Weitere ähnliche Inhalte Ähnlich wie Payment Card Acceptance PCI Compliance for Local Governments 2012 (20) Mehr von Donald E. Hester (20) Kürzlich hochgeladen (20) Payment Card Acceptance PCI Compliance for Local Governments 20122. eCommerce & Credit Card
Processing
• Risks associated with cc processing
• What is PCI?
• Why is it important?
• What do we have to do?
06-Feb-12 © 2012 Maze & Associates 2
3. The Problem
Albert Gonzalez, 28
With accomplices, he was involved in data breaches of most of the major
data breaches:
Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale
Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston
Market, Forever 21, DSW and others.
06-Feb-12 © 2012 Maze & Associates 5
4. Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
Source:
06-Feb-12 © 2012 Maze & Associates 6
5. Risks
• Fraud
• Theft
• Fines (bank and card brands)
• Credit monitoring fees for customers
• Litigation costs
• Reputation
06-Feb-12 © 2012 Maze & Associates 7
6. Players
• Acquirer (Merchant Bank)
– Bankcard association member that initiates
and maintains relationships with merchants
that accept payment cards
• Hosting Provider
– Offer various services to merchants and
other service providers.
• Merchant
– Provides goods and services for
compensation
• Cardholder
– Customer to whom a card is issued or
individual authorized to use the card
Card Brand
Acquirer
Hosting
Provider
Merchant
Cardholder
06-Feb-12 © 2012 Maze & Associates 13
7. Players
• Card Brand
– Issue fines
– Determine compliance
requirements
• PCI Security Standards Council
– Maintain standards for PCI
– Administer ASV & QSA
• Qualified Security Assessors
– Certified to provide annual audits
• Approved Scanning Vendor
– Certified to provide quarterly
scans
Card
Brands
PCI SSC
QSA
ASV
06-Feb-12 © 2012 Maze & Associates 14
9. What does the PCI Council do?
• Own and manage PCI DSS, including
maintenance, revisions, interpretation and
distribution
• Define common audit requirements to
validate compliance
• Manage certification process for security
assessors and network scanning vendors
• Establish minimum qualification requirements
• Maintain and publish a list of certified
assessors and vendors
06-Feb-12 © 2012 Maze & Associates 16
11. What are the Standards?
• PCI DSS: PCI Data Security Standard
– Overall standard, applies to all
• PA DSS: Payment Application Data Security
Standard
– Supporting standard for payment applications
• PTS (was PED): PIN Transaction Security
Standard
– Supporting standard for PIN entry devices
– Supporting standard for unattended payment
terminals (UPT)
06-Feb-12 © 2012 Maze & Associates 18
12. Who must comply?
• With PCI DSS
– Any organization that processes, stores or transmits credit
card information.
• With PA DSS
– Payment application developers
– Merchants will be required to use only compliant
applications by July 2010.
• With PTS
– Manufactures of PIN entry devices
– Merchants will be required to use only compliant
hardware by July 2010.
– MasterCard PTS to incorporate into PCI SSC April 30, 2010
06-Feb-12 © 2012 Maze & Associates 22
13. PCI Compliance
• This includes:
• Organizations who only use paper based
processing
• Organizations who outsource the credit
card processing
• Organizations that process credit cards in
house
06-Feb-12 © 2012 Maze & Associates 23
14. What if we are a small
organization?
• “All merchants, whether small or
large, need to be PCI compliant.
• The payment brands have collectively
adopted PCI DSS as the requirement
for organizations that process, store
or transmit payment cardholder
data.”
– PCI SSC
06-Feb-12 © 2012 Maze & Associates 25
15. Cost?
• What happens when there is a data
breach?
– Depends if the merchant can reach safe
harbor.
06-Feb-12 © 2012 Maze & Associates 27
17. Safe Harbor Notes:
• For a merchant to be considered
compliant, any Service Providers that
store, process or transmit credit card
account data on behalf of the merchant
must also be compliant.
• The submission of compliance validation
documentation alone does not provide the
merchant with safe harbor status.
06-Feb-12 © 2012 Maze & Associates 29
18. Outside the Safe Harbor
• Losses of cardholders
• Losses of banks
• Losses of card brands
– Fines from the Card brands
– Possible restrictions on process credit cards
– Cost of forensic audit
06-Feb-12 © 2012 Maze & Associates 30
19. Fines
Merchants may be subject to fines by the card associations if deemed non-
compliant. For your convenience fine schedules for Visa and MasterCard are
outlined below.
http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html
06-Feb-12 © 2012 Maze & Associates 31
20. Continuous Process
• “PCI DSS compliance is much more than a
“project” with a beginning and end – It’s an
ongoing process of assessment,
remediation and reporting” - PCI SSC
Assess
ReportRemediate
06-Feb-12 © 2012 Maze & Associates 37
21. Continuous Process
• Many of the PCI requirements have
specific time interval requirements
• Create a schedule for time based
requirements
• Some organizations already have
‘maintenance calendars’ for these type of
actions
06-Feb-12 © 2012 Maze & Associates 38
22. Common Findings
• Clients think they are compliant
– Because they do quarterly networks scans
– Because they filled out the SAQ
– Because they have too few transactions
• Reality
– Validation is not compliance
– Compliance is an ongoing process
– PCI DSS is required for all merchants,
regardless of the number of transactions
06-Feb-12 © 2012 Maze & Associates 39
23. Common Findings
• Payment card information on paper
• No network segmentation
• Logging Access
• Shared Passwords
• Verifying compliance of outsourced
processing
• No one is assigned responsibility
• Not aware of PAN storage in
application
06-Feb-12 © 2012 Maze & Associates 40
24. PCI Pitfalls
• PCI will not make an organization’s
network or data secure
• PCI DSS focuses on one type of
data: payment card transactions
• The organization runs the risk of
focusing on one class of data to the
detriment of everything else
06-Feb-12 © 2012 Maze & Associates 41
25. Important
• Senior management support
• PCI knowledge
• Support from merchant bank
• PCI early in lifecycle
– PCI reviewed when new applications or
systems are purchased
– Should included all PII (Personally Identifiable
Information)
06-Feb-12 © 2012 Maze & Associates 42
26. Cardholder Data
Data Element Storage
Permitted
Protection
Required
PCI DSS 3.4
Cardholder
Data
Primary Account
Number (PAN)
Yes Yes Yes
Cardholder Name Yes Yes No
Service Code Yes Yes No
Expiration Date Yes Yes No
Sensitive
Authentication
Data
Full Magnetic
Stripe Data
No N/A N/A
CVC2 / CVV2 / CID /
CAV2
No N/A N/A
PIN / PIN Block No N/A N/A
06-Feb-12 © 2012 Maze & Associates 61
27. Places to look for CHD
• Electronic Image Files
• SANS
• Fax Servers
• Scan Archive
• Pinter Spool
• Laser Fiche
• Log Files
• Audio Recording:
customer service call
recordings
• Voicemail
• Email Server/Archive
• Backup Media
• Copier Scanner Cache
• Data bases
Perform a search for CHD every 6 months
06-Feb-12 © 2012 Maze & Associates 62
28. Risk Mitigation
• Teamwork
– Finance department takes the lead (payment
processing and associated controls)
– IT department – technical expertise
– Legal department – policy etc…
– Associated departments – payment
processing in support of other City functions
(golf, parks & rec, classes, theater, licenses,
PD, utilities, library etc…)
06-Feb-12 © 2012 Maze & Associates 68
29. Risk Mitigation
• Start implementing the data security
standard starting with policies
• Start with high level polices
– “The City shall not store PAN (Credit Card
Numbers) electronically or physically.
Employees shall be trained on PCI standard
annually. Background checks will be
performed on all staff with access to credit
card information.”
06-Feb-12 © 2012 Maze & Associates 69
30. Policy Examples
• “The City shall develop procedures to
ensure that information security and
privacy best practices are followed to
include compliance with all laws or
contractual requirements.”
• “The City shall adopt information security
and privacy procedures based on industry
standards such as NIST and PCI security
standards.”
06-Feb-12 © 2012 Maze & Associates 70
31. Risk Mitigation
• The merchant is ultimately responsible
– Not the hardware manufacturer’s
responsibility
– Not application vendor’s responsibility
– Not the bank’s responsibility
– Not the customer’s responsibility
06-Feb-12 © 2012 Maze & Associates 81
Hinweis der Redaktion The standard has approximately 194 controls in 12 sections. The 12 sections are group into 6 objectives. The 6 objectives are; build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, maintain an information security policy.
This includes organizations who only use paper based processing, organizations who outsource the credit card processing, to organizations that process credit cards in house. If there is a data breach, the card brands will perform a forensic audit to determine if the merchant was compliant at the time of the data breach. If the merchant is found not compliant at the time of the breach they will be liable for the full cost of the breach; the cost of the forensics, losses of cardholders, losses to the banks, losses to the card brand and in some states fines will be assessed.
In addition, the merchant will be moved to the highest merchant level and will be required to meet the most stringent evidence requirements and their credit card processing fees will go up.
http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html NIST SP 800-37 Rev 1, § 2.1
The standard has approximately 194 controls in 12 sections. The 12 sections are group into 6 objectives. The 6 objectives are; build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, maintain an information security policy.