Got Credit Cards? PCI Compliance for Small and Medium Companies

Got Credit Cards? - PPAI Expo Got Credit Cards - PCI... · Introduction Adam Taylor •Vice President of Development at Essent Corporation •Promotional Product Industry Specialist

Got Credit Cards? PCI Compliance for Small and Medium Companies

Introduction: Adam Taylor

• Vice President of Development at Essent Corporation

• Promotional Product Industry Specialist

• Working with Suppliers and Distributors for 15 years

• 2018 PPAI Technology Committee Appointee

The Big Questions to Ask

• What is in scope?

• Is it in compliance?

Table of Contents

• What is PCI and Why Should I Care?

• Scoping

• PCI Requirements

• How to Comply

Abstract/Goals

• New to PCI
  • Background of what PCI is and why it’s important
  • Ideas of where to go next

• Veterans to PCI
  • Bring PCI back to the forefront
  • Reinforce continued diligence
  • Learn something new

What is PCI Compliance?

• As an Industry we care about consumer product safety. PCI is about consumer safety of the payment card transaction

• Who does it impact?
  • All entities that store, process, and/or transmit cardholder data

Poll: Who has started on their PCI Compliance Journey?

Poll: Who has completed it?

PCI Compliance is a Never-Ending Journey

PCI Compliance Journey

• It’s a never-ending journey

• Make it part of your BAU (business-as-usual) culture

In The News

94 Million Records Stolen in 2006/2007

http://www.computerworld.com/article/2539588/security0/tjx-violated-nine-of-12-pci-controls-at-time-of-breach--court-filings-say.html

In The News

40 million credit and debit cards potentially compromised in 2013

https://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html

In The News

Data Breach Compromises 56 Million Credit Cards in 2014

https://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html

In The News

143 million accounts compromised in 2017

https://www.wired.com/story/equifax-breach-no-excuse/

Audience Participation!

Scenario Analysis & Scoping

System Topology

• Identify how Payment Card information gets into your organization

• Take a close look at the system that the Payment Card was entered into

• How is it connected in the network?

• What is the internet firewall?

• What else is it connected to?

Audience Participation: Draw the way Payment Card data flows through your ecosystem.

Let’s take a look at some system examples.

Ecommerce Example #1

Diagram components: Web Browser, 3rd Party Website, Business Management System, Database, Payment Gateway Service

Ecommerce Example #2

Diagram components: Web Browser, 3rd Party Website, Business Management System, Database, Payment Gateway Service

On Premise BMS Processing

Diagram components: Business Management System, Database, Payment Gateway Service

3rd Party Cloud Based BMS Processing

Diagram components: Business Management System, Database, Payment Gateway Service, Cloud BMS

Reality Some of Us Face ...

Diagram components: Business Management System, Database, Payment Gateway Service, Cloud BMS, Internet

Reality Most of Us Face …

Process Flow: Taking Payment Card Info by Phone

• VOIP?

• Person answering phone takes the Payment Card info

• Person transfers to the Accounting Department and they repeat the process

Process Flow: Entering Payment Card Info into Your System

• Employee gets the Payment Card Information from the Buyer

• Employee is logged into their computer

• Employee is on the network

• Employee opens the System

• Employee enters the data on the system and it’s sent over the network to the processor

Process Flow: Brick and Mortar

• End User walks to Kiosk

• End User hands card to Clerk

• Clerk enters Card into system

Or

• End User walks to Kiosk

• End User inserts card into Terminal

Breaking down the 12 PCI Requirements

PCI Requirements: Firewall

• Requirement #1 - Install and maintain a firewall configuration to protect cardholder data

• ~22 requirements

2017 non-compliance attributed to data breach

Source: SecurityMetrics' Payment Card Industry Forensic Investigation

PCI Requirements: Passwords

• Requirement #2 - Do not use vendor-supplied defaults for system passwords and other security parameters

• ~12 requirements

PCI Requirements: Stored Data

• Requirement #3 - Protect stored cardholder data

• ~23 requirements

PCI Requirements: Encryption

• Requirement #4 - Encrypt transmission of cardholder data across open, public networks

• ~4 requirements

PCI Requirements: Antivirus

• Requirement #5 - Protect all systems against malware and regularly update antivirus software or programs

• ~6 requirements

PCI Requirements: Security

• Requirement #6 - Develop and maintain secure systems and applications

• ~29 requirements

PCI Requirements: Access

• Requirement #7 - Restrict access to cardholder data by business need-to-know

• ~10 requirements

PCI Requirements: Access ID

• Requirement #8 - Identify and authenticate access to system components

• ~25 requirements

PCI Requirements: Physical Access

• Requirement #9 - Restrict physical access to cardholder data

• ~27 requirements

PCI Requirements: Monitor

• Requirement #10 - Track and monitor all access to network resources and cardholder data

• ~34 requirements

PCI Requirements: Testing

• Requirement #11 - Regularly test security systems and processes

• ~17 requirements

PCI Requirements: Policy

• Requirement #12 - Maintain a policy that addresses information security for all personnel

• ~41 requirements

PCI Requirements Summary

• Sweet, only 12 requirements!
  • I can start this in Q4 after I get everything else done

• OMG, ~250 requirements!
  • I’ll never get that done, I don’t have time for that! I’m just not going to start!

How to Comply: Prioritized Approach

https://www.pcisecuritystandards.org/document_library

Helps you identify and hit the highest-risk areas first for quick wins

• Phase 1 – 4%

• Phase 2 – 37%

• Phase 3 – 10%

• Phase 4 – 21%

• Phase 5 – 12%

• Phase 6 – 15%

How to Comply: Merchant Levels

• Level One: Over 6m Payment Card transactions per year
  • QSA required
  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scanning Vendor (ASV)
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance Form

• Level Two: 1m to 6m Payment Card transactions per year

• Level Three: 20k to 1m Payment Card transactions per year

• Level Four: Under 20k Payment Card transactions a year
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
  • Additional requirements depending on SAQ type (e.g. Penetration Test, Internal Scan)

How to Comply: The Self Assessment Questionnaire

• SAQ

• Which is right for you?
  • Good news: there’s a chart for that

SAQ

How to Comply: A 6-Step Process

1. Scope: Determine which system components and networks are in scope for PCI DSS. Good news: you started this today! ☺

2. Assess: Examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement. Use the Prioritized Approach.

3. Report: Assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls. Know if you are eligible for an SAQ, and which SAQ to do.

4. Attest: Complete the appropriate Attestation of Compliance (AOC). Sign off on the SAQ.

5. Submit: Submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers). Send it out.

6. Remediate: If required, perform remediation to address requirements that are not in place, and provide an updated report. Repair and report.

Reference Links

• https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1506439109190

• https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1506629950439

• https://www.pcisecuritystandards.org/document_library

• Attach Prioritized Approach

• Attach Quick Guide

• PCI_DSS_V3-2

The Big Questions to Ask

• What is in scope?

• Is it in compliance?

Review

• What is PCI and Why Should I Care?

• Scoping

• PCI Requirements

• How to Comply

Thank You! Connect on LinkedIn: http://linkedin.com/in/adam-taylor-a8510b2

Please complete your session evaluation now to receive credit for session attendance.