
Page 1: Surviving the PCI Self-Assessment

James Placer, CISSP, West Michigan Cisco Users Group Leadership Board

Page 2: Agenda

• Overview of the Payment Card Industry Data Security Standard (PCI DSS)
• PCI DSS requirements
• Merchant levels
• Requirements of Self-Assessment
• The ASV conflict
• Questions

Page 3: Protecting card data

• Why it’s important
  • causes hardship for our customers
  • loss of customer confidence
  • required by PCI DSS
  • state laws on “disposal” and “notice”
  • state breach law notification requirements

Page 4: Overview of PCI DSS

• The basis is that cloned cards must never again be capable of being created from stored data, whether through compromise or eavesdropping.
• One can store elements of Track II, i.e. the card number and expiry date, when required for particular cards (front-of-card information ONLY).
• Under no circumstances should the CVV or the PIN verification value data elements be stored.
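The storage rule on this slide (keep the card number and expiry, never the verification values) is the kind of thing that is easiest to get right at the point where a card read is turned into a record. The following is an added example, not code from the original slides: it parses a Track 2 read, keeps only the permitted elements, and checks a record for sensitive authentication data before it is persisted. It assumes the ISO/IEC 7813 Track 2 layout (`;PAN=YYMM<service code><discretionary data>?`) and a display-masking rule that shows at most the first six and last four PAN digits; neither is stated on the slide, and the field-name list and sample card read are constructed for this example.

```python
"""
Added example (not from the original slides): handle a Track 2 read so that
only the elements PCI DSS permits to be stored (PAN and expiry date) are
retained, and the discretionary data, which carries the PIN verification
value and card verification value, is discarded before anything is written.

Assumptions not stated on the slide: the ISO/IEC 7813 Track 2 layout
";PAN=YYMM<service code><discretionary data>?" and a display-masking rule
that leaves at most the first six and last four PAN digits readable.
"""
import re

# Track 2 between its sentinels: ';' PAN '=' expiry (YYMM) service code (3)
# discretionary data '?'.  The LRC that follows '?' on a real read is not
# part of the string handled here.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Field names that carry sensitive authentication data and must never be
# written to storage after authorization (list constructed for this example).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block",
                    "pvv", "track1", "track2", "discretionary"}


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN's check digit is valid (Luhn mod-10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits visible."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(track2: str) -> dict:
    """Split a Track 2 string into its fields; raise ValueError if the
    string is malformed or the PAN fails the Luhn check."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    if not luhn_ok(m.group("pan")):
        raise ValueError("PAN fails Luhn check")
    return m.groupdict()


def allowed_elements(track2: str) -> dict:
    """Return only what may be kept: the PAN (for the caller's encryption or
    tokenization step), a masked PAN for display, and the expiry date.  The
    service code and the discretionary data (PVV, CVV) are dropped here."""
    fields = parse_track2(track2)
    return {
        "pan": fields["pan"],
        "pan_masked": mask_pan(fields["pan"]),
        "expiry_yymm": fields["exp"],
    }


def forbidden_fields_present(record: dict) -> list:
    """List any sensitive-authentication-data keys found in a record that is
    about to be persisted; an empty list means the record may be stored."""
    return sorted(k for k in record if k.lower() in FORBIDDEN_FIELDS)


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid test PAN, expiry 12/25, service
    # code 101, and made-up discretionary data.
    raw = ";4111111111111111=2512101123456789?"
    kept = allowed_elements(raw)
    print(kept["pan_masked"], kept["expiry_yymm"])
    print(forbidden_fields_present({"pan": kept["pan"], "cvv2": "123"}))
```

The check in `forbidden_fields_present` is meant to sit in front of whatever writes the record (database layer, log formatter, queue producer), so that a CVV or PIN value that leaks into a record through a new code path is rejected rather than silently stored.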

Page 5: Overview of PCI DSS

• Applies to
  • all merchants that “store, process, or transmit cardholder data” (if you accept one credit card payment a year you must be compliant)
  • all payment (acceptance) channels, including brick-and-mortar, mail, telephone, e-commerce (Internet)
• Includes 12 requirements, based on
  • administrative controls (policies, procedures, etc.)
  • physical security (locks, physical barriers, etc.)
  • technical security (passwords, encryption, etc.)

Page 6: Shared Network Resources

• A network that is shared by other services cannot be considered secure.
• …whatever we think of our wider network, we cannot fully “trust” it

Page 7: Merchant levels

• Merchant levels are based on the yearly transaction volume of the merchant
• Specific criteria for placement in merchant levels vary across card companies
• All merchants, regardless of level, must adhere to PCI DSS requirements
• The level into which a merchant is placed determines PCI DSS compliance validation (and ultimately cost)
• Let’s take a quick look at Visa’s levels…

Page 8: Merchant levels - Visa

• Level 2:
  • merchants, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions
• Level 3:
  • any merchant processing 20,000 to 1,000,000 Visa e-commerce (Internet) transactions

Page 9: Merchant levels - Visa

• Level 4:
  • any merchant processing fewer than 20,000 Visa e-commerce (Internet) transactions
  • all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions

Page 10: PCI DSS compliance validation

• Level 2 and 3 merchants
  • self-assessment questionnaire
  • quarterly network security scan by approved scan vendor (ASV)

Page 11: PCI DSS compliance validation

• Level 4 merchants
  • self-assessment questionnaire
    • if required by acquirer
  • quarterly network security scan by approved scan vendor
    • if required by acquirer

Page 12: PCI DSS compliance validation

• 5 levels of self assessment
• 4 self assessment questionnaires

Page 13: Self Assessment Questionnaire

• Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. Use Questionnaire A
• Type 2: Imprint-only merchants with no electronic cardholder data storage. Use Questionnaire B

Page 14: Self Assessment Questionnaire

• Type 3: Stand-alone terminal merchants, no electronic cardholder data storage. Use Questionnaire B
• Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage. Use Questionnaire C

Page 15: Self Assessment Questionnaire

• Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
• May be required to perform the full Self-Assessment form (as opposed to short forms A through C)

Page 16: Authorized Scanning Vendors

• External ASV scan may be required for self assessment.
• Not all ASVs are created equal
• ASVs must be approved by PCI and on the PCI authorized scanning vendor list
• DO NOT automatically use the “recommended” ASV of your card processor!!!

Page 17: PCI DSS requirements

First step is to document the FULL path of credit card data through your company.

This path is electronic as well as procedural.

If you do not know the path, you cannot self-assess!!!!!

Card Environment MUST be isolated...

Page 18: PCI DSS requirements

Best Practice to be applied!

Each requirement has many sub-requirements!

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data

Page 19: PCI DSS requirements

4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know

Page 20: PCI DSS requirements

8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Page 21: Resources

PCI DSS self assessment guidelines: https://www.pcisecuritystandards.org/saq/instructions.shtml

The PCI DSS guidance document: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 22: Questions???