PCI-DSS - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
PCI-DSS
  • Erin Benedictson
  • Information Security Analyst
  • AAA Oregon/Idaho

2
What is PCI-DSS?
  • PCI-DSS stands for Payment Card Industry Data
    Security Standard
  • This is commonly called PCI
  • The standard is maintained by the PCI Security
    Standards Council, founded by American Express,
    Discover Financial Services, JCB International,
    MasterCard Worldwide and Visa Inc.

3
Who Must Comply with PCI?
  • All merchants, whether small or large, need to be
    PCI compliant. The payment brands have
    collectively adopted PCI DSS as the requirement
    for any organization that processes, stores or
    transmits cardholder data.

4
History of PCI
  • PCI DSS was created in order to make compliance
    simpler
  • Up until 2004 each card brand had its own data
    security program, so there were 4 different
    standards to follow:
  • CISP (Visa)
  • SDP (MasterCard)
  • DISC (Discover)
  • DSOP (American Express)

5
History of PCI
  • Each card brand had its own standard, and the
    requirements differed (encryption strength, etc.)
  • In December 2004 the brands aligned these programs
    under a single standard, PCI DSS 1.0; the PCI
    Security Standards Council was formed in 2006 to
    maintain it
  • Level 1 merchants were required to be compliant
    by Dec. 31, 2007
  • Level 2-4 merchants were required to be compliant
    by June 30, 2007

6
Different Levels of PCI
  • Level 1 - Any merchant processing over 6,000,000
    transactions annually, or any merchant that has
    suffered a breach
  • Level 2 - Any merchant processing 1,000,000 to
    6,000,000 transactions annually
  • Level 3 - Any merchant processing 20,000 to
    1,000,000 e-commerce transactions annually
  • Level 4 - Any merchant processing under 20,000
    e-commerce transactions annually, and all other
    merchants processing up to 1,000,000 transactions
    annually

7
Different Merchant Level Requirements
  • Level 1 - Requires a yearly onsite assessment by
    a PCI-approved Qualified Security Assessor (QSA),
    documented in a Report on Compliance, plus yearly
    penetration tests and quarterly network scans by
    an Approved Scanning Vendor (ASV)
  • Level 2 and 3 - Requires merchants to complete a
    yearly Self-Assessment Questionnaire (SAQ) and
    quarterly network scans by an ASV
  • Level 4 - The yearly SAQ and quarterly ASV scans
    are recommended; the validation requirements are
    set by the merchant's acquiring bank
  • All levels are required to be PCI compliant; the
    level only changes how compliance is validated

8
Non Compliant Risk and Consequences
  • Visa (regardless of merchant level)
  • 1st violation: up to 50,000 USD per rolling
    12-month period
  • 2nd violation: up to 100,000 USD per rolling
    12-month period
  • 3rd violation: at Visa's discretion, refusal of
    future transactions until the merchant is
    compliant

9
Non Compliant Risk and Consequences
  • MasterCard
  • Level 1 - Up to 25,000 USD annual fee per merchant
  • Level 2 - Up to 5,000 USD annual fee per merchant
  • Level 3 - Up to 5,000 USD annual fee per merchant

10
12 Main Parts of PCI (the 12 Requirements)
  • 1. Install and maintain a firewall configuration
    to protect cardholder data
  • 2. Do not use vendor-supplied defaults for
    passwords and other security parameters
  • 3. Protect stored cardholder data
  • 4. Encrypt transmission of cardholder data across
    open, public networks

11
12 Main Parts of PCI
  • 5. Use and regularly update antivirus software
  • 6. Develop and maintain secure systems and
    applications
  • 7. Restrict access to cardholder data by business
    need-to-know
  • 8. Assign a unique ID to each person with computer
    access

12
12 Main Parts of PCI
  • 9. Restrict physical access to cardholder data
  • 10. Track and monitor all access to network
    resources and cardholder data
  • 11. Regularly test security systems and processes
  • 12. Maintain a policy that addresses information
    security

13
Breach Risk and Consequences
  • Reputation Risk
  • What will the impact be on your company's brand?
  • Mandatory involvement of federal law enforcement
    in the investigation
  • Financial Risk
  • Merchant banks may pass on substantial fines
  • Up to $500,000 per incident from Visa alone
  • $20 - $90 fine per credit card number that COULD
    have been exposed or compromised
  • Civil liability and the cost of providing ID theft
    protection
  • Average cost of a security breach is $5,000,000

14
Breach Risk and Consequences
  • Compliance Risk
  • Exposure to Level 1 validation requirements
  • Operational Risk
  • Visa-imposed operational restrictions
  • Potential loss of card processing privileges

15
AAA Oregon/Idaho
  • Reached level 1 PCI-DSS compliance in January
    2008
  • The compliance process took about 9 months of
    planning to reach level 1 status
  • AAA Oregon/Idaho's PCI requirement is level 3.

16
AAA Oregon/Idaho
  • In June 2007 AAA Oregon/Idaho was level 3
    compliant.
  • Interpretation of the compliance requirements
    differed between AAA Oregon/Idaho and our PCI QSA
  • The cost to become level 1 was under $30,000.
    This includes contractors and equipment purchases
  • The cost to remain PCI compliant on a yearly
    basis is roughly $15,000; this includes the yearly
    audit, Report on Compliance (ROC) and monthly scans

17
The Storage of Unencrypted Credit Card Numbers
  • PCI Requirement 3 (Protect stored cardholder data)
  • Requirement 3 requires stored primary account
    numbers (PANs) to be rendered unreadable wherever
    they are kept (strong encryption, truncation,
    one-way hashing or index tokens), with the
    encryption keys protected and stored separately
    from the data; a displayed PAN must be masked to
    at most the first six and last four digits
  • Where full card numbers must be held, access to
    them needs two factors of authentication and the
    system holding them needs to sit in a separate
    network segment (DMZ)
  • Card numbers must be masked within databases
  • Responsibility falls on the merchant to keep the
    information safe, even if it is given to you in an
    unsecured fashion
  • Requirement 3 is the main reason companies fail
    their PCI-DSS assessment

18
Data Flow
  • Data is sent from the merchant through Apollo over
    an encrypted connection (128-bit SSL)
  • A MIR file is sent to the Galileo Print Manager
    that resides at the merchant; the file arrives
    encrypted and is then decrypted
  • The MIR file then lands in a repository as an
    unencrypted plain-text file (this file contains
    full credit card numbers), waiting to be processed
    into the merchant's GlobalWare database
  • Credit card numbers are masked only once they have
    been processed into GlobalWare
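The plain-text MIR repository in the flow above is exactly where Requirement 3 bites: full PANs sit in a file until GlobalWare masks them. The scanner below is an added example written for this page, not code from the presentation, from Galileo or from GlobalWare. It finds card-number candidates in constructed sample records, confirms each with the Luhn check digit so invoice numbers and record IDs are not flagged, reports hits in masked form, and rewrites the text to the first-six/last-four mask that Requirement 3.3 allows. The record layout and the card numbers are assumptions made for the example (the numbers are published test numbers, not real accounts), not the real MIR format.

```python
"""Added example (not from the original presentation or from Galileo /
GlobalWare): find unmasked primary account numbers (PANs) in plain-text
records such as the MIR files described above, confirm each candidate with
the Luhn check digit, and mask them to first six / last four digits
(the PCI DSS 3.3 display rule). The record layout and the card numbers
below are constructed for this example; the numbers are published test
numbers, not real accounts."""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (avoids long record IDs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (assumed layout, not the real MIR format).
SAMPLE_RECORDS = [
    "PNR ABC123 PAX SMITH/JOHN FOP CC VI 4111111111111111 EXP 1209",
    "PNR DEF456 PAX DOE/JANE  FOP CC MC 5555-5555-5555-4444 EXP 0310",
    "PNR GHI789 PAX LEE/ANN   FOP CC AX 3782 822463 10005 EXP 1110",
    "PNR JKL012 PAX ROY/MAX   INVOICE 1234567890123456 (not a card)",
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(match_text: str) -> str:
    """Strip the separators the regex allowed."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in text."""
    return [
        _digits_of(m.group())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits_of(m.group()))
    ]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_text(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN replaced by its masked form;
    digit runs that fail Luhn (invoice numbers, IDs) are left untouched."""
    def repl(m: re.Match) -> str:
        digits = _digits_of(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for each hit, so the report itself
    never carries a full card number into logs or tickets."""
    return [
        (n, mask_pan(pan))
        for n, line in enumerate(records, start=1)
        for pan in find_pans(line)
    ]


if __name__ == "__main__":
    for line_no, masked in scan_records(SAMPLE_RECORDS):
        print(f"line {line_no}: unmasked PAN found -> {masked}")
    print("--- masked copy ---")
    for line in SAMPLE_RECORDS:
        print(mask_text(line))
```

Run against a real repository, a scan like this tells you whether the "processed then masked" promise actually holds, and how long full PANs linger on disk before it does; the Luhn check cuts false positives but does not prove a number is live, so every hit still has to be treated as cardholder data.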

19
What We Did
  • We placed our GlobalWare server in a DMZ
  • We configured the Galileo Print Manager to place
    the MIR repository destination in the DMZ on the
    GlobalWare server

20
What We Did
  • 1- We limited access to the GlobalWare server
    inside the DMZ to specific computers
  • 2- We limited access to the GlobalWare server to
    specific users within Windows Active Directory
  • 3- We use PGP (encryption software) to create a
    Virtual Encrypted Disk. This requires an AES
    256-bit key, but the key cannot be stored locally
    on the server

21
What We Did
  • 4- This encrypted disk shows up as a shared drive
    and is left open so MIRs can be added and removed
    during processing into the database
  • The PGP Virtual Encrypted Disk would be
    unreadable to anyone without the encryption key,
    even if someone stole the physical server

22
Other Options
  • There are other options to achieve the PCI
    Requirement 3 controls; this is just one of the
    options we could have used
  • Full Disk Encryption is an option (meaning the
    entire server's disk is encrypted) in order to
    keep MIR files safe. Many companies like IBM have
    this built into their new servers, which does not
    require the use of PGP.

23
Verizon Business 2008 Data Breach Report
  • Breaches by company size (share of breaches)
  • 2%  - 1-10 employees
  • 30% - 11-100 employees
  • 22% - 101-1,000 employees
  • 26% - 1,001-10,000 employees
  • 14% - 10,001-100,000 employees
  • 6%  - 100,001+ employees

24
Verizon Business 2008 Data Breach Report
  • 84% of all data breaches targeted credit card
    data
  • 70% of all breaches are discovered by a 3rd party
    (i.e. the cardholder's bank)
  • 82% of all breaches involve online data

25
Some Common PCI Myths
  • One vendor and product will make us compliant
  • Outsourcing card processing makes us compliant
  • PCI compliance is an IT project
  • PCI will make us secure
  • PCI requires us to hire a QSA

26
Some Common PCI Myths
  • PCI is unreasonable and it requires too much
  • We don't take enough credit cards to have to be
    compliant
  • We completed a SAQ so we're compliant
  • PCI makes us store cardholder data
  • PCI is too hard

27
QUESTIONS?