©2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com
PCI Compliance
How to Meet Payment Card Industry Compliance Standards
May 2015
Overview – PCI DSS
In the beginning …
Each major card brand had its own separate criteria for implementing credit card security. Merchants and processors who accepted multiple brands of cards needed to have a separate compliance program for each.
– Visa's Cardholder Information Security Program
– MasterCard's Site Data Protection
– American Express' Data Security Operating Policy
– Discover's Information Security and Compliance
– JCB's Data Security Program
Overview – PCI DSS
Now…
The major card brands have joined together to create a single compliance standard for all organizations that store, transmit, or process card data. This Data Security Standard (DSS) is administered and maintained by the Payment Card Industry (PCI) Security Standards Council.
Exercise – Who needs to comply with PCI?
1. Do you accept CC or Debit payment “in-person”?
– Yes/No
2. Do you accept CC or Debit payment over the phone?
– Yes/No
3. Do you accept CC or Debit payment via a website?
– Yes/No
4. Do you accept CC or Debit payment through the mail?
– Yes/No
5. Do you store or process Cards for someone else?
– Yes/No
Who needs to comply - Continued
If you answered “Yes” to any of the previous questions your organization is required to comply with all PCI Data Security Standards!
PCI security standards apply to all entities that store, process or transmit cardholder data.
Note: your liability for PCI compliance also extends to third parties involved with your process flow, so you must also confirm that they are compliant.
Who needs to comply - Continued
Compliance vs. Certification
Although every organization that answered “Yes” needs to comply with the standards, some organizations must also annually certify compliance using a Self Assessment Questionnaire (SAQ) or an independent third-party review and Report on Compliance (ROC).
PCI Merchant Levels
Merchant Level / Merchant Definition / Compliance
– Level 1
Definition: More than 6 million V/MC transactions annually across all channels, including e-commerce
Compliance: Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing
– Level 2
Definition: 1,000,000 – 5,999,999 V/MC transactions annually
Compliance: Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing
– Level 3
Definition: 20,000 – 1,000,000 V/MC e-commerce transactions annually
Compliance: Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing
– Level 4
Definition: Less than 20,000 e-commerce V/MC transactions annually, and all merchants across channels up to 1,000,000 VISA transactions annually
Compliance: Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing
PCI Service Provider Levels
Service Provider Level / Service Provider Definition / Compliance
– Level 1
Definition: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Compliance: Annual Onsite PCI Data Security Assessment, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing*
– Level 2
Definition: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Compliance: Annual Self Assessment Questionnaire, Quarterly Network Scans, Annual External and Internal Penetration Testing, Quarterly Wireless Testing*
Self Assessment or Qualified Security Assessor?
Qualified Security Assessor (QSA) companies are organizations that have been qualified by the Council to have their employees assess compliance with the PCI DSS standard. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS.
PCI DSS Self-Assessment Questionnaire (SAQ)
The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you may be required to share it with your acquiring bank. There are multiple versions of the PCI DSS SAQ to meet various business scenarios. Each SAQ includes a series of yes-or-no questions about your security posture and practices. The SAQ allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation. The SAQ validation type is not correlated with a merchant’s classification or risk level.
PCI DSS Self-Assessment Questionnaire (SAQ)
The PCI DSS SAQ consists of two components:
1. Questions corresponding to the PCI DSS requirements – appropriate to service providers and merchants
2. Attestation of Compliance – the organization’s certification that it was eligible to perform, and has performed, the appropriate Self-Assessment. The correct Attestation will be packaged with the SAQ selected.
Types of Self Assessment Questionnaires
There are five SAQ categories:
– A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
– B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
– C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage
– C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
– D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
PCI Self Assessment Questionnaires (SAQs)
Which SAQ do I complete? (Flowchart reproduced from the SAQ Instructions & Guidelines in the PCI SSC booklet “Navigating PCI DSS – Understanding the Intent of the Requirements”; each branch asks “Is this my merchant type?” and is answered YES or NO.)

SAQ A (13 questions) and Attestation – Outsourced all CHD: card-not-present, all cardholder data (CHD) functions outsourced
– Card-not-present only
– No CHD on any systems or premises, all outsourced
– Third parties are PCI DSS compliant
– No CHD over Internet
– Only paper is retained
– No electronic storage of CHD

SAQ B (29 questions) and Attestation – Imprint or standalone, dial-out terminals only, no electronic CHD storage
– Imprint machine or standalone dial-out terminals only
– Dial-out terminals not connected to any other systems
– Dial-out terminals not connected to the Internet, connected via phone line to your processor or acquirer
– No CHD over Internet
– Only paper is retained
– No electronic storage of CHD

SAQ C-VT (51 questions) and Attestation – Virtual terminals only: web-based virtual terminals only, no electronic CHD storage
– Third party hosted virtual terminal only, accessed by an Internet-connected web browser
– Merchant computer not connected to any other systems within environment
– Isolated in a single location, not connected to other locations or systems within environment (can be achieved with network segmentation)
– Virtual terminal solution provided and hosted by PCI DSS validated service provider
– No software installed or hardware attached to merchant computer that captures or stores CHD
– No other electronic transmission of CHD
– Only paper is retained
– No electronic storage of CHD

SAQ C (40 questions) and Attestation – Internet-connected payment application: POS or payment system connected to Internet, no electronic CHD storage
– POS or payment system and Internet on same device and/or same local area network (LAN)
– Payment application system/Internet device not connected to any other systems
– Single store location
– Only paper is retained
– No electronic storage of CHD
– POS vendor provides secure support

SAQ D (288 questions) and Attestation – All other merchants and all service providers eligible to complete an SAQ
Overview – PCI DSS – “Digital Dozen”
PCI DSS – Build & Maintain a Secure Network
Default password lists:
• http://www.phenoelit-us.org/
• http://www.cirt.net/passwords
• www.google.com – search for “default password”
PCI DSS – Protect Cardholder Data
• Minimize storage
• Implement data retention and disposal policies
• Do NOT store sensitive authentication data
• Mask displayed PAN
• Render PAN unreadable where stored
• Protect cryptographic keys
ADDITION: NEVER send unprotected PAN by end user messaging (email, chat, IM, etc…)
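Every control on this slide (minimize storage, mask displayed PAN, render stored PAN unreadable, keep PAN out of e-mail and chat) presupposes that you can find where PANs actually turn up, including in logs and support transcripts. The Python below is an added example, not part of the slide deck: it scans constructed sample lines for candidate card numbers, keeps only those that pass the Luhn check, and rewrites them to a first-six/last-four display form. The 13–19 digit pattern, the sample lines and the masking width are assumptions of this example, and the card numbers in the sample are industry test numbers.

```python
"""Locate candidate PANs in free text and mask them for display.

Added example, not part of the slide deck. Assumptions: a candidate is 13-19
digits, optionally separated by single spaces or dashes, that passes the Luhn
check; the display form keeps the first six and last four digits.
"""
import re

# 13-19 digits with optional single space/dash separators, not embedded in a
# longer digit run (so a 20-digit identifier is not reported as a card).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines; the card numbers are industry test numbers.
SAMPLE_LINES = [
    "2015-05-20 14:33:07 order=1001 card=4111 1111 1111 1111 amount=19.99",
    "2015-05-20 14:35:12 support chat: customer pasted 5555-5555-5555-4444",
    "2015-05-20 14:36:01 ticket 1234567890123456 opened",
    "2015-05-20 14:40:55 amex 378282246310005 declined",
]


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def mask_pan(digits: str) -> str:
    """First six and last four digits visible, the rest replaced by '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate in text, as a digits-only string."""
    return [
        _digits_only(m.group(0))
        for m in CANDIDATE_RE.finditer(text)
        if luhn_ok(_digits_only(m.group(0)))
    ]


def redact(text: str) -> str:
    """Rewrite each Luhn-valid candidate to its masked display form."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


def scan(lines) -> dict:
    """Map 1-based line number -> list of masked PANs found on that line."""
    hits = {}
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits[n] = [mask_pan(p) for p in pans]
    return hits


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LINES).items():
        print(f"line {n}: {masked}")
    for line in SAMPLE_LINES:
        print(redact(line))
```

The Luhn step matters: the 16-digit ticket number on the third sample line matches the digit pattern but fails the checksum, so it is neither reported nor masked. Running `scan` over exported mail, chat logs and application logs is a cheap way to confirm the “never send unprotected PAN by end-user messaging” rule is actually being followed, and the same scanner is the kind of check that supports the later “Understand where your data lives” step.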
PCI DSS – Maintain Vulnerability Mgmt Program
• “Use anti-virus…” REALLY???
• Secure software development and change control…
• Secure build checklists:
– CIS offers vendor-neutral hardening resources http://www.cisecurity.org/
– Microsoft Security Checklists http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
http://technet.microsoft.com/en-us/library/dd366061.aspx
– PA-DSS “certified” applications will have an Implementation Guide
PCI DSS – Implement Strong Access Controls
• Principle of minimum access and least privilege
• Unique IDs (NO shared IDs)
• Long/strong passwords, password controls, strong authentication
– Password protected screen saver time outs (15 min)
• Limit and monitor physical access
• Secure storage and tracking of media
PCI DSS – Regularly Monitor and Test Networks
• Process, system, and application logging
• Secure the audit logs
• Review and retain audit logs
• Regular testing:
– Quarterly*: Wireless testing & Vulnerability scanning
– Annual*: Penetration testing
• IDS/IPS and file integrity monitoring
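File integrity monitoring, the last bullet above, reduces to a simple loop: hash every file in the monitored tree, store that baseline somewhere the monitored systems cannot alter it, and periodically compare a fresh hash set against it. The Python below is an added example, not the deck’s or any vendor’s code; it builds a constructed directory tree in a temporary folder, baselines it with SHA-256, simulates a change, a deletion and an unexpected new file, and reports the difference. The file names and contents are constructed for the example.

```python
"""Minimal file-integrity monitor: baseline a directory tree, then detect
added, removed and modified files.

Added example, not part of the slide deck. Assumptions: SHA-256 hashes, a
JSON baseline kept outside the monitored tree, and a constructed sample tree
built in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map path (relative to root) -> SHA-256 for every regular file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = hash_file(full)
    return snap


def save_baseline(snap: dict, path: str) -> None:
    """Persist the baseline as JSON (keep it outside the monitored tree)."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Sorted lists of added, removed and modified relative paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "conf"))
        _write(os.path.join(root, "conf", "app.ini"), b"log_level=info\n")
        _write(os.path.join(root, "pos.ini"), b"merchant_id=TEST\n")
        _write(os.path.join(root, "app.bin"), b"\x00\x01\x02")

        baseline_path = os.path.join(store, "baseline.json")   # outside root
        save_baseline(snapshot(root), baseline_path)

        # Simulated changes between two scans: edit, delete, unexpected file.
        _write(os.path.join(root, "pos.ini"), b"merchant_id=CHANGED\n")
        os.remove(os.path.join(root, "app.bin"))
        _write(os.path.join(root, "new.log"), b"unexpected file\n")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is written to a separate directory on purpose: if it lived inside the monitored tree, anyone who could change a payment application binary could also rewrite the hash that would reveal the change, which is the same reasoning behind the “secure the audit logs” bullet.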
PCI DSS – Maintain Information Security Policy
What can you do today towards PCI Compliance?
- Implement strong Information Security Policies and Procedures
- Enforce Segregation of Duties Controls
- Prevent security loopholes: enable firewalls, configure IDS/IPS devices properly, minimize and isolate cardholder data storage
- Ensure safe web browsing and email usage policies
- Complete a Self Assessment Questionnaire as a gap assessment
- Test systems and processes to validate they behave as expected
- Scrutinize your vendor management policies, procedures, and current state
- Proper remote access for staff and vendors
- User awareness training is CRITICAL
- Strong software change and patch management controls
- Re-evaluate payment processes
Understand Where Your Data Lives
• Develop data flow diagrams
– Payment/data flow
– Where static data resides
• Who is mining data and for what purposes
• Understand how the back up system works
Cost of Non-Compliance
• The cost of non-compliance:
– Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of their Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively.
– For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.
• If you suffer a breach, you automatically become Level 1, with all of its more stringent compliance requirements
• More than $200 per compromised record
Cost of a Data Breach
Summary
• Store, Process, or Transmit…
• Determine Level and SAQ type
• Prioritized Approach
• Leverage other compliance activities
• Understand where your data is
Open Discussion and Questions
PCI DSS - Definitions
• Lots of Acronyms:
– ASV: Approved Scanning Vendor – vendor certified by the PCI Standards Council to have a vulnerability scanning tool/engine that meets DSS requirements
– CDE: Cardholder Data Environment – possesses cardholder data or sensitive authentication data
– QSA: Qualified Security Assessor – vendor certified by the PCI Standards Council to perform the PCI annual audit
– ROC: Report on Compliance – document to be submitted for the annual compliance requirement
– SAQ: Self Assessment Questionnaire – 5 versions: A, B, C, C-VT, and D
PCI DSS – Definitions - ADDITION
• Lots of Acronyms:
– PAN: Primary Account Number
– Cardholder Data:
• PAN
• Cardholder name
• Expiration date
• Service Code
– Sensitive Authentication Data: full magnetic stripe or chip data, CAV2/CVC2/CVV2/CID, PINs
– PA-DSS: DSS for Payment Applications
Thank You
“Information technology and business are becoming
inextricably interwoven. I don’t think anybody can
talk meaningfully about one
without talking about the other.”
-Bill Gates
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Steve Christensen, CIA, CRMA
Manager, Information Security
CliftonLarsonAllen, LLP
888-529-2648
651-283-7772 (mobile)