The State of the Web SLCoLibrary.org
Colleen Medling
SLCO Library Services
March 17, 2011
I am not a Qualified Security Assessor (QSA)
I am not a lawyer
I am a librarian (and System Administrator)
SLCo Library Services Division
PCI Security Standards
Payment Card Industry standards and procedures created to optimize the security of credit/debit card data.
PCI Security Standards Council – Independent organization that develops, manages, educates, and creates awareness of the PCI Security Standards
All five major payment brands – American Express, Discover, MasterCard, Visa and JCB – have agreed to incorporate these requirements into their data security compliance programs
PCI Compliance
Not a law (yet)
BUT! Failure to comply can result in
Loss of reputation
Loss of trust
Significant fines
Lose ability to take credit card payments
Many government entities now require their organizations to comply
Merchant Levels
Level 1 – Merchants processing over 6 million transactions annually
•Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA")
•Quarterly network scan by an Approved Scanning Vendor ("ASV")
•Attestation of Compliance Form
Level 2 – Merchants processing 1 million to 6 million transactions annually
•Annual Self-Assessment Questionnaire ("SAQ")
•Quarterly network scan by ASV
•Attestation of Compliance Form
Level 3 – Merchants processing 20,000 to 1 million e-commerce transactions annually
•Annual SAQ
•Quarterly network scan by ASV
•Attestation of Compliance Form
Level 4 – Merchants processing less than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
•Annual SAQ recommended
•Quarterly network scan by ASV if applicable
Self-Assessment Questionnaire (SAQ)
This is a tool that allows entities to validate their compliance with the PCI Standards.
Filling out an SAQ does not necessarily make you compliant.
There are five separate SAQ types, with increasingly complex requirements based on the number of transactions and on how credit card data is held and processed.
Even if you use a PCI-compliant application, YOU still need to complete an SAQ.
» SAQ A – 13 requirements
˃ Only to be used for "Card Not Present" entities
˃ E-commerce or Mail Order/Telephone Order merchants
˃ Does not store or transmit cardholder data on their systems
˃ Requirements
+ Must restrict access to cardholder data
– Paper receipts must be kept under lock & key
– Destroyed properly
+ Maintain an Information Security Policy
– Policies and procedures to manage service providers
» SAQ B – 29 requirements
˃ Entities use imprint machines or dial-up standalone terminals
˃ No cardholder data is stored electronically
˃ Does not store or transmit cardholder data over their network or the Internet
˃ In addition to the SAQ A requirements:
+ Protect stored cardholder data
– May not store magnetic stripe data
+ Restrict cardholder data on a need-to-know basis
» SAQ C-VT (virtual terminals) – 51 requirements
˃ New type of SAQ introduced in 2010
˃ Used for web-based virtual terminals
˃ Cardholder data is manually entered; data is not read directly from the card
˃ Virtual terminal is provided by a third-party PCI DSS validated company
˃ In addition to the SAQ A and SAQ B requirements:
+ Must have a firewall
+ Do not use vendor-supplied passwords
+ Protect stored cardholder data
+ Encrypt transmission of cardholder data
+ Use anti-virus software and log the results
+ Develop and maintain secure systems
– This includes any wireless networks you may have
» SAQ C – 80 requirements
˃ Point of Sale (POS) is connected to the Internet
˃ Payment application is not connected to other systems (can be done via network segmentation)
˃ LAN is not connected to any other location
˃ No sensitive cardholder data is stored electronically
˃ In addition to SAQ A, SAQ B and SAQ C-VT:
+ Quarterly network scans
» SAQ D – 288 requirements
˃ All other merchants who do not fit under the previous categories
˃ Merchant stores cardholder data electronically
˃ Extremely difficult and costly to attain
˃ In addition to SAQ A, SAQ B and the SAQ C's:
+ More requirements for each category
» Scope – determine what components are governed
» Assess – examine current compliance level
» Report
» Compensating Controls – QSA validates alternative technologies or processes
» Find a Qualified Security Assessor
˃ There may be one in your organization already
˃ List available at https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
» QSA
˃ Offers support and suggestions
˃ Verifies technical information
˃ Evaluates compensating controls
˃ Samples systems involved in the scope of the work
˃ Produces the final report
» Choose an Approved Scanning Vendor (ASV)
˃ Scans the network for external vulnerabilities
˃ List can be found at https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
˃ SLCO uses CoalFire's Navis system
» Never, ever store sensitive cardholder data
+ Magnetic stripe data
+ Primary Account Number (PAN)
+ If you have to store the data
– Get rid of it as soon as possible
» Segment your network
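The slide above says never to store magnetic stripe data or the PAN. The practical follow-up is checking that neither has leaked into logs, database exports or backups. The following is an added example, not code from the presentation or from SLCo Library, Comprise Technologies or RackSpace: a small Python scanner that finds Luhn-valid card numbers and ISO 7813 track 2 records in text and masks them to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log lines are constructed for the example, and the field names (card=, patron=, receipt=) are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). Line 1 leaks a PAN with
# spaces, line 2 leaks a full track 2 record from a swipe, line 3 contains only
# look-alikes (a phone number, a receipt number, a 16-digit patron id) that a
# naive "16 digits in a row" regex would flag.
SAMPLE_LOG = """\
2011-03-17 09:12:01 fines-web INFO payment ok card=4111 1111 1111 1111 amount=7.50 patron=1234567890123456
2011-03-17 09:12:44 fines-web DEBUG raw swipe ;5555555555554444=1412101? terminal=3
2011-03-17 09:13:10 fines-web INFO payment ok token=tok_8f3a amount=3.00 phone=801-555-0123 receipt=20110317091310
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 2: start sentinel ';', PAN, field separator '=', expiry YYMM, ..., end sentinel '?'.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; weeds out most digit-string look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits may be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, masked_value) for every track 2 record and Luhn-valid PAN."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2.finditer(line):
            hits.append((lineno, "track2", mask_pan(m.group(1))))
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, "pan", mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN with its masked form, so a log can be kept without cardholder data."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for lineno, kind, masked in find_cardholder_data(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {masked}")
    print(redact(SAMPLE_LOG))
```

Run it over exported application logs, database dumps and backup files, not just the web server log, since the slide's point is that cardholder data has a way of ending up wherever it is not expected. A Luhn-valid hit is a lead, not proof (a 16-digit internal id can pass Luhn by chance), so investigate each one; a track 2 hit, on the other hand, is magnetic stripe data and must be removed outright, masked or not.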
» Utahgovpay
˃ Would need to develop an interface with our library database
˃ Charges $0.75 per transaction regardless of amount
˃ 50% of our transactions are under $10.00
» PayPal
˃ Would have to develop an interface
˃ Fee per transaction
˃ Would have to host the system internally
» Comprise Technologies
˃ Currently used for internal credit card transactions
˃ Understands the specialized library protocol
˃ Online system required us to store cardholder data and the Primary Account Number (PAN)
˃ Higher level of PCI compliance required
» Another option – PCI compliant web-hosting facility
˃ Cardholder data would not be stored on our network
˃ Already PCI SAQ D compliant
˃ Lowers the Library's level of compliance to SAQ C
˃ Hosted solution is an annual subscription – NO per-transaction fee
˃ Beta tested the new service for Comprise Technologies
+ RackSpace hosting facility
» We host the entry form only – no cardholder
data
» Rest of the application resides on RackSpace
» Over $142,000 collected since July 2010
» 79% SAQ C compliant
» Questions?
» Additional Resources
˃ Data Security Standard Requirements for Security Assessment Procedures – https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc
˃ PCI Forms – https://www.pcisecuritystandards.org/docs/
˃ PCI Security Standards Council Quick Reference Guide – https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
˃ CISP list of PCI DSS compliant service providers – http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-serviceproviders.pdf
˃ PCI SSC's list of Qualified Security Assessors (QSAs) – https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
˃ Approved Scanning Vendors – https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
˃ Navigating PCI DSS: understanding the intent of the requirements – https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
˃ PCI Security Standards Council – https://www.pcisecuritystandards.org/index.shtml