PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH

Transcription

1 PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH

2 PCI COMPLIANCE AND WHAT IT MEANS TO YOU IN ENGLISH How do I -know if I m compliant? -what do I do to become compliant? -how do I know if the fee(s) I m being charged are protecting me?

3 TOP 10 IDENTITY THEFTS WHAT STARTED ALL THIS? -Heartland Payment Systems TJX Companies U.S. Department of Veterans Affairs Card Systems Veterans Laptop With Personal Data Stolen Bank of New York Mellon Certegy TD Ameritrade CheckFree Hannaford Bros. Chain million adults victims in 2009 (up 12%) $54 billion lost (up 12.5%)

4 A program like PCI is very hard to implement; it asks busy people to do difficult, inconvenient things for obscure reasons, all in the middle of tough economic times.

5 Say What? -CISP means Cardholder Information Security Program -PCI means Payment Card Industry -DSS means Data Security Standard -PCI-ASV means PCI Approved Scanning Vendor -PA-DDS means Payment Application Vendor (software, etc.) -PCI-SSC means PCI Security Council -PCI-PED means PIN Entry Debit -P2PE means point to point encryption -SPVA means Secure POS Vendor Alliance

6 Lifecycle for Changes to PCI DSS and PA-DSS The standard is managed by the PCI Security Standards Council (PCI SSC). Changes to the PCI standards follow a defined 36-month lifecycle with eight stages Stage 1: Standards Published -occurs in October of Year 1 after the Council s annual Community Meetings Stage 2: Standards Effective- occurs on January 1 of Year 1. Stage 3: Market Implementation -occurs throughout Year 1 Stage 4: Feedback Begins -occurs during November to March of Year 2. Stage 5: Old Standards Retired -occurs on December 31 of Year 2. Stage 6: Feedback Review -occurs during April through August of Year 2. Stage 7: Draft Revisions -occurs during November through April of Year 3. Stage 8: Final Review -occurs during May through July of Year 3.

7 PCI SECURITY STANDARDS COUNCIL ENTERS NEXT PHASE OF DATA SECURITY STANDARDS DEVELOPMENT Version 2.0 of PCI DSS and PA-DSS effective January 1, 2011 WAKEFIELD, Mass., January 05, 2011 The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS) today announced the start of phase two of the standards development lifecycle, with version 2.0 of the PCI DSS and PA-DSS formally made effective on January 1, Stakeholders may begin using version 2.0 as the basis for their payment security programs as of this date.

8 Don t let your IT person, CPA or Attorney tell you that you don t need PCI! Don t worry I got everything under control! Oh-yeah you gonna sign a P.G?

9 Card Compromise Trends Over 1,000 breach events reported in 2008, resulting in over 285 million compromised records. Stolen laptops, tapes, servers, etc. Most notable in 08 - Hannaford Grocery Chain: 4.2 million records compromised resulting in over 1,800 reported cases of fraud. Employee error and sloppy internal handling of sensitive information are substantial causes of security breaches Source: Source: Verizon Business Data Breach Report* ControlScan, Inc Proprietary and Confidential

10 Card Compromise Trends Criminals are becoming more organized and sophisticated A new brand of criminals, known as Carders Carding Forum Websites, dedicated to the resale of large volumes of sensitive data, creating a new black market Organized crime was responsible for over 90% of the 285 million records compromised in 2008* Former Carding Forum Tutorials and hacking tools Postings to buy/sell stolen data Downloadable code for phishing attacks Source: Verizon Business Data Breach Report Source: DOJ Data Breaches: What the Underground World of Carding Reveals ControlScan, Inc Proprietary and Confidential

11 Card Compromise Trends Hackers had another big year in 2009, continuing to attack business of all sizes. ControlScan, Inc Proprietary and Confidential

12 Card Compromise Trends Basic vigilance can combat many of the common vulnerabilities Storage of prohibited data Poorly coded Web applications (Gartner reports two-thirds of Web apps contain exploitable vulnerabilities) Unpatched systems Mis-configured firewalls and remote access applications Lack of security awareness sloppy handling of sensitive data ControlScan, Inc Proprietary and Confidential

13 Merchant Levels Level / Tier Merchant Criteria 1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region 2 Merchants processing 1 million to 6 million Visa transactions annually (all channels) 3 Merchants processing 20,000 to 1 million Visa e- commerce transactions annually 4 Merchants processing less than 20,000 Visa e- commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually ControlScan, Inc Proprietary and Confidential

14 Characteristics of Level 4 Merchants All Merchants are Not Created Equal Highly vulnerable: Level 4 merchants account for over 85% of compromise events Underserved: 6,000,000+ Level 4 merchants compared to 326 Level 1 merchants Most have little or no technical expertise: No IT or security staff available to manage the compliance process Lack of education Minimal security awareness training Susceptible to social engineering attacks ControlScan, Inc Proprietary and Confidential

15 The Consequences A Level 4 Data Breach typically has a significant financial and operational impact on a small merchant. In some cases, it could shut down a small business. Costs may include: Forensics audit costs: $8,000 to $20,000 Card replacement costs: generally between $3 and $10 per card Brand damage: Hard to quantify but at the end of the day, this could be the most damaging consequence to a business Compliance fines: Currently range from $5,000 to $250,000 depending on the size of the breach and the nature of the offense that led to the compromise ControlScan, Inc Proprietary and Confidential

16 The Good News For B2B Merchants is MOTO Merchants Suffer Less Then 3% of CC Security Breaches

17 If a salesperson calls or stops in your office and tells you that your cc terminal, POS, gateway, etc. is non compliant show them the door! Almost all equipment is compliant especially dialup terminals which can t be hacked for identity theft

18 Fines and Fees When are fines typically levied? Not meeting PCI Compliance by the specified date Cardholder data compromise when not PCI compliant CREDIT CARD COMPANIES ACQUIRER (MERCHANT BANK) SERVICE PROVIDER (PROCESSOR/ISO) MERCHANT ControlScan, Inc Proprietary and Confidential

19 Come on wid me-yah won t have to pay nuttin extra!

20 Common Merchant Objections Can I switch to a new processor who doesn t require compliance? All Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; therefore, all processors are required by the card brands to implement a PCI compliance program. What happens if I do not comply? Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. Many acquiring banks are issuing fines for merchants who do not comply with PCI. For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk of facing these extremely unpleasant and costly consequences. Why haven t I heard anything from the card brands regarding PCI compliance? The individual card brands are requiring that the Merchant Banks/Processors implement individual PCI compliance programs to educate merchants on compliance and ensure that they meet PCI compliance requirements. They require that all Merchant Banks/Processors have a plan in place to ensure their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations. ControlScan, Inc Proprietary and Confidential

21 Oh No! Scan my Computer? They re going to look at all my stuff?

22

23 For More Info Go To org/index.php