An introduction to PCI compliance and the Payment Card Industry Data Security Standard, including attestation requirements, PCI merchant levels and reporting requirements.
Payment Card Industry Introduction for Local Governments
Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+
Maze & Associates, Director (925) [email protected]
www.LearnSecurity.org
www.linkedin.com/in/donaldehester
www.facebook.com/group.php?gid=245570977486
Introduction
Updates to this presentation and other resources available on: www.LearnSecurity.org Log into the Classrooms section and look under Free Courses
The Problem
Albert Gonzalez, 28
With accomplices, he was involved in most of the major data breaches of the period: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.
Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
(Categories overlap, so the percentages do not sum to 100%.)
Source:
Are they PCI Compliant?
Source:
Highest IT Priorities for 2010
1. Security of data, code & communications / data security & document retention / security threats
2. Connectivity / wireless access / high speed Internet connections / voice and data
3. Backup solutions / disaster recovery / business continuity
4. Secure electronic collaboration with clients – client portals
5. Paperless workflow / paperless technology / electronic workpapers
6. Laptop security / encryption
7. Small business software / Office 2010 / Windows 7
8. User mobility / mobile computing / mobile devices
9. Tax software / electronic transmittals of tax forms / modern e-file
10. Server virtualization and consolidation
Source: AICPA’s 21st Annual Top Technology Initiatives survey
1, 2, 3, 4 & 6 are all PCI related
Players
• Acquirer (Merchant Bank)
  – Bankcard association member that initiates and maintains relationships with merchants that accept payment cards
• Hosting Provider
  – Offers various services to merchants and other service providers
• Merchant
  – Provides goods and services for compensation
• Cardholder
  – Customer to whom a card is issued, or an individual authorized to use the card
[Diagram: relationships between Card Brand, Acquirer, Hosting Provider, Merchant and Cardholder]
Players
• Card Brand
  – Issues fines
  – Determines compliance requirements
• PCI Security Standards Council
  – Maintains the PCI standards
  – Administers the ASV and QSA programs
• Qualified Security Assessors (QSA)
  – Certified to provide annual audits
• Approved Scanning Vendors (ASV)
  – Certified to provide quarterly scans
[Diagram: Card Brands, PCI SSC, QSA and ASV]
PCI Council Standards
The card brands’ individual programs feed into the single PCI Data Security Standard:
• American Express – DSOP
• Discover Network – DISC
• MasterCard – SDP
• Visa – CISP
→ PCI Data Security Standard
What does the PCI Council do?
• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution
• Define common audit requirements to validate compliance
• Manage the certification process for security assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified assessors and vendors
Website
https://www.pcisecuritystandards.org/
What are the Standards?
• PCI DSS: PCI Data Security Standard
  – Overall standard, applies to all
• PA DSS: Payment Application Data Security Standard
  – Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security Standard
  – Supporting standard for PIN entry devices
  – Supporting standard for unattended payment terminals (UPT)
PCI DSS
The Payment Card Industry Data Security Standard: 6 Objectives (Goals), 12 Sections (Requirements), 194 Controls
Standard Lifecycle
Who must comply?
• With PCI DSS
  – Any organization that processes, stores or transmits credit card information
• With PA DSS
  – Payment application developers
  – Merchants will be required to use only compliant applications by July 2010
• With PTS
  – Manufacturers of PIN entry devices
  – Merchants will be required to use only compliant hardware by July 2010
  – MasterCard PTS to be incorporated into PCI SSC on April 30, 2010
PCI Compliance
This includes:
• Organizations that only use paper-based processing
• Organizations that outsource the credit card processing
• Organizations that process credit cards in house
Is PCI law?
The PCI DSS was developed by the payment card brands. Compliance is compulsory if a merchant wishes to continue processing payment card transactions.
However, some States have enacted legislation that has made PCI compliance the law.
What if we are a small organization?
• “All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.” – PCI SSC
Level 4 Merchants
• Each Merchant Bank is responsible for having a plan to move level 4 merchants into compliance
• In September 2010 Wells Fargo sent out a letter stating they will now start charging merchants who are not PCI compliant
Cost?
• What happens when there is a data breach?
  – Depends on whether the merchant can reach safe harbor.
What’s Safe Harbor?
[Diagram: Incident → Evaluation → Safe Harbor, or otherwise $$$$$$]
Safe Harbor Notes:
• For a merchant to be considered compliant, any Service Providers that store, process or transmit credit card account data on behalf of the merchant must also be compliant.
• The submission of compliance validation documentation alone does not provide the merchant with safe harbor status.
Outside the Safe Harbor
• Losses of cardholders
• Losses of banks
• Losses of card brands
  – Fines from the card brands
  – Possible restrictions on processing credit cards
  – Cost of a forensic audit
Fines
Merchants may be subject to fines by the card associations if deemed non-compliant. For your convenience, fine schedules for Visa and MasterCard are outlined below.
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html
Create Needed Policies
• What policies do you currently have that address PCI-related issues?
• Create the needed policies
• See section 12 of the PCI DSS
• You will need to create additional subordinate policies, procedures or administrative directives for specific PCI control requirements
• Every PCI DSS control should be documented in some policy, procedure, administrative directive, SOP or schedule
Policies
• Start implementing the data security standard by starting with policies
• Start with high-level policies
  – “The City shall not store PAN (Credit Card Numbers) electronically or physically. Employees shall be trained on the PCI standard annually. Background checks will be performed on all staff with access to credit card information.”
Policy Examples
• “The City shall develop procedures to ensure that information security and privacy best practices are followed to include compliance with all laws or contractual requirements.”
• “The City shall adopt information security and privacy procedures based on industry standards such as NIST and PCI security standards.”
PII Policy
• If you already have a policy for handling confidential information or personally identifiable information add credit card information to confidential information or PII.
Merchant Levels
Merchant levels are determined by the annual number of transactions, not the dollar amount of the transactions.

Merchant Level   E-commerce transactions        All other transactions
Level 1          Over 6 million annually        Over 6 million annually
Level 2          1 to 6 million annually        1 to 6 million annually
Level 3          20,000 to 1 million annually   N/A
Level 4          Up to 20,000 annually          Up to 1 million annually
Validation Requirements

Merchant Level   QSA Audit   Quarterly Network Scans   Self-Assessment Questionnaire
Level 1          Yes         Yes                       -
Level 2          *           Yes                       Yes
Level 3          -           Yes                       Yes
Level 4          -           Yes                       Yes

* Starting 12-31-2010 MasterCard will require annual QSA audits for Level 2 merchants.

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance, whereby entities verify and demonstrate their compliance status.
Continuous Process
• “PCI DSS compliance is much more than a “project” with a beginning and end – It’s an ongoing process of assessment, remediation and reporting” - PCI SSC
[Diagram: Assess → Remediate → Report, repeating as a cycle]
Continuous Process
• Many of the PCI requirements have specific time interval requirements
• Create a schedule for time based requirements
• Some organizations already have ‘maintenance calendars’ for these type of actions
Common Findings
• Clients think they are compliant
  – Because they do quarterly network scans
  – Because they filled out the SAQ
  – Because they have too few transactions
• Reality
  – Validation is not compliance
  – Compliance is an ongoing process
  – PCI DSS is required for all merchants, regardless of the number of transactions
Common Findings
• Payment card information on paper
• No network segmentation
• Logging access
• Shared passwords
• Verifying compliance of outsourced processing
• No one is assigned responsibility
• Not aware of PAN storage in an application
PCI Pitfalls
• PCI will not make an organization’s network or data secure
• PCI DSS focuses on one type of data: payment card transactions
• The organization runs the risk of focusing on one class of data to the detriment of everything else