Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014
Page 1

Evolving Challenges of PCI Compliance

Charlie Wood, PCI QSA, CRISC, CISA
Principal, The Bonadio Group
January 10, 2014

Page 2

Agenda

• What is PCI?

• Evolution of PCI

• What is PCI DSS?

• Compliance

• What does this mean to me?

• Recent Breach of Target

• Q & A


Page 3

What is PCI?

The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.

• The PCI Security Standards Council


Page 4

Evolution of PCI

PCI Security Standards Council was founded in 2006 by the major card brands:

• Visa

• MasterCard

• Amex

• Discover

• JCB

Each card brand has input into the guidance provided by the Council.


Page 5

What is PCI (cont.)

A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to:

• Credit

• Debit

• HSA

• FSA

• Payroll


Page 6

Evolution of PCI (cont.)

The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:

• PCI DSS

• PA-DSS

• P2PE

• PTS


Page 7

What is PCI DSS?

• Core set of best security practices

• Set of 12 requirements broken down into 6 categories, as follows:

1. Build and maintain a secure network

2. Protect cardholder data

3. Maintain a vulnerability management program

4. Implement strong access control measures

5. Monitor and test networks

6. Maintain an information security policy


Page 8

What is PCI DSS?

• PCI DSS can include the following depending on the organization:

• PA-DSS

• P2PE

• PTS


Page 9

Common PCI Myths

• We don’t take enough cards to necessitate compliance

• We outsource card processing so we are compliant

• PCI is an IT issue

• PCI is unreasonable / difficult

• PCI compliance makes us secure

• We aren’t a target


Page 10

Compliance

• Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure

• Compliance is based on “Level” and “Type”

• Level is based on the number of transactions performed in a 12-month period

• Type is defined by how your organization takes credit cards


Page 11

Compliance (cont.)

Levels are based on the number of transactions. Visa defines them as follows:


Level Description

1 Organizations with over 6M Visa transactions per year OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa

2 Organization with 1M to 6M Visa transactions per year

3 Organization with 20,000 to 1M Visa e-commerce transactions per year

4 Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1M Visa transactions per year

Page 12

Compliance (cont.)

Types are defined by how your organization takes credit cards and are broken down as follows:


Type Description

A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants

B Imprint-only merchants with no cardholder data storage OR Stand-alone dial-up terminal merchants, no cardholder data storage

C Merchants with payment application systems connected to the Internet, no cardholder data storage

C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage

D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ

Page 13

What does this mean to me?

Based on the volume of transactions, organizations would be required to perform the following:


Level Visa Description

1 • Annual report on compliance (“ROC”) to be completed by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

2 • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

3 • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

4 • Annual SAQ recommended
  • Quarterly network scan by ASV
  • Compliance validation requirements set by merchant bank

Page 14

What does this mean to me? (cont.)

In English:

• Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls

Cost

• Hardware

• Software

• Internal Resources

• External Resources


Page 15

Recent Breach of Target

What happened:

• Lost ~40 million credit and debit cards

• Theft period: November 27 – December 15

• Malware on point-of-sale terminals, not detected until December 15


Page 16

Recent Breach of Target (cont.)

Common Questions

1. How could this happen?

2. Was Target PCI compliant?

3. How do I know if I was affected?

Costs?

• Credit score monitoring

• Fines, sanctions and lawsuits

• Reputational damage


Page 17

Q & A

Questions?

[email protected]

(585) 249-2757
