7/19/2011
PCI Compliance 101: Payment Card Industry Basics
Data Security Standards Compliance
Wednesday, July 20, 2011, 2:00 pm – 3:00 pm EDT
This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions and Chase Paymentech.
Your Presenter: David A. Wallace, Group Manager, Security Standards Compliance

With 29 years of experience in the Information Technology (IT) industry and 14 years of Information Security management experience, David Wallace serves as Group Manager for Chase Paymentech’s Security Standards Compliance team. In his role, Wallace is responsible for managing data security compliance for Chase Paymentech’s merchant portfolio and advising merchants about the Payment Card Industry (PCI) security standards.
Prior to joining Chase Paymentech, Wallace gained invaluable experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim’s Pride and Perot Systems. In addition to his professional experience, Wallace has earned several industry certifications, including Certified Information Systems Security Professional in 1999, Certified Information Security Manager in 2004, and Certified Information Systems Auditor in 2008. He is also a frequent speaker at regional, national and international information security conferences including the RSA Conference and Computer Security Institute Conference.
Wallace spent his undergraduate years attending Louisiana State University in Shreveport, La., where he studied business administration and management information systems. He earned a master’s degree in business administration from Southern Methodist University in Dallas, Texas in 2003.
Polling Question
How PCI compliant is your organization?
1. I don’t know
2. We know what merchant level we are
3. We have worked on the PCI assessment and network scan
4. We are fully PCI compliant
Agenda
• What is PCI?
• Payment Brand Requirements
• Getting Started
• Resources
• Questions
What is “PCI”?
What is PCI?
• A collective term used to refer to the
o Payment Card Industry Security Standards Council (PCI SSC)
o Data security standards developed and maintained by this entity
• Applies to any system that stores, processes or transmits cardholder data as part of authorization or settlement of a member brand credit, debit, or gift card transaction
PCI Security Standards Council: The Organization
Mission — Formed in 2004 by five major payment brands to enhance cardholder data security
20 member advisory board with 600+ participating organizations
• Merchants
• Issuers
• Acquirers
• Independent Service Organizations (ISOs)
• Third Party Service Providers
• Debit Payment Networks
• Product Manufacturers
Scope of PCI Security Standards Council
• The PCI SSC manages the:
o Payment Card Industry Security Standards for:
• Merchants
• Payment Application software developers
• Hardware manufacturers
o Accreditation for:
• Assessors
• Scanning Vendors
• Forensic Investigators
• PED Evaluation Labs
PCI Security Standards
• The PCI Data Security Standard (PCI DSS)
o Applies to any entity that stores, processes, and/or transmits cardholder data
o 12 Requirements covering technical and operational system components
• The Payment Application Data Security Standard (PA-DSS)
o Applies to developers and integrators of applications involved in authorization or settlement of a card transaction.
o Governs these applications that are sold, distributed or licensed to third parties.
• The PIN Transaction Security (PTS) standard
o Applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions.
PCI Security Standards Council Accreditations
Type | PCI SSC Designation | Activity
Assessors | Internal Security Assessor (ISA) | Merchant resource certified to validate compliance of PCI DSS
Assessors | Qualified Security Assessor (QSA) | Independent third party certified to validate compliance of PCI DSS
Assessors | Payment Application Qualified Security Assessor (PA-QSA) | Independent third party certified to evaluate compliance of Payment Applications to the PA-DSS
Scanning Vendors | Approved Scanning Vendor (ASV) | Independent third party accredited to perform network vulnerability scan
Forensics Investigators | PCI Forensics Investigator (PFI) | Independent third party accredited to perform forensics investigation in the event of suspected cardholder data breach
PED Laboratories | PCI Recognized Laboratory | Independent third party certified to validate compliance of PIN Transaction Security Standards
PCI DSS Applicability
• The PAN is the defining factor in PCI DSS
o Applies if PAN is stored, processed or transmitted
o If cardholder name, expiration date and/or service code are stored, processed or transmitted with PAN, all must be protected
• PCI DSS represents the minimum
o May be enhanced by other regulations and standards
Who Can Assess PCI DSS?
Merchant Level | Validation Requirements | Frequency
Level 1 | Report on Compliance (ROC): Onsite Assessment performed by QSA or ISA | Annually
Level 1 | Network scans by ASV | Quarterly
Level 2 | Self-Assessment Questionnaire (SAQ) performed by ISA or QSA | Annually
Level 2 | Network scans by ASV | Quarterly
Level 3 | Self-Assessment Questionnaire (SAQ) | Annually
Level 3 | Network scans by ASV | Quarterly
Level 4 | Self-Assessment Questionnaire (SAQ) | Annually
Level 4 | Network scans by ASV | Quarterly
Payment Brand Requirements
Payment Brand Data Security Programs
• Mandate compliance with PCI Standards for entities storing, processing, or transmitting cardholder data
• Define deadlines for adoption and penalties for non-compliance
• Serve as an origination point for new PCI standards
• May differ from brand to brand
– And in some cases from region to region
• Some more active than others
Visa/MasterCard Merchant PCI Levels
Merchant Level | Criteria
Level 4 | Fewer than 20,000 ecommerce or fewer than 1 million total transactions within one card brand within a 12 month period
Level 3 | Between 20,000 and 1 million Visa or MC ecommerce transactions in a 12 month period
Level 2 | Between 1 and 6 million Visa or MC transactions in a 12 month period
Level 1 | Over 6 million Visa or MC transactions in a 12 month period
PCI DSS Validation Requirements (USA)
Payment Application Data Security Standard (PA-DSS)
• PA-DSS applies to payment applications sold, distributed, or licensed to third parties.
• A Payment Application
o Runs on a commercial operating system like Windows or Linux
o Stores, processes or transmits cardholder data as part of authorization or settlement.
Scope of PA-DSS
• PA-DSS includes
o POS Software (Micros, Radiant, Squirrel, etc.)
o E-Commerce Shopping Carts
o Middleware
o Web Based Payment Applications
o ATM
• Ensures a payment application contains PCI DSS-required features and functions
• MasterCard REQUIRES all merchants using in-scope payment applications to use Validated Payment Applications by June 30, 2012.
PIN Transaction Standard (PTS)
• Validated devices designed to resist attack
• Scope of the evaluation to include:
– POS PED devices
– Encrypting PIN Pads
– Unattended Payment Terminals (Kiosks)
• Visa requires all merchants to use PTS-validated devices by June 30, 2010
– Enforcement action begins June 30, 2012
• Visa requires all attended PTS devices to use Triple DES (TDES) keys by June 30, 2012
2011 Key Dates for PCI Compliance
Getting Started
Where to Start?
• Determine your Merchant PCI Level
– Notification from your acquirer
• Level 1 & 2 – must use QSA or ISA
• Level 3 & 4 – can self assess
• All Levels must use an ASV for a quarterly network scan (Does not apply to SAQ A, B, or C-VT)
• Know the card brand specific requirements
– For the brands you accept
– And the regions within which you operate
• Select and review the appropriate Self Assessment Questionnaire (SAQ)
Your Environment
• Determine what system components are governed by PCI DSS
– Systems, applications, and networks that store, process and/or transmit cardholder data
• Gather the resources
– Documentation
• Policies, records, operational procedures, network diagrams, etc.
– Personnel
• IT, business operations, security, HR, etc.
• Examine the compliance of system components in scope
– Can you isolate your cardholder data processing to reduce your scope?
– Can you meet all the key controls?
• If not, can compensating controls, technologies, and/or processes be used to meet the spirit of the requirement?
The Prioritized Approach – Simply
• Six Milestones:
1. Remove sensitive authentication data and limit data retention. If you don’t need it, don’t store it.
2. Protect the perimeter, internal, and wireless networks. Secure the perimeter.
3. Secure payment card applications. Use secure applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts, and ensure all controls are in place.
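Milestone 1 and the applicability rule above (the PAN is the defining factor, and an expiration date stored with it must be protected too) both come down to knowing where PANs actually sit, for example in application logs. The Python below is an added example of that discovery check; it is not from the webinar or Chase Paymentech, the log lines are constructed, and masking follows the first-six/last-four truncation convention.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so 20-digit ids are ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration date in MM/YY form on the same line as a PAN (must be protected too).
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes; filters out order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits of the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line number, masked PAN, expiry on same line) for each Luhn-valid hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((n, mask_pan(digits), bool(EXPIRY.search(line))))
    return findings


# Constructed sample log lines (not real data); 4111... and 5500... are the
# well-known Visa and MasterCard test numbers, the order id fails Luhn.
SAMPLE_LOG = [
    "2011-07-19 14:02:11 order=1234567890123456 status=approved",
    "2011-07-19 14:02:12 DEBUG card=4111 1111 1111 1111 exp=12/13",
    "2011-07-19 14:02:13 DEBUG card=5500-0000-0000-0004 amount=42.00",
    "2011-07-19 14:02:14 callback phone=214-555-0100",
]

if __name__ == "__main__":
    for line_no, masked, with_expiry in find_pans(SAMPLE_LOG):
        note = " (+ expiration date on the same line: protect both)" if with_expiry else ""
        print(f"line {line_no}: PAN {masked}{note}")
```

Each hit is a place where cardholder data is being stored outside the intended systems, which is exactly the scope milestone 1 tells you to shrink.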
Resources
Additional Resources
Chase Paymentech: www.chasepaymentech.com
Merchant Center: www.chasepaymentech.com/merchantcenter
Cardholder Data Security: www.chasepaymentech.com/datasecurity
PCI Security Standards Council: www.pcisecuritystandards.org
Validated Payment Applications: www.pcisecuritystandards.org/security_standards/vpa
PTS Certified devices: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Prioritized Approach: https://www.pcisecuritystandards.org/education/prioritized.shtml
MasterCard Site Data Protection Program: http://www.mastercard.com/us/merchant/security/sdp_program.html
TrustWave: www.trustwave.com
Portal: Level 4 Merchant Portal: www.trustwave.com/level4pci
Free Risk Profile: http://chasepaymentech.riskprofiler.net (referral code: welcomechasepay)
Questions?
David A. Wallace
Group Manager, Security Standards Compliance
Chase Paymentech
www.chasepaymentech.com/asae
Thanks for joining us! Go beyond the basics of PCI, and register for:
PCI Compliance 102: Small Steps to Big Changes
September 28, 2011, 2:00 pm – 3:00 pm ET
www.asaecenter.org/calendar