The Payment Card Industry Data Security Standard: What it is and How it Works - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Payment Card Industry Data Security Standard: What it is and How it Works
  • Walt Conway
  • Walter Conway Associates, LLC

2
Agenda
  • The Digital Dozen
  • Validating compliance
  • Compliance failure/success
  • The business case
  • Resources

3
PCI History
  • 2001: Visa and MasterCard security standards
    • Visa Cardholder Information Security Program (CISP)
    • MasterCard Site Data Protection (SDP)
  • 2004: Standards combined into DSS
    • Joined by American Express, Discover, JCB
  • 2006: PCI Security Standards Council formed
    • Owns and maintains DSS
  • 2007: PCI compliance acceleration

4
Key Players
  • PCI Security Standards Council
    • Owns and maintains Standards
  • Payment brands (5)
    • Enforce standards: fines, sanctions
  • Acquirers
    • Certify compliance
  • Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV)

5
PCI-DSS Applies
  • If you store, process or transmit cardholder data
    • Systems that process or store data, and systems that connect to them
  • Compliance is mandatory
    • Obligated through merchant services agreement

6
Cardholder Data
Source: PCI SSC
7
PCI-DSS Requirements
  • Firewall
    • Boundary to untrusted networks
    • Any wireless network is untrusted
  • Passwords
    • No default or user-supplied passwords
  • Encrypt stored data
    • Data that you can/cannot keep (see table)
    • Display only last 4 digits
  • Encrypt transmitted data
    • No FTP
    • Wi-Fi networks vulnerable
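As an added example (not part of the presentation), a small Python scrubber that finds Luhn-valid card numbers in log lines and masks all but the last 4 digits, the display form the "Display only last 4 digits" bullet permits. The log lines and the helper names are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the presentation): a test Visa PAN,
# a space-separated test MasterCard PAN, and a 16-digit id that is not a card.
SAMPLE_LOG = [
    "2007-05-02 10:14:03 POS checkout card=4111111111111111 amt=42.10",
    "2007-05-02 10:14:09 web order card=5555 5555 5555 4444 amt=9.99",
    "2007-05-02 10:15:00 session id=1234567890123456 user=alice",
]

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check; filters out most non-card digit runs (order and session ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last 4 digits, as the requirement allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line):
    """Return (line with every Luhn-valid PAN masked, number of PANs masked)."""
    found = 0

    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), found


def scrub_log(lines):
    """Scrub a whole log; returns (cleaned lines, total PANs masked)."""
    cleaned, total = [], 0
    for line in lines:
        out, n = scrub_line(line)
        cleaned.append(out)
        total += n
    return cleaned, total
```

Running `scrub_log(SAMPLE_LOG)` masks the two real test PANs and leaves the session id alone, which is the distinction a log-scrubbing control needs before logs are retained for the "log, monitor, audit" requirement.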

8
PCI-DSS Requirements
  • Vulnerability management
    • Anti-virus: spyware, trojan horses, sniffers, key loggers
  • Secure systems and applications
    • Vendor patches installed (lots of work)
    • Certified version installed
    • Contract language
  • Restrict access to need to know
  • Unique IDs
  • Restrict physical access

9
PCI-DSS Requirements
  • Track and monitor access
    • Log, monitor, audit
  • Monitor and test security
    • Quarterly scans, annual testing
  • Information security policy
    • Policy and training

10
Validation Requirements Vary
  • Validate through annual Self-Assessment
    Questionnaire (SAQ) and quarterly network scan
  • Service providers have stronger validation
    requirements than merchants
  • Validation reporting varies by Merchant Level

11
Most Frequent Compliance Failures
  • Protect stored data (Requirement 3)
    • Unencrypted data, unsecured PCs
  • Testing (Requirement 11)
    • POS and web application vulnerabilities
  • Unique IDs (Requirement 8)
    • Default or weak passwords
  • Track access (Requirement 10)
    • Log, monitor, audit
  • Firewall (Requirement 1)
    • Segment card data

12
Compliance Success
  • Top management commitment
  • Multidisciplinary team
  • Training and/or outside help
  • Inventory payment systems, apps, devices
  • Limit PCI scope: if you don't need it, don't keep it

13
Sources of Breaches
14
Sources of Breaches
  • Database of 666 breaches, 2000 to mid-2007
  • 45% lost/stolen PCs and media
  • 34% of business breaches involved credit card or financial data
  • Median breach: 5,000 - 50,000 accounts
  • 72% of breaches from outside

15
Cost of Non-Compliance
  • Direct costs: $182/account compromised
    • Notification, hotlines, websites, credit monitoring, fines
  • Indirect costs
    • Forensic investigation, system upgrades, time, card re-issuance, fraud liability, lawsuits
  • Brand damage
  • Small breach (5,000 accounts) costs $1 million
  • Median business breach: 50,000 to 100,000 accounts

16
PCI Resources
  • PCI SSC: www.pcisecuritystandards.org
    • Data Security Standards version 1.1
    • Self Assessment Questionnaire
    • Security Audit Procedures
  • Visa: www.visa.com/cisp
    • Payment Application Best Practices (PABP)
    • PCI Compliant Service Providers
  • Blogs: www.pcianswers.com (and forum), www.securitycatalyst.com, www.treasuryinstitute.org/blog (mine!)

17
Parting Thoughts
  • PCI is a business and security issue
  • Is PCI DSS a standard for all sensitive data?
  • Consider validating at Level 1
  • YOUR thoughts? Comments? Questions? walt_at_walterconway.com