Legal Issues Week 8– PCI – Payment Card Industry DSS Data Security Standard

Posted on 05-Jan-2016


Gary A Bannister – FCMA, AICPA, CGEIT

Learning Objectives

A basic understanding of PCI and its impact on information security.

How it is used by the courts.

The difference between best-practice compliance and legal compliance.

Why PCI

The E-commerce Business Need for PCI

Of the approximately 650,000 fraud complaints that the US Federal Trade Commission received each year in the period 2004 – 2006, identity theft was the main complaint 35% - 36% of the time.

21% of banking institutions have either suffered a security breach in the past two years, or don’t know whether they have. Another 35% have been victims of a phishing attack. (State of Information Security Survey 2008, www.bankinfosecurity.com)

Understanding PCI

There are 3 standards:

PCI Data Security Standard – PCI DSS. The core standard for merchants and processors. It is for protecting cardholder data.

Payment Application Data Security Standard – PA-DSS. This is for software developers who sell commercial applications for accepting and processing card data.

PIN Entry Device Security Requirements – PED. This is for manufacturers of payment card devices.

We will focus on PCI DSS.

The Standards Manager

The PCI Security Standards Council was founded in 2006 by MasterCard, VISA, Discover and Amex. They share equal responsibility in Council governance.

Others that participate include merchants, banks, hardware and software vendors, and other technical and legal working groups.

Crucial Roles in Compliance

Card brand compliance programs: each of the card company brands has adopted the standard, but they have some small variations in how they implement it.

Qualified assessors: the Council qualifies two kinds of assessors.

The QSA – Qualified Security Assessor. The QSA is a consultant who assesses an organisation’s compliance with the standard.

The ASV – Approved Scanning Vendor. ASVs validate compliance with the standard’s external network scanning requirements.

Self-Assessment Questionnaire: some merchants are able to self-assess, primarily level 2 to 4 merchants.

How a Credit Card Payment Process Works

Authorisation: the merchant requests and receives authorisation. There are many points of vulnerability at which the cardholder data could be exposed to unauthorised access.

Clearing: the acquirer and issuer exchange information about the purchase.

Settlement: the merchant’s bank pays the merchant for the cardholder’s purchase, and the cardholder’s bank bills the cardholder or debits the cardholder’s account.

Issues: Is PCI the Law?

Only in Minnesota, under Statute 365E.64. Legislators in at least 10 states thought Minnesota’s approach was a good idea and drafted bills of their own, but they never passed.

Proposals were also made to Congress, but no bills were passed. The view of most lawmakers is that anything passed would conflict with PCI DSS as it stands. Other critics say that making it law turns the PCI Security Standards Council and the card companies into quasi-legislative, quasi-judicial bodies with the power to set regulations and punishments while being accountable to no one.

So for now PCI is not the law, but it is enforceable under the private contractual conditions stipulated by each of the card brands.

Issues: High Cost

Vendor-backed standards are difficult to maintain and sustain.

Judges have looked at best practice, and alongside ISO 27002 they look at PCI.

The credit card companies demand compliance if businesses and e-commerce sites want to accept their credit cards.

Questions?