PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz


The PCI-DSS in a Nutshell
- It mandates security processes for handling, processing, storing and transmitting payment card data.
- ALL merchants or merchant service providers that accept, transmit, or store any cardholder data must comply.
- This is a contractual standard: payment processor contracts and merchant rules bind you to PCI-DSS compliance.
- The PCI-DSS acts as a floor, not a ceiling; many PCI-compliant entities are breached.

Why is compliance important?
- It's the law in some states (i.e., Washington, Minnesota, Nevada and Massachusetts).
- Fines for non-compliance:
  - MasterCard: $25,000 to $200,000 depending on the number of past violations
  - Visa: $5,000 to $25,000 monthly depending on the merchant's level
  - American Express: 0.75% of each non-compliant transaction
  - Discover: $20,000 to $50,000 per violation plus up to $50,000 per month of non-compliance
- Fines for data breaches during a non-compliance period:
  - MasterCard: $100,000 for each violation of a PCI requirement
  - Visa: $500,000 per incident
- Chargebacks for fraudulent transactions
- Reputational harm
- Costs of investigating, remedying and litigating breaches

Lawsuits Abound: parties to litigation

PCI-DSS Myths
- "A PA-DSS-compliant vendor will make us compliant."
- "We outsource card processing, so PCI-DSS couldn't possibly apply."
- "Outsourcing card processing makes us compliant."
- "Becoming compliant with PCI-DSS is an IT project."
- "PCI-DSS compliance makes us secure."
- "We don't take enough cards to be subject to the PCI-DSS."

Be Aware of Other Payment Card Standards
- Payment Application Data Security Standard (PA-DSS): applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and are used by third parties.
- PCI Personal Identification Number (PIN) Security Requirements: a complete set of requirements for secure management, processing, and transmission of PIN data. Applies to online and offline transactions at ATMs and point-of-sale terminals.
- Card Brand Merchant Rules

What Rules Apply? (Point of sale)
- Payment card data can be sent directly to the processor through a dedicated telephone circuit or VPN tunnel to minimize PCI-DSS compliance scope.
- The PIN security rules also apply here, at the PIN pad.
- Merchant card rules apply to identification and authorization when a customer uses a payment card.
- When a card is swiped on a point of sale (POS) terminal, the card data may be transmitted, processed or cached by the merchant, and PCI-DSS rules apply.
- Careful! Malware attacks have exploited centralized processing systems.

What Rules Apply? (Websites)
- When a website connects to a payment processor, the PCI-DSS applies to the website, and the PA-DSS may apply to any payment applications.

What Rules Apply? (Mobile)
- Both the PCI-DSS and the PA-DSS can apply to mobile transactions.

Mobile Payments
- Find the requirements here: https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf

What Rules Apply? (Call centers)
- For call centers, the PCI-DSS call recording and clean room rules apply to workers who receive 16-digit account numbers voiced over the phone.

The Different Levels of PCI Compliance

Six PCI-DSS Areas
1. Build and Maintain a Secure Network
   - Install and maintain a firewall configuration to protect cardholder data
   - Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
   - Protect stored cardholder data
   - Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   - Protect against malware and regularly update anti-virus software or programs
   - Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
   - Restrict access to cardholder data by business need-to-know
   - Identify and authenticate access to system components
   - Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
   - Track and monitor all access to network resources and cardholder data
   - Regularly test security systems and processes
6. Maintain an Information Security Policy
   - Maintain a policy that addresses information security for all personnel

How to Approach Compliance: An Overview
- Assemble the team and require ownership of the issue
- Interview personnel and conduct scans to locate cardholder data in your environment
- Emphasize security and risk, not just security
- Conduct data store analysis: decommissioning, encryption and tokenization
- Implement thoughtful network segmentation
- Implement policy and programmatic changes to your IT standards
- Conduct training and awareness activities

Prioritized Approach Tool

Data Store Analysis: Decommissioning
- Retire systems and databases with payment card information that are not needed or not actively in use
- Make sure data is securely erased if drives will be re-purposed or end-of-life drives are disposed of

Data Store Analysis: Tokenization & Encryption
- Tokenization: don't store the PAN, if possible
- Encrypt data in motion: PCI-validated point-to-point encryption (P2PE)
- Encrypt data at rest: but encryption is not a magic bullet
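The two data-store steps above (scanning to locate cardholder data, then tokenizing so the PAN is never stored in business systems) as a constructed illustration; this is added example code, not part of the presenters' material. The regex, Luhn filter, masking rule and in-memory vault are assumptions of the example, and the sample text is constructed.

```python
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    """Luhn check-digit test; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid PANs found in text, digits only (the discovery scan)."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan):
    """PCI-DSS display masking: at most the first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Minimal tokenization: the PAN stays in the vault, only the token is stored elsewhere."""
    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        # The same PAN always maps to the same token so records can still be joined.
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the PAN
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token):
        return self._by_token[token]

# Constructed sample of the kind of text a data-discovery scan would sweep.
SAMPLE_TEXT = """2024-05-01 order 10042 card 4111 1111 1111 1111 exp 12/26
2024-05-01 ref 4111111111111112 is an order id, not a card
2024-05-02 refund to 5500-0000-0000-0004 approved"""
```

Running `find_pans(SAMPLE_TEXT)` flags the two Luhn-valid numbers and ignores the look-alike order id; each hit is a record that should either be purged or replaced by `TokenVault.tokenize()` output, with `mask_pan()` used wherever a human needs to recognise the card.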

Practice Point: Internal vs. External Vulnerability Scanning
- External: looks for holes in network firewalls where outsiders can get in (pen testing)
- Internal: operates inside the business's firewalls to identify real and potential vulnerabilities inside the network
- Both are necessary! Pen testing is not enough!

Practice Point: Policy and Programmatic Changes to IT Standards
- Review your company's policies and procedures to ensure they are compliant with the PCI-DSS
- The technical requirements are considerable
- But there are many policy and programmatic requirements
- There are also technology requirements that must be documented
- Don't underestimate the time that policy, programmatic, and documentation requirements will take!
- We can provide attendees with a complimentary informal summary of these requirements

Incident Response
Document and rehearse an IR plan before the breach:
- Central reporting point, monitored 24/7/365
- Obligation to report a very broad range of events/conditions
- Universal awareness of the reporting obligation
- Designated response team that preserves privilege
Immediately contain the breach:
- Do not access compromised systems.
- Do not turn the compromised systems off or reboot.
- Preserve all evidence and logs.
- Document all actions taken, including dates and individuals involved.
- Block suspicious IPs from inbound and outbound traffic.
- Be on high alert and monitor all systems with cardholder data.

Incident Response: PCI Notice Issues
Determine whether notice must or should be given:
- To your merchant bank card processors (review contract)
- To the payment card brands (rules vary)
- To others pursuant to law (e.g., regulators, individuals)
Key questions include:
- What data was compromised, by whom, and how?
- Was the data encrypted, and was the encryption key breached?
- What is the risk of harm?
Determine notice strategy, content and timing:
- Provide evidence of PCI-DSS, PA-DSS, or PIN Security compliance status to the merchant bank card processor within 48 hours of the notification.
- Provide all compromised payment card accounts to your merchant bank card processor within 10 business days.

Post-Breach Card Brand Investigation
Document the following:
- The facts of the breach and the method of its detection
- Remediation steps
- Chain of custody
Card brands will notify you if hiring a PCI Forensic Investigator (PFI) is necessary. The payment card processor or any of the payment card brands may require validation of subsequent PCI compliance and incident remediation by a Qualified Security Assessor (QSA).

Amy Mushahwar, amy@zwillgen.com, 202 706 5206
Mason Weisz, mason@zwillgen.com, 347 454 4505