Evolving Challenges of PCI Compliance
Charlie Wood, PCI QSA, CRISC, CISA
Principal, The Bonadio Group
January 10, 2014

Agenda
- What is PCI?
- Evolution of PCI
- What is PCI DSS?
- Compliance
- What does this mean to me?
- Recent Breach of Target
- Q & A

What is PCI?
The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.
Source: The PCI Security Standards Council

Evolution of PCI
PCI Security Standards Council was founded in 2006 by the major card brands:
- Visa
- MasterCard
- Amex
- Discover
- JCB
Each card brand has input into the guidance provided by the Council.

What is PCI? (cont.)
A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to:
- Credit
- Debit
- HSA
- FSA
- Payroll

Evolution of PCI (cont.)
The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:
- PCI DSS
- PA-DSS
- P2PE
- PTS

What is PCI DSS?
Core set of best security practices: a set of 12 requirements broken down into 6 categories, as follows:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy

What is PCI DSS? (cont.)
PCI DSS can include the following, depending on the organization:
- PA-DSS
- P2PE
- PTS

Common PCI Myths
- We don't take enough cards to necessitate compliance
- We outsource card processing, so we are compliant
- PCI is an IT issue
- PCI is unreasonable / difficult
- PCI compliance makes us secure
- We aren't a target

Compliance
- Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
- Compliance is based on Level and Type
- Level is based on the number of transactions performed in a 12-month period
- Type is defined by how your organization takes credit cards

Compliance (cont.)
Levels are based on the number of transactions. Visa defines them as follows:

Level  Description
1      Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa
2      Organizations with 1M to 6M Visa transactions per year
3      Organizations with 20,000 to 1M Visa e-commerce transactions per year
4      Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year

Compliance (cont.)
Types are defined by how your organization takes credit cards and are broken down as follows:

Type  Description
A     Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants
B     Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants, no cardholder data storage
C     Merchants with payment application systems connected to the Internet, no cardholder data storage
C-VT  Merchants using only web-based virtual terminals, no electronic cardholder data storage
D     All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ

What does this mean to me?
Based on the volume of transactions, organizations would be required to perform the following:

Level  Visa validation requirements
1      Annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
2      Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form
3      Annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form
4      Annual SAQ recommended; quarterly network scan by an ASV; compliance validation requirements set by the merchant bank

What does this mean to me? (cont.)
In English: depending on what Type of organization you are, you will have to address anywhere from 15 to controls.
Cost:
- Hardware
- Software
- Internal resources
- External resources

Recent Breach of Target
What happened:
- Lost ~40 million credit and debit cards
- Theft period: November 27 – December 15
- Malware on point-of-sale terminals
- Not detected until December 15

Recent Breach of Target (cont.)
Common questions:
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?
Costs?
- Credit score monitoring
- Fines, sanctions and lawsuits
- Reputational damage

Q & A
Questions?
(585)