Online Compliance Program for PCI

Transcription

1 Appendix F Online Compliance Program for PCI Service Description for PCI Compliance Monitors 1. General Introduction Online Compliance Program Introduction Portal Access Self-assessment Questionnaire Vulnerability Scanning Support Service Level Objectives Optional Services... 8 November 2010 Page 1 of 8

2 OCP: Service Description for Compliance Monitors 2010 Verizon. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. November 2010 Page 2 of 8

3 1. General Introduction The Payment Card Industry Data Security Standard (PCI DSS) was designed by the card payment brands (i.e. MasterCard, VISA, American Express, Discover, and JCB) to help protect cardholder data and reduce credit card fraud. The PCI Security Standards Council, the body that manages the PCI DSS, requires that any organization that transmits, processes, and/or stores credit card data be compliant with the requirements of the PCI DSS. The PCI DSS recognizes that security is a process, not a static implementation. It sets certain requirements regarding the security measures and controls that a merchant or payment service provider or other type of organization (called a cardholder data handler or CDH) that stores, processes and/or transmits cardholder data and information must have in place to comply with the standard. The card payment brands categorize merchants according to a risk profile level, and requirements for demonstrating PCI compliance vary according to that level. PCI Merchant levels range from 1 through 4 depending on the number of credit card transactions processed by the merchant on an annual basis. Merchant and Payment Service Provider level definitions can be reviewed on the card brand web sites. To help our customers fully understand the PCI DSS and its requirements and to assist them in meeting those requirements to achieve and maintain PCI compliance, we have developed two complementary offerings: Our Online Compliance Program (OCP) provides you with a comprehensive solution to manage toward compliance with your PCI DSS, including vulnerability scanning and self-assessment. Specifically to assist an acquiring bank, issuing bank or other type of organization (called PCI Compliance Monitors ) we have designed this offering to assist you as a PCI Compliance Monitor, in monitoring and managing your related merchant and/or service provider compliance in relation to PCI. Our PCI On-site Assessment service includes an on-site assessment and verification of the security measures and controls you have in place to protect the integrity of your infrastructure and cardholder data and information. This document describes the components of these services and the processes by which they are delivered. 2. Online Compliance Program 2.1 Introduction OCP is a comprehensive solution providing analytical tools that enable you to manage toward compliance with your PCI Data Security Standard. Depending on your risk profile and level, OCP includes the service components mentioned in the table below. November 2010 Page 3 of 8

4 Service Components High Risk Low Risk PSP Portal Self-assessment Questionnaire Vulnerability Scanning PCI Statement of Compliance Support Merchant: L1 PSP: L1 Merchant: L2, L3, L4 PSP: L2 Depending on your risk profile and level as determined by Visa/MasterCard, you may be required to have an annual on-site assessment performed by an independent assessor. Such on-site assessment is not included in your subscription to OCP, but we can provide our PCI On-site Assessment service as mentioned below. 2.2 Portal Access As part of OCP, you have access to the Verizon Partner Security Program (PSP) portal. This is a tool used to gauge and monitor compliance as well as to facilitate the quarterly PCI scanning process to identify vulnerabilities present on your Internet-visible infrastructure. Via the PSP portal, you can manage the quarterly vulnerability scan process and view scan results to recognize specific vulnerabilities and determine the remediation steps to be taken. Further, you can view your overall compliance according to your level and generate a PCI Statement of Compliance for use in demonstrating compliance to appropriate third parties. 2.3 Self-assessment Questionnaire The online PCI Self-assessment Questionnaire is a self-audit tool available within the OCP Dashboard that enables you to gather information on your environment in relation to your compliance with PCI requirements. Completion of the PCI Self-assessment Questionnaire is currently not required for Level 1 Merchants and Payment Service Providers. 2.4 Vulnerability Scanning For PCI compliance, most merchants are required to regularly, and at least quarterly, scan their infrastructure s external-facing IPs. OCP s vulnerability scanning service gauges your PCI compliance by making a snapshot evaluation of your network s security posture and enabling proactive detection of vulnerabilities exploitable from the Internet. From within the PSP Portal, you will provide information regarding the relevant range of your publicly addressable IP addresses and domains. For the purpose of ASV scanning, the PCI DSS requires vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment as well as any externally facing system component that provides a path to the cardholder data environment. To validate scope, Verizon will run an initial discovery scan against the IP addresses and domains you provide prior to launching the vulnerability scan. We will contact you if the discovery scan returns other IP addresses and/or domains which may need to be included in your PCI scan scope. You are ultimately responsible for defining the appropriate scope of the external vulnerability scan. Following the discovery scan, Verizon will run vulnerability scans against the confirmed IP address range. Verizon will use commercially reasonable efforts to schedule vulnerability scans based during the scan window that you specify. You are responsible for providing scan scheduling options which will have minimum impact on your internal operations schedule. In most cases, the first step in the November 2010 Page 4 of 8

5 vulnerability scanning process is an initial scan to establish a vulnerability baseline, followed by subsequent scans to confirm that remediation actions have been successful. To assist in your quarterly scanning efforts, Verizon will support as many scans as are needed for you to demonstrate your compliance with the PCI DSS quarterly external scan requirement and produce the requisite quarterly PCI Scan Reports. When scanning is complete, detected vulnerabilities are classified by both CVSS (Common Vulnerability Scoring System) score and the level of severity according to the PCI Standard as shown in the following table. To be PCI Compliant in a given vulnerability scanning area, a scan must not contain high-level vulnerabilities, or any vulnerability that indicate features or configurations that are in violation of the PCI DSS. Vulnerabilities with a CVSS score of four or higher will be marked as non-compliant.. CVSS Score/Severity Level High Risk Medium Risk Low Risk Description To achieve a passing scan, these vulnerabilities must be corrected and the environment must be re-scanned after the corrections (with a report that shows a passing scan). Organizations should take a risk-based approach to correct these types of vulnerabilities, starting with the most critical ones (rated 10.0), then those rated 9, followed by those rated 8, 7, etc., until all vulnerabilities rated 4.0 through 10.0 are corrected. While passing scan results can be achieved with vulnerabilities rated 0.0 through 3.9, organizations are encouraged, but not required, to correct these vulnerabilities. Because vulnerability scanning is an automated network auditing service, and thus is agnostic to the specifics of your network infrastructure, it may report a False Positive Result. This is a vulnerability that is either nonexistent within your infrastructure or one that has been cured or mitigated by your use of an alternative solution or compensating controls. If you have reason to believe that a False Positive Result has occurred, you may contact our Service Desk to open a claim and request a false positive investigation. Vulnerabilities found to be false positives will be appropriately noted in the ASV Scan Report and will not negatively impact a merchant s PCI compliance status. However, the final determination of compliance resides with card payment brands (e.g. Visa/MasterCard). The results from the scan will be reported to you through the PSP portal together with, where available, remediation recommendations for each identified vulnerability. If an organization that is required to monitor your compliance status (such as your acquiring or issuing bank) also subscribes to OCP, your compliance status may also be reported to that organization through the PSP portal. However, we will not report your compliance status against requirements specific to that organization. 2.5 Support Should you need assistance, consult the Help section of the PSP portal. This section contains general guidance notes on the use of the OCP service. If online Help does not resolve your query, send a support service request to the Service Desk by or phone. The Service Desk operates on a 24x7x365 basis. To help resolve your support service request, the Service Desk will need the following information: contact details of the requester, including name, phone number, address and company name; a clear and concise description of the support service requested; November 2010 Page 5 of 8

6 specific error codes and/or messages, if any, and the impact on the ability to use the OCP service. For managing support service requests, we assign both impact severity and priority levels to each request in accordance with the following tables. The impact severity level is assigned according to how the issue effects your ability to use the OCP service, and the priority level is assigned according to urgency. Impact Severity Critical Description An issue that renders the OCP service unavailable or inoperable. Request for password or password reset to access the OCP Dashboard. High Low None An issue that significantly impacts the use of the OCP service. An issue that requires attention but does not significantly impact the use of the OCP service. An issue that does not influence the use of the OCP service Priority Critical to high Moderate Description Support service request to restore or regain access to OCP service. Support service request related to the correct functioning of the OCP service. Support request related to one or more vulnerabilities or possible threats preventing compliance. Low Support service request not covered by higher priorities. Request for information or interpretation assistance. Request for additional services such as consultancy. A four-tiered response structure Taking into account both impact severity and priority, Verizon Business manages your support issues at four response tier levels. These levels reflect ascending orders of difficulty, with Tier 1 being the lowest and Tier 4 being the highest. Each tier level is handled by Verizon Business specialists with different gradations of expertise and responsibility. Tier 1 specialists, adept in handling the most frequently encountered issues, are trained to respond with speed and effectiveness. Tiers 2 through 4 are staffed by analysts with correspondingly greater experience in analyzing and remedying complex and emerging OCP issues. Verizon Business analysts handle all support calls with the highest urgency, but since the issues dealt with on the upper tier levels are likely to be more challenging, responses and remedies are likely to take more time. Anticipated frequency of contact is explained in the following table: Response tier level Tier 1 Description acknowledgement within two hours of initial contact. Response and attempted resolution within four hours. November 2010 Page 6 of 8

7 Tier 2 acknowledgement within four hours. Progress update every 24 hours. 48 hours attempted resolution. Tier 3 Progress update every 24 hours until resolution. Five business days attempted resolution. Tier 4 Progress update every 24 hours until resolution. Five business days attempted resolution. Although an issue may escalate to higher response tier levels, you will always know who to contact throughout the resolution process. If your issue escalates to Tier 2, the person assigned to your case at that point will take charge of it and will remain your central contact until resolution. We will contact you by phone or as soon as your issue is resolved and will report important findings as they arise. You may contact Verizon Business at any time to check on our progress. Once we have addressed the escalated issue, or provided you with a work-around, your support service request will be deemed resolved and we will close the associated support ticket. If in handling of your support service request we ask you to provide us with additional information to help us resolve your request and you do not respond to such request within five days, we assume that you deem your support service request either resolved or no longer relevant and we will close the associated service ticket. Upon closure, you will receive a Service Desk closure report via that summarizes the support service request and the manner in which it has been resolved. 2.6 Service Level Objectives In delivering the service to you, we will use commercially reasonable efforts to meet the service levels indicated. The term business days means all days excluding Saturdays, Sundays and holidays. The following table summarizes the service levels for the OCP Service: OCP Service Components Service Level PSP Portal Availability 99.99% OCP Service Desk 24x7x365 Feature Release or Maintenance Window Notification One week in advance Within one (1) business day of customer s submission of a completed Customer Configuration Form within the PSP portal Scan Schedule Confirmation NOTE: Emergency or immediate scan requests should be submitted to Customer Support by phone and will be addressed as soon as reasonably possible. November 2010 Page 7 of 8

8 Scan Report Publication on PSP portal False Positive Claim Investigation A CSV file of scan results will be posted for Scan Customer review with one (1) business day of scan completion A draft PCI report will be posted for Scan Customer review with two (2) business days of scan completion. Investigation completed within five business days or less of claim submission NOTE: Service level includes time for Verizon analyst updating of PCI report based on claim findings. The service levels indicated exclude periods of scheduled or emergency maintenance and further exclude periods of unavailability due to force majeure or other events beyond our reasonable control. Considering the evolutive and complex nature of technology, some support service requests may require more time to be addressed and resolved than indicated. These Service Level Objectives provide targets only. Failure to meet any target will not result in a breach, penalty, credit or other compensation. 2.7 Optional Services In connection with your subscription to OCP, you may request us to further assist you with additional services. You may, for example, require additional assistance in remediation towards compliance with the PCI Standard. Please contact your Verizon Account Manager or Security Sales Consultant to obtain a quote for Professional Services. Such services shall be provided under a separate order. November 2010 Page 8 of 8