WINNING THE PCI COMPLIANCE BATTLE


WHITE PAPER: A Guide for Merchants and Member Service Providers

Table of Contents
I. The Payment Card Industry Locks Down Customer Data
II. Compliance Requirements of the PCI Data Security Standard
III. Participation and Validation Requirements
IV. Selecting a PCI Network Security Testing Service
V. Introducing On Demand PCI: QualysGuard PCI
VI. Automating the PCI Validation Process

"The things that PCI is looking for are really the motherhood and apple pie issues of security: making sure that firewalls are only passing traffic on accepted and approved ports, that servers are running only those services that really need to be live, that databases aren't configured with vendor-supplied defaults. It's all standard security-assessment stuff."
Diane Kelly, Vice President and Service Director, Burton Group

I. The Payment Card Industry Locks Down Customer Data

The last several years have seen an unprecedented assault on personal and financial data that customers have knowingly or unwittingly entrusted to retailers, banks, service providers and credit card companies. Bank of America, BJ's Wholesale Club, CardSystems Solutions, ChoicePoint, Citigroup, DSW Shoe Warehouse, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia are just a few of the names that have been boldly exposed in the media and pummeled in the financial markets after major data security breaches were revealed. Credit card data in particular has been compromised so frequently that calls for government intervention and regulation became widespread.

Taking another approach, the payment card industry countered the criminal onslaught with a homegrown security initiative that is at once broader in scope and more granular in its requirements than any measures additional government regulation might have imposed. The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.

PCI, as it is almost universally known, was originally developed by MasterCard and Visa through an alignment of the security requirements contained in the MasterCard Site Data Protection Plan (SDP) and two Visa programs, the Cardholder Information Security Program (CISP) and the international Account Information Security (AIS) program. In September 2006, a group of five leading payment brands, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.

"There's no other regulatory or industry compliance requirement that's quite this granular. PCI is kind of its own unique animal, but the data you collect in a PCI compliance scan can be useful in meeting many other kinds of audit and assessment requirements: an ISO 27001 certification or a Sarbanes-Oxley audit, for instance. You'll be looking at many of the same things. After all, most compliance comes down to things like whether your firewall is correctly configured."
Diane Kelly, Vice President and Service Director, Burton Group

II. Compliance Requirements of the PCI Data Security Standard

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The core requirements are organized in six categories:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Figure 1: PCI DSS Principles and Requirements

III. Participation and Validation Requirements

While the newly established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by the individual payment card brands. Although requirements vary between card networks, MasterCard's Site Data Protection Plan and Visa's Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and for service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and the corresponding risk exposure, as outlined in Figure 2.

MERCHANT & SERVICE PROVIDER LEVELS & VALIDATION ACTIONS

Merchant Level 1
  Criteria: Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any merchant that suffered a security breach resulting in an account compromise
  On-site security audit: Required annually *
  Self-assessment questionnaire: Not required
  Network scan: Required quarterly

Merchant Level 2
  Criteria: Any merchant processing between 150,000 and 6 million transactions per year
  On-site security audit: Not required
  Self-assessment questionnaire: Required annually
  Network scan: Required quarterly

Merchant Level 3
  Criteria: Any merchant processing between 20,000 and 150,000 transactions per year
  On-site security audit: Not required
  Self-assessment questionnaire: Required annually
  Network scan: Required quarterly

Merchant Level 4
  Criteria: All other merchants not in Levels 1, 2 or 3, regardless of acceptance channel
  On-site security audit: Not required
  Self-assessment questionnaire: Required annually
  Network scan: Required quarterly

Service Provider Level 1
  Criteria: All processors and all payment gateways
  On-site security audit: Required annually *
  Self-assessment questionnaire: Not required
  Network scan: Required quarterly

Service Provider Level 2
  Criteria: Any service provider that is not in Level 1 and stores, processes or transmits more than 1 million accounts / transactions annually
  On-site security audit: Required annually *
  Self-assessment questionnaire: Not required
  Network scan: Required quarterly

Service Provider Level 3
  Criteria: Any service provider that is not in Level 1 and stores, processes or transmits less than 1 million accounts / transactions annually
  On-site security audit: Not required
  Self-assessment questionnaire: Required annually
  Network scan: Required quarterly

* On-site security audits may be conducted through Qualys PCI Consulting Partners: http://www.qualys.com/partners/pci

Figure 2: Merchant & Service Provider Levels and Validation Actions

Validation Requirements

Annual on-site security audits. MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party auditor.

Annual self-assessment questionnaire. In lieu of an on-site audit, smaller merchants (levels 2, 3 and 4) and service providers (level 3) are required to complete a self-assessment questionnaire to document their security status.

Quarterly external network scans. All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous: all 65,535 ports must be scanned, all detected vulnerabilities of level 3-5 severity must be remediated, and two reports must be issued: a technical report that details all vulnerabilities detected, with solutions for remediation, and an executive summary report with a PCI-approved compliance statement suitable for submission to acquiring banks for validation.
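The pass/fail logic behind the quarterly scan requirement described above can be made concrete in a few lines. The following Python is an added example written for this page; it is not Qualys code and does not reflect how QualysGuard PCI is implemented. It assumes a 1-to-5 severity scale (the text only says "level 3-5 severity must be remediated"), treats full coverage as 65,535 ports per host, lets a finding be marked as a confirmed false positive so it stops blocking the verdict, and produces the two report shapes the text names: a technical report with remediation advice and an executive summary with the compliance verdict. The hosts, findings and severities are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Thresholds taken from the validation rules in the text: every one of the
# 65,535 ports must be scanned, and every finding of severity 3 to 5 must be
# remediated before the quarterly scan can be reported as passing.
TOTAL_PORTS = 65535
FAIL_SEVERITY = 3


@dataclass
class Finding:
    host: str
    port: int
    severity: int          # 1 (lowest) to 5 (highest); this scale is an assumption
    title: str
    solution: str          # remediation guidance carried into the technical report
    false_positive: bool = False   # True once the finding is confirmed as a false positive


@dataclass
class Scan:
    merchant: str
    ports_scanned: int      # distinct ports the scanner covered on each external host
    findings: List[Finding] = field(default_factory=list)


def open_findings(scan: Scan) -> List[Finding]:
    """Findings that still block compliance: severity 3-5 and not dismissed as false positives."""
    return [f for f in scan.findings
            if f.severity >= FAIL_SEVERITY and not f.false_positive]


def is_compliant(scan: Scan) -> bool:
    """A scan passes only with full port coverage and no open severity 3-5 findings."""
    return scan.ports_scanned >= TOTAL_PORTS and not open_findings(scan)


def technical_report(scan: Scan) -> List[Dict]:
    """Detailed report: every finding with its remediation, highest severity first."""
    rows = []
    for f in sorted(scan.findings, key=lambda f: -f.severity):
        if f.false_positive:
            status = "false positive"
        elif f.severity >= FAIL_SEVERITY:
            status = "must remediate"
        else:
            status = "informational"
        rows.append({"host": f.host, "port": f.port, "severity": f.severity,
                     "title": f.title, "solution": f.solution, "status": status})
    return rows


def executive_summary(scan: Scan) -> Dict:
    """Short report for the acquiring bank: the verdict and the reasons behind it."""
    reasons = []
    if scan.ports_scanned < TOTAL_PORTS:
        reasons.append(f"only {scan.ports_scanned} of {TOTAL_PORTS} ports scanned")
    for f in open_findings(scan):
        reasons.append(f"severity {f.severity} open on {f.host}:{f.port} ({f.title})")
    return {"merchant": scan.merchant, "compliant": is_compliant(scan), "reasons": reasons}


# Constructed sample: one external host (RFC 5737 documentation address) with
# three made-up findings, two of which are above the remediation threshold.
SAMPLE = Scan(
    merchant="Example Merchant (constructed)",
    ports_scanned=TOTAL_PORTS,
    findings=[
        Finding("203.0.113.10", 443, 4, "TLS service accepts SSLv2",
                "Disable SSLv2 in the TLS configuration"),
        Finding("203.0.113.10", 21, 3, "FTP allows anonymous login",
                "Disable anonymous FTP or remove the service"),
        Finding("203.0.113.10", 80, 1, "Server banner discloses version",
                "Suppress the version string in the banner"),
    ],
)

if __name__ == "__main__":
    print(executive_summary(SAMPLE))
    for row in technical_report(SAMPLE):
        print(row)
```

Running the block reports the sample merchant as non-compliant with two reasons (the severity 4 and severity 3 findings); the severity 1 finding is listed in the technical report as informational but does not affect the verdict. A partial port sweep fails on coverage alone even with no findings, which is the check most often missed when a scan is scoped to "common ports".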

"First of all, you have to use an approved PCI vendor, so that's pretty much a binary decision. Beyond that, customers really need to consider their comfort level with the service provider's methodology: the way that reports are presented and the level of transparency into the data collection process. Intrusiveness is also an important consideration: some scanning tools are more invasive than others, and customers need to be sure that these are low-touch processes that won't cause disruption on their networks. Reusability of the scan data in other security management processes and with other SIM tools is another thing to look for. This is good data they're getting, and it's applicable beyond PCI."
Diane Kelly, Vice President and Service Director, Burton Group

Validation Enforcement

While non-compliance penalties also vary among the major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Since compliance validation requirements and enforcement measures are subject to change, merchants and service providers should closely monitor the requirements of all card networks in which they participate.

IV. Selecting a PCI Network Security Testing Service

At first exposure, PCI compliance and validation requirements can appear daunting, particularly the external scan requirement. Merchants can simplify the selection process by establishing a few key selection criteria. Three important things to look for in a PCI network scanning service are:

Accuracy. It is extremely important that a testing service be able to accurately identify real vulnerabilities and not generate a large inventory of false positives, each of which must be manually evaluated for remediation. False positives (and false negatives) can significantly and unnecessarily inflate the workload and labor costs of maintaining PCI compliance.

Efficient vulnerability remediation process. The service provider must offer tested and documented remediation processes for all identified vulnerabilities, and provide expert technical support assistance.

Automated report preparation and online filing. Automatic report preparation and electronic filing greatly simplify compliance administration and reduce the attendant workload.

"For us, the major advantage of an online service like QualysGuard PCI is that it's accessible from everywhere in the world. That lets us perform the external network scan as part of our onsite work with a customer. Another advantage is the fact that it is tailored specifically for PCI compliance evaluation, including the reports. That saves us time and saves the customer money."
Stephan Engelke, Security Consultant and PCI Auditor, Excelsis Business Technology

"PCI compliance is extremely intimidating for organizations relying on the payment card industry for the majority of their transactions. The QualysGuard PCI On Demand platform reduces the cost and complexity of security and compliance for organizations through the software-as-a-service model."
Dr. Michael G. Mathews, CTO, CynergisTek

Rose Ryan, J.D., a research analyst in IDC's Security Products and Services group, urges merchants to also consider the service provider's background and core expertise. "The most successful vendors in this space have a history in security assessment and management as well as compliance services. I also think it's important to evaluate a provider's ability to adapt as requirements change, and look for good partnerships in the consultant community for remediation referrals." Smaller companies should also search out specialized PCI offerings from established security management providers that help make PCI compliance affordable.

V. Introducing On Demand PCI: QualysGuard PCI

One such specialized solution is QualysGuard PCI, a network scanning, security assessment and reporting platform delivered on QualysGuard, the industry-leading on demand solution for vulnerability management and policy compliance. QualysGuard PCI is provided on demand as a Web application, with no hardware or software to be installed and maintained on the customer network. It allows merchants and service providers to complete all validation requirements. Using QualysGuard PCI, users can easily complete and submit the PCI self-assessment questionnaire online, and perform pre-defined PCI scans on all external systems to identify and resolve the network and system vulnerabilities covered by the PCI standard.

Figure 3: QualysGuard PCI Dashboard

QualysGuard PCI is certified by the PCI Council for network scanning and PCI compliance validation, and is used worldwide by merchants, security consultants and network-certified PCI auditors. Consultants and security auditors can use QualysGuard PCI in their practice to help clients achieve compliance in an efficient manner.

"With Tribune's distributed organizational structure and heterogeneous environment, we needed a rapid and economical way to scan for and eliminate server vulnerabilities. The QualysGuard PCI On Demand platform and the services of CynergisTek are helping us to verify the PCI compliance of our IT infrastructure."
Dr. Joshua Seeger, CIO, Tribune Broadcasting

"Since our business is PCI compliant, I was familiar with and had used other PCI compliance services. I was very surprised at the thoroughness of the scan from Qualys. It discovered issues that had not been brought to my attention from other compliance scans."
Sam Lehrfeld, CIO, KneeDraggers.com Inc.

Key features of QualysGuard PCI include:

- An online self-assessment questionnaire that lets the user revisit the questionnaire as often as necessary, and enables collaboration with other members of the organization.
- Unlimited PCI scanning for all systems within the user account. An organization can scan all external systems on a quarterly basis or on an as-needed basis in order to reach compliance.
- PCI reporting that delivers executive-level and technical reports as defined by the PCI standard.
- Online filing that automatically notifies the acquiring bank when a merchant achieves PCI compliance.
- A friendly and fast process to address and eliminate false positives detected during scans.

But the most important feature of QualysGuard PCI is the Six Sigma level of accuracy made possible by the industry's most complete vulnerability knowledgebase, an encyclopedic inventory of thousands of known vulnerabilities that covers all major operating systems, services and applications. The result is a current error rate of less than 3.4 defects per million production scans.

VI. Automating the PCI Validation Process

Achieving PCI compliance may seem at first like an insurmountable task, but in fact the PCI Data Security Standard requirements represent fundamental security best practices that should be observed by any organization with IT systems and data to protect. Because networks are always connected, new devices are constantly being added, and new vulnerabilities are discovered daily, the possibility of exploitation is ever-present. PCI delivers best-practice approaches that help keep companies on top of this ever-evolving situation, ensure compliance, and secure the cardholder information stored within their networks.

For additional information and a 14-day free trial showing how Qualys On Demand PCI can help make PCI compliance an automated, effective process for continuous security improvement, visit Qualys on the Web at http://www.qualys.com/products/qgpci/.

www.qualys.com

USA: Qualys, Inc., 1600 Bridge Parkway, Redwood Shores, CA 94065. T: 1 (650) 801 6100, sales@qualys.com
UK: Qualys, Ltd., 224 Berwick Avenue, Slough, Berkshire SL1 4QT. T: +44 (0) 1753 872101
Germany: Qualys GmbH, München Airport, Terminalstrasse Mitte 18, 85356 München. T: +49 (0) 89 97007 146
France: Qualys Technologies, Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie. T: +33 (0) 1 41 97 35 70

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 10/06