pci compliance: the gateway to paradise pci compliance: the gateway to paradise
TRANSCRIPT
PCI Compliance:
The Gateway to Paradise
PCI Compliance:
The Gateway to Paradise
I. Background
II. What is PCI-DSS?
III. Who must comply?
IV. Cost of non-compliance
V. Digital Dozen
VI. Higher Education Challenges
VII. Centralize Compliance
Agenda
Cardholder Information Security Program (CISP)
Site Data Protection Program (SDP)
Discover Information Security Compliance (DISC)
Data Security Standard (DSS)
Confused Merchants
Background
???
• Payment Card Industry Data Security Standard (PCI-DSS)
• Card Associations founded an LLC in 2006 http://www.pcisecuritystandards.org
• One program now• Mission: Enhance payment account data security
by fostering a broad adoption of PCI-DSS
What is PCI-DSS?
Policy decisions made by Executive Committee
Participating organizations provide feedback on evolution of PCI
What is PCC-DSS?
“Payment Card Industry (PCI) Data security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”
*Payment Card Industry Data Security Standard
Who Must Comply?
Merchant Compliance
1 Any merchant-regardless of acceptance channel-processing over 6,000,000 transactions per year.
Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 transactions per year.
3 Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
Who Must Comply?
In the event of the a breach the acquirer CAN make the merchant responsible for:• Any fines from PCI-Co
• Up to $500,000 per incident• Cost to notify victims• Cost to replace cards (about $10/card)• Cost for any fraudulent transactions• Forensics from a QDSC• Level 1 certification from a QDSC
Cost of Non-Compliance
• Example: 50,000 credit cards stolen– PCI Penalty - $100,000 per incident
• $500,000 if you do not have a self-assessment
– Card Replacement - $500,000– Fraudulent Transaction – $61,750,000
• $1,235 - 2004 average fraudulent transaction
– Bad Publicity – Priceless!
Cost of Non-Compliance
Cost of Non-Compliance
• States are making PCI law and adding to the cost of compliance– Minnesota passed the state bill 1574 which
makes PCI a law• Anyone processing more than 20,000 transactions
is subject to fines if a breach occurs
– Texas is working on a similar bill– Other states are likely to follow
Build and Maritain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored cardholder data• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know• Assign a unique ID to each person with computer access• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
•Track and monitor all access to network resources and cardholder data• Regularly test security systems and processes
Maintain an Information Security Policy
•Maintain a policy that addresses information security
Digital Dozen
• Higher education networks comprise an estimated 15% of the total advertised Internet address space*
• Extremely “open” by tradition and culture• Highly connected networks to commercial internet,
regional, national, and international research networks• Communities range from 1,000 to 200,000 people• Thousands of networked devices• Departments control local technology and act
independently• Understaffed IT department
* University of Indiana
Higher Education Challenge
Higher Education Challenge
• Higher education accounted for over 26% of the breaches in 2006.
• 68% of schools have 0-1 FTE dedicated to PCI• 36% of schools have an incident response plan
* Survey data from Walt Conway Associates, LLC
• Get executive buy-in– President– Treasurer/CFO– CIO
• Define a commerce committee– IT– Security– Internal Audit– Treasury
Centralize Compliance
Define and publish credit card handling policy• Acceptable payment channels• Handling of PII (Personally Identifiable
Information)• Requesting merchant IDs• Applicability to University employees, work
study…• Background and credit checks for employees
handling credit cards• Training and acknowledgement• Use of vendors
Centralize Compliance
• Gap analysis– Review all existing merchants and their
procedures– Identify “urgent improvements”– Operational remediation plan– Technical remediation plan
• Compliance maintenance– Rules will change– Systems will change– PCI is a journey – not a destination
Centralize Compliance
Consider outsourcing• Get as many credit card numbers off
campus as possible• Use a service provider to process credit
card transactions • Approved scanning vendors• Approved hosting centers
Centralize Compliance
