PCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data?

Transcription

1 PCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data?

2 Overview Every electronic transaction creates an opportunity for unscrupulous activities to occur. When these activities are corrupted, the damage can be significant; ranging from a simple one-time illegal purchase by a clerk or waitress using a customer s credit information, to a full-blown identity theft using thousands (even millions) of people s stolen personal data. Neither situation is desirable or tolerable in the business community, especially when both can be prevented or curtailed with the implementation of industry-proven security best practices and the proper systems. That s why businesses that deal with credit transactions must remain particularly diligent, addressing each of the specific danger areas associated with processing. Without the proper security processes and technologies in place, their client data could be compromised or stolen, and the repercussions of a breach go much further than lost customer confidence. Lawsuits and financial restitution can be significant, especially if the activity is the result of the retailer not following well publicized best practices. In order to provide greater guidance to businesses that accept credit cards and ensure that their clients are properly protected, the major payment card organizations established a set of standards that have been implemented over the past few years. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. came together to create the Payment Card Industry Data Security Standard (PCI DSS). These rules provide an actionable framework for securing payment card data, including deterrence, discovery and the appropriate response to breaches and other security-related events. PCI DSS version 2.0 (implemented January 1,, 2012) applies equally to all businesses that store, process or transmit bank cardholder data. Failure to comply with these rules can result in hefty penalties, regardless of a merchant s intent or lack of awareness. The latest version extends the implementation, feedback, review and revision processes to a three-year cycle (previously two-years), and updates key security provisions including firewall protection, password and key management, and related documentation. These standards impact a number of organizations that participate in retail operations, including merchants, payment card issuing banks, processors, developers and technology vendors. Of course, solution providers who support these businesses play a major part in PCI DSS, ensuring that their clients (as well as their end user customers) understand the systems and protection required to fulfill their obligations. 2

3 VARs and managed services providers have a tremendous opportunity with retailers, as long as they can offer solid guidance, implementation and support services needed to appropriately address these standards. The Basics of PCI DSS In order to help merchants navigate and better understand the conditions and implications of these standards, the PCI Security Standards Council has taken great pains to distribute the most critical information to everyone involved. Despite their efforts, the material can be cumbersome and hard for many retailers to comprehend. That s where solution providers can really excel, filtering out the critical details and offering sound advice to help merchants meet the compliance requirements that pertain to their particular organizations. Even though the PCI Security Standards Council developed the specific standards addressed in this paper, compliance is actually mandated by the individual payment card companies. Visa, MasterCard, American Express, Discover and JCB International each have their own specific requirements and compliance levels. While many of these are minor, solution providers need to understand the nuances of each to ensure their clients are aptly protected. For example, while PCI DSS compliance is divided into four general merchant categories, each credit card company may add their own stipulations to each. Solution providers who service the retail vertical need to not only understand the differences, but to ensure their clients payment processes adhere to those variations. The general PCI DSS categories include: Compliance level 1: Those who process more than 6,000,000 transactions per year, as well as those with a previous security violation/data breach or who have been listed as category 1 by a particular credit card company. This status requires yearly on-site reviews by an internal auditor, as well as a network scan by an approved scanning vendor (ASV). Compliance Level 2: Businesses with between 150,000 to 6,000,000 transactions per year. Merchants must complete an annual Self-Assessment Questionnaire (SAQ) and submit to a network scan using an approved scanning vendor. 3

4 Compliance Level 3: Retailers that process 20,000 to 150,000 transactions per year. Also requires annual completion of a SAQ and a network scan with an approved scanning vendor. Compliance Level 4: Merchants with less than 20,000 transactions per year. Same annual requirements as Level 2 and Level 3 merchants. Although they conduct the fewest transactions, Compliance Level 4 retailers make up approximately 99% of the businesses that process credit cards in the United States and typically have the least amount of IT support. The lack of a dedicated onsite IT security professional presents a serious risk for retailers, and a significant opportunity for solution providers with PCI DSS skills. With many businesses lessening their dependence on cash only policies, and others moving to cashless transactions, the focus on PCI DSS compliance is expected to intensify. Since every company that accepts credit must obey the standards, its prevalence presents a great new specialty practice opportunity for VARs and MSPs. Of course, the first thing solution providers need to know is the three critical steps in PCI DSS compliance. 1. PCI DSS compliance: 1. Assess: identify cardholder data, inventory the company s IT assets and business processes for payment card processing, and analyze each for security weaknesses. 2. Remediate: address perceived vulnerabilities and remove unneeded cardholder data. 3. Report: compile and submit remediation authentication records (if applicable), and provide compliance reports to each bank and payment card company they do business with. PCI DSS standards mirror the practices that security-oriented solution providers already employ, following industry practices to properly protect the data and infrastructure of their business customers. While some of the terms and acronyms used 4

5 by retailers and payment processing vendors may be unique, the basic processes and technologies required to secure their information and infrastructure don t differ significantly. 2. The Solution Provider Role (and Accountability) While PCI DSS can be complicated for the novice solution provider, the payment card industry understands the important part they play in compliance. To help those who build and support secure payment applications, the PCI Security Council created a number of compliance-related resources and programs. That includes the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to select from, along with Self-Assessment Questionnaires that allow merchants to authenticate their current security procedures. Compliance goes beyond credit card processing systems. It extends to the network, data storage infrastructure and any method involved in the management or transport of customer data, with responsibility falling on the merchant and those who support it. Solution providers who fail to implement PCI DSS compliant solutions may find themselves liable (at least in part) for any damages their clients and their customers suffer. Fines levied by banks and credit card institutions on noncompliant merchants can range from $5,000 to $500,000, and lawsuits from compromised end user data can push those costs much higher. To be successful in the retail vertical, solution providers just need to follow the six control objectives for PCI DSS: 1. Build and Maintain a Secure Network Install and maintain an effective firewall configuration to protect cardholder data Avoid vendor-supplied defaults for system passwords and related protection measures 2. Protect Cardholder Data Protect all stored cardholder data Encrypt transmission of cardholder data across open, public networks 3. Maintain a Vulnerability Management Program 5

6 Employ and update anti-virus software on a continual basis Develop and maintain secure systems and solutions 4. Implement Strong Access Control Measures Restrict access to cardholder data by business necessity Assign a unique identification to each person with system and network access Restrict physical access to cardholder data (door locks, alarms and other safeguards) 5. Regularly Monitor and Test Networks Track and monitor all access to networks, applications and cardholder data Regularly test system protection and processes 6. Maintain an Information Security Policy Maintain a policy that addresses data security To address the specific requirements of PCI DSS, providers need to validate every procedure and technology solution their clients use in electronic payments, from the card swipe device to their data storage policies. That attention to detail must also include a continual review of all vendor offerings, verifying that their data protection methods are effective and identifying (and fixing) potential vulnerabilities. The same diligence is required when it comes to evaluating cloud applications and offsite storage services. By ensuring that vendor offerings are PCI DSS compliant when properly implemented, and periodically validating those systems security settings, solution providers fulfill a big part of their responsibilities. Of course, they still need to work closely with suppliers to communicate potential risks, failures or other issues that could compromise the security of their clients data. 3. Concerns and Opportunities Related to PCI DSS Every new business practice comes with some risk. Solution providers who add a retail specialty to their portfolio have to pay careful attention to the specific hazards associated with credit transactions. Since the most important aspects of PCI DSS are data protection and network security, most channel professionals have at least the basic skills needed to support this market. 6

7 Understand the Language The hardest part for most new entrants is learning the industry vernacular, especially the terms relating to electronic payment processing. No solution provider should make their first retail sales call without a full understanding of chargebacks, acquirers and merchant agreements. The acronyms used in the payment processing world are abundant and critical to the success of a PCI DSS expertise, from CVC2 (Card Validation Code) and TID (Terminal Identification Number) to SDP (Site Data Protection) and EFT (Electronic Funds Transfer). Solution providers can overcome the language barrier by engaging in PCI-related vendor or industry training, or by hiring an experienced professional who can develop an internal education program. Each employee involved in the design, sales, implementation and support of payment processing solutions should be proficient in the terminology, with an understanding of how each affects their business clients and their end user customers. Keep the Proper Focus The number one goal of any PCI DSS solution is ensuring end-to-end security, from the moment a customer pulls out their credit or debit card until the card-holder data is fully erased from the system. For a brick-and-mortar retailer that protection includes every employee who touches (or sees) the payment card and/or the information it contains. Solution providers need to stress the importance of this PCI DSS aspect with their clients, and offer best practice tips to minimize risk. For example, by adding mobile card readers at restaurants, their patrons can swipe their own cards at their table, preventing unscrupulous employees from copying the information in back rooms (or anywhere out of eyesight). Other physical security measures that should be implemented include proper system lockdown with a separate PIN for each employee. That not only makes it difficult for unauthorized individuals to gain access to the system and cardholder data, but allows business to better track their employees activities. Solution providers need to pay attention to a number of factors for full PCI DSS compliance, but by focusing on two specific areas they can meet the vast majority of requirements: 7

8 1. Protect stored cardholder data 2. Encrypt transmission of cardholder data across open, public networks. By amending a retailer s onsite payment processes and implementing the proper security technologies, solution providers can begin to meet the PCI DSS requirements, but that still leaves serious gaps outside the business. Has the network been locked down, with effective access protection? Is cardholder data stored improperly onsite, and do they use effective and secure data backup and recovery systems? That s an area where VARs and MSPs can really help their customers meet full PCI DSS compliance, implementing a full solution (from terminal to network support) that addresses each industry best practice and rule. When building a comprehensive retail practice, solution providers must carefully evaluate each part of their portfolio, adding or replacing the products or services that don t ensure their success. For example, does their cloud backup and recovery vendor meet the control requirements of PCI DSS? Can their wireless solutions provide the proper network protection? If not, it s usually easy to build a more effective system, or replace the vendor with one that understands (and can address) the challenges of retail businesses. With ongoing updates and maintenance to these solutions, providers can play a key role in their clients day-to-day and long-term business practices. That s a sure way to build a successful retail IT practice. 4. Validation Another key aspect of PCI DSS compliance is the required reporting schedules. Credit card companies validate that retailers and their providers are abiding by the regulations on an annual basis, with the volume of transactions (and risk) determining the depth of that evaluation (as covered previously in The Basics of PCI DSS ). Along with requiring participating businesses to complete a self-assessment questionnaire, MasterCard and Visa perform on-site visits and network scans performed by authorized PCI compliance scanning vendors. Solution providers can assist merchants in preparing these reports, preparing the details, schematics and even the policies to be used to meet compliance. The information contained in PCI DSS Reports includes: Summary of findings: a general statement and details of the security assessment 8

9 Business information: business description, contacts, and provider/processor details Card payment infrastructure: network schematics, transaction flow diagram, terminal and POS (point of sale) solutions employed, wireless network details Third-party relationships: companies with access to cardholder data, such as solution providers, banking institutions and payment card vendors Achieving PCI DSS Compliance with Intronis Cloud Backup and Recovery Intronis Cloud Backup and Recovery can help VARs and MSPs meet PCI DSS compliance regulations with a solution that provides cloud and local backup and data recovery, proactive data security and reliable data retention and restoration. With Intronis, service providers can offer their clients complete data protection services with support for files and folders, Microsoft Exchange Information Store, Exchange mailbox, SQL, System State and VMware images. Backups are highly automated and enable fast and easy restores and are performed from a single management console. Protection of Card Holder Data: Encryption in Storage and Transfer The Intronis solution was developed with PCI DSS compliance regulations in mind, protecting against threats to consumer privacy. Intronis offers VARs and MSPs a configurable solution to help their customers conform to these critical compliances and alleviate the security risks associated with data loss and breaches. Intronis minimizes the threat of lost or stolen data during the transfer and storage of data across open networks with multiple layers of encryption. Intronis uses 256-bit AES local file encryption and secures data in transit using 128-bit encryption with SSL (Secure Socket Layers) technology. Data that is moved to the cloud is stored and replicated in dual military-grade, SSAE 16 Type 2 certified data facilities which are located on differing coasts for redundancy and security. Data centers have 24/7 biometric controlled security and surveillance, backup generators and redundant connections to the Internet. Data Retention Intronis features the most robust data retention settings in the industry, enabling VARs and MSPs to offer a PCI DSS compliant-ready solution. Intronis configures to fit 9

10 the needs of different file types, number of revisions needed and required length of storage time so the right historical data is retained for the right period of time. Once stored, data is never accessible without a private encryption key which is never stored on the Intronis servers, mitigating the risk of unauthorized data access. Data Recovery and Testing Providng a PCI compliance solution requires the MSP to have the ability to test and restore customer data. This process must be easy and reliable to ensure compliance. With Intronis, service providers can restore data directly back to the customer s server, guaranteeing that data is recovered quickly and accurately, without the need to connect to the computer remotely or be onsite at the customer facility Performing a test restore is just as easy. Restore back to the customer s production server or the MSPs office, the process to test a restore is fast and reliable. Summary PCI DSS compliance is one of the largest challenges facing merchants, though it s just one of the many barriers to success. By creating a cost-effective consultation and solution practice powered by Intronis cloud and local backup, VARs and MSPs can capture new business and quickly become a crucial part of their new clients operations. PCI DSS expertise is just one part of a successful retail IT solution provider practice. A vast majority of these establishments are SMBs, with little or no internal IT support, creating a comprehensive support opportunity for VARs and MSPs. With the right technology and industry knowledge, a solution provider can enjoy long-term success in the retail vertical. For More Information on Intronis To help your clients meet PCI DSS compliance regulations, start a free trial of Intronis Cloud Backup and Recovery. Visit or call For More Information on PCI DSS Specific compliance and level validation questions should be directed to the retailer s acquiring financial institution. Only that company s particular financial institution can assign them a validation level. For more information, contact: 10

11 American Express: Discover Financial Services: MasterCard Worldwide: Visa Inc.: Visa Europe: 11