PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

PCI DSS Program Overview PCI Standards Council Payment Industry Terminology What Level Are We? (Levels) It’s Not Just IT !! Myths & Reality…. Why Do We Need To Focus On The DSS PGSecure Can Help (QSA, only 1800 Certified Worldwide)

PCI DSS Program Overview An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis Founding Brand Members American Express Discover Financial JCB MasterCard Worldwide Visa Inc.

Payment Industry Terminology Cardholder Customer purchasing goods either as a “Card Present” or “Card Not Present” transaction Receives the payment card and bills from the issuer Issuer Bank or other organization issuing a payment card on behalf of a Payment Brand Payment Brand issuing a payment card directly (Amex, Discover, JCB) Merchant Organization accepting the payment card for payment during a purchase QSAC - QSA QSA’s are only certified and Valid if working for a Qualified Security Assessor Company

Provide authorization, clearing and settlement services to merchants Payment Industry Terminology Acquirer Bank or entity the merchant uses to process their payment card transactions Receive authorization request from merchant and forward to Issuer for approval Provide authorization, clearing and settlement services to merchants Determines and advises the Merchant Level (1-4) of all merchants. Acquirer is also called: Merchant Bank ISO

Payment Industry Terminology The merchant will incur any liability that may result as a non compliance with payment brand compliance programs Merchant are not compliant until all requirements have been met and validated Acquirer is responsible for providing merchant status to the payment brands Acquirer is responsible for merchant compliance Ensure that their merchants understand PCI DSS Compliance requirements and track compliance efforts Manage merchant communications Merchant Levels are: Defined by the Payment Brand Determined by the Acquirer based on transaction volume of each card brand

Payment Industry Levels 1 to 4 Amex Discover JCB MC Visa (*) 1 2.5M > or any merchant that is deemed L1 6M > or any merchant that is deemed L1 or merchant required by other brand as level 1 1M > or any compromised merchants 6M > MasterCard or Maestro transactions or Merchants that have experienced an account data compromise or merchant required by other brand as level 1 (*) 6M > (all channels) or any merchant required by other brand as level 1 2 50K to 2.5M or any merchant that is deem L1 1 to 6M or or merchant required by other brand as level 2 <1M annually >1M < 6M MasterCard or Maestro transactions >1M < 6M Visa transactions (all channels) 3 < 50K 20K to 1M card not present or merchant required by other brand as level 3 N/A >20K combined MasterCard and Maestro e-commerce transactions <1M 20K to 1M e-commerce transactions Visa transactions annually 4 All other Discover merchants All other Merchants 20K e-commerce transactions and all other merchants processing up to 1M Visa transactions annually Canada - Mandatory signoff by a QSA for all SAQ’s

PCI just does not apply to us, because… It’s Not just IT – Myths Vs. Reality ? Myth # 1 PCI just does not apply to us, because… We are to small, a small Company or Non Profit Org., only do some e-commerce or POS, we outsourced “everything”… Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit card holder data,” no exceptions! The organization must be compliant not just IT !

Myth : PCI is easy: just have to “say Yes” on SAQ and “get scanned” It’s Not just IT – Myths Vs. Reality ? Myth # 2 Myth : PCI is easy: just have to “say Yes” on SAQ and “get scanned” Reality: Not exactly – you need to: A) Get a scan 4 times a year and resolve the vulnerabilities found – Need 4 clean scans per year. B)Really do the things the questions refer to – and Prove It!! C) Keep doing it – forever! D) SAQ Signoff by a Qualified Security Assessor working for a QSAC

Myth : My tools are PCI compliant, my network and apps are too!! It’s Not just IT – Myths Vs. Reality ? Myth # 3 Myth : My tools are PCI compliant, my network and apps are too!! Reality: there is no such thing as “PCI compliant tools or networks: Fact – The PCI DSS applies to the organization as a whole. PCI DSS combines technical AND process, policy, management issues; awareness and practices as well. Example: An application may be compliant however this is only 1 element of the standard in overall compliancy.

Why do we need to focus on the PCI DSS ?

Why do we need to focus on the PCI DSS ?

Why do we need to focus on the PCI DSS ?

Why do we need to focus on the PCI DSS ? Where do the attacks come from? Most come from foreign soil – very difficult to track and seek legal action against – Most of all loss of reputation is the biggest factor. “Remember the Passport incident?” - NO CHD lost however “Web attacks” compromised many peoples personal information…

PCI DSS It Can’t Happen To Me !!! “Direct correlation to number of employees in a company and breach percentage.”

PCI DSS It Can’t Happen To Me !!! PCI Data Breach Fines and Penalties • Stiff fines and penalties ranging from $10K - $500K per month for non-compliance • $500K fine per credit card data compromise incident if not PCI compliant • $100K fine if Visa is not immediately notified of a suspected data breach • If track data or other sensitive data elements was compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as cost of card reissuance (est. $7-$20 per card) • Probable termination of credit card processing privileges for a period of time. Other: • Cost associated with brand damage and lost revenue • Forensics assessment, incident investigation and containment • Identity protection for impacted individuals (~$30 per person) • IT and security remediation and enhancements • Potential lawsuits and liability in the event that privacy data was compromised • Cost of recertification • Cost of Level 1 mandated assessments (75K or more annually) until the acquirer is satisfied to move the merchant back to the true merchant level.

Steps in the process… Identify the major gaps and opportunities to improve your current security posture PCI Data Security Readiness Review PCI Data Security Assessment A full Data Security Assessment performed in accordance with the PCI Data Security Standard and Audit Procedures Provide consulting services to help client understand the intent of each requirement in the Self Assessment Questionnaire SAQ Consulting Signoff A consolidation and remediation of gaps found in your cardholder information processing environment after a PCI Security Assessment. PCI Data Security Remediation Service

PCI DSS V1.2

Why Us ? We have extensive experience working with government and large Canadian cities. (Nomination for Gov of Alberta Award of Excellence) We have local based QSA’s out of the 1800 certified worldwide. We have local based PA-QSA’s out of 350 certified worldwide. We are focused only on Security, Compliance and forensics.

Questions ? Paul Grégoire, QSA, PA-QSA PCI DSS V1.2 Questions ? Paul Grégoire, QSA, PA-QSA Senior Security Architect | Compliance Paul@pgsecure.com Phone: 204.899.6662

PCI DSS V1.2 SAQ Definitions