PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Transcription

1 cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015

2 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing credit card security. Merchants and processors who accepted multiple brands of cards needed to have a separate compliance program for each. Visa's Cardholder Information Security Program MasterCard's Site Data Protection American Express' Data Security Operating Policy Discover's Information Security and Compliance JCB's Data Security Program

3 Overview PCI DSS Now The major card brands have joined together to create a single compliance standard for all organizations that store, transmit, or process card data. This Data Security Standard (DSS) is administered and maintained by the Payment Card Industry (PCI) Security Standards Council.

4 Lifecycle Changes to PCI DSS 4

5 PCI DSS Timeline Version 1.0 December 15, 2004 Version 1.1 September 6, 2006 Version 1.2 October 1, 2008 Version 2.0 October 2010 Version 3.0 November 2013 Version 3.1 April

6 The Basics Your Credit Card

7 The Basics What is Card Data

8 The Basics How Card Processing Works Cardholder Customer purchasing goods either as a Card Present or Card Not Present transaction Receives the payment card and bills from the issuer Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa) Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) Merchant Organization accepting the payment card for payment during a purchase Acquirer Bank or entity the merchant uses to process their payment card transactions Receive authorization request from merchant and forward to Issuer for approval Provide authorization, clearing, and settlement services to merchants Acquirer is also called: Merchant Bank ISO (sometimes) independent sales organization Payment Brand Amex, Discover, JCB Never Visa or MasterCard

9 The Basics Authorization 9

10 The Basics Clearing 10

11 The Basics Settlement 11

12 PCI Merchant Levels Merchant Level Merchant Definition Compliance Level 1 Level 2 Level 3 Level 4 More than 6 million V/MC transactions annually across all channels, including e-commerce 1,000,000 5,999,999 V/MC transactions annually 20,000 1,000,000 V/MC e-commerce transactions annually Less than 20,000 e-commerce V/MC transactions annually, and all merchants across channel up to 1,000,000 VISA transactions annually Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing

13 Complying with PCI Compliance and Certification Every organization that stores, processes, or transmits credit card data needs to comply with all DSS standards. Depending on the type and size of the organization you must annually certify compliance utilizing either a self assessment questionnaire (SAQ) or independent third party review and Report on Compliance (ROC).

14 PCI DSS Self Assessment Questionnaire (SAQ) The PCI DSS SAQ consists of two components: 1. Questions corresponding to the PCI DSS requirements Appropriate to service providers and merchants 2. Attestation of Compliance Organization certification of eligibility to perform and have performed the appropriate Self Assessment. The correct Attestation will be packaged with the SAQ selected. 14

15 Types of Self Assessment Questionnaires There are eight SAQ categories: ACard not present (e commerce or mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face to face merchants. BImprint only merchants with no electronic cardholder data storage, or standalone, dial out terminal merchants with no electronic cardholder data storage C VT Merchants using only web based virtual terminals, no electronic cardholder data storage C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

16 Types of Self Assessment Questionnaires P2PE Merchants who have implemented a validated Point to Point Encryption Solution that is listed on the PCI SSC website (Not applicable to e commerce channels) A EP E commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchants systems or premises. (applicable only to e commerce channels) B IP Merchants using only standalone, PTS approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. 16

17 How to Scope a PCI DSS Assessment 17

18 How to Scope a PCI DSS Assessment 18

19 Overview PCI DSS Digital Dozen

20 Which SAQ??? 20

21 PCI DSS Build & Maintain a Secure Network 1 Default password lists: us.org/ default password

22 PCI DSS Protect Cardholder Data 2 Minimize storage Implement data retention and disposal policies Do NOT store sensitive authentication data Mask displayed PAN Render PAN unreadable where stored Protect cryptographic keys ADDITION: NEVER send unprotected PAN by end user messaging ( , chat, IM, etc )

23 PCI DSS Maintain Vulnerability Mgmt Program 3 Use anti virus Secure software development and change control Secure build checklists: CIS offers vendor neutral hardening resources Microsoft Security Checklists us/library/dd aspx PA DSS certified applications will have an Implementation Guide

24 PCI DSS Implement Strong Access Controls 4 Principle of minimum access and least privilege Unique IDs ( NO shared IDs) Long/strong passwords, password controls, strong authentication Password protected screen saver time outs (15 min) Limit and monitor physical access Secure storage and tracking of media

25 PCI DSS Regularly Monitor and Test Networks 5 Process, system, and application logging Secure the audit logs Review and retain audit logs Regular testing: Quarterly*: Wireless testing & Vulnerability scanning Annual*: Penetration testing IDS/IPS and File integrity monitoring

26 6 PCI DSS Maintain Information Security Policy

27 What can you do today towards PCI Compliance? Implement strong Information Security Policies and Procedures Enforce Segregation of Duties Controls Prevent Security loopholes; enable firewalls; configure IDS/IPS devices properly; minimize and isolate cardholder data storage Ensure safe web browsing and usage policies Completion of a Self Assessment Questionnaire as gap assessment Test systems and processes to validate they behave as expected Scrutinize your vendor management policies, procedures, and current state Proper Remote Access for staff & Vendors User Awareness Training is CRITICAL Strong Software Change & Patch Management Controls Re evaluate Payment Processes

28 Understand Where Your Data Lives Develop data flow diagrams Payment/data flow Where static data resides Who is mining data and for what purposes Understand how the back up system works

29 Cost of Non Compliance The cost of non compliance Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner If you suffer a breach, you automatically become Level 1 with all of it s more stringent compliance requirements More than $200/ compromised record

30 Cost of a Data Breach

31 DSS 3.0 to DSS 3.1 Highlighted Changes Clarification the standard was updated to clarify that PCI DSS applies to ANY entity that stores, processes or transmits account data. Clarification the standard changed reference from financial institutions to acquirers, issuers. Clarification Changed reference from protecting cardholder data to protecting account data. Clarification Specified that password must be changed at least once every 90 days and that inactive accounts must be removed/disabled within 90 days. Clarification Storage of sensitive authentication data is not permitted after authorization. 31

32 DSS 3.0 to DSS 3.1 The BIG change In section the updated standard Removed SSL as an example of a secure technology. Added note that SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, Impact: All transmissions of cardholder data such as web server traffic or secure file transfers will no longer be able to use SSL. In addition, any internal solutions such as secure communications from Point of Sale (POS) systems to payment switches will also no longer be allowed to use SSL. Remote login, console access, and web based interfaces over SSL will no longer be permitted. 32

33 Open Discussion and Questions

34 PCI DSS Definitions Lots of Acronyms: ASV: Approved Scanning Vendor Vendor certified by PCI Standards Council to have vulnerability scanning tool/engine that meets DSS requirements CDE: Cardholder Data Environment Possesses cardholder data or sensitive authentication data QSA: Qualified Security Assessor Vendor certified by PCI Standards Council to perform PCI annual audit ROC: Report on Compliance Document to be submitted for annual compliance requirement SAQ: Self Assessment Questionnaire 5 Versions: A, B, C, C VT, and D

35 PCI DSS Definitions ADDITION Lots of Acronyms: PAN: Primary Account Number Cardholder Data PAN Cardholder name Expiration date Service Code Sensitive Authentication Data PA DSS Full magnetic strip or chip data, CAV2/CVC2/CVV2/CID, PINs DSS for Payment Applications

36 2013 CliftonLarsonAllen LLP Information technology and business are becoming inextricably interwoven. I don t think anybody can talk meaningfully about one without talking about the other. -Bill Gates cliftonlarsonallen.com twitter.com/ CLA_CPAs facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 36

37 Thank You Steve Christensen CIA,CRMA Manager, Information Security CliftonLarsonAllen, LLP (mobile)