PCI: Payment Card Industry Compliance. October 2012. Presented by: Jason P. Rusch

Jason P. Rusch
15 years' experience in Information Technology; 8 years' experience in IT governance, risk, compliance and security management. US Navy Communications and Intelligence Specialist. Humana Inc., The Walt Disney Company, Hard Rock International. CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager).

Where did PCI-DSS come from?
PCI-DSS v1.0 was released in December 2004, when Visa, MasterCard, American Express, Discover and JCB merged their separate card-data security programs (Visa's CISP, MasterCard's SDP and the others) into one standard. In 2006 the same brands formed the Payment Card Industry Security Standards Council (PCI-SSC), which now owns and maintains the standard. Beyond the founding brands, the PCI-SSC's participating organizations include merchants, acquiring/processing banks and payment system vendors (e.g. Wal-Mart, The Walt Disney Company, Chase, PayPal, Micros, Radiant).

What is the PCI-DSS?
PCI-DSS is organized as 6 control objectives containing 12 requirements, which break down into 324 detailed requirements and sub-requirements in total. The six objectives and the requirements under them:
- Build and maintain a secure network: (1) install and maintain a firewall configuration to protect cardholder data; (2) do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data: (3) protect stored cardholder data; (4) encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program: (5) use and regularly update anti-virus software; (6) develop and maintain secure systems and applications.
- Implement strong access control measures: (7) restrict access to cardholder data by business need to know; (8) assign a unique ID to each person with computer access; (9) restrict physical access to cardholder data.
- Regularly monitor and test networks: (10) track and monitor all access to network resources and cardholder data; (11) regularly test security systems and processes.
- Maintain an information security policy: (12) maintain a policy that addresses information security for all personnel.

What is the PCI-DSS? (continued)
PCI-DSS is not a law. It is a set of contractual requirements created and maintained by the PCI-SSC and enforced, through the card brands' operating rules, by the acquiring banks. The standard follows a three-year lifecycle; at the time of this presentation (October 2012) the current version is 2.0, released in October 2010.
Entities governed by PCI-DSS: banks (acquiring and processing), merchants, service providers, and vendors (payment application vendors through the companion PA-DSS standard).

What does PCI-DSS include (scope)?

PCI-DSS includes (the basics)
PAN - Primary Account Number: the 13- to 19-digit card number. Storing, processing or transmitting the PAN is what brings a system into scope.
CVV - Card Verification Value, encoded in the magnetic stripe (track data) on the back of the card. CVV2 (CVC2 on MasterCard, CID on AMEX and Discover) - the 3- or 4-digit security code printed on the back of MasterCard, Visa and Discover cards (on the front of AMEX).
IMPORTANT NOTE: full track data, the CVV2/security code and the PIN are "sensitive authentication data" and must never be stored after authorization, under any circumstances, encrypted or not (Requirement 3.2). The PAN, expiry date, cardholder name and service code may be stored, but only with the protections Requirement 3 demands.

The CVV code and security PIN
Never store the 3- or 4-digit security code (back of MasterCard, Visa and Discover; front of AMEX) or the cardholder PIN/PIN block once a transaction has been authorized. Check application databases, logs, crash dumps and backups: these are where the code usually ends up without anyone having decided to keep it.
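As an added example (not code from the slide deck), the storage rule above in working form: it validates a PAN, derives the only forms of it a merchant may keep after authorization (the masked display form and a keyed-hash reference token), and checks that neither the full PAN nor any sensitive authentication data survives into the stored record. The field names, the HMAC token scheme, the key and the sample request are assumptions made for this example.

```python
# Added example (not from the slide deck): what a merchant system may keep
# from a card authorization request and what it must discard.
# The record layout, field names, HMAC reference token, key and sample
# request are assumptions made for this example.
import hashlib
import hmac
import json
import re

# Sensitive authentication data: may be sent to the processor to authorize a
# transaction, must never be stored afterwards, encrypted or not (Req. 3.2).
SAD_FIELDS = ("cvv2", "pin", "pin_block", "track1", "track2")


def normalize_pan(raw: str) -> str:
    """Strip the spaces/dashes people type or OCR inserts."""
    return re.sub(r"[ -]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_well_formed_pan(raw: str) -> bool:
    pan = normalize_pan(raw)
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """Req. 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup/dedup token.
    An unkeyed SHA-256 of a PAN is brute-forceable: the BIN is public and
    Luhn fixes the last digit, leaving about 10^9 candidates per BIN, so
    the key must be managed like an encryption key (Req. 3.5/3.6)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_persistable(auth_request: dict, key: bytes) -> dict:
    """The record a merchant may keep after the processor has authorized."""
    if not is_well_formed_pan(auth_request["pan"]):
        raise ValueError("not a well-formed PAN")
    pan = normalize_pan(auth_request["pan"])
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan, key),
        "expiry": auth_request["expiry"],
        "cardholder": auth_request["cardholder"],
        "amount": auth_request["amount"],
        "auth_code": auth_request["auth_code"],
    }


def naive_record(auth_request: dict) -> dict:
    """What a home-grown order table often did: keep the whole request."""
    return dict(auth_request)


def leaks_card_data(record: dict, auth_request: dict) -> bool:
    """True if the stored form still carries the full PAN or any SAD value."""
    if normalize_pan(auth_request["pan"]) in json.dumps(record):
        return True
    sad_values = {str(auth_request[f]) for f in SAD_FIELDS if f in auth_request}
    return any(str(v) in sad_values for v in record.values())


# Constructed sample request (a public test PAN, not a real card).
KEY = b"example-hmac-key-not-for-production"
AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "expiry": "09/14",
    "cardholder": "J DOE",
    "cvv2": "737",
    "track2": "4111111111111111=14091011000012345678",
    "amount": "19.99",
    "auth_code": "0X8T2",
}

if __name__ == "__main__":
    print(json.dumps(to_persistable(AUTH_REQUEST, KEY), indent=2))
    print("naive record leaks:", leaks_card_data(naive_record(AUTH_REQUEST), AUTH_REQUEST))
```

The leak check is the part worth reusing: run it against whatever your order or CRM layer actually writes, not against what the design document says it writes.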

Merchant Levels Defined (Visa's definitions; the other brands use similar tiers)
Level 1 - merchants processing over 6 million transactions annually (any channel)
Level 2 - merchants processing 1 million to 6 million transactions annually
Level 3 - merchants processing 20,000 to 1 million e-commerce transactions annually
Level 4 - merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
Counts are per brand (Visa counts Visa transactions), and a brand or acquirer can assign a merchant a higher level regardless of volume, which is what usually happens after a breach.

What does a Merchant have to do?
Level 1 merchants - an annual onsite assessment by an external Qualified Security Assessor (QSA), with a Report on Compliance (ROC) submitted to the merchant's acquiring bank every year.
Level 2 merchants - Visa and MasterCard enforce this differently. Visa accepts an annual Self-Assessment Questionnaire (SAQ) from Level 2 merchants, whereas MasterCard (under its 2010 rule change) requires the Level 2 assessment to be performed by a QSA or by staff trained as PCI-SSC Internal Security Assessors (ISAs).
Level 3 and 4 merchants - submit a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance to the acquiring bank annually.
All levels - quarterly external vulnerability scans of every Internet-facing system in scope by an Approved Scanning Vendor (ASV), apart from fully outsourced merchants eligible for SAQ A.

Non-Compliance and Data Breach Fine Process
The card brands fine the merchant's acquiring bank, and the bank passes that fine down to the merchant under the merchant agreement. Important note: the bank can, and in many cases does, add its own penalties on top, increasing the total amount.

What happens if there is a credit card breach?
- Damage to public image from news coverage.
- Brand name degradation.
- Loss of customer confidence.
- Fines and penalties for non-compliance.
- Short- or long-term suspension of the merchant's ability to accept credit and debit cards.
- Increased transaction fees.
- Cost of lawsuits and legal settlements/judgments.
- Forensic, investigative and containment costs (a card-brand-mandated PCI Forensic Investigator is paid for by the merchant).

What Should You Do?
Large YMCAs - If you are a large YMCA, a group of YMCAs and/or in a large market, I would recommend the following:
- Consult with a QSA firm.
- Determine your merchant level and TOTAL transaction count.
- If your systems/applications/data reside with a service provider, inquire about their PCI compliance status.
- Pursue, with the assistance of a QSA, the completion of your Self-Assessment Questionnaire (SAQ) and communicate with your bank.

Things You Can Focus On
- Define scope and data flows: map the cardholder data environment (CDE), i.e. every system that stores, processes or transmits cardholder data, plus any system connected to one that does; anything you cannot segment away is in scope.
- Policy and procedure: maintain a simple information governance and security policy framework.
- User account management: role-based access, password management, periodic account reviews.
- Vulnerability management: patch management, antivirus, PCI vulnerability scans (quarterly internal scans plus the quarterly external ASV scans).
- Change management: add steps to your change-management process that identify systems entering PCI scope, so the required controls are applied before go-live.

Areas That Are the Most Challenging
Encryption - PCI-DSS requires that the PAN be rendered unreadable wherever it is stored, including in logs and backups (strong encryption, truncation, index tokens, or a keyed one-way hash; Requirement 3.4), and that it be encrypted with strong cryptography whenever it is transmitted over open, public networks (Requirement 4.1). In practice the hard part is not the cipher but the key management that Requirements 3.5 and 3.6 demand: key custodians, key rotation, and keys stored apart from the data.
Penetration tests - PCI-DSS requires an annual penetration test, repeated after any significant change, covering both the external/web-facing DMZ and the internal cardholder environment (Requirement 11.3). The standard calls for a qualified tester, internal or external, who is organizationally independent of the systems tested; it does not mandate a particular certification.
Logging and monitoring - Log every access to cardholder data and to the CDE, tying each action to an individual user (Requirement 10). Logs must be reviewed daily and retained for at least a year, with three months immediately available; and the logs themselves must not capture the full PAN.

Areas Not Often Thought About
Audio - IVR and call recordings of customer conversations in which CSRs take card details. Because QSAs have tended to see recorded audio as low risk, this is not an area they are actively going after or being strict on; they will still require compensating controls at the least. The PCI-SSC's own guidance is stricter: a recording that captures the security code is storing sensitive authentication data, and where recordings can be digitally queried that data must not be retained at all (for example by pausing the recording while the code is read out).
Images - Scanned physical paper forms carrying customer card details (TIFF, JPEG, PDF). Paper that becomes digital cardholder data through scanning is an area increasingly targeted by QSAs and the card brands; the image files are stored cardholder data and fall under the same storage, retention and PAN-masking requirements as a database, and the fact that the PAN is a picture rather than text does not take them out of scope.
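As an added example (not code from the slide deck) for the scanned-image and call-recording problem above, and for the Requirement 3/10 point that logs must not carry full PANs: once an image has been through OCR or a call has been transcribed, what is left is finding card numbers in free text. The scanner below pairs a separator-tolerant regex with a Luhn check so that tracking numbers and phone numbers do not drown out real hits, and masks what it finds. The sample texts are constructed for this example and use public test card numbers.

```python
# Added example (not from the slide deck): discovering card numbers in
# unstructured data, i.e. the OCR output of a scanned form, an IVR call
# transcript or an application log. The sample texts below are constructed
# for this example and contain public test card numbers only.
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit; drops most order IDs, tracking and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First six and last four only (Req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits(m) -> str:
    return re.sub(r"[ -]", "", m.group())


def find_pans(text: str) -> list:
    """Return (offset, masked PAN) for every Luhn-valid candidate."""
    return [(m.start(), mask(_digits(m)))
            for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits(m))]


def redact(text: str) -> str:
    """Replace each PAN with its masked form; leave other numbers untouched."""
    def repl(m):
        d = _digits(m)
        return mask(d) if luhn_valid(d) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed samples: OCR of a scanned order form, an IVR transcript in
# which the caller reads digits one at a time, and one application log line.
SCANNED_FORM = (
    "Name: J. Doe  Card No: 4111 1111 1111 1111  Exp 09/14\n"
    "Phone: 407-555-0134  Tracking: 1234567890123456\n"
)
IVR_TRANSCRIPT = (
    "Agent: go ahead with the card number\n"
    "Caller: 5 5 5 5 5 5 5 5 5 5 5 5 4 4 4 4, expiry twelve fourteen, code 4 2 0\n"
)
APP_LOG = "2012-10-03 14:02:11 INFO order=A1002 pan=378282246310005 amount=19.99\n"

if __name__ == "__main__":
    for name, text in (("form", SCANNED_FORM), ("ivr", IVR_TRANSCRIPT), ("log", APP_LOG)):
        print(name, find_pans(text))
        print(redact(text), end="")
```

The tracking number in the form is a 16-digit string the regex alone would flag; the Luhn filter discards it. The transcript shows why spoken-digit transcripts need the separator-tolerant pattern, and also why redaction is only half the job: the security code ("4 2 0") is still in the text and must be dropped entirely, not masked.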

Questions?