PCI DSS Compliance: Clarity Out of Complexity
White Paper, September 2013
By Peer1 and CompliancePoint
www.peer1.com
Table of Contents

Introduction  1
  Businesses are losing customer data  1
  Customers are learning about these losses  1
  The payment card industry suffers  1
What is PCI compliance?  2
  Other industry standards  2
  Scope of PCI DSS  2
PCI myths and assumptions  4
  and the most dangerous myth: compliance vs. security
Who should be interested in PCI?  4
PCI assessments  5
Implications and risks of non-compliance  5
  Cost of data breaches  5
  Other consequences of data breaches  5
Competitive advantages of being PCI compliant  6
Finding a PCI-compliant cloud services provider  6
  What you need to look for in a hosting provider  6
  Additional hosting provider performance criteria  7
Conclusion and call-to-action  7
About CompliancePoint  8
Introduction

Whoever first said "there's no such thing as bad publicity" never had to deal with payment card security breaches.

Businesses are losing customer data

On May 21, 2013, the St. Louis Post-Dispatch reported that "at least three lawsuits seeking class action status have been filed against (a Midwestern grocery chain) in the wake of the credit card breach that impacted an estimated 2.4 million cards, used at 79 stores, from early December to late March." The headline of the article claims the breach could cost the chain $80 million in Illinois alone. [1]

Sometimes a news report doesn't even have to include numbers to indicate the seriousness of a situation. "The U.S. government has sued (a major hotelier) over allegations that it failed to protect consumers' credit card data," says a June 26, 2012 Huffington Post article. [2]

Customers are learning about these losses

None of these incidents is unusual. According to PrivacyRights.org, the number of personal records involved in security breaches since January 2005 is now more than 607,472,154. This number exceeds the current population of the United States.

A recent Forbes Magazine article noted that a record number of breaches, 1,611, took place in 2012. This number is up a staggering 48 percent from 2011. [3] Consumers are nervous. According to the same article, if they received a data breach notification in 2010, their odds of being a fraud victim were one in nine. Last year, that jumped to one in four.

The 2013 Data Breach Investigations Report from Verizon analyzed 47,000 reported incidents and 621 confirmed data breaches that occurred during 2012. These incidents were drawn from over 44 million known incidents that year. This astonishing report outlines the increase in consumer fraud, the statistics involved in espionage attacks, and the length of time it takes to discover those attacks.
Read the full report at: http://www.verizonenterprise.com/dbir/2013/

Increasing creativity from criminals explains only part of this number. Despite publicly reported horror stories like the ones above, far too many businesses remain blasé about the security of their own data. In doing so, they run unnecessarily high risks of business losses, legal liability, fines and other avoidable problems.

The payment card industry suffers

The Huffington Post also reported, back in February of 2012, on the fate of a payment card processing company: "Visa Inc. has dropped the card processor involved in a massive data breach from its registry of providers that meet data security standards."

White Paper: PCI DSS Compliance Page 1
(The CEO of a large payment processor) noted that the company continues to process Visa transactions, but that being dropped from the registry "could give our partners some pause that they're doing business with someone who experienced a breach." (The CEO) said he expects (the payment processor) to be reinstated once it has been issued a new report of compliance, but he declined to specify when that might be. He said the situation is "absolutely contained" but that the investigation is continuing and that parts of it still need to be resolved. [4]

The payment card industry is fighting back against criminal hackers. If your business accepts payment cards from customers and doesn't want to suffer the fate of the aforementioned payment processor, read on about how to join the fight.

What is PCI compliance?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of standards that the payment card industry and related organizations use to increase controls around cardholder data and so reduce the credit card fraud that follows from its exposure. PCI [5] came about due to increasing incidents of fraud, which were often related to a similar rise in identity and credit card breaches. Ineffective government regulation compounded these problems, so the payment card industry developed PCI DSS to protect its business interests.

Other industry standards

All actors in the payment card industry must be aware of PCI DSS, but other sets of standards also apply to specific actors.

Standard                                                  Actors affected
Payment Card Industry Data Security Standard (PCI DSS)    All companies that enter, transmit, process or store credit card data
Payment Application Data Security Standard (PA DSS)       All software vendors that build, sell and license application software that enters, transmits or stores credit card data
PIN Transaction Security (PTS)                            All vendors of payment card transaction or PIN devices

Scope of PCI DSS

The scope of PCI DSS is any system component or business process that stores, processes or transmits cardholder data. That scope follows cardholder data through four stages:

1. Where data enters an organization
2. Where data is stored
3. What business processes data is used for
4. How data exits the organization
To secure data at each of these stages, organizations need to take specific precautions dealing with:

- Network segmentation (firewalls/ACLs)
- Proper N-tier architecture (application/database servers)
- Physical control
- Business workflow/procedures

PCI DSS is made up of 12 requirements grouped into 6 categories:

Area                                          Requirement
Build & Maintain a Secure Network             Requirement 1: Install and maintain a firewall configuration to protect cardholder data
                                              Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                       Requirement 3: Protect stored cardholder data
                                              Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program   Requirement 5: Use and regularly update anti-virus software or programs
                                              Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures      Requirement 7: Restrict access to cardholder data by business need-to-know
                                              Requirement 8: Assign a unique ID to each person with computer access
                                              Requirement 9: Restrict physical access to cardholder data
Regularly Monitor & Test Networks             Requirement 10: Track and monitor all access to network resources and cardholder data
                                              Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy       Requirement 12: Maintain a policy that addresses information security for employees and contractors
PCI myths and assumptions

Even though credible, freely available sources clearly explain PCI DSS, certain misunderstandings about it continue to circulate. Here's a short selection:

- If I use a PCI Certified application, I am compliant with PCI
- If I use a PCI Certified Service Provider, I am compliant with PCI
- I don't process enough credit card transactions to require PCI Compliance
- We completed a SAQ, so we're compliant
- If I don't store credit card data, I don't have to be PCI compliant

And the most dangerous myth: compliance vs. security

Compliance can be considered one facet of security, but it does not guarantee the security of your data. PCI only focuses on the applications and IT infrastructure that affect credit card data. If your organization has other sensitive or high-impact data, you need to secure it using other means.

Who should be interested in PCI?

Large or small, every merchant that accepts payment cards from its customers must at least be aware of PCI. PCI DSS standards specify the following merchant levels to classify payment-card-accepting merchants. (Level requirements are subject to periodic review and revision.) Depending on the level, merchants must meet specific requirements to attain PCI compliance status.
Merchant Level 1 [6]
  Criteria:
    - Merchants that process 6 million or more credit card transactions per year
    - Any merchant that suffered a hack or an attack resulting in an account data compromise
    - A service provider that processes more than 300,000 credit card transactions per year
Merchant Level 2
  Criteria:
    - Merchants that process 1 million or more credit card transactions per year
    - Service providers that process less than 300,000 transactions per year
Requirements for Levels 1 and 2:
  - Annual on-site PCI Data Security Assessment by a Qualified Security Assessor (QSA)
  - Quarterly network scans by a PCI Approved Scanning Vendor (ASV)

Merchant Level 3
  Criteria:
    - E-commerce merchants that process less than 1 million transactions per year
Merchant Level 4
  Criteria:
    - Merchants that process less than 1 million transactions per year
Requirements for Levels 3 and 4:
  - Annual self-assessment questionnaire by merchant
  - Quarterly network scans by a PCI Approved Scanning Vendor (ASV)
PCI assessments

Assessments of PCI compliance cover three main areas:

- Administrative Controls: Policy & Procedures
- Technical Controls: IT and Security Infrastructure
- Physical Security

Implications and risks of non-compliance

Non-compliance with PCI DSS can substantially raise the risk of data breaches and the consequences associated with them.

Cost of data breaches

CompliancePoint estimated the cost of data breaches at US$354 per record. That cost breaks down as follows:

Cost Component                        Cost
Discovery, Response, Notification     $50
Employee Productivity Cost            $30
Regulatory Fines                      $60
Restitution                           $30
Credit Card Replacement               $35
Security and Audit Requirement        $10
Opportunity Loss (Customer)           $139
TOTAL/Record                          $354

Costs can be staggering

In a recent 2013 global study by The Ponemon Institute, the number of breached records per incident averaged between 2,300 and 99,000. US companies averaged 28,765 compromised records. With a cost of $354 per compromised record, costs can quickly escalate, especially for companies not focused on security compliance. [7]

Other consequences of data breaches

Other potential costs of data breaches include:

- Legal costs from civil litigation
- Significant chargeback risk
- Negative media coverage
- Loss of business
- Fines and increased transaction fees from credit card companies
- Loss of reputation and financial position
- Brand damage resulting from the loss of trust both inside and outside the organization
Competitive advantages of being PCI compliant

Running a PCI-compliant operation means that merchants can create greater trust among their current and prospective customers and business partners.

Many companies today forego their own datacenters in favor of cloud service providers. To maintain your customers' trust rooted in your PCI compliance, your cloud service providers must also be PCI compliant. If not, your company can't place any payment card data on your provider's servers without risking your own company's PCI-compliant status.

Finding a PCI-compliant cloud services provider

Looking for PCI-compliant providers? Look no further than the CIS Security Benchmarks Division (http://benchmarks.cisecurity.org/membership/roster/). Members of this community work together to create ever-more-secure computing environments. As explained on the Division's website:

"The Security Benchmarks division is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements."

Peer 1 Hosting maintains facilities, administration practices and infrastructure that are designed to meet the stringent requirements of the PCI DSS 2.0 standard. We are also periodically audited by CompliancePoint, an independent third party.

What you need to look for in a hosting provider

If you're looking for a checklist for PCI DSS-compliant providers, we suggest you read page 11 of the Information Supplement: PCI DSS Cloud Computing Guidelines, written by the Cloud Special Interest Group for the PCI Security Standards Council. We've reproduced their list of best practices here:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

The authors go into greater detail on each best practice, and they recommend that customers as well as cloud service providers implement these best practices. Remember, businesses that use PCI-compliant cloud service providers must also keep their own operations PCI compliant.

As we wrote on page 10, Peer 1's membership in the CIS Security Benchmarks Division helps us stay compliant and implement best practices as they emerge. CompliancePoint serves as Peer 1's Qualified Security Assessor (QSA), the trusted advisor that works with Peer 1 to maintain PCI compliance. We value our partnership as much as our customers value the security of the payment card information entrusted to them.

Additional hosting provider performance criteria

Once you attain a fully compliant back-end solution with Peer 1 Hosting, you can enhance the performance of your application with CompliancePoint services like:

- PCI DSS Assessment
- PCI DSS Policy Development
- Vulnerability Scans
- Penetration Testing
- Security Awareness Training
- Compliance Monitoring and Management Program
- Compliance Automation Portal

Conclusion and call-to-action

Peer 1 Hosting provides a foundation to help you build a PCI-compliant infrastructure to secure your critical data. CompliancePoint helps make that environment happen, thanks to its full lifecycle approach to managing compliance. We reduce the cost and effort for our customers to become, and stay, PCI compliant. We save our customers money as they implement physical and technical controls. The Peer 1 Hosting environment is already audited, so we make the audits our customers face quicker and more efficient. We use the same compliance playbook. We are Peer 1 Hosting and CompliancePoint, the PCI-compliant partnership your business needs.
To learn more about PCI DSS compliant hosted solutions:

- Call Peer 1 Hosting at 1.866.579.9690
- Go to www.peer1.com and chat with an online sales assistant

To inquire about PCI DSS compliance services, call CompliancePoint at 1.855.670.8780.
About CompliancePoint

CompliancePoint is a leader in compliance and information risk management. CompliancePoint helps organizations safeguard information assets and ensure regulatory compliance by providing third-party assessments and developing enterprise security policies and programs based on the accepted information security frameworks and the regulatory requirements of Payment Card Industry (PCI) DSS v2.0 & PCI PA-DSS, HIPAA/HITECH, ISO 27001, SSAE SOC2 and FISMA/NIST. CompliancePoint's three-point approach for identifying compliance levels, assisting in the remediation of compliance issues and providing a program to more effectively manage compliance data, documents and activities ensures that organizations not only achieve compliance but are able to maintain it as well.
Footnotes

[1] http://www.stltoday.com/business/local/schnucks-credit-card-breach-could-cost-million-just-in-illinois/article_25804620-9ca5-5d0b-8b1c-1968a56012eb.html
[2] http://www.huffingtonpost.com/2012/06/26/wyndham-credit-card-breach_n_1628005.html
[3] http://www.forbes.com/sites/moneybuilder/2013/06/10/this-week-in-credit-card-news-data-breaches-cost-us-billions-profitable-parking-meters/
[4] http://www.huffingtonpost.com/2012/04/02/visa-mastercard-data-breach_n_1396035.html
[5] People commonly use PCI DSS and PCI interchangeably.
[6] While a merchant might not technically qualify for Level 1, it may do business with another organization that demands it meet Level 1 requirements. In that case, the merchant may opt for Level 1 compliance in order to meet its customer's demand.
[7] Source: Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis