Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Page 1:

Payment Card Industry Data Security Standard

AAFA ISC/SCLC Fall 08

Page 2:

PCI DSS: What is it?

A set of security requirements developed by the major payment card brands (and now maintained by the PCI Security Standards Council) to help organizations that process, store, or transmit cardholder data prevent card fraud and reduce other security vulnerabilities and threats.

Page 3:

Why should I care?

If you process, store, or transmit payment card data you should be compliant (the credit card companies expect it).

Non-compliant companies who process payment card transactions run the risk of:

Losing their ability to process credit card payments
Increased transaction rates
Audits
Fines

Or worse!…

Page 4:

Why should I care?

Approx. 100 million credit and debit card numbers were stolen from TJX (the parent company of TJ Maxx) by computer hackers.

455,000 customers who returned merchandise without receipts had their personal data stolen including driver’s license numbers.

Thieves used this data to acquire $1 million in merchandise with gift cards from Wal-Mart and Sam’s Club

AP - March 29, 2007

Page 5:

Why should I care?

Forrester estimate (4/15/08) - $1.35 billion
Facing possible class action lawsuits from customers
Offering 3 years of free credit monitoring for 455,000 customers
Compensating customers to replace driver's licenses if their number is the same as their social security number
Lost customer confidence and trust
Decrease in stockholder faith
Loss of revenue

AP - March 29, 2007

Failure to comply could be costly!

Page 6:

Why should I care?

TJ Maxx is not alone.

Will your company be next?

Page 7:

What's required to be compliant?

Under the current standard (version 1.2), there are 12 requirements organized into 6 logically related groups called "control objectives":

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Page 8:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Page 9:

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 10:

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Page 11:

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Page 12:

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Page 13:

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Page 14:

Myth #1: Breaches only happen to big-box retailers

Fact: Small- to medium-sized merchants are highly vulnerable and a frequent target. Based on most of the news coverage, security breaches may seem to happen only to huge corporations, such as the TJX security breach. But in reality, cardholder data compromises affect small online store owners far more frequently. Why? Because the sheer number of them (according to Visa, more than 6 million) makes them a more frequent target. Also, they are typically the least sophisticated technologically, making them an easier target for hackers and carders.

Page 15:

Myth #2: PCI compliant merchants cannot be breached.

Fact: While it is a critical step, PCI DSS compliance is only a periodic measurement at a point in time, not a guarantee. Just ask Hannaford Brothers groceries if PCI compliant merchants can't be breached. They were thought to be PCI compliant, but were still affected by a very public breach. There is a danger that organizations develop tunnel vision dealing with PCI at the expense of building a sound security program. Companies should develop a consistently high security posture, and in doing so they will achieve PCI compliance. Any system involving people is vulnerable, either from accidental error or intentional acts of theft.

Page 16:

Myth #3: E-commerce merchants that use PCI compliant shopping carts or payment gateways are by default PCI compliant.

Fact: This may be the case, but PCI guidelines cover not only data security but also physical security and the existence of written security policies. Once a year, regardless of how the merchant handles card data, every merchant is required to complete a Self-Assessment Questionnaire (SAQ), to complete the relevant Attestation of Compliance and, in most cases, to submit the SAQ and the Attestation of Compliance to their acquirer. While it is important that terminals, gateways and shopping carts are compliant, that does not guarantee that merchants are secure from a physical standpoint or that they have employee training programs or security policies in place. SAQ A was specifically developed for card-not-present merchants who fully outsource all cardholder data functions to validated third parties.

Page 17:

Myth #4: PCI compliance is too expensive.

Fact: Non-compliance can be very expensive, if not catastrophic. Non-compliance doesn't just result in costs associated with fines, credit card replacement and audit fees, but also in loss of business reputation and revenue. In fact, a recent study stated that 70 percent of the cost of non-compliance was loss of revenue. This is significant for big companies that are crucified in the press, but may be catastrophic for small vendors, putting them out of business.

Page 18:

Myth #5: PCI compliance is getting easier.

Fact: The PCI Security Standards Council is working hard to clarify and simplify the standard. For example, in October 2008 the Council released version 1.2 of the Self-Assessment Questionnaire (SAQ), and the SAQ now comes in four versions (SAQ A through D) instead of the previous one-size-fits-all approach. While segmenting merchants by validation type is a big step forward, it still causes confusion among many small merchants who are unclear on which SAQ they should complete. For small merchants in particular, protecting cardholder data and maintaining a secure environment remains a complex endeavor.