PCI Compliance Myths, Reality and Solutions for Retail

www.indefensesecurity.com 11
Presented by
PCI Obligations for Merchants:
Myths, Reality and Solutions

TOM
PIRES
Chief Info Security Officer
PCI-QIR Certified
GIAC Certified Pen Tester
InDefense Security
tom@indefensesecurity.com
843-633-3732
Your Presenters
JEANA
THOMAS
NCR Certified Counterpoint Trainer
PCI-QIR Certified
C&K Systems
training@cksystem.com
888-476-7911 ext. 3

MYTHS &
MISCONCEPTIONS
REALITY
CHECKS
AVAILABLE
SOLUTIONS
Today’s webinar will focus on three core areas of focus that can help provide
definitive clarity for merchants in regards to their PCI Compliance Obligations.
Three Areas of Focus

COMMON MYTHS & MISCONCEPTIONS
merchants have about their PCI Compliance Obligations.
Part 1.

Common Myths & Misconceptions
“I’m a small company, hackers only target
large companies to hack.”
Misconception.

“PCI is a recommendation, not a
requirement.”
Misconception.

“PCI Compliance is only for larger
companies with an IT team.”
Misconception.

“I do quarterly vulnerability scans,
therefore I am PCI Compliant.”
Misconception.

“Outsourcing card processing takes my
business out of scope for PCI Compliance.”
Myth.

“I didn’t sign anything saying I would be
PCI Compliant.”
Myth.

“I can wait until my bank requires me
to be PCI Compliant.”
Misconception

“I use PayPal / Authorize.Net, therefore PCI
Compliance does not apply to me.”
Misconception

“PCI Compliance only applies to
e-commerce businesses and websites.”
Misconception

“My point of sale software is compliant,
therefore I am PCI Compliant.”
Misconception

“I don’t process credit cards through my
POS system, so I don’t have to follow
PCI Compliance requirements.”
Misconception

“Its ok to have shared usernames and
passwords for my employees.”
Misconception

“I use EMV technology, so I am
PCI Compliant.”
Misconception

“I’ve been in business for over a decade
and have never had a fraudulent charge.”
Misconception

“I process less than 10,000 transactions a
year, so I am out of scope.”
Myth

“I have cyber breach insurance, so I don’t
have to worry about being hacked.”
Misconception

“My bank makes sure my cardholder data
is kept safe.”
Misconception

“I have a firewall and anti-virus, so I am
already protected.”
Misconception

“My employees don’t have to know about
PCI Compliance.”
Myth

REALITY CHECK:
Why merchants SHOULD be concerned
about their PCI Compliance Obligations.
Part 2.

Reality: Source of Cyber Security Incidents
6%
73%
18%
2%
Attack Source
Malicious Outsider
Accidental Loss
Malicious Insider
State Sponsored
Hacktivist
1%
Source: Gemalto’s Breach Level Index Report - 2013-Present

Hackers only have to be
right once, you have to be
right 100% of the time.
REALITY CHECK

REALITY CHECK
“There are those who
have been hacked and
those who don’t know
they have been hacked.”
-James Comey, FBI Director

The following is an example of
a common path of an attack.
Phishing
Email Link
Email
Attachment
Alter
behavior
Person User
Desktop
Malware
Installation
Steal
Credentials
Use of Stolen
Credentials
Direct Install
of Malware
Backdoor, C2,
Ram Scraper,
Export data
PaymentPOS terminal
Controller
Common Attack Vector

MERCHANT AGREEMENTS
The Fine Print that all merchants need to read.

Reality Check
“Banks are not doing a good job educating
merchants about PCI Compliance.”
REALITY

Reality Check
“Banks do a great job at only assessing
and collecting fines.”
REALITY

LIABILITY SHIFT FROM BANKS TO MERCHANTS
Merchants are now at risk of fines for credit card fraud.
October 2015

What Exactly Is PCI Compliance?
A set of requirements the merchant must follow to protect cardholder data
An organization created by the major credit card companies in an effort to
better protect cardholder data.
WHO IS THE PCI COUNCIL?
Payment Card Industry Security Standards Council (PCI-SSC).
WHO MAKES THESE REQUIREMENTS?
The PCI-SSC was formed in response to an increase in data security breaches,
which not only put customers at risk, but also increase the credit card companies’
costs.
WHY DID THEY MAKE THESE REQUIREMENTS?
Anyone who excepts credit cards for payments.
WHO HAS TO BE PCI COMPLIANT?
Download PCI-DSS v3.2 Quick Reference Guide.
www.indefensesecurity.com/pci

PCI Compliance: A 50,000 Ft View
Monitor and Test
Networks
Information
Security Policy
Strong Access
Control
Protect
Cardholder Data
Vulnerability
Management
Build and Maintain a
Secure Network

Goals PCI-DSS Requirements
Build and Maintain a Secure
Network and Systems
1. Install and maintain a firewall configuration
2. Do not use vendor supplied passwords
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability
Management Program
5. Protect all systems against malware and regularly update anti-virus software programs
6. Develop and maintain secure systems and applications
Implement Strong Access
Control Measures
7. Restrict access to cardholder data by business ‘need to know’
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test
Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information
Security Policy
12. Maintain a policy that addresses information security of all personnel
PCI Compliance: On The Ground

QUARTERLY INTERNAL VULNERABILITY SCANS
are required according to PCI-DSS guidelines.
Did You Know. . .

Trustwave only provides external scans.
Did You Know. . .

ANNUAL PENETRATION TESTS
are required according to PCI-DSS guidelines.
Did You Know. . .

A penetration test is an
attack on the network to
exploit weaknesses.
PENETRATION TESTS
Very clear, distinct differences. . .
Vulnerability Scans vs. Penetration Tests
A vulnerability scan looks
for weaknesses in the
network.
VULNERABILITY SCANS

WRITTEN SECURITY POLICIES AND PROCEDURES
for your organization?
Do You Have. . .
PROVIDE SECURITY TRAINING FOR EMPLOYEES
on security best practices, procedures and awareness?
Do You . . .
PROVIDE AWARENESS TRAINING FOR EMPLOYEES
on how to recognize phishing attempts and social engineering?
Do You . . .

SECURITY SOLUTIONS & AWARENESS PROGRAMS:
A Pathway for Merchants to Achieve PCI Compliance.
Part 3.

Month(s) Level 1 Level 2
1 to 3 $10,000/mo. $5,000/mo.
4 to 6 $50,000/mo. $25,000/mo.
7 and on $100,000/mo. $50,000/mo.
Wake-Up Call: Non-Compliance Fines
Banks:
from $5,000 to $500,000, based
on forensic research to remediate
non-compliance.
Example:
Time-Cost Schedule - VISA:
Credit Card Institutions:
May levy fines and propose a
timeline of “increasing fines”

www.indefensesecurity.com
We’re here to help slide
43
We’re Here to Help!
Accurate
Assessment
Effective
Planning
Proper
Execution

Our Services
Our comprehensive,
centrally managed
security solutions help
organizations simplify
their security operations
with a complete suite of
security safeguards,
products and services.
DATA LOSS
PREVENTION
PCI COMPLIANCE
CONSULTING
PCI-QIR
POS VALIDATION
MANAGED
SECURITY
PENETRATION
TESTING
VULNERABILITY
ASSESSMENTS
POLICY &
PROCEDURE
MANAGEMENT
SECURITY
AWARENESS
TRAINING
CYBER RISK
ASSESSMENTS
PCI-DSS Req. 11.2 PCI-DSS Req. 11.3 PCI-DSS Req. 12.6
VISA Merchant Req. PCI-DSS Req. 12

Identify critical assets that need protected.
Protect those assets to limit impact.
Be able to accurately detect security problems.
Preparedness to recover from an incident.
Be ready to respond if you have an incident.
PROTECT
DETECT
RESPOND
IDENTIFY
RECOVERY
NIST Cyber Security Framework Is Our Philosophy

Annual Security Model
Action PlanEducation &
Awareness
Discovery
A well established security
model works with each stage
of the NIST Cyber Security
Framework.

Action Plan For Endpoint Security
• Managed Anti-Virus
• Patch Management
• Policy Management
ENDPOINT MANAGEMENT & SECURITY
• Vulnerability & Risk Monitoring
• Backup / Disaster Recovery (DLP)
• Mobile Device Management

Action Plan For Network Security
• Firewall Management
• Network Traffic Monitoring
• Network Protocol Security Review
• Server Security Review
• DNS Filtering / Monitoring
• Security Log Monitoring
• Mobile Infrastructure Management
• Data Loss Prevention (DLP)
• Data In Transit Monitoring
• Data At Rest Monitoring
• Backup / Disaster Recovery
NETWORK MANAGEMENT & SECURITY

SECURITY AWARENESS TRAINING
Action Plan For Security Training
• Mobile Device Security
• Password Management
• Executive Security Awareness
• Breach Planning
• Email Phishing Security Tests
• Ransomware / Malware
• Credit Card Security Awareness
• Social Engineering Dangers
• Safe Web Browsing

We provide assistance in developing the
necessary security policies and education
programs needed to meet HR, insurance,
legal and regulatory requirements.
50
Action Plan For Security Policy Development

Action Plan For Regulatory Compliance
• Penetration Testing & Risk Assessment
• On-going Security Awareness Training
ACHIEVE & MAINTAIN REGULATORY COMPLIANCE
• Compliance Consulting
• Security Policy & Procedure Review

CYBER RISK ASSESSMENTS
an executive summary of your overall security posture.
DISCOVERY
TASKS
RISK
SCORE
ISSUE
SUMMARY
INTERNET
SPEED TEST
ASSET
SUMMARY
SERVER
AGING
WORKSTATION
AGING

Cyber Risk Assessments
2-3hr
Assessment
Report Card
Results
In-Depth
Score Review

(843)633-3732
Questions?
www.cksystem.com
(888)476-7911

PCI Compliance Myths, Reality and Solutions for Retail

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie PCI Compliance Myths, Reality and Solutions for Retail

Ähnlich wie PCI Compliance Myths, Reality and Solutions for Retail (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (10)

PCI Compliance Myths, Reality and Solutions for Retail