PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

Date post: 02-Jan-2016
Page 1: PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

PCI DSS Readiness
Presented By: Paul Grégoire, CISSP, QSA, PA-QSA

Page 2

PCI DSS Program Overview

• PCI Standards Council
• Payment Industry Terminology
• What Level Are We? (Levels)
• It’s Not Just IT !! Myths & Reality….
• Why Do We Need To Focus On The DSS
• PGSecure Can Help (QSA, only 1800 Certified Worldwide)

Page 3

PCI DSS Program Overview

• An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis
• Founding Brand Members
  – American Express
  – Discover Financial
  – JCB
  – MasterCard Worldwide
  – Visa Inc.

Page 4

Payment Industry Terminology

• Cardholder
  • Customer purchasing goods either as a “Card Present” or “Card Not Present” transaction
  • Receives the payment card and bills from the issuer
• Issuer
  • Bank or other organization issuing a payment card on behalf of a Payment Brand
  • Payment Brand issuing a payment card directly (Amex, Discover, JCB)
• Merchant
  • Organization accepting the payment card for payment during a purchase
• QSAC - QSA
  • QSAs are only certified and valid if working for a Qualified Security Assessor Company

Page 5

Payment Industry Terminology

• Acquirer
  • Bank or entity the merchant uses to process their payment card transactions
  • Receives authorization requests from the merchant and forwards them to the Issuer for approval
  • Provides authorization, clearing and settlement services to merchants
  • Determines and advises the Merchant Level (1-4) of all merchants
  • Acquirer is also called:
    • Merchant Bank
    • ISO

Page 6

Payment Industry Terminology

• The merchant will incur any liability that may result from non-compliance with payment brand compliance programs
• Merchants are not compliant until all requirements have been met and validated
• Acquirer is responsible for providing merchant status to the payment brands
• Acquirer is responsible for merchant compliance
  • Ensure that their merchants understand PCI DSS compliance requirements and track compliance efforts
  • Manage merchant communications
• Merchant Levels are:
  • Defined by the Payment Brand
  • Determined by the Acquirer based on transaction volume of each card brand

Page 7

Payment Industry Levels 1 to 4

| Level | Amex | Discover | JCB | MasterCard | Visa (*) |
|---|---|---|---|---|---|
| 1 | > 2.5M, or any merchant that is deemed L1 | > 6M, or any merchant that is deemed L1, or merchant required by another brand as Level 1 | > 1M, or any compromised merchant | > 6M MasterCard or Maestro transactions, or merchants that have experienced an account data compromise, or merchant required by another brand as Level 1 | > 6M (all channels), or any merchant required by another brand as Level 1 |
| 2 | 50K to 2.5M, or any merchant that is deemed L1 | 1M to 6M, or merchant required by another brand as Level 2 | < 1M annually | > 1M and < 6M MasterCard or Maestro transactions | > 1M and < 6M Visa transactions (all channels) |
| 3 | < 50K | 20K to 1M card-not-present, or merchant required by another brand as Level 3 | N/A | > 20K and < 1M combined MasterCard and Maestro e-commerce transactions | 20K to 1M Visa e-commerce transactions annually |
| 4 | N/A | All other Discover merchants | N/A | All other merchants | 20K e-commerce transactions and all other merchants processing up to 1M Visa transactions annually |

Canada - Mandatory signoff by a QSA for all SAQs

Page 8

It’s Not just IT – Myths Vs. Reality ?

Myth # 1

• Myth: PCI just does not apply to us, because…
  • We are too small, a small company or non-profit org., only do some e-commerce or POS, we outsourced “everything”…
• Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit card holder data,” no exceptions!
• The organization must be compliant, not just IT!

Page 9

It’s Not just IT – Myths Vs. Reality ?

Myth # 2

• Myth: PCI is easy: you just have to “say Yes” on the SAQ and “get scanned”
• Reality: Not exactly – you need to:
  • A) Get a scan 4 times a year and resolve the vulnerabilities found – need 4 clean scans per year.
  • B) Really do the things the questions refer to – and prove it!!
  • C) Keep doing it – forever!
  • D) SAQ signoff by a Qualified Security Assessor working for a QSAC

Page 10

It’s Not just IT – Myths Vs. Reality ?

Myth # 3

• Myth: My tools are PCI compliant, so my network and apps are too!!
• Reality: there is no such thing as “PCI compliant” tools or networks:
  • Fact – The PCI DSS applies to the organization as a whole.
  • PCI DSS combines technical AND process, policy and management issues; awareness and practices as well.
  • Example: An application may be compliant, however this is only one element of the standard in overall compliance.

Page 11

Why do we need to focus on the PCI DSS ?

Page 14

Why do we need to focus on the PCI DSS ?

Where do the attacks come from?
• Most come from foreign soil – very difficult to track and seek legal action against
• Most of all, loss of reputation is the biggest factor. “Remember the Passport incident?” – NO CHD lost, however “Web attacks” compromised many people’s personal information…

Page 15

PCI DSS It Can’t Happen To Me !!!

“Direct correlation to number of employees in a company and breach percentage.”

Page 16

PCI DSS It Can’t Happen To Me !!!

PCI Data Breach Fines and Penalties
• Stiff fines and penalties ranging from $10K - $500K per month for non-compliance
• $500K fine per credit card data compromise incident if not PCI compliant
• $100K fine if Visa is not immediately notified of a suspected data breach
• If track data or other sensitive data elements were compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as the cost of card reissuance (est. $7-$20 per card)
• Probable termination of credit card processing privileges for a period of time.

Other:
• Cost associated with brand damage and lost revenue
• Forensics assessment, incident investigation and containment
• Identity protection for impacted individuals (~$30 per person)
• IT and security remediation and enhancements
• Potential lawsuits and liability in the event that privacy data was compromised
• Cost of recertification
• Cost of Level 1 mandated assessments ($75K or more annually) until the acquirer is satisfied to move the merchant back to the true merchant level.

Page 17

Steps in the process…

• PCI Data Security Readiness Review
  Identify the major gaps and opportunities to improve your current security posture
• PCI Data Security Assessment
  A full Data Security Assessment performed in accordance with the PCI Data Security Standard and Audit Procedures
• PCI Data Security Remediation Service
  A consolidation and remediation of gaps found in your cardholder information processing environment after a PCI Security Assessment
• SAQ Consulting / Signoff
  Provide consulting services to help the client understand the intent of each requirement in the Self Assessment Questionnaire

Page 18

PCI DSS V1.2

Page 19

Why Us ?

• We have extensive experience working with government and large Canadian cities. (Nomination for Gov of Alberta Award of Excellence)
• We have locally based QSAs out of the 1800 certified worldwide.
• We have locally based PA-QSAs out of 350 certified worldwide.
• We are focused only on Security, Compliance and forensics.

Page 20

PCI DSS V1.2

Paul Grégoire, QSA, PA-QSA
Senior Security Architect | [email protected]: 204.899.6662

Questions ?

Page 21

PCI DSS V1.2 SAQ Definitions

