PCI DSS Compliance: Clarity Out of Complexity
White Paper, September 2013, by Peer1 and CompliancePoint (www.peer1.com)



Table of Contents

Introduction
  Businesses are losing customer data
  Customers are learning about these losses
  The payment card industry suffers
What is PCI compliance?
  Other industry standards
  Scope of PCI DSS
PCI myths and assumptions
  ...and the most dangerous myth: compliance vs. security
Who should be interested in PCI?
PCI assessments
Implications and risks of non-compliance
  Cost of data breaches
  Other consequences of data breaches
Competitive advantages of being PCI compliant
Finding a PCI-compliant cloud services provider
  What you need to look for in a hosting provider
  Additional hosting provider performance criteria
Conclusion and call-to-action
About CompliancePoint

Introduction

Whoever first said there's no such thing as bad publicity never had to deal with payment card security breaches.

Businesses are losing customer data

On May 21, 2013, the St. Louis Post-Dispatch reported that "At least three lawsuits seeking class action status have been filed against (a Midwestern grocery chain) in the wake of the credit card breach that impacted an estimated 2.4 million cards, used at 79 stores, from early December to late March." The headline to the article claims the breach could cost the chain $80 million in Illinois alone. [1]

Sometimes a news report doesn't even have to include numbers to indicate the seriousness of a situation. "The U.S. government has sued (a major hotelier) over allegations that it failed to protect consumers' credit card data," says a June 26, 2012 Huffington Post article. [2]

Customers are learning about these losses

None of these incidents is unusual. According to PrivacyRights.org, the number of personal records involved in security breaches since January 2005 now exceeds 607,472,154, more than the current population of the United States. A recent Forbes Magazine article noted that a record number of breaches, 1,611, took place in 2012, up a staggering 48 percent from 2011. [3]

Consumers are nervous. According to the same article, a person who received a data breach notification in 2010 had a one-in-nine chance of becoming a fraud victim; by 2012 that had jumped to one in four.

The 2013 Data Breach Investigations Report from Verizon analyzed more than 47,000 reported security incidents and 621 confirmed data breaches that occurred during 2012, involving at least 44 million compromised records. The report documents the increase in consumer fraud, the statistics behind espionage attacks, and how long it takes organizations to discover those attacks.
Read the full report at http://www.verizonenterprise.com/dbir/2013/

Increasing creativity from criminals explains only part of these numbers. Despite publicly reported horror stories like the ones above, far too many businesses remain blasé about the security of their own data. In doing so, they run unnecessarily high risks of business losses, legal liability, fines and other avoidable problems.

The payment card industry suffers

The Huffington Post also reported, in April 2012, on the fate of a payment card processing company: "Visa Inc. has dropped the card processor involved in a massive data breach from its registry of providers that meet data security standards."

White Paper: PCI DSS Compliance Page 1

(The CEO of a large payment processor) noted that the company continues to process Visa transactions, but that being dropped from the registry "could give our partners some pause that they're doing business with someone who experienced a breach." (The CEO) said he expects (the payment processor) to be reinstated once it has been issued a new report of compliance, but he declined to specify when that might be. He said the situation is absolutely contained but that the investigation is continuing and that parts of it still need to be resolved. [4]

The payment card industry is fighting back against criminal hackers. If your business accepts payment cards from customers and doesn't want to suffer the fate of the aforementioned payment processor, read on about how to join the fight.

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that the payment card industry and related organizations use to tighten controls around cardholder data and so reduce the card fraud that follows from its exposure. PCI [5] came about because of increasing incidents of fraud, which were often tied to a similar rise in identity theft and credit card breaches. Ineffective government regulation compounded these problems, so the payment card industry developed PCI DSS to protect its business interests.

Other industry standards

All actors in the payment card industry must be aware of PCI DSS, but other standards also apply to specific actors:

Standard                                                  Actors affected
Payment Card Industry Data Security Standard (PCI DSS)    All companies that enter, transmit, process or store credit card data
Payment Application Data Security Standard (PA-DSS)       All software vendors that build, sell and license application software that enters, transmits or stores credit card data
PIN Transaction Security (PTS)                            All vendors of payment card transaction or PIN-entry devices

Scope of PCI DSS

The scope of PCI DSS (the cardholder data environment) is any system component or business process that stores, processes or transmits cardholder data. Scoping an assessment therefore means following cardholder data through four stages:

1. Where data enters the organization
2. Where data is stored
3. What business processes the data is used for
4. How data exits the organization

To secure data at each of these stages, organizations need to take specific precautions dealing with:

- Network segmentation (firewalls/ACLs)
- Proper N-tier architecture (separate application and database servers)
- Physical control
- Business workflow and procedures

PCI DSS is made up of 12 requirements grouped into 6 categories:

Area                                          Requirement
Build and Maintain a Secure Network           Requirement 1: Install and maintain a firewall configuration to protect cardholder data
                                              Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                       Requirement 3: Protect stored cardholder data
                                              Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program   Requirement 5: Use and regularly update anti-virus software or programs
                                              Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures      Requirement 7: Restrict access to cardholder data by business need-to-know
                                              Requirement 8: Assign a unique ID to each person with computer access
                                              Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks           Requirement 10: Track and monitor all access to network resources and cardholder data
                                              Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy       Requirement 12: Maintain a policy that addresses information security for all personnel
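The scoping steps and Requirement 3 above are where most surprises turn up in practice: cardholder data that was never meant to be stored ends up in application logs, which silently drags the logging hosts into scope (this is also why the "I don't store credit card data" misconception discussed in the next section fails). As an added example, not taken from the white paper or from either company's tooling, the Python script below shows the kind of check an engineer or assessor runs to find such leaks. It scans constructed log lines for candidate primary account numbers (PANs), discards numeric values that are not card numbers using the Luhn check, masks real ones to the first-six/last-four form that PCI DSS 3.3 permits for display, and derives a keyed HMAC token where a lookup value must be retained (one of the methods PCI DSS 3.4 accepts for rendering PAN unreadable). The log lines, the HMAC key and all function names are constructed for this example.

```python
"""
Find primary account numbers (PANs) that have leaked into application logs
and show two PCI DSS Requirement 3 treatments for them: masking for display
(3.3) and a keyed one-way token where a lookup value must be kept (3.4).

Added example, not from the white paper. LOG_LINES and DEMO_HMAC_KEY are
constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed log lines. Lines 2 and 3 leak a full PAN; line 4 carries a
# 16-digit value that is not a card number (it fails the Luhn check).
LOG_LINES = [
    "2013-09-21 10:15:32 INFO  checkout order=7301 amount=49.99 status=approved",
    "2013-09-21 10:15:33 DEBUG gateway request pan=4111 1111 1111 1111 exp=12/15",
    "2013-09-21 10:16:01 ERROR auth declined card=378282246310005 reason=nsf",
    "2013-09-21 10:16:40 INFO  shipment tracking=4111111111111112 carrier=UPS",
]

# Hypothetical key. In production it comes from a key-management system or
# HSM and is rotated under PCI DSS Requirement 3.6; it must never sit in code.
DEMO_HMAC_KEY = b"example-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits on either side (so a longer numeric ID is not split).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display form allowed by PCI DSS 3.3: at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(digits, key):
    """Keyed HMAC-SHA256 of the PAN, usable as a lookup value without storing
    the PAN. A bare hash is not enough: behind a known six-digit BIN only
    about 10^9 account numbers exist, so unkeyed hashes are brute-forced
    cheaply; the key must be protected like an encryption key."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_line(line):
    """Mask every Luhn-valid PAN in a line; return (clean line, PANs found)."""
    found = []

    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # numeric, but not a card number
        found.append(digits)
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), found


def scan_logs(lines, key):
    """Return (redacted lines, findings). Each finding records the line
    number, the masked PAN and a keyed token that can still be correlated
    across logs without exposing the PAN."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        clean, pans = redact_line(line)
        redacted.append(clean)
        for pan in pans:
            findings.append({"line": number, "masked": mask_pan(pan),
                             "token": tokenize_pan(pan, key)})
    return redacted, findings


if __name__ == "__main__":
    clean_lines, hits = scan_logs(LOG_LINES, DEMO_HMAC_KEY)
    for hit in hits:
        print("line %d: PAN %s token=%s..." % (hit["line"], hit["masked"], hit["token"][:16]))
    print("\n".join(clean_lines))
```

Running the script reports leaks on lines 2 and 3 and leaves the shipment tracking number alone. Two practical points follow from it: a scanner like this is a detective control, so a hit means the application must stop writing PAN at the source (and the log hosts are in scope until it does), and the token is only as strong as the protection of its key, which is why PCI DSS treats keyed hashing, truncation and encryption under the same key-management requirements.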

PCI myths and assumptions

Even though credible, freely available sources clearly explain PCI DSS, certain misunderstandings about it continue to circulate. Here's a short selection:

- "If I use a PCI certified application, I am compliant with PCI."
- "If I use a PCI certified service provider, I am compliant with PCI."
- "I don't process enough credit card transactions to require PCI compliance."
- "We completed a SAQ, so we're compliant."
- "If I don't store credit card data, I don't have to be PCI compliant."

Each of these fails against the scope definition above. Any system that stores, processes or transmits cardholder data is in scope, even if it only handles the data in transit; a validated application or service provider covers only its own part of that scope, never the merchant's; and a self-assessment questionnaire is a way of validating compliance, not a substitute for meeting the requirements.

...and the most dangerous myth: compliance vs. security

Compliance can be considered one facet of security, but it does not guarantee the security of your data. PCI DSS focuses only on the applications and IT infrastructure that touch credit card data. If your organization holds other sensitive or high-impact data, you need to secure it by other means.

Who should be interested in PCI?

Large or small, every merchant that accepts payment cards from its customers must at least be aware of PCI. The card brands define the following merchant levels to classify card-accepting merchants; level criteria are subject to periodic review and revision. Depending on its level, a merchant must meet specific validation requirements to attain PCI compliance status.
Level 1 [6]
  Criteria: merchants that process 6 million or more card transactions per year; any merchant that has suffered a hack or attack resulting in an account data compromise; service providers that process more than 300,000 transactions per year.
  Validation: annual on-site PCI Data Security Assessment by a Qualified Security Assessor (QSA); quarterly network scans by a PCI Approved Scanning Vendor (ASV).

Level 2
  Criteria: merchants that process 1 million to 6 million card transactions per year; service providers that process fewer than 300,000 transactions per year.
  Validation: as for Level 1 (annual on-site assessment by a QSA; quarterly ASV scans).

Level 3
  Criteria: e-commerce merchants that process fewer than 1 million transactions per year.
  Validation: annual self-assessment questionnaire (SAQ) completed by the merchant; quarterly network scans by a PCI Approved Scanning Vendor (ASV).

Level 4
  Criteria: merchants that process fewer than 1 million transactions per year through other channels.
  Validation: as for Level 3 (annual SAQ; quarterly ASV scans).

Exact thresholds and validation requirements are set by each card brand and enforced through your acquiring bank, so confirm your level with your acquirer.

PCI assessments

Assessments of PCI compliance cover three main areas:

- Administrative controls: policy and procedures
- Technical controls: IT and security infrastructure
- Physical security

Implications and risks of non-compliance

Non-compliance with PCI DSS substantially raises the risk of data breaches and of the consequences that follow them.

Cost of data breaches

CompliancePoint estimates the cost of a data breach at US$354 per record, broken down as follows:

Cost component                         Cost per record
Discovery, response, notification      $50
Employee productivity cost             $30
Regulatory fines                       $60
Restitution                            $30
Credit card replacement                $35
Security and audit requirements        $10
Customer opportunity loss              $139
Total                                  $354

Costs can be staggering

In its 2013 global study, the Ponemon Institute found that the number of breached records per incident ranged between 2,300 and 99,000; US companies averaged 28,765 compromised records. [7] At $354 per compromised record, costs escalate quickly (28,765 records at $354 each comes to roughly $10.2 million), especially for companies not focused on security compliance.

Other consequences of data breaches

Other potential costs of data breaches include:

- Legal costs from civil litigation
- Significant chargeback risk
- Negative media coverage
- Loss of business
- Fines and increased transaction fees from credit card companies
- Loss of reputation and financial position
- Brand damage resulting from the loss of trust both inside and outside the organization

Competitive advantages of being PCI compliant

Running a PCI-compliant operation lets merchants build greater trust among current and prospective customers and business partners.

Many companies today forgo their own datacenters in favor of cloud service providers. To maintain the customer trust rooted in your PCI compliance, your cloud service providers must also be PCI compliant. If they are not, your company cannot place payment card data on your provider's servers without putting its own PCI compliance at risk.

Finding a PCI-compliant cloud services provider

Looking for PCI-compliant providers? One place to start is the CIS Security Benchmarks Division (http://benchmarks.cisecurity.org/membership/roster/). Members of this community work together to create ever-more-secure computing environments. As explained on the Division's website:

"The Security Benchmarks division is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements."

Membership in a hardening-benchmark community is evidence of good practice, not of PCI DSS compliance itself. Ask any prospective provider for its current Attestation of Compliance (AOC) and for a written statement of which PCI DSS requirements it covers on your behalf and which remain your responsibility.

Peer 1 Hosting maintains facilities, administration practices and infrastructure that are designed to meet the stringent requirements of the PCI DSS 2.0 standard. We are also periodically audited by CompliancePoint, an independent third party.

What you need to look for in a hosting provider

If you're looking for a checklist for PCI DSS-compliant providers, we suggest you read page 11 of the Information Supplement: PCI DSS Cloud Computing Guidelines, written by the Cloud Special Interest Group for the PCI Security Standards Council. Its list of best practices, reproduced here, tracks the twelve PCI DSS requirements:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

The authors go into greater detail on each best practice, and they recommend that customers as well as cloud service providers implement them. Remember, businesses that use PCI-compliant cloud service providers must also keep their own operations PCI compliant.

As noted above, Peer 1's membership in the CIS Security Benchmarks Division helps us stay compliant and implement best practices as they emerge. CompliancePoint serves as Peer 1's Qualified Security Assessor (QSA), the trusted advisor that works with Peer 1 to maintain PCI compliance. We value our partnership as much as our customers value the security of the payment card information entrusted to them.

Additional hosting provider performance criteria

Once you have a fully compliant back-end solution with Peer 1 Hosting, you can enhance the performance of your application with CompliancePoint services such as:

- PCI DSS assessment
- PCI DSS policy development
- Vulnerability scans
- Penetration testing
- Security awareness training
- Compliance monitoring and management program
- Compliance automation portal

Conclusion and call-to-action

Peer 1 Hosting provides a foundation to help you build a PCI-compliant infrastructure to secure your critical data. CompliancePoint helps make that environment happen through its full-lifecycle approach to managing compliance. Together we reduce the cost and effort for our customers to become, and stay, PCI compliant, and we save our customers money as they implement physical and technical controls. The Peer 1 Hosting environment is already audited, so the audits our customers face are quicker and more efficient: we use the same compliance playbook. We are Peer 1 Hosting and CompliancePoint, the PCI-compliant partnership your business needs.
To learn more about PCI DSS compliant hosted solutions:

- Call Peer 1 Hosting at 1.866.579.9690
- Go to www.peer1.com and chat with an online sales assistant

To inquire about PCI DSS compliance services, call CompliancePoint at 1.855.670.8780.

About CompliancePoint

CompliancePoint is a leader in compliance and information risk management. CompliancePoint helps organizations safeguard information assets and ensure regulatory compliance by providing third-party assessments and developing enterprise security policies and programs based on accepted information security frameworks and the regulatory requirements of PCI DSS v2.0 and PCI PA-DSS, HIPAA/HITECH, ISO 27001, SSAE SOC 2 and FISMA/NIST. CompliancePoint's three-point approach, identifying compliance levels, assisting in the remediation of compliance issues, and providing a program to manage compliance data, documents and activities more effectively, ensures organizations not only achieve compliance but maintain it as well.

Footnotes

[1] http://www.stltoday.com/business/local/schnucks-credit-card-breach-couldcost-million-just-in-illinois/article_25804620-9ca5-5d0b-8b1c-1968a56012eb.html
[2] http://www.huffingtonpost.com/2012/06/26/wyndham-credit-cardbreach_n_1628005.html
[3] http://www.forbes.com/sites/moneybuilder/2013/06/10/this-week-in-creditcard-news-data-breaches-cost-us-billions-profitable-parking-meters/
[4] http://www.huffingtonpost.com/2012/04/02/visa-mastercard-databreach_n_1396035.html
[5] People commonly use "PCI DSS" and "PCI" interchangeably.
[6] While a merchant might not technically qualify for Level 1, it may do business with another organization that demands it meet Level 1 requirements. In that case, the merchant may opt for Level 1 compliance in order to meet its customer's demand.
[7] Source: Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis