Surviving the PCI Self-Assessment. James Placer, CISSP, West Michigan Cisco Users Group Leadership Board.

Presentation transcript:


Agenda
- Overview of the Payment Card Industry Data Security Standard (PCI DSS)
- PCI DSS requirements
- Merchant levels
- Requirements of self-assessment
- The ASV conflict
- Questions

Protecting card data: why it's important
- Causes hardship for our customers
- Loss of customer confidence
- Required by PCI DSS
- State laws on disposal and notice
- State breach law notification requirements

Overview of PCI DSS
- The basis is: cloned cards must never again be capable of being created from stored data, whether through compromise or eavesdropping
- One can store elements of Track II, i.e. the card number and expiry date, when required for particular cards (front-of-card information ONLY)
- In no circumstances should the CVV or the PIN verification value data elements be stored
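The storage rule on this slide is easy to state and easy to break in practice, because an authorization message arrives with everything in it. The following Python is an added example, not code from the presentation: it allowlists the elements the slide says may be kept (card number, expiry), strips the card verification code, PIN data and track fields, and refuses any record where full track data has leaked into a free-text field. The field names, the track-data patterns and the sample message are assumptions constructed for the example.

```python
"""Keep only the card data elements the slide says may be stored.

Constructed example (not from the presentation). Field names are
assumptions; the rule enforced is the slide's: card number and expiry
may be retained when needed, CVV / PIN verification data never.
"""
import re

# Sensitive authentication data: must never be stored after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "pvv",
                    "track1", "track2", "track_data"}

# Elements that may be retained (the PAN itself must still be rendered
# unreadable at rest, which is PCI DSS requirement 3, not shown here).
ALLOWED_FIELDS = {"pan", "expiry", "cardholder_name", "service_code",
                  "auth_code", "transaction_id"}

# Assumed shapes of raw magnetic-stripe data: track 2 reads ;PAN=YYMM...?
# and track 1 starts with %B and a PAN followed by a caret.
_TRACK_PATTERN = re.compile(r"(;\d{13,19}=\d{4}|%B\d{13,19}\^)")


def contains_track_data(value) -> bool:
    """True if a string value carries what looks like full track data."""
    return isinstance(value, str) and _TRACK_PATTERN.search(value) is not None


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record: dict):
    """Return (storable_copy, dropped_field_names).

    Unknown fields are dropped as well (allowlist, not denylist); a record
    that hides track data inside any field is rejected outright.
    """
    for key, value in record.items():
        if contains_track_data(value):
            raise ValueError(f"field {key!r} contains full track data; refusing to store")
    stored = {k: v for k, v in record.items() if k.lower() in ALLOWED_FIELDS}
    dropped = sorted(k for k in record if k.lower() in FORBIDDEN_FIELDS)
    if "pan" in stored:
        stored["pan_masked"] = mask_pan(stored["pan"])  # for receipts and screens
    return stored, dropped


# Constructed authorization message as it might sit in a POS buffer.
# The card number is a public test number, not a real account.
AUTH_MESSAGE = {
    "pan": "4111111111111111",
    "expiry": "1226",
    "cardholder_name": "J DOE",
    "cvv2": "123",
    "pin_block": "A1B2C3D4E5F6A7B8",
    "auth_code": "054321",
}

if __name__ == "__main__":
    kept, removed = sanitize_for_storage(AUTH_MESSAGE)
    print("stored:", kept)
    print("dropped:", removed)
```

Run as a script it prints the storable copy (PAN, expiry, name, auth code plus a masked PAN) and the two fields it removed. The allowlist design matters: a denylist of known-bad names would silently keep a field the acquirer adds next year.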

Overview of PCI DSS
- Applies to all merchants that store, process, or transmit cardholder data (if you accept one credit card payment a year you must be compliant)
- Covers all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
- Includes 12 requirements, based on administrative controls (policies, procedures, etc.), physical security (locks, physical barriers, etc.) and technical security (passwords, encryption, etc.)

Shared Network Resources
- A network that is shared by other services cannot be considered secure.
- ... whatever we think of our wider network, we cannot fully trust it

Merchant levels
- Merchant levels are based on the merchant's yearly transaction volume
- Specific criteria for placement in merchant levels vary across card companies
- All merchants, regardless of level, must adhere to PCI DSS requirements
- The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost)
- Let's take a quick look at Visa's levels...

Merchant levels - Visa
- Level 2: merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions
- Level 3: any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions

Merchant levels - Visa
- Level 4: any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
- Level 4 also covers all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions

PCI DSS compliance validation
- Level 2 and 3 merchants: self-assessment questionnaire
- Quarterly network security scan by an approved scan vendor (ASV)

PCI DSS compliance validation
- Level 4 merchants: self-assessment questionnaire if required by acquirer
- Quarterly network security scan by an approved scan vendor if required by acquirer

PCI DSS compliance validation
- 5 levels of self-assessment
- 4 self-assessment questionnaires

Self-Assessment Questionnaire
- Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Use questionnaire A.
- Type 2: Imprint-only merchants with no electronic cardholder data storage. Use questionnaire B.

Self-Assessment Questionnaire
- Type 3: Stand-alone terminal merchants, no electronic cardholder data storage. Use questionnaire B.
- Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. Use questionnaire C.

Self-Assessment Questionnaire
- Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. May be required to complete the full self-assessment form as opposed to the short forms A through C.

Authorized Scanning Vendors
- An external ASV scan may be required for self-assessment.
- Not all ASVs are created equal.
- ASVs must be approved by PCI and on the PCI authorized scanning vendor list.
- DO NOT automatically use the recommended ASV of your card processor!!!

PCI DSS requirements
- The first step is to document the FULL path of credit card data through your company. This covers electronic as well as procedural handling.
- If you do not know the path you cannot self-assess!!!!!
- The card environment MUST be isolated...
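Documenting the full path of card data means finding where PANs actually turn up, which is rarely only where the diagram says. The following Python is an added example, not code from the presentation: it scans text such as log lines or exports for digit runs of PAN length and keeps only those that pass the Luhn check, so order numbers and sequence counters do not flood the result. The candidate pattern and the sample log lines are constructed for the example; the card numbers in them are public test numbers.

```python
"""Find candidate PANs in text to map where card data flows or rests.

Constructed example (not from the presentation). A hit means the line
or file is inside the card data environment and must be isolated or
the data removed; the Luhn check filters out ordinary long numbers.
"""
import re

# Assumed shape: 13 to 19 digits, optionally separated by single spaces
# or dashes, not adjoining other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report form of a PAN: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return masked PANs found in one string, in order of appearance."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines):
    """Return (line_number, masked_pans) for each line that carries a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, pans))
    return hits


# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2024-01-05 10:01:02 pos01 order=1234567890123456 status=ok",
    "2024-01-05 10:01:03 pos01 auth pan=4111 1111 1111 1111 exp=1226 result=approved",
    "2024-01-05 10:02:11 web02 GET /checkout?card=5500000000000004&cvv=123",
    "2024-01-05 10:03:00 pos01 heartbeat seq=4111111111111112",
]

if __name__ == "__main__":
    for n, pans in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {pans}")
```

Only lines 2 and 3 of the sample are reported: the order number on line 1 and the counter on line 4 are the right length but fail Luhn. Note that the scanner reports masked values only, so its own output does not become another place where PANs are stored.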

PCI DSS requirements
- Best practice to be applied! Each requirement has many sub-requirements!
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data

PCI DSS requirements
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know

PCI DSS requirements
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Resources
- PCI DSS self-assessment guidelines: uctions.shtml
- The PCI DSS guidance document: standards/pci_dss.shtml

Questions???