PCI Compliance: Protection Against Data Breaches

Transcription

1 Protection Against Data Breaches Get Started Now: to learn more.

2 The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013) compromising over 630 million records, which is approximately double the population of the United States. In 2014, there have been 368 information security breaches (that were announced) totaling nearly 11 million records. That s more than two data breaches per day. The Target stores breach alone affected approximately 110 million records. Data breach losses are not only felt by credit card companies, but also by merchants and most importantly, by valued customers. Companies that experience data breaches suffer huge financial impacts. The average financial impact to a business that has been breached is 5 million dollars. In addition, a company pays about $90 for each data record that s been compromised. Merchants that experienced data breaches also suffered hits to their reputation, and the impact of a data breach on a company s reputation may negatively affect their revenue, profits and stock price. As the result of a data breach, credit card companies may also prohibit a merchant s acceptance of credit cards, making it difficult to accept customer payments. There have even been cases where breached companies have faced civil and criminal charges, and individual careers may also be negatively impacted by a data breach. Needless to say, the real victims of data breaches are customers/ cardholders. The impact to the customer is exposing their personal information, which may result in consumer scams, phishing, web scams, social engineering attacks and identify theft. Whitepaper: PCI Compliance: 2

3 PCI Compliance: A Brief History For many years, credit card companies fought diligently against fraud and stolen assets. In 2005, the Federal Trade Commission (FTC) received more than 685,000 complaints of fraud and identity theft that totaled more than $680 million in stolen assets. Nearly all of these losses stemmed from data breaches associated with credit cards. As a result, each of the major credit card companies developed its own information security program for merchants. However, this created a significant burden on merchants, since companies that accepted Visa, MasterCard, Discover and American Express had to conform to four different information security standards, each with different requirements and reporting. To solve this problem, the credit card companies came together and created the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit cards maintain a secure environment. The objective of PCI DSS is to protect cardholder data and facilitate the broad adoption of consistent data security measures globally. Whitepaper: PCI Compliance: 3

4 PCI Applicability PCI applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer ever pays a merchant directly using a credit card or debit card, then the PCI DSS requirements apply to that merchant. PCI DSS Requirements Whether the transaction occurs in a brick and mortar store or online, from physical Point of Sale devices to virtualized servers, PCI DSS mandates that organizations are responsible for the security of their customers cardholder data. For PCI DSS compliance requirements, there are four levels of merchants based on the number of credit card transactions a company performs annually. Based on the level of the merchant, there are different PCI requirements that must be met. For those merchants that perform fewer than 6 million credit card transactions annually (Levels 2-4) the merchant is required to fill out part or all of the Self-Assessment Questionnaire, a document outlining specific requirements that need to be met to achieve and maintain compliance. Whitepaper: PCI Compliance: 4

5 Self-Assessment Questionnaire The Self-Assessment Questionnaire (SAQ) is an online tool to assist merchants in self-evaluating their compliance with the PCI DSS. The SAQ includes questions on a company s information security infrastructure, policies and procedures. In addition to the Self-Assessment Questionnaire, merchants must complete an Attestation of Compliance which is an affirmation of the merchant s compliance with the PCI DSS requirements and security assessment procedures. The Attestation of Compliance puts your name on the line and makes you responsible for compliance and for all the statements made in the questionnaire. There are different versions of the SAQ based on the way merchants accept and process credit cards. Below is a diagram that illustrates the different ways merchants accept and process credit cards. For example, it doesn t make sense to require a merchant that only accepts physical cards with carbon copy paper to comply with requirements for online and electronic capture and processing. Within the SAQ there are 12 separate PCI Requirements sections each made up of many sub-requirements. Whitepaper: PCI Compliance: 5

6 Objective Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI DSS Requirements 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security PCI DSS Versions Given the increasing sophistication of hackers and other bad actors, the PCI DSS compliance standards have been updated over the years: Version 1 - December 2004 Version September 2006 (to provide clarification and minor revisions to version 1.0) Version October 2008 Version October 2010 (is active for merchants and service providers from January 1, 2011 to December 31, 2014) Version (was released in November 2013 and is active from January 1, 2014 to December 31, 2016) Whitepaper: PCI Compliance: 6

7 What s New in PCI DSS 3.0 PCI DSS 3.0 helps organizations focus on security, not compliance, by making payment security a part of day-to-day operations. By raising security standards and making PCI DSS compliance the status quo, organizations can monitor the effectiveness of their security controls and maintain their PCI DSS compliant environment. Given that, the changes in PCI 3.0 can be classified into four main categories: 1. Increased Education and Awareness: The new guidance includes recommendations on best practices for implementing security and encourages greater education and training, specifically in the areas of password management and enduser security awareness training. 2. Greater Flexibility: Previous PCI DSS versions sometimes wouldn t allow for alternate solutions that would mitigate the same threat. PCI 3.0 allows merchants to understand the intent behind each requirement (with suggestions on how to mitigate the threat), but leaves it open for alternatives that make sense. While some solutions are more black and white than others (such as the need for a firewall), other requirements such as password management may have multiple options to achieve the same level of security and compliance. 3. Security as a Shared Responsibility: The concept of shared responsibility for security is outlined, and guidelines are provided to show where security responsibilities should fall when multiple organizations are responsible for various parts of the network and security infrastructure. 4. Monitor Controls Continuously: Conducting periodic reviews of the network and having routine audits will ensure issues and failures are addressed quickly. This will eliminate the once a year check-box mentality and help reinforce that security reviews should be an ongoing process. Third-Party Service Providers Merchants are increasingly turning to third-party service providers to assist with storing, processing and transmitting cardholder data and to manage components of their systems such as routers and firewalls. As a result, one of the focus areas of PCI DSS 3.0 is security as a shared responsibility. To address this issue, the PCI Security Standards Council recently released the Third-Party Security Assurance Information Supplement, which is designed to help merchants and their service providers better understand their respective roles in securing card data. The Third-Party Security Assurance document includes information on how to implement a robust third-party assurance program focused on clearly delegating and monitoring security responsibilities. Areas to review when working with third-party service providers include: Shared responsibility may mean that a service provider is fulfilling certain PCI requirements but only for the services or devices they re providing. The merchant or other third party may still be responsible for that same requirement on other devices, systems, or areas of the network. A vendor may state that they re responsible for a particular PCI requirement, but that may be contractually breached by the merchant if they request changes to the service or perform some action that terminates the vendor s responsibility. If a service provider states they are helping a merchant meet part or all of a particular PCI requirement, the merchant needs to ensure there isn t some part of that requirement that remains the responsibility of the merchant or another provider. This is at the heart of shared responsibility. Clear lines of responsibility must be drawn, documented and disseminated to appropriate personnel to conform to PCI 3.0 requirements. Overall, the merchant remains responsible for their information security and needs to ensure that their employees and vendors follow policies and procedures that keep in force all service level agreements and contractual responsibilities. In other words, the merchant is responsible for third-party oversight. Whitepaper: PCI Compliance: 7

8 Protection Against Data Breaches Managed PCI 3.0 Solutions from MegaPath With PCI 3.0, continuous compliance and continuous monitoring are essential to reduce the risk of a data breach. However, this presents merchants with many operational challenges, including having fully-trained security personnel performing continuous monitoring of every network element that gathers, stores, transmits, or processes payment card data. Contact MegaPath With MegaPath s Security-as-a-Service model, we continuously monitor and analyze your network, eliminating the need for you to hire network security personnel. In addition, MegaPath s Security Operations Center personnel are experts in the identification of security threats and responses to security alerts, and also provide daily log reviews and reporting (per site). MegaPath also works with customers on quarterly security audits and quarterly external vulnerability scans, with corresponding reports to document PCI compliance. MegaPath also offers Managed Broadband Access, Managed Security, Managed Remote Access and Managed WiFi to address compliance gaps. MegaPath has a long history with PCI DSS and was the first communications service provider to achieve PCI compliance and has maintained compliance ever since. Summary PCI DSS 3.0 can be summarized fairly concisely. Security and compliance auditing should not be a once a year practice but rather a daily practice with processes, policies and procedures that follow best practices and use appropriate tools to ensure information security integrity. If you keep your systems and network secure, that will naturally result in appropriate compliance. Treating PCI compliance like a once a year event is not keeping with the spirit of PCI DSS 3.0 and is setting your organization up for a potential information security breach. Information security should be part of the daily culture and routine of an organization. Employees should feel like information security practices are part of the DNA of an organization and senior management should reinforce the importance of daily security practices. If you implement PCI 3.0 as a business as usual process by implementing security methodology as a required daily practice, PCI DSS 3.0 compliance will be a snap. Data Breach charts and statistics from idtheftcenter.org 8