PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

Transcription

1 PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

2 Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk for Non-compliance Additional Resources Conclusion/QA 2

3 What is PCI Compliance A set of requirements defined by the Payment Card Industry designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Created by the PCI Security Standards Council Enforced by the Banking Industry

4 Why is PCI Important Associations are obligated to ensure PCI compliance due to their banking relationships just as those banks are required to ensure PCI compliance direct to the card associations such as Visa or MasterCard. Ability to accept a particular card brand is in jeopardy if PCI compliance is non-existent in their payment environment. Ensures safe handling of sensitive cardholder data. Greater integrity across the entire payment card industry.

5 How does this impact me? In what ways do I accept payment? Card Present v. Card Not Present How do I currently collect payment information? Mail manual forms Website How do I store the payment information? Desk Filing cabinet Closet Computer Server How do I archive payment information (or destroy it)?

6 Becoming PCI Compliant Determine your merchant level Based on the number of transactions Level 1 - processing over 6M Visa transactions per year. Level 2 - processing 1M to 6M Visa transactions per year. Level 3 - processing 20,000 to 1M Visa e-commerce transactions per year. Level 4 - processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

7 Becoming PCI Compliant Review PCI requirements Based on your merchant level what are your requirements? Onsite Audits SAQ Self Assessment Questionnaire System Scans Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program (anti-virus) Implement Strong Access Control Measures Regularly Monitor and Test Networks

8 Becoming PCI Compliant Obtain a Qualified Security Assessor Conduct Audits (if necessary) Conduct System Scans Evaluate SAQ Survey Approximately 350 questions to establish compliance Provide Certification

9 Vendors and PCI compliance Ensure that all vendors (that process credit cards) are also PCI compliant Who is the key POC for PCI with that organization? Confirm when they had their last scan of their systems Request scanning report Obtain PCI certificate from Vendor (or proof of PCI certification) Website PCI Certificate widget

10 JSA PCI Strategy Trustwave JSA uses Trustwave as our QSA for certification and scanning of all public facing systems. Business Practices Analyze Assessment, penetration testing, incident response, vulnerability scanning, code review. Protect Unified threat management (firewall, IPS, gateway anti-virus), SSL certificates, education, log management, intrusion detection and prevention, secure , data loss prevention. Validate Report on compliance, web site seal, compliance certificate Define security practices for payment information in the office Authorized access Secured areas in the office and onsite Storage practices in the office and onsite Destruction policies for historical records

11 Risks of Non Compliance Damage to their brand/reputation Investigation costs Remediation costs Fines & fees Non-compliance (each brand issues separate fines) Card Re-issuance Fees Fraud loss Ongoing (Level 1) compliance audits Victim notification costs Financial loss Data loss Chargebacks for fraudulent transactions Operations disruption Sensitive info disclosure Litigation Denial of service to customers Individual executives held liable Possibility of business closure

12 Examples of Breaches Global Payments Processing Center Breach announced April million card numbers at risk from breach Extent was undisclosed, but confirm cardholder names, addresses and social security numbers were not affected The record holder for the largest-ever breach is believed to be a 2008 attack on Heartland Payment Systems, in which an estimated 130 million customer accounts were compromised. Heartland eventually paid more than $110 million to Visa, MasterCard, American Express and other card associations to settle claims related to the breach. Citigroup Bank Breach announced May 2011 Approx. 360,000 accounts were breached Valve Software Online Game Software (Half-Life Series) Breach announced February 2012 Extent was personal information including encrypted credit card numbers and passwords.

13 Visa (CISP) Additional Resources MasterCard (SDP) PCI Security Standards Council Self Assessment Questionnaire Trustwave Your Merchant Acquirer 13

14 Conclusion and Q/A