PCI Presentation

Transcript PCI Presentation

Evolving Challenges of PCI Compliance
Charlie Wood, PCI QSA, CRISC, CISA
Principal, The Bonadio Group
January 10, 2014
Agenda
• What is PCI?
• Evolution of PCI
• What is PCI DSS?
• Compliance
• What does this mean to me?
• Recent Breach of Target
• Q&A
Page 2
What is PCI?
The Payment Card Industry (PCI) standard is a set of
requirements designed to ensure that ALL organizations
that store, process, or transmit cardholder data do so in
a secure environment.
• The PCI Security Standards Council
Page 3
Evolution of PCI
PCI Security Standards Council was founded in 2006 by
the major card brands:
• Visa
• MasterCard
• Amex
• Discover
• JCB
Each card brand has input into the guidance provided by
the Council.
Page 4
What is PCI? (cont.)
A credit card as defined by the Council is any card that is
backed by a major card brand, including but not limited
to:
• Credit
• Debit
• HSA
• FSA
• Payroll
Page 5
Evolution of PCI (cont.)
The PCI Security Standards Council is responsible for the
oversight of the PCI Standards, which include guidance
relative to the following:
• PCI DSS
• PA-DSS
• P2PE
• PTS
Page 6
What is PCI DSS?
• Core set of best security practices
• Set of 12 requirements broken down into 6 categories,
as follows:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy
Page 7
What is PCI DSS?
• PCI DSS can include the following depending on the
organization:
    • PA-DSS
    • P2PE
    • PTS
Page 8
Common PCI Myths
• We don’t take enough cards to necessitate compliance
• We outsource card processing so we are compliant
• PCI is an IT issue
• PCI is unreasonable / difficult
• PCI compliance makes us secure
• We aren’t a target
Page 9
Compliance
• Compliance is determined based on how your organization
stores, processes, and/or transmits cardholder data across
your infrastructure
• Compliance is based on “Level” and “Type”
• Level is based on the number of transactions performed in
a 12-month period
• Type is defined by how your organization takes credit
cards
Page 10
Compliance (cont.)
Levels are based on the number of transactions. Visa defines
them as follows:
Level 1: Organizations with over 6M Visa transactions per year, OR any
organization that Visa, at its sole discretion, determines should meet the
Level 1 requirements to minimize the risk to Visa
Level 2: Organizations with 1M to 6M Visa transactions per year
Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year
Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per
year, and all other merchants (regardless of acceptance channel) processing up
to 1M Visa transactions per year
Page 11
Compliance (cont.)
Types are defined by how your organization takes
credit cards and are broken down as follows:
Type A: Card-not-present (e-commerce or mail/telephone-order) merchants, all
cardholder data functions outsourced; this would never apply to face-to-face
merchants
Type B: Imprint-only merchants with no cardholder data storage, OR stand-alone
dial-up terminal merchants with no cardholder data storage
Type C: Merchants with payment application systems connected to the Internet,
no cardholder data storage
Type C-VT: Merchants using only web-based virtual terminals, no electronic
cardholder data storage
Type D: All other merchants not included in descriptions for SAQ types A
through C above, and all service providers defined by a payment brand as
eligible to complete an SAQ
Page 12
What does this mean to me?
Based on the volume of transactions, organizations would
be required to perform the following (Visa descriptions):
Level 1:
• Annual report on compliance (“ROC”) to be completed by a Qualified Security
Assessor (“QSA”)
• Quarterly network scan by an Approved Scan Vendor (“ASV”)
• Attestation of Compliance Form
Level 2:
• Annual Self-Assessment Questionnaire (“SAQ”)
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 3:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance Form
Level 4:
• Annual SAQ recommended
• Quarterly network scan by ASV
• Compliance validation requirements set by merchant bank
Page 13
What does this mean to me? (cont.)
In English:
• Depending on what “Type” of organization you are,
you will have to address anywhere from 15 to 200+
controls
Cost
• Hardware
• Software
• Internal Resources
• External Resources
Page 14
Recent Breach of Target
What happened:
• Lost ~40 million credit and debit cards
• Theft period: November 27 – December 15
• Malware on point-of-sale terminals
    • Not detected until December 15
Page 15
Recent Breach of Target (cont.)
Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?
Costs?
• Credit score monitoring
• Fines, sanctions and lawsuits
• Reputational damage
Page 16
Q&A
Questions?
[email protected]
(585) 249-2757
Page 17