PCI DSS Gap Analysis Briefing
The University of Chicago
October 1, 2012
Walter Conway, QSA, 403 Labs, LLC
Agenda
- The PCI DSS ecosystem
  - Key players, roles
  - Cardholder data
  - Merchant levels and SAQs
- UofC's PCI Gap Analysis
University of Chicago PCI DSS Overview, Walter Conway, QSA, 403 Labs, LLC, 2012
Walt Conway and 403 Labs
- PCI QSA, consultant, blogger, trainer, speaker, author
  - Former Visa VP
  - Consults with schools to become PCI compliant
- 403 Labs: information security consulting firm
  - PCI QSA and PA-QSA, ASV, PCI Forensic Investigator (PFI), P2PE (QSA and PA-QSA)
Some PCI DSS Basics
- Payment Card Industry Data Security Standard
- Goal is to protect cardholder data
  - And to keep UofC out of the headlines
  - PCI does not make you secure
- If you take plastic, PCI applies to you
- PCI scope includes people, processes, and systems that
  - Store, process, or transmit cardholder data (UofC's Cardholder Data Environment)
  - And all connected systems
Some PCI DSS Basics
- PCI is a program, not a project
- Two things you need to accept about PCI
  - Your costs have gone up
  - You will change the way you do business
The PCI Ecosystem
- Manufacturers: PCI PTS (PIN Entry Devices)
- Software Developers: PCI PA-DSS (Payment Applications)
- Merchants & Service Providers: PCI DSS (Secure Environments)
- P2PE
PCI Security: ecosystem of payment devices, applications, infrastructure and users
PCI DSS: 6 Goals, 12 Requirements
Key Players
- PCI Security Standards Council
  - Global forum to enhance global payment security
  - Multiple standards: PCI DSS, PA-DSS, PCI PTS, and P2PE
  - Approves assessors (QSAs) and scan vendors (ASVs)
  - Develops the Self-Assessment Questionnaire (SAQ)
  - Develops and publishes PCI documentation
Key Players
- Five payment brands
  - Track compliance and enforce standards (fines, sanctions)
  - Determine event response (forensics)
  - Define merchant levels
- Acquirers (merchant banks) and processors
  - Set UofC's merchant level
  - Determine UofC's compliance
  - Approve compensating controls
PCI Compliance is Widespread
U.S. PCI DSS Compliance Status*

Merchant Level          | Estimated Population Size | Estimated % of Visa Transactions | Validated PCI DSS Compliant | Validated Not Storing Prohibited Data
Level 1 Merchant (>6M)  | 403                       | 50%                              | 97%                         | 100%
Level 2 Merchant (1-6M) | 1,058                     | 13%                              | 93%                         | 100%
Level 3 Merchant (>6M)  | 3,218                     | <5%                              | 60%                         | N/A
Level 4 Merchant (<1M)  | ~5,000,000                | 32%                              | Moderate**                  | TBD

* As of June 30, 2012
** Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications
Who are the High Risk Merchants?
Merchant Level Determines Validation
- Level 1 (>6 million trans/yr, by brand)
  - Visa and MasterCard: annual on-site assessment; quarterly network scan by Approved Scanning Vendor (ASV); Report on Compliance (ROC)
  - Amex: annual on-site security audit; quarterly network scan by ASV
- Level 2 (>1 million trans/yr, by brand)
  - Visa: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV
  - MasterCard: same as Level 1
  - Amex: quarterly network scan by ASV
- Level 3 (>20K e-commerce)
  - Visa and MasterCard: annual SAQ; quarterly network scan by ASV
  - Amex: recommended quarterly network scan by ASV
- Level 4 (determined by acquirer)
  - Annual SAQ; quarterly network scan by ASV
Self-Assessment Questionnaire (SAQ)
Level 3 and 4 merchants self-assess

SAQ  | Merchant type                                                                                              | Length
A    | Card-not-present merchants, all cardholder data functions outsourced, no electronic cardholder data storage | 13 items
B    | Imprint-only merchants, no electronic cardholder data storage                                              | 29 items
B    | Stand-alone terminal merchants, no electronic cardholder data storage                                      | 29 items
C    | Merchants with POS systems connected to the Internet, no electronic cardholder data storage                | 80 items
C-VT | Merchants who process cards on isolated virtual terminals connected to the Internet                        | 51 items
D    | All other merchants and service providers                                                                  | 280+ items

Shortened SAQ only if no electronic cardholder data
Cardholder Data
Cardholder Data
PAN: OK to store first six and/or last four digits
Source: PCI SSC
Why Store Cardholder Data?
Policy: No electronic card data stored on any UofC device
But what about?
- Recurring payments: acquirer has alternatives
- Chargebacks, refunds: let acquirer store PAN
- Legal requirements: these apply to banks
- Paper receipts: reprogram/upgrade terminals to truncate both receipts
- Payment applications: confirm with vendor or acquirer that software does not store sensitive data
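Added example (not from the deck or 403 Labs): how the PAN rule on the Cardholder Data slide (first six and/or last four digits may be kept in the clear) and the receipt-truncation point above look in code. It masks a PAN to first six / last four and scans receipt-style text for card numbers stored in the clear, using a Luhn check so that digit runs such as order numbers are not flagged. The log lines and the 4111 1111 1111 1111 test number are constructed sample input.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Reduce a PAN to the first six / last four that PCI DSS allows in the clear."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        return "*" * len(digits)        # too short to keep anything safely
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Return digit-only PANs found in the clear (Luhn-valid candidates only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Rewrite text so every Luhn-valid PAN is reduced to first six / last four."""
    def fix(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(fix, text)


# Constructed sample: a receipt-style log with one unmasked card number, one
# already-truncated number, and a 14-digit order id that is not a PAN.
SAMPLE_LOG = """2012-10-01 12:31 POS1 sale 42.00 card 4111 1111 1111 1111 approved
2012-10-01 12:32 POS1 sale 18.50 card 411111******1111 approved
2012-10-01 12:33 WEB order 20121001123456 paid via hosted page"""
```

Running `find_unmasked_pans` over exported receipts or application logs is a cheap way to check the "no electronic card data stored" policy holds; `redact_pans` shows what truncated output should look like.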
SAQ A
- Card-not-present merchants only
  - E-commerce, mail order/telephone order (MOTO)
  - Never applies in a face-to-face POS environment
- Card processing is outsourced
  - No cardholder data stored, processed, or transmitted on your systems
- Service provider is PCI compliant
- Only paper records, not received electronically
- No electronic cardholder data
SAQ A Merchant
School Website --(PAY)--> Secure Third-Party Website
Students log into the school site and are redirected to a PCI compliant service provider to enter payment. No payment data are stored, processed, or transmitted on the school's systems. Payment card data are entered and processed on the PCI compliant service provider's site.
SAQ B
- For merchants with stand-alone dial-up terminals or imprinters (aka zip-zap machines)
  - Brick-and-mortar, MOTO, or e-commerce
- Dial-up terminals
  - Not connected to any other systems
  - Not connected to the Internet
- Paper records, not received electronically
- No electronic cardholder data
SAQ C
- Payment application and Internet connection on the same device
  - Card-present or card-not-present merchants
  - Can be a POS or shopping cart application
- Device not connected to any other system
- Store only paper records, not received electronically
- No electronic cardholder data
- Payment application vendor provides remote support securely
SAQ C-VT
- Merchant uses a virtual terminal
  - Web browser connected to a processor that hosts the payment processing function
  - Enter card data manually (no mag stripe reader), via a secure connection, one transaction at a time
  - Brick-and-mortar or MOTO
- Single payment terminal: isolated, fixed
- Other requirements same as SAQ C
SAQ D
- Everybody else
- 280 questions
- All 12 PCI requirements
SAQ A, Outsourcing OMG!
Customer Service
- Merchant outsources e-commerce payments (hosted)
- MOTO, fax orders persist
- Staff enter transactions on their workstations
- Workstations are not isolated
- Result: staff workstations and all connected systems are in PCI scope
Result: SAQ D
- 280+ questions
- Full PCI DSS including scans and pen testing
Other SAQ OMG!
- Dial-up POS terminal (SAQ B)
  - Card numbers on daily batch tape
  - Non-compliant PIN entry devices
  - Solution: upgrade or replace device
- Virtual terminal (SAQ C or C-VT)
  - Not isolated: device connects to other systems
  - Not dedicated: device used for other purposes
  - Solution: segment network, restrict terminal use
Result: SAQ D
Conclusion: not easy to qualify for a shortened SAQ
Requirement 0: Minimize Scope
What it says:
- Stop and take a breath
- Don't accept the status quo as fixed
What it means:
- Minimize scope to reduce PCI cost and effort
- Your mantra: "If you don't need it, don't keep it"
How to comply:
- Accept the two "Laws of PCI": Your costs will go up. You will change the way you do business.
UofC's PCI DSS Gap Analysis
- Identify compliance gaps: no harm, no foul
  - Meet with all UofC merchants and IT
  - Understand business needs, processes, technology
  - Identify gaps and recommend remediation options
  - Provide options so merchants can meet business requirements
- Goal: minimize UofC's PCI scope (and risk)
  - Simplify PCI compliance validation
  - Identify business process changes (often hard!)
  - Identify infrastructure changes (expensive)
- Reporting
  - Debriefing session at conclusion of onsite
  - Written report
Thank You
Your comments? Questions? Thoughts?
Walter Conway
wconway@403labs.com
877.403.5227, ext. 223 (or: 415.690.6876)
www.403labs.com
Follow my PCI column at storefrontbacktalk.com
Higher Education PCI blog (Treasury Institute): treasuryinstitutepcidss.blogspot.com