – Average reported loss for an individual company in 2006 was $167,713, not including liability in civil suits (lawyers, court fees, etc.).
• Gartner Group estimates data breaches cost $140 per customer.
Some Typical Events In A Breach Investigation
• Merchant contact by card brand, their acquirer, or the Secret Service
• Forensic investigation by a Qualified Incident Response Assessor (QIRA)
• Recommended remediation
• Meeting with acquiring bank brand leading the investigation
• Penalty assessment
Likely Activities In a Forensic Investigation
• Secret Service or FBI begin criminal investigation and will likely confiscate equipment to investigate hard drives
• QIRA will examine locations and interview staff
• Measure security to the PCI DSS standard
• Security logs and system images examined
• Cost of investigation likely to exceed $20,000
Penalty Assessment
• Card brand notifies the merchant of their decision regarding penalties
• Potential fine of $500K (it can be lower)
• May be responsible for card replacement fees of $50–75 per card
• Potential mandate to provide card monitoring for the victims ($5–15 per month for every card)
• Prohibited to process credit cards, also referred to as the "death penalty"
• If allowed to continue accepting credit cards, immediate change to Level 1 status
• Must have annual compliance audits by a QSA
The Problem Never Goes Away
• Damage to reputation
• Internet stories are always there
• Affected customers never forget
• If stolen cards are used (even months or years after a breach) the merchant will still be liable for the charges
Website Links to Additional Information
Link for the PCI DSS v1.2:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Link for all of the Self Assessment Questionnaires:
https://www.pcisecuritystandards.org/saq/index.shtml
List of validated payment applications:
https://www.pcisecuritystandards.org/security_standards/vpa/
Prioritized Approach for DSS 1.2:
https://www.pcisecuritystandards.org/education/prioritized.shtml