Payment Card Industry Data Security Standard - PowerPoint PPT Presentation
Provided by: Tim877
1
Payment Card Industry Data Security Standard
AAFA ISC/SCLC Fall 08
2
PCI DSS
  • What is it?
  • A set of standards developed by the major credit
    card companies as a guideline to help
    organizations that process credit cards prevent
    credit card fraud and various other security
    vulnerabilities and threats.

3
Why should I care?
  • If you process, store, or transmit payment card
    data you should be compliant (credit card
    companies expect it)
  • Non-compliant companies that process payment card
    transactions run the risk of:
    • Losing their ability to process credit card
      payments
    • Increased transaction rates
    • Audits
    • Fines
    • Or worse!

4
Why should I care?
  • Approximately 100 million credit and debit card numbers
    were stolen by computer hackers
  • 455,000 customers who returned merchandise
    without receipts had their personal data stolen,
    including driver's license numbers.
  • Thieves used this data to acquire $1 million in
    merchandise with gift cards from Wal-Mart and
    Sam's Club

AP - March 29, 2007
5
Why should I care?
Failure to comply could be costly!
  • Forrester estimate (4/15/08) - 1.35 billion
  • Facing possible class actions lawsuits from
    customers
  • Offering 3 years of free credit monitoring for
    455,000 customers
  • Compensating customers for replacing driver's
    licenses if their number is the same as their
    Social Security number
  • Lost customer confidence and trust
  • Decrease in stockholder faith
  • Loss of revenue

AP - March 29, 2007
6
Why should I care?
  • TJ Maxx not alone

Will your company be next?
7
What's required to be compliant?
  • Under the current standard (version 1.2), there
    are 12 requirements organized into 6 logically
    related groups called control objectives
  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

8
Build and Maintain a Secure Network
  • Requirement 1
  • Install and maintain a firewall configuration to
    protect cardholder data
  • Requirement 2
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters

9
Protect Cardholder Data
  • Requirement 3
  • Protect stored cardholder data
  • Requirement 4
  • Encrypt transmission of cardholder data across
    open, public networks

10
Maintain a Vulnerability Management Program
  • Requirement 5
  • Use and regularly update anti-virus software
  • Requirement 6
  • Develop and maintain secure systems and
    applications

11
Implement Strong Access Control Measures
  • Requirement 7
  • Restrict access to cardholder data by business
    need-to-know
  • Requirement 8
  • Assign a unique ID to each person with computer
    access
  • Requirement 9
  • Restrict physical access to cardholder data

12
Regularly Monitor and Test Networks
  • Requirement 10
  • Track and monitor all access to network resources
    and cardholder data
  • Requirement 11
  • Regularly test security systems and processes

13
Maintain an Information Security Policy
  • Requirement 12
  • Maintain a policy that addresses information
    security

14
Myth 1: Breaches only happen to big-box retailers
  • Fact: Small- to medium-sized merchants are highly
    vulnerable and a frequent target. Based on most
    of the news coverage, security breaches may seem
    to happen only to huge corporations, such as in the
    TJX security breach. But in reality, cardholder
    data compromises affect small online store owners
    far more frequently. Why? Because the sheer
    number of them (according to Visa, more than 6
    million) makes them a more frequent target. Also,
    they are typically the least sophisticated
    technologically, making them an easier target for
    hackers and carders.

15
Myth 2: PCI compliant merchants cannot be
breached.
  • Fact: While it is a critical step, PCI DSS
    compliance is only a periodic measurement at a
    point in time, not a guarantee. Just ask
    Hannaford Brothers groceries if PCI compliant
    merchants can't be breached. They were thought to
    be PCI compliant, but were still affected by a
    very public breach. There's a danger that
    organizations can develop tunnel vision dealing
    with PCI at the expense of building a sound
    security program. Companies should develop a
    consistently high security posture, and in doing
    so, they will achieve PCI compliance. Any system
    involving people is vulnerable, either from
    accidental error or intentional acts of theft.

16
Myth 3: E-commerce merchants that use PCI
compliant shopping carts or payment gateways are
by default PCI compliant.
  • Fact: This may be the case, but PCI guidelines
    cover not only data security but also
    physical security and the existence of written
    security policies. Once a year, regardless of how
    the merchant handles card data, every merchant is
    required to complete a Self-Assessment
    Questionnaire (SAQ), to complete the relevant
    Attestation of Compliance and, in most cases, to
    submit the SAQ and the Attestation of Compliance
    to their acquirer. While it is important that
    terminals, gateways and shopping carts are
    compliant, that doesn't guarantee that merchants
    are secure from a physical standpoint or that
    they have employee training programs or security
    policies in place. SAQ A was specifically
    developed for merchants who outsource to a secure
    terminal.

17
Myth 4: PCI compliance is too expensive.
  • Fact: Non-compliance can be very expensive, if not
    catastrophic. Non-compliance doesn't just result
    in costs associated with fines, credit card
    replacement and audit fees, but also in loss of
    business reputation and revenue. In fact, a recent
    study stated that 70 percent of the cost of
    non-compliance was loss of revenue. This is
    significant for big companies that are crucified
    in the press, but may be catastrophic for small
    vendors, putting them out of business.

18
Myth 5: PCI compliance is getting easier.
  • Fact: The PCI Security Standards Council is
    working hard to clarify and simplify the
    standard. For example, in October 2008, the
    Council released version 1.2 of the
    Self-Assessment Questionnaire (SAQ), which now
    consists of four versions of the SAQ instead of
    the previous one-size-fits-all approach. While
    the attempt to segment merchants by validation
    type is a big step forward, it still presents
    confusion among many small merchants who are
    unclear on which SAQ they should complete. For
    small merchants in particular, protecting
    cardholder data and maintaining a secure environment
    remains a complex endeavor.