PCI - Why You Need to be Compliant When Accepting Credit Card Payments. Agenda. Breaches in the Headlines. Breach Events & Commonalities

Transcription

1 PCI - Why Yu Need t be Cmpliant When Accepting Credit Card Payments Tuesday, March 27, 2012 Agenda Breach Events & Cmmnalities Evlutin f PCI PCI Requirements Risks f Nn-cmpliance Industry Initiatives t Mitigate Risk 2 Breaches in the Headlines 3

2 Behaviral Risk A survey f businesses in the US and Eurpe reveals activities that may put cardhlder data at risk: 81% stre payment card numbers 73% stre payment card expiratin dates 71% stre payment card verificatin cdes 57% stre custmer data frm the payment card magnetic stripe 16% stre ther persnal data Surce: Frrester Cnsulting: The State f PCI Cmpliance (cmmissined by RSA/EMC) 4 Breaking Dwn Breach Trends Surce: Verizn 2011 Data Breach Investigatins Reprt 5 PCI DSS Update Timeline

3 Scpe Wh/What is Impacted? PCI applies t all rganizatins r merchants, regardless f size r number f transactins, that accepts, transmits r stres any cardhlder data Includes Merchants, prcessrs, data hsting services, and sftware vendrs Cardhlder data envirnment includes the peple, prcesses, and technlgy that manage cardhlder data Any systems which cnnect t these systems, and thse which manage security related t these systems, is als cnsidered inscpe What is PCI Cmpliance? It s all abut merchants data security Payment Card Industry Data Security Standard (PCI DSS) is a set f best practices fr merchants, develped by the majr credit card cmpanies, t reduce card fraud and security breaches. PCI DSS includes requirements fr security management, plicies, prcedures, and ther measures that prtect custmer accunt data. PCI requirements are reviewed and revised n a bi-annual basis by the PCI Security Standards Cuncil (PCI SSC); they are nt a static set f requirements. Merchants whse equipment and practices d nt fllw PCI DSS requirements are cnsidered nn-cmpliant and are subject t ptentially larger fines if a security breach ccurs. Payment Applicatin Data Security Standard (PA DSS) PA DSS Defined Payment Applicatins refer bradly t all payment applicatins that stre, prcess, r transmit cardhlder data as part f authrizatin r settlement, where these payment applicatins are sld, distributed, r licensed t third parties. 1/1/2008 Prcessrs may nt bard new merchants utilizing knwn vulnerable payment applicatins, nr may they certify t their netwrk any f these applicatins. 10/1/2008 Newly barded Level 3 r 4 merchants must use PCI DSS r PA DSS cmpliant payment applicatins. 7/1/2011 Acquirers must ensure their merchants use nly PA DSS cmpliant payment applicatins Benefits Ensures prhibited data (full magnetic stripe, security cde, and PIN) are nt stred n payment devices, and that all ther data (PAN, expiratin date, and cardhlder name) is stred securely. Establishes security requirements addressing cmmn vulnerabilities, securing remte access and lgging activity. 9

4 Defining Merchant Validatin Levels PCI cmpliance requirements are determined based n a merchant s industry-defined level: Level Merchant Criteria Validatin Requirements 1 Any business-regardless f acceptance channel-that: Prcesses ver 6 millin Visa r MasterCard transactins per year Has suffered a hack r an attack that resulted in an accunt data cmprmise Visa r MasterCard determines shuld meet the Level 1 requirements Has been identified by any ther payment card brand as Level 1 Annual Reprt n Cmpliance ( ROC ) by Qualified Security Assessr ( QSA ) r internal auditr if signed by fficer f the cmpany Quarterly netwrk scan by Apprved Scan Vendr ( ASV ) Attestatin f Cmpliance Frm 2 Any business that prcesses 1 millin t 6 millin Visa r MasterCard transactins, regardless f acceptance channel 3 Any business that prcesses 20,000 t 1 millin Visa r MasterCard e-cmmerce transactins annually Annual Self-Assessment Questinnaire ( SAQ ) Quarterly netwrk scan by ASV Attestatin f Cmpliance Frm Annual SAQ Quarterly netwrk scan by ASV Attestatin f Cmpliance Frm 4 Any business that prcesses fewer than 20,000 Visa r MasterCard e-cmmerce transactins and all ther merchants prcessing fewer than 1 millin Visa r MasterCard transactins, regardless f acceptance channel Annual SAQ recmmended Quarterly netwrk scan by ASV if applicable Cmpliance validatin requirements set by acquirer Guiding Merchants t Validatin Cmpnents f PCI Validatin Self Assessment Questinnaire (SAQ) An intuitive, easy-t-use tl, even fr nline/cmputer nvices A picture-driven qualificatin step that helps merchants easily determine their Validatin Type Expert help text and real-life examples Scanning Netwrk vulnerability scans fr merchants that have external-facing IP addresses Web applicatin scans (crss-site scripting, SQL injectins and remte file inclusin) t find hles in Web-based applicatins Easy-t-understand reprts that detail the scan results and priritize vulnerabilities by severity Hands-n assistance t prvide remediatin guidance Attestatin f Cmpliance Scpe & results f scan if applicable List f any necessary remediatin steps States validatin f cmpliance The Security Scanning Prcess Taken frm the PCI DSS - currently n v2.0 Requires Vulnerability Scanning

5 Example Cntent Frm SAQ C-VTC 13 Merchants Respnsibilities fr PCI Cmpliance the Digital Dzen The Security Scanning Prcess Overview Part f the PCI cmpliance mandate requires that certain merchants have a quarterly netwrk security scan frm an apprved scanning vendr (ASV). A nn-invasive, autmated tl is used t check fr ptential security issues. Merchants must pass this scan every 90 days if: The merchant electrnically stres cardhlder data after authrizatin The merchant s card prcessing systems have any Internet cnnectivity Typical Scanning Prcess A typical validatin vendr will cnduct these scans and prvide dcumentatin t the merchants t reprt back their prcessr as required. Merchants generally will need t prvide all active IP addresses and/r dmains used in their business. Scanning will include: The netwrk security scan will identify any vulnerabilities in these systems and devices t allw the merchant t make the necessary fixes. It will nt be necessary fr the merchant t install any sftware n their systems, nr will denial-f-service attacks be perfrmed.

6 Cmmn Scanning Vendr Typical apprach t assisting in validatin: Netwrk vulnerability scans fr merchants that have external-facing IP addresses Web applicatin scans (crss-site scripting, SQL injectins and remte file inclusin) t find hles in Web-based applicatins Easy-t-understand reprts that detail the scan results and priritize vulnerabilities by severity Detailed instructins n hw t remediate identified vulnerabilities Internet ASV Scanners Internal Netwrk Firewall/ Perimeter Security Simple Steps t Breach Preventin Eliminate these cmmn vulnerabilities: Strage f prhibited data Missing and/r utdated security patches Prly cnfigured firewalls and remte access applicatins Unnecessary and insecure services nt remved at system set-up Lack f activity lgging r mnitring Lack f security awareness slppy handling f sensitive data Risks Assciated with Nn-cmpliance Pints t Emphasize t Merchants: PCI cmpliance is nw mandatry fr all merchants, including Level 4 smaller businesses Fines fr nn-cmpliant merchants that experience a data breach can be as high as $500,000 per ccurrence Nn-cmpliant merchants that experience a security breach are subject t: A mandatry frensic audit f their POS and business (even if just suspected f a breach) Victim ntificatin, card reissuance and chargeback csts Data lss and peratins disruptin Lss f privileges Damage t reputatin and brand Pssible business clsure Difficulty switching prcessrs

7 Cnsequences f Nn-cmpliance (cnt d) Fines can be assessed fr: Nt meeting PCI Cmpliance requirements by the specified date Cardhlder data cmprmise when nt PCI cmpliant FINE FINE FINE Criticism f the Current Industry Apprach 21

8 Industry Initiatives 23 Definitins PCI DSS Payment Card Industry Data Security Standards PCI SSC Payment Card Industry Security Standards Cuncil PA DSS Payment Applicatin Data Security Standards SAQ Self-assessment Questinnaire QSA Qualified Security Assessr ISV Integrated Sftware Vendr AOC Attestatin f Cmpliance PABP Payment Applicatin Best Practices CISP Cardhlder Infrmatin Security Practices ASV Apprved Scanning Vendr PAN Payment Accunt Number