Risk and Rewards For PCI DSS 3.1 Compliance. What Is PCI DSS?




Risk and Rewards For PCI DSS 3.1 Compliance

What risks exist if I don't become compliant? What do I gain by being compliant?

What Is PCI DSS?
- PCI DSS is an acronym for Payment Card Industry (PCI) Data Security Standard (DSS).
- Started in 2002 with the VISA CISP program for protection of the Cardholder Data (CHD) and the Cardholder Data Environment (CDE).
- Grew over the years to PCI DSS version 3.1 as of this presentation.
- Represents only the five card brands below: VISA (International and VISA Europe), MasterCard, Discover, American Express, JCB.
- PCI covers logical data and physical data in all forms and formats.

Quiz: True (T) or False (F)
1. I am a Level 3 merchant, so I do not need to be PCI compliant. T / F
2. I report on a SAQ and do not need to be compliant with all of the requirements. T / F
3. My POS devices are fully managed by a service provider, so I do not need to worry about them, as I contracted this risk to them. T / F
4. I use Authorize.Net and PayPal for credit card processing, so I do not have to be PCI compliant. T / F
5. I am permitted to store the security code for my customers, as they have monthly recurring charges. T / F
6. I segmented my CDE from all other networks by use of a firewall that all devices must pass through, so this CDE is the only segment in scope for PCI. T / F

Quiz Answers and PCI Facts
If you answered True for any of the six quiz questions you are incorrect, as all six are false statements.
- Your company obligated itself to maintain PCI compliance by the contract it signed to accept credit cards.
- Proof of PCI DSS compliance is an annual requirement, and the evidence must be gathered in that twelve-month period: new evidence each year.
- You cannot outsource your PCI compliance if any part of the data flows through your systems.
- If you only have historic paper PCI data, you must still be PCI compliant.
- If you file with a SAQ, the instructions explicitly explain that you are required to be compliant with 100% of the requirements applicable to your merchant activities.

What Does PCI Cover?
PCI DSS covers:
- People: all people that can or do interact with the CHD and/or the CDE.
- Process: all processes that touch or impact the CHD.
- Technology: all technologies that are used to secure, administer, manage, or touch the CDE and CHD.

What Are the Six Goals and Twelve Requirements?

PCI DSS 3.1 Has Future-Dated Requirements
- The reason for the future date is to allow you time to meet these requirements.
- Depending on the breaches that occur, these future-dated requirements could move to an earlier date.
- Example: the liability shift for POS devices to be EMV compliant. This date was originally set to 30 June 2016 but was moved to 1 October 2015.
- Yes, the card brands can do this, and you are obligated by your contract to accept credit cards from one of the five PCI card brands.

What Are These Future-Dated Requirements for PCI DSS?

How Many Total PCI DSS Requirements Exist?
- The reporting requirements for PCI DSS 3.0 have approximately 2,800 line-by-line testing requirements covering Requirement 1 through Appendix A inclusive.
- These requirements also have an Executive Summary section that requires additional data, including but not limited to:
  - Network diagrams
  - Data flows
  - List of in-scope LANs or VLANs
  - List of out-of-scope LANs or VLANs
  - List of hardware
  - List of software
  - Testing for Primary Account Numbers (PAN) in plain text
  - Incident response plan, with complete testing annually
  - Quarterly vulnerability scanning, based on your filing date

EMV Compliant POS Devices
- Having EMV compliant POS devices does not remove your company from being 100% compliant with ALL applicable requirements.
- Applicability to you means that the requirements that map to your activity with or to cardholder data are in scope for you.
- Applicability also means that if you use service providers, you also have the responsibility for their actions on your behalf.

What Is PCI Cardholder Data (CHD)?
PCI CHD is:
- Full track data (Track 1, 2, and 3)
- Full Primary Account Number (PAN)
- Sensitive Authentication Data (SAD)

Where Can CHD Exist in Your Systems?
- On workstations
- In databases
- On file shares
- On backup tapes
- In paper reports and spreadsheets
- In email
- In contracts and similar records
- In written notes in files stored in the office and off-site
- Other locations you can identify

What if the CHD Is Old?
- Old does not matter: if it is CHD, you are required to protect it (PAN) or remove it (SAD).
- Old data is generally found:
  - In older DR tapes and backups
  - In older emails
  - On local drives
  - On receipts for historic stored records
  - On hotel folios

What Can You Save After Authorization?
- You can save full PAN data if it is encrypted, tokenized, truncated, or hashed.
  Note: if hashed and truncated values are in the same data set they must be protected, as it is a trivial exercise to reconstruct the PAN from these two data points.
- Name
- Expiration date (with PAN, must be protected)

What Cannot Be Saved After Authorization?
Cannot be saved, even if encrypted:
- Full track data: Track 1, Track 2, Track 3
- Security code: CVV, CVS, or other 3- or 4-digit value. Even for recurring charges this CANNOT be saved.

How Does SAD Get Into Your Data?
SAD comes to you in all forms, including but not limited to:
- Your request as part of the transaction, or as part of the swipe or touch
- Email
- Snail mail (USPO, FedEx, DHL, other)
- FAX
- Voice
- Writing by staff
- Electronic messaging, including but not limited to SMS, tweets, etc.

How to Reduce SAD
- Place blockers on inbound and outbound email to prevent receiving or sending it.
- Train staff not to write down the SAD.
- Ensure your applications securely wipe or do not save SAD after authorization.
- Train your customers not to send this data to you.
- Work with your processor or acquirer to remove the need for this data for non-face-to-face transactions.

What if You Have SAD in Your Systems?
- This data MUST be removed.
- Removal is only possible by a wiping process for electronic data. This involves overwriting multiple times with sequential and random characters:
  - USA minimum iterations is three (3)
  - Global minimum iterations is seven (7)
- What if you cannot wipe? The data must be quarantined and removed from access except for emergencies like court orders.

What if You Have SAD in Your Physical Environment?
- Physical copies with this data must be securely destroyed:
  - Shredding with cross-cut shredders
  - Burning
  - Using certified third parties for secure destruction. Note: if you use this, you must at least annually observe this destruction.
- You must keep a record of your actions.
- You MUST have a copy of their certification of secure destruction.

What About PAN Data?
- PAN data can be retained, but only in specific formats: encrypted, truncated, tokenized, hashed.
- Note: if you have both truncated and hashed values of the PAN in the same database, you have a PCI DSS issue, as this is viewed as a trivial effort to convert to the full PAN.
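An added example, not part of the presentation, showing in Python why the truncated-plus-hashed note above (and the same note under "What Can You Save After Authorization?") matters, and what a keyed hash changes; the card number, column names and secret key are constructed values:

```python
"""
Added example (not from the presentation): why a truncated PAN stored beside an
unkeyed hash of the same PAN is a PCI DSS issue, with a keyed hash as one
mitigation. The card number used below is a constructed test value.
"""
import hashlib
import hmac
import secrets

def luhn_valid(pan):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan):
    """PCI-style truncation: first six and last four digits kept, middle masked."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def candidates_after_truncation(truncated):
    """
    Number of PANs consistent with a truncated value. Each masked digit adds a
    factor of 10; the Luhn check digit removes one factor of 10, because for any
    fixed prefix exactly one completion in ten is Luhn-valid. For first6/last4
    of a 16-digit PAN that is 10**6 / 10 = 100,000 candidates: trivial to test
    against an unkeyed hash, which is the presentation's point.
    """
    masked = truncated.count("X")
    return 10 ** (masked - 1) if masked else 1

def unkeyed_pan_hash(pan):
    """The weak form: plain SHA-256 of the PAN. Anyone holding the truncated
    value can recompute this for every candidate and compare."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_pan_hash(pan, key):
    """Mitigation: HMAC-SHA256 with a secret key kept outside the database.
    Without the key, the truncated value gives nothing the hash can confirm."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def audit_columns(columns):
    """Flag a table that stores truncated and hashed PAN side by side."""
    findings = []
    if {"pan_truncated", "pan_hash"} <= set(columns):
        findings.append("truncated PAN and hashed PAN in the same data set")
    if "pan_full" in columns:
        findings.append("full PAN stored in clear: encrypt, tokenize, truncate or hash it")
    return findings

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, Luhn-valid
    trunc = truncate_pan(pan)
    print(trunc, "leaves", candidates_after_truncation(trunc), "candidate PANs")
    print("unkeyed hash:", unkeyed_pan_hash(pan)[:16], "...")
    print("keyed hash  :", keyed_pan_hash(pan, secrets.token_bytes(32))[:16], "...")
    print(audit_columns(["customer_id", "pan_truncated", "pan_hash"]))
```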

Liability Shift: 1 October 2015
- The date had originally been set to 30 June 2016.
- VISA and MasterCard moved it forward to help prevent the losses sustained during the Christmas season in 2014 and prior, during high-purchase times for face-to-face transactions.
- Yes, they know more transactions occur over the internet, but this face-to-face loss is substantial, and EMV compliant devices will help stop these losses.
- The liability shift moves all fraud costs to the acquirer and to the merchant for losses caused by fraudulent cards in card-present transactions.

What Does Liability Mean to My Business?
- Liability shift: the card brands are pushing the liability to protect your environment and your customers' data to you exclusively.
- You will be held accountable for your actions or lack thereof.
- What if I can't afford to make this change? Contract law: contact the card brands and ask for relief, and ensure you have a plan for meeting this. It is unknown if this will work, and it most likely will not work the closer you get to 1 October 2015.
- How can the card brands do this? By contract law. Look at your contract to receive the card data; it covers how you are to follow the requirements set forth at the time of an incident.

The Cost of Not Going to EMV Compliant POS Devices by 1 October 2015
- The card brands (VISA, MasterCard) have stated that as of 1 October 2015, if the merchant has not implemented EMV POS devices and a breach occurs, the full cost of the breach is carried by the merchant.
- Some of these costs are:
  - Your individual losses
  - The processor's losses
  - The acquirer's losses
  - The card brand losses
  - Forensics costs
  - Card replacement costs for all that demand or require this
  - Litigation costs
  - Fines and penalties

Examples of Cost for Breach
Typical cost for breach response:
- Forensics: $500.00 USD per hour from the time they are called until they complete and are back home (24x7). Generally this is 30 to 90 days of two or more forensics specialists.
- Card replacement: approximately $15.00 USD per card, and due to recent cases it is replacing all of the cards for the customer, not just the card having the fraud. Customers normally have 3 or more cards. Includes ALL customers, those breached and those that were not but were in your systems.

Examples of Cost for Breach (Continued)
- Litigation costs: open ended, and can be applied through the total time permitted by the statute of limitations.
  - Class action suits
  - John Doe suits
  - Your cost, card brand cost, processor costs, other cost for outside attorneys and legal specialists
  - Generally in the millions of dollars
- Fines and penalties: up to $500,000 USD per occurrence.
  - Occurrences are defined by the state laws and can be as small as each card.
  - No enforcement to date of individual cards as a threshold.
  - Generally bundled to specific date ranges, but still could result in more than one breach classification.

Examples of Cost for Breach (Continued)
Processor and acquirer losses:
- Cost of their fines
- Cost of legal needs in case of a lawsuit
- Cost of frauds that occurred
- Costs of reworking and purging their systems
- Potential forensics cost for them as a result of your actions

Examples of Cost for Breach (Continued)
- Litigation costs for ALL affected parties due to your lack of compliance.
  - Note: in the US, litigation goes from day one through the end of the statute of limitations.
  - Class action lawsuits: representation in each of the areas where a case is filed.
  - This dollar value can exceed all of the other costs.

OK, What Else Bad Can Occur?
You can be found outside due diligence practices, and if this occurs the following may happen:
- You may be found grossly negligent.
  - This finding can void any cyber insurance.
  - This finding may prohibit the use of any other insurance, like executive insurance.
- You may be individually found at fault.
  - If this occurs, your personal wealth is at risk.
  - The company can only represent one entity, them or you, and I suspect they will represent themselves.
- The business may be forced to close due to bankruptcy caused by the breach.

I Now Have EMV Compliant POS Devices
- The fact that you have EMV compliant POS devices puts you on the plus side of PCI compliance.
- Having them does not make you PCI compliant.
- Not using the EMV compliant POS devices as required in PCI DSS 3.1 will have you working outside PCI compliance.
- You are required by your contract allowing you to accept credit cards to function fully (100%) PCI compliant, regardless of your level.

Merchant Levels
The VISA and MasterCard levels for merchants are:
- Level 1: 6,000,000 or more transactions per card brand per year
- Level 2: 1,000,000 to 6,000,000 transactions per card brand per year
- Level 3: 20,000 to 1,000,000 transactions per card brand per year
- Level 4: 1 to 20,000 transactions per card brand per year

Service Provider Levels
Service provider levels per VISA and MasterCard are:
- Level 1: over 300,000 cumulative transactions per card brand per year
- Level 2: under 300,000 cumulative transactions per card brand per year

Levels and Compliance
- PLEASE NOTE: regardless of your level, you are required to be compliant with ALL (100%) PCI DSS requirements applicable to you.
- Levels only address the methods of reporting the compliance and who can report this for you.
- MasterCard specifically requires all Level 1 and Level 2 merchants to use a QSA firm or an ISA reporting to Internal Audit for the reporting, regardless of whether the report is a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ).

I Have EMV Compliant POS Devices, Now What?
- Having the compliant devices is step one of a many-step process.
- PCI DSS 3.0, and now 3.1, have a specific requirement, 9.9, that requires inspection of these devices to detect tampering and/or substitution of the device.
- This is required to ensure the devices you are using are the ones you acquired and that they have not been tampered with.

PCI DSS Requirement 9.9
PCI DSS 3.0 Requirement 9.9 requires that all POS devices be periodically inspected:
- For tampering
- For substitution
- Covers all POS, including P2PE, EMV, and non-EMV devices
- Requires you to take some form of action to show compliance, such as documenting this inspection as evidence in case an issue comes up.
- Non-enforced or non-validated processes are not processes that will stand up in court.

Oops, I Said Court
- Yes, all of the PCI DSS compliance activities you do or do not do are designed to show the courts how compliant you were at the time of a breach.
- You have never had a breach? Are you 100% sure?
- A server, room clerk, bartender, room service, amenities (including but not limited to spa, golf, bikes, retail) and maid staff generally have access to a customer's credit card at one time or another during their stay.
- Are you certain that none of the above has taken one card for their own use? If they have, this is a breach, and you just did not get detected as the breach point.

I Am Not Technical. How Can I Inspect a POS Device?
- Requirement 9.9 does not require you to be technical.
- It does require you to protect the POS devices from tampering and/or substitution.
- To this end you can:
  - Record and check the serial number of the POS devices to be sure you have the one that was installed.
  - Use tamper-proof serialized seals on the seams of the POS to give an indication of tampering.
  - Record the seal serial number as part of the inspection.

What Should You Do if the POS Shows Signs of Tampering or Substitution?
Actions to take:
- Stop the use of the device.
- Notify Security and IT.
- Gather the inspection records to see when this could have occurred.
- Unplug the device from the equipment it is attached to.
- Remove the device from public and general staff access.
- Report this to the appropriate internal staff member for action.

What You Should Not Do
- Do not reset the POS to its default settings by use of the reset input from the number pad.
- Do not reset the POS to its default settings by use of the reset button.
- Do not allow the POS device to stay in use.

How to Inspect?
What to look for when you are inspecting:
- Yes, it is a POS device.
- Is the serial number the same?
- Has it been unplugged?
- Has the case been opened?
A key for this inspection is to use a serialized tamper-proof seal to allow for proof of no tampering or substitution.

You Convinced Me. I Must Have EMV Compliant POS Devices
- You are not out of risk of being non-compliant with the PCI DSS requirements.
- Having EMV POS devices is only one of the requirements.
- EMV devices do not remove any of the PCI DSS 2,800 requirements, other than that you have them.
- You must meet 100% of the applicable PCI requirements or you are not PCI compliant. 99% compliant is NOT COMPLIANT.
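An added example, not the presenter's material, that turns the Requirement 9.9 inspection steps above (serial number, seal number, case opened, unplugged, and the stop-use response) into a check over inspection records; the device inventory, seal numbers, log entries and the 30-day interval are constructed assumptions:

```python
"""
Added example (not from the presentation): a small checker for the POS device
inspection records Requirement 9.9 expects you to keep. Inventory, seals and the
log are constructed; the 30-day interval is an assumption ("periodically").
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Device:
    serial: str  # serial recorded when the device was installed
    seal: str    # serialized tamper-evident seal applied at install

@dataclass(frozen=True)
class Inspection:
    day: date
    location: str
    serial_seen: str
    seal_seen: str
    case_opened: bool = False
    unplugged: bool = False

INVENTORY = {  # constructed: location -> device installed there
    "front-desk-1": Device("PAX-000111", "SEAL-70001"),
    "bar-1": Device("PAX-000222", "SEAL-70002"),
    "spa-1": Device("PAX-000333", "SEAL-70003"),
}

SAMPLE_LOG = [  # constructed inspection log
    Inspection(date(2015, 9, 1), "front-desk-1", "PAX-000111", "SEAL-70001"),
    Inspection(date(2015, 9, 1), "bar-1", "PAX-000999", "SEAL-70002"),
    Inspection(date(2015, 7, 15), "spa-1", "PAX-000333", "SEAL-70003"),
]

def evaluate(inspection):
    """Compare what the inspector saw against the installed record.
    Returns a list of findings; an empty list means the device passed."""
    expected = INVENTORY.get(inspection.location)
    if expected is None:
        return ["unknown location: no device is recorded here"]
    findings = []
    if inspection.serial_seen != expected.serial:
        findings.append("substitution: serial does not match installed device")
    if inspection.seal_seen != expected.seal:
        findings.append("tampering: seal number changed or seal missing")
    if inspection.case_opened:
        findings.append("tampering: case has been opened")
    if inspection.unplugged:
        findings.append("unplugged: establish when and why, then re-verify serial and seal")
    return findings

def overdue(log, today, max_days=30):
    """Locations whose latest inspection is older than max_days, or never inspected."""
    latest = {}
    for entry in log:
        latest[entry.location] = max(latest.get(entry.location, entry.day), entry.day)
    cutoff = today - timedelta(days=max_days)
    return sorted(loc for loc in INVENTORY if latest.get(loc, date.min) < cutoff)

def run_sample():
    """Evaluate the constructed log as of 15 Sep 2015: findings per location, overdue list."""
    findings = {entry.location: evaluate(entry) for entry in SAMPLE_LOG}
    return findings, overdue(SAMPLE_LOG, today=date(2015, 9, 15))

if __name__ == "__main__":
    findings, late = run_sample()
    for loc, result in findings.items():
        # per the slide: a failed inspection means stop use and notify Security and IT
        print(loc, "PASS" if not result else "STOP USE, notify Security and IT:", result)
    print("overdue for inspection:", late)
```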

Now You Know the Risks. Where Are the Rewards?
- You do in fact have rewards from becoming PCI compliant, beyond the certificate or notes from your processor that you are compliant for that specific year.
- Yes, compliance must be validated annually.
- For those companies going from zero compliance to full compliance there is generally a return on investment (ROI).

ROI for PCI Compliance
These are real dollar savings:
- Refinement in the network to reduce bandwidth needs
- Process-driven change management leading to less downtime
- Trained staff that can better assist the customer faster, allowing for faster sales with less rework
- Better use of technology assets, requiring fewer assets
- Reduced footprint of PCI data by scope reduction, leading to lower cost of operation

Now It's Your Time to Ask
PCI DSS Risk and Rewards
Thank You!

Contact Data
Howard Glavin, CPP, CISM, CRISC, PA-QSA, QSA, CTGA
Senior Vice President, K3DES LLC
904.631.9204 Mobile Phone
904.287.4433 Home Office
904.287.2213 FAX
Secur8ty Skype ID