7/19/2011

1

PCI Compliance 101: Payment Card

Industry BasicsIndustry BasicsData Security Standards Compliance

Wednesday, July 20, 20112:00 pm – 3:00 pm EDT

This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions and Chase Paymentech.

Your Presenter:With 29 years of experience in the Information Technology (IT) industry and 14 years of Information Security management experience, David Wallace serves as Group Manager for Chase Paymentech’s Security Standards Compliance team. In his role, Wallace is responsible for p pmanaging data security compliance for Chase Paymentech’s merchant portfolio and advising merchants about the Payment Card Industry (PCI) security standards.

Prior to joining Chase Paymentech, Wallace gained invaluable experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim’s Pride and Perot Systems. In addition to his professional experience, Wallace has earned several industry certifications, including Certified Information Systems Security Professional in 1999, Certified Information Security Manager in 2004, and Certified Information Systems Auditor in 2008. He is also a frequent speaker at regional, national and international information security conferences including

David A. Wallace

Group Manager, Security Standards national and international information security conferences including

the RSA Conference and Computer Security Institute Conference.

Wallace spent his undergraduate years attending Louisiana State University in Shreveport, La., where he studied business administration and management information systems. He earned a master’s degree in business administration from Southern Methodist University in Dallas, Texas in 2003.

Security Standards Compliance

2

7/19/2011

2

Polling Question

How PCI compliant is your organization?

1. I don’t know2. We’re know what merchant level we are 3. We have worked on the PCI assessment

and network scan

How PCI compliant is your organization?

4. We are fully PCI compliant

3

Wh t i PCI?

Agenda

• What is PCI?• Payment Brand Requirements• Getting Started• Resources

Q• Questions

4

7/19/2011

3

What is “PCI”?

5

What is PCI?

• A collective term used to refer to theo Payment Card Industry Security Standards Councilo Payment Card Industry Security Standards Council

(PCI SSC)o Data security standards developed and maintained by

this entity• Applies to any system that stores, processes or

transmits cardholder data as part of authorization or settlement of a member brand credit debit or gift cardsettlement of a member brand credit, debit, or gift card transaction

6

7/19/2011

4

PCI Security Standards Council The Organization

Mission — Formed in 2004 by five major payment brands to enhance cardholder data securitybrands to enhance cardholder data security20 member advisory board with 600+ participating organizations

• Merchants• Issuers• Acquirers

I d d t S i O i ti (ISO )• Independent Service Organizations (ISOs)• Third Party Service Providers• Debit Payment Networks• Product Manufacturers

7

• The PCI SSC manages the -o Payment Card Industry Security Standards for:

Scope of PCI Security Standard Council

o Payment Card Industry Security Standards for:• Merchants• Payment Application software developers• Hardware manufacturers

o Accreditation for:Assessors• Assessors

• Scanning Vendors• Forensic Investigators• PED Evaluation Labs

8

7/19/2011

5

PCI Security Standards

• The PCI Data Security Standard (PCI DSS)o Applies to any entity that stores, processes, and/or transmits cardholder datao 12 Requirement covering technical and operational system componentso 12 Requirement covering technical and operational system components

• The Payment Application Data Security Standards (PA-DSS)o Applies to developers and integrators of applications involved in authorization or

settlement or a card transaction. o Governs these applications that are sold, distributed or licensed to third parties.

• The PIN Transaction Security (PTS)o Applies to manufacturers who specify and implement device characteristics and

management for personal identification number (PIN) entry terminals used for payment card financial transactions.

9

PCI Security Standards Council Accreditations

Type PCI SSC Designation Activity

Assessors Internal Security Assessor Merchant resource certified to validateAssessors Internal Security Assessor (ISA)

Merchant resource certified to validate compliance of PCI DSS

Qualified Security Assessor (QSA)

Independent third party certified to validate compliance of PCI DSS

Payment Application Qualified Security Assessor (PA-QSA)

Independent third party certified to evaluate compliance of Payment Applications to the PA DSS

ScanningVendors

Approved Scanning Vendor (ASV)

Independent third party accredited to perform network vulnerability scanVendors (ASV) network vulnerability scan

ForensicsInvestigators

PCI Forensics Investigator (PFI)

Independent third party accredited to perform forensics investigation in the event of suspected cardholder data breach

PED Laboratories

PCI Recognized Laboratory Independent third party certified to validate compliance of PIN Transaction Security Standards

10

7/19/2011

6

PCI DSS Applicability

• The PAN is the defining factor in PCI DSSo Applies if PAN is stored, process or transmittedpp , po If card holder name, expiration date and/or service code are

stored, processed or transmitted with PAN – all must be protected

• PCI DSS represents the minimum o May be enhanced by other regulations and standards

11

Who Can Assess PCI DSS?

Merchant Level Validation Requirements Frequency

R t C li (ROC) O it Annually

Level 1Report on Compliance (ROC) ‐ Onsite Assessment performed by QSA or ISA

Network Scans by ASV

Annually

Quarterly

Level 2Self‐Assessment Questionnaire (SAQ) performed by ISA or QSA

Network scans by ASV

Annually

Quarterly

Self‐Assessment Questionnaire (SAQ) AnnuallyLevel 3

Self Assessment Questionnaire (SAQ)

Network scans by ASV

Annually

Quarterly

Level 4Self‐Assessment Questionnaire (SAQ)

Network scans by ASV

Annually

Quarterly

12

7/19/2011

7

P t B dPayment Brand Requirements

13

Payment Brand Data Security Programs

• Mandate compliance with PCI Standards for entities storing, processing, or transmitting cardholder datastoring, processing, or transmitting cardholder data

• Define deadlines for adoption and penalties for non-compliance

• Serve as an origination point for new PCI standards• May differ from brand to brand

– And in some cases from region to region

• Some more active than others

14

7/19/2011

8

Visa/MasterCard Merchant PCI Levels

Merchant LevelLevel 4

Fewer than 20,000 ecommerce or fewer than 1 million total transactions within one card brand within a 12 month period

Level 3Between 20,000 and 1 million Visa or MC ecommerce transactions

in a 12 month period

Level 2Level 2Between 1 and 6 million Visa or MC transactions in a 12 month

period

Level 1Over 6 million Visa or MC Transactions in a 12 month period

15

PCI DSS Validation Requirements (USA)

16

7/19/2011

9

Self Assessment Questionnaire Types

17

Non-Compliance Penalties (USA)

18

7/19/2011

10

Payment Application Data Security Standard (PA-DSS)

• PA-DSS applies to payment applications sold, distributed, or licensed to third parties.

• A Payment Application o Runs on a commercial

operating system like Windows or LinuxWindows or Linux

o Stores, processes or transmits cardholder data as part of authorization or settlement.

19

Scope of PA-DSS

• PA-DSS includeso POS Software (Micros, Radiant, Squirrel, etc.)( q )o E-Commerce Shopping Cartso Middlewareo Web Based Payment Applicationso ATM

• Ensures a payment application contains PCI DSS-required features and functionsDSS required features and functions

• MasterCard REQUIRES all merchants using in-scope payment applications to use Validated Payment Applications by June 30, 2012.

20

7/19/2011

11

• Validated devices designed to resist attackScope of the evaluation to include:

PIN Transaction Standard (PTS)

• Scope of the evaluation to include:– POS PED devices– Encrypting PIN Pads– Unattended Payment Terminals (Kiosks)

• Visa requires all merchants to use PTS-validated devices by June 30, 2010

E f t ti b i J 30 2012– Enforcement action begins June 30, 2012

• Visa requires all attended PTS devices to use Triple DES (TDES) keys by June 30, 2012

21

2011 Key Dates for PCI Compliance

22

7/19/2011

12

Getting Started

23

Where to Start?• Determine your Merchant PCI Level

– Notification from your acquirery q• Level 1 & 2 – must use QSA or ISA• Level 3 & 4 – can self assess• All Levels must use an ASV for a quarterly network

scan (Does not apply to SAQ A, B, or C-VT)

• Know the card brand specific requirements– For the brands you accept– And the regions within which you operate

• Select and review the appropriate Self Assessment Questionnaire (SAQ)

24

7/19/2011

13

Your Environment

• Determine what system components are governed by PCI DSS– Systems, applications, and networks that store, process and/or

transmit cardholder datatransmit cardholder data

• Gather the resources– Documentation

• Policies, records, operational procedures, network diagrams, etc– Personnel

• IT, business operations, security, HR, etc.

• Examine the compliance of system components in scopeCan you isolate your cardholder data processing to reduce your– Can you isolate your cardholder data processing to reduce your scope?

– Can you meet all the key controls?• If not, can compensating controls, technologies, and or processes be

used to meet spirit of the requirement?

25

The Prioritized Approach – Simply

• Six Milestones:1. Remove sensitive authentication data and

limit data retention. If you don’t need it, don’t store it

2. Protect the perimeter, internal, and wireless networks. Secure the perimeter

3. Secure payment card applications. Use secure applications

4. Monitor and control access to your ysystems.

5. Protect stored cardholder data6. Finalize remaining compliance efforts, and

ensure all controls are in place

26

7/19/2011

14

Resources

27

Additional Resources

Chase Paymentech www.chasepaymentech.com

Merchant Center www.chasepaymentech.com/merchantcenterp yCardholder Data Security www.chasepaymentech.com/datasecurity

PCI Security Standards Council www.pcisecuritystandards.org

Validated Payment Applications www.pcisecuritystandards.org/security_standards/vpaPTS Certified devices www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.htmlSelf-Assessment Questionnaires https://www.pcisecuritystandards.org/merchants/self_assessment_form.phpPrioritized Approach https://www.pcisecuritystandards.org/education/prioritized.shtml

MasterCard Site Data Protection Program http://www.mastercard.com/us/merchant/security/sdp program.html

28

g p y p_p g

TrustWave www.trustwave.com

Portal: Level 4 Merchant Portal www.trustwave.com/level4pciFree Risk Profile - referral code: http://chasepaymentech.riskprofiler.net

welcomechasepay

7/19/2011

15

Questions?

David A. Wallace

G M S it St d d C liGroup Manager, Security Standards ComplianceChase Paymentech

david.wallace@chasepaymentech.com

www.chasepaymentech.com/asae

Thanks for joining us! Go beyond the basics of PCI, and register for:

PCI Compliance 102:Small Steps to Big Changes

September 28, 20112:00 pm – 3:00 pm ET

www.asaecenter.org/calendar