Payment Card Industry Data Security Standard (PCI DSS)

Transcription

1 Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage, costly fines and even loss of the ability to accept and process credit cards. Credit card breaches happen regularly to unprepared merchants around the country. Two high-profile examples illustrate how these breaches can balloon: 1 From July 2005 to January 2007, discount retailer TJX Companies, Inc. suffered the largest computer data breach in corporate history. The incident affected more than 45 million credit and debit cards and cost the company an estimated $256 million in lawsuits, computer system improvements, security upgrades, fraud monitoring and other claims. Information on at least 451,000 customers, including Social Security and driver s license numbers, was exposed to identity theft. In January 2009, Robert Baldwin, Heartland Payment Systems president and CFO, stated that intruders had access to Heartland s system for longer than weeks in late Tech security experts said the breach could set a record. With more than 100 million transactions per month, Heartland may yet discover that several months worth of transactions were captured. Although six years and multiple deadlines have passed since the standard was devised, as of March 2008, only an estimated 77 percent of Level 1 merchants (those with more than 6 million annual transactions) and 61 percent of lower-volume merchants had fully validated their systems to demonstrate compliance. Additionally, many more merchants believe they are in compliance when, in fact, they are not. They have either not taken steps to validate their compliance or have misinterpreted the requirements, and therefore are failing to protect their systems from security breaches correctly. Given the risks associated with data breaches, and the fact that most validations are performed by self-assessment, this is an issue internal audit departments should take more seriously. 1 Computerworld, TJX data breach: At 45.6M card numbers, it s the biggest ever, by Jaikumar Vijayan, March 29, 2007, at and USA Today, Hackers breach Heartland Payment credit card system, by Byron Acohido, at heartland-credit-card-security-breach_n.htm.

2 This white paper provides an overview of what auditors need to know about PCI DSS compliance and why it should be an important initiative for internal audit. It spells out the steps firms should take to protect their interests. PCI DSS Background Originally, MasterCard, Visa and other card brands absorbed losses from security breaches on their own. Then, around 2000, MasterCard and Visa implemented programs to control and reduce those losses. The two programs eventually merged their standards in an attempt to unify the industry. In December 2004, the expanded PCI DSS was adopted by MasterCard and Visa, as well as American Express, Diners Club, Discover Card and JCB. Since September 2006, PCI DSS has been administered by the PCI Security Standards Council. The standards undergo regular revision; PCI DSS 1.2 was released on September 25, The standards are not laws or regulations. Rather, they are established through contractual obligations between the card brands and merchant banks that acquire and process the transactions on behalf of merchants. However, the data security requirements effectively flow down to merchants, who agree in their merchant card processing agreements to comply. PCI DSS is much more prescriptive and specific than regulatory requirements such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and state breach notification laws. For example, while the federal privacy laws are objective-based and require actions like risk assessments, PCI DSS imposes 248 individual requirements on merchants and service providers. Compliance and Validation Requirements The standards apply to all merchants and service providers regardless of industry or size that store, process or transmit cardholder data. Compliance is mandatory, but what is critical to understand is that compliance validation procedures differ depending on the merchant or service provider s category level. The table in the following section summarizes four levels of status as defined by American Express and Visa. Note that each level has different validation requirements. Understanding the Scope of a Validation In almost every case, breaches are traceable to merchants that have failed to comply with the PCI DSS requirements. Other than not validating processes at all, the most common error involves companies that perform the self-assessment questionnaire using a narrow scope. Information technology (IT) organizations also tend to assume some controls are in place when they actually are not or they misinterpret the requirements. The result is management s perception that they are compliant, when the reality may be far different. Getting the scope right is critical to an accurate validation. Companies must keep in mind that PCI DSS applies to all of their systems, including: All external connections into the merchant network All connections to and from the authorization and settlement environment (e.g., routers, switches, firewalls, web servers and wireless connections) Any cardholder data repositories, including those outside of the authorization and settlement environment (such as document images and voice recordings) All systems connected to any of the above Protiviti 2

3 Visa Criteria American Express Criteria Required Validation Action Level 1 Any merchant that processes over 6 million Visa, or: Any merchant that processes more than 2.5 million American Express Card transactions per year, or: American Express/Visa Annual on-site audit and quarterly scans required Was compromised in the past year, regardless of acceptance channel Has suffered a hack or attack that resulted in an account data compromise Has had a data incident Is otherwise deemed a Level 1 merchant by American Express Has been identified by any other payment card brand as Level 1 Is determined by Visa, at its sole discretion, to meet Level 1 merchant requirements Level 2 Any merchant processing between 1 million and 6 million Visa transactions per year Any merchant processing 50,000 to 2.5 million American Express Card American Express/Visa Quarterly scans required Visa Annual selfassessment questionnaire Level 3 Any merchant processing 20,000 to 1 million Visa e-commerce Any merchant processing fewer than 50,000 American Express Card American Express Quarterly scans strongly recommended Visa Annual selfassessment questionnaire and quarterly scans required Level 4 Any merchant processing fewer than 20,000 Visa e-commerce and all other merchants processing up to 1 million Visa N/A Visa Annual selfassessment questionnaire and quarterly scans may be required Protiviti 3

4 Effectively, merchants and service providers must either segment their PCI-affiliated devices from the rest of their network or validate their entire network. This is an area of frequent misunderstanding by merchants. The following guidelines clarify how the audit scope, selfassessment questionnaire and scans should be interpreted: In a nonsegmented or flat network, all devices are in scope for audit and scans. The entire network needs to comply with PCI DSS requirements. In a segmented network, only devices within the discrete PCI segment are in scope and need to comply with PCI DSS audit requirements. Establishing proper segmentation is critical to being able to use the method to reduce your scope. Steps to Compliance and Proper Validation The following steps are a brief overview of what auditors can do to assess their company s compliance with PCI DSS and remediate potential risks. Step 1: Perform a Scope and Gap Analysis The first step is to perform a scope and gap analysis of your systems and networks. This will determine if your configuration properly segments PCI data from externally accessible systems and the rest of the internal network. The gap assessment should then cover all of the PCI requirements within the appropriate scope. Although self-assessment questionnaires have recently been vastly improved to address all PCI controls, organizations should still refer to the PCI audit procedures document when carrying out the gap analysis to ensure the requirements are properly interpreted. As with any internal audit, it is important that the auditor independently validate compliance to the standard, since IT performed the initial assessment and may not believe there are any gaps. Determining your scope and gaps will assist in determining what might need to be remedied and how best to approach the remediation process. Step 2: Reduce the Storage of Cardholder Data Remove cardholder data from as many locations as possible. Typically, merchants store information that may include cardholder data for much longer than the business requires. By removing this information entirely, you may reduce your scope and actual risk. Step 3: Segment Your PCI Network One of the best ways to reduce risk and the PCI scope is to separate the PCI systems from other internal systems with a proper segmentation, including a firewall. Auditors need to work closely with their IT departments to ensure PCI DSS requirements are properly understood and implemented. Step 4: Implement Other Ways to Limit the Scope Other methods can be used to reduce the scope. The most common is PAN (primary account number) truncation (first six and last four digits only), or hashing. Since a truncated or hashed PAN is not considered cardholder data, it does not need to be protected and is not in the PCI scope. In addition, auditors can recommend specific process and procedural changes that mitigate the risk. However, these compensating controls must be above and beyond the requirements in the standard and also meet the intent and rigor of the original requirement. Protiviti 4

5 Internal audit should keep in mind that companies often fail the validation process because of problems in key areas such as: Lack of or weak encryption processes Lack of documentation on process design, testing and support evidence Lack of network documentation and architecture Outdated equipment that is unable to support the strong authentication (no telnet or unencrypted admin access) and logging required Penalties for Noncompliance and Safe Harbor Penalties and deadlines are established by individual card brand, but they usually include fines, higher transaction rates, and the risk of the card brand revoking the merchant s ability to accept the card. In the event of a serious security breach, fines of up to $500,000 can be levied for each instance of noncompliance. Most of the time these fines are not the most expensive result of a breach. The Ponemon Institute found that the average cost of a breach in 2008 was $202 per lost record. Merchants and service providers can obtain safe harbor from penalties only if they are in full compliance with PCI DSS at the time of the breach, as demonstrated during a forensic investigation. The entity must have validated full compliance prior to the compromise. Neither submission of a report on compliance nor a self-assessment questionnaire alone will provide a merchant safe harbor status. Taking Validation Seriously In short, compliance with PCI DSS is an absolute requirement for all merchants and service providers. If the company is still not validating at all, or has validated based on incorrect interpretations or assumptions, action must be taken immediately to address the severe risk of a data security breach. Protiviti 5

6 About Protiviti Protiviti ( is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. For additional information about the issues reviewed in this white paper or Protiviti s services, please contact: Scott Laliberte Managing Director scott.laliberte@protiviti.com Jeffrey Sanchez Managing Director jeffrey.sanchez@protiviti.com 2009 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.