Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
March 29, 2012, 1:00 p.m. ET
If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
Awarding CPE for this session
- In general: respond to all polling questions.
- The rule: respond to at least 75% of the polling questions to pass with full credit.
- Group participation will not receive CPE; you have to be logged in individually to receive credit.
Grant Thornton LLP. All rights reserved.
Addressing your questions through Q&A: Step 1, Step 2
Other helpful features you can use
- Be sure to shut down all other applications to allow more Internet bandwidth.
Today's presenters
- Danny Miller, Principal, 215-376-6010, Danny.Miller@us.gt.com
- Anthony Hernandez, Principal, 215-701-8870, Anthony.Hernandez@us.gt.com
- Brian Browne, Senior Manager, 215-376-6057, Brian.Browne@us.gt.com
Agenda
- Describe PCI DSS
- Discuss noncompliance risks and costs
- Highlight strategies for achieving compliance
- Share emerging technologies related to the standard
- Questions and answers
What is PCI DSS?
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.*
* Source: official PCI Security Standards Council site
Who should comply?
- PCI data security requirements apply to all merchants and service providers that store, process or transmit any cardholder data, regardless of the quantity of credit card transactions or the volume of revenue from credit cards.
- The PCI DSS compliance validation method varies based on merchant level and the payment brand.
- Merchant levels are based primarily on the merchant's yearly transaction volume.
- Specific criteria for placement in merchant levels vary across card companies.
Sample Merchant Levels (VISA)
Level 1
  Description: Merchants processing over six million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
  Required validation actions: Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company; quarterly network scan by an Approved Scan Vendor (ASV); attestation of compliance form
Level 2
  Description: Merchants processing one to six million Visa transactions annually (all channels)
  Required validation actions: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; attestation of compliance form
Level 3
  Description: Merchants processing 20,000 to one million Visa e-commerce transactions annually
  Required validation actions: Annual SAQ; quarterly network scan by ASV; attestation of compliance form
Level 4
  Description: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to one million Visa transactions annually
  Required validation actions: Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer
Noncompliance risks and costs
Threats and trends
Source: Verizon 2012 Data Breach Investigations Report
Threats and trends
Noncompliance risk examples
Strategies for achieving PCI DSS compliance
PCI DSS myths
- PCI doesn't apply to us because we don't take enough credit cards, or it only applies to retailers and e-commerce.
- PCI makes us store cardholder data.
- We are compliant because we encrypt our cardholder data, or use vendor/product ABC, or outsource our credit card processing.
- PCI compliance is an IT project.
- PCI will make us secure.
- We completed our SAQ, so we're compliant.
Organization
- Compliance may be a challenge due to the distributed nature of credit card processing (e.g., multiple campuses/branches, multiple merchants, etc.).
- Consider establishing a cross-functional project team with a full-time project manager to drive the effort: IT / Information Security / Compliance / Finance / Treasury / Revenue Mgmt. participation
Scoping
- Based on documented cardholder data flows, identify current PCI DSS scope.
  - Includes those IT infrastructure components that store, process, or transmit cardholder data.
  - Also includes any IT infrastructure components not isolated from the cardholder data flows by network segmentation.
- Don't forget about paper copies, backups and call recordings!
- Many times the resulting initial scope includes much of the corporate IT infrastructure.
Reducing scope
- Reduce or eliminate cardholder data storage
  - Reduces compliance efforts
  - Reduces organizational risk
- Broad PCI DSS scope can lead to costly compliance efforts, so reduce the scope through network segmentation
  - Isolates systems that store, process, or transmit cardholder data from those that do not
  - Not a PCI DSS requirement, but can reduce scope, cost and risk
- Also consider scope reduction through business process changes that limit the touch points of cardholder data on the IT infrastructure
Readiness assessment
- Ensure internal independence: leverage compliance and/or internal audit
- Don't cheat on scoping
- Follow PCI DSS testing procedures
  - Follow sampling guidance in testing procedures
  - Be diligent in following the compensating control guidance
- Should include searches for cardholder data using judgmental sampling, particularly if scope reduction and data elimination strategies have been implemented
Reporting compliance
There are two methods for reporting your compliance:
- Report on Compliance (ROC): on-site assessment completed by a QSA, where the QSA will attest to the merchant's compliance.
- Self-Assessment Questionnaire (SAQ): form that is completed by the merchant and attested to by an officer of the company.
  - SAQ A: card-not-present, all cardholder data functions outsourced
  - SAQ B: imprint only, or dial-out terminal only; no electronic cardholder data storage
  - SAQ C: merchants with payment application systems connected to the Internet
  - SAQ D: all other merchants and all service providers
PCI DSS prioritized approach
What is it? Guidance from PCI SSC for organizations to prioritize their PCI DSS implementation efforts.
What are the benefits?
- Provides an approach that an organization can use to address risks in priority order.
- Enables organizations to demonstrate progress on the PCI DSS compliance process to key stakeholders (banks, acquirers, QSAs, etc.).
- Promotes objective and measurable progress indicators.
Compensating controls
Used where there is a legitimate business or technical constraint to implementing a control as explicitly specified. Compensating controls must:
- Meet the intent and rigor of the original PCI DSS requirement.
- Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against.
- Be above and beyond other PCI DSS requirements (i.e., not simply in compliance with other requirements).
- Be commensurate with the additional risk of not adhering to the original requirement.
Technology considerations
- Leverage PCI DSS compliant service providers
  - Lists are maintained by card brands
  - Ensure you contract for the PCI compliant service offering
  - Review the provider's ROC / determine requirements not covered by the service
- Leverage PA-DSS certified payment applications
  - Can help avoid SDLC-related requirements
  - Ensure the application is configured per guidance
- Consider leveraging tokenization to limit scope and risk
- Centralize logging to ease operations
- Centralize management to ensure consistency (e.g., Active Directory GPO)
- Leverage virtualization and storage area networks (SANs) carefully
How do you validate PCI DSS?
- You hire the QSA... and you can fire them too!
- You pay... but the QSA is independent.
- The QSA produces a Report on Compliance (ROC), but your acquirer ultimately determines your compliance status.
- Good QSAs will help you become compliant by providing advice and feedback.
- Consider issuing an RFP for these services.
- Validate QSA company status via the PCI SSC website (www.pcisecuritystandards.org).
Emerging technologies
Tokenization
Tokenization replaces the primary account number (PAN) with a surrogate value called a token, which is not considered sensitive. The PAN is encrypted, stored in a database, and mapped to the token, which is used as a replacement except where absolutely required (e.g., authorization and settlement).
Benefits:
- Can greatly reduce scope
- Can increase the security of cardholder data
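The cardholder data search called for under "Readiness assessment" and the PAN-to-token substitution described above, shown together as an added example that is not code from the presentation or from Grant Thornton: a Luhn-filtered PAN scan over a constructed sample document, and a minimal in-memory token vault whose design is assumed for illustration (the at-rest encryption of the PAN mapping that a real vault performs is omitted).

```python
import re
import secrets

# Constructed sample standing in for a document found during a data discovery sweep.
# The card numbers are publicly known test PANs, not real accounts.
SAMPLE_TEXT = (
    "Order 1042 paid with 4111 1111 1111 1111, exp 12/25.\n"
    "Invoice ref 1234567890123456 (not a card).\n"
    "Refund to 5500-0000-0000-0004 approved.\n"
)

# 13-19 digit runs, optionally space- or dash-separated, as PANs appear in documents.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out most non-card digit runs (invoice numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Candidate PANs (digits only) that pass Luhn, in order of appearance."""
    hits = [re.sub(r"[ -]", "", m.group()) for m in _PAN_RE.finditer(text)]
    return [h for h in hits if luhn_ok(h)]

class TokenVault:
    """Assumed minimal vault design (not a product): the PAN never leaves the vault and
    downstream systems hold only a random token. At-rest encryption of the mapping is omitted."""
    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a Luhn-valid PAN")
        # Random token, not derived from the PAN; last four digits kept for display/matching.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault (authorization/settlement path) can map a token back to the PAN.
        return self._pan_by_token[token]

def scrub(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in text with a vault token; other digit runs stay."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenize(digits) if luhn_ok(digits) else m.group()
    return _PAN_RE.sub(repl, text)
```

Running find_pans over the scrubbed output finds nothing, which is the scope-reduction property tokens are meant to provide, while the 16-digit invoice number is left untouched because it fails the Luhn check.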
Encryption
- Encryption technologies are capable of significantly reducing the scope for PCI compliance.
- Point-to-Point Encryption (P2PE) is defined as hardware encryption of the card number at the swipe, where the merchant will have no access to the encryption keys, and thus no access to card data.
- The implementation of a compliant P2PE solution is capable of reducing the required controls to only these:
  - Protection of media and devices
  - Maintaining information security policies and training for personnel
  - Processes for management of third-party providers (including the P2PE provider)
  - Incident response and escalation procedures
Virtualization
Virtualization has added a layer of complexity to compliance efforts:
- Conflicts with the PCI requirement for single use per physical server
- Mixing VMs of differing security requirements on one host
- Lack of separation of duties
- Dormant VMs / VM images and snapshots
- Immaturity of monitoring solutions for virtual networks, virtual firewalls, virtual compliance systems, etc.
In-scope systems (VMs) can be hosted in a virtual environment; however, the physical host is then considered in scope, and any hosts or guests (VMs) with network visibility to the in-scope VMs are also in scope. It is possible, but not advisable, to host both in-scope and out-of-scope VMs on the same physical host. The challenge with this architecture is that the individual host components must be evaluated in detail, including the hypervisor and the virtual switch.
Mobile
PCI SSC completed the 1st phase of its examination of the mobile payment application landscape:
- Category 1: payment application operates only on a PTS-approved mobile device.
- Category 2: payment application meets all of the following criteria: (1) bundled with the device, (2) device purpose-built, (3) demonstrated compliance via review by a PA-QSA.
- Category 3: operates on any consumer electronic handheld device.
Category 3 recommendations:
- Not eligible for PA-DSS validation at this time, but should be developed using PA-DSS as a baseline
- Include applications as part of the annual PCI DSS assessment
- Applications downloaded and used by consumers for personal shopping are viewed similarly to the payment card in a wallet
Wireless
General wireless requirements:
- Maintain a hardware inventory
- Regularly test for unauthorized access points
- Segment wireless networks
Using wireless in card processing environments:
- Physical security of wireless devices
- Change defaults / securely configure wireless devices
- Wireless IDS/IPS and access logging
- Strong wireless authentication and encryption
- Strong cryptography at the application layer
- Enforcement of wireless usage policy
EMV
- New standard in chip card technologies replacing magnetic-stripe cards
- Transaction authorized with the end user's PIN instead of a signature
- Reduces fraud occurring in magnetic-stripe face-to-face environments
- Card-not-present transactions, such as Internet, telephone or mail order purchases, are not affected
- Cardholder data is still used for transaction processing, and must be protected in accordance with PCI DSS
Questions?
Thank you for attending.
Visit us online at www.grantthornton.com or www.twitter.com/grantthorntonus
After the program:
- Respond to the online evaluation form.
- Print your CPE certificate from the CPE confirmation email. Note: group participation will not receive CPE.
- Download today's slides as a reference resource.
For questions regarding your CPE certificate, contact LearnLive at 888.228.0988.