PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce

PCI-Data Security Standards What is PCI-DSS? Does PCI-DSS Apply to My Business? What are the Consequences of Non- Compliance? What are My Next Steps? Resources

What is PCI-DSS? 5 Major Credit Card Companies Created the Payment Card Security Standards Council Established (Almost) Common Data Security Standards for Credit Card Data

Does PCI-DSS Apply to My Business? “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” Applies to all system components which are defined as “any network component, server, or application included in, or connected to, the cardholder data environment”.

Merchant Levels LevelDescription 1 Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. 2 Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year. 3 Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. 4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year. Compliance Requirements Vary By Merchant Level

Compliance Validation Requirements LevelMerchant Validation Requirements 1 Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV 2 Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV 3 4 Validation Requirements Vary By Merchant Level

Consequences of Non-Compliance Increased Bank Fees Reclassification of Merchant Level Potential loss of card processing privileges

Consequences of a Breach Damage to Brand Mandatory involvement of federal law enforcement Merchant banks may pass along substantial fines levied by the credit card companies Up to $500,000 per incident from Visa Civil liability and cost of providing Identity Theft protection

PCI Goals and Requirements 6 Goals, 12 Requirements Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to- know Restrict physical access to cardholder data Assign a unique ID to each person with computer access Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security

Next Steps Complete the SAQ Create a remediation plan Find an ASV and schedule your quarterly network scans Check with your bank or credit card authority to find out when they expect to receive your SAQs and ASV scans. Obtain a statement of compliance or SAQ from each of your service providers.

Resources Your Bank PCI Security Council Website