PCI: What it is, Why it Matters (PowerPoint presentation transcript)

1
PCI: What it is, Why it Matters
2
What is PCI?
  • Payment Card Industry
  • Not a law
  • A data security standard adopted by the major card
    processing networks (Visa, MasterCard, etc.) to
    combat fraud and promote secure processing of
    payment card transactions

3
Terms you need to know
  • Merchant: sells products and services
    (an e-Merchant sells online)
  • Card Holder: customer who buys products and
    services using a credit card as the method of payment
  • Service Provider: 3rd-party payment support
    entity (web host, shopping cart, payment
    processor, etc.)

4
Terms
  • Issuer: financial institution that issues the card
    and contracts with the cardholder for repayment of
    transactions (your bank)
  • Acquirer: financial institution that contracts
    with merchants to accept and process cards for
    payment (the merchant bank, e.g. Chase, Citibank)

5
More Terms
  • Shopping Cart: capability to select merchandise
    or services, review what has been selected with
    the related monetary and item quantity amounts, make
    necessary modifications or additions, and
    finalize the transaction (purchase the merchandise or
    service)
  • Magnetic Stripe Data (Full Track Data): data
    encoded on the magnetic stripe, used for authorization
    during a card-present transaction

6
More Terms
  • Payment Gateway: service that allows an
    e-commerce merchant to connect to the Acquirer or
    merchant processor to complete a card transaction
    in real time (PayPal, Authorize.Net)
  • Merchant Processor: routes electronic
    transactions for authorization, clearing, and
    settlement on behalf of the Acquirer (PaymentTech)

7
  • Whenever someone clicks a pay button on a
    website, the payment information is processed
    in-house or by a 3rd-party service provider

8
Transaction Cycle
9
Three Core Processing Actions
  • Authentication
      • Validation of the cardholder's identity and the card being
        used
  • Authorization
      • Issuer approves or declines the purchase
  • Settlement
      • Transfer of funds into the merchant account once the
        product/service is shipped or delivered

10
Authentication
  • AVS (Address Verification Service) allows
    e-commerce merchants to check a cardholder's
    billing address with the issuer.
  • AVS provides merchants with a key indicator that
    helps verify whether or not a transaction is
    valid.

11
Authentication
  • CVV2 (Card Verification Value 2): a three-digit
    number printed on the back of the card that helps
    validate that the customer has a genuine card in
    his/her possession and that the card account is
    legitimate.

12
Settlement
13
What are the PCI Requirements?
  • Comply with security standards based on Merchant
    Level
  • Validation and reporting requirements by Merchant
    Level

14
Security Standards

15
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to
    protect data
  • Do not use vendor-supplied defaults for system
    passwords and security parameters

16
Protect Cardholder Data
  • Protect stored data
  • Limit the type and length of storage
  • Mask card numbers
  • Encrypt transmission of cardholder data and
    sensitive information across public networks
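The three storage rules on this slide (keep only what you need, never keep sensitive authentication data such as full track data or CVV2 after authorization, and mask the card number) in working form. This is an added example, not code from the presentation; the record field names, the sample record and the first-6/last-4 masking limit are assumptions (the limit is the maximum PCI DSS allows for a masked PAN).

```python
"""Sanitise a post-authorization card record before it is stored or displayed."""
import re
from typing import Any

# Sensitive authentication data: PCI DSS forbids storing these after
# authorization, even encrypted. Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = frozenset({"track_data", "track1", "track2", "cvv2", "pin_block"})


def luhn_valid(digits: str) -> bool:
    """Luhn check: a cheap way to tell a real-looking PAN from a random number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first 6 and last 4 digits stay
    visible (the PCI DSS masking limit); everything in between becomes '*'."""
    digits = re.sub(r"\D", "", pan)           # drop spaces and dashes
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Return the subset of an authorization record a merchant may keep.

    Sensitive authentication data is dropped entirely and the PAN is
    replaced by its masked form, so the stored copy cannot be replayed.
    """
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept


# Constructed sample authorization response (the PAN is a well-known test number).
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "name": "A. Cardholder",
    "cvv2": "123",
    "track2": "<constructed track data>",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH_RECORD))
```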

17
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and
    applications

18
Implement Strong Access Control Measures
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer
    access
  • Restrict physical access to cardholder data

19
Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network
    resources and cardholder data
  • 11. Regularly test security systems and processes

20
Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information
    security for employees and contractors
      • Incident Response Plan
      • Business Continuity
      • Business Recovery
      • Backup procedures
      • TEST these annually

21
Application of Standards
  • Standards apply to ALL members, merchants, and
    service providers that store, process or transmit
    cardholder data
  • Apply to all system components included in or
    connected to the cardholder environment:
      • Network components
      • Servers
      • Applications

22
Network Components
  • Include, but are not limited to:
      • Firewalls
      • Switches
      • Routers
      • Wireless access points
      • Network appliances
      • Other security appliances

23
Levels of Merchants
  • Compliance requirements by Merchant Level

24
Level 1
  • Over 6 million Visa or MasterCard transactions
    per year
  • Any merchant that suffered a hack or attack that
    resulted in data being compromised
  • Any merchant that Visa or MasterCard determines
    should meet Level 1 requirements to reduce risk
    to their systems

25
Level 1 Compliance
  • Annual on-site security audit completed by a
    Qualified Independent Security Assessor
  • Quarterly network scan conducted by a qualified
    independent scan vendor

26
Level 2
  • Any merchant processing 150,000 to 6 million Visa or
    MasterCard transactions per year
  • Compliance
      • Annual PCI Self-Assessment Questionnaire
        validated by the Merchant
      • Quarterly network scan conducted by a qualified
        independent vendor

27
Level 3
  • Any merchant processing between 20,000 and 150,000 Visa
    or MasterCard transactions per year
  • Level 3 Compliance
      • Annual PCI Self-Assessment Questionnaire
        validated by the Merchant
      • Quarterly network scan conducted by a qualified
        independent vendor

28
Level 4
  • Any other merchant
  • Compliance
      • Recommended: annual PCI Self-Assessment
        Questionnaire validated by the Merchant
      • Recommended: quarterly network scan conducted by a
        qualified independent scan vendor

29
How To Become Compliant
  • Submit an application to PCI
  • Depending on Merchant Level:
      • Audit by an approved firm
      • Self-Assessment Questionnaire
      • Security scans by an approved firm

30
If Data is Compromised
  • Must notify within 24 hours of a suspected breach
  • Potential fines up to $500,000
      • Each card company is different
  • All fraud losses incurred from the date of compromise
    forward
  • Cost of re-issuing cards
  • Cost of any additional fraud prevention/detection
    activities

31
Visa Penalties
  • Violations within a 12-month period:
      • 1st: $50,000
      • 2nd: $100,000
      • 3rd: at the discretion of Visa
  • Failure to report a compromise:
      • Up to $100,000
  • Egregious violation: up to $500,000

32
MasterCard Penalties
  • Level 1 Merchant
      • Up to $100,000 if not compliant after 60 days
      • Additional $10,000 per day, not to exceed
        $500,000
  • Level 2 Merchant
      • Up to $50,000, and $10,000 per day after 60 days,
        not to exceed $500,000
  • Level 3 Merchant
      • Up to $25,000, and $10,000 per day after 60 days,
        not to exceed $500,000

33
Breach Case Study
  • Level 2 Merchant
  • Visa and MasterCard only
  • Estimated $1,000 of fraud per card
  • Card replacement: $75 each
  • Credit card monitoring: $45 per account
  • Egregious-loss fines: discretionary
  • Based on a local SLC case

34
(No Transcript)
35
Incident Response Plan
  • PCI Requirements
  • Data Privacy Laws
  • Notification of Customers

36
Wrap-up
  • Changes to the PCI standards
  • Backlog in issuing PCI certificates
  • Backlog of audits