PCI DSS
Erin Carrick

What is PCI DSS?
Payment Card Industry Data Security Standard
Also known as: PCI Compliance

History
December 2004
Major Players: Visa, MasterCard, American Express, Discover, JCB
  Each had its own security standards
Problem: Credit card fraud due to merchants' failure to secure information
Goal: Encourage companies to standardize security measures on a global scale

History
Standardization of credit card data security
Essentially a checklist of technical/operational standards
Yearly review; Version 2.0 as of October 2010
http://www.youtube.com/watch?v=1boEXDVkKjU&feature=relmfu

Motivation
Ideally, if all requirements are met, breaches will be practically impossible.
Many security experts believe this to be true.
“No compromised entity has been found to be in compliance at the time of the breach.”

Why do we care?
80% of Americans own credit cards
576.4 million credit cards in the U.S.
Millions of dollars lost each year due to fraud
Protecting personal information
Protecting others' information

Overview
PCI Requirements
Difficulties with Compliance
Controversial Issues
  Does compliance mean security?
  Is it possible to always be compliant?
  Is PCI just for credit card company profit?

PCI: A “Simple” 6-Step Security Standardization Process
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Slightly more complicated...
...and even more complicated.
Example: Step 1 – Install and Maintain Firewall
  Actually 28 steps total...

Steps to become Compliant
Report on Compliance (ROC)
Pass vulnerability scans by an Approved Scanning Vendor
Complete Attestation of Compliance (AOC)
Submit all paperwork to the acquirer

Additional Requirements
Wireless
Card Not Present
Compensating Controls

Non-Compliance
Too many requirements: 220+ total
Terrifying for merchants
  Not always computer-savvy
  Don't always understand the motivation behind steps
Problems with scope
Confusing requirements
Ambiguous requirements

Controversial Issues
High cost
  Huge burden, cost and time
  Fines even if there is no fraud loss
Confusing requirements
Subjective enforcement
No validation requirement for Level 4 merchants, where most breaches occur

Compliance = Security
At least Visa thinks so.
The requirements are pretty comprehensive, so if everything went according to plan, breaches would be highly unlikely.
PCI forces companies to think about security, even if they do not meet all requirements.
Hannaford Bros. Co.
Heartland Payment Systems
Global Payments

100% Compliance 24-7?
Some validations are not as thorough as others
Card companies do not want to admit problems in their standard
Easy to find non-compliance, if that is the goal
Networks are ever-changing
“PCI compliance is like a driver's license. You take and pass the test, but it doesn't mean that you're a good, safe driver all of the time.”

PCI for Profit: Cost of Compliance
Upgrading payment systems
  Level 1 merchants averaged $2.7 million
  Level 2 merchants $1.1 million
Verifying compliance (assessments)
  Level 1 merchants averaged $237,000
  Level 2 merchants $135,000
Continuing compliance

PCI for Profit: Cost of Non-Compliance
Huge fines
Cisero Ristorante and Nightclub
  Network “might have been compromised”
  Forensics showed no sign of breaches
  Found POS stored data in unencrypted form
  Visa estimated liability at $1.33 million
  Visa fined them $55,000; MasterCard $15,000
  $15,000 for fraudulent charges

PCI for Profit: Cost of Non-Compliance
Heartland Payment Systems
  Much larger scale
  Agreed to:
    $60 million – Visa
    $3.6 million – American Express
  Forensic investigation
  Reputation damage
