Customer PCI 3.0 Changes = New Opportunity For You
Giles Witherspoon-Boyd, SecurityMetrics

Who is this guy?
- Giles Witherspoon-Boyd, PCIP
- 15 years in technology, 4 years at SecurityMetrics
SecurityMetrics
- Helps companies comply with regulatory requirements (PCI, HIPAA, GLBA)
Merchant to-dos
- Update 3rd party contracts*
- Use PCI DSS validated 3rd parties*
- Self assessment (up to 250 questions)
- Vulnerability scan
- Unencrypted card data scanning
- Employee training, implementation
- Policies and procedures
- Network/system updates
- Send compliance report to acquirer
- Avoid processor fees ($25 - $200/mo)

The problem with PCI
- Businesses feel PCI is too complicated
- They aren't trained in security
- They don't have time
- It changes (PCI 3.0)
- Too technical
- Little/no resources from PCI Council
- Little/no education about new tech
- Still neglect key areas of security

Top vulnerabilities
- Insecure remote access
- Lack of industry-standard malware scanning
- Unencrypted stored payment card data
- Nonexistent or improperly configured firewall rules
- Lack of POS environment segmentation
- Insecure web protocols/lack of dedicated servers
- Irregular/inadequate vulnerability scanning
- Lack of new technologies (software patches, hardware)
How can you help them through it?
Start with baby steps
- Reduce scope
- Reduce frustration
- Educate customer and staff
- How to protect themselves financially
- Simplify their network
- Give them tools

Changes and clarifications
Table 2: Summary of Changes
https://www.pcisecuritystandards.org/documents/pci_DSS_v3_Summary_of_Changes.pdf
Compliance vs. validation
- All SAQs state that you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant
- Validation is based on risk
- Merchants may only have to validate a few PCI requirements, but must still be compliant in full
- Risk is based on card processing volume and card data handling methods

An SAQ
- A merchant's statement of compliance
- Acquiring bank asks merchant for completed SAQ
- Bank's responsibility to track merchant PCI compliance
- Merchant's responsibility to accurately complete SAQ

Learn about the SAQ
https://www.pcisecuritystandards.org/approved_companies_providers/index.php
- SAQ A
- SAQ A-EP
- SAQ B
- SAQ B-IP
- SAQ C
- SAQ C-VT
- SAQ D for Merchants
- SAQ D for Service Providers
- SAQ P2PE-HW
Offer a more complete solution
SAQ A & A-EP
- Ensure redirect to the third party is secure
- Ensure third party provider is PCI compliant
- Clearly define roles

SAQ B & B-IP
- Receipts may contain card numbers
- POS terminal software not kept updated
- Ensure policies are in place to protect card data

SAQ C & C-VT
- Ensure data is not stored
- Payment system isolated within its own network environment
- PA-DSS compliant payment software
SAQ P2PE-HW
SAQ D: Anti-malware
- Detect, clean malware, spyware, adware
- Only allow access to network and payment systems to those who really need it

SAQ D: External/internal vulnerability scanning
- PCI authorized scan vendor for external scanning
- Work until scans are clean

SAQ D: Penetration testing
- Annually or after significant upgrade or modification
Documentation of security policies
- Review regularly
- Employees sign annually

SAQ D: Secure encryption for stored data
- Do you really need to store PAN data?
- If so, strong encryption and proper key management is needed
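The "unencrypted card data scanning" to-do and the "do you really need to store PAN data?" question both come down to finding card numbers that were never meant to be kept. Below is an added example (not from the presentation or from SecurityMetrics' tools) of the core of such a scan: a Luhn check to separate real PANs from other digit runs, and masking of anything found to first six and last four. The sample text and the names SAMPLE_TEXT, PAN_PATTERN, luhn_valid, mask_pan and find_unencrypted_pans are constructed for this example.

```python
import re

# Constructed sample of lines a scan of a merchant's files might hit.
# The card numbers are well-known test PANs, not real cards.
SAMPLE_TEXT = """\
order=1001 card=4111111111111111 exp=12/26
order=1002 card=4111 1111 1111 1112 exp=01/27
invoice 5500-0000-0000-0004 paid
phone 5551234567890123 is not a card
"""

# Candidate PAN: 13 to 19 digits, optionally grouped by spaces or dashes,
# not embedded inside a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like
    card numbers (phone numbers, order ids, invoice numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first six and last four digits when reporting a finding,
    so the scan report itself does not become stored cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unencrypted_pans(text: str) -> list[dict]:
    """Return one finding (line number, masked PAN) per Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits)})
    return findings


if __name__ == "__main__":
    for f in find_unencrypted_pans(SAMPLE_TEXT):
        print(f"line {f['line']}: possible stored PAN {f['masked']}")
```

Lines 2 and 4 of the sample fail the Luhn check and are not reported; a real scan would walk files and databases in the same way, which is also the first step in deciding whether the stored PAN can simply be removed instead of encrypted.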
SAQ D: Design network correctly
- Segment network
- Set up firewalls correctly
Logging
- Active logging of all systems in the card environment, review daily

SAQ D: Physical security
- Restrict access to network jacks, wireless access points, network hardware
- ID badges; visitors must be authorized, sign a log, and be given a physical token of visitor status

SAQ D: Regular operating system and software updates
- Install critical security patches within 30 days for OS, POS, and supporting software
- Track system and software configuration changes

SAQ D: Remove system defaults
- Change defaults before adding to cardholder network (passwords, SNMP, wireless security)
Healthcare mandates
- Security policies
- Employee training
- Firewall
- Etc.

Recap
- Be a trusted advisor
- Partner with a company whose core competency is data security
- Add additional revenue streams
Questions? gilesw@securitymetrics.com