Evolving Challenges of PCI Compliance
Charlie Wood, PCI QSA, CRISC, CISA
Principal, The Bonadio Group
January 10, 2014
Agenda
• What is PCI?
• Evolution of PCI
• What is PCI DSS?
• Compliance
• What does this mean to me?
• Recent Breach of Target
• Q & A
What is PCI?
The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder data do so in a secure environment.
• The PCI Security Standards Council
Evolution of PCI
PCI Security Standards Council was founded in 2006 by the major card brands:
• Visa
• MasterCard
• Amex
• Discover
• JCB
Each card brand has input into the guidance provided by the Council.
What is PCI? (cont.)
A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to:
• Credit
• Debit
• HSA
• FSA
• Payroll
Evolution of PCI (cont.)
The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:
• PCI DSS
• PA-DSS
• P2PE
• PTS
What is PCI DSS?
• Core set of best security practices
• Set of 12 requirements broken down into 6 categories, as follows:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy
What is PCI DSS? (cont.)
• PCI DSS can include the following depending on the organization:
  • PA-DSS
  • P2PE
  • PTS
Common PCI Myths
• We don’t take enough cards to necessitate compliance
• We outsource card processing so we are compliant
• PCI is an IT issue
• PCI is unreasonable / difficult
• PCI compliance makes us secure
• We aren’t a target
Compliance
• Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
• Compliance is based on “Level” and “Type”
• Level is based on the number of transactions performed in a 12-month period
• Type is defined by how your organization takes credit cards
Compliance (cont.)
Levels are based on the number of transactions. Visa defines them as follows:
Level 1: Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa
Level 2: Organizations with 1M to 6M Visa transactions per year
Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year
Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1M Visa transactions per year
Compliance (cont.)
Types are defined by how your organization takes credit cards and are broken down as follows:
Type A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants
Type B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants with no cardholder data storage
Type C: Merchants with payment application systems connected to the Internet, no cardholder data storage
Type C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage
Type D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
What does this mean to me?
Based on the volume of transactions, organizations would be required to perform the following (Visa):
Level 1
• Annual Report on Compliance (“ROC”) to be completed by a Qualified Security Assessor (“QSA”)
• Quarterly network scan by an Approved Scanning Vendor (“ASV”)
• Attestation of Compliance form
Level 2
• Annual Self-Assessment Questionnaire (“SAQ”)
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 3
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 4
• Annual SAQ recommended
• Quarterly network scan by ASV
• Compliance validation requirements set by merchant bank
What does this mean to me? (cont.)
In English:
• Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls
Cost
• Hardware
• Software
• Internal resources
• External resources
Recent Breach of Target
What happened:
• Lost ~40 million credit and debit cards
• Theft period: November 27 – December 15
• Malware on point-of-sale terminals; not detected until December 15
Recent Breach of Target (cont.)
Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?
Costs?
• Credit score monitoring
• Fines, sanctions and lawsuits
• Reputational damage