
PCI Compliance: What’s All the Fuss?

Bob Russo, November 7, 2008


Presentation Transcript


  1. PCI Compliance: What’s All the Fuss? Bob Russo November 7, 2008

  2. The PCI Security Standards Council
     • An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
       • Data Security Standard (DSS)
       • Payment Application Data Security Standard (PA-DSS)
       • PIN Entry Device (PED)

  3. PCI SSC - The Standards

  4. The PCI Security Standards Council Founders

  5. PCI DSS Drivers
     Inputs feeding the PCI Data Security Standard: ADC forensics results, industry best practices, security scans, on-site audits, the Self-Assessment Questionnaire, the Advisory Board, the Community Meeting, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs), and proactive feedback from POs and the assessor community.

  6. Notable Successes
     • Over 500 Participating Organizations around the world
     • Successful Community Meetings with over 700 attendees from around the world
     • Board of Advisors driving special interest groups
       - Wireless
       - Pre-authorization
     • 164 current QSA Companies, of these 74 are also ASV Companies
     • Total QSAs (individuals) trained to date is 1,063
     • Additional devices added to PED Standard
     • Implemented two-year lifecycle process for DSS & SAQ
     • PCI SSC participated in 33 events worldwide
     Assessor Servicing Markets per Region: Asia Pacific: 29 | Canada: 16 | CEMEA: 28 | Latin America & Caribbean: 27 | United States: 87 | Europe: 57

  7. Roles and Responsibilities of the Council
     PCI SSC does not…
     • Manage or drive compliance
       • Each brand continues to maintain its own compliance programs
       • Identifies stakeholders that need to validate compliance
       • Definitions of validation levels
       • Fines and fees
     PCI SSC…
     • Is an independent industry standard
     • Manages the technical and business requirements for how payment data should be stored and protected
     • Maintains list of qualified PCI assessor community
       • QSAs, ASVs, PA-QSAs and PED Labs

  8. Resources Provided by Council
     • Security standards and supporting documents
     • Frequently asked questions
     • List of approved QSAs, ASVs, PA-QSAs, PED Labs
     • Education and outreach programs
       • Webinars
       • Newsletters/bulletins
     • Council appeared in almost 300 pieces of coverage globally since January
     • Searchable FAQ tool for all standards-related questions
     • Participating organization membership, community meetings, qualifications standards feedback
     • One global voice for the industry

  9. PCI SSC Standards

  10. Threat Landscape
     Implementing the standard is a journey, not a destination.
     Risky behavior:
     • 81% store payment card numbers
     • 73% store payment card expiration dates
     • 53% store customer data from magnetic stripe on card
     • 16% store other personal data
     Source: Forrester Consulting, Sept. 2007

  11. The Cost of Complying / The Cost of Not Complying
     Three categories of compliance cost:
     • Upgrading payment systems and security
     • Verifying compliance (assessment)
     • Sustaining compliance
     The same study estimated non-compliance costs significantly higher, including:
     • “Crisis” cost upgrades
     • Repeat assessments
     • Notification costs
     • Brand reputation
     • Shareholder and consumer lawsuits
     How much does this cost your organization? For merchants with complex or older systems, it may cost millions. The cost of a breach can easily be 20 times the cost of PCI compliance.
     Source: “PCI Compliance Cost Analysis: A Justified Expense.” A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan. 2008. [This study utilized data from several sources including level 1 and level 2 merchants with 2,000 – 2,500 retail locations.]

  12. Forensics Statistics
     Data targeted:
     • Consumer data
       • Payment card information: credit / debit; card-present / CNP
       • Personal check information
     • Identity-related data
       • Name, address, email
       • Social security, social insurance
       • IRS / tax return information
     • Company-proprietary
       • Financial records
       • HR / employee data
       • Product strategy & roadmap
       • Trade secrets & technology
     • > 60% payment cards vs. others
     Inside jobs vs. intrusions:
     • 17% inside
     • ~77% are partial insiders
     Breach sources:
     • ~13% inside U.S.
     Case commonalities:
     • 19% SQL injection
     • 45% POS systems
     • 10% wireless infrastructure
     • ~50% via 3rd party connections
     Incident detection:
     • >75% via allegation of compromise
     Findings percentages:
     • 92% confirmed security breach
     • >60% confirmed data compromise
     Vulnerability scanning, SQL injection cases:
     • 71% had commercial scanning
     • 63% detected SQL vulnerability
     • 15% in scan reports for 1 year +
     Law enforcement involvement:
     • 87% of cases

  13. The Five Stages of Grief
     • Denial: “It doesn’t apply to me.” Response: PCI compliance is mandatory.
     • Anger: “It isn’t fair.” Response: PCI applies to all parties in the payment process.
     • Bargaining: “I’ll do some of it.” Response: Compliance is “pass / fail”.
     • Depression: “I’ll never get there.” Response: Many merchants already have.
     • Acceptance: “It’ll be OK.” Response: PCI doesn’t introduce any new, alien concepts.

  14. The PCI Data Security Standard
     • The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures
     • This comprehensive standard is intended to help organizations proactively protect customer payment data
     Payment Card Industry (PCI) Data Security Standard, Version 1.2, released October 2008

  15. The PCI Data Security Standard: Six Goals, Twelve Requirements

  16. Summary of PCI Requirements
     Build and Maintain a Secure Network
     • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
     • Requirement 3: Protect stored cardholder data
     • Requirement 4: Encrypt transmission of cardholder data across open, public networks

  17. Summary of PCI Requirements
     Maintain a Vulnerability Management Program
     • Requirement 5: Use and regularly update anti-virus software
     • Requirement 6: Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
     • Requirement 7: Restrict access to cardholder data by business need-to-know
     • Requirement 8: Assign a unique ID to each person with computer access
     • Requirement 9: Restrict physical access to cardholder data

  18. Summary of PCI Requirements
     Regularly Monitor and Test Networks
     • Requirement 10: Track and monitor all access to network resources and cardholder data
     • Requirement 11: Regularly test security systems and processes
     Maintain an Information Security Policy
     • Requirement 12: Maintain a policy that addresses information security for employees and contractors

  19. SAQ Objectives
     Self Assessment Questionnaires
     • Alignment with the PCI DSS v1.2
     • Based on industry feedback
     • Flexibility for multiple merchant types
     • Providing guidance for the intent and applicability of the underlying requirements
     (Shown: Self-Assessment Questionnaire (SAQ) A)

  20. Self Assessment Questionnaire

  21. The Payment Application Data Security Standard
     • Distinct from but aligned with PCI DSS
     • PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers’ PCI DSS compliance
     • This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data
     Payment Application Data Security Standard (PA-DSS)

  22. The Payment Application Data Security Standard

  23. PIN Entry Device Requirements
     Physical attributes
     • Attributes that deter physical attacks, e.g. penetration of the device to determine key(s), or planting a PIN-disclosing bug within
     Logical attributes
     • Logical security characteristics include functional capabilities that preclude allowing the device to output a clear-text PIN encryption key
     The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as to non-cardholder interface devices (hardware security modules).

  24. PCI DSS Applicability Information
     [1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
     [2] Sensitive authentication data must not be stored after authorization (even if encrypted).
     [3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
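The applicability rules on slide 24 (sensitive authentication data is never stored after authorization, even encrypted; the PAN is what brings a record into PCI DSS scope) and the slide 10 finding that most surveyed merchants store card numbers are illustrated by the following added Python example. It is not part of the presentation or of any PCI SSC material. It assumes a flat transaction record whose field names (`pan`, `track1`, `track2`, `chip_track_image`, `pin`, `pin_block`, `cvv`, `notes`) are my own choice, treats those SAD fields as never persistable after authorization, masks the PAN down to its last four digits (an assumed display convention), and scans free-text fields for stray Luhn-valid card numbers so that accidental PAN storage is caught before a record reaches disk.

```python
import re

# Field names treated as sensitive authentication data (SAD). Slide 24 names
# full track data (magnetic stripe or chip image) and PIN data; the card
# verification code field "cvv" is an assumption added for this example.
SAD_FIELDS = frozenset({"track1", "track2", "chip_track_image", "pin", "pin_block", "cvv"})

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Candidates are then confirmed with Luhn.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (assumed display mask for this example)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PAN-looking substrings found in free text."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def _mask_if_pan(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return mask_pan(digits) if luhn_ok(digits) else m.group(0)


def scrub_for_storage(record: dict) -> dict:
    """Return the version of a post-authorization record that may be persisted.

    - SAD fields are dropped outright; encrypting them would not make them storable.
    - The PAN field is masked.
    - Free-text fields are scanned and any stray Luhn-valid PAN is masked in place.
    """
    stored = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            continue
        if key == "pan":
            stored[key] = mask_pan(value)
        elif isinstance(value, str):
            stored[key] = PAN_CANDIDATE.sub(_mask_if_pan, value)
        else:
            stored[key] = value
    return stored


# Constructed sample record. 4111 1111 1111 1111 is a widely used Luhn-valid test
# number; the track and PIN values are placeholders, not real data.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/10",
    "track2": "CONSTRUCTED-TRACK2-DATA",
    "pin_block": "CONSTRUCTED-PIN-BLOCK",
    "amount": "19.99",
    "notes": "customer read card 4111111111111111 over the phone; order 1234567890123456",
}

if __name__ == "__main__":
    print(scrub_for_storage(SAMPLE_RECORD))
```

The order number in `notes` is left alone because it fails the Luhn check, while the card number read over the phone is masked; in a real system the scan over free-text fields is the part that catches the "81% store payment card numbers" problem, since the structured `pan` field is rarely the place where card data leaks into storage unnoticed.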

  25. How To Get Involved

  26. Global Participation & Representation
     More than 500 organizations have been accepted:
     • North America: 411
     • Asia Pacific: 12
     • Europe: 78
     • Latin America / Caribbean: 6
     • Central Europe / Middle East / Africa: 14

  27. Participating Organizations Categories

  28. Board Representation & Special Interest Groups
     A Seat at the Table…
     • Financial institutions
     • Merchants
     • Gateways
     • Processors
     • Service providers
     • EFT networks
     • Associations
     • Vendors

  29. Participating Organization Privileges
     • Vote and run for Participating Organization Board of Advisors
     • Comment on DSS, SAQ, PED, PA-DSS and on other PCI SSC documentation, prior to public release
     • Attend Community Meetings
     • Attend Webinar meetings
     • Recommend new initiatives and standards
     • Early updates on upcoming press releases
     • Monthly bulletin from SSC General Manager
     • Coming soon: Exclusive private Web site for PO and assessor community
     Reserve Your Seat at the Table

  30. Community Meeting
     Stakeholders at the Community Meeting: Merchants, Acquirers, Approved Scanning Vendors, Qualified Security Assessors, Service Providers, Brands

  31. Participating Organizations
     Chart categories: Merchants, Processors, Financial Institutions, Merchants Associations, POS Vendors, Other
     For a full list: www.pcisecuritystandards.org/join/participating_organizations.htm

  32. Need More Information?

  33. Thank You!
