Page 1: PCI DSS The Cost Of Non Compliance

PCI DSS: The Cost of Non-Compliance

Joseph Fung
April 29, 2008
Lewis Media Website Producer Learning Series

Page 2: PCI DSS The Cost Of Non Compliance


Today's Menu

• PCI Who and When
• Impact and Risk
• Mitigating the Risk

Page 3: PCI DSS The Cost Of Non Compliance


Part I: Who and When

Page 4: PCI DSS The Cost Of Non Compliance


The Payment Card Industry

PCI SSC - https://www.pcisecuritystandards.org

Part I: PCI Who & When

• Payment Card Industry (PCI) Security Standards Council – founded in Sep 2006 by the five major card brands (the first PCI DSS, v1.0, had been issued in Dec 2004, before the council existed)

• Develops and maintains the PCI Data Security Standard (DSS)

Page 5: PCI DSS The Cost Of Non Compliance


Relationships


Payment Card Industry

Banks

Processors

Merchant(Website Owner)

Page 6: PCI DSS The Cost Of Non Compliance


The Timeline

• Dec 2004 PCI DSS v1.0 issued
• Sep 2006 PCI SSC formed; PCI DSS v1.1 released
• Jul 2007 Contracts Updated
• Dec 2007 PCI DSS Compliance Required
• Feb 2008 New Tools Launched (the Self-Assessment Questionnaires)

https://www.pcisecuritystandards.org/tech/saq.htm

• ~2010 Additional Requirements Enforced


Page 7: PCI DSS The Cost Of Non Compliance


Who is responsible?

Everyone assumes someone else is taking responsibility for education


Page 8: PCI DSS The Cost Of Non Compliance


Why are we here?

We want to give our clients the best advice possible.


Page 9: PCI DSS The Cost Of Non Compliance


Part II: Impact and Risk

Page 10: PCI DSS The Cost Of Non Compliance


Who needs to be compliant?

All Merchants.

This includes brick-and-mortar, mail order/telephone order (MOTO), and e-commerce merchants.

Part II: Impact & Risk

Page 11: PCI DSS The Cost Of Non Compliance


Will this impact end consumers? No, not really.

Consumers are protected by many systems and vehicles – the end consumer is almost always right.


Page 12: PCI DSS The Cost Of Non Compliance


What is the value of compliance?

• Demonstrate due diligence
• Enhance confidentiality, integrity and authenticity of data
• Competitive edge: positive image and enhanced trustworthiness
• Safe harbor from fees


Page 13: PCI DSS The Cost Of Non Compliance


What are the consequences?

• Class action lawsuits
• Insurance claims
• Cancelled merchant accounts
• Card provider fines ($50K - $500K)
• Government fines ($5M - $20M)
• Damaged client relationships


Page 14: PCI DSS The Cost Of Non Compliance


Two example (fictional) stories

• Jim: online store running osCommerce
• Kate: consultant taking card payments by mail order/telephone order (MOTO)


Page 15: PCI DSS The Cost Of Non Compliance


The Hitch:

Compliance is not easy: there are many bases to cover, and most companies do not have the resources for full compliance.

Next: reviewing those bases.


Page 16: PCI DSS The Cost Of Non Compliance


Page 17: PCI DSS The Cost Of Non Compliance


Notes from the PCI DSS v1.1 table of cardholder data elements (the table itself is not reproduced in this extraction):

* These data elements must be protected if stored in conjunction with the PAN.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.


Page 18: PCI DSS The Cost Of Non Compliance


PCI DSS Overview

• 12 Requirements in 6 Groups
• 3 particularly relevant to e-commerce
• 8 must be addressed by the business owner


https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

Page 19: PCI DSS The Cost Of Non Compliance


Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


Page 20: PCI DSS The Cost Of Non Compliance


Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks


Page 21: PCI DSS The Cost Of Non Compliance


Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications


Page 22: PCI DSS The Cost Of Non Compliance


Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data


Page 23: PCI DSS The Cost Of Non Compliance


Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes


Page 24: PCI DSS The Cost Of Non Compliance


Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security


Page 25: PCI DSS The Cost Of Non Compliance


Special Note on Hosting Providers

• Per Requirement 12: all service providers with access to cardholder data must adhere to the PCI DSS

• Hosting providers must pay special attention to their role in this. Each hosted merchant's environment must be kept separate from the others and auditable, so that access to one client's cardholder data can be traced and cannot reach another client's (the PCI DSS appendix for hosting providers spells this out).


Page 26: PCI DSS The Cost Of Non Compliance


Making sense of it

Although we are not responsible for our clients' PCI DSS compliance, there are things we can do to help.


Page 27: PCI DSS The Cost Of Non Compliance


Part III: Mitigating the Risk

Page 28: PCI DSS The Cost Of Non Compliance


PCI Requirement 3

• Use autocomplete="off" on card fields (a hint to the browser only; it does nothing for data once it has been submitted)
• Mask the PAN: show at most the last four digits
• Never display the security code
• Don't store the CVV number (or any other sensitive authentication data) after authorization, even encrypted
• Encrypt stored PANs. The MySQL AES functions can do this, but AES_ENCRYPT() takes the key as a query argument (so it can end up in query and slow logs) and defaults to ECB mode; keep the key out of SQL statements and prefer encrypting in the application before the value reaches the database
• Use a TTL for displayed information
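An added example (not from the original slides, and not Lewis Media's code) of what a checkout may keep from a card form under Requirement 3: the PAN is masked to its last four digits for display, a keyed token replaces it for lookups, and the CVV never becomes part of the stored record. The form field names, the token key and the record layout are assumptions.

```python
"""
Added example (not from the original slides): what an e-commerce checkout is
allowed to keep from a submitted card form under PCI DSS Requirement 3, and
how to mask the PAN for display.  Field names, the token key and the record
layout are assumptions.
"""
import hashlib
import hmac
import re

# Assumed: a per-deployment secret used only to derive a lookup token from the
# PAN, so the application can recognise a returning card without storing the PAN.
TOKEN_KEY = b"example-token-key-rotate-me"

# Sensitive authentication data (CVV/CVC, full track data, PIN) must never be
# stored after authorization, even encrypted.  Form field names are assumed.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}


def normalize_pan(raw):
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def mask_pan(pan):
    """Display form: every digit but the last four replaced with '*'."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(pan):
    """HMAC of the PAN under a secret key.  An unkeyed hash is not enough: the
    BIN and the Luhn digit leave so few unknown digits that it is brute-forceable."""
    return hmac.new(TOKEN_KEY, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def contains_sensitive_auth_data(record):
    """True if any sensitive authentication data field is present in the record."""
    return bool(SENSITIVE_AUTH_FIELDS & {k.lower() for k in record})


def card_record_for_storage(form):
    """Return the subset of a submitted card form that may be persisted after
    authorization: masked PAN, last four, keyed token, expiry and cardholder
    name.  The full PAN and every sensitive authentication field are left out
    by construction (allow-list, not block-list)."""
    pan = normalize_pan(form["pan"])
    record = {
        "pan_masked": mask_pan(pan),
        "pan_last4": pan[-4:],
        "pan_token": pan_token(pan),
        "expiry": form["expiry"],
        "cardholder_name": form["name"],
    }
    # Belt and braces: refuse to hand back anything that could still carry CVV.
    if contains_sensitive_auth_data(record):
        raise ValueError("refusing to store sensitive authentication data")
    return record


if __name__ == "__main__":
    # Constructed input: the form as it arrives at the authorization step.
    submitted = {"pan": "4111-1111-1111-1111", "expiry": "12/09", "name": "J. Doe", "cvv": "123"}
    print(card_record_for_storage(submitted))
```

The allow-list shape matters more than the masking: a storage routine that copies the whole form and deletes `cvv` will silently keep the next field someone adds.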

Part III: Mitigating the Risk

Page 29: PCI DSS The Cost Of Non Compliance


PCI Requirement 4

1. Always pass credit card information over SSL/TLS (that includes any information sent to the browser on the admin side)

2. Have a qualified IT consultant secure any wireless networks (use a VPN over public wireless networks)


Page 30: PCI DSS The Cost Of Non Compliance


PCI Requirement 6

1. Enable automatic updates for software

2. Include scheduled maintenance as part of the project

3. Use third-party monitoring systems


Page 31: PCI DSS The Cost Of Non Compliance


PCI Requirement 7

1. Use software that allows you to restrict access to credit card information (or better yet, don’t store data).


Page 32: PCI DSS The Cost Of Non Compliance


PCI Requirement 10

1. Test the level of logging you can collect from your host (look for access logs and SSL access logs, and check how long the host keeps them)


Page 33: PCI DSS The Cost Of Non Compliance


Best Practices

1. Review the PCI DSS Requirements with your clients that accept payment cards

2. Visit the PCI SSC website quarterly, or subscribe to the RSS feed: https://www.pcisecuritystandards.org/pcissc_news.xml

3. Require service providers and third parties to demonstrate PCI compliance

4. Store less, better access control, understand the data flow


Page 34: PCI DSS The Cost Of Non Compliance


Best Practices contd…

5. Perform a thorough scoping project to determine all credit card data flows from transaction to billing

6. Update frequently: compliance is for a specific software version/product and valid for one year


Page 35: PCI DSS The Cost Of Non Compliance


Best Practices contd…

7. Implement waiver/sign off on understanding PCI Compliance

8. Update processes frequently: compliance is for a specific business/feature and valid for one year


Page 36: PCI DSS The Cost Of Non Compliance


Best Practices contd…

9. Automate log rotations and saving (some hosting providers delete automatically)

10. Maintain separate development, test, and production environments

11. Don't rely on WEP protection (use WPA or, preferably, WPA2; WEP keys can be recovered in minutes)


Page 37: PCI DSS The Cost Of Non Compliance


Best Practices contd…

12. Never send PANs over email
13. Never send PANs over email
14. Never send PANs over email
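An added example (not from the original slides) that turns the "never send PANs over email" rule and the Requirement 10 advice to check what your host logs into something you can run: it scans text for Luhn-valid card numbers and reports them masked. The access-log lines and e-mail body are constructed for the example; the regular expression is an assumption about PAN formatting (13 to 19 digits, optional single spaces or dashes).

```python
"""
Added example (not from the original slides): scan web-server access logs or
outbound e-mail for unmasked PANs.  Sample data is constructed for the example.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us matching the middle of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation; weeds out most timestamps and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (masked_pan, line_number) for every Luhn-valid candidate in text.
    Only the masked form is returned so the scanner's own output does not
    become another copy of the PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(("*" * (len(digits) - 4) + digits[-4:], lineno))
    return hits


# Constructed Apache-style access log: a checkout form submitted with GET puts
# the card number in the query string, and the host's access log keeps it.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Apr/2008:10:15:02 -0400] "GET /checkout.php?pan=4111111111111111&cvv=123 HTTP/1.1" 200 512
10.0.0.5 - - [29/Apr/2008:10:15:09 -0400] "GET /order.php?id=20080429101503 HTTP/1.1" 200 2048
10.0.0.7 - - [29/Apr/2008:10:16:44 -0400] "POST /checkout.php HTTP/1.1" 302 0
"""

# Constructed e-mail body: an order confirmation that quotes the full card number.
SAMPLE_EMAIL = """\
Subject: Order #1042 confirmed
Thanks for your order. Card used: 5500 0000 0000 0004, expiry 12/09.
Your order reference is 200804291042.
"""

if __name__ == "__main__":
    for name, sample in (("access log", SAMPLE_ACCESS_LOG), ("e-mail", SAMPLE_EMAIL)):
        for masked, lineno in find_pans(sample):
            print("%s line %d: PAN %s" % (name, lineno, masked))
```

Treat hits as leads rather than proof: one in ten random digit strings of the right length passes Luhn, so long order ids and timestamps will occasionally match. The first sample line also shows why card forms must use POST and why the query string must never carry card data, since the access log keeps every GET verbatim.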


Page 38: PCI DSS The Cost Of Non Compliance


Bonus Best Practice…

15. Use the Self-Assessment Questionnaire as the gap analysis, and talk to the client about the ideals of PCI compliance before the logistics. Aim to pass on the belief, not just the checklist.


Get the questionnaire at https://www.pcisecuritystandards.org/tech/saq.htm

Page 39: PCI DSS The Cost Of Non Compliance


Conclusion

Review PCI Standards with your clients and let them know the risks.

They are obliged to comply, and we would all like to help them get there.


Page 40: PCI DSS The Cost Of Non Compliance


Questions/Comments?

Feel free to ask now or email me: [email protected]