PCI: Are You At Risk?
Agenda
- Are You At Risk? (video)
- What is the PCI SSC?
- What are the requirements of the PCI DSS?
- What steps can you take?
- Available services
- Total PCI
- Q & A
Disclaimer
- CRS is providing this information as a service to its customers.
- The information provided is not intended to be an assessment of a customer's current compliance status.
- CRS is not a QSA and therefore will never tell a customer that they are PCI compliant.
- It is the merchant's responsibility to comply with PCI DSS.
- The content of this seminar is sincerely intended to give our customers an overview of the PCI DSS. Please don't shoot the messenger.
Terms, Acronyms, and Definitions
- PCI SSC - Payment Card Industry Security Standards Council
- PCI DSS - Payment Card Industry Data Security Standard
- PCI PA-DSS - Payment Card Industry Payment Application Data Security Standard
- PCI PTS - Payment Card Industry PIN Transaction Security
- QSA - Qualified Security Assessor
- ASV - Approved Scanning Vendor
- QIRA - Qualified Incident Response Assessor
- ROC - Report on Compliance
Validated vs Listed
PCI DSS requires the use of compliant payment applications. Developers pay to have their applications validated as compliant, and then pay the PCI SSC again to have the validated application listed on its website. A payment application can therefore be compliant but not validated, or validated but not listed. The listing is version-specific: a different version of the same product is not covered by it. To protect yourself, if the exact version of the payment application you run is not on the validated applications list, ask its developer for the ROC (Report on Compliance) produced by a PA-QSA for that version.
Ten Common Myths of PCI DSS
1. One vendor and product will make us compliant
2. Outsourcing card processing makes us compliant
3. PCI compliance is an IT project
4. PCI will make us secure
5. PCI is unreasonable; it requires too much
6. PCI requires us to hire a Qualified Security Assessor
7. We don't take enough credit cards to have to be compliant
8. We completed a SAQ, so we're compliant
9. PCI makes us store cardholder data
10. PCI is too hard
FACTA vs PCI DSS
PCI DSS is not a federal or state mandate; it is a contractual obligation between the merchant and the acquiring banks that represent the card brands. FACTA is a federal law and covers many aspects of credit. Masking of the cardholder account number and expiration date is part of FACTA but is also a requirement of PCI DSS.
Compliance deadlines
Merchant Levels
All merchants who accept credit cards are classified into four merchant levels, as defined by Visa (the other brands are similar):
- Level 1: any merchant processing over 6 million Visa transactions per year
- Level 2: any merchant processing 1 million to 6 million Visa transactions per year
- Level 3: any merchant processing 20,000 to 1 million Visa e-commerce transactions per year
- Level 4: any merchant processing fewer than 20,000 e-commerce transactions, and all other merchants processing fewer than 1 million transactions per year
The level determines how compliance is validated (self-assessment versus an on-site QSA assessment), not whether PCI DSS applies; see myth 7.
Cardholder Data Storage Requirement
There are six categories of requirements:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
There are twelve main requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
But there are over 185 sub-requirements behind these twelve.
Things you can do about the 12 requirements
1 - Install and maintain a firewall configuration to protect cardholder data
- CRS typically provides a router/firewall configured to block common intrusion methods.
- CRS cannot monitor what you do on the internet, and your own internet use can undermine the firewall's protection.
- Services are available that monitor activity through the firewall and block malicious intrusions.
Things you can do about the 12 requirements
2 - Do not use vendor-supplied defaults for system passwords and other security parameters
- CRS has for some time delivered systems with vendor-supplied default passwords removed or changed to unique passwords.
- This requirement is not the same as requirement 8, which requires a unique ID for each user of the system.
- "Defaults" covers more than login passwords: SNMP community strings, wireless keys, and services enabled out of the box all count.
- CRS can review system passwords for products supplied by CRS; this is included with a software maintenance plan.
- Since multiple vendors may supply system components, consult each vendor.
Things you can do about the 12 requirements
3 - Protect stored cardholder data
- Make sure your system is configured to mask the primary account number and expiration date wherever they are displayed or printed; PCI DSS 3.3 allows at most the first six and last four digits of the PAN to be shown.
- Sensitive authentication data (full magnetic stripe, CVV2/CVC2, PIN block) must never be stored after authorization, even encrypted.
- PIN-based debit must now use PCI PTS validated devices.
- If you use stand-alone payment terminals, merchant copies of paper receipts must be stored securely.
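Masking a PAN for display and checking whether full PANs have leaked into stored text (receipt copies, application logs, database exports) are the two checks a merchant can actually run against requirement 3. The following is an added example, not code from the CRS deck or from any payment application; the log lines and card numbers in it are constructed (the PANs are the usual Visa and Mastercard test numbers). The 13-19 digit length range and the Luhn checksum are properties of real PANs; the first-six/last-four limit comes from PCI DSS 3.3.

```python
"""Mask PANs the way PCI DSS 3.3 permits, and scan text for PANs written out
in full. Added example; the sample text below is constructed for it."""
import re

# A PAN is 13-19 digits; allow spaces or dashes between digit groups as
# printed on receipts. Lookarounds stop a 16-digit run inside a longer
# number from matching.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum. Every real PAN does,
    which filters out order numbers and timestamps that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the PAN with the middle digits replaced by '*'.
    PCI DSS 3.3 allows at most the first six and last four digits to be shown;
    receipts usually show only the last four (keep_first=0)."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_unmasked_pans(text: str):
    """Return (line_number, masked_pan) for every full, Luhn-valid PAN in text.
    Already-masked values such as 411111******1111 contain no 13-digit run and
    are not reported; Luhn-invalid numbers of the right length are skipped."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed sample: one properly masked entry, one debug line that logged the
# raw request, an order number of PAN-like length, and a receipt copy.
SAMPLE_TEXT = """\
2009-03-01 10:14:02 AUTH ok card=411111******1111 amt=42.10
2009-03-01 10:15:44 DEBUG raw request: pan=4111111111111111 exp=0311
2009-03-01 10:16:09 ORDER 1001234567890 shipped
Receipt copy: 5555 5555 5555 4444 exp 11/10 amount 19.99
"""

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_TEXT):
        print(f"line {lineno}: full PAN stored ({masked})")
```

Run against a real receipt archive or log directory, the scanner reports lines 2 and 4 of the sample and stays quiet on the masked entry and the order number. Any hit means the data is in scope for requirement 3 and the writing component (here a debug log and a receipt template) needs to be fixed, not just the file deleted.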
Things you can do about the 12 requirements
4 - Encrypt transmission of cardholder data across open, public networks
- Validated payment applications encrypt the cardholder data they transmit, but the requirement covers every path card data takes out of your environment; never send full card numbers by e-mail or instant messaging.
- Wireless networks that are part of the payment environment must not use WEP encryption (prohibited for new wireless implementations after March 31, 2009, and for all implementations after June 30, 2010).
- Public wireless networks must not be part of the payment environment.
Things you can do about the 12 requirements
5 - Use and regularly update anti-virus software
- Know how to verify that the anti-virus software is active and up to date. CRS can show you how if the anti-virus was provided by CRS.
- Renew your subscription before it expires.
- All workstations with operating systems that are vulnerable to viruses need to be protected.
- An anti-virus subscription may be included in some managed network security solutions.
Things you can do about the 12 requirements
6 - Develop and maintain secure systems and applications
- CRS recommends that Microsoft Windows operating systems have the automatic update feature enabled where available.
- CRS also strongly encourages customers to keep their software and hardware current.
Things you can do about the 12 requirements
7 - Restrict access to cardholder data by business need-to-know
- Only users who need access to credit card transaction data should be granted it, and the grant should be enforced through permissions rather than by policy alone.
Things you can do about the 12 requirements
8 - Assign a unique ID to each person with computer access
- Make sure that each user of your system has a unique ID and password.
- Do not allow users to share their ID or password.
- Do not give users administrator privileges unless they need them.
- Do not use remote support connections that lack two-factor authentication.
- Remove or disable inactive user accounts at least every 90 days.
- Change user passwords at least every 90 days.
- Use strong passwords: at least seven characters, with both letters and numbers.
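The requirement 8 items above are the kind of rules a merchant can check mechanically against the POS user list rather than by memory. The following is an added example, not part of the CRS deck or any POS product: it audits a constructed list of user accounts against the 90-day inactivity and password-age limits, shared or unassigned IDs, and unjustified administrator privilege. A real run would export the account table from the POS or back-office system; the `Account` record and the sample data are assumptions made for the example.

```python
"""Audit POS user accounts against the requirement 8 rules on the slide.
Added example; the account records below are constructed for it."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVE_DAYS = 90       # remove/disable accounts unused for more than 90 days
PASSWORD_MAX_AGE = 90    # passwords must be changed at least every 90 days


@dataclass
class Account:
    user_id: str
    used_by: List[str]            # named people who log in with this ID
    last_login: Optional[date]    # None means the account has never logged in
    password_set: date            # when the current password was set
    is_admin: bool
    admin_justified: bool = False  # documented business need for admin rights


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs; an account with no findings is absent."""
    findings = []
    for a in accounts:
        if len(a.used_by) != 1:
            findings.append((a.user_id, "shared or unassigned ID: one person per ID"))
        if a.last_login is None or (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.user_id, "inactive for more than 90 days: disable or remove"))
        if (today - a.password_set).days > PASSWORD_MAX_AGE:
            findings.append((a.user_id, "password older than 90 days"))
        if a.is_admin and not a.admin_justified:
            findings.append((a.user_id, "administrator privilege without documented need"))
    return findings


# Constructed sample: a clean cashier login, a generic ID shared by three
# cashiers, a departed manager, a justified back-office admin, and a vendor
# support account nobody owns.
TODAY = date(2009, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", ["J. Smith"], date(2009, 5, 30), date(2009, 4, 15), False),
    Account("cashier", ["A. Lee", "B. Cruz", "C. Diaz"], date(2009, 5, 31), date(2008, 11, 2), False),
    Account("mgr_old", ["D. Old"], date(2009, 1, 10), date(2009, 1, 10), True),
    Account("backoffice", ["E. Fox"], date(2009, 5, 29), date(2009, 3, 20), True, admin_justified=True),
    Account("vendor_support", [], None, date(2008, 6, 1), True),
]

if __name__ == "__main__":
    for user_id, finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user_id}: {finding}")
```

The shared-ID check is the one most often missed: a generic "cashier" login with one password defeats requirement 10 as well, because the audit trail can no longer say which person rang the transaction. The `admin_justified` flag is deliberately a human decision recorded in the data; the script only flags admin accounts that lack it.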
Things you can do about the 12 requirements
9 - Restrict physical access to cardholder data
- If possible, locate the payment application server in a locked room with limited access.
- If the payment application server must be located in the open, keep it in a locked cabinet.
- If a locked cabinet is not appropriate, secure the PC to a counter and use video surveillance to document physical access.
- Routers should also be located in secure areas.
Things you can do about the 12 requirements
10 - Track and monitor all access to network resources and cardholder data
- CRS does not monitor or review log entries.
- Other than hard drive backup strategies, CRS does not provide log archiving. PCI DSS 10.7 expects at least a year of audit trail history, with the most recent three months immediately available.
- Managed network services are available that do these things.
Things you can do about the 12 requirements
11 - Regularly test security systems and processes
- CRS does not provide network vulnerability scans because it is not an ASV.
- Services are available that do these scans. PCI DSS 11.2 calls for quarterly external scans by an ASV, plus internal scans and rescans after any significant change to the network.
Things you can do about the 12 requirements
12 - Maintain a policy that addresses information security
- Most acquiring banks and card processors have resources available to help the merchant develop these policies.
The highlighted requirements are the only ones the POS or payment application vendor addresses; the rest are the merchant's responsibility.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Self Assessment Questionnaire Validation Types
What's The Price Of Not Complying?
- VISA: since 2005, more than 80% of the data breaches investigated have involved small businesses.
- Contractual penalties and/or sanctions, including fines of up to $500,000 per incident and revocation of a company's right to accept or process credit card transactions.
- Computer Security Institute: the average reported loss for an individual company in 2006 was $167,713, not including liability in civil suits (lawyers, court fees, etc.).
- Gartner Group estimates that data breaches cost $140 per customer.
Some Typical Events In A Breach Investigation
- Merchant is contacted by the card brand, its acquirer, or the Secret Service
- Forensic investigation by a Qualified Incident Response Assessor (QIRA)
- Recommended remediation
- Meeting with the acquiring bank or brand leading the investigation
- Penalty assessment
Likely Activities In A Forensic Investigation
- The Secret Service or FBI begins a criminal investigation and will likely confiscate equipment to examine the hard drives
- The QIRA examines the locations and interviews staff
- Security is measured against the PCI DSS standard
- Security logs and system images are examined
- The cost of the investigation is likely to exceed $20,000
Penalty Assessment
- The card brand notifies the merchant of its decision regarding penalties
- Potential fine of $500K (it can be lower)
- May be responsible for card replacement fees of $50-75 per card
- Potential mandate to provide card monitoring for the victims ($5-15 per month for every card)
- Prohibited from processing credit cards, also referred to as the "death penalty"
- If allowed to continue accepting credit cards, immediate change to Level 1 status
- Must have annual compliance audits by a QSA
The Problem Never Goes Away
- Damage to reputation
- Stories on the internet are always there
- Affected customers never forget
- If stolen cards are used, even months or years after a breach, the merchant will still be liable for the charges
Website Links to Additional Information
- PCI DSS v1.2: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- All of the Self Assessment Questionnaires: https://www.pcisecuritystandards.org/saq/index.shtml
- List of validated payment applications: https://www.pcisecuritystandards.org/security_standards/vpa/
- Prioritized Approach for DSS 1.2: https://www.pcisecuritystandards.org/education/prioritized.shtml