Compliance to PCI DSS
Compliance to Payment Card Industry (PCI) Data Security Standard (DSS) assessment
Petar Kovačević, Project manager
24. 04. 2012
© 2012 IBM Corporation
What is Payment Card Industry Data Security Standard (PCI DSS), and why should you care?
The PCI Security Standards Council, which maintains the standard, was formed in 2006 by five payment card brands: American Express, Discover, JCB, MasterCard and VISA.
The PCI Data Security Standard (PCI DSS) enumerates common industry requirements for the protection of cardholder data.
If your company accepts credit cards for payments, PCI compliance applies to you. Regardless of size or industry, all companies that accept credit cards must adhere to the prescribed safeguards outlined in the standard.
What are the risks of noncompliance?
Beyond exposing your customers to fraud or identity theft, your business can be held responsible for the credit card company's losses. In the event of a security breach or lack of PCI compliance, the card brands and acquiring banks can levy fines or even bar your company from processing any credit card transactions at all.
The cost of noncompliance with Payment Card Industry Data Security Standard can be high.
• RBS WorldPay, a subsidiary of Citizens Financial Group Inc, said a breach of its payment systems may have affected more than 1.5 million people.
• Hannaford Brothers Co. disclosed that a breach of its payment systems compromised at least 4.2 million credit and debit card accounts.
• TJX Companies Inc, the parent of retailers Marshalls and TJ Maxx, said a number of breaches over a three-year period exposed more than 45 million credit and debit card numbers.
• A breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts.
What is the scope and complexity of the Payment Card Industry Data Security Standard (PCI DSS)?
Six primary categories
The PCI standard is organized into six categories and twelve numbered security requirements, also known as the "digital dozen." Together they address security concerns ranging from network protection to security governance policies.
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
Common challenges associated with achieving PCI compliance
Many organizations choose alternatives to extensive in-house staff dedicated to compliance activities, primarily for the following reasons:
• The standard is comprehensive and can be very time consuming to follow
• Multiple processes, services, and technologies are usually required to meet compliance
• Roles and responsibilities of key stakeholders are often misunderstood
Here is a subset of PCI DSS categories and requirements, with example controls for each category.

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Example controls: firewall management; configuration management

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Example controls: data classification and policy; access control; data loss prevention; data encryption

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Example controls: anti-virus management; policy and compliance management; web application protection; vulnerability management
Here is a subset of PCI DSS categories and requirements, with example controls for each category (continued).

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique identification (ID) to each person with computer access
9. Restrict physical access to cardholder data
Example controls: access control; identity management; physical security

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Example controls: privileged user monitoring; log and event management; penetration testing; intrusion detection/prevention

Maintain an information security policy
12. Maintain a policy that addresses information security
Example controls: security policy development; awareness programs; vendor management
How can IBM Security Services help you?
IBM offers a variety of Payment Card Industry (PCI) security solutions.
• IBM Security Services' Payment Card Industry (PCI) security solutions help you determine your level of compliance with PCI, as well as help validate your adherence to PCI requirements.
• PCI compliance from IBM experts:
– As one of the few vendors in the world certified to perform PCI assessment services globally, IBM Security Services can help guide you through the entire PCI compliance process. IBM Security Services can help you manage and gain efficiencies in maintaining compliance. Our qualifications include:
• Qualified Security Assessor (QSA)
• Approved Scanning Vendor (ASV)
• Payment Application Qualified Security Assessor (PA-QSA)
How do I get started with IBM Professional Security Services?
For simplicity, the IBM Professional Security Services portfolio can be mapped to the following areas to help you maintain a continuous process for pursuing Payment Card Industry (PCI) compliance.
1. Assess - IBM's Qualified Security Assessors (QSAs) are an integral part of helping lead activities that include:
• Conducting a customized gap assessment to help determine your current compliance level and the specific steps required to achieve PCI compliance before performing the formal assessment
• Executing PCI scanning activities (the quarterly external vulnerability scans the standard requires from an Approved Scanning Vendor) to review the technical controls on Internet-facing, in-scope devices
2. Remediate - IBM consultants help you develop paths to compliance management and indicate how to use compensating controls that can optimize benefit and risk reduction; in addition, we can assist you with project compliance milestones and negotiations on timeline or compensating controls with acquiring institutions or card brands
3. Report - IBM consultants can create:
• An interim Report on Compliance (RoC) with audit criteria documented and detailing both compliant and noncompliant items
• A completed formal gap assessment document which details non-compliant items
Typical Customer PCI Roadmap
Phase 1. Assess
• Action: Assess current level of security effectiveness and strengthen network and security posture by identifying vulnerabilities and weaknesses against best practices
• Result: Gap analysis and resolution recommendations between current state and requirements
Phase 2. Design
• Action: Design and documentation of policies, procedures, and architecture/solutions to ensure protection and extension of business capabilities
• Result: Creation of a gap closure plan for short- and long-term resolution designed to ensure optimization of security infrastructure
Phase 3. Deploy
• Action: Expert deployment, implementation, tuning, and change support
• Result: Helps the client execute the gap closure plan, improve performance and realize cost savings
Phase 4. Manage and Support
• Action: Management of security infrastructure/program to meet defined business objectives
• Result: Helps ensure that the gaps remain closed and new gaps are not opened by providing improved protection, lowering TCO, and demonstrating compliance
Phase 5. Educate
• Action: Education and knowledge transfer of security best practices
• Result: Helps improve employee understanding and security skills
Why should IBM be your Payment Card Industry (PCI) partner?
IBM Security Services is a worldwide PCI services market leader
• IBM has products and services for all 12 PCI requirements
– Efficiencies in interoperability, procurement and management
• IBM is globally certified to perform all PCI services and holds the following designations:
– Qualified Security Assessor (QSA)
– Approved Scanning Vendor (ASV)
– Payment Application Qualified Security Assessor (PA-QSA)
• PCI experience since 2004
• IBM can help you wherever you are in the compliance lifecycle
• IBM helps clients gain efficiencies with PCI maintenance
• Experience with clients of all sizes and industries, all over the world
• IBM provides PCI services to:
– One of the top three retailers across the globe
– One of the top three online retail marketplaces
– One of the top three online payment processors
– One of the largest governments
– One of the top three largest mobile phone companies
IBM can provide comprehensive security services.
IBM PCI Solutions
A comprehensive look at IBM services, software and hardware which can help you to meet your total Payment Card Industry (PCI) compliance needs
http://www.ibm.com/software/tivoli/governance/security/pci.html
IBM Security Services
Helps you reduce the cost and complexity of securing your infrastructure with a comprehensive portfolio of world-class managed security services and consulting services
http://www.ibm.com/services/us/index.wss/itservice/iss/a1030786
IBM Managed Security Services
Protect your information assets around the clock at a fraction of the cost of in-house security with IBM Managed Security Services from IBM Security Services
http://www.ibm.com/services/us/index.wss/offerfamily/iss/a1026954
IBM can provide unmatched global and local expertise to help deliver complete security solutions.
• 9 security operations centers
• 9 security research centers
• 133 monitored countries
• 20,000-plus devices under contract
• 3,700-plus MSS clients worldwide
• 7 billion-plus events per day
Thank you for your time today.
For more information:
• http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1031381
Contact:
• Petar Kovačević
• +381 11 2013541