PCI DSS Compliance - what you need to know

Transcription

1 PCI DSS Compliance - what you need to know

2 What is PCI DSS? PCI DSS Payment Card Industry Data Security Standard A set of rules laid out by the PCI Security Standards Council to protect card holder data (CHD) from unauthorised access We have Ofcom and ICO compliance standards, but there is no certification process, so why do we need PCI DSS Certification? Trust but Verify is phrase that has been used in various industries and political situations It is highly apt when you think of the PCI DSS regulations There is Trust that organisations are complying with PCI DSS To Verify to a third party that organisation is complying, there are a mixture of self-assessment and independent assessment processes

3 So what difference does it make if I m not certified? Business request proof that their service providers are certified Service providers often use their clients Merchant account Increasingly a pre-requisite on tenders Acquiring Banks are already required to ensure that their clients are complaint and they can only do this through certification Acquiring banks can withdraw services if they choose New applications refused without certification

4 Why is PCI DSS necessary? Key drivers for regulation and compliance Protecting consumers from payment card fraud Protecting organisations from exposure to liability Protecting brand reputation Protecting banking institutions Compliance with the PCI DSS standards should mean IT systems are secure and customer data, including the data provided when making payments also is secure

5 How do you gain certification? External Certification Compliance statuses are labelled Levels The criteria for these levels are determined by the supplying Merchant card provider External certification by a QSA (Qualified Security Assessor) Onerous Time consuming Expensive ASV = Approved Scanning Vendor

6 Types of certification External certification by a QSA Time consuming Costly So why would anyone do it?

7 Types of certification Self-Certification PCI DSS self-assessment process enables companies to formally declare their compliance status to anyone that asks Document known as Attestation of Compliance AoC Consists of a series of declarations about a business s card processing activities, their infrastructure and processes, and how they meet the PCI DSS standards Multiple Categories of Self Assessment Some more onerous than others Quicker Can be significantly less expensive Same PCI DSS standards need to be maintained!

8 Self-certification process

9 PCI DSS self-assessment categories

10 In the event of a card data loss, what difference would it make if I had achieved certification? What happens if a breach of card data occurs? Reputational loss Liability for the breach o Cost of the PCI forensic investigation o Fine by Merchant provider o Ultimate sanction removal of card processing facility o Cost of the fraud carried out on the breached cards Certification DOES provide Customer confidence Mandatory documentation for Merchant Provider and Business clients Certification DOES NOT provide Liability Protection

11 In the event of a card data loss, what difference would it make if I had achieved certification? Certification DOES NOT provide Liability Protection Self -certification does not shift liability away from the contact centre in any way. The liability to the merchant bank cannot be moved, but it can be covered by; External certification from a QSA who contractually offer indemnity Outsourcing the card data processing to a supplier that has themselves been Externally certified, and thus can provide an enforceable contract covering the liability

12 What is the easiest route to certification? Reduce the Scope of what needs to be evaluated for Certification Self-Certification Easiest process is SAQA if eligible Outsource entire card processing procedure Service provider must have achieved Level1 certification (Externally certified) Ensure liability is covered by the service provider contract

13 Why is scope so important? Scope generally refers to the Card Data Environment (CDE) Everything and everybody that comes into contact with the card data PCI DSS controls within the card data environment are very strict so reducing the scope is highly beneficial to the process and is inherently more secure

14 Understanding Scope Mandatory the CVV data not to be recorded Compensating Controls Redaction Encryption Not acceptable

15 What is the easiest route to certification? Certification can be achieved by moving the entire card collection process outside of the business, managed by an externally certified third party, then SAQA becomes a viable option

16 Conclusion Achieving PCI DSS certification is not a straight forward process, it takes time and investment, but it is a necessity. The work involved with meeting the standards is costly. The benefits far outweigh the cost of a breach. Certification is relatively inexpensive for most. Working with PCI DSS certified service providers enables businesses to give end customers the confidence that their financial information is being protected, employees the reassurance that they are not being inadvertently exposed to customer data, and organisations the ability to demonstrate that they care about customer experience and compliance

17