Page 1: Title

PCI DSS Version 3.0 For Controllers and Business Users

Luke Harris, Office of the State Controller

David Reavis, UNC General Administration

November 10, 2014

DRAFT

Page 2

• Not intended to:
– Educate you on what PCI is
• The standard has been in effect since 2005
• Information is available on the PCI Council’s website
– Scare you into becoming PCI compliant
• Target and Home Depot are sufficient examples
• Potential fines and loss of employment are sufficient motivation

• Intended to focus on the responsibilities of the business office (Campus Controller)

Page 3: Whose Responsibility is PCI?

• PCI is a business problem, primarily with an IT solution
– Vulnerability scanning, penetration testing
– Firewalls, encryption, software updates, etc.
– The business office should be familiar with the various IT requirements

• However, some elements require business office (campus controller) involvement
– Ensuring and monitoring service providers’ compliance
– Physical protection of capture devices and cardholder data
– Employee awareness training and attestation
– Security Incident Response Plan and its annual testing

• Coordination between IT and business staff is critical

Page 4: What’s New – 3.0

• Business-as-usual theme: emphasis on being security aware on a continuous basis, not just once per year
• Clarification of some requirements, with added sub-requirements
• Required penetration testing, in addition to vulnerability scanning
• Physical protection of card capture devices
• Eight SAQs instead of four
• Version 3.0 assessment document:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Page 5: Penetration Testing vs. Scanning

• Requires quarterly external vulnerability scanning of external IP addresses by an ASV (Approved Scanning Vendor), Req. 11.2.2
• Requires quarterly internal vulnerability scanning (Req. 11.2.1), which may be performed by qualified internal staff
• After the first year, four consecutive quarters of passing vulnerability scans must have occurred to be considered compliant
• Effective July 2015, requirement 11.3 makes a documented penetration testing methodology mandatory, including annual external (11.3.1) and internal (11.3.2) penetration tests; where network segmentation is used to reduce scope, 11.3.4 additionally requires at least annual penetration tests to validate that the segmentation methods are “operational and effective.” Penetration testing goes beyond automated scanning: a tester actively attempts to bypass security controls the way an attacker would.
• The business office should ask IT whether vulnerability scanning and penetration testing are required and whether they are being performed.

Page 6: Physical Protection of Devices

• 9.9. Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
– New requirement, effective July 2015 (a best practice until June 30, 2015)
– Applies to card-reading devices (swipe or dip) used for card-present transactions, i.e., POS terminals
– Required for card-reading devices; the standard does not extend it to manual key-entry components such as computer keyboards and POS keypads, but covering those devices as well is recommended

Page 7: Protection of Devices – Cont.

• 9.9.1. Maintain an up-to-date list of devices (make and model, location, and serial number or other unique identifier)
• 9.9.2. Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device); the inspection frequency is set by the merchant based on its own risk assessment
• 9.9.3. Provide training for personnel to be aware of attempted tampering or replacement of devices
– Verify the identity of any third-party persons claiming to be repair or maintenance personnel before granting them access to a device
– Do not install, replace, or return devices without verification
– Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)
– Report suspicious behavior and indications of device tampering or substitution to the appropriate personnel
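Requirements 9.9.1 and 9.9.2 together describe a check that can be automated once the device list exists: compare what the inspector actually reads off each device with the inventory, and flag any device whose serial number differs (substitution), shows tamper signs, is not on the list at all, or was skipped for too long. The Python script below is an added example, not code from the presentation, OSC, or the PCI Council; the inventory entries, observations, dates, and the 30-day inspection interval are constructed illustrations (the standard leaves the inspection frequency to the entity’s own risk assessment).

```python
"""Reconcile a device inspection (PCI DSS 9.9.2) against the device
inventory (PCI DSS 9.9.1) and report substitution, tampering, unknown
devices and overdue inspections.

Added example for this presentation; every device, serial number and
date below is constructed, not real campus data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    """One 9.9.1 inventory entry: make/model, location, unique identifier."""
    device_id: str   # asset tag used by the business office
    make_model: str
    location: str
    serial: str      # serial number printed on the device


@dataclass(frozen=True)
class Observation:
    """What an inspector records for one device during a 9.9.2 inspection."""
    device_id: str
    serial_seen: str            # serial read off the device itself
    tamper_signs: bool = False  # broken seals, overlays, loose housing, extra cables


def normalize_serial(serial: str) -> str:
    """Serials are transcribed by hand: ignore case and stray whitespace."""
    return "".join(serial.split()).upper()


def reconcile(inventory, observations, last_inspected, today, max_interval_days):
    """Compare one inspection round with the inventory.

    Returns a dict with four lists:
      substituted - (device_id, expected serial, serial seen) where they differ
      tampered    - device_ids with physical tamper indications
      unknown     - device_ids observed but absent from the inventory
      overdue     - inventoried devices not seen this round whose last
                    inspection is older than max_interval_days (or never done)
    """
    by_id = {d.device_id: d for d in inventory}
    findings = {"substituted": [], "tampered": [], "unknown": [], "overdue": []}
    seen = set()

    for obs in observations:
        device = by_id.get(obs.device_id)
        if device is None:
            findings["unknown"].append(obs.device_id)
            continue
        seen.add(obs.device_id)
        if normalize_serial(obs.serial_seen) != normalize_serial(device.serial):
            findings["substituted"].append((obs.device_id, device.serial, obs.serial_seen))
        if obs.tamper_signs:
            findings["tampered"].append(obs.device_id)

    for device_id in by_id:
        if device_id in seen:
            continue
        last = last_inspected.get(device_id)
        if last is None or (today - last).days > max_interval_days:
            findings["overdue"].append(device_id)

    return findings


# Constructed sample data (not real devices).
INVENTORY = [
    Device("POS-001", "Reader model X", "Bookstore register 1", "SN-A1B2C3"),
    Device("POS-002", "Reader model X", "Bookstore register 2", "SN-D4E5F6"),
    Device("POS-003", "Reader model Y", "Dining hall cashier", "SN-G7H8I9"),
    Device("POS-004", "Reader model Y", "Parking office", "SN-J0K1L2"),
]

OBSERVATIONS = [
    Observation("POS-001", "sn-a1b2c3"),                     # matches once normalized
    Observation("POS-002", "SN-ZZ9999"),                     # a different unit is in place
    Observation("POS-003", "SN-G7H8I9", tamper_signs=True),  # seal broken
    Observation("POS-099", "SN-Q5R6S7"),                     # not on the list at all
]

LAST_INSPECTED = {"POS-004": date(2014, 9, 1)}  # POS-004 was skipped this round


def run_demo():
    """Run the reconciliation over the constructed sample and return the findings."""
    return reconcile(INVENTORY, OBSERVATIONS, LAST_INSPECTED,
                     today=date(2014, 11, 10), max_interval_days=30)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items}")
```

Each non-empty list is an item for the incident process on the later slides: a substituted or tampered device should be taken out of service and reported rather than simply re-inventoried, and an unknown device on the floor is a substitution until proven otherwise.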

Page 8: Service Providers

• 12.8. Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
– 12.8.1. Maintain a list of service providers.
– 12.8.2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Page 9: Service Providers – cont’d

• 12.8.3. Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement
• 12.8.4. Maintain a program to monitor service providers’ PCI DSS compliance status at least annually
• 12.8.5. Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity

Page 10: Security Incident Plan

• The criticism of Target after its breach was the failure to respond in a timely manner
• 12.10.1. Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: (edited for the business office)
– Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands…
– Analysis of legal requirements for reporting compromises
– Reference or inclusion of incident response procedures from the payment brands
• 12.10.2. Test the plan at least annually

Page 11: OSC’s Policy for Incidents

• Notify OSC immediately (within 24 hours)
• OSC will coordinate notification to the card processor and the card brands
• Applicability of the NC Identity Theft Act is to be considered
• The campus’s legal counsel is to be involved
• OSC will advise on the timing of any press releases

http://www.osc.nc.gov/policy/EC/500.10_Merchant_Cards_Security_Incident_Plan.pdf

Page 12

SAQ selection by payment channel (* = cardholder data is not stored; # = vulnerability scanning required)

Face-to-Face and MOTO Only
– B: POS analog, not connected to IP *
– B-IP: POS connected to IP * #
– C-VT: Virtual terminal over IP, dedicated or segmented, and keyed only * #
– C: POS software connected to IP, dedicated or segmented * #
– P2PE-HW: POS hardware managed with Point-to-Point Encryption *
– D: Cardholder data is stored #

eCommerce Only
– A: Card-not-present, fully outsourced *
– A-EP: Outsourced, but website redirect can impact security of payment * #
– D: Cardholder data is either processed, transmitted, or stored #

Combination of Face-to-Face and eCommerce
– D: All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #

Page 13: SAQ A vs. SAQ A-EP

• SAQ A and SAQ A-EP are for merchants that use eCommerce channels only (no face-to-face)
• The initial interpretation of the standard was that a website that “redirects” to a payment gateway must complete SAQ A-EP, which requires vulnerability scanning.
• The May 2014 guidance document, however, clarifies that a merchant using a “URL redirect” (e.g., TouchNet) can still use SAQ A, provided cardholder data is not entered on the merchant’s website. The deciding factor in that guidance is whether the merchant’s website delivers any element of the payment page: a full-page redirect or an iframe served entirely by a PCI DSS validated third party qualifies for SAQ A, while a merchant page that delivers part of the payment form itself (for example a direct-post form or JavaScript that sends card data to the gateway) falls under SAQ A-EP even though the merchant never stores cardholder data.
• However, if the merchant also has face-to-face applications in addition to eCommerce, SAQ D applies anyway

Page 14: Impact of New SAQs

• Under 3.0, the SAQ required is determined by payment channel:
– eCommerce channel only
– Face-to-face and MOTO only
– Combination of eCommerce and face-to-face
• Some campuses currently use SAQ D and will continue to do so
• Most campuses currently using A, B, and C will now have to use SAQ D, since they are a combination of channels
• SAQ D should not scare you, as it has a column for N/A

Page 15: New Validation Portal

• The appropriate SAQ will still be answered at the doing-business-as (DBA) level or chain level
• OSC is in the middle of the RFP process and bids are currently being evaluated.
• Communication will be sent out to participants once an award is finalized.

Page 16: Contact Information

David Reavis

Office of Compliance and Audit Services

UNC General Administration

140 Friday Center Drive

Chapel Hill, NC  27517

Cell: 919-801-9417

Email: [email protected]

Luke Harris

Statewide Accounting

North Carolina Office of the State Controller

1410 Mail Service Center

Raleigh, NC  27699-1410

Phone: 919-707-0667

Email: [email protected]

