Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard Gary A Bannister – FCMA, AICPA, CGEIT
Learning Objectives • A basic understanding of PCI and its impact on information security. • How it is used by the courts. • The difference between best-practice compliance versus legal compliance.
The E-commerce Business Need for PCI • Of the approximately 650,000 fraud complaints the US Federal Trade Commission received each year in the period 2004 – 2006, identity theft was the single largest category, accounting for 35% – 36% of complaints. • 21% of banking institutions have either suffered a security breach in the past two years or do not know whether they have. Another 35% have been victims of a phishing attack. { * State of Information Security Survey 2008, www.bankinfosecurity.com }
Understanding PCI • There are 3 standards: • PCI Data Security Standard – PCI DSS • The core standard for merchants and processors. It is for protecting cardholder data. • Payment Application Data Security Standard – PA-DSS • This is for software developers who sell commercial applications for accepting and processing card data. • PIN Entry Device Security Requirements – PED • This is for manufacturers of payment card devices. • We will focus on PCI DSS.
The Standards Manager • The PCI Security Standards Council was founded in 2006. • Founded by the card brands: MasterCard, VISA, Discover, Amex and JCB. • They share equal responsibility in Council governance. • Others that participate include merchants, banks, hardware and software vendors, and other technical and legal working groups.
Crucial Roles in Compliance • Card Brand Compliance Programs • Each of the card brands has adopted the standard, but each has small variations in how it implements and enforces it (merchant levels, validation deadlines, fines). • Qualified Assessors • The Council qualifies two kinds of assessors: • The QSA – Qualified Security Assessor • The QSA is a consultant who assesses an organisation's compliance with the standard on site. • ASV – Approved Scanning Vendor • ASVs validate compliance with the standard's external network vulnerability scanning requirements (quarterly scans of Internet-facing systems). • Self-Assessment Questionnaire • Some merchants are able to self-assess rather than engage a QSA; this applies primarily to level 2 to 4 merchants. Level 1 merchants (the highest transaction volumes) require an on-site assessment.
How a Credit Card Payment Process Works • Authorisation • The merchant requests and receives authorisation from the issuer, via the acquirer and the card network. • This is where the cardholder data passes through the merchant's systems (terminal, web server, back-end), so there are many points of vulnerability that could expose the cardholder data to unauthorised access. • Clearing • The acquirer and issuer exchange information about the purchase. • Settlement • The merchant's bank (the acquirer) pays the merchant for the cardholder's purchase, and the cardholder's bank (the issuer) bills the cardholder or debits the cardholder's account.
Issues • Is PCI the law? • Only in Minnesota, under Statute 325E.64 (the Plastic Card Security Act). Note that it does not enact the whole standard: it prohibits retaining sensitive authentication data (security code, PIN data, full magnetic stripe contents) after authorisation, and makes a breached business liable to financial institutions for the costs of reissuing cards and reimbursing fraud. • Legislators in at least 10 other states thought Minnesota was a good idea and drafted bills of their own, but none of them passed. • Proposals were also made to Congress, but no bills were passed. • The view of most lawmakers is that anything passed would conflict with PCI DSS as it stands, since the standard changes faster than legislation can. • Other critics say that making it law would turn the PCI Security Standards Council and the card companies into quasi-legislative, quasi-judicial bodies with power to set regulations and punishments, yet accountable to no one. • So for now PCI is not the law, but it is enforceable under the private contractual conditions stipulated by each of the card brands (merchant agreements with the acquiring bank, backed by fines and the threat of losing the ability to accept cards).
Issues • High cost of compliance. • Vendor-backed standards are difficult to maintain and sustain. • When judges need a yardstick for "reasonable" security practice, they have looked at best practice as expressed in ISO 27002 and, alongside it, PCI DSS; failing to meet the standard can therefore be evidence of negligence even where the standard itself is not law. • The credit card companies demand compliance if a business or e-commerce site wants to accept their cards.