Protection Against Data Breaches

Get Started Now: 877.611.6342 to learn more. www.megapath.com
The Growing Impact of Data Breaches

Since 2005, there have been 4,579 data breaches (disclosed through 2013) compromising over 630 million records, which is approximately double the population of the United States. In 2014, there have been 368 information security breaches (that were announced) totaling nearly 11 million records. That's more than two data breaches per day. The Target stores breach alone affected approximately 110 million records.

Data breach losses are not only felt by credit card companies, but also by merchants and, most importantly, by valued customers. Companies that experience data breaches suffer huge financial impacts. The average financial impact to a business that has been breached is 5 million dollars. In addition, a company pays about $90 for each data record that has been compromised. Merchants that experienced data breaches also suffered hits to their reputation, and the impact of a data breach on a company's reputation may negatively affect its revenue, profits and stock price. As the result of a data breach, credit card companies may also prohibit a merchant from accepting credit cards, making it difficult to accept customer payments. There have even been cases where breached companies have faced civil and criminal charges, and individual careers may also be negatively impacted by a data breach.

Needless to say, the real victims of data breaches are customers/cardholders. The impact to the customer is the exposure of their personal information, which may result in consumer scams, phishing, web scams, social engineering attacks and identity theft.

Whitepaper: PCI Compliance: 2
PCI Compliance: A Brief History

For many years, credit card companies fought diligently against fraud and stolen assets. In 2005, the Federal Trade Commission (FTC) received more than 685,000 complaints of fraud and identity theft that totaled more than $680 million in stolen assets. Nearly all of these losses stemmed from data breaches associated with credit cards. As a result, each of the major credit card companies developed its own information security program for merchants. However, this created a significant burden on merchants, since companies that accepted Visa, MasterCard, Discover and American Express had to conform to four different information security standards, each with different requirements and reporting.

To solve this problem, the credit card companies came together and created the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements designed to ensure that all companies that process, store or transmit credit card data maintain a secure environment. The objective of PCI DSS is to protect cardholder data and facilitate the broad adoption of consistent data security measures globally.
PCI Applicability

PCI applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer ever pays a merchant directly using a credit card or debit card, then the PCI DSS requirements apply to that merchant.

PCI DSS Requirements

Whether the transaction occurs in a brick-and-mortar store or online, from physical Point of Sale devices to virtualized servers, PCI DSS mandates that organizations are responsible for the security of their customers' cardholder data.

For PCI DSS compliance requirements, there are four levels of merchants based on the number of credit card transactions a company performs annually. Based on the level of the merchant, there are different PCI requirements that must be met. Merchants that perform fewer than 6 million credit card transactions annually (Levels 2-4) are required to fill out part or all of the Self-Assessment Questionnaire, a document outlining the specific requirements that need to be met to achieve and maintain compliance.
Self-Assessment Questionnaire

The Self-Assessment Questionnaire (SAQ) is an online tool to assist merchants in self-evaluating their compliance with the PCI DSS. The SAQ includes questions on a company's information security infrastructure, policies and procedures. In addition to the Self-Assessment Questionnaire, merchants must complete an Attestation of Compliance, which is an affirmation of the merchant's compliance with the PCI DSS requirements and security assessment procedures. The Attestation of Compliance puts your name on the line and makes you responsible for compliance and for all the statements made in the questionnaire.

There are different versions of the SAQ based on the way merchants accept and process credit cards. Below is a diagram that illustrates the different ways merchants accept and process credit cards. For example, it doesn't make sense to require a merchant that only accepts physical cards with carbon copy paper to comply with requirements for online and electronic capture and processing. Within the SAQ there are 12 separate PCI Requirements sections, each made up of many sub-requirements.
PCI DSS Requirements by Objective

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS Versions

Given the increasing sophistication of hackers and other bad actors, the PCI DSS compliance standards have been updated over the years:

Version 1 - December 2004
Version 1.1 - September 2006 (clarification and minor revisions to version 1.0)
Version 1.2 - October 2008
Version 2.0 - October 2010 (active for merchants and service providers from January 1, 2011 to December 31, 2014)
Version 3.0 - November 2013 (active from January 1, 2014 to December 31, 2016)
What's New in PCI DSS 3.0

PCI DSS 3.0 helps organizations focus on security, not compliance, by making payment security a part of day-to-day operations. By raising security standards and making PCI DSS compliance the status quo, organizations can monitor the effectiveness of their security controls and maintain their PCI DSS compliant environment. Given that, the changes in PCI 3.0 can be classified into four main categories:

1. Increased Education and Awareness: The new guidance includes recommendations on best practices for implementing security and encourages greater education and training, specifically in the areas of password management and end-user security awareness training.

2. Greater Flexibility: Previous PCI DSS versions sometimes wouldn't allow for alternate solutions that would mitigate the same threat. PCI 3.0 allows merchants to understand the intent behind each requirement (with suggestions on how to mitigate the threat), but leaves it open for alternatives that make sense. While some solutions are more black and white than others (such as the need for a firewall), other requirements, such as password management, may have multiple options to achieve the same level of security and compliance.

3. Security as a Shared Responsibility: The concept of shared responsibility for security is outlined, and guidelines are provided to show where security responsibilities should fall when multiple organizations are responsible for various parts of the network and security infrastructure.

4. Monitor Controls Continuously: Conducting periodic reviews of the network and having routine audits will ensure issues and failures are addressed quickly. This will eliminate the once-a-year check-box mentality and help reinforce that security reviews should be an ongoing process.
Third-Party Service Providers

Merchants are increasingly turning to third-party service providers to assist with storing, processing and transmitting cardholder data and to manage components of their systems such as routers and firewalls. As a result, one of the focus areas of PCI DSS 3.0 is security as a shared responsibility. To address this issue, the PCI Security Standards Council recently released the Third-Party Security Assurance Information Supplement, which is designed to help merchants and their service providers better understand their respective roles in securing card data. The Third-Party Security Assurance document includes information on how to implement a robust third-party assurance program focused on clearly delegating and monitoring security responsibilities.

Areas to review when working with third-party service providers include:

- Shared responsibility may mean that a service provider is fulfilling certain PCI requirements, but only for the services or devices they're providing. The merchant or other third party may still be responsible for that same requirement on other devices, systems, or areas of the network.

- A vendor may state that they're responsible for a particular PCI requirement, but that responsibility may be contractually voided if the merchant requests changes to the service or performs some action that terminates the vendor's responsibility.

- If a service provider states they are helping a merchant meet part or all of a particular PCI requirement, the merchant needs to ensure there isn't some part of that requirement that remains the responsibility of the merchant or another provider. This is at the heart of shared responsibility.

Clear lines of responsibility must be drawn, documented and disseminated to appropriate personnel to conform to PCI 3.0 requirements.
Overall, the merchant remains responsible for their information security and needs to ensure that their employees and vendors follow policies and procedures that keep in force all service level agreements and contractual responsibilities. In other words, the merchant is responsible for third-party oversight.
Managed PCI 3.0 Solutions from MegaPath

With PCI 3.0, continuous compliance and continuous monitoring are essential to reduce the risk of a data breach. However, this presents merchants with many operational challenges, including having fully trained security personnel performing continuous monitoring of every network element that gathers, stores, transmits, or processes payment card data.

With MegaPath's Security-as-a-Service model, we continuously monitor and analyze your network, eliminating the need for you to hire network security personnel. In addition, MegaPath's Security Operations Center personnel are experts in the identification of security threats and responses to security alerts, and also provide daily log reviews and reporting (per site). MegaPath also works with customers on quarterly security audits and quarterly external vulnerability scans, with corresponding reports to document PCI compliance. MegaPath also offers Managed Broadband Access, Managed Security, Managed Remote Access and Managed WiFi to address compliance gaps. MegaPath has a long history with PCI DSS: it was the first communications service provider to achieve PCI compliance and has maintained compliance ever since.

Summary

PCI DSS 3.0 can be summarized fairly concisely. Security and compliance auditing should not be a once-a-year practice but rather a daily practice with processes, policies and procedures that follow best practices and use appropriate tools to ensure information security integrity. If you keep your systems and network secure, that will naturally result in appropriate compliance. Treating PCI compliance like a once-a-year event is not in keeping with the spirit of PCI DSS 3.0 and is setting your organization up for a potential information security breach. Information security should be part of the daily culture and routine of an organization.
Employees should feel that information security practices are part of the DNA of an organization, and senior management should reinforce the importance of daily security practices. If you implement PCI 3.0 as a business-as-usual process by making security methodology a required daily practice, PCI DSS 3.0 compliance will be a snap.

Data breach charts and statistics from idtheftcenter.org