
.. PCI Payment Card Industry Compliance October 2012




Presentation Transcript


  1. PCI Payment Card Industry Compliance, October 2012. Presented By: Jason P. Rusch

  2. Jason P. Rusch • 15 years experience in Information Technology • 8 years experience in I.T. governance, risk, compliance and security management • US Navy Communications and Intelligence Specialist • Humana Inc., The Walt Disney Company, Hard Rock Int. • (CISSP) - Certified Information Systems Security Professional • (CISA) - Certified Information Systems Auditor • (CISM) - Certified Information Security Manager

  3. Where did PCI-DSS come from?? • 2004 The card brands (Visa, MasterCard, American Express, Discover and JCB) merge their individual security programs into one standard, the Payment Card Industry Data Security Standard (PCI-DSS v1.0). • 2006 The brands form the Payment Card Industry Security Standards Council (PCI-SSC) to own and maintain the standard. • PCI-SSC Participants - Beyond the founding brands, the PCI-SSC also includes other stakeholders such as merchants, acquiring/processing banks and payment system vendors (e.g. Wal-Mart, The Walt Disney Company, Chase, PayPal, Micros, Radiant).

  4. What is the PCI-DSS?? • PCI-DSS is organized as 6 control objectives made up of 12 top-level requirements, which break down into roughly 324 requirements and sub-requirements (testing procedures are counted separately).

  5. What is the PCI-DSS?? • The PCI data security standard is not a law; it is a contractual set of requirements created and governed by the PCI-SSC and enforced through the card brands by the acquiring banks. • The PCI-DSS is on a three-year revision cycle and is currently at version 2.0 (released October 2010). • PCI-DSS Governed Entities • Banks (acquiring and processing) • Merchants • Service Providers • Vendors

  6. What does PCI-DSS include (scope)??

  7. PCI-DSS includes (the basics)? • CVV - Card Verification Value, encoded in the magnetic stripe (track data); it is never printed on the card. • PAN – Primary Account Number, the 13 to 19 digit card number. • Security Code (CVV2/CVC2/CID) – the 3 or 4 digit printed code located on the back of MasterCard, Visa and Discover cards (front of AMEX). IMPORTANT NOTE Full track data, the CVV/CVV2 security code and PIN/PIN block are "sensitive authentication data": they must never be stored after authorization, encrypted or not. Only the PAN (rendered unreadable), expiry date, service code and cardholder name may be retained.

  8. The CVV code and security PIN? • Security Code – NEVER store the 3 or 4 digit code located on the back of MasterCard, Visa and Discover cards (front of AMEX). • PIN – NEVER store the cardholder PIN or the encrypted PIN block.

  9. Merchant Levels Defined (Visa definitions; MasterCard's are similar)

  Level   Merchant transactions
  1       Over 6 million transactions annually (any channel)
  2       1 million to 6 million transactions annually (any channel)
  3       20,000 to 1 million e-commerce transactions annually
  4       Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually

  10. What does a Merchant have to do?? • Level 1 and 2 merchants – Validation of compliance is required annually by an external "Qualified Security Assessor" (QSA), and a "Report On Compliance" (ROC) must be submitted to the merchant's acquiring bank annually. • Visa and MasterCard enforce PCI-DSS differently on level 1 and 2 merchants: Visa only requires a ROC from level 1 merchants, whereas MasterCard requires a ROC from both level 1 and level 2 merchants (since 2010). • Level 3 and 4 merchants – Submission of a Self Assessment Questionnaire (SAQ) to the acquiring bank annually, typically together with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

  11. Non-Compliance, Data Breach Fine Process • The credit card companies fine the acquiring bank of the merchant, and the bank then passes that fine down to the merchant. • Important Note - The bank can and in many cases does add to the fine and increases the total amount fined.

  12. What happens if there is a credit card breach?? • Damage to public image due to news coverage. • Brand name degradation. • Loss of customer confidence. • Fines and penalties for non-compliance. • Short or long term suspension of the merchant's ability to accept credit and debit cards. • Increase in transaction fees. • Cost of lawsuits, legal settlements and judgments. • Forensics, investigation and containment costs (a brand-mandated PCI Forensic Investigator engagement is paid for by the merchant).

  13. What Should You Do? • Large YMCAs – If you are a large YMCA, a group of YMCAs and/or in a large market, I would recommend the following. • Consult with a QSA firm. • Determine your merchant level and your TOTAL transaction count across all channels (card present, e-commerce, phone). • If your systems, applications or data reside with a service provider, ask for evidence of their PCI compliance status (their attestation and the date it was issued). • With the assistance of a QSA, complete your "Self Assessment Questionnaire" (SAQ) and communicate the result to your bank.

  14. Things You Can Focus On? • Define Scope & Data Flows (map every place card data enters, moves and rests, and define the cardholder data environment (CDE); anything that touches or can reach card data is in scope). • Policy & Procedure (maintain a simple information governance and security policy framework). • User Account Management (role based access, password management, periodic account reviews). • Vulnerability Management (patch management, antivirus, quarterly PCI vulnerability scans). • Change Management (add procedures to your change management process to identify PCI-scope systems so that the required controls are applied to them).

  15. Areas That Are The Most Challenging • Encryption – PCI-DSS requires that the Primary Account Number be protected with strong cryptography whenever it crosses open, public networks (Requirement 4) and be rendered unreadable wherever it is stored (Requirement 3.4), by truncation, one-way hashing, index tokens or strong encryption with properly managed keys. • Penetration Tests – PCI-DSS requires that a merchant have a penetration test performed at least annually (and after any significant change) against both its external/web facing DMZ and its internal cardholder data environment, by a qualified tester who is independent of the systems being tested (Requirement 11.3). • Logging & Monitoring – Logging and daily review of all access to cardholder data and to the cardholder data environment, with logs retained for at least one year (Requirement 10).
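The two storage rules above (never keep the security code or track data after authorization; render the PAN unreadable wherever it is kept) and the scoping step on the previous slide (find where card data actually lives) are the part of the standard that developers and log owners hit first. The block below is an added example, not code from the presentation: it locates PAN-shaped numbers in free text with a Luhn check, masks them to the first-six/last-four form PCI-DSS permits for display and logs, and builds a storage record that keeps only the masked PAN, the expiry and a keyed one-way hash for matching while deliberately dropping the CVV2 and track data. The card numbers in the sample text are the published brand test numbers, not real accounts; the HMAC key and field names are assumptions for illustration.

```python
"""
Added example (not from the presentation): PAN discovery, masking and a
storage record that refuses to persist sensitive authentication data.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check. Every brand's PAN passes it, so it removes most
    false positives such as timestamps and order numbers (about 1 in 10 random
    digit strings still passes, so treat hits as candidates for review)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators a human or a form might have inserted."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digits-only PANs found in text (used when scoping data stores,
    file shares and logs for the cardholder data environment)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits; the middle digits are
    replaced, never stored, which is the maximum PCI-DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub(text: str) -> str:
    """Replace every PAN in text with its masked form, e.g. as a log filter so
    a full PAN never reaches disk and pulls the log server into scope."""
    def repl(m: "re.Match") -> str:
        digits = _normalise(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def storage_record(pan: str, expiry: str, cvv2: str, track2: str, key: bytes) -> Dict[str, str]:
    """What may be kept after authorization: the masked PAN, the expiry, and a
    keyed one-way hash of the PAN for matching repeat cards (HMAC under a key
    held in an HSM or key-management service, never beside the data; an
    unkeyed hash of a 16-digit number is trivially brute-forced).
    CVV2 and track data are accepted only so the caller can see that they are
    dropped on purpose: sensitive authentication data must never be stored."""
    del cvv2, track2
    return {
        "pan_masked": mask_pan(pan),
        "pan_hmac": hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest(),
        "expiry": expiry,
    }


# Constructed sample input: a log line that should never have been written.
SAMPLE_LOG = "order 20121015 card 4111 1111 1111 1111 exp 12/14 cvv 123 amex 378282246310005"

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
    print(storage_record("4111111111111111", "12/14", "123", ";4111...?", b"demo-key-from-hsm"))
```

The regex deliberately accepts separators because exported spreadsheets and call-centre notes rarely hold PANs as a clean digit run; the Luhn filter then keeps the 14-digit order timestamp in the sample line from being reported as a card number. Run the same `find_pans` over file shares, database dumps and recorded-call transcripts before drawing the CDE boundary, since every hit is a system in scope.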

  16. Areas Not Often Thought About? • Audio – IVR and call recordings of customer conversations with CSRs that contain card numbers and security codes. • Because QSAs tend to treat recorded audio card data as low risk, this is not an area they actively pursue or are strict on; they will, however, require compensating controls at a minimum (for example pausing the recording while the card is read, or purging the security code from stored recordings, since the recording otherwise stores sensitive authentication data). • Images – Scans of physical paper forms carrying customer card information, i.e. TIFFs, JPEGs, PDFs. • Paper forms that become digital card data through scanning are an area increasingly targeted by QSAs and the card brands: the scanned images and the file shares, e-mail systems and document stores they land in are all in scope.

  17. Questions?
