IT Security Compliance: PCI DSS FOR MERCHANTS - THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (WHITE PAPER)
July 9th, 2012. Prepared by: Mark Akins, PCI QSA, CISSP, CISA
PCI DSS for Merchants
The Payment Card Industry Data Security Standard (PCI DSS)

1. What is PCI DSS and does it apply to my organization?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is an evolving information security standard defined by the Payment Card Industry Security Standards Council, and it applies to any organization that processes, stores, or transmits cardholder data from MasterCard, Visa, American Express, Discover, or JCB. Note that compliance with the PCI DSS is mandated by the payment card brands, not by the PCI Security Standards Council.

2. Is PCI Compliance a Law?

The short answer is no. The long answer is that while it is not currently a federal law, there are state laws already in effect (and others that may go into effect) that write components of the PCI Data Security Standard (PCI DSS) into law. In addition, legislatures and industry trade associations are pushing to enact a federal law on data security and breach notification (Young, 2009, 1).

3. As a merchant, what does my organization need to do to become PCI DSS compliant?

The answer depends on your merchant level. Your merchant level is based on transaction volume thresholds defined by each payment brand and is determined by your service provider or acquirer. It is the responsibility of your service provider or acquirer to ensure that your organization complies with the PCI Data Security Standard, and a letter is normally provided to the merchant disclosing its merchant level. The tables below define the merchant levels and the corresponding validation requirements of each payment brand.
While you should contact the payment brand directly about validation and merchant levels, as of the writing of this white paper the card brands have defined the following four merchant levels and validation requirements.

Payment Brand Merchant Levels (does not include Visa Europe):

Level 1
  American Express: over 2.5 million American Express card transactions, or any merchant that American Express otherwise deems a Level 1.
  Discover: over 6 million card transactions on the Discover Network; any merchant Discover determines to be a Level 1; merchants required by another payment brand to validate and report as a Level 1.
  JCB: over 1 million JCB International transactions, or compromised merchants.
  MasterCard: over 6 million total combined MasterCard and Maestro transactions; merchants that have experienced an account data compromise; any merchant that MasterCard deems a Level 1; any merchant meeting the Level 1 criteria of Visa.
  Visa: over 6 million Visa transactions (all channels), or global merchants identified as Level 1 by any Visa region.

Level 2
  American Express: 50,000 to 2.5 million American Express card transactions, or any merchant that American Express otherwise deems a Level 2.
  Discover: 1 million to 6 million card transactions annually on the Discover Network; merchants required by another payment brand to validate as a Level 2 merchant.
  JCB: less than 1 million JCB International transactions.
  MasterCard: greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa.
  Visa: 1 million to 6 million Visa transactions annually (all channels).

Level 3
  American Express: less than 50,000 American Express card transactions.
  Discover: 20,000 to 1 million card-not-present transactions only on the Discover Network; merchants required by another payment brand to validate and report as a Level 3 merchant.
  JCB: N/A.
  MasterCard: greater than 20,000 combined MasterCard and Maestro e-commerce transactions but less than or equal to 1 million total combined MasterCard and Maestro e-commerce transactions; any merchant meeting the Level 3 criteria of Visa.
  Visa: 20,000 to 1 million Visa e-commerce transactions.

Level 4
  American Express: N/A.
  Discover: all other Discover Network merchants.
  JCB: N/A.
  MasterCard: all other MasterCard merchants.
  Visa: less than 20,000 Visa e-commerce transactions, and all other merchants processing up to 1 million Visa transactions.

(Note. The data for each payment brand are adapted from that brand's published merchant level definitions.)
Merchant Validation Requirements:

Level 1
  American Express: annual onsite assessment by a QSA, or by an internal auditor if signed by an officer of the merchant company.
  Discover: annual onsite assessment by a QSA or the merchant's internal auditor.
  JCB: annual onsite assessment by a QSA.
  MasterCard: annual onsite assessment by a QSA. (Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue to use internal auditors.)
  Visa: annual onsite assessment by a QSA (at regional discretion, Level 1 merchants may be allowed to validate using internal audit); quarterly network scans; Attestation of Compliance form.

Level 2
  Annual Self-Assessment Questionnaire and quarterly network scan, plus an Attestation of Compliance form where the brand requires it; an onsite assessment by a QSA may be substituted at the merchant's discretion. (MasterCard: effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.) (For Canada, all SAQs must be reviewed by a QSA.)

Level 3
  Annual Self-Assessment Questionnaire and quarterly network scan (recommended under American Express; N/A for JCB). For some brands, compliance validation is at the discretion of the acquirer.

Level 4
  Annual Self-Assessment Questionnaire and quarterly network scan recommended; compliance validation is at the discretion of the acquirer (N/A for American Express and JCB).

(Note. The data for each payment brand are adapted from that brand's published validation requirements.)
From the tables above you can see that organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require sign-off by a QSA for submission.

Validation and reporting of PCI DSS compliance can be confusing. For this reason it is always best to engage a PCI Qualified Security Assessor (QSA) company. Whether your organization is subject to an on-site assessment or just needs to complete an SAQ, chances are that we have seen your challenge somewhere else in some variation. At 1st Secure IT, we have been put through a stringent training and testing protocol to ensure that we understand every facet of the PCI standard, and we want to be true partners in securing your organization's payment environment.

4. What is a PCI Self-Assessment Questionnaire?

Level 1 and (as of 30 June 2011) Level 2 merchants are required to have an independent review of their processes and systems by a Qualified Security Assessor (QSA) company (such as 1st Secure IT). Level 3 and Level 4 merchants can instead complete a Self-Assessment Questionnaire. It sounds easy, but smaller merchants that do not have an IT department or are not technical may have a difficult time filling out the PCI Self-Assessment Questionnaire (SAQ). An analogy would be giving your 18-year-old child their first IRS Form 1040EZ: they could complete the form, but it would take quite some time and, when done, it might contain mistakes that ultimately could result in a fine. The annual PCI Self-Assessment Questionnaire must be completed favorably for your organization to be considered PCI DSS compliant.

Unfortunately, if you attest to your organization's compliance with all PCI DSS requirements and this is found not to be the case, your organization can be fined. 1st Secure IT offers an annual comprehensive Self-Assessment Questionnaire walk-through service for Level 3 and 4 merchants at an affordable price. PCI DSS compliance is important, and 1st Secure IT will give you peace of mind in knowing that your organization's Self-Assessment Questionnaire is filled out truthfully and favorably.
5. There are six different Self-Assessment Questionnaire forms. Which SAQ form do I need to complete?

As a merchant, the SAQ form that you need to fill out depends on how you process credit card data. Ultimately it is your service provider or acquiring bank that determines which SAQ form is required. The following table describes the validation types and the corresponding form.

SAQ Validation Types:
  SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
  SAQ C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
  SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
  SAQ D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
  SAQ P2PE-HW: Merchants who process cardholder data only via hardware payment terminals included in a validated and PCI SSC-listed PCI Point-to-Point Encryption (P2PE) solution.

(Note. The data in the above table are adapted from the PCI SSC.)

6. What are the PCI DSS requirements?

PCI DSS comprises the following twelve requirements, grouped under six goals (Mayock, 2010, 7):

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data.
  Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update antivirus software.
  Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know.
  Requirement 8: Assign a unique ID to each person with computer access.
  Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data.
  Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security.

7. What are the risks for merchants that are non-compliant with PCI DSS?

If and when a data breach occurs, the merchant is the entity held primarily responsible for the breach. The fines are passed down from the credit card companies to the acquirer/processor, then to the ISOs, ending with the merchant, who is held accountable for the full cost of the breach. Only if a merchant is unable to assume these costs are the fees covered by the upper tiers in this structure, generally after the merchant in question has declared bankruptcy.

8. How large are the fines if I am not PCI compliant?

If you are not PCI compliant and have a credit card data breach, you are at risk for hefty fines, including but not limited to:
  the cost of a forensic audit
  the cost of the fraudulent charges made
  additional fines by the Payment Card Industry (PCI), generally $50 for every credit card breached
  punitive legal costs in the event of a lawsuit
Merchants affected by data breaches have already experienced fines in the upwards of $100,

9. I understand the need for paperwork certification. But what is the purpose of the scanning?

There are numerous ways your publicly facing systems can be breached, and scanning helps detect the specific areas of vulnerability in those systems. The PCI DSS requires that external vulnerability scanning be performed by an Approved Scanning Vendor (ASV) on a quarterly basis.
10. What do I need to do to get a scheduled scan?

1st Secure IT can schedule and set up the scanning process for your website and/or data systems. We have partnered with an Approved Scanning Vendor (ASV) and can assist you in completing every step of the scanning process.

11. What happens during a "scan"?

Once you have contracted with 1st Secure IT, we will schedule the scanning process with our Approved Scanning Vendor (ASV). The ASV will scan your systems to determine the vulnerable areas in your website and/or data systems. After each scan, you will receive a report of the technical vulnerabilities that need to be addressed, if any, and their level of urgency. If vulnerabilities are discovered during the scanning process and subsequently remediated, the scan can be repeated at no additional cost. The scanning is performed against your IP address and is non-invasive, so as not to disrupt the day-to-day functioning of your website and data systems.

About the author
Mark Akins ([email protected]) is a senior security consultant for 1st Secure IT and a United States veteran. Mark has been providing professional computer-related services since 1992. In addition to specializing in IT security and the auditing of secure access to network systems and data based on standards compliance, he holds several industry certifications, including PCI QSA, CISSP, CISA, CTT, MCSE, and MCNE.

About 1st Secure IT, LLC
1st Secure IT, LLC is a global information systems security firm that provides high-end and specialized consulting services and products. Through numerous engagements, 1st Secure IT has developed a profound understanding of the various data security standards (PCI DSS, EI3PA, SOX and HIPAA). Additionally, we have a proven ability to assess, audit, and review an organization's compliance with those standards while providing a repository of proven methods, knowledge, ideas, tools and best practices.
Visit us on the web at

References
Mayock, P. (2010). PCI compliance: A best defense against hackers. Retrieved June 8th, 2010, from
Young, F. (2009). Is PCI compliance a law? Should it be? Retrieved June 8th, 2010, from
Disclaimer
1st Secure IT, LLC makes no representations or warranties with respect to the contents or use of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Trademarks
All third-party trademarks are property of their respective owners.

Copyright 1st Secure IT, LLC. All rights reserved. Unless permitted by law, no part of this publication may be reproduced or photocopied without the express written consent of 1st Secure IT, LLC.

1st Secure IT, LLC
9900 West Sample Road, Suite 339
Coral Springs, FL

Prepared by Mark Akins, [email protected] x120
