PCI Compliance: Delving Deeper in the Standard

John Bedrick, AccuCode

Posted on 17-Nov-2014

DESCRIPTION

Presentation on the PCI DSS in greater depth.

TRANSCRIPT

Page 1: PCI Compliance -  Delving Deeper In The Standard


PCI Compliance: Delving Deeper in the Standard

John Bedrick, AccuCode

Page 2: PCI Compliance -  Delving Deeper In The Standard

Agenda

• About AccuCode

• Payment Card Industry Data Security Standard (PCI DSS) Schedules

• Merchant Levels and Validation Requirements

• PCI DSS Requirements

• Where To Start

• PCI DSS Self-Assessment Questionnaires (SAQ)

• Continuous Compliance

• PCI DSS: Validation Actions

• Overcoming the Top PCI DSS Challenges

• PCI DSS: The Top Violations and Basic Remediation Strategies

• AO:Compliance™ and Next steps on the road to becoming PCI Compliant

• Questions and Answers

Page 3: PCI Compliance -  Delving Deeper In The Standard

AccuCode the Company

• Founded 1995

• VAR, Professional & Managed Services, Commercial Software Products

• National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies

• Fastest Growing Privately Held Company in the U.S.

• Trusted Advisor Delivering Guaranteed Outcomes

Page 4: PCI Compliance -  Delving Deeper In The Standard

AccuCode Customers & Partners

AccuCode has hundreds of customers & thousands of end-users!

(Logo groups: Partners, Manufacturing, Retail, Transportation)

Page 5: PCI Compliance -  Delving Deeper In The Standard

PCI DSS Schedules

Page 6: PCI Compliance -  Delving Deeper In The Standard

Schedule - Version 2.0 PCI DSS & PA-DSS

October 28, 2010 – 2.0 Released

January 1, 2011 – 2.0 Effective

December 31, 2011 – 1.2.1 Retired

July 1, 2012 – Risk Ranking (6.2) sunrise

Page 7: PCI Compliance -  Delving Deeper In The Standard

Merchant Levels and

Validation Requirements

Page 8: PCI Compliance -  Delving Deeper In The Standard

The Mandate: Merchant Levels Defined

Visa, MasterCard, Discover, & JCB

Level 1
• Qualification criteria*: Merchants processing over 6 million transactions annually on one or more card brands individually.
• Requirements: Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance (AOC) Form

Level 2
• Qualification criteria*: Merchants processing between 1 million and 6 million transactions annually on one or more card brands individually.
• Requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance (AOC) Form

Level 3
• Qualification criteria*: Merchants processing between 20,000 and 1 million transactions annually on one or more card brands individually.
• Requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance (AOC) Form

Level 4
• Qualification criteria*: Merchants processing fewer than 20,000 transactions annually on one or more card brands individually.
• Requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; requirements set by acquirer

*Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.

Page 9: PCI Compliance -  Delving Deeper In The Standard

The Mandate: Merchant Levels Defined

American Express (AMEX)

Level 1
• Qualification criteria*: Merchants processing over 2.5 million transactions annually.
• Requirements: Annual Report on Compliance by QSA; quarterly network scan by ASV; Attestation of Compliance (AOC) Form

Level 2
• Qualification criteria*: Merchants processing between 50,000 and 2.5 million transactions annually.
• Requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance (AOC) Form

Level 3**
• Qualification criteria*: Merchants processing less than 50,000 transactions annually.
• Requirements: Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance (AOC) Form

*Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX.

**Compliance at this level is strongly suggested, but not mandated.

Page 10: PCI Compliance -  Delving Deeper In The Standard

PCI DSS Requirements

Pages 11-16: PCI Compliance -  Delving Deeper In The Standard

Six Goals, Twelve Requirements

(The original slides build this list up one goal at a time; the complete build is shown once here.)

Build and Maintain a Secure Network

• Install and maintain a firewall configuration to protect cardholder data

• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

• Protect stored cardholder data

• Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

• Use and regularly update anti-virus software or programs

• Develop and maintain secure systems and applications

Implement Strong Access Control Measures

• Restrict access to cardholder data by business need-to-know

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

Regularly Monitor and Test Networks

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

Maintain an Information Security Policy

• Maintain a policy that addresses information security for employees and contractors

Page 17: PCI Compliance -  Delving Deeper In The Standard

PCI DSS Requirements - Summary

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmissions of cardholder data

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Page 18: PCI Compliance -  Delving Deeper In The Standard

Where to Start

Page 19: PCI Compliance -  Delving Deeper In The Standard

Steps to Validate PCI Compliance

1. Identify your validation type

• This determines which Self-Assessment Questionnaire (SAQ) you complete

2. Complete the appropriate SAQ

Page 20: PCI Compliance -  Delving Deeper In The Standard

Steps to Validate PCI Compliance

3. Complete and provide evidence of a passing vulnerability scan

• This scan must be completed by a PCI SSC Approved Scanning Vendor (ASV)

• Scanning applies to any merchant electronically storing cardholder data or with processing systems with Internet connectivity

4. Complete the relevant Attestation of Compliance (AOC)

• Located in the SAQ

5. Submit the SAQ, AOC and any other requested documents to your Bank/Acquirer

Page 21: PCI Compliance -  Delving Deeper In The Standard

PCI DSS Self-Assessment Questionnaires (SAQ)

Page 22: PCI Compliance -  Delving Deeper In The Standard

SAQ 1.2

SAQ version and length; validation type; description of subject merchant:

SAQ A (13 questions), validation type 1: Card-not-present merchants only, that outsource all parts of the credit card transaction. Data is only kept in paper reports.

SAQ B (27 questions), validation type 2: This merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.

SAQ B (27 questions), validation type 3: Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically.

SAQ C (41 questions), validation type 4: Payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with security best practices.

SAQ D (222 questions), validation type 5: Any merchant that does not fit any of the above categories, and any eligible service provider.

Page 23: PCI Compliance -  Delving Deeper In The Standard

Continuous Compliance

Page 24: PCI Compliance -  Delving Deeper In The Standard

Challenges

• The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure

• Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit

• PCI DSS is a baseline for security, not the pinnacle

• Many merchants make a last-minute “rush to compliance” in order to satisfy audit criteria

• This last-minute rush may produce a perfect compliance snapshot—but not produce ongoing security

Page 25: PCI Compliance -  Delving Deeper In The Standard

Continuous Compliance

The PCI DSS helps businesses address security and risk.

• Merchants should:

• Know their risk profile and level of compliance daily

• Be ready to adapt to any requirement changes

• Ensure employees are following security policies at all times

Assessment → Compliance → Maintaining Compliance

Page 26: PCI Compliance -  Delving Deeper In The Standard

Creating Continuous Compliance

The process of compliance is ongoing:

1. Assess

• Identify gaps

• Inventory IT assets and business processes for payment cards

2. Remediate

• Fix vulnerabilities

3. Report

• Submission of paperwork/records to proper groups, such as acquiring banks

• Paperwork includes audit results, such as Report on Compliance (ROC) or SAQ

• Submit appropriate AOC Form

Assess → Remediate → Report

Page 27: PCI Compliance -  Delving Deeper In The Standard

How to Assess

• Study the PCI DSS standards

• Inventory IT Assets and processes

• Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data

• Identify Vulnerabilities

• Your SAQ guides the assessment

• Validate with Third-party Experts

• Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment

Page 28: PCI Compliance -  Delving Deeper In The Standard

How to Remediate

Remediation is the process of fixing vulnerabilities and may include:

• Network scans to analyze infrastructure and identify known vulnerabilities

• Reviewing and remediating vulnerabilities uncovered by an on-site assessment or the SAQ process

• Prioritizing remediation to address the most serious issues first

• Patches, fixes and any changes to processes and workflow

• Re-scanning to confirm remediation

Page 29: PCI Compliance -  Delving Deeper In The Standard

How to Report

• Conduct regular vulnerability scanning

• All merchants need to submit quarterly scan reports, completed by an approved ASV

• Some businesses may need to enlist a QSA to conduct an annual on-site assessment

• Each payment brand has its own reporting guidelines

Page 30: PCI Compliance -  Delving Deeper In The Standard

PCI DSS: Validation Actions

Page 31: PCI Compliance -  Delving Deeper In The Standard

Merchant & Service Provider Levels & Validation Actions

Columns: Level; Criteria; QSA On-Site Security Audit; Network Scans; Self-Assessment Questionnaire; Validate 3rd-Party Payment Application

Merchants

Level 1
• Criteria: Any Merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any Merchant that suffered a security breach resulting in an account compromise.
• QSA on-site security audit: Required Annually
• Network scans: Required Quarterly
• Validate 3rd-party payment application: Required *

Level 2
• Criteria: Any Merchant processing between 1 million and 6 million transactions per year.
• Network scans: Required Quarterly
• Self-assessment questionnaire: Required Annually **
• Validate 3rd-party payment application: Required *

Level 3
• Criteria: Any Merchant processing between 20,000 and 1 million transactions per year.
• Network scans: Required Quarterly
• Self-assessment questionnaire: Required Annually
• Validate 3rd-party payment application: Required *

Level 4
• Criteria: All other Merchants not in Levels 1 – 3, regardless of acceptance channel.
• Network scans: Required Quarterly
• Self-assessment questionnaire: Required Annually
• Validate 3rd-party payment application: Required *

Service Providers

Level 1
• Criteria: All 3rd Party Processors and all Data Storage Entities that store, transmit or process more than 300,000 transactions per year.
• QSA on-site security audit: Required Annually
• Network scans: Required Quarterly
• Validate 3rd-party payment application: Required *

Level 2
• Criteria: All Data Storage Entities that store, transmit or process less than 300,000 transactions per year.
• Network scans: Required Quarterly
• Self-assessment questionnaire: Required Annually
• Validate 3rd-party payment application: Required *

* = Any Merchant or Service Provider using 3rd-party payment applications is required to validate compliance or use an approved PCI DSS payment application.

** = Required Annually after June 30, 2011

Page 32: PCI Compliance -  Delving Deeper In The Standard

Checklist for Continuous Compliance

Don’t just “get” compliant, stay compliant:

Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies

Establish a cycle of risk management analysis and response

Continue to reduce scope where possible

Work towards making the process of staying compliant easier

Compliance is the baseline for your information security program

Page 33: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Page 34: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 1: Install and maintain a firewall to protect cardholder data

• Firewalls are the locks on doors

• Firewall configurations must prohibit unauthorized access to system components in the cardholder data environment

• Deny all connections in and out not specifically required for business functionality

• Install firewall software on each mobile and/or employee-owned computer that connects to the cardholder data environment or to the public Internet
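The "deny all connections in and out not specifically required" rule can be checked mechanically rather than by eye. The following is an added example, not from the presentation or from AccuCode: a small Python checker that reads a ruleset in iptables-save format and reports chains whose default policy is not DROP or REJECT, ACCEPT rules that carry no business-justification comment, and ACCEPT rules restricted to neither a source nor a destination. The ruleset itself is constructed for the example and contains two deliberate weaknesses (an OUTPUT chain that defaults to ACCEPT, and an undocumented, unrestricted allow for port 3306); the `CR-` change-request tags in the comments are a constructed convention, not a PCI requirement.

```python
"""Audit an iptables-save ruleset against PCI DSS Requirement 1 basics.

Added example (not from the slides): default-deny in every chain, and every
allow rule documented and restricted. The ruleset below is constructed and
contains two deliberate weaknesses so the checker has something to report.
"""
import shlex

SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.5.0/24 -p tcp --dport 22 -m comment --comment "CR-0042 admin SSH from jump hosts" -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 203.0.113.10 -p tcp --dport 443 -m comment --comment "CR-0017 TLS to payment processor" -j ACCEPT
COMMIT
"""

# iptables options whose following token we capture from each rule.
CAPTURE = {"-s": "src", "-d": "dst", "-j": "target", "--comment": "comment", "--ctstate": "state"}


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            # ":INPUT DROP [0:0]" -> chain INPUT, policy DROP
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)  # honours the quoted --comment string
            rule = {"chain": toks[1], "raw": line}
            for i, tok in enumerate(toks[:-1]):
                if tok in CAPTURE:
                    rule[CAPTURE[tok]] = toks[i + 1]
            rules.append(rule)
    return policies, rules


def audit_ruleset(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    policies, rules = parse_ruleset(text)
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        policy = policies.get(chain, "missing")
        if policy not in ("DROP", "REJECT"):
            findings.append(f"{chain}: default policy is {policy}; traffic not explicitly allowed must be denied")
    for rule in rules:
        if rule.get("target") != "ACCEPT":
            continue
        if "ESTABLISHED" in rule.get("state", ""):
            continue  # replies to connections that were already allowed by another rule
        if not rule.get("comment"):
            findings.append(f"{rule['chain']}: allow rule without a documented business justification: {rule['raw']}")
        if "src" not in rule and "dst" not in rule:
            findings.append(f"{rule['chain']}: allow rule not restricted to a source or destination: {rule['raw']}")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULESET):
        print(finding)
```

Run against the constructed ruleset, the checker reports three findings: the OUTPUT default policy, and two for the port 3306 rule (no justification, no source or destination). Fixing those and re-running gives an empty list, which is the state a quarterly rule review should end in.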


Page 35: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 2: Do not use vendor-supplied defaults

• In 2010, 88% of our cases found third-party vendors introduced security vulnerabilities, likely due to vendor-supplied passwords

• Choose a vendor with a solid security history

• Monitor all vendors to ensure they follow best security practices

• Make sure contracts with vendors also include security control requirements and acceptance of responsibility for loss of CHD in their custody

Page 36: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 3: Protect stored data

• PAN (primary account number) must be unreadable, including:

• On backup media

• In logs

• On portable digital devices

• Via wireless and public networks

• To render PAN unreadable, use:

• Truncation (to first 6 and last 4 characters at a minimum)

• Strong one-way hash functions

• Strong cryptography

• Better yet, get rid of it; you probably don’t need it!
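The three techniques on this slide, and the "in logs" point, as an added example that is not part of the presentation: Python helpers that truncate a PAN to its first 6 and last 4 digits, mask it for display, produce a keyed one-way hash, and scrub PANs out of log lines. The keyed hash (HMAC-SHA256) is our choice rather than the slide's: with the first 6 and last 4 digits known, an unkeyed hash of a 16-digit PAN leaves only a million candidates to try, so the key has to be protected like an encryption key. The scrubber uses the Luhn check to tell card numbers from order ids and timestamps. The card numbers are standard test numbers and the log line is constructed.

```python
"""Render PANs unreadable (PCI DSS Requirement 3): truncate, mask, keyed hash,
and scrub PANs out of log lines. Added example, not from the slides.
Card numbers used here are standard test numbers, not real accounts."""
import hashlib
import hmac
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: the POS software logged a full PAN, which Requirement 3 forbids.
SAMPLE_LOG_LINE = "2014-11-17 10:22:01 POS01 sale approved pan=4111111111111111 auth=034512 amount=19.99"


def digits_only(value):
    return re.sub(r"\D", "", value)


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Storage form: keep only the first 6 and last 4 digits; the middle is discarded."""
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return d[:6] + d[-4:]


def mask_pan(pan):
    """Display form: first 6 and last 4 visible, every other digit replaced by '*'."""
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan, key):
    """Keyed one-way hash of the PAN (HMAC-SHA256); `key` needs the same protection as a data key."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line):
    """Replace every Luhn-valid PAN-like number in a log line with its masked form."""
    def _mask(match):
        d = digits_only(match.group(0))
        return mask_pan(d) if luhn_valid(d) else match.group(0)
    return PAN_PATTERN.sub(_mask, line)


if __name__ == "__main__":
    print(scrub_log_line(SAMPLE_LOG_LINE))
```

`scrub_log_line` is the shape of control you would put in front of a log shipper: the constructed line comes out with `pan=411111******1111`, while a 16-digit order number that fails the Luhn check is left untouched.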

Page 37: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 6: Develop and maintain secure systems and applications

• New vulnerabilities pop up every day, along with new ways for hackers to compromise your systems

• Merchants should:

• Use payment applications and devices approved by the PCI Security Standards Council

• Identify and install security patches in a timely manner

• Follow industry best practices if developing own payment apps

• Regularly test the application’s security

Page 38: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 8: Assign a unique ID to each person with computer access

• Following this requirement allows actions to be traced to a specific person—vital when a forensic analysis needs to take place

• Each user needs their own password

• For remote access, two-factor authentication is required

• Passwords must be unreadable, in storage and during transmission

• Enforce Role Based Access Control (RBAC)

• You should only have access to the systems and information necessary to perform your function

Page 39: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 10: Track and monitor access to network and card data

• System logs are the audit trail when something goes wrong

• Logs must be captured

• Logs must be reviewed at least once daily (automate the exception events as compared to a ‘known good’ baseline)

• Logs must be stored securely for a year (preferably centrally)

• Good log management can be the difference between an annoying event, and a business crippling disaster
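The "automate the exception events as compared to a ‘known good’ baseline" advice, as an added example that is not part of the presentation: a Python daily review that parses one constructed day of access events from a cardholder-data host and reports everything outside a baseline of known accounts, known source addresses, business hours and failed-login counts, plus any critical event such as the audit daemon stopping. The log format, hostnames, addresses and thresholds are all constructed for the example.

```python
"""Daily log review against a known-good baseline (PCI DSS Requirement 10).
Added example, not from the slides; log format, hosts, addresses and
thresholds are constructed."""
from collections import Counter
from datetime import datetime

# One constructed day of access events from a cardholder-data host.
SAMPLE_LOG = """\
2014-11-17T08:02:11 cde-db01 sshd LOGIN_OK user=dba1 src=10.10.5.20
2014-11-17T08:15:40 cde-db01 sshd LOGIN_OK user=backup src=10.10.5.31
2014-11-17T09:10:00 cde-db01 auditd AUDIT_STOP
2014-11-17T12:30:02 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T12:30:09 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T12:30:15 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T12:30:21 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T12:30:27 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T12:30:33 cde-db01 sshd LOGIN_FAIL user=dba1 src=10.10.5.20
2014-11-17T23:41:07 cde-db01 sshd LOGIN_OK user=root src=198.51.100.7
"""

# The "known good" baseline: what normal looks like on this host (constructed values).
BASELINE = {
    "known_users": {"dba1", "backup"},
    "known_src_prefix": "10.10.5.",      # admin subnet inside the CDE
    "business_hours": (7, 19),           # start hour inclusive, end hour exclusive
    "max_failures_per_user": 5,
    "critical_events": {"AUDIT_STOP"},   # the audit trail stopping is always an exception
}


def parse_event(line):
    """'<iso-time> <host> <process> <event> k=v ...' -> dict."""
    parts = line.split()
    event = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1],
             "proc": parts[2], "event": parts[3]}
    event.update(p.split("=", 1) for p in parts[4:] if "=" in p)
    return event


def review_log(log_text, baseline=BASELINE):
    """Return (kind, detail, raw_line) tuples for every deviation from the baseline."""
    exceptions = []
    failures = Counter()
    start, end = baseline["business_hours"]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev["event"] in baseline["critical_events"]:
            exceptions.append(("critical_event", ev["event"], raw))
        if ev["event"] == "LOGIN_FAIL":
            failures[ev.get("user")] += 1
        if ev["event"] == "LOGIN_OK":
            if ev.get("user") not in baseline["known_users"]:
                exceptions.append(("unknown_user", ev.get("user"), raw))
            if not ev.get("src", "").startswith(baseline["known_src_prefix"]):
                exceptions.append(("unknown_source", ev.get("src"), raw))
            if not start <= ev["ts"].hour < end:
                exceptions.append(("after_hours_login", ev.get("user"), raw))
    for user, count in failures.items():
        if count > baseline["max_failures_per_user"]:
            exceptions.append(("failure_burst", f"{user}: {count} failed logins", ""))
    return exceptions


def summarize(exceptions):
    """Count exceptions by kind; this is what the daily reviewer reads first."""
    return Counter(kind for kind, _, _ in exceptions)


if __name__ == "__main__":
    for kind, detail, raw in review_log(SAMPLE_LOG):
        print(f"{kind:18} {detail:32} {raw}")
```

Against the constructed day the review produces five exceptions: the audit daemon stopping, a burst of six failed logins for `dba1`, and one successful login that trips three checks at once (unknown account, unknown source address, outside business hours). A day with only baseline traffic produces an empty list, which is the evidence the daily review requirement asks you to keep.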

Page 40: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 11: Regularly test security systems and processes

• If you don’t test it, how will you know if it’s broken?

• Testing should be frequent to identify any vulnerabilities

• PCI DSS requires quarterly scans

• Vulnerability scanning products/services from an Approved Scanning Vendor (ASV) fulfill this PCI requirement

• What to test:

• External network (conducted by an ASV)

• Internal network (may be conducted in-house)

• Wireless network, identifying all wireless devices for purposes of access control

• Any other traffic in the cardholder data environment

Page 41: PCI Compliance -  Delving Deeper In The Standard

Overcoming the Top PCI DSS Challenges

Requirement 12: Maintain a policy that addresses information security

• The written policy determines the controls used to ensure security and compliance with the PCI DSS

• Must address all PCI DSS requirements, as well as:

• Daily procedures

• Usage policies for each technology, such as laptops and e-mail

• Info. security responsibilities for employees and contractors

• Security awareness program for employees

• Employee screening

• Third-party vendor responsibility and accountability

• Incident response plan

Page 42: PCI Compliance -  Delving Deeper In The Standard

PCI DSS:The Top Violations and

Basic Remediation Strategies

Page 43: PCI Compliance -  Delving Deeper In The Standard

Top PCI DSS Violations

(Chart of the top PCI DSS violations by percentage; the bar labels did not survive extraction.)

Source: Trustwave - 2011 Global Security Report

Page 44: PCI Compliance -  Delving Deeper In The Standard

Remediation Strategies

• Segmentation: isolate Point-of-Sale (POS) systems / PCI workstations from the rest of the network environment

• Default Device Configurations: change or remove them (if they exist)

• Firewall / IPS: build a secure configuration; self-managed or outsourced

• Log Monitoring: applies to both POS systems and networking

• Policies and Procedures: templates available

Page 45: PCI Compliance -  Delving Deeper In The Standard

Summary

• Make sure your firewall is configured correctly and working properly.

• No vendor-supplied default configurations and/or passwords

• Make PCI data (specifically PAN) inaccessible and/or unreadable

• Use secure applications and check for updates and patches often

• Everyone gets their own UNIQUE User ID and password

• Collect and store the necessary system logs, reviewing daily

• Test at least quarterly to find vulnerabilities (e.g., network scans)

• Write a security policy (update as needed) and educate/train ALL your employees.

Page 46: PCI Compliance -  Delving Deeper In The Standard

AO:Compliance™ and Next Steps

Page 47: PCI Compliance -  Delving Deeper In The Standard

AO:Compliance Makes PCI Compliance as Easy as:

1. Assess & Analyze

2. Close Gaps

3. Stay Compliant

Page 48: PCI Compliance -  Delving Deeper In The Standard

Next Steps, If You Need Help

• AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.

• Go to the AO:Compliance website to find out more about our compliance and security offerings: www.aocompliance.com

• Contact Us: [email protected]

• If you need help with other technology issues, AccuCode can assist you with that as well.

• Visit the AccuCode website for more information about our other products and services: www.accucode.com

Page 49: PCI Compliance -  Delving Deeper In The Standard

Questions and Answers