Page 1: Glavin, Howard - Risk and Rewards for PCI Compliance

9/18/2015

Risk and Rewards For PCI DSS 3.1 Compliance

What Risks Exist If I Don’t Become Compliant? What Do I Gain For Being Compliant?

What Is PCI DSS?

PCI DSS is an acronym for Payment Card Industry (PCI) Data Security Standard (DSS)

Started in 2002 with the VISA CISP Program for protection of the Cardholder Data (CHD) and the Cardholder Data Environment (CDE)

Grew over the years to PCI DSS version 3.1 as of this presentation

Represents only the Five Card Brands Below

VISA (International and VISA Europe)

Master Card

Discover

American Express

JCB

PCI covers logical data and physical data in all forms and formats

Page 2

QUIZ – True (T) or False (F)

1. I am a level 3 Merchant so I do not need to be PCI Compliant   T F

2. I report on a SAQ and do not need to be compliant with all of the requirements   T F

3. My POS devices are fully managed by a Service Provider so I do not need to worry about them as I contracted this risk to them   T F

4. I use Authorize.Net and PayPal for Credit Card Processing so I do not have to be PCI Compliant   T F

5. I am permitted to store the Security Code for my customers as they have monthly recurring charges   T F

6. I segmented my CDE from all other networks by use of a firewall that requires all of the devices to pass through, so this CDE is the only segment In-Scope for PCI   T F

Quiz Answers and PCI Facts

If you answered True for any of the six quiz questions you are incorrect as all six are False Statements

Your company obligated itself to maintain PCI Compliance by the contract to accept credit cards

Proof of PCI DSS compliance is an annual requirement and the evidence must be gathered in that twelve month period – New evidence each year

You cannot outsource your PCI compliance if any part of the data flows through your systems

If you only have historic paper PCI data you must still be PCI compliant

If you file with a SAQ the instructions explicitly explain you are required to be compliant with 100% of the requirements applicable to your Merchant activities

Page 3

What Does PCI Cover?

PCI DSS Covers

People – All people that can or do interact with the CHD and/or the CDE

Process – All Processes that touch or impact the CHD

Technology – All Technologies that are used to Secure, Administer, Manage, or Touch the CDE and CHD

What Are the Six Goals and Twelve Requirements?

Page 4

PCI DSS 3.1 Has Future Date Requirements

The reason for the future date is to allow you time to meet these requirements

Depending on the breaches that occur, these future-dated requirements could move to an earlier date

An example of this is the Liability Shift for POS Devices to be EMV Compliant. This date was originally set to 30 June 2016 but was moved to 01 October 2015

Yes, the Card Brands can do this, and you are obligated by your contract to accept Credit Cards from one of the Five PCI Card Brands

What Are These “Future Date” Requirements for PCI DSS?

Page 5

How Many Total PCI DSS Requirements Exist?

The Reporting Requirements for PCI DSS 3.0 have approximately 2,800 line-by-line testing requirements covering Requirement 1 through Appendix A inclusive.

These requirements also have an Executive Summary Section that requires additional data, including but not limited to:

Network Diagrams

Data Flows

List of in-scope LANs or VLANs

List of out-of-scope LANs or VLANs

List of Hardware

List of Software

Testing for Primary Account Numbers (PAN) in plain text

Incident Response Plan, with complete testing annually

Vulnerability Scanning quarterly, based on your filing date

EMV Compliant POS Devices

Having EMV Compliant POS devices does not remove your company’s obligation to be 100% compliant with ALL Applicable Requirements

Applicability to you means that the requirements that map to your activity with or to Cardholder Data are in scope for you

Applicability also means that if you use Service Providers you also have the responsibility for their actions on your behalf

Page 6

What Is PCI Cardholder Data (CHD)?

PCI CHD is:

Full Track Data (Track 1, 2, and 3)

Full Primary Account Number (PAN)

Sensitive Authentication Data (SAD)

Where Can CHD Exist in Your Systems?

On Workstations

In Databases

On File Shares

On Backup Tapes

In Paper Reports and Spreadsheets

In Email

In Contract and Similar Records

In Written Notes in files stored in the Office and Off-Site

Other Locations you can identify

Page 7

What if the CHD is Old?

Age does not matter: if it is CHD you are required to protect it (PAN) or remove it (SAD)

Old data is generally found in older DR tapes and Backups

In Older Emails

On Local Drives

On Receipts for Historic Stored Records

On the Hotel Folios

What Can You Save After Authorization?

Can Save:

Full PAN Data if it is Encrypted, Tokenized, Truncated, or Hashed

Note: If Hashed and Truncated values are in the same data set they must be protected, as it is a trivial exercise to reconstruct the PAN from these two data points

Name

Expiration Date (with PAN, must be protected)

Page 8

What Cannot Be Saved After Authorization?

Cannot Save, even if encrypted:

Full Track Data (Track 1, Track 2, Track 3)

Security Code (CVV, CVS, or other 3 or 4 digit value). Even for recurring charges this CANNOT be saved

How Does SAD Get Into Your Data?

SAD comes to you in all forms including but not limited to:

Your request as part of the transaction or as part of the swipe or touch

Email

Snail Mail (USPO – FedEx – DHL – Other)

FAX

Voice

Writing by staff

Electronic messaging including but not limited to SMS, Tweets, etc.

Page 9

How to Reduce SAD

Place blockers on inbound and outbound email to prevent receipt or sending

Train staff not to write the SAD data

Ensure your applications securely wipe or do not save SAD after authorization

Train your customers not to send this data to you

Work with your processor or Acquirer to remove the need for this data for non-face-to-face transactions

What if You Have SAD In Your Systems?

This Data MUST be Removed

Removal is only possible by a Wiping Process for Electronic Data

This involves overwriting multiple times with sequential and random characters

USA Minimum iterations is three (3)

Global Minimum iterations is seven (7)

What if You Cannot Wipe?

Data must be quarantined and removed from access except for emergencies like court orders

Page 10

What if You Have SAD In Your Physical Environment?

Physical Copies with this data must be securely destroyed

Shredding with Cross Cut Shredders

Burning

Using Certified Third Parties for Secure Destruction

Note: If you use a third party you must observe this destruction at least annually, you must keep a record of your actions, and you MUST have a copy of their certification of secure destruction

What About PAN Data?

PAN Data can be retained but only in specific formats

Encrypted

Truncated

Tokenized

Hashed

Note: If you have both Truncated and Hashed values of PAN in the same database you have a PCI DSS issue, as this is viewed as a trivial effort to convert to the full PAN
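Added example (not from the presentation) covering two items above: the Executive Summary test for PAN in plain text, and the note that a truncated and a hashed PAN side by side are as good as the full PAN. It finds Luhn-valid 13 to 19 digit numbers in text and reports them only in truncated form, and it counts how many PANs fit a first-six/last-four truncation, which is the number of guesses an unkeyed hash stored beside it would withstand. The sample text and card numbers are constructed.

```python
import re
from itertools import product

# Constructed sample standing in for a folio export found on a file share.
# Both card numbers are Luhn-valid sample numbers, not real accounts.
SAMPLE_TEXT = """Guest folio 2014-11-02
Card on file: 4111 1111 1111 1111 exp 09/17
Loyalty number: 1234567890123456
Backup card 5555-5555-5555-4444
Phone 904.631.9204
"""

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test that every PAN from the five card brands passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """PCI DSS display truncation: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Report Luhn-valid PANs found in text, in truncated form only,
    so the scan report itself does not become stored cardholder data."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(truncate(digits))
    return found


def truncation_search_space(first: str, last: str, length: int) -> int:
    """Count the Luhn-valid PANs consistent with a truncated value.
    An unkeyed hash of the same PAN stored beside the truncation can be
    matched by trying only this many candidates, which is why the note
    above treats the pair as equivalent to the full PAN."""
    unknown = length - len(first) - len(last)
    return sum(
        luhn_valid(first + "".join(middle) + last)
        for middle in product("0123456789", repeat=unknown)
    )


if __name__ == "__main__":
    print(find_pans(SAMPLE_TEXT))
    print(truncation_search_space("411111", "1111", 16))
```

For a 16-digit PAN truncated to first six and last four, only 100,000 candidates remain, so a keyed hash (HMAC with a key managed like an encryption key) or tokenization is what actually removes the shortcut.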

Page 11

Liability Shift – 1 October 2015

The date had originally been set to 30 June 2016

VISA and MasterCard moved it forward to help prevent the losses sustained during the Christmas Season in 2014 and prior, during high purchase times for face-to-face transactions

Yes, they know more transactions occur over the internet, but this face-to-face loss is substantial and EMV compliant devices will help stop these losses

The Liability Shift moves all “Fraud Costs” to the Acquirer and to the Merchant for losses caused by fraudulent cards in card-present transactions

What Does Liability Mean To My Business?

Liability Shift: The Card Brands are pushing the liability to protect your environment and your customers’ data to you exclusively. You will be held accountable for your actions or lack thereof.

What if I can’t afford to make this change?

Contract Law – Contact the Card Brands and ask for relief – Ensure you have a plan for meeting this

Unknown if this will work, and it most likely will not work the closer you get to 1 October 2015

How can the Card Brands do this?

By Contract Law – Look at your contract to receive the card data; it covers how you are to follow the requirements set forth at the time of an incident

Page 12

The Cost of Not Going to EMV Compliant POS Devices by 1 October 2015

The Card Brands (VISA – MasterCard) have stated that as of 1 October 2015, if the merchant has not implemented “EMV” POS devices and a breach occurs, the full cost of the breach is carried by the merchant

Some of these costs are:

Your Individual Losses

The Processor’s Losses

The Acquirer’s Losses

The Card Brand Losses

Forensics Costs

Card Replacement Costs for all that demand or require this

Litigation Costs

Fines and Penalties

Examples of Cost for Breach

Typical Cost for Breach Response

Forensics: $500.00 USD per hour from the time they are called until they complete and are back home (24*7). Generally this is 30 to 90 days of two or more Forensics specialists

Card Replacement: Approximately $15.00 USD per Card, and due to recent cases it is replacing all of the cards for the customer, not just the card having the fraud. Customers normally have 3 or more cards. Includes ALL customers, those breached and those that were not but were in your systems

Page 13

Examples of Cost for Breach Continued

Litigation Costs: Open ended and can be applied through the total time permitted by the statute of limitations

Class Action Suits

John Doe Suits

Your Cost, Card Brand Cost, Processor Costs, Other Cost for outside Attorneys and Legal Specialists – Generally in the Millions of Dollars

Fines and Penalties: Up to $500,000 USD per occurrence

Occurrences are defined by the state laws and can be as small as each card – No enforcement to date of individual cards as a threshold

Generally bundled to specific date ranges but still could result in more than one breach classification

Examples of Cost for Breach Continued

Processor and Acquirer Losses: Cost of their fines

Cost of legal needs in case of a lawsuit

Cost of frauds that occurred

Costs of reworking and purging of their systems

Potential forensics cost for them as a result of your actions

Page 14

Examples of Cost for Breach Continued

Litigation Costs: For ALL affected parties due to your lack of compliance

Note: In the US, Litigation goes from day one through the end of the Statute of Limitations

Class Action Law Suits

Representation in each of the areas where a case is filed

This dollar value can exceed all of the other costs

OK, What Else Bad Can Occur?

You can be found to be outside Due Diligence Practices, and if this occurs the following may happen

You May be found Grossly Negligent

This finding can void any Cyber Insurance

This finding may prohibit the use of any other insurance like Executive Insurance

You may be individually found at fault

If this occurs your personal wealth is at risk

The Company can only represent one entity, them or you, and I suspect they will represent themselves

The business may be forced to close due to bankruptcy caused by the breach

Page 15

I Now Have EMV Compliant POS Devices

The fact you have EMV Compliant POS devices puts you on the plus side of PCI Compliance

Having them does not make you PCI Compliant

Not using the EMV Compliant POS Devices as required in PCI DSS 3.1 will have you working outside PCI Compliance

You are required by your contract allowing you to accept Credit Cards to function fully (100%) PCI Compliant regardless of your Level

Merchant Levels

The VISA and Master Card Levels for Merchants are

Level 1 – 6,000,000 or more transactions per card brand per year

Level 2 – 1,000,000 to 6,000,000 transactions per card brand per year

Level 3 – 20,000 to 1,000,000 transactions per card brand per year

Level 4 – 1 to 20,000 transactions per card brand per year

Page 16

Service Provider Levels

Service Providers per VISA and MasterCard Levels are

Level 1 – over 300,000 cumulative transactions per card brand per year

Level 2 – under 300,000 cumulative transactions per card brand per year

Levels and Compliance

PLEASE NOTE: Regardless of your level you are required to be compliant with ALL (100%) PCI DSS Requirements applicable to you

Levels only address the methods of reporting the compliance and who can report this for you

Master Card specifically requires all Level 1 and Level 2 Merchants to use a QSA Firm or an ISA reporting to Internal Audit for the reporting, regardless of whether the report is a Report on Compliance (RoC) or a Self Assessment Questionnaire (SAQ)

Page 17

I Have EMV Compliant POS Devices – Now What?

Having the compliant devices is step one of a many-step process

PCI DSS 3.0 and now 3.1 have a specific requirement 9.9 that has a required “inspection” of these devices to detect tampering and/or substitution of the device

This is required to ensure the devices you are using are the ones you acquired and that they have not been tampered with

PCI DSS Requirement 9.9

PCI DSS 3.0 Requirement 9.9 Requires that all POS devices be “Periodically inspected”

For Tampering

For Substitution

Covers all POS including P2PE, EMV, and Non-EMV Devices

Requires you to take some form of activity to show compliance, like the following

Document this inspection for evidence in case an issue arises. Non-enforced or non-validated processes are not processes that will stand up in court

Page 18

“Oops” I Said Court

Yes, all of the PCI DSS Compliance Activities you do or do not do are designed to show the courts how compliant you were at the time of a breach

You have never had a breach – Are you 100% sure?

A Server, Room Clerk, Bar Tender, Room Service, Amenities like but not limited to SPA – Golf – Bikes – Retail, and Maid generally have access to a customer’s Credit Card at one time or another during their stay

Are you certain that none of the above have taken one card for their own use? If they have, this is a breach, and you were just not detected as the breach point

I am Not Technical – How Can I Inspect a POS Device?

Requirement 9.9 does not require you to be technical

It does require you to protect the POS Devices from tampering and/or substitution

To this end you can:

Record and check the serial number of the POS devices to be sure you have the one that was installed

You can use tamper proof serialized seals on the seams of the POS to allow for an indication of tampering

Record the seal serial number as part of the inspection

Page 19

What Should You Do if the POS Shows Signs of Tampering or Substitution?

Actions to take:

Stop the use of the device

Notify Security and IT

Gather the inspection records to see when this could have occurred

Unplug the device from the equipment it is attached to

Remove the device from public and general staff access

Report this to the appropriate internal staff member for action

What Should You Not Do?

Do not reset the POS to its default settings by use of the reset input from the number pad

Do not reset the POS to its default settings by use of the reset button

Do not allow the POS device to stay in use

Page 20

How to Inspect?

What to Look For When You Are “Inspecting”

Yes, it is a POS device

Is the Serial Number the Same?

Has it Been Unplugged?

Has The Case Been Opened?

A key for this inspection is to use a serialized “Tamper Proof Seal” to allow for proof of no tampering or substitution

You Convinced Me – I Must Have EMV Compliant POS Devices

You are not out of risk of being Non-Compliant with the PCI DSS Requirements

Having EMV POS devices is only one of the requirements

Having EMV devices does not remove any of the 2,800 PCI DSS requirements other than the one to have them

You must meet 100% of the applicable PCI requirements or you are not PCI compliant.

99% compliant is NOT COMPLIANT

Page 21

Now You Know The Risks-Where Are The Rewards?

You do in fact have rewards from becoming PCI Compliant beyond the certificate or notes from your processor that you are compliant for that specific year

Yes, compliance must be validated annually

For those companies going from zero compliance to full compliance there is generally a Return on Investment (ROI)

ROI for PCI Compliance

These are real dollar savings:

Refinement in the network to reduce bandwidth needs

Process driven change management leading to less down time

Trained staff that can better assist the customer faster, allowing for faster sales with less rework

Better use of technology assets, requiring fewer assets

Reduced footprint of PCI Data by scope reduction, leading to lower cost of operation

Page 22

Now It’s Your Time To Ask

PCI DSS Risk and Rewards

Thank You!

Page 23

Contact Data

Howard Glavin CPP, CISM, CRISC, PA_QSA, QSA, CTGA

Senior Vice President K3DES LLC

904.631.9204 – Mobile Phone

904.287.4433 – Home Office

904.287.2213 – FAX

Secur8ty – Skype ID