Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Transcription

1 Payment Card Industry (PCI) Data Security Standard (DSS) Compliance SIFMA June 13, 2012 EisnerAmper Consulting Services Group

2 Overview of EisnerAmper Fifth fhlargest accounting firm in the Metro New York area Offices in New York City, Long Island, Westchester, New Jersey and Pennsylvania Nearly 1,200 employees including 170 Partners Services include: Financial Statement Audits Tax Compliance & Planning Accounting Consulting Internal Audit & Risk Management Pension Audits Private Wealth Advisory 2

3 What is the PCI DSS? Security standard designed by the payment card industry to enhance cardholder data security Consumer trust Transfer of financial risk to merchants Comprehensive security baseline of 12 general and 280+ detailed requirements All entities that store, process, or transmit payment py card data are required to comply with PCI DSS 3

4 What is the PCI DSS? PCI Security Standards Council (SSC) is responsible for administering, revising, managing, and promoting adoption of PCI DSS Not a law Worldwide standard Independent d of other security frameworks 4

5 Scope of a PCI DSS Assessment Cardholder data environment comprised of people, processes and technology that store, process, or transmit payment card data Compliance efforts increase with: Number of system components Number of applications Flat network design Number of manual processing locations Third parties that process, store, or transmit payment card data on behalf of an organization must be PCI compliant 5

6 The PCI Data Security Standard Goals Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Miti Maintain an If Information 12. Maintain i a policy that taddresses information security for employees and Security Policy contractors 6

7 Key Requirements of PCI DSS Et Extensive policy Secure coding practices documentation and code review for Strong data encryption custom written for stored data applications i Wireless Security Internal/external vulnerability scans Application logging Internal/external Collection and penetration testing management of system generated logs Need to know Security Awareness 7

8 Key Requirements of PCI DSS Compliance requirements depend don transaction ti volume 6MM+ [Level 1] Report on Compliance (ROC) Qualified Security Assessor (QSA) Internal Security Assessor (ISA) Assessor on site 1MM 6MM [Level 2] Self Assessment Questionnaire (SAQ) Internal Security Assessor Qualified Security Assessor All merchants Quarterly external vulnerability scans by Approved Scanning Vendor (ASV) Attestation of Compliance (AOC) < 1MM [Level 3, 4] Self Assessment Questionnaire Visa currently permits; MasterCard will on 6/30/12 MasterCard will require ISA, QSA optional 6/30/12 8

9 Self Assessment Questionnaires (SAQs) Five SAQs for different types of merchants Yes/No Checklists Includes automated and manual procedures Number of detailed compliance requirements vary SAQ A B C VT C Description Number of Requirements Card not present (e commerce or mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face to face 13 merchants. Imprint only merchants or stand alone terminal merchants with no electronic cardholder data storage Merchants using only web based b virtual lterminals, no electronic cardholder data storage Merchants with POS systems connected to the Internet, no electronic cardholder data storage D All other merchants (not included above), and all service providers defined by a payment brand as eligible to complete an SAQ 286 9

10 Important Considerations PCI DSS a standard, not guidance PCI assessments are strictly pass /fail Reduce scope to relieve compliance burden Outsource Minimize/centralizei i Segment network Tk Tokenize Compensating controls often necessary Hosted environments compliance 10

11 Compliance with PCI DSS Each payment brand responsible for enforcement: Organization s merchant bank Brand specific compliance rules Penalties for non compliance: Increased transaction processing costs Revocation of payment card processing Reputational risk 11

12 Privacy Regulations and Statutes European Data Privacy Directive i (1995) Gramm Leach Bliley Act (1999) SEC s Regulation S P (2000) California state law regarding data breaches (2003) Massachusetts regulations regarding information security ( ) US Red Flag Rules (2010) Payment Card Industry Standards (2006) HIPAA (1996)/HITECH (2010) Acts Fiduciary Duty Common Law FTC Enforcement 12

13 Personally Identifiable Information (PII) 13

14 PCI DSS and US State Privacy Laws Personally identifiable ifi information i (PII) Payment card data is a subset of PII One worldwide standard vs. 47 state laws Breach notification Not a PCI requirement Financial liability likely to exceed card brands penalties, fines 14

15 PCI DSS and US State Privacy Laws Pi Privacy policy Not a PCI DSS requirement Written Information Security Program (WISP) Information security manager Implementation Requirements overlap PCI DSS PCI DSS more detailed, prescriptive 15

16 Privacy Impact and Risk Assessment Privacy program will vary depending on size, complexity, type of business, and risk posture. Personal information collected by your organization: classification of data assets Purpose for collection and retention How secured and shared with third parties 16

17 Business Challenges Project sponsorship lacks a natural champion Crosses functional units (IT, Finance, Legal, Operations) Crosses geographies Compliance validation an event, security an ongoing g process Bank Scrutiny Payment brands were initially focused on Level 1. They have now increased their scope to Levels 2 and 3 17

18 Questions? 18

19 Thank You. John Fodera, Partner David Stein, Manager EisnerAmper LLP is an independent member firm of PKF International Limited