Payment Card Industry Data Security Standards - PowerPoint PPT Presentation
1
Surviving the PCI Self-Assessment
James Placer, CISSP, West Michigan Cisco Users
Group Leadership Board
2
Agenda
  • Overview of the Payment Card Industry Data
    Security Standard (PCI DSS)
  • PCI DSS requirements
  • Merchant levels
  • Requirements of Self-Assessment
  • The ASV conflict
  • Questions

3
Protecting card data
  • Why it's important
      • causes hardship for our customers
      • loss of customer confidence
      • required by PCI DSS
      • state laws on disposal and notice
      • state breach law notification requirements

4
Overview of PCI DSS
The basis is this: cloned cards must never again be
capable of being created from stored data, whether
through compromise or eavesdropping. One can store
elements of Track II, i.e. the card number and
expiry date, when required for particular cards
(front-of-card information ONLY). In no
circumstances should the CVV or the PIN
verification value data elements be stored.
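As an added example (not from the presentation), the storage rule above expressed as a filter: a constructed authorisation record is reduced to the front-of-card elements, the CVV/PIN/track elements are dropped, and an audit helper flags forbidden elements already sitting in a store. The field names and the track 2 handling are assumptions for illustration, not any gateway's real schema.

```python
import re

# Constructed field names for this example; real gateways use their own schemas.
# Elements that must never be stored after authorisation (CVV/CVC, PIN and PIN
# verification value, full magnetic-stripe track contents).
FORBIDDEN = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "pvv", "track1", "track2"}
# Front-of-card elements the slide says may be stored when business need requires.
ALLOWED = {"pan", "expiry", "cardholder_name"}

# ISO 7813 track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<rest>\d*)\??")


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six / last four digits (the usual receipt form)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def elements_from_track2(track2: str) -> dict:
    """Extract only PAN and expiry from track 2; the discretionary data, where
    the PVV and card verification value live, is dropped and never copied."""
    m = TRACK2_RE.fullmatch(track2.strip())
    if m is None:
        raise ValueError("unrecognised track 2 layout")
    return {"pan": m["pan"], "expiry": f"{m['mm']}/{m['yy']}"}


def storable_record(auth: dict, keep_full_pan: bool = False) -> dict:
    """Reduce a raw authorisation record to what may be persisted. Default deny:
    any field not in ALLOWED is dropped, known-sensitive or not. keep_full_pan
    only makes sense if the store protects the PAN (requirement 3, encryption)."""
    data = {k.lower(): v for k, v in auth.items()}
    if "pan" not in data and "track2" in data:
        data.update(elements_from_track2(data["track2"]))
    out = {k: data[k] for k in ALLOWED if k in data}
    if "pan" in out and not keep_full_pan:
        out["pan"] = mask_pan(out["pan"])
    return out


def audit_stored_record(record: dict) -> set:
    """Self-assessment helper: report forbidden elements found in an existing
    stored record, including track data smuggled under another field name."""
    findings = {k for k in record if k.lower() in FORBIDDEN}
    for k, v in record.items():
        if isinstance(v, str) and TRACK2_RE.fullmatch(v.strip()):
            findings.add(k)
    return findings
```

Run audit_stored_record over a sample of existing records before filling in the questionnaire: a non-empty result means the "protect stored data" answer cannot honestly be "yes".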
5
Overview of PCI DSS
  • Applies to
      • all merchants that store, process, or transmit
        cardholder data (if you accept one credit card
        payment a year you must be compliant)
      • all payment (acceptance) channels, including
        brick-and-mortar, mail, telephone, e-commerce
        (Internet)
  • Includes 12 requirements, based on
      • administrative controls (policies, procedures,
        etc.)
      • physical security (locks, physical barriers,
        etc.)
      • technical security (passwords, encryption, etc.)

6
Shared Network Resources
  • A network that is shared with other services cannot
    be considered secure.
  • Whatever we think of our wider network, we cannot
    fully trust it.

7
Merchant levels
  • Merchant levels are based on the merchant's yearly
    transaction volume
  • Specific criteria for placement in merchant
    levels vary across card companies
  • All merchants, regardless of level, must adhere
    to PCI DSS requirements
  • The level into which a merchant is placed determines
    PCI DSS compliance validation (and ultimately
    cost)
  • Let's take a quick look at Visa's levels

8
Merchant levels - Visa
  • Level 2
      • merchants, regardless of acceptance channel,
        processing 1,000,000 to 6,000,000 Visa
        transactions
  • Level 3
      • any merchant processing 20,000 to 1,000,000 Visa
        e-commerce (Internet) transactions

9
Merchant levels - Visa
  • Level 4
      • any merchant processing fewer than 20,000 Visa
        e-commerce (Internet) transactions
      • all other merchants, regardless of acceptance
        channel, processing up to 1,000,000 Visa
        transactions

10
PCI DSS compliance validation
  • Level 2 and 3 merchants
      • self-assessment questionnaire
      • quarterly network security scan by approved scan
        vendor (ASV)

11
PCI DSS compliance validation
  • Level 4 merchants
      • self-assessment questionnaire
          • if required by acquirer
      • quarterly network security scan by approved scan
        vendor
          • if required by acquirer

12
PCI DSS compliance validation
  • 5 levels of self-assessment
  • 4 self-assessment questionnaires

13
Self Assessment Questionnaire
  • Type 1
      • Card-not-present (e-commerce or
        mail/telephone-order) merchants, all cardholder
        data functions outsourced. This would never apply
        to face-to-face merchants. Use Questionnaire A.
  • Type 2
      • Imprint-only merchants with no electronic
        cardholder data storage. Use Questionnaire B.

14
Self Assessment Questionnaire
  • Type 3
      • Stand-alone terminal merchants, no electronic
        cardholder data storage. Use Questionnaire B.
  • Type 4
      • Merchants with POS systems connected to the
        Internet, no electronic cardholder data storage.
        Use Questionnaire C.

15
Self Assessment Questionnaire
  • Type 5
      • All other merchants (not included in Types 1-4
        above) and all service providers defined by a
        payment brand as eligible to complete an SAQ.
      • May be required to complete the full Self-Assessment
        form (as opposed to the short forms A through C).

16
Authorized Scanning Vendors
  • An external ASV scan may be required for
    self-assessment.
  • Not all ASVs are created equal.
  • ASVs must be approved by PCI and be on the PCI
    authorized scanning vendor list.
  • DO NOT automatically use the ASV recommended by
    your card processor!

17
PCI DSS requirements
The first step is to document the FULL path of
credit card data through your company, the
procedural path as well as the electronic one. If you
do not know the path, you cannot self-assess! The
card environment MUST be isolated...
18
PCI DSS requirements: best practice to be applied!
  • Each requirement has many sub-requirements!
  1. Install and maintain a firewall configuration to
     protect data
  2. Do not use vendor-supplied defaults for system
     passwords and other security parameters
  3. Protect stored data

19
PCI DSS requirements
  4. Encrypt transmission of cardholder data and
     sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and
     applications
  7. Restrict access to data by business need-to-know

20
PCI DSS requirements
  8. Assign a unique ID to each person with computer
     access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources
      and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information
      security

21
Resources
  • PCI DSS self-assessment guidelines
      • https://www.pcisecuritystandards.org/saq/instructions.shtml
  • The PCI DSS guidance document
      • https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

22
Questions?