Page 1: The PCI Half-Dozen

All Contents © 2007 Burton Group. All rights reserved.

Burton Group Take 5!
The PCI Half-Dozen: 6 Recommendations for PCI Compliance
Diana Kelley, VP & Service Director
March, 2007

Page 2: The PCI Half-Dozen

The PCI Half-Dozen

It’s 5pm – do you know where your credit card numbers are?

• “BJ'S Wholesale Club Settles FTC Charges”
  • ~Thousands of credit and debit card numbers
  • http://www.ftc.gov/opa/2005/06/bjswholesale.htm

• “Customer Data Breach Began in 2005, TJX Says”
  • ~card numbers impacted? – still investigating
  • http://www.washingtonpost.com/wp-yn/content/article/2007/02/21/AR2007022102039_pf.html

• “CardSystems' Data Left Unsecured”
  • ~40 million card numbers impacted
  • http://www.wired.com/news/technology/0,1282,67980,00.html


Page 3: The PCI Half-Dozen


The PCI Half-Dozen

Data element                     Storage permitted   Protection required        PCI DSS Requirement 3.4

Cardholder data
  PAN                            Yes                 Yes                        Yes
  Cardholder name                Yes                 Yes                        No
  Service code                   Yes                 Yes                        No
  Expiration date                Yes                 Yes                        No

Sensitive authentication data
  Full magnetic stripe           No                  N/A—Storage not allowed    N/A—Storage not allowed
  CVC2/CVV2/CID                  No                  N/A—Storage not allowed    N/A—Storage not allowed
  PIN/PIN block                  No                  N/A—Storage not allowed    N/A—Storage not allowed

Covered Data Elements (Data Source: PCI DSS Version 1.1, September 2006)

Page 4: The PCI Half-Dozen


1. Get the Facts

• Go to the source – the PCI Data Security Standard and the PCI DSS Security Audit Procedures
• Self assess – uncover and remediate gaps in advance

2. Segment the Scope

• PCI DSS applies to the cardholder data environment
• Reduce scope through zoning and segmentation

3. Don’t Store What You Don’t Need

• No Track II/Sensitive Auth Data!
• But do you need the Cardholder data at all?
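The data-element table on page 3 and recommendation 3 above describe the same storage rule: sensitive authentication data (full magnetic stripe/Track II, CVC2/CVV2/CID, PIN block) is never stored, and the PAN, if it must be kept, is rendered unreadable under Requirement 3.4. The following Python is an added illustration of that rule applied to a single transaction record; it is not code from the presentation or from Burton Group. The field names, the sample record (built around the well-known 4111111111111111 test number, not a real account) and the HMAC key are constructed for the example; truncation to first six/last four digits and a keyed SHA-256 hash are two of the protection methods the standard lists, chosen here for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict

# Sensitive authentication data (SAD), per the PCI DSS v1.1 table: storage is
# not allowed, so these keys are dropped unconditionally. Field names are
# assumptions for this example, not names from the standard.
SENSITIVE_AUTH_FIELDS = frozenset(
    ("track2", "full_magnetic_stripe", "cvv2", "cvc2", "cid", "pin", "pin_block")
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (sanity check before storing)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits; mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed SHA-256 of the PAN: a stable token for the same card that does not reveal the PAN.
    The key must be managed separately from the stored tokens."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_record(record: Dict[str, str], hmac_key: bytes) -> Dict[str, str]:
    """Apply the storage rules to one record before it is written anywhere:
    - SAD fields are removed (storage not permitted);
    - the clear PAN is replaced by a truncated form plus a keyed hash (Requirement 3.4);
    - name, expiration date and service code are kept (storage permitted)."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS:
            continue
        if key == "pan":
            digits = re.sub(r"\D", "", value)
            if not luhn_valid(digits):
                raise ValueError("PAN failed Luhn check; refusing to store")
            out["pan_truncated"] = truncate_pan(digits)
            out["pan_token"] = hash_pan(digits, hmac_key)
            continue
        out[key] = value
    return out


# Constructed sample record for the example (not real cardholder data).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Cardholder",
    "expiration_date": "12/09",
    "service_code": "201",
    "track2": "4111111111111111=09122010000000000000",
    "cvv2": "123",
    "pin_block": "ABCDEF0123456789",
}

if __name__ == "__main__":
    # Demo key only; a real deployment stores the HMAC key outside the data store.
    print(sanitize_record(SAMPLE_RECORD, b"demo-key-not-for-production"))
```

Running the block prints a record with no track2, cvv2 or pin_block keys and the PAN replaced by `411111******1111` plus a 64-hex-character token. The point of the Luhn check is only to reject obviously malformed input before it is persisted; it says nothing about whether the account is live.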

The PCI Half-Dozen

Page 5: The PCI Half-Dozen

The PCI Half-Dozen

4. Be Prepared and Be a Partner

• Work with Qualified Security Assessors (QSA) or in-house assessors
• Agree on the scope up-front
• Prepare supporting documentation – including for compensating controls
• Build remediation plans – and follow them

5. Get Involved

• Changes were made between v1.0 and v1.1 in part due to feedback
• Merchants and Payment Service Providers can become “Participating Organizations” of the SSC

6. Build a Compliance Program

• Compliance is about more than PCI
• Take a long-view approach to compliance as a whole


Page 6: The PCI Half-Dozen


Thank you!

For more information:

• Burton Group Security and Risk Management Strategies Overview – “What and Why PCI? Inside the Payment Card Industry Data Security Standards,” http://www.burtongroup.com/content/doc.aspx?cid=1001
• The PCI Security Standards Council, http://www.pcisecuritystandards.org
• Payment Card Industry (PCI) Data Security Standard, Version 1.1, https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
• PCI DSS Security Audit Procedures, https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
