PCI Compliance: Tips to Avoid Fraud, Fines and Litigation
Jim Fish, Coalfire Systems
Saskia Ipema, Active Network


2

Coalfire Systems, Inc.

Clients include Fortune 100, retail, government, education, financial, healthcare, and manufacturing

Offices in Denver, CO; Seattle, WA; San Diego, CA; New York, NY and Vancouver, BC with over 40 IT Auditors

Security, Governance, Compliance Mgmt, Audit – GLBA, CIP, SOX, PCI, HIPAA, SAS70 & Government

Application Security: PA-DSS Certification, Code Audits, Penetration Testing, SDL Development

Forensics: E-discovery, Forensic Analysis and Litigation Support

Assessments: IT Risk Assessments, Vulnerability Assessments and Compliance Audits

IT Governance and Compliance Management

3

Valued Clients

4

Agenda
Definitions
Regulatory Landscape
Scary Bedtime Stories … What went wrong?
PCI Compliance Process
o What are we protecting
o PCI compliance requirements
o Compliance strategies
o Issues
Active’s Hosted Solutions and PCI Compliance
Questions

5

Definitions
PCI DSS – Payment Card Industry Data Security Standard
PCI SSC – Payment Card Industry Security Standards Council
PA-DSS – Payment Application Data Security Standard
QSA – Qualified Security Assessor
ASV – Approved Scan Vendor
CVV2 – Card Validation Value (3 Digit Number on Visa)
CVC2 – Card Validation Code (3 Digit Number on MasterCard)
CID – Card Identification Data (4 Digit Number on Amex/Discover)
PAN – Primary Account Number
CVC/CVV – Field stored on the magnetic stripe
Track Data – Data stored on the magnetic stripe

6

The Perfect Storm

Financial Liability
PCI Security Standards
Escalating Cyber Breaches
Low tolerance for service disruptions
State Privacy Laws
Customer Expectation of Privacy

7

Regulation Timeline

Regulatory environment is following major data breach scenarios.

1970-1980: Captain Crunch – changed technology to more than dial tone for long distance calls

1980-1999: Computer Security Act of 1987

2000-2004: Data Processors Inc – 1st major card data breach; started enforcement of VISA CISP; focus on processors; almost caused CC regulation; VISA launches CAMS

2005-2006: TJ Maxx (May 2006), DSW Shoe Warehouse – converted to PCI; required certification of no stored security values; serious enforcement on Level 1 and 2 merchants; VISA launches ADCR = charge back for fraud on compromised accounts; focus of PCI turns to brick and mortar merchants

2008 to Present: Card Processor Int’l, Hannaford, Heartland – Hold onto your hats!! PCI audit the auditors; payment application audits; compliance enforced at all levels; likely federal regulation; state privacy laws; state data breach laws for CC

8

State Privacy Laws

Organizations must establish basic information security programs

Organizations must proactively manage their confidential consumer information

Organizations must take steps to know when their defenses have been breached

In the event of an actual or suspected data privacy breach, organizations have a legal obligation to notify impacted consumers

9

Compromise Statistics

Over 80% of compromised systems were “card present” or in person transactions
90% of all compromised merchants are PCI level 4 merchants (less than 1 million transactions per year)
No fully compliant merchant has ever been compromised
50% of the merchants do not survive the breach … or, operate with the same independence

10

Impact of Organized Crime

There is a multi-tiered market for stolen personal information.

The thieves are generally not the ones who use it to commit fraud.

11

Popular Myths

We are the government. There are liability limits that protect us.

Who would want to attack us? There must be better places to target.

PCI is Hard.

PCI will make us Secure.

12

VA Breach Example

(5/22/06) VA employee violated VA policy and brought data home on VA laptop which was stolen.
o The database contained the names, social security numbers and dates of birth of as many as 26.5 million veterans and their families
o Laptop was stolen from employee’s home
o The employee notified his superiors immediately, but the VA took nearly three weeks to warn vets that their information was at risk.

(6/29/06): Laptop turned in to the FBI by an unidentified person seeking the $50,000 reward. 2 teens were charged in the theft, charges pending on another suspect.

(7/14/06): FBI and VA Inspector General conducted a forensic examination on the laptop and reported that no data had been removed. But experts say there are ways to thwart detection.

13

VA Breach Example

Consequences:
o 02/06/09 VA agrees to pay $20M
o VA had a documented history of poor security practices:
– 2004: VA was cited as failing to comply with the Federal Information Security Management Act
– 2004: Received failing grades from the House Government Reform Committee on its information and computer security programs
– VA’s delay in notifying vets was likely the key fault in the case.
– VA did not have a data breach plan in place
– Did not provide staff with adequate (if any) training on handling a data breach.

14

15

Recent Breaches

NYPD Pension Fund
o A civilian official of the NYPD’s pension fund has been charged with stealing the identities of 80,000 current and retired cops, sources said. Anthony Bonelli allegedly got into a secret backup-data warehouse on Staten Island last month and walked out with eight tapes packed with Social Security numbers, direct-deposit information for bank accounts, and other sensitive material. Bonelli was the fund's director of communications.

City of Beaumont, TX
o Personal information of about 500 current and former Beaumont city workers was accidentally posted online. The info contained birth dates and SSNs and was posted on the city's website on Jan 14.

City of Muskogee, OK
o City discovered a “possible breach of utility billing information” on about 4,500 utility accounts that were closed prior to August 2000. “The disk obviously made it into some surplus property; into a computer box with other things by accident,” City Clerk Pam Bush said.

16

Economics of a Breach

A hypothetical Department compromises 1,000 accounts

• Notify Clients: $30 x 1,000 = $30,000
• Fines and Penalties: $50,000+
• Increased audit needs: $25,000 x 3 years = $75,000 (minimum)
• Fraud liability: 1,000 accounts x $500 = $50,000
• Total Financial Impact: $200,000 or more
• Reputation Loss: PRICELESS!

The cost of a breach can easily be 20 times the cost of PCI Compliance. (Ponemon Study 2008)

17

What are We Protecting?

1. Cardholder Verification Number (CVN)
   Visa/Discover's Card Verification Value (CVV)
   MasterCard's Card Validation Code (CVC)

2. Primary Account Number (PAN)

(Slide graphic: sample cards with the CVN and PAN locations labelled)

18

PCI Ecosystem

19

The Payment Process

Parties shown: Cardholder, Merchant’s Payment Server, Merchant’s Acquiring Bank, Cardholder’s Issuing Bank; the PCI Security Standards Council sits above the process.

1. Authorization Request
2. Authorization Processed
3. Authorization Request
4. Account Processing
5. Settlement (next day)
6. Cardholder Statement

20

PCI Standards Security Council

PCI SSC Is…
o An Independent Industry Standard
o Manages the technical and business requirements for how payment data should be stored and protected
o Maintains List of Qualified Assessors
– QSAs, ASVs, PA-QSA and PED Labs

PCI SSC Does Not…
o Manage or enforce compliance
o Replace the card brands’ compliance programs (Visa CISP, MasterCard SDP, AMEX DSOP, etc.)
o Define validation levels
o Levy fines

21

Binding Contract

CISP is based on the Payment Card Industry Data Security Standard, with which all members, merchants and service providers must comply according to contracts.

22

Top System Risks to Watch

23

PCI Standards

24

Compliance vs. Validation

Compliance
o All merchants must adhere to the PCI standard, regardless of size or number of transactions processed
o Requires a Cyber security program

Validation
o Compliance must be tested and reported to Acquiring Banks based upon transaction volumes or risk levels (Audit of the cyber security program)

25

Merchant Compliance Levels

Merchant Level 1 – Any merchant processing over 6 million VISA or MasterCard transactions per year, OR identified by any card brand as a Level 1 merchant.

Merchant Level 2 – Any merchant processing 1 to 6 million VISA or MasterCard transactions per year.

Merchant Level 3 – Any merchant processing 20,000 to 1 million VISA or MasterCard e-commerce transactions per year.

Merchant Level 4 – Any merchant processing less than 20,000 VISA or MasterCard e-commerce transactions per year, and all other merchants with less than 1 million transactions.

26

Merchant Validation

Merchant Level 1
Validation Action: • Annual, On-site PCI Data Security Assessment • Quarterly Network Scan
Validated By: • Qualified Security Assessor • Approved Scan Vendor • Attestation of Compliance Form

Merchant Level 2
Validation Action: • Annual Self-Assessment Questionnaire (SAQ) • Quarterly Network Scan
Validated By: • Merchant Executive • Approved Scan Vendor • Attestation of Compliance Form

Merchant Level 3
Validation Action: • Annual Self-Assessment Questionnaire (SAQ) • Quarterly Network Scan
Validated By: • Merchant Executive • Approved Scan Vendor • Attestation of Compliance Form

Merchant Level 4
Validation Action: • Self-Assessment Questionnaire recommended • Quarterly Network Scan
Validated By: • Merchant Executive • Approved Scan Vendor • Compliance validation requirements set by acquirer

27

Careful What You Sign

Part 3a. Confirmation of Compliant Status

Merchant confirms:

PCI DSS Self-Assessment Questionnaire D, Version 1.2, was completed according to the instructions therein.

All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.

I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times.

No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 data, or PIN data storage after transaction authorization was found on ANY systems reviewed during this assessment.

Part 3b. Merchant Acknowledgement

Signature of Merchant Executive Officer Date

Merchant Executive Officer Name Title

Merchant Company Represented

28

Service Providers

Service Provider Level 1 – VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year

Service Provider Level 2 – Any service provider that stores, processes and/or transmits less than 300,000 transactions per year

29

Service Provider Validation

Service Provider Level 1
Validation Action: • Annual On-site PCI Data Security Assessment • Quarterly Network Scan
Validated By: • Qualified Security Assessor • Approved Scanning Vendor

Service Provider Level 2
Validation Action: • Annual PCI Self-Assessment Questionnaire • Quarterly Network Scan
Validated By: • Service Provider Executive • Approved Scanning Vendor

30

Deadlines

PCI Data Security Standard
o No Actual Deadline – merchants have always been required to comply with card brand rules

Payment Application Data Security Standard
o Oct. 1, 2009 – All merchants will be required to start terminating the use of any noncompliant payment applications that they might still have in their environments.
o July 1, 2010 – Mandates the use of only those payment applications that support the new standards.

31

Deadlines

PIN Entry Devices
o July 1, 2010 – Mandates that all deployed POS PEDs must have passed testing by a PCI recognized laboratory and been approved by the PCI SSC.

32

PCI’s 5 Stages to Acceptance

Denial – “It doesn’t apply to me” • PCI compliance is mandatory

Anger – “It isn’t fair” • PCI applies to all parties

Bargaining – “I’ll do some of it” • Compliance is “pass / fail”

Depression – “I’ll never get there” • Many merchants already have

Acceptance – “It’ll be OK” • It’s an ongoing business process

33

Compliance Program

Project Charter
• Align team
• Assign Responsibility
• Scope Environment

Assess
• Conduct Testing to PCI DSS
• Identify Gaps
• Establish a Remediation Roadmap

Remediate
• Align to a Project Plan (Time, $)
• Policies, Plans and Procedure
• Infrastructure changes
• Training

Validate Compliance
• Final Testing (independent?)
• Report to Acquiring Banks
• Report to Internal Oversight

34

Where is Your Cardholder Data?

(Slide diagram; the locations it shows are listed below)

Customer channels: Phone / Fax; Email; Web Server (card not present); POS Terminals (card present in stores and parking facilities)

Production Environment: Authorization; Transaction Servers or Payment Gateway; Transaction Record & Archive; Batch Settlement; Application Servers

Data Warehouse: Payment Gateway and Transaction Database

Admin Environment: Portal Access to Reconciliation Data (Charge Back / Sales Audit)

Back Office & Customer Svc: Marketing; Customer Service; Ecommerce; Phone / Fax; Gift Cards; Fraud; Acct. / Admin

Document Vaults: Paper records

Acquiring Bank: Wells Fargo, BoA, Chase, etc.

35

SAQ 1 – Card not present

• No face-to-face transactions
• Process e-commerce or mail order/telephone orders
• Outsource all cardholder data storage, processing or transmission to a third party service provider
• Only retain paper reports or receipts with cardholder data on your premises
• No electronic storage of cardholder data on your premises

13 Questions to Complete

36

SAQ 2 – Imprint Only

• Imprint only machine used for transactions
• Do not transmit cardholder data over phone line or the Internet
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises

26 Questions to Complete

37

SAQ 3 – Standalone Hardware Terminal with Dial-up Connectivity

• Transactions processed via phone line connection to processor
• Can be face-to-face, ecommerce, or mail order/telephone order transactions
• Standalone hardware terminal not connected to any other systems or the Internet
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises

26 Questions to Complete

38

SAQ 4 – Standalone Hardware Terminal or Software System with Internet Connectivity

• Transactions processed via internet connection to processor
• Also includes merchants where the payment application used to process transactions is on a personal computer connected to the internet for reasons such as email, etc.
• Can be face-to-face, ecommerce, or mail order/telephone order transactions
• Only retain paper copies of receipts
• No electronic storage of cardholder data on your premises

41 Questions to Complete

39

SAQ 5 – All Other Merchants Defined as Self-Assessment Questionnaire Eligible

• Electronic cardholder data storage on premises.
• Examples would include merchants processing recurring billing transactions that are not outsourced to a third party Servicer or those with their own network connectivity to the card brand companies.

225 Questions to Complete

40

Sample Scanning Report – Overall Compliance Status: FAIL

Live IP Address Scanned   Security Risk Rating   Compliance Status
11.22.33.44               1.0                    Pass
11.22.33.45               1.0                    Pass
11.22.33.46               2.0                    Pass
11.22.33.47               1.0                    Pass
11.22.33.48               1.0                    Pass
11.22.33.49               1.0                    Pass
11.22.33.50               1.0                    Pass
11.22.33.51               4.0                    FAIL
11.22.33.52               1.0                    Pass
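The sample report above illustrates how a scan result is aggregated: one in-scope host at risk rating 4.0 fails, and that single failure takes the overall status to FAIL even though the other eight hosts pass. The Python below is an added example, not code from the presentation or from any scan vendor's tool. It parses rows in the layout of the sample, recomputes each host's status from its risk rating, derives the overall status, and flags any row whose reported status disagrees with its rating, which is a useful sanity check before a report is forwarded to an acquirer. The failing threshold of 4.0 is an assumption chosen to match the sample (2.0 passes, 4.0 fails); the IP addresses are the slide's own illustrative values.

```python
import re
from dataclasses import dataclass

# The rows from the presentation's sample slide (illustrative addresses).
SAMPLE_REPORT = """\
Live IP Address Scanned Security Risk Rating Compliance Status
11.22.33.44 1.0 Pass
11.22.33.45 1.0 Pass
11.22.33.46 2.0 Pass
11.22.33.47 1.0 Pass
11.22.33.48 1.0 Pass
11.22.33.49 1.0 Pass
11.22.33.50 1.0 Pass
11.22.33.51 4.0 FAIL
11.22.33.52 1.0 Pass
"""

# Assumption for this example: a host fails once its rating reaches 4.0.
# This matches the sample, where 2.0 passes and 4.0 fails.
FAIL_THRESHOLD = 4.0

# One data row: dotted-quad address, numeric rating, reported status.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+(?:\.\d+)?)\s+(Pass|FAIL)\s*$")


@dataclass
class HostResult:
    ip: str
    rating: float
    reported: str   # status as printed in the report


def parse_report(text: str) -> list[HostResult]:
    """Return the data rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(HostResult(m.group(1), float(m.group(2)), m.group(3)))
    return rows


def expected_status(rating: float) -> str:
    """Per-host status derived from the rating alone."""
    return "FAIL" if rating >= FAIL_THRESHOLD else "Pass"


def failing_hosts(rows: list[HostResult]) -> list[str]:
    return [r.ip for r in rows if expected_status(r.rating) == "FAIL"]


def overall_status(rows: list[HostResult]) -> str:
    """A single failing host fails the whole scan."""
    return "FAIL" if failing_hosts(rows) else "PASS"


def inconsistencies(rows: list[HostResult]) -> list[str]:
    """Hosts whose printed status does not follow from their rating."""
    return [r.ip for r in rows if r.reported != expected_status(r.rating)]


def summarize(text: str) -> dict:
    rows = parse_report(text)
    return {
        "hosts": len(rows),
        "overall": overall_status(rows),
        "failing": failing_hosts(rows),
        "inconsistent": inconsistencies(rows),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Running the block on the sample yields nine hosts, overall FAIL, one failing host (11.22.33.51) and no inconsistencies; a row such as `11.22.33.53 4.5 Pass` would be listed as inconsistent.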

41

PCI Compliance Strategies

Insist on Executive Visibility
Confirm you are running a Validated Payment Application
Read and Follow Your POS Implementation Guide
If You Don’t Need it, Don’t Store It
Segment your Network
Implement Quarterly Scanning
Complete Your PCI SAQ
Update Your Policies and Procedures
Implement Logging and Monitoring
Manage Security like your Business Depends on It
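Two of the strategies above, “If You Don’t Need it, Don’t Store It” and “Implement Logging and Monitoring”, together with the attestation language on the “Careful What You Sign” slide (no track, CVV2/CVC2/CID or PIN data found on any system after authorization), come down to one practical check: look at what your systems actually write to disk. Application logs are a common place for a PAN or a CVV2 value to end up unnoticed. The Python below is an added example, not code from the presentation, Coalfire or Active Network. It scans constructed log lines for Luhn-valid primary account numbers and for sensitive authentication data, reports each finding with the digits already masked, and can rewrite a log so that only the first six and last four digits of a PAN remain (the masking pattern assumed here). The field names (cvv2, track2) and the sample lines are constructed for the example; the card numbers are the standard Visa and MasterCard test numbers.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example (not from the presentation).
# The card numbers are the well-known Visa/MasterCard test PANs, not real accounts.
SAMPLE_LOG = """\
2018-04-19 10:01:02 INFO  auth ok order=1001 pan=4111111111111111 amount=42.00
2018-04-19 10:01:03 DEBUG raw request: cvv2=123 exp=0420 pan=5555555555554444
2018-04-19 10:01:04 INFO  order=1002 ref=1234567890123456 amount=9.99
2018-04-19 10:01:05 DEBUG track2=;4111111111111111=04201010000?
2018-04-19 10:01:06 INFO  auth ok order=1003 pan=411111******1111 amount=5.00
"""

# A PAN is 13-19 digits; the look-arounds stop us matching the middle of a
# longer digit run such as a timestamp or reference number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Sensitive authentication data that must never be stored after authorization:
# card validation values (CVV2/CVC2/CID/CAV2) and magnetic-stripe track data.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
TRACK2 = re.compile(r";\d{13,19}=\d{4}\d*\?")          # ;PAN=YYMM...?
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^")       # %BPAN^NAME^...


def luhn_valid(number: str) -> bool:
    """Mod-10 check used by the card brands; weeds out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (assumed display mask), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    return [m.group(1) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(1))]


@dataclass
class Finding:
    line_no: int
    kind: str       # "pan", "cvv" or "track"
    evidence: str   # digits already masked, so the report itself leaks nothing


def scan_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append(Finding(n, "pan", mask_pan(pan)))
        for m in CVV_FIELD.finditer(line):
            masked = re.sub(r"\d+$", lambda x: "#" * len(x.group()), m.group(0))
            findings.append(Finding(n, "cvv", masked))
        if TRACK1.search(line) or TRACK2.search(line):
            findings.append(Finding(n, "track", "magnetic-stripe track data present"))
    return findings


def stores_sensitive_auth_data(text: str) -> bool:
    """True if any CVV or track data is present: the attestation could not be signed."""
    return any(f.kind in ("cvv", "track") for f in scan_log(text))


def redact(text: str) -> str:
    """Mask every Luhn-valid PAN; other digit runs (order refs, amounts) are untouched."""
    def _mask(m):
        pan = m.group(1)
        return mask_pan(pan) if luhn_valid(pan) else pan
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:5} {f.evidence}")
    print("sensitive authentication data stored:", stores_sensitive_auth_data(SAMPLE_LOG))
```

On the sample, line 3's reference number is ignored because it fails the Luhn check, line 5's already-masked PAN produces no finding, and lines 2 and 4 (a CVV2 value and track 2 data) are exactly the kind of storage the attestation says must not exist. The same scan applied to database dumps, crash reports and backup media is a reasonable first pass at the “Map all cardholder processes” and “Validate … that no unencrypted cardholder data or security values are stored” activities in the summary.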

42

Questions in plain English (does not mimic the PCI SAQ)
Evidence Library for Controls
Schedule automated scanning (monthly or quarterly)
Comparison to Like Organizations
Based on responses:
o Automatically determines the appropriate validation type (A, B, C or D)
o Presents only those follow-on questions that are appropriate

43

Centrally manage and monitor complex reporting requirements
Ability to save, review and go back
Contextual help
Opportunity to select live Qualified Security Assessor (QSA) assistance

44

References

PCI Security Standards Council
o https://www.pcisecuritystandards.org/

PCI Blog – PCI Answers
o http://pcianswers.com/

GAO – Report on Continuing Security Weakness

State Notice of Data Breach Laws
o http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Rapid SAQ Resources
o https://navis.coalfiresystems.com

Identity Theft Resource Center
o www.idtheftcenter.org

45

Summary

PCI Compliance is an Ongoing PROCESS – NOT A PROJECT
o This means a new ongoing operating expense

Roles – everyone has a stake in the program success

Key Activities
o Map all cardholder processes
o Validate with vendors that no unencrypted cardholder data or security values are stored
o Identify all critical locations where cardholder data is processed, stored or transmitted
o Remediate compliance gaps and train all key stakeholders
o Provide well documented (i.e. justified with evidence) reports to senior management and Acquiring Banks
o Schedule vulnerability scans

Manage Risk and not just a check in the box

46

Active and PCI Compliance

Active is committed to ensuring the highest security and privacy standards
We have successfully completed a PA-DSS certification with Coalfire Systems, Inc.
o Customers can contact your account manager for more information.
o http://support.theactivenetwork.com

47

How Active Hosted Solutions Can Help

Hosted Payment Server, Hosted Internet Registration, Hosted POS, Web ActiveNet

With Active, as both the applications provider and merchant, most of the burden is on us:
o Mitigate your risks
o Save money, time and resources
o Reduce reporting requirements

48

Questions?

Jim Fish
Vice President
[email protected] ext. 7501

Saskia Ipema
Director, Account Management
[email protected]

Thank you

www.ActiveNetwork.com