Date post: 13-Jun-2015
Category: Technology
Upload: calyptix-security
PCI DSS for IT Providers: The rules and impact on MSPs and VARs
For PCI DSS Version 3.0
#webclinic
What is PCI DSS?
• Payment Card Industry Data Security Standard
• Enforced by the PCI Security Standards Council
• Council formed by the five major card brands shown
What's the goal?
• Cardholder data:
  – Primary account number
  – Cardholder name
  – Expiration date
  – Service code
• Sensitive authentication data:
  – Full track data (from magnetic stripe)
  – CAV2 / CVC2 / CVV2 / CID
  – PIN blocks
• Protect cardholder data and sensitive authentication data
What does it cover?
• All components of the "cardholder data environment"
• Includes all people, processes, and technology that handle cardholder data
• Examples:
  – Payment card readers, POS systems, PCs
  – Firewalls, routers, switches, servers
  – Purchased and custom applications
The Threat is Real
• Top motivation of cyber threats: money
• POS malware is proliferating
• Retailers large and small are being breached
Source: 2014 Verizon Data Breach Investigations Report
Who has to comply?
• Merchants
• Processors
• Financial institutions
• Service providers
• Anyone who stores, processes, or transmits cardholder data
What about MSPs and VARs?
• Must comply internally if you accept payment cards
• Must ensure the services you deliver to clients support their compliance
• Our recommendation: find a compliance expert
PCI DSS = Opportunity for IT Providers
• Clients need your expertise
• Offer new products and services for compliance
• Security is more than "compliance", so offer enhanced protection
PCI DSS = Potential trap for IT Providers
• Failure to comply could cost you:
  – Customer confidence
  – Sales and revenue
  – Reputation, brand damage
  – Malpractice lawsuits
  – Fines and penalties
  – Cost of reissuing cards
Penalties for Noncompliance
• Card brands can issue fines of $5,000 to $100,000 per month
• Higher transaction fees
• Many small victims go out of business
  – Cost of a breach can include containment, forensic investigation, legal fees, audits, card replacement
What are the rules?
• Build and Maintain a Secure Network and Systems
  – 1. Install and maintain a firewall configuration to protect cardholder data
  – 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – 3. Protect stored cardholder data
  – 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – 5. Protect all systems against malware and regularly update anti-virus software or programs
  – 6. Develop and maintain secure systems and applications
What are the rules?
• Implement Strong Access Control Measures
  – 7. Restrict access to cardholder data by business need to know
  – 8. Identify and authenticate access to system components
  – 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  – 10. Track and monitor all access to network resources and cardholder data
  – 11. Regularly test security systems and processes
• Maintain an Information Security Policy
  – 12. Maintain a policy that addresses information security for all personnel
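Requirement 3 above ("Protect stored cardholder data") is most often tripped by card data that leaks into application logs, so an MSP reviewing a client's environment needs a way to find it. The following Python snippet is an added example, not code from the Calyptix deck: it applies two PCI DSS v3.0 rules to constructed log lines, finding primary account numbers by length plus Luhn check and masking them to the first six and last four digits (Req. 3.3), and flagging the sensitive authentication data elements listed on the "What's the goal?" slide (track data, CVV2 and similar) because they may not be stored after authorization (Req. 3.2). The regexes, the field names and the log format are assumptions made for the demo.

```python
import re
# Added example (not from the Calyptix deck). Applies PCI DSS v3.0 Req. 3.3 (show at
# most first six / last four PAN digits) and Req. 3.2 (no stored SAD) to log text.

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout from a magnetic stripe: ;PAN=YYMM...? (assumed shape).
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
# Field names assumed to carry sensitive authentication data (SAD).
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2|cav2|cid|pin_block|track[12])\s*[=:]", re.I)

# Constructed sample log lines; 4111 1111 1111 1111 is a public test PAN.
SAMPLE_LOG = [
    "2015-06-13 10:01:02 POS01 sale approved card=4111 1111 1111 1111 amt=19.99",
    "2015-06-13 10:01:03 POS01 debug track2=;4111111111111111=2512101?",
    "2015-06-13 10:01:04 POS02 order 20150613000123456 shipped",
    "2015-06-13 10:01:05 POS02 auth retry cvv2=123 exp=12/25",
]

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> dict:
    """Find Luhn-valid PANs (masked) and SAD markers in one line; return a redacted copy."""
    result = {"pans": [], "sad": False, "redacted": line}
    if TRACK2_RE.search(line) or SAD_FIELD_RE.search(line):
        result["sad"] = True  # must not be stored after authorization
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops order numbers and timestamps
            masked = mask_pan(digits)
            result["pans"].append(masked)
            result["redacted"] = result["redacted"].replace(m.group(0), masked)
    return result

def audit_log(lines):
    """Return (index, findings) for lines that expose a PAN or contain SAD."""
    return [(i, r) for i, r in enumerate(map(scan_line, lines)) if r["pans"] or r["sad"]]
```

The Luhn check is what keeps the 17-digit order number in the third line from being reported as a card number; the redacted copy of each line is what should reach long-term log storage.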
How do I comply?
• Ask your merchant acquirer to walk you through the steps
• Small merchants typically must:
  1. Complete a self-assessment questionnaire (SAQ)
  2. Sign an attestation of compliance
  3. Send required documents to the merchant acquirer
How do I comply?
• Required documents include:
  1. Vulnerability scan results
  2. Security policy
  3. Network diagram
Vulnerability scans
• External scan of network
• Required by PCI DSS
• Results based on settings and condition of firewall
• Performed by merchant acquirer or approved vendor
  – Examples: SecurityMetrics; Trustwave
About Calyptix
Calyptix makes network security easy for small and medium networks. Our all-in-one solution, AccessEnforcer, delivers advanced protection in a simple platform. Learn more: Calyptix.com
[email protected] 704-971-8989
Calyptix Resources
• PCI DSS for IT Providers: 4 steps for compliance
  – http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/
• PCI DSS and AccessEnforcer
– http://www.calyptix.com/pci-dss-accessenforcer/
• PCI DSS: Easier and cheaper compliance with SAQs
– http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/
Additional Resources
• Requirements and Security Assessment Procedures:
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Report on Compliance Reporting Template:
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf
• Attestation of Validation:
  – https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx
• Glossary of Terms, Abbreviations, and Acronyms:
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
Additional Resources
• Understanding the SAQs for PCI DSS v3.0:
  – https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
• Self-Assessment Questionnaires:
  – A: https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
  – B: https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
  – C: https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
  – D (Merchant): https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
  – D (Service Provider): https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx