DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, Merit Member Conference

Transcription

1 2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI)

2 1 Welcome

3 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the presentation. Presentation Slides Presentation materials are available via the conference website, or please contact the presenters after the session, and an updated electronic copy of the materials will be ed after the Conference

4 What is PCI PCI is a Data Security Standard (DSS) Governed by the Payment Card Industry (PCI) Security Council Made up of 12 requirements including standards for: Security management Policies and procedures Network architecture Software design Other critical protective measures Transcends Industry & traditional borders 3

5 Welcome Here s a message from the hackers they re going to leave us alone. They re looking for more of a challenge. 4

6 5 12 PCI Requirements Goals PCI DSS Requirements Validated by Self or Outside Assessment Build and Maintain a Secure Network 1. Install and maintain a firewall configura:on to protect cardholder data 2. Don t use vendor supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update an: virus sonware 6. Develop and maintain secure systems and applica:ons Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Informa:on Security Policy 12. Maintain a policy that addresses informa:on security

7 PCI for Education Organizations Business is business Do you accept, process, store, or transmit data? Do you have a responsibility to protect your customer data? Do hackers and identity thieves care where or how they get the data? Security transcends industry So does credit cards use Instances of identity theft continue to increase yearly in all industries Card companies to transfer costs onto noncompliant organizations Compliance is less expensive than noncompliance 6

8 7 Steps to Achieving PCI Compliance What is Cardholder Data? Sensitive Authentication Data full magnetic stripe, PIN data or card validation codes Personal Account Number (PAN) plus any of the following: Cardholder name Expiration date Service Code

9 Steps to Achieving PCI Compliance (cont.) Identify ALL cardholder data in your organization, consider: Electronic cardholder data residing in: Applications, databases, spreadsheets, s, files, copy machine hard drives, voice mails & calls that may (or may not) be recorded for accuracy, etc Hardcopy cardholder data residing in: desks, cabinets, trash, fax machines, copy machines, unlocked shred bins, etc Ignorance of location is no defense Vendors / 3rd Party Processors Don t forget your vendors If they aren t complaint, find someone who is 8

10 9 Steps to Achieving PCI Compliance Know your level: Definition (# of transactions annually) SAQ - Self Assessment Questionnaire Network Security Scan by an ASV On-site Audit by a QSA Level 1 More than 6 million N/A Required Quarterly Required Annually Level 2 1 to 6 million Required Annually Required Quarterly N/A Level 3 20,000 to 1 million Required Annually Required Quarterly N/A Level 4 All others Required Annually Required Quarterly N/A

11 10 Welcome

12 11 Steps to Achieving PCI Compliance (cont.) PCI a three step process: Completion of the proper Self Assessment Questionnaire (SAQ) Clean Report from your Approved Scanning Vendor (ASV) Delivery of your results to the card companies Step 1: Complete the proper SAQ SAQ Type Self-Assessment Questionnaire Description SAQ ID 1 Card not present (e commerce or mail/telephone order) merchants, all cardholder data func:ons outsourced. Does not apply to face to face merchants A 2 Imprint only merchants with no electronic cardholder data storage B 3 Stand alone terminal merchants, no electronic cardholder data storage B 4 Merchants with POS systems connected to the Internet, no electronic cardholder data storage C 5 All other merchants (not including in Types 1 4) and all service providers defined by a payment card brand as eligible to complete a SAQ D

13 12 Steps to Achieving PCI Compliance (cont.) Step 2: ASV External Quarterly Scanning Confusion about the required types of Security Scanning External Quarterly Scan Internal Penetration and Scanning Web Application Penetration Review Wireless Security Review Define your scope advantages of a properly segmented network Step 3: Reporting Submit your completed SAQ and/or Attestation, along with any Compensating Controls Worksheets, according to instructions from your acquirer or payment brand.

14 13 Welcome

15 14 Risks & Penalties of Noncompliance Here is what organizations are telling us about PCI: It s just too expensive. We are just going to sit on this until we are forced to do something Data breaches cost organizations $202 per compromised customer record in 2008 a 40% increase since It is estimated a breach will cost on average of $500,000 in fines from the PCI Council. (this includes neither the cost of a forensic investigation, nor the fees resulting from civiłclass action lawsuit.) You could also lose the ability to use credit cards I trust everyone I work with, and everyone knows they have a responsibility to protect card holder data. PCI More than 88% of all cases in this year s study involved insider negligence (stats from the Ponemon Institute, 2009)

16 15 Costs of PCI Compliance Costs associated with obtaining and maintaining PCI compliance are significantly less than the cost of non compliance Currently think of PCI as insurance For now - no proactive compliance monitoring for lower level merchants If hacked while not compliant, no recourse Down the Road Think of PCI as a requirement Eventually, proactive compliance monitoring will work its way down the merchant levels

17 16 Common Mistakes Assuming that since their Payment Processor is compliant, they don t need to obtain PCI Compliance Submitting SAQ with No responses. Submitting SAQ with Yes responses which are incorrect. Allowing non-qualified individuals perform the required scanning and penetration testing. Not keeping gathered information for next year.

18 17 Welcome

19 In Conclusion Understand your responsibility / risks Know where cardholder data resides: Stored (electronic & hardcopy) Processed Transmitted PCI requires vigilance and annual updates requires a change in culture Remember: PCI is an organizational certification (not an IT certification) 18

20 19 Q&A Marvin Sauer Consulting Manager Kurtis VanderWal Security Assurance Senior Consultant

21 Thank you.