2. Session Evaluation
Each entry via text or web is a chance to win great NTEN prizes throughout the day!
• Text: send <Insert Session Hashtag Here> to 69866.
• Online: use <Insert Session Hashtag Here> at http://nten.org/ntc/eval
3. Agenda
• The PCI DSS Standard
– What is it? Who are major actors in the process?
• The Scope of the PCI Standard
– How to get started
• Common Myths of PCI
• Developing a Process to Achieve Compliance
– The PCI Prioritized Approach
• Beyond PCI Compliance – What’s Next
• Wrap Up and Final Questions
5. What is PCI DSS?
• PCI DSS = Payment Card Industry Data Security
Standards
• Developed and maintained by the PCI Security Standards Council (PCI SSC)
“The mission of the PCI Security Standards Council is to enhance
payment account security by driving education and awareness of
the PCI Data Security Standard and other standards that increase
payment data security.”
http://www.pcisecuritystandards.org
6. SSC, QSA, ASV…Who’s in Charge Here?
• Security Standards Council
– Creates and promotes the standard
– Certifies auditors (QSAs) and scan vendors (ASVs)
• Card Brands
– Track compliance
– Issue fines and incentives
• Acquiring Banks
– Process transactions
– Gather compliance reports from merchants
• Qualified Security Assessors (QSA)
– Audit merchants
– Report to acquiring banks
• Approved Scan Vendors (ASV)
– Scan merchants
– Report to acquiring banks
• Merchants (Level 1 through Level 4)
• Card-Issuing Banks
Source: InformationWeek – PCI and the Circle of Blame
7. How Much Are You Willing to Risk?
Some researchers are reporting that approximately 77% of
people say they would stop shopping at stores that suffer
data breaches.
9. Requirements for Merchant Levels and the PCI DSS
Level 1: Merchants processing over 6 million Visa transactions annually (all channels)
• Annual Report on Compliance (ROC) by a QSA
• Quarterly network scan by an ASV
• Attestation of Compliance form
Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by an ASV
• Attestation of Compliance form
Level 3: Merchants processing 20,000 to 1 million Visa transactions annually
• Annual SAQ
• Quarterly network scan by an ASV
• Attestation of Compliance form
Level 4: Merchants processing fewer than 20,000 Visa transactions annually
• Annual SAQ recommended
• Quarterly network scan by an ASV
• Compliance validation requirements set by the acquirer
Source: Individual Card Company Websites
10. Selecting an SAQ – Five Types
• SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. This never applies to face-to-face merchants.
• SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.
• SAQ C-VT: Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
• SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.
• SAQ D: All other merchants not covered by SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
11. The Card Authorization Process
1. A customer purchases a product or
service from your store
2. The payment gateway encrypts data
and securely sends it through the
payment processing network
3. The transaction is reviewed for
authorization or decline, and the
results are sent back through the
Payflow payment gateway
4. Your customer receives a confirmation
receipt and you fulfill the order
5. Once the transaction is processed,
funds are transferred from the
customer’s bank account to your
merchant bank
Source: http://www.paypal.com
12. What is the Scope of the PCI Standard?
• Any system, process, or person that does any of the following with cardholder data is in scope:
– Process
– Store
– Transmit
Source: Information Supplement – PCI DSS Wireless Guideline
13. PCI DSS is a Comprehensive Standard Containing Technology, Process, and Monitoring Requirements
(The figure in parentheses after each requirement is the number of individual questions it carries in this deck's tally; together they make up the 200+ questions mentioned in the recap.)
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data (18)
– Do not use vendor-supplied defaults for system passwords and other
security parameters (11)
• Protect Cardholder Data
– Protect stored cardholder data (22)
– Encrypt transmission of cardholder data across open, public
networks (3)
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software or programs (3)
– Develop and maintain secure systems and applications (34)
14. PCI DSS is a Comprehensive Standard Containing
Technology, Process, and Monitoring Requirements
• Implement Strong Access Control Measures
– Restrict access to cardholder data by business need-to-know (9)
– Assign a unique ID to each person with computer access (20)
– Restrict physical access to cardholder data (26)
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder
data (23)
– Regularly test security systems and processes (9)
• Maintain an Information Security Policy
– Maintain a policy that addresses information security for
employees and contractors (44)
15. Ten Common Myths of PCI DSS
• One vendor and product will make us compliant
• Outsourcing card processing makes us compliant
• PCI compliance is an IT project
• PCI will make us secure
• PCI is unreasonable; it requires too much
• PCI requires us to hire a Qualified Security Assessor
• We don’t take enough credit cards to be compliant
• We completed a SAQ so we’re compliant
• PCI makes us store cardholder data
• PCI is too hard
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
17. Automated Scans are a Valuable Tool for
Monitoring and Maintaining Secure Systems
18. Manage Achieving PCI Compliance as a Major
Cross-Functional Effort
• Assign a project manager and build a team
– IT, Finance, HR, Legal, etc.
• Assume you’ll need some budget dollars to help
address compliance issues
• Hold regularly scheduled meetings
• Track progress on closing compliance items at an
individual item level and produce status reports
• Build accountability into your ongoing processes
19. Solicit Participation – What Do You Need From Your Organization?
• Support for the initiative within individual groups
– Communication about its importance and value
– Participation in and support for the ongoing review processes
• Awareness of security issues
– Question potential vendors and partners on their compliance with PCI standards
– Reengineer processes to be more secure
– Share data on a need-to-know basis
– Classify and label information appropriately
– If there's a question about data security, don't guess at the answer; ask someone who knows
• Question your people
– "We're searching for credit card data in paper or electronic form; if you've got it, let us know so it can be appropriately protected."
20. Where is the Credit Card Data?
• What are the existing processes you know
about (and what don’t you know)?
• Existing web forms?
• Email system?
• On local desktops and laptops? Excel files,
Word docs, CSV files, PDF Reports…
• On your network?
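The search for stray card numbers described on the two slides above is normally automated rather than done by asking around alone. The block below is an added example, not code from the original deck or from the PCI SSC: a small Python discovery scanner that pulls candidate primary account numbers (PANs) out of text with a regular expression, drops the ones that fail the Luhn check to cut false positives, and reports only a masked form (first six and last four digits, the most that PCI DSS Requirement 3.3 allows to be displayed) so that the scan report itself does not become yet another place where full card numbers are stored. The sample "files" and their contents are constructed for the example; the card numbers in them are the industry's published test numbers, not real cards.

```python
"""Cardholder-data discovery scanner (added example; not from the original deck).

Finds candidate primary account numbers (PANs) in text, discards candidates that
fail the Luhn check, and reports only a masked form (first six / last four), so
the scan report never contains a full PAN.
"""
import re
from dataclasses import dataclass

# A PAN is 13 to 19 digits; people type them with spaces or dashes between groups.
# The look-arounds stop a longer run of digits from being cut into a "card number".
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every branded card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS Requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file, mailbox or share the hit came from
    line_no: int
    masked_pan: str  # never the full PAN


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN candidate found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_all(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a mapping of name -> contents (a stand-in for walking a share or mailbox)."""
    return {name: scan_text(name, contents) for name, contents in files.items()}


# Constructed sample "files". The card numbers are published test numbers, not
# real cards; the 13-digit ticket number is a deliberate Luhn false positive.
SAMPLES = {
    "donations_export.csv": (
        "name,amount,card\n"
        "A. Donor,50.00,4111 1111 1111 1111\n"
        "B. Donor,25.00,5500-0000-0000-0004\n"
    ),
    "helpdesk.log": (
        "2009-04-01 ticket 1234567890123 opened by finance\n"
        "2009-04-01 confirmation 4111111111111112 rejected, digit typo\n"
    ),
    "memo.txt": "Call ext 4111 with questions about the PCI project.\n",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        for hit in hits:
            print(f"{hit.source}:{hit.line_no}: {hit.masked_pan}")
        if not hits:
            print(f"{name}: no cardholder data found")
```

Run against a real file share, the same `scan_text` is fed the text of each file from an `os.walk` loop; spreadsheets, Word documents and PDFs need their text extracted first (they are zipped XML or binary, and a plain read will miss the numbers), and the report should be handled as sensitive even though it is masked, because it tells an attacker exactly where to look.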
21. PCI Prioritized Approach
1. Remove sensitive authentication data and limit
data retention.
2. Protect the perimeter, internal, and wireless
networks.
3. Secure payment card applications.
4. Monitor and control access to your systems.
5. Protect stored cardholder data.
6. Finalize remaining compliance efforts, and
ensure all controls are in place.
Source: The Prioritized Approach to Pursue PCI DSS Compliance
23. What Changes Did Personnel See?
• Tighter physical security (badges, camera surveillance for server rooms and
central storage rooms)
• Tighter access controls to information resources (strong passwords
frequently changed, no shared accounts, access to data more closely
logged)
• Paper storage of data limited based upon business requirements (two
years) – stored data inventoried, older data securely disposed
• More formalized information access and security policies requiring annual
reviews and signoffs
• Additional review of third party agreements when payments are being
accepted on our behalf
• Background checks for personnel with access to credit card data (including
IT, finance, customer service, etc.)
24. PCI Compliance Isn't an Activity But a Process
• Plan → Do → Study (Test) → Act, cycled continuously around PCI compliance
25. Lifecycle Process for Changes to PCI DSS
Source: https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf
26. What’s On the Horizon?
• Massachusetts Data Security Law 201 CMR 17.00 –
Standards for the Protection of Personal Information of
Residents of the Commonwealth
– Pertains to anyone that owns or licenses personal information about
a resident of Massachusetts
– Personal information defined as last name, first name (or initial) in
combination with SSN, driver’s license number, or financial
information (credit/debit card, financial account info, etc.)
• States are considering more of these laws
• Be prepared to secure all personal information
27. Recapping: 10 Things You Should Now Know About
PCI Compliance
1. PCI DSS is not an International, Federal, or State law but rather it's an
information security standard developed by the PCI Security Standards
Council (see http://www.pcisecuritystandards.org).
2. Any business that stores, processes, or transmits credit card data is
responsible for complying with the standard.
3. Compliance and enforcement of the standard is mandated by the various
payment card brands (VISA, MC, AMEX, etc.). This includes the assessment
of any fines or penalties associated with a security breach of the data.
4. The easiest route of compliance is to not store, process, or transmit credit
card data - outsource everything related to credit card processing (this is
often an unrealistic approach).
5. If you must handle credit card data you should seek to: centralize it,
protect it, and monitor access to it.
28. Recapping: 10 Things You Should Now Know About
PCI Compliance
6. There are five different Self-Assessment Questionnaires (SAQ) ranging
from simple to extremely complex based upon how a business handles
credit card data.
7. At its most complex level, the standard covers twelve requirement areas in
six major categories of compliance and 200+ individual questions. A
defined set of information security standards, policies, and procedures is a
major component of the compliance process (and often one of the most
difficult to implement).
8. In order to be compliant you must be compliant with every individual
requirement and pass automated security scans of eCommerce systems
handling credit card data.
9. You need to be as concerned about your business processes as you are
about technology processes in order to be compliant.
10. Compliance and security are an ongoing process, not a single project.
29. Where Can You Get Help and More Info
• PCI Security Standards Council Website:
http://www.pcisecuritystandards.org
• Individual Payment Card Brand Websites/Email Addresses:
– American Express: http://www.americanexpress.com/datasecurity or
EMail: American.Express.Data.Security@aexp.com
– VISA: http://www.visa.com/cisp or Email: cisp@visa.com
– MasterCard: http://www.mastercard.com/sdp or Email:
sdp@mastercard.com
– Discover: http://discovernetwork.com/fraudsecurity/disc.html or
Email: askdatasecurity@discover.com
– JCB: http://www.jcb-global.com/english/pci/index.html or Email:
riskmanagement@jcbati.com
30. Where Can You Get Help and More Info
• 2009 Verizon Data Breach Investigations Report –
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
• SANS Institute (SysAdmin, Audit, Network, Security) –
http://www.sans.org
31. We Can Keep the Conversation Going
• My Coordinates
– Email: smichaele@csystemsllc.net
– Phone: (732) 548-6100 x19
– LinkedIn: www.linkedin.com/in/smichaele
– Website: www.csystemsllc.net