2010 Finance & Business Operations Symposium (FBOS)
PCI Compliance

Cort M. Kane, COO, designdata
Judy Durham, CFO, NPES
Kymberly Bonzelaar, Sr. VP, Capital One
Richard Eggleston, Sr. Project Director, TMAR

Connecting Great Ideas and Great People

Agenda
- Introduction of Speakers
- Overview of PCI Standards
- The Bank's Perspective
- Insight from an AMS Company
- Tales of an Association CFO
Why all the fuss?
- PCI Compliance by merchants is mandatory by July, 2010.
- So what if we aren't compliant by July 2010? What are the consequences?
- How do I get my arms around these regulations and get PCI compliant?

Twelve PCI/DSS Requirements
#1 - Install & maintain a firewall configuration to protect cardholder data
- Establish firewall & router configurations that restrict access to cardholder information.
- Create a DMZ for cardholder data.
- Implement personal firewalls for laptops and mobile connections to data.
Twelve PCI/DSS Requirements
#2 - Do not use vendor-supplied defaults for system passwords and other security parameters
- Change vendor-supplied password defaults before installing a system on the network.
- Change wireless vendor-supplied defaults if wireless is used.
- Disable all unnecessary functions and services.

Twelve PCI/DSS Requirements
#3 - Protect stored cardholder data
- Keep stored cardholder data to a minimum.
- Do not store full magnetic stripe data; encrypt the data that is stored.
- The following information may be kept:
  - Cardholder name
  - Primary account number (masked)
  - Expiration date
  - Service code
Twelve PCI/DSS Requirements
#4 - Encrypt transmission of cardholder data across open, public networks
- Use SSL/TLS or IPSEC.
- For wireless networks, WEP encryption is no longer allowed after June 30, 2010.
- Never send unencrypted end-user information (PAN) by email, IM or chat.

Twelve PCI/DSS Requirements
#5 - Use & regularly update anti-virus software or programs
- Deploy anti-virus software on all systems.
- Ensure anti-virus programs are running and regularly updated.
Twelve PCI/DSS Requirements
#6 - Develop & maintain secure systems & applications
- Ensure all systems & applications have the latest vendor-supplied patches & updates.
- Develop applications that are PCI/DSS compliant and ensure all 3rd-party applications have met PCI/DSS requirements.
- Separate development & test environments from production.
- Develop all web apps using secure coding guidelines such as the Open Web Application Security Guide.

Twelve PCI/DSS Requirements
#7 - Restrict access to cardholder data by business need to know
- Provide access only to staff whose jobs require such access.
- Default to a deny-all setting for user access.
Twelve PCI/DSS Requirements
#8 - Assign a unique ID to each person with computer access
- In addition to a unique ID, employ at least one of the following authentication methods:
  - Strong password
  - Two-factor authentication (i.e., token devices, smart cards, biometrics, etc.)
- Render all passwords unreadable with encryption.
- Do not allow group or shared passwords.
- Change passwords every 90 days.
- Make idle sessions time out after 15 minutes.

Twelve PCI/DSS Requirements
#9 - Restrict physical access to cardholder data
- Use appropriate physical access controls.
- Use video or other access control methods to monitor physical access.
- Develop procedures to quickly distinguish visitors from staff.
- Store backup media securely, destroy it when no longer needed, and encrypt the data stored.
Twelve PCI/DSS Requirements
#10 - Track & monitor all access to network resources and cardholder data
- Link admin privileges to individuals.
- Implement automated audit trails and secure them so they cannot be changed or deleted.
- Review all system logs daily.
- Use file monitoring or change detection software logs.

Twelve PCI/DSS Requirements
#11 - Regularly test security systems & processes
- Test for rogue wireless access points.
- Run internal and external network scans (at minimum, by an approved ASV every 6 months).
- Perform internal & external network and application tests.
- Use intrusion detection systems.
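Requirement #10's "file monitoring or change detection" bullet is the kind of control that is easy to describe and rarely shown. The following is an added example, not code from the slides or from any vendor product: it baselines a directory tree by SHA-256 digest and reports what was added, removed or modified since the baseline. The directory layout, file names and contents in demo() are constructed for illustration.

```python
"""Minimal file change detection: baseline a directory tree, then report drift."""
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (relative path, forward slashes) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _sha256(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths, each list sorted."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then change one, add one, delete one."""
    root = tempfile.mkdtemp()
    files = {"pos/config.ini": b"keep_track_data=0\n", "pos/app.bin": b"\x00binary\x00"}
    for rel, data in files.items():  # file names and contents are constructed
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as handle:
            handle.write(data)
    base = build_baseline(root)
    with open(os.path.join(root, "pos/config.ini"), "wb") as handle:
        handle.write(b"keep_track_data=1\n")  # a setting silently flipped
    with open(os.path.join(root, "pos/dump.txt"), "wb") as handle:
        handle.write(b"unexpected new file")
    os.remove(os.path.join(root, "pos/app.bin"))
    return compare(base, build_baseline(root))
```

The baseline only proves anything if it is kept where the monitored host cannot rewrite it, which is the same point the slide makes about audit trails.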
Twelve PCI/DSS Requirements
#12 - Maintain a policy that addresses information security for employees and contractors
- Establish & maintain a formal security policy that:
  - Addresses all PCI/DSS requirements.
  - Includes an annual formal risk assessment.
  - Is reviewed annually for changes.
- Develop and publish acceptable use policies.
- Establish a control team for information security.
- Implement a formal security education and awareness program.
- Maintain continual review of 3rd-party providers.

Security Standards for the Payment Card Industry
Is your company PCI DSS compliant?
Kimberly Bonzelaar
Senior Vice President, Capital One Merchant Services
American Society of Executives Finance and Business Operations Symposium, May 2010
Data Compromise Trends
- Visa estimates that 85% of all breaches occur at small businesses*
- External hacking and malware (viruses and harmful software) are on the rise
- Point-of-Sale systems with backend databases storing card numbers continue to be a favorite target for hackers and crooks
Source: *http://www.bbb.org/data-security/intro-to-small-businesses/

How Breaches Occur
- The vast majority of breaches are a result of hacks which exploit security weaknesses in customer networks that allow access to payment devices and databases
- Data breaches are not just due to hacks:
  - Improper data handling; e.g., lost disks/laptops, paper files
  - Lack of a clear security policy; e.g., lack of well-defined access controls, password policy, change management, background checks, etc.
Top 5 Causes of Credit Card Data Breaches
1. Storage of prohibited data
2. Un-patched systems
3. Vendor default settings and passwords (i.e., unsecured wireless networks)
4. Poorly coded Web applications resulting in SQL injection attacks; e.g., a dummy account on top of your real account
5. Unnecessary services on servers; e.g., software products not being used

Data: What can and cannot be stored?

Data element            Storage Permitted   Protection Required
Cardholder data
  Account Number        Yes                 Yes
  Cardholder Name       Yes                 Yes
  Expiration Date       Yes                 Yes
Authentication Data
  Magnetic Stripe       No                  N/A
  CVV                   No                  N/A
  PIN Data              No                  N/A
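"Storage of prohibited data" tops the breach-cause list, and the table above says exactly which elements may never be written to disk. The following is an added example, not code from the slides: a Python filter that applies that table to a captured card record before persistence, and a scanner that looks for stripe, CVV or PIN values that have leaked into stored text such as a log line. The masking format (only the last four PAN digits kept) and the field names are assumptions for this example; the track-1 pattern is a simplified marker, not a full parser.

```python
"""Apply the 'what can and cannot be stored' table to card data before it is persisted."""
import re

# Elements the table lists as "Storage Permitted: Yes" (all still need protection).
PERMITTED = {"account_number", "cardholder_name", "expiration_date"}
# Sensitive authentication data the table lists as "Storage Permitted: No".
PROHIBITED = {"magnetic_stripe", "cvv", "pin"}


def mask_pan(pan: str) -> str:
    """Assumed masking format: keep only the last four digits of the PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy holding only permitted elements, with the PAN masked."""
    stored = {}
    for field, value in record.items():
        if field in PROHIBITED:
            continue  # never written to disk, whatever the caller passed
        if field in PERMITTED:
            stored[field] = mask_pan(value) if field == "account_number" else value
        # any other field is dropped rather than guessed at
    return stored


# Simplified track-1 layout marker: optional '%', format code 'B', PAN, '^' separator.
TRACK1_PATTERN = re.compile(r"%?B\d{13,19}\^")
CVV_PATTERN = re.compile(r"\b(cvv|cvc|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
PIN_PATTERN = re.compile(r"\bpin\s*[:=]\s*\d{4,6}\b", re.IGNORECASE)


def find_prohibited_data(stored_text: str) -> list:
    """Name the prohibited elements found in already-persisted text (log line, DB dump)."""
    findings = []
    if TRACK1_PATTERN.search(stored_text):
        findings.append("magnetic_stripe")
    if CVV_PATTERN.search(stored_text):
        findings.append("cvv")
    if PIN_PATTERN.search(stored_text):
        findings.append("pin")
    return findings
```

Running find_prohibited_data over application and web-server logs is a cheap way to confirm a payment application is not quietly doing what the PA-DSS slides later call out as non-compliant.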
Increasing Data Compromise Trends Indicate
- Lack of awareness of data security requirements and responsibilities
- Failure to upgrade older systems and technologies on a regular basis
- Hackers getting smarter

PCI DSS: Getting Tough on Data Security
- Standards maintained and enforced by the PCI Security Standards Council
- It is all about Cardholder Data Security
- Set of 12 standards to ensure Data Protection
- Visit www.pcisecuritystandards.org to learn more
Who Needs to Worry about PCI DSS?
- Any entity that stores, processes or transmits cardholder data:
  - Merchants
  - Service providers (issuers/acquirers/processors/third-party providers)
- Annual compliance requirements for all entities storing data

Compliance with PCI DSS
- All merchants must comply with PCI DSS requirements as mandated by the Card Associations
- The acquirer is responsible for ensuring merchants are compliant
- Heavy fines ranging from $5,000 to $50,000 and beyond for non-compliance
PCI DSS Compliance Requirements
All 12 PCI DSS requirements address the following main security issues:
- Network Environment: building and maintaining a secure network
- Data Storage Security: access controls, encryption and data transfer
- Security Policy: comprehensive policy for testing and maintaining secure payment channels

PCI DSS Plan
- Make sure your acquirer utilizes a third-party vendor that is certified as an approved PCI-compliant scanning vendor
- Complete any required risk assessments, self-assessment questionnaires and network scans where applicable
How You Can Help
- Educate your members about the importance of data security
- Guide your members to the right resources for PCI Compliance
- Use PCI Compliance measures as a tool to promote the value your association brings to your members

Questions
Kimberly Bonzelaar
Senior Vice President, Capital One Bank Merchant Services
936-524-7485
Kimberly.Bonzelaar@capitalonebank.com

This presentation is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N. A. or any of its subsidiaries or affiliates, and is without any warranty whatsoever. 2010 Capital One. Member FDIC. All rights reserved.
PCI Requirements for Payment Application Installation and Usage
Using the PA-DSS Implementation Guide to Ensure PCI-DSS Compliance
Richard Eggleston
Senior Project Director, TMA Resources
American Society of Executives Finance and Business Operations Symposium, May 2010

Introduction
Richard Eggleston
- Principal Project Manager with TMA Resources, Inc. since January 2000.
- Managed the PA-DSS compliance certification for TMA Resources' Personify software.
- Supports internal and external clients with the evolving PCI standards.
Introduction to PCI PA-DSS
- Effective July 1, 2010 all merchants must use PA-DSS compliant applications. (Visa)
- In-scope applications are most commercial applications that store, process, or transmit cardholder data as part of an authorization for payment.
- Payment applications should facilitate, and not prevent, the customers' PCI Data Security Standard compliance.

Examples of Non-Compliant Applications
- Store magnetic stripe data after authorization.
- Require disabling other features required by the PCI Data Security Standard, like anti-virus software or firewalls, in order to get the payment application to work properly.
- An application vendor's use of unsecured methods to connect to the application to provide support.
Purpose of the PA-DSS Implementation Guide
- To instruct customers and resellers/integrators on secure product implementation.
- To document the secure configuration specifics required for a compliant installation.
- To clearly delineate vendor, reseller/integrator, and customer responsibilities for meeting PCI Data Security Standard requirements.

PA-DSS Implementation Guide Topics
- Delete cardholder data stored by previous versions of the payment application.
- Delete any sensitive authentication data (pre-authorization) gathered as a result of troubleshooting the payment application.
- Purge cardholder data after the customer-defined retention period.
PA-DSS Implementation Guide Topics
- Delete cryptographic key material or cryptograms stored by previous versions of the payment application.
- Use unique usernames and secure authentication for administrative access to the payment application and also for any access to cardholder data.
- Implement automated audit trails.

PA-DSS Implementation Guide Topics
- Implement secure wireless technology.
- Secure transmissions of cardholder data over wireless networks.
- Store cardholder data only on servers that are not connected to the internet.
- Securely deliver remote payment application software updates.
PA-DSS Implementation Guide Topics
- Implement two-factor authentication for remote access to the payment application.
- Securely implement remote access software.
- Secure transmissions of cardholder data over public networks.
- Encrypt cardholder data sent over end-user messaging technologies.
- Encrypt non-console administrative access.

Questions & Resources
- PCI Council website: www.pcisecuritystandards.org
- Visa Merchants website: http://usa.visa.com/merchants/risk_management/cisp_merchants.html
- Visa Payment Applications: http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
An Association Perspective on PCI Compliance
Tales from the trenches of a CFO
Judy Durham
CFO, NPES
American Society of Executives Finance and Business Operations Symposium, May 2010

About NPES
- Three associations working under one network:
  - NPES - Trade Association ($5 mil budget)
  - GASC - Show Company ($20 mil budget)
  - GAERF - Foundation ($300K budget)
- 28 employees
- Database conversion from GoMembers to Personify (live on March 1, 2009)
- Great Plains General Ledger
- Located in Reston, VA
- SunTrust Bank (Checking Accounts and Merchant Services)
- NPES has an in-house IT Manager who has worked on PCI compliance issues
- Nortec: Outside Network Support
The PCI Compliance Journey
- Selected Security Metrics Support
- If you store credit card information electronically:
  - Merchant SAQ Validation Type: 5
  - You will need to enroll in the Quarterly Site Certification, which includes the following service:
    - 12-month service
    - PCI-approved external vulnerability scanning
    - Online PCI Self-Assessment Questionnaire (SAQ)
    - Scans performed automatically each quarter
    - Unlimited rescanning
    - Unlimited calls to customer/technical support
    - Use of Site Certified logo
    - Automatic acquirer reporting

The PCI Compliance Journey
- Ongoing efforts toward compliance:
  - Have to update the application for each issue addressed
  - Had issues with the ISP secure connection
- My thoughts:
  - This can/will be a much bigger process than you think
  - Get the assistance of an outside vendor to help you determine all areas that will need to be addressed
  - The process will take you longer than you anticipated; get started NOW!
Contact Information:
Cort M. Kane
COO, designdata
Phone: 240-876-5081
E-mail: ckane@designdata.com
Website: www.designdata.com
Connecting Great Ideas and Great People

Questions