1 Security standards PCI-DSS, HIPAA, FISMA, ISO End Point Corporation, Jon Jensen,
2 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this is the one that applies to any company taking or processing credit card information or developing or hosting software that does.
3 Merging 5 standards into one PCI was founded by Visa, MasterCard, American Express, JCB, and Discover. Before joining forces, they each had their own security standards.
4 Who s Who: Banks Visa and MasterCard are made up of Member organisations who can be either Acquirers or Issuers (or both). Acquirers handle Merchants. Issuers issue the cards to Cardholders.
5 Who s Who: The Rest of Us Merchants: those entities who accept card transactions. Cardholders: those trying to spend their money. Service Providers: those providing any service requiring the processing, storing or transport of card information on behalf of any of the above.
6 How PCI DSS is applied Externally: by regular remote Network Security Scan by an approved vendor. Internally: Self Assessment Questionnaires ask about compliance with each of the standard s requirements. Onsite: Very large merchants must have an annual onsite review and audit.
7 PCI DSS teeth Penalties can be passed on to Merchants and Service Providers through their contracts, including monetary charges and account cancellation (kiss of death to ecommerce providers).
8 PCI DSS Merchant Levels There are several Merchant Levels. In the past small merchants doing fewer than a certain number of transactions per year had less of a compliance burden. Now, the only difference is that very large merchants must have an annual onsite audit. For us, Merchant Levels don t matter.
9 Are we a Service Provider? No. We do not offer payment processing services to third parties on our own infrastructure. We offer development and hosting services for our clients, and some of them are Merchants. (None of them are Service Providers to third parties either.)
10 Network Security Scanning Typically automated and run daily. Targets Internet-facing: routers and firewalls servers and hosts applications
11 Scan reporting Scans report to the Merchant about issues found, categorizing on severity scale of 1 to 5: 1: informational 2: recommended changes 3: high, limited remote exploit causing risk 4: critical, potential remote data exposure 5: urgent, serious remote exploits
12 Scan remediation Severity levels 3-5 must be dealt with immediately, and confirmed solved by another scan. Merchants can have their accounts frozen or contracts canceled if they don t comply.
13 Self Assessment Questionnaire Don t expect to be quick. Is fairly large and has many, many questions that are not quick to find answers for. Mainly includes Yes/No/Not Applicable choices. Our clients are responsible. We can only help by answering some for them; many involve office network, host, and physical security, etc.
14 PCI DSS requirements Review the requirements documents yourself when you re helping a client. Good to know specifics.
15 PCI DSS reqs. in broad strokes No default passwords Disable unused services Secure wireless networks Regularly apply software updates Use firewalls Use anti-virus software where available Unique account for each user
16 PCI DSS reqs. in broad strokes Log all access attemps Audit logs Require minimum password strength Configure crypto well, e.g. https Train periodically Must document flow of cardholder data
17 Cardholder Data Can store: Primary Account Number (PAN), but must be encrypted or masked to first 6 + last 4 digits Cardholder name Service code (number on the magnetic stripe that specifies the acceptance requirements and limitations for magnetic stripe read transactions) Expiration date
18 Sensitive Authentication Data Cannot store, not even encrypted or masked: Full Track Data (magnetic stripe) Card security code (CAV2/CVC2/CVV2/CID) PIN/PIN block
19 Crypographic key custodians Don t store cardholder data unless absolutely necessary, even in encrypted form. (3.5) Keys must be rotated regularly (e.g. every few years). Must designate key custodians. Restrict access to keys to the fewest number of custodians necessary. Key custodians must sign a formal agreement of understanding.
20 Data Retention and Disposal Policies Limit data storage to what is necessary for as long as necessary. Document reasons for necessary. Securely delete data when no longer needed. Quarterly review systems to ensure nothing is being stored beyond what is specified.
21 PAN encryption + masking risk (3.4) It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
22 Code Reviews Required (6.3.2) Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices. Code-review results are reviewed and approved by management prior to release.
23 HIPAA Health Insurance Portability and Accountability Medical data Covers printed, spoken, and electronic forms. CDC incorporates HIPAA security standards.
24 3 types of security safeguards administrative physical technical
26 PHI, EPHI Protected health information. Electronic PHI. Any information that can be used to identify a patient whether living or deceased that relates to the patient s past, present, or future physical or mental health or condition, including healthcare services provided and payment for those services.
27 Personal Identifiers Patient names Telephone numbers Fax numbers Social Security numbers Vehicle identifiers addresses Web URLs and IP addresses
28 More Personal Identifiers Geographic subdivisions (smaller than state), including zip code! Dates, unless only the year is present!
29 Even more Personal Identifiers Names of relatives Full face photographs or images Healthcare record numbers Account numbers Biometric identifiers (fingerprints or voiceprints) Device identifiers Health plan beneficiary numbers Certificate/license numbers Any other unique number, code, or characteristic that can be linked to an individual.
30 HIPAA Enforcement Rule HHS issued the Final Rule regarding HIPAA enforcement and it took effect on March 16, The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violation.
31 HIPAA Security Breach Fine A fine of $50,000 to the Hospice of North Idaho (HONI) was made for a potential HIPAA Security Rule breach affecting fewer than 500 people. Rachel Seeger, a spokeswoman for HHS, stated, HONI did not conduct an accurate and thorough risk analysis to the confidentiality of ephi as part of its security management process from 2005 through Jan. 17, This investigation was initiated with the theft from an employee s vehicle of an unencrypted laptop containing 441 patient records.
32 Breach Reporting Part of all security standards is reporting. Even just suspicions. Longstanding bad practices. Immediately. We keep a timestamped trail for reporting.
33 Breach reporting to... Simplified: I am End Point s Chief Privacy Officer, Chief Security Officer, and the equivalent responsible party for security in any of these standards. Report to me as a top priority. If you can t reach me right away, report to and
34 Reporting timeliness matters How quickly and responsibly we respond to breaches makes a huge difference in how the breach will be viewed and the consequences of it.
35 Public reporting See: https://www.endpoint.com/contact We offer a PGP public key and a reporting address that will go to the hosting team and anyone else who needs to know.
36 FISMA Federal Information Security Management Act of 2002 Applies to federal agencies and their contractors.
37 ISO/IEC 27001:2013 A specification for an information security management system. An international equivalent of some of the U.S. standards.
38 Compliance compatibility
39 Ongoing It s a process, not a destination.
40 Reference https://www.pcisecuritystandards.org/ org/wiki/federal_information_security_management_act_of_ com/pdf/insights_files/white_papers/information_security_white_paper. pdf
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft
ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire Overview This pre-implementation questionnaire is designed to provide the Boston College Internal Audit Department with a general understanding
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA email@example.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.
Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies
Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project
HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
Compliance TODAY July 2014 a publication of the health care compliance association www.hcca-info.org What s the key to successfully merging two large hospital systems? an interview with Michael R. Holper
USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
PCI DSS 101- The background you need for understanding the PCI DSS Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies www.nntws.com
How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements DataSunrise, Inc. https://www.datasunrise.com Note: the latest copy of this document is available at https://www.datasunrise.com/documentation/resources/
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit
FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein