PREPARING FOR THE NEW PCI DATA SECURITY STANDARDS

Transcription

1 PREPARING FOR THE NEW PCI DATA SECURITY STANDARDS

2 Vita Zeltser Locke Lord Louis Dienes Locke Lord Pat Hatfield Locke Lord Rebecca Perry Jordan Lawrence Associate Partner Partner Director Professional Services CIPP/US/G 2

3 PCI DISCUSSION WHAT TO EXPECT 1 Overview 2 Req Service Providers 4 Information Governance

4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS OVERVIEW Industry rules by PCI Security Standards Council; founded by major payment brands Baseline technical, operational requirements to protect cardholder data Applies to all entities involved in payment card process, including merchants and service providers Service Providers means all entities having access to cardholder data Penalties: by payment brands + under Merchant Agreements

5 VERSION 3.0 PCI DSS version 3.0 issued Nov, 2013; comply by Jan. 1, 2015 (or later for specific provisions) July 1, 2015 phase-in for service provider requirement Most changes technical clarifications; requirement relating to service providers key for lawyers Full text of PCI DSS 3.0 and Summary of Changes:

6 PCI DSS 12 REQUIREMENTS Build and Maintain a Secure Network and Systems 1. Install and maintain a Firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system Passwords and other security parameters

7 PCI DSS 12 REQUIREMENTS Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks

8 PCI DSS 12 REQUIREMENTS Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications

9 PCI DSS 12 REQUIREMENTS Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data

10 PCI DSS 12 REQUIREMENTS Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes

11 PCI DSS 12 REQUIREMENTS Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel, including a company s service providers

12 NOW LET S LOOK AT ONE REQUIREMENT IN MORE DEPTH: REQUIREMENT 12 Requirement 12: Maintain a Policy that addresses information security for all personnel.

13 WHAT ARE THE KEY OBJECTIVES IN REQUIREMENT 12? Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity. Service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements.

14 HOW DO REQUIREMENT 12 OBJECTIVES FIT INTO PCI DSS 3.0 OBJECTIVES? Education and awareness Increased flexibility Security as a shared responsibility

15 EDUCATION AND AWARENESS Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Changes to PCI DSS will help drive education and build awareness internally and with business partners and customers.

16 INCREASED FLEXIBILITY Changes in PCI DSS focus on some of the most frequently seen risks leading to cardholder data compromise such as weak passwords and authentication methods, malware, and poor selfdetection providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

17 SECURITY IS A SHARED RESPONSIBILITY Today s payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

18 REQUIREMENT Establish, publish, maintain, and disseminate a security policy. Review at least annually and (new) update after significant changes to the environment. Should be part of Written Information Security Policy ( WISP ).

19 REQUIREMENT 12 (CONT D) 12.2 Implement a risk-assessment process. Performed at least annually and upon significant changes to the environment, identifies critical assets, threats, and vulnerabilities, and results in a formal risk assessment. Should be part of WISP.

20 REQUIREMENT 12 (CONT D) 12.3 Develop usage policies for critical technologies and define proper use of these technologies. Develop policies. Should be part of WISP. A new testing procedure is required by Subsection : verify that a policy is implemented for disconnecting remote access sessions after a specific period of inactivity.

21 REQUIREMENT 12 (CONT D) 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Should be part of WISP Assign to an individual or team information security management responsibilities. Should be part of WISP Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. Should be part of WISP.

22 REQUIREMENT 12 (CONT D) 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) Should be part of WISP.

23 REQUIREMENT 12 (CONT D) 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data. To be discussed in more detail shortly.

24 REQUIREMENT 12 (CONT D) 12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer s cardholder data environment. To be discussed in more detail shortly.

25 REQUIREMENT 12 (CONT D) Implement an incident response plan. Be prepared to respond immediately to a system breach. Should be part of WISP.

26 REQUIREMENTS 12.8 & 12.9 SERVICE PROVIDERS For the company s service providers, 2 categories of action required: 1. implement procedures for selecting and overseeing service providers 2. obligate each service provider to comply with PCI DSS These requirements apply to all service providers with access to cardholder data - not limited to only payment processors.

27 REQUIREMENT 12.8 PROCEDURES TO SELECT AND OVERSEE Maintain a list of service providers Execute written agreement with each service provider, that includes acknowledgement that the service provider is responsible for the security of cardholder data

28 REQUIREMENT 12.8 PROCEDURES TO SELECT AND OVERSEE (CONTINUED) Implement process for selecting and engaging service providers Implement program to monitor service providers PCI DSS compliance, at least annually Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity

29 REQUIREMENT 12.9 DUTIES TO IMPOSE ON EACH SERVICE PROVIDER Each service provider must acknowledge in writing it is subject to PCI DSS July 1, 2015 phase-in No specific words yet

30 REQUIREMENT 12.9 DUTIES TO IMPOSE ON EACH SERVICE PROVIDER (CONTINUED) Consider all the service providers having access to cardholder data, who will need to acknowledge Anticipate all the time it will take to get all service providers to acknowledge this some may be surprised, others may refuse (as some do with PII) See Requirement that requires company to identify each of these service providers

31 SHARED HOSTING SERVICE PROVIDERS Special requirements for shared hosting service providers Appendix A Essentially requires express procedures for logical/physical segregation of each entity s data on the shared hosting environment

32

33 DEVELOP A RECORDS INVENTORY 1 Identify Records 2 Tag Records 3 Storage & Movement

34 IDENTIFY RECORDS Accident/Incident Records Advertising Records Benefit Records Budget Records Contracts & Agreements Coupon Records Credit Approvals Customer Information Customer Orders Employee Medical Files Gift Card Functions Payment Records Sales Receipts

35 TAG RECORDS BUSINESS NEEDS SENSITIVITY REQUIREMENTS Cardholder Data Corporate Sensitive Government IDs Intellectual Property PII Bio Metric Patient Health Info. DOL PCI GLB HIPAA OSHA SEC State Privacy Laws

36 MOVEMENT & STORAGE

37

38

39

40

41

42 TAKE AWAYS? MEET OBLIGATIONS REDUCE RISKS REDUCE COSTS

43 TAKE AWAYS? Compliance with Req s 12.8 and 12.9 must be auditable Where and for whom there is a requirement, there needs to be a documented procedure

44 TAKE AWAYS? (CONTINUED) Expect push back and questions from the service providers ( Why are we obligated, we don t process your payments? ) Start early

45 Vita Zeltser Locke Lord Louis Dienes Locke Lord Pat Hatfield Locke Lord Rebecca Perry Jordan Lawrence Associate Partner Partner Director Professional Services