PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, :00 pm 3:00 pm EDT

Transcription

1 PCI Compliance 101: Payment Card Industry Basics Data Security Standards Compliance Wednesday, July 20, :00 pm 3:00 pm EDT This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions and Chase Paymentech. Your Presenter: With 29 years of experience in the Information Technology (IT) industry and 14 years of Information Security management experience, David Wallace serves as Group Manager for Chase Paymentech s Security Standards Compliance team. In his role, Wallace is responsible for managing data security compliance for Chase Paymentech s merchant portfolio and advising merchants about the Payment Card Industry (PCI) security standards. David A. Wallace Group Manager, Security Standards Compliance Prior to joining Chase Paymentech, Wallace gained invaluable experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim s Pride and Perot Systems. In addition to his professional experience, Wallace has earned several industry certifications, including Certified Information Systems Security Professional in 1999, Certified Information Security Manager in 2004, and Certified Information Systems Auditor in He is also a frequent speaker at regional, national and international information security conferences including the RSA Conference and Computer Security Institute Conference. Wallace spent his undergraduate years attending Louisiana State University in Shreveport, La., where he studied business administration and management information systems. He earned a master s degree in business administration from Southern Methodist University in Dallas, Texas in

2 Polling Question How PCI compliant is your organization? 1. I don t know 2. We re know what merchant level we are 3. We have worked on the PCI assessment and network scan 4. We are fully PCI compliant 3 Agenda What is PCI? Payment Brand Requirements Getting Started Resources Questions 4 2

3 What is PCI? 5 What is PCI? A collective term used to refer to the o Payment Card Industry Security Standards Council (PCI SSC) o Data security standards developed and maintained by this entity Applies to any system that stores, processes or transmits cardholder data as part of authorization or settlement of a member brand credit, debit, or gift card transaction 6 3

4 PCI Security Standards Council The Organization Mission Formed in 2004 by five major payment brands to enhance cardholder data security 20 member advisory board with 600+ participating organizations Merchants Issuers Acquirers Independent d Service Organizations (ISOs) Third Party Service Providers Debit Payment Networks Product Manufacturers 7 Scope of PCI Security Standard Council 8 The PCI SSC manages the - o Payment Card Industry Security Standards for: Merchants Payment Application software developers Hardware manufacturers o Accreditation for: Assessors Scanning Vendors Forensic Investigators PED Evaluation Labs 4

5 PCI Security Standards The PCI Data Security Standard (PCI DSS) o Applies to any entity that stores, processes, and/or transmits cardholder data o 12 Requirement covering technical and operational system components The Payment Application Data Security Standards (PA-DSS) o Applies to developers and integrators of applications involved in authorization or settlement or a card transaction. o Governs these applications that are sold, distributed or licensed to third parties. The PIN Transaction Security (PTS) o Applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. 9 PCI Security Standards Council Accreditations Type PCI SSC Designation Activity Assessors Internal Security Assessor Merchant resource certified to validate (ISA) compliance of PCI DSS Qualified Security Assessor (QSA) Payment Application Qualified Security Assessor (PA-QSA) Approved Scanning Vendor (ASV) Independent third party certified to validate compliance of PCI DSS Independent third party certified to evaluate compliance of Payment Applications to the PA DSS Independent third party accredited to perform network vulnerability scan Scanning Vendors (ASV) network vulnerability scan Forensics Investigators PED Laboratories 10 PCI Forensics Investigator (PFI) PCI Recognized Laboratory Independent third party accredited to perform forensics investigation in the event of suspected cardholder data breach Independent third party certified to validate compliance of PIN Transaction Security Standards 5

6 PCI DSS Applicability The PAN is the defining factor in PCI DSS o Applies if PAN is stored, process or transmitted o If card holder name, expiration date and/or service code are stored, processed or transmitted with PAN all must be protected PCI DSS represents the minimum o May be enhanced by other regulations and standards 11 Who Can Assess PCI DSS? Merchant Level Validation Requirements Frequency Level 1 Level 2 Level 3 Level 4 Report on Compliance (ROC) Onsite Annually Assessment performed by QSA or ISA Network Scans by ASV Quarterly Self Assessment Questionnaire (SAQ) performed by ISA or QSA Network scans by ASV Self AssessmentQuestionnaire (SAQ) Network scans by ASV Self Assessment Questionnaire (SAQ) Network scans by ASV Annually Quarterly Annually Quarterly Annually Quarterly 12 6

7 Payment Brand Requirements 13 Payment Brand Data Security Programs Mandate compliance with PCI Standards for entities storing, processing, or transmitting cardholder data Define deadlines for adoption and penalties for noncompliance Serve as an origination point for new PCI standards May differ from brand to brand And in some cases from region to region Some more active than others 14 7

8 Visa/MasterCard Merchant PCI Levels Merchant Level Level 4 Fewer than 20,000 ecommerce or fewer than 1 million total transactions within one card brand within a 12 month period Level 3 Between 20,000 and 1 million Visa or MC ecommerce transactions in a 12 month period Level 2 Between 1 and 6 million Visa or MC transactions in a 12 month period Level 1 Over 6 million Visa or MC Transactions in a 12 month period 15 PCI DSS Validation Requirements (USA) 16 8

9 Self Assessment Questionnaire Types 17 Non-Compliance Penalties (USA) 18 9

10 Payment Application Data Security Standard (PA-DSS) 19 PA-DSS applies to payment applications sold, distributed, or licensed to third parties. A Payment Application o Runs on a commercial operating system like Windows or Linux o Stores, processes or transmits cardholder data as part of authorization or settlement. Scope of PA-DSS PA-DSS includes o POS Software (Micros, Radiant, Squirrel, etc.) o E-Commerce Shopping Carts o Middleware o Web Based Payment Applications o ATM Ensures a payment application contains PCI DSS-required features and functions MasterCard REQUIRES all merchants using inscope payment applications to use Validated Payment Applications by June 30,

11 PIN Transaction Standard (PTS) Validated devices designed to resist attack Scope of the evaluation to include: POS PED devices Encrypting PIN Pads Unattended Payment Terminals (Kiosks) Visa requires all merchants to use PTSvalidated devices by June 30, 2010 Enforcement action begins June 30, 2012 Visa requires all attended PTS devices to use Triple DES (TDES) keys by June 30, Key Dates for PCI Compliance 22 11

12 Getting Started Where to Start? Determine your Merchant PCI Level Notification from your acquirer Level 1 & 2 must use QSA or ISA Level 3 & 4 can self assess All Levels must use an ASV for a quarterly network scan (Does not apply to SAQ A, B, or C-VT) Know the card brand specific requirements For the brands you accept And the regions within which you operate Select and review the appropriate Self Assessment Questionnaire (SAQ) 12

13 Your Environment Determine what system components are governed by PCI DSS Systems, applications, and networks that store, process and/or transmit cardholder data Gather the resources Documentation Policies, records, operational procedures, network diagrams, etc Personnel IT, business operations, security, HR, etc. Examine the compliance of system components in scope Can you isolate your cardholder data processing to reduce your scope? Can you meet all the key controls? If not, can compensating controls, technologies, and or processes be used to meet spirit of the requirement? 25 The Prioritized Approach Simply Six Milestones: 1. Remove sensitive authentication data and limit data retention. If you don t need it, don t store it 2. Protect the perimeter, internal, and wireless networks. Secure the perimeter 3. Secure payment card applications. Use secure applications 4. Monitor and control access to your systems. 5. Protect stored cardholder data 6. Finalize remaining compliance efforts, and ensure all controls are in place 26 13

14 Resources 27 Additional Resources Chase Paymentech Merchant Center Cardholder Data Security PCI Security Standards Council Validated Payment Applications PTS Certified devices Self-Assessment Questionnaires Prioritized Approach MasterCard Site Data Protection Program p_program.html TrustWave Portal: Level 4 Merchant Portal Free Risk Profile - referral code: welcomechasepay

15 Questions? David A. Wallace Group Manager, Security Standards d Compliance Chase Paymentech david.wallace@chasepaymentech.com Thanks for joining us! Go beyond the basics of PCI, and register for: PCI 102 Webinar September 28, :00 pm 3:00 pm ET 15