PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Transcription

1 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com

2 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing credit card security. Merchants and processors who accepted multiple brands of cards needed to have a separate compliance program for each. Visa's Cardholder Information Security Program MasterCard's Site Data Protection American Express' Data Security Operating Policy Discover's Information Security and Compliance JCB's Data Security Program

3 Overview PCI DSS Now The major card brands have joined together to create a single compliance standard for all organizations that store, transmit, or process card data. This Data Security Standard (DSS) is administered and maintained by the Payment Card Industry (PCI) Security Standards Council.

4 Exercise Who needs to comply with PCI? 1. Do you accept CC or Debit payment in-person? Yes/No 2. Do you accept CC or Debit payment over the phone? Yes/No 3. Do you accept CC or Debit payment via a website? Yes/No 4. Do you accept CC or Debit payment through the mail? Yes/No 5. Do you store or process Cards for someone else? Yes/No

5 Who needs to comply - Continued If you answered Yes to any of the previous questions your organization is required to comply with all PCI Data Security Standards! PCI security standards apply to all entities that store, process or transmit cardholder data. Note: your liability for PCI compliance also extends to third parties involved with your process flow, so you must also confirm that they are compliant.

6 Who needs to comply - Continued Compliance vs. Certification Although every organization that answered Yes needs to comply with the standards, some organizations must also annually certify compliance utilizing a self assessment questionnaire (SAQ) or independent third party review and Report on Compliance (ROC).

7 PCI Merchant Levels Merchant Level Merchant Definition Compliance Level 1 Level 2 Level 3 Level 4 More than 6 million V/MC transactions annually across all channels, including e-commerce 1,000,000 5,999,999 V/MC transactions annually 20,000 1,000,000 V/MC e-commerce transactions annually Less than 20,000 e-commerce V/MC transactions annually, and all merchants across channel up to 1,000,000 VISA transactions annually Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing

8 PCI Service Provider Levels Service Provider Level Level 1 Service Provider Definition VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year. Compliance Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing* Level 2 Any service provider that stores, processes and/or transmits less than 300,000 transactions per year. Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing*

9 Self Assessment or Qualified Security Assessor? Qualified Security Assessor (QSA) companies are organizations that have been qualified by the Council to have their employees assess compliance to the PCI DSS standard. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity s adherence to the PCI DSS.

10 PCI DSS Self-Assessment Questionnaire (SAQ) The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. There are multiple versions of the PCI DSS SAQ to meet various business scenarios. Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant s or service provider s business situation. The SAQ validation type is not correlated with a merchant s classification or risk level. 10

11 PCI DSS Self-Assessment Questionnaire (SAQ) The PCI DSS SAQ consists of two components: 1. Questions corresponding to the PCI DSS requirements Appropriate to service providers and merchants 2. Attestation of Compliance Organization certification of eligibility to perform and have performed the appropriate Self-Assessment. The correct Attestation will be packaged with the SAQ selected. 11

12 Types of Self Assessment Questionnaires There are five SAQ categories: A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

13 PCI Self Assessment Questionnaires (SAQs) SAQ INSTRUCTIONS & GUIDELINES Which SAQ do I complete? SAQ A Outsourced all CHD SAQ B Imprint or standalone dial-out terminate only SAQ C-VT Virtual terminals only SAQ C Internet-connected payment application SAQ D All other merchants and service providers Card-not-present, all cardholder data (CHD) functions outsourced Imprint or standalone, dial-out terminals only, no electronic CHD storage Web-based virtual terminals only, no electronic CHD storage POS or payment system connected to Internet, no electronic CHD storage All other merchants and all service providers eligible to complete an SAQ Card-not-present only No CHD on any systems or premises, all outsourced Third parties are PCI DSS compliant No CHD over Internet Only paper is retained No electronic storage of CHD Imprint machine or standalone dial-out terminals only Dial-out terminals not connected to any other systems Dial-out terminals not connected to the Internet, connected via phone line to your processor or acquirer No CHD over Internet Only paper is retained No electronic storage of CHD Third party hosted virtual terminal only, accessed by an Internetconnected web browser Merchant computer not connected to any other systems within environment Isolated in a single location, not connected to other locations or systems within environment (can be achieved with network segmentation) Virtual terminal solution provided and hosted by PCI DSS validated service provider No software installed or hardware attached to merchant computer that captures or stores CHD No other electronic transmission of CHD Only paper is retained No electronic storage of CHD POS or payment system and Internet on same device and/or same local area network (LAN) Payment application system/internet device not connected to any other systems Single store location Only paper is retained No electronic storage of CHD POS vendor provides secure support NO NO NO NO NO Is this my merchant type? Is this my merchant type? Is this my merchant type? Is this my merchant type? YES YES YES YES SAQ A (13 questions) and Attestation SAQ B (29 questions) and Attestation SAQ C-VT (51 questions) and Attestation SAQ C (40 questions) and Attestation SAQ D (288 questions) and Attestation NAVIGATING PCI DSS Understanding the Intent of the Requirements

14 Overview PCI DSS Digital Dozen 2015 CliftonLarsonAllen LLP

15 PCI DSS Build & Maintain a Secure Network 1 Default password lists: default password

16 PCI DSS Protect Cardholder Data 2 Minimize storage Implement data retention and disposal policies Do NOT store sensitive authentication data Mask displayed PAN Render PAN unreadable where stored Protect cryptographic keys ADDITION: NEVER send unprotected PAN by end user messaging ( , chat, IM, etc )

17 PCI DSS Maintain Vulnerability Mgmt Program 3 Use anti-virus REALLY??? Secure software development and change control Secure build checklists: CIS offers vendor-neutral hardening resources Microsoft Security Checklists PA-DSS certified applications will have an Implementation Guide

18 PCI DSS Implement Strong Access Controls 4 Principle of minimum access and least privilege Unique IDs ( NO shared IDs) Long/strong passwords, password controls, strong authentication Password protected screen saver time outs (15 min) Limit and monitor physical access Secure storage and tracking of media

19 PCI DSS Regularly Monitor and Test Networks 5 Process, system, and application logging Secure the audit logs Review and retain audit logs Regular testing: Quarterly*: Wireless testing & Vulnerability scanning Annual*: Penetration testing IDS/IPS and File integrity monitoring

20 PCI DSS Maintain Information Security Policy 6

21 What can you do today towards PCI Compliance? - Implement strong Information Security Policies and Procedures - Enforce Segregation of Duties Controls - Prevent Security loopholes; enable firewalls; configure IDS/IPS devices properly; minimize and isolate cardholder data storage - Ensure safe web browsing and usage policies - Completion of a Self Assessment Questionnaire as gap assessment - Test systems and processes to validate they behave as expected - Scrutinize your vendor management policies, procedures, and current state Proper Remote Access for staff & Vendors User Awareness Training is CRITICAL Strong Software Change & Patch Management Controls Re-evaluate Payment Processes

22 Understand Where Your Data Lives Develop data flow diagrams Payment/data flow Where static data resides Who is mining data and for what purposes Understand how the back up system works

23 Cost of Non-Compliance The cost of non-compliance Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner If you suffer a breach, you automatically become Level 1 with all of it s more stringent compliance requirements More than $200/ compromised record

24 Cost of a Data Breach 2015 CliftonLarsonAllen LLP

25 Summary Store, Process, or Transmit Determine Level and SAQ type Prioritized Approach Leverage other compliance activities Understand where your data is

26 Open Discussion and Questions 2015 CliftonLarsonAllen LLP

27 PCI DSS - Definitions Lots of Acronyms: ASV: Approved Scanning Vendor Vendor certified by PCI Standards Council to have vulnerability scanning tool/engine that meets DSS requirements CDE: Cardholder Data Environment Possesses cardholder data or sensitive authentication data QSA: Qualified Security Assessor Vendor certified by PCI Standards Council to perform PCI annual audit ROC: Report on Compliance Document to be submitted for annual compliance requirement SAQ: Self Assessment Questionnaire 5 Versions: A, B, C, C-VT, and D

28 PCI DSS Definitions - ADDITION Lots of Acronyms: PAN: Primary Account Number Cardholder Data PAN Cardholder name Expiration date Service Code Sensitive Authentication Data PA-DSS Full magnetic strip or chip data, CAV2/CVC2/CVV2/CID, PINs DSS for Payment Applications

29 Thank You Information technology and business are becoming inextricably interwoven. I don t think anybody can talk meaningfully about one without talking about the other. -Bill Gates

30 2013 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP Steve Christensen, CIA,CRMA Manager, Information Security CliftonLarsonAllen, LLP (mobile) cliftonlarsonallen.com twitter.com/ CLA_CPAs facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 30