Payment Card Industry Data Security Standard
Payment Card Industry
Data Security Standard
AAFA
ISC/SCLC Fall 08
PCI DSS
What is it?
A set of standards developed by the major credit card
companies as a guideline to help organizations that process
credit cards prevent credit card fraud and various other security
vulnerabilities and threats.
Why should I care?
If you process, store, or transmit payment card data you
should be compliant (credit card companies expect it)
Non-compliant companies that process payment card
transactions run the risk of:
Losing their ability to process credit card payments
Increased transaction rates
Audits
Fines
Or Worse!…
Why should I care?
Approximately 100 million credit and debit card numbers were stolen
by computer hackers
455,000 customers who returned merchandise without receipts
had their personal data stolen including driver’s license
numbers.
Thieves used this data to acquire $1 million in merchandise with
gift cards from Wal-Mart and Sam’s Club
AP - March 29, 2007
Why should I care?
Failure to comply could be costly!
Forrester estimate (4/15/08) - $1.35 billion
Facing possible class action lawsuits from customers
Offering 3 years of free credit monitoring for 455,000
customers
Compensating customers to replace driver's licenses if their
number is the same as their Social Security number
Lost customer confidence and trust
Decrease in stockholder faith
Loss of revenue
AP - March 29, 2007
Why should I care?
TJ Maxx not alone
Will your company be next?
What’s required to be compliant?
Under the current standard (version 1.2), there are 12
requirements organized into 6 logically related groups called
“control objectives”
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Build and Maintain a Secure Network
Requirement 1:
Install and maintain a firewall configuration to protect
cardholder data
Requirement 2:
Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect Cardholder Data
Requirement 3:
Protect stored cardholder data
Requirement 4:
Encrypt transmission of cardholder data across open, public
networks
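Requirement 3 ("Protect stored cardholder data") is in practice about two things: not keeping the full primary account number (PAN) where it is not needed, and finding full PANs that have slipped into logs, exports or databases anyway. The Python below is an added example written for this transcript; it is not part of the original presentation or of the PCI DSS text. It scans constructed sample records for digit runs of plausible PAN length, keeps only those that pass the Luhn checksum (so order numbers and timestamps are not flagged), and rewrites them so that only the last four digits remain. The sample records, the test-style card numbers and the "last four digits" masking policy are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample records, in the shape an application log or a
# database export might take. The card numbers are well-known test
# values, not real accounts.
SAMPLE_RECORDS = [
    "2008-10-01 12:00:01 order=1001 pan=4111111111111111 status=approved",
    "2008-10-01 12:00:05 order=1002 pan=************1111 status=approved",
    "2008-10-01 12:00:09 order=1003 ref=1234567890123 status=declined",
    "2008-10-01 12:00:12 order=1004 pan=5500000000000004 status=approved",
]

# A PAN is 13 to 19 digits; shorter runs (order ids, dates) are ignored.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Walking from the rightmost digit, every second digit is doubled and
    digits above 9 have 9 subtracted; a valid PAN sums to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(record: str) -> List[str]:
    """Return every digit run in a record that looks like a full PAN."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(record)
            if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits (assumed masking policy)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_record(record: str) -> str:
    """Rewrite a record so that any Luhn-valid PAN-length run is masked."""
    def repl(m: "re.Match") -> str:
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_CANDIDATE.sub(repl, record)


def scan(records: List[str]) -> List[Tuple[int, str]]:
    """Return (record_index, pan) for every unmasked PAN in the records."""
    findings = []
    for i, rec in enumerate(records):
        for pan in find_unmasked_pans(rec):
            findings.append((i, pan))
    return findings


if __name__ == "__main__":
    for idx, pan in scan(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked PAN ending in {pan[-4:]}")
    for rec in SAMPLE_RECORDS:
        print(mask_record(rec))
```

Run against the sample records, the scan reports records 0 and 3 and leaves the 13-digit reference number alone because it fails the Luhn check; after `mask_record` a second scan finds nothing. The same scan, pointed at real log directories or exports, is a cheap way to discover where full PANs are being written before an assessor does.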
Maintain a Vulnerability Management Program
Requirement 5:
Use and regularly update anti-virus software
Requirement 6:
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7:
Restrict access to cardholder data by business need-to-know
Requirement 8:
Assign a unique ID to each person with computer access
Requirement 9:
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10:
Track and monitor all access to network resources and
cardholder data
Requirement 11:
Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12:
Maintain a policy that addresses information security
Myth #1: Breaches only happen to big-box retailers
Fact: Small- to medium-sized merchants are highly vulnerable
and a frequent target. Based on most of the news coverage,
security breaches may seem to happen only to huge
corporations – such as the TJX security breach. But, in
reality, cardholder data compromises affect small online store
owners far more frequently. Why? Because the sheer number
of them (according to Visa, more than 6 million) makes them
a more frequent target. Also, they are typically the least
sophisticated technologically, making them an easier target
for hackers and carders.
Myth #2: PCI compliant merchants cannot be
breached.
Fact: While it is a critical step, PCI DSS compliance is only a
periodic measurement at a point in time – not a guarantee. Just
ask Hannaford Brothers groceries if PCI compliant merchants
can’t be breached. They were thought to be PCI compliant, but
were still affected by a very public breach. There’s a danger that
organizations can develop tunnel vision dealing with PCI at the
expense of building a sound security program. Companies
should develop a consistently high security posture, and in doing
so, they will achieve PCI compliance. Any system involving
people is vulnerable, either from accidental error or intentional
acts of theft.
Myth #3: E-commerce merchants that use PCI
compliant shopping carts or payment gateways are by
default PCI compliant.
Fact: This may be the case, but PCI guidelines cover not only data
security but also the physical security and the existence of written
security policies. Once a year, regardless of how the merchant
handles card data, every merchant is required to complete a
self-assessment questionnaire (SAQ), to complete the relevant
Attestation of Compliance and, in most cases, to submit the SAQ and the
Attestation of Compliance to their acquirer. While it is important
that terminals, gateways and shopping carts are compliant, that
doesn’t guarantee that merchants are secure from a physical
standpoint or that they have employee training programs or
security policies in place. SAQ A was specifically developed for
merchants who outsource to a secure terminal.
Myth #4: PCI compliance is too expensive.
Fact: Non-compliance can be very expensive if not catastrophic.
Non-compliance doesn’t just result in costs associated with
fines, credit card replacement and audit fees, but also from loss
of business reputation and revenue. In fact, a recent study stated
that 70 percent of the cost of non-compliance was loss of
revenue. This is significant for big companies that are crucified
in the press, but may be catastrophic for small vendors, putting
them out of business.
Myth #5: PCI compliance is getting easier.
Fact: The PCI Security Standards Council is working hard to clarify
and simplify the standard. For example, in October 2008, the
Council released version 1.2 of the Self-Assessment Questionnaire
(SAQ), which now consists of four versions of the SAQ instead of the
previous one-size-fits-all approach. While the attempt to segment
merchants by validation type is a big step forward, it still presents
confusion among many small merchants who are unclear on which
SAQ they should complete. For small merchants in particular,
protecting cardholder data and maintaining a secure environment
remains a complex endeavor.