Demystifying PCI DSS
Transcript of Demystifying PCI DSS
www.rackspace.co.uk
Rackspace Partner Network
Demystifying Payment Card Industry Data Security Standard Compliance
Francis Ofungwu, Manager of Security Strategy, Rackspace
Agenda
• What is PCI-DSS?
• Why Should My Business or Clients Be PCI-DSS Compliant?
• Penalties For Non-Compliance
• Penalties For Security Breaches
• Key Steps Towards PCI-DSS Compliance
• How Rackspace Can Help
• Rackspace’s PCI-DSS Position
• Questions
What is PCI-DSS?
What is PCI-DSS?
According to the PCI Security Standards Council:
PCI-DSS is a set of comprehensive requirements for enhancing payment account data security.
• The standard was developed by the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
• The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.
• “PCI DSS should now be considered Business As Usual for any merchant accepting cards.” (HSBC PCI-DSS Merchant Guide-January 2008)
Why Should My Business Be PCI-DSS Compliant?
Why Should my Business or Clients be PCI-DSS Compliant?
If your business stores, processes, or transmits cardholder data, it is required to be PCI-DSS compliant.
This also applies to service providers that provide services to merchants who process, store, or transmit cardholder data.
Non-compliance with PCI-DSS could lead to:
• Loss of reputation
• Increased costs for accepting credit card transactions
• Substantial fines associated with security breaches and non-compliance
• Revocation of a merchant’s ability to accept credit card payments.
Penalties for Non-Compliance
Penalties for Non-Compliance
Penalties for non-compliance will depend on the card scheme.
Examples of non-compliance penalties are as follows:
Event | Penalty (Euro)
Non-compliance after 30 days of notification letter | 5,000 per incident of non-compliance
Non-compliance after 90 days of notification letter | 10,000 per incident of non-compliance
Non-compliance after 120 days of notification letter | 25,000 per incident of non-compliance
Penalties For Security Breaches
Penalties for Security Breaches
When there is a breach, the card scheme will require an independent forensic investigation. As with the penalties for non-compliance, the penalties levied for security breaches will depend on the card scheme. For example:
Number of compromised accounts | Penalty
0 - 19,999 | 25,000
20,000 - 99,999 | 100,000
100,000 - 199,999 | 200,000
200,000 - 299,999 | 300,000
300,000 - 399,999 | 400,000
400,000 - 499,999 | 500,000
>500,000 | 750,000
Key Steps Towards PCI-DSS Compliance
Key Steps Towards PCI-DSS Compliance
• Contact your merchant bank
• Conduct a scoping exercise
• Review business processes
• Utilise the information on the PCI-SSC Website https://www.pcisecuritystandards.org/
• Engage a QSA (Qualified Security Assessor)
• Engage an ASV (Approved Scanning Vendor)
• Don’t rest on your laurels
How Rackspace Can Help
How Rackspace can help
The Rackspace PCI-DSS Toolbox:
Rackspace’s PCI Toolbox solution: Hardware, Software, and Services
• Managed Cisco Firewalls
• VPN System Management Access (included with all firewalls)
• Sophos/Symantec Anti-virus protection
• SSL Certificates
• Alert Logic Intrusion Detection Services (IDS)
• PCI ASV Network Scanning Service (included with IDS)
• Physical System Security (included with standard support)
• Patch Management Services (included with standard support)
How Rackspace can help
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Fully Managed Cisco Firewalls
• VPN System Management Access
• Network Segmentation
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security requirements.
Rackspace implements industry best practices in network device deployments to ensure system hardening specifications required by the standard are met.
How Rackspace can help
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Rackspace provides a Managed Anti-Virus solution offering proactive protection against viruses, worms, Trojans, spyware and other malware.
Requirement 6: Develop and maintain secure systems and applications.
Rackspace provides reliable and flexible Managed Patching services to help maintain secure systems.
How Rackspace can help
Implement Strong Access Control Measures
Requirement 9: Restrict physical access to cardholder data
Rackspace physical security controls are based on the best practices set out in the ISO/IEC 27002:2005 Information Security Standard. These controls include:
• Data centre access limited to Rackspace data centre technicians
• Biometric scanning for controlled data centre access
• Security camera monitoring at all data centre locations
• 24x7 onsite staff provide additional protection against unauthorised entry
• Unmarked facilities to help maintain a low profile
How Rackspace can help
Regularly Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
Rackspace offers an Intrusion Detection System (IDS) service that meets a number of sub-requirements set out in Requirement 11 of the standard, including the requirement for PCI-SSC approved internal and external vulnerability scanning.
Rackspace’s PCI-DSS Position
Rackspace’s PCI-DSS Position
On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. The scope of Rackspace’s 2009 PCI Service Provider accreditation covers the following:
- Physical Security for:
  - UK & US Data centres
  - US & UK Offices
- Network Infrastructure (Routers & Switches)
- Rackspace employee access to Network Devices
Summary
Summary
• If you store, process, or transmit cardholder data, then you are required to be PCI-DSS compliant.
• There are penalties associated with non-compliance and data security breaches.
• Rackspace can help you and your clients drive PCI-DSS compliance through the PCI-DSS Toolbox.
• Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/
Questions