Why Is Compliance with PCI DSS Important?

Similar documents
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Becoming PCI Compliant

PCI Compliance. Top 10 Questions & Answers

PCI Data Security Standards

PCI Compliance Overview

PCI Compliance Top 10 Questions and Answers

North Carolina Office of the State Controller Technology Meeting

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI DSS Compliance Information Pack for Merchants

Project Title slide Project: PCI. Are You At Risk?

PCI DSS. CollectorSolutions, Incorporated

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Sales Rep Frequently Asked Questions

Your Compliance Classification Level and What it Means

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry - Achieving PCI Compliance Steps Steps

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Technical breakout session

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Payment Card Industry Data Security Standard (PCI DSS) Compliance Guide for Merchants

Adyen PCI DSS 3.0 Compliance Guide

Josiah Wilkinson Internal Security Assessor. Nationwide

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Payment Card Industry Data Security Standard

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

npc npc NPC PCI Program Protecting Your Business from Card Data Breaches

How To Protect Your Business From A Hacker Attack

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Frequently Asked Questions

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Achieving PCI Compliance for Your Site in Acquia Cloud

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

PCI DSS Gap Analysis Briefing

Merchant guide to PCI DSS

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

Tokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Understanding the SAQs for PCI DSS version 3

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI: It Never Ends. Why?

PCI Compliance for Healthcare

University of Sunderland Business Assurance PCI Security Policy

So you want to take Credit Cards!

A PCI Journey with Wichita State University

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

June 19, Bobbi McCracken, Associate Vice Chancellor Financial Services. Subject: Internal Audit of PCI Compliance.

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

Payment Card Industry Data Security Standards.

PAI Secure Program Guide

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI Standards: A Banking Perspective

Appendix 1 Payment Card Industry Data Security Standards Program

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

PCI DSS v3.0 SAQ Eligibility

npc npc NPC PCI Program Protecting Your Business from Card Data Breaches

Payment Card Industry (PCI) Data Security Standard

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

PCI DSS Presentation University of Cincinnati

Office of Finance and Treasury

Payment Card Industry Data Security Standards Compliance

Achieving Compliance with the PCI Data Security Standard

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

Credit Card Handling Security Standards

SecurityMetrics Introduction to PCI Compliance

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Transcription:

Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These compromises cover the full spectrum of organizations, from the very small to very large merchants and service providers. A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including: 1. Regulatory notification requirements, 2. Loss of reputation, 3. Loss of customers, 4. Potential financial liabilities (for example, regulatory and other fees and fines), and 5. Litigation. Post-mortem compromise analysis has shown common security weaknesses that are addressed by PCI DSS, but were not in place in the organizations when the compromises occurred. PCI DSS was designed and includes detailed requirements for exactly this reason to minimize the chance of compromise and the effects if a compromise does occur. Investigations after compromises consistently show common PCI DSS violations, including but not limited to: Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data. Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3) Default system settings and passwords not changed when system was set up (Requirement 2.1) Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4) Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5) Missing and outdated security patches (Requirement 6.1) Lack of logging (Requirement 10)

Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5) Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4) There are a number of departments on campus that process credit cards. The PCI/DSS standards have placed additional responsibilities on department in connection with their acceptance of payment cards. Step 1 Questions to ask about your organization Has anyone ever conducted an assessment and if so review the documentation? Has the acquiring bank ever asked for a SAQ or you to have a complete Security assessment performed on your PCI/DSS environment? Do you currently understand how your organization stores, process, or transmit cardholder data? Have you contacted your point of sale or acquiring bank to ask what is required from your organization for PCI/DSS? If you answered no you should contact the acquiring bank and point of sale vendor asking what is required on your behalf to be PCI/DSS complaint. Steps 2 decide if you may conduct a self-assessment or need to hire a Qualified Security Assessor. Before you can select a SAQ we need to identify the Applicable Merchant and Service Provider Level 1, 2, 3 or 4. All merchants will fall into a service provider level based on their transaction volume of 12 months. Search the VISA and MasterCard to verify what merchant level your organization falls under or contact you acquiring bank. Determine your merchant level from the following urls. http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp If your organizations level are 2,3, or 4 you may continue to perform and annual PCI/DSS selfassessment (SAQ) Once again confirm with your acquiring bank what is required from you originations if you have not done already

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. This document has been developed to help organizations determine which SAQ best applies to them. The PCI DSS SAQ is a validation tool for merchants and service providers not required to submit an on- site data security assessment Report on Compliance (ROC) per the PCI DSS Requirements and Security Assessment Procedures, and as may be required by your acquirer or payment brand. Please consult your acquirer or payment brand for details regarding PCI DSS validation requirements. The PCI DSS SAQ consists of the following components: 1. Questions correlating to the PCI DSS requirements, appropriate for service providers and merchants: See Selecting the SAQ and Attestation that Best Apply to Your Organization in this document. 2. Attestation of Compliance: The Attestation is your self-certification that you are eligible to perform and have actually performed a PCI DSS self-assessment. Step 3 if you are using Point of Sale (POS) software contact the vendor ask the following questions before conducting a Self-assessment 1. If you are a merchant, ask your POS vendor about the security of your system, with the following suggested questions: a. Is my POS software validated to the Payment Application Data Security Standard (PA- DSS)? (Refer to PCI SSC s list of Validated Payment Applications.) b. Does my POS software store magnetic stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it? c. Does my POS software store primary account numbers (PANs)? If so, this storage must be protected, so how is the POS protecting this data? d. Will you document the list of files written by the application with a summary of the content of each file, to verify that the above-mentioned, prohibited data is not stored? e. Does your POS system require me to install a firewall to protect my systems from unauthorized access? f. Are complex and unique passwords required to access my systems? Can you confirm that you do not use common or default passwords for mine as well as other merchant systems you support?

g. Have default settings and passwords been changed on the systems and databases that are part of the POS system? h. Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system? i. Do you access my POS system remotely? If so, have you implemented appropriate controls to prevent others from accessing my POS system, such as using secure remote access methods and not using common or default passwords? How often do you access my POS device remotely and why? Who is authorized to access my POS remotely? j. Have all the systems and databases that are part of the POS system been patched with all applicable security updates? k. Is the logging capability turned on for the systems and databases that are part of the POS system? l. If prior versions of my POS software stored track data, has this feature been removed during current updates to the POS software? Was a secure wipe utility used to remove this data? Step 4 choosing a SAQ Use the table to gauge, which SAQ applies to your organization, and then review the detailed descriptions to ensure you meet all the requirements for that SAQ. SAQ A B C-VT C D Description Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Imprint-only merchants with no electronic cardholder data storage, or standalone, dialout terminal merchants with no electronic cardholder data storage Merchants using only web-based virtual terminals, no electronic cardholder data storage Merchants with payment application systems connected to the Internet, no electronic cardholder data storage All other merchants not included in descriptions for SAQ types A through C above, and All service providers defined by a payment brand as eligible to complete an SAQ. Scroll to page 9 to discover which SAQ best applies to your organization https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.1.pdf Once you have selected a SAQ download the SAQ form to be completed and start your assessment

https://www.pcisecuritystandards.org/security_standards/documents.php Consider the following guidance and recommendations 1. Cardholder data if you don t need it, don t store it! a. Payment brand rules allow for the storage of Personal Account Number (PAN), expiration date, cardholder name, and service code. b. Take inventory of all the reasons and places you store this data. If the data doesn t serve a valuable business purpose, consider eliminating it. c. Think about whether the storage of that data and the business process it supports are worth the following: i. The risk of having the data compromised. ii. The additional PCI DSS efforts that must be applied to protect that data. iii. The ongoing maintenance efforts to remain PCI DSS compliant over time. 2. Cardholder data if you do need it, consolidate and isolate it. You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For example, if your employees browse the Internet and receive e-mail on the same machine or network segment as cardholder data, consider segmenting (isolating) the cardholder data onto its own machine or network segment (for example, via routers or firewalls). If you can isolate the cardholder data effectively, you may be able to focus your PCI DSS efforts on just the isolated part rather than including all your machines. 3. Compensating Controls Compensating controls may be considered for most PCI DSS requirements when an organization cannot meet the technical specification of a requirement, but has sufficiently mitigated the associated risk through alternative controls. If your company does not have the exact control Specified in PCI DSS but has other controls in place that satisfy the PCI DSS definition of compensating controls (see Compensating Controls in your applicable SAQ Appendix and the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms document at www.pcisecuritystandards.org), your company should do the following: m. Respond to the SAQ question as YES and in the Special column, note the use of each compensating control used to satisfy a requirement. n. Review Compensating Controls in Appendix B of the applicable SAQ, and document

the use of compensating controls by completing the Compensating Controls Worksheet in Appendix C of the SAQ. o. Complete a Compensating Controls Worksheet for each requirement that is met with a compensating control. p. Submit all completed Compensating Controls Worksheets, along with your completed SAQ and/or Attestation, according to instructions from your acquirer or payment brand. PCI/DSS mandatory requirements https://www.pcisecuritystandards.org/ It is prohibited to store credit card numbers on any computer, server or database. This included Excel unless encrypted Keep payment card data secure and confidential Restrict access to card data to those who need to know Document containing cardholder data must be kept in a secure environment (I.E locked safe) Email is not approved way to transmitted credit card data Sanitize account numbers on paper documents Manual swipes or imprinters are not authorized for use Computer systems that process payment card, must be behind a firewall Use and update anti virus software Do not use vendor-supplies passwords Assign a unique ID to each person with computer access Computers systems that process payment cars must have the ability to monitor and track access to network resources and card holder data For your (POI) point of interaction / terminals do you perform network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity s network is not a PCI DSS requirement. However, it is strongly recommended

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information