
Payment Card Industry (PCI) Compliance

2/12/2019

February 13, 2019

To Receive CPE Credit

› Individuals
• Participate in entire webinar
• Answer polls when they are provided

› Groups
• Group leader is the person who registered & logged on to the webinar
• Answer polls when they are provided
• Complete group attendance form
• Group leader sign bottom of form
• Submit group attendance form to [email protected] within 24 hours of webinar

› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


Presenter

Rex Johnson, CISSP®, CISA®, CIPT, PMP®, PCIP™, [email protected]

Getting to Know You

Which HFMA Chapter are you a member of?

1. Western PA
2. Central PA
3. Northeast PA
4. Metro Philadelphia
5. Other


Credit Cards Are the Most Frequently Available Item on the Dark Web

› Credit cards account for most instances of identity theft
› With the rollout of the EMV chip, credit card application fraud is expected to increase in the U.S.
› Most fraud for credit cards is called card-not-present (CNP)
› Internationally, CNP fraud rose by 7%, resulting in $242.1 million in losses
› Interestingly enough, credit cards go for $1 each on the dark web

Sources: FICO, https://www.fico.com/enterprisefraud/; Fortune, http://fortune.com/2017/02/01/credit-card-chips-fraud/; Australian Payments Network, 2018, https://www.auspaynet.com.au/

What Is PCI Compliance?

› Many years ago, the payment card brands elected to have a standard for assessing the protection of cardholder data (CHD)
› Implemented the Payment Card Industry Data Security Standard (PCI DSS)
› If an organization accepts card payment, & stores, processes or transmits cardholder data, they need to be PCI DSS compliant
› PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Standards Council


What Is the Security Standards Council?

› PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council
› Created to increase controls around cardholder data to reduce credit card fraud
› Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA)

Diagram of the PCI standards family: P2PE; Merchants & Service Providers – PCI DSS – Secure Environment; Software Developers – PCI PA-DSS – Payment Applications; Manufacturers – PCI PTS – PIN Entry Devices

PCI DSS

› PCI DSS defines technical & operational requirements for
• Organizations accepting or processing card payment transactions; &
• Software developers & manufacturers of applications & devices used in those transactions

› QSAs are trained to conduct PCI DSS assessments
• Code of conduct that sets standards, including avoiding conflicts of interest
• Requires initial training & certification exam
• Annual training & recertification exam
• Must maintain working papers for assessments for three years


How Do You Take Credit Card Payments?

› Organizations (called merchants in the PCI world) typically have more than one way to take a payment
› Known as a payment channel
• In person
• Payment devices (POS POI)
• Mail order
• Online
• Phone (telephone orders)

Two Types of Assessments

ROC
• Report on compliance (ROC)
• Must be performed by an independent organization
• Led by a QSA
• Level 1 merchants & service providers
• Acquiring banks may elect other levels to do a ROC

SAQ
• Self-assessment questionnaire (SAQ)
• Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance
• May engage a QSA to assist or perform
• Eight different types of SAQs
• All levels except Level 1

Attestation of Compliance

The organization’s bank (acquirer) or card brands will determine the type of assessment (ROC or SAQ)


PCI Levels – Merchants in General

Level | Annual Transactions | Validation Actions | Validated By
1 | 6 to 20 million | Annual on-site security audit (ROC) & quarterly network scan | Independent assessor (QSA) or IA with PCI training; scans conducted by ASV
2 | 1 to 6 million | Annual self-assessment questionnaire (SAQ) & quarterly network scan | Merchant (self-assessment); scans conducted by ASV
3 | 20,000 to 1 million | (same as Level 2) | (same as Level 2)
4 | 20,000 or less | Annual SAQ (same as Level 2); network scan recommended | Merchant (self-assessment)

Service Providers

› A service provider is a business that is not a payment brand & is directly involved in the processing, storage or transmission of cardholder data
› Performs these duties on behalf of another entity
› Includes companies that provide services to merchants, other service providers or other entities which control or could impact the security of cardholder data
› Examples include
• Data centers
• Transaction processors
• Managed service providers (MSP)
• Payment gateways
• Vendors that provide POS maintenance


PCI Levels – Service Providers in General

Level | Scope | Validation Actions | Validated By
1 | Payment gateways & processors | Annual on-site security audit & quarterly network scan | Independent assessor (QSA) or IA with PCI training; scans conducted by ASV
2 | Storage/transmission/processing above 1 million transactions | Annual SAQ & quarterly network scan | Self-assessment; scans conducted by ASV
3 | Storage/transmission/processing below 1 million transactions | (same as Level 2) | (same as Level 2)

PCI SAQ Types

Type of SAQ depends on the type of merchant environment & is confirmed by the acquirer

A: card-not-present merchants (e-commerce or mail/telephone order)
A-EP: e-commerce merchants who outsourced payment processing to third parties
B: merchants using a) imprint machines or b) standalone dial-out terminals
B-IP: standalone, PTS-approved payment terminals
C-VT: manually enter a single transaction at a time into a virtual payment terminal (not e-commerce)
C: payment applications connected to the internet, no electronic CHD storage
P2PE: hardware payment terminals managed by a P2PE solution (not e-commerce)
D: all merchants not included in the above


PCI DSS Requirements

Goals & PCI DSS Requirements

Build & maintain a secure network
1. Install & maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords & other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use & regularly update anti-virus software or programs
6. Develop & maintain secure systems & applications

Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor & test networks
10. Track & monitor all access to network resources & cardholder data
11. Regularly test security systems & processes

Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel

Requirement 1: Install & Maintain Firewall Configuration to Protect Cardholder Data

› Firewalls are required to protect the CDE (cardholder data environment)
› Restrict traffic from “untrusted” networks & hosts
› Prohibit direct public access from the internet to the CDE
› Although network segmentation is a good idea, it is not required


Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Other Security Parameters

› Network devices come with default passwords
› Remove/change these defaults for better security
› Configuration standards are part of this requirement
• NIST
• ISO
• SANS
• CIS

Requirement 3: Protect Stored Cardholder Data

› Implement data retention & disposal processes
› Do not store the whole PAN
• OK to display first six & last four digits of a card
› Encryption for additional protection
› Consider additional security measures, such as tokenization


Tokenization

› The process of replacing a credit card number (PAN) with a unique set of numbers that have no bearing on the original data
› Creates specific characters that only work during the transaction
› Reduces risk of credit card data theft or misuse

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

› Use strong encryption where CHD is transmitted over public networks
› Includes wireless networks
› Never send unprotected PANs by end user messaging
• Don’t email CC#
• Don’t send over IM
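The PAN handling these slides describe, as an added Python example that is not from the presentation or from BKD: mask_pan keeps only the first six & last four digits (Requirement 3), TokenVault swaps a PAN for a random token that has no bearing on the original (the tokenization slide), and contains_raw_pan is the kind of check a mail or IM gateway could run to catch an unprotected PAN before it is sent (Requirement 4). The function names, the constructed test card numbers and the in-memory vault are my own assumptions; a real token vault lives in a hardened service, not a dictionary.

```python
import re
import secrets

# Constructed test PANs (industry test numbers, not real cards); both pass the Luhn check.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")  # 13-19 digit run, the PAN length range


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects malformed input and tells a real PAN from a token."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by Requirement 3: first six & last four digits, rest masked."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy tokenization service (assumption: in memory); the PAN is stored only here."""

    def __init__(self):
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        if pan in self._token_by_pan:  # same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:
            # Random digits of the same length, so the token has no bearing on the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # A token that fails Luhn cannot be mistaken for a live card number.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def contains_raw_pan(text: str) -> bool:
    """Requirement 4 check: flag an unprotected PAN in an email or IM body before it is sent."""
    return any(luhn_ok(m.group()) for m in PAN_PATTERN.finditer(text))
```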


Requirement 5: Use & Regularly Update Anti-Virus Software or Programs

› Use anti-virus software on systems
› Ensure anti-virus definitions are current & the software is actively running
› Prevent the ability to disable anti-virus
› Generate logs

Requirement 6: Develop & Maintain Secure Systems & Applications

› Keep system patches current
• Critical patches deployed within 30 days of release
› Risk ranking of vulnerabilities
› Change control processes & procedures
› Secure coding guidelines


Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

› Limit access only to those whose job requires it
› Documented approval for access
› Access control systems in place
• Deny all unless specifically allowed
• Only those with a business need

Requirement 8: Identify & Authenticate Access to System Components

› Unique IDs required & proper authentication
› Strong password parameters
› Multifactor authentication
• Two or more authentication methods: something you know (password), have (token) or are (biometric)
› Do not use group, shared or generic IDs


Requirement 9: Restrict Physical Access to Cardholder Data

› Limit & monitor physical access to systems in the CDE
› Procedures to distinguish between on-site personnel & visitors
› Visitors are authorized & a log maintained
› Backups are secure
› Media is classified & safeguarded
› Destroy media when no longer in use
› Training for identifying tampered devices

Device Tampering: Skimming

› A skimming device is a camouflaged counterfeit card reader that records the card’s information
› It will still allow the cardholder to perform their transaction
› Used at ATM machines, retail stores, restaurants & taxis
› Can sometimes be a hand-held skimmer small enough to fit into a pocket


Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data

› Audit trail for users who have access to CHD
› Logging of invalid attempts
› Restricted access to logs
› Prevent log tampering
› Time synchronization
• Critical systems time synchronized
• Unable to tamper with time data
› Retain audit history for at least one year

Requirement 11: Regularly Test Security Systems & Processes

› Identify wireless access points
› Run internal & external network vulnerability scans quarterly
› Internal & external penetration testing annually (or twice a year for service providers)
› Intrusion detection & prevention in place


Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel

› Establish, publish & maintain security policies for PCI
› Daily operational security procedures
› Usage policies for technology in the CDE
› Assign personnel with security responsibilities
› Security awareness program
› Employee screening prior to hiring
› Policies for service providers with CDE access
› Incident response plan in place

Appendices

› Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
• Protecting each entity’s hosted environment & data
• Restrict each entity’s access to only its own environment
› Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections
› Appendix A3: Designated Entities Supplemental Validation (DESV)
• Only entities designated by a payment brand or acquirer
• Additional validation steps as required


Compensating Controls

› In the event that an organization does not meet a PCI control, the assessor can determine if compensating controls are in place
› Compensating controls worksheet is included in the ROC template
1. Constraints
2. Objectives
3. Identified Risk
4. Definition of Compensating Controls
5. Validation of Compensating Controls
6. Maintenance
› Must address the risk & be stronger than the control it is replacing
› Management must approve compensating controls every year

Why Is PCI DSS Compliance Important?

› Hackers & large international organized crime groups target merchants & their payment channels
› High fees for noncompliance with PCI DSS
• At the discretion of the payment brands
• $5,000 to $10,000 per month
› The fallout of a card data breach
• The resulting costs can be significant
• Breach could result in an average cost of $200 per card number lost
• Long-term reputational effects to an organization


Lack of PCI Compliance Can Cost

› Lost confidence & customers going to other merchants
› Diminished sales
› Cost of reissuing new payment cards
› Fines
› Fraud losses
› Higher subsequent costs of compliance
› Termination of the ability to accept credit cards
› Going out of business

Benefits of PCI Compliance

› The security of cardholder data affects everyone
› Increases security of cardholder data
› Customer confidence
› Better protection for clients
› Universal principles
› Avoidance of fines
› Reduces the cost of a breach


Summary

› PCI compliance is a requirement, but not a law, from the card brands for any organization that stores, processes or transmits payment card data
› Card brands set the standards & have the right to invoke penalties for organizations that fail PCI compliance
› PCI Security Standards Council is the governing board that trains & qualifies assessors (QSAs)
› Organizations with over six million card transactions annually must have a report on compliance (ROC) by an independent QSA company
› Other organizations are able to do a self-assessment questionnaire (SAQ)
› There are 12 requirements to PCI, each with a number of questions/controls
› Cost of noncompliance is significant


Continuing Professional Education Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

CPE Credit

› CPE credit may be awarded upon verification of participant attendance

› For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]


bkd.com | @BKDLLP


Rex Johnson | [email protected] | @BKDCyber @RexSecurity