Payment Card Industry Data Security Standard (PCI DSS) v1.2

Similar documents
PCI Compliance: How to ensure customer cardholder data is handled with care

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

Payment Card Industry Data Security Standard Explained

PCI Standards: A Banking Perspective

PCI Compliance Top 10 Questions and Answers

How To Protect Your Business From A Hacker Attack

PCI Compliance. Top 10 Questions & Answers

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Josiah Wilkinson Internal Security Assessor. Nationwide

Project Title slide Project: PCI. Are You At Risk?

Your Compliance Classification Level and What it Means

PCI DATA SECURITY STANDARD OVERVIEW

Two Approaches to PCI-DSS Compliance

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Becoming PCI Compliant

PCI Security Compliance

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PCI Compliance Overview

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

A Compliance Overview for the Payment Card Industry (PCI)

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI Data Security Standards

Accepting Payment Cards and ecommerce Payments

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Introduction to PCI DSS Compliance. May 18, :15 p.m. 2:15 p.m.

Payment Card Industry Data Security Standard

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

La règlementation VisaCard, MasterCard PCI-DSS

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

PCI DSS. CollectorSolutions, Incorporated

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Payment Card Industry Compliance Overview

SecurityMetrics Introduction to PCI Compliance

How To Protect Your Credit Card Information From Being Stolen

Why Is Compliance with PCI DSS Important?

HOW SECURE IS YOUR PAYMENT CARD DATA?

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Property of CampusGuard. Compliance With The PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

How To Protect Visa Account Information

Achieving PCI Compliance for Your Site in Acquia Cloud

PCI: The Dark Side. May 2012 Roanoke, VA

Achieving Compliance with the PCI Data Security Standard

Payment Card Industry Data Security Standards

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Payment Card Industry Data Security Standards Compliance

Frequently Asked Questions

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

Payment Card Industry Data Security Standards.

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

PCI DSS Presentation University of Cincinnati

Presented By: Bryan Miller CCIE, CISSP

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Merchant guide to PCI DSS

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

PCI DSS Compliance Information Pack for Merchants

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

And Take a Step on the IG Career Path

How To Ensure Account Information Security

An article on PCI Compliance for the Not-For-Profit Sector

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Industry - Achieving PCI Compliance Steps Steps

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

A PCI Journey with Wichita State University

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

PCI DSS READINESS AND RESPONSE

Transcription:

Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1-

Agenda Introduction to PCI DSS Overview of PCI DSS 1.2 Requirements Merchant Levels Penalties for Non-Compliance Qualified Security Assessors Self-Assessment Questionnaire (SAQ) Approved Scanning Vendor (ASV) PCI DSS 1.2 Requirements Report on Compliance (ROC) PCI Vendor Selection The examples and approach described in this presentation are for purposes of instruction only and should not be construed as existing at Newegg, Inc. Participants are cautioned to perform their own due diligence before implementing ideas, processes or structures as presented. 2009 2

Introduction to PCI DSS http://datalossdb.org/ 2009 3

As of Jan 21, 2008, there have been recorded by the Privacy Rights Organization 251,175,706 records containing sensitive personal information in security breaches in the US since Jan 2005. // http://www.privacyrights.org 2009 4

PCI SSC PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. In June 2001, VISA developed CISP security audit program. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on December 15, 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS). In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. The next version 1.2 was released on October 1, 2008. Version 1.1 is no longer effective as of December 31, 2008. v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. 2009 5

PCI Security Standards https://www.pcisecuritystandards.org/ 2009 6

PCI DSS 1.2 Requirements Goals Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know Implement Strong Access Control Measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks Maintain an Information Security Policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors 2009 7

Merchant Levels Level VISA Criteria AMEX Criteria 1 2 3 4 Over 6 million transactions per year Any merchant compromised in past year VISA discretion based on risk Identified by any other payment card brand as Level 1 Between 1 million and 6 million transactions per year Between 20 thousand and 1 million e- commerce transactions per year Less than 20 thousand e-commerce transactions per year and all others up to 1 million transactions per year Over 2.5 million AMEX transactions per year Any merchant compromised in past year AMEX discretion based on risk Between 50 thousand and 2.5 million AMEX transactions per year Less than 50 thousand AMEX transactions per year Required Validation Annual onsite assessment Quarterly scans required Quarterly scans required Annual SAQ Annual SAQ Quarterly scans VISA required Quarterly scan AMEX highly recommended N/A Annual SQA Quarterly scan may be required 2009 8

Service Provider Levels Effective February 1, 2009, service providers that store, process or transmit Visa cardholder data on behalf of Visa acquirers, issuers, merchants or other service providers will fall into one of two service provider levels. 2009 9

Penalties for Non-Compliance Merchant banks whose retailers aren t PCI compliant could be fined up to $500,000. Typically, banks pass penalties along to the retailer involved. The merchant also faces loss of its card-acceptance privileges. http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma-html For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers. 2009 10

Qualified Security Assessors (QSA) https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf The PCI Security Standards Council maintains an in depth program for security companies seeking to be certified as Qualified Security Assessors (QSAs), as well as to be recertified as QSAs each year. Certification and re certification indicate only that the applicable QSA has successfully met all PCI Security Standards Council requirements to perform PCI data security assessments, and the PCI Security Standards Council does not endorse these security solution providers or their business processes or practices. 2009 11

Self-Assessment Questionnaires (SAQ) The SAQ is a self validation tool for merchants and service providers who are not required to do on site assessments for PCI DSS compliance. The SAQ are a series of yes or no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. 2009 12

Approved Scanning Vendor (ASV) An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer is compliant with the PCI DSS external vulnerability scanning requirement. https://www.pcisecuritystandards.org/pdfs/asv_report.html ASVs are trained and qualified by the PCI SSC to perform network and systems scans as required by PCI DSS. 2009 13

Needs to be signed by an Executive Officer 2009 14

Lifecycle Process for Changes to PCI DSS 2009 15

Types of Data on Payment Card 2009-16 -

2009-17 -

Build and Maintain a Secure Network 2009 18

Build and Maintain a Secure Network 2009 19

Protect Cardholder Data 2009 20

2009-21 -

Protect Cardholder Data 2009 22

Maintain a Vulnerability Management Program - 23-2009

Maintain a Vulnerability Management Program 2009-24 -

Implement Strong Access Control Measures - 25-2009

Implement Strong Access Control Measures 2009-26 -

Implement Strong Access Control Measures 2009-27 -

Regularly Monitor and Test Networks - 28-2009

Regularly Monitor and Test Networks 2009-29 -

Maintain an Information Security Policy - 30-2009

Report on Compliance (ROC) 1. Executive Summary 1. Description of the entity s payment card business 2. High-level diagram of entity s networking topography 2. Description of Scope of Work and Approach Taken 1. Environment on which assessment focused 2. Network segmentation used to reduce scope of PCI DSS review 3. Documentation and justified sampling 4. List of any wholly-owned entities 5. List of any International entities 6. List of any wireless LANS or APs 7. Version of PCI DSS requirements 8. Timeframe of Assessment 3. Details about Reviewed Environment 1. Diagram of each piece of communication link (LAN, WAN, or Internet) 2. Description of cardholder data environment 3. List of files/tables that store cardholder data 4. List of hardware and critical software used in cardholder data environment 5. List of service providers which company shares cardholder data - 31-2009

Report on Compliance (ROC) 6. List of third-party payment application products and version numbers 7. List of individuals interviewed and their titles 8. List of documentation reviewed 9. For Managed Service Provider (MSP) reviews, description of what applies to PCI DSS 4. Contact Information and Report Date 5. Quarterly Scan Results 1. Summarize the four most recent quarterly scan results in the Executive Summary 2. The most recent must have a passing scan 3. Scan must cover all externally accessible (Internet-facing) IP addresses 6. Findings and Observations 1. Summarize in the Executive Summary any findings that may not fit ROC format 2. Review and documentation of Compensating Controls Section of ROC - 32-2009

Review of Marketing Collateral 2009 33

Research Firms Ratings Gartner Magic Quadrant Gartner offers the combined brainpower of 1,200 research analysts and consultants who advise executives in 80 countries every day. They publish tens of thousands of pages of original research annually and answer 200,000 client questions every year. Leaders in the subject area are typically in the upper right hand quadrant. June 6, 2008 The Forrester Wave : : Data Leak Prevention, Q2 2008 Websense And Reconnex Top The Leaders Stack, Followed By Verdasys, RSA, And Vericept 2009 34

Vendor Options for Applicable Requirement (sample) 2008/2009 PCI Expenditures 2009 35

Proof of Concept 1. Select those vendors you wish to POC 2. Review marketing collateral for appropriateness 3. Perform company background assessment 4. Schedule vendor presentation and/or Webex inviting SMEs 5. POC will incur an internal cost but not to vendor 6. NDA and SOW for POC reviewed by Legal 7. Develop selection criteria 8. Schedule POC and engage SME time and resources 9. Determine what is required for POC: 1. Appliance 2. Dedicated Server 3. Protect Production Environments 4. Agents 5. Vendor Software 10. Test Functionality 11. Rate Based on POC Results 12. Ensure no confidential data is released when POC is completed 2009 36

POC Assessment Score calculation This is strictly a sample. There are many different ways to perform a rating system. 2009 37

Impact on Environment There are times that a POC cannot be tested using live data or in production. This means that one has to assess the impact to your environment considering the following: Calculate the expected EPS (events per second) in POC tested environment and estimate what would otherwise be in production Consider the logging activity and how much storage would be required Consider whether logging activity would be in line or out of line and its respective affect on latency in production If the package requires agents on target devices, determine the latency, performance, or accessibility issues to production Determine if special training, skills, or SME resources will be required to hire or engage from vendor or other PS firms 2009 38

All Vendors Must Provide References Reference Calls Pick those references that are similar to your environment Don t pick references with dissimilar platforms Request that only you and the reference caller is on the call not the vendor Make sure the reference caller does not have a conflict of interest with vendor (e.g., partner) What was the driver for looking for a vendor solution? How long have they had the product? What other products did they look at? POC? Why did they chose this one? Were they satisfied with the POC engineer? Knowledgeable? Responsive? Did they have to spend a lot of time making it run in their environment? Now that they have had time with product, what doesn t it do that you would have liked to see or know before you made the decision to buy? Do they believe the cost was fair and worthy of the product value? Did the product ultimately help them being PCI compliant? 2009 39

Cost Cost should not be the, but one of the, primary factor for selecting a vendor Cost is relative but all prices are negotiable with the vendor Never pay list price; don t let it scare you to consider vendor See if the package can be bundled with other products from same vendor Hold off for month end, quarter end or year end to decide, if possible; vendors have sales goals that you can use to leverage on cost Don t waste the vendor s time if you have no intention of buying If the cost between vendors is not close, determine if the functionality (POC results) far outweighs the cost delta If the cost if greater than your budget, determine if the estimated ROI (POC results) far outweighs the cost delta Share the cost with Information Security, Network, IT, development groups, Audit, Risk Management, SOX group, and/or PCI group If software, consider downloading and save on taxes 2009 40

Management Buy-In No one likes surprises and neither does management Don t inform management what the product will cost at the end of your negotiations with vendor Keep track of your budget and never let the vendor know what it is Keep management informed of your vendor negotiations Get Legal buy in on solution; this helps management feel comfortable to buy Get IT buy in on solution; this helps management comfortable on solution Always show management you performed good due diligence in selecting vendor Show the list versus actual cost of solution Make your management look good; ultimately you will look good as well Pretend this is your company (you own it) and you are making the decision to buy; would you? 2009 41

Contract Negotiations Have someone in Legal (attorney) assigned to help you with contract negotiations Need Terms and Conditions (for POC and for purchase) Need License Agreement (for POC and for purchase) Sometimes, after all the time spent on POC, one or both Legal departments (yours and vendors) will not agree; so sale Most, if not all, of the time, contract negotiations are mutually agreeable Termination clauses (For Cause or For Non Cause) Limitation of Liability clauses (bilateral) Right to Audit clauses If code is involved or software, consider escrow clauses Non disclosure clauses 2009 42

2009 43

Biography Miguel (Mike) O. Villegas is the Director of Information Security at Newegg, Inc. and is responsible for Information Security, Business Continuity Management, and PCI DSS (Payment Card Industry Data Security Standard) compliance. Newegg, Inc. is one of the fastest growing E Commerce companies established in 2001 and exceeded revenues of over $2 Billion in 2008. Mike has over 25 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Ernst & Young and Arthur Andersen over their information systems security and IS audit groups over a span of nine years. Mike is a CISA and CISSP. He was the SF ISACA Chapter President during 2005 2006 and the SF Fall Conference Co Chair from 2002 2007. He also served for two years as Vice President on the Board of Directors for ISACA International. Currently, Mike is currently a Director in the LA ISACA Chapter, involved with the LA ISACA Spring Conference Committee, and is the CISA Review Course Coordinator. 2009 44

Questions & Answers - 45-2009 - 45 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information