PCI DSS. Payment Card Industry Data Security Standard.

Transcription

1 PCI DSS Payment Card Industry Data Security Standard

2 What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the standard designed to enhance cardholder data security. Regardless of their size, organizations that process payment card information must be PCI DSS compliant. To secure business and increase customer confidence, achieving PCI DSS compliance is a clear indicator of protection when handling sensitive customer data. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. formed PCI SSC (PCI Security Standard Council) in 2006, responsible for administering, revising, managing, and promoting adoption of PCI DSS. Risk Management $80K % 1in6 98% Is the average direct cost of a data breach Average days between intrusion and detection Breached Business are out of business within one year of the attack Small businesses will suffer a credit card breach in the next 24 months Breaches originate from organized criminal groups Risk has many interpretations, and is often used to describe dangers or threats to a particular person, environment, or business. Understanding risk includes understanding of the different elements and how they fit together. For example, considerations from a business perspective may include: What are the different types of threats to the organization? What are the organization s assets that need protecting from the threats? How vulnerable is the organization to different threats? What is the likelihood that a threat will be realized? What would be the impact if a threat was realized? How can the organization reduce the likelihood of a threat being realized, or reduce the impact if it does occur? Who Has to Comply? PCI DSS applies to: + Merchants + Service Providers (TPPs, gateways) + Systems (Hardware, software) That: + Stores cardholder data + Transmits cardholder data + Processes cardholder data Non-Compliant and Suffer a Breach? Acquirers may ask merchants to cease credit cards transactions Forensic audit QSA team on-site to determine cause of breach Can take days to complete remediation actions Merchant is responsible for all costs. $80-100K average Breaches are public knowledge; brand image tarnished PCI DSS is mandatory for entities processing, transmitting or storing cardholder data. This could include acquirers, banks, service providers such as payment gateway, data centers & merchants.

3 Standards & Requirements The consolidation of individual payment card brand s security programs offers the best available framework to guide better protection of cardholder data resulting a comprehensive security baseline of 6 Control Objective 12 Core Requirements ~375 ~375 Audit Procedures Compliance requirements apply to the entire cardholder data environment comprised of people, processes and technology that store, process, or transmit payment card data. Build and maintain a Secure Network Protect Cardholder Data Maintain Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain information Security Policy Requirements Firewall Management Vendor Default Controls Data Protection Data Transmission Encryption Anti-virus Control System & Application Security Data Access Control Personal Access Control Physical Access Control Data & Network Access Controls Security testing Information Security Policy How to Comply? PCI DSS provides a baseline of technical and operational controls that work together to provide a defense-indepth approach to the protection of cardholder data. Risk assessments provide valuable information to help organizations determine whether additional controls are necessary to protect their sensitive data and other assets. In order to achieve compliance with the PCI DSS, an organization must meet all applicable PCI DSS requirements. Merchants Level & Validation PCI compliance categorized compliance level depends on the number of annually. Understanding which PCI compliance level applies to your business is the first step in assuring that your PCI compliance audits will be as simple as possible. Transac"on Volume Onsite QSA Audit Self Assessment Questionnaire (SAQ) Authorized Scanning Vendor (ASV) scan Security Awareness training Policy Review and Acceptance >6mio 1 6 Mio 20K 1 Mio All other merchant Level By a QSA/ISA Compliance Roadmap The PCI Security Standards Council recognizes the TÜV Rheinland Group as a QSAC (Qualified Security Assessors Company). To fully leverage cardholder data security through PCI DSS compliance, ask our experts. We will be glad to help your organization reach full compliance the standards and regulations for safe and secure credit card transactions. Collect Review Improve Measures Renew

4 Compliance Management PCI DSS version 3 intends to make compliance to be a continuous process, a business-as-usual approach. Maintaining compliance throughout the year is a demanding task involving oversight over hundreds of documents and approvals. In order to simplify this process, a GRC tool has been developed, which reduces time and complexity to review, process and inform compliance status. PCM is a one-stop portal to manage documentation, role assignment, workflow alerts, escalation, audit readiness on a continuous basis. Vulnerability Assessment and Penetration Test Vulnerability Assessment focuses on IT Infrastructure, Network and Application: Whitebox Penetration Test done by involving your IT Staff to monitor and evaluate the work and results of the audit. The audit is done from within the agency or evaluated institution. Blackbox Penetration Test not involved your IT Staff. The Audit is done from outside agencies or evaluated institution, the test is generally done with published web application for the enterprise, vendor and client. Test Target: Network components Servers incl. database. Applications Segmentation interface Results of Audit: Executive Summary Technical Report Solution and Remedial Methodology Reference Quarterly & Annual Schedules OSSTMM (Open Source Security Testing Methodology Manual ISSAF (Information System Security Assessments Framework) NIST SP (National Institute of Standards and Technology) OWASP Testing Guide (Open Web Application Security Project). PCI DSS (PCI Data Security Standard) Internal and External Vulnerability Assessments needs to be performed quarterly A clean ASV scan report is mandatory every quarter to comply with PCI DSS. Workflow would be set up to perform quarterly schedule the scans. Internal and External Penetration Tests need to be performed annually

5 Services Gap Analysis Identify non-compliance issues Discover vulnerabilities Explore segmentation potential Draw up a detailed compliance plan Training Holding trainings/workshops on PCI compliance, attack vectors, Policies/ SOPs/Forms, vendor management, Risk assessment, Incident Response, Business Continuity Remediation & Consulting Minimizing CHDE footprint Documentation development On-site/Off-site support Mitigating risks All requirements covered Compliance Audit PCI DSS compliance assessment, real time dashboard. Report on Compliance (RoC), Attestation of Compliance (AOC), Testmark, Certificate or validation of Self Assessment Questionnaire (SAQ). Vulnerability Assessment Internal and external vulnerability assessment and penetration testing; and ASV scan Compliance Management GRC tool with PCI DSS workflow alert, documentation, role assignments, review and dashboard. Deployed on-site with migration support. Test Mark Information Security Service Portfolio

6