PCI Compliance Fundamentals

2011
What is PCI Compliance?

•   PCI Security Standards are technical and operational requirements set by
    the PCI Security Standards Council (PCI SSC) to protect cardholder data.
     –   (American Express, Discover, JCB International, MasterCard, and Visa)
          • Security Management and Monitoring
          • Policies & Procedures
          • Network Architecture
          • Software design

•   If you accept payment cards, you are required to be compliant with the PCI
    Data Security Standard.

•   PCI – The Gold Standard
     –   Compared to other standards, the requirements are clearly defined
The PCI Data Security Standard
Why Is Compliance with PCI DSS Important?

•   A security breach and subsequent compromise of payment card data has
    far-reaching consequences for affected organizations, including:
    –   Regulatory notification requirements,
    –   Loss of reputation,
    –   Loss of customers,
    –   Potential financial liabilities (for example, regulatory and other fees and fines), and
    –   Litigation
Economics of a Credit Card Breach (Source: Coalfire)

A hypothetical merchant has 10,000 card numbers and account holder information compromised.
What is the potential financial impact to the merchant?

    –   Notify clients and provide privacy guard:                  $30 x 10,000 = $300,000
    –   Fines and penalties from card brands and acquiring banks:  $50,000 to $500,000
    –   Increased PCI audits and requirements for new controls:    $50,000 x 3 years = $150,000
    –   Potential costs to re-issue credit cards:                  10,000 accounts x $20 = $200,000
    –   Reputation loss:                                           PRICELESS!

Estimates are based on actual incidents examined by Coalfire’s forensic team. Fees and services required vary by incident.
For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com)
Why Is Compliance with PCI DSS Important?

•   Investigations after compromises consistently show common PCI DSS
    violations, including but not limited to:
      –   Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised
          entities are unaware that their systems are storing this data.

      –   Inadequate access controls due to improperly installed merchant POS systems, allowing malicious
          users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)

      –   Default system settings and passwords not changed when system was set up (Requirement 2.1)

      –   Unnecessary and insecure services not removed or secured when system was set up (Requirements
          2.2.2 and 2.2.4)

      –   Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to
          the database storing cardholder data directly from the web site (Requirement 6.5)

      –   Missing and outdated security patches (Requirement 6.1)

      –   Lack of logging (Requirement 10)

      –   Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file
          integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)

      –   Poorly implemented network segmentation resulting in the cardholder data environment being
          unknowingly exposed to weaknesses in other parts of the network that have not been secured
          according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities
          introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)

*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
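The Requirement 3.2 finding above (organizations unaware that their own systems are storing magnetic-stripe data) is something a defender can check for directly. The scanner below is an added example, not code from the original deck or from the PCI SSC: it reads text such as POS logs or database exports, flags ISO 7813 track 1/track 2 records and Luhn-valid unmasked PANs, and reports only masked PANs so the report does not itself become a new store of cardholder data. The log lines are constructed and the card numbers are the public test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 (ISO 7813): '%B' PAN '^' name '^' YYMM service-code data '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from serial numbers and order IDs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(text: str) -> list:
    """Return one finding per track record or unmasked PAN, keyed by line number.

    Track records are sensitive authentication data and must never be stored
    after authorization; bare PANs may be stored but only masked or encrypted.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append({"line": lineno, "type": "track1", "pan": mask_pan(m.group(1))})
        for m in TRACK2_RE.finditer(line):
            findings.append({"line": lineno, "type": "track2", "pan": mask_pan(m.group(1))})
        # Strip the track records so their PAN is not counted twice, then look
        # for bare PANs in what remains.
        remainder = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", line))
        for m in PAN_RE.finditer(remainder):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append({"line": lineno, "type": "pan", "pan": mask_pan(digits)})
    return findings


# Constructed POS log excerpt: an unmasked PAN, a track 2 swipe, a track 1 swipe,
# a correctly masked PAN, and a 16-digit serial number that is not a card number.
SAMPLE_LOG = """\
2011-03-14 10:02:11 POS01 auth ok order=8812 pan=4111111111111111 amt=42.10
2011-03-14 10:02:12 POS01 debug swipe=;4111111111111111=25121010000000000000?
2011-03-14 10:02:13 POS01 debug track1=%B5555555555554444^DOE/JANE^25121010000000000?
2011-03-14 10:02:14 POS01 auth ok order=8813 pan=411111******1111 amt=9.99
2011-03-14 10:03:01 POS01 info serial=1234567890123456 firmware=2.1
"""

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['pan']}")
```

Run it against real POS spool files, database dumps and application logs; a hit on a track record is a Requirement 3.2 violation regardless of how the data got there.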
What are my organization's requirements?
Self-Assessment Questionnaire?

    A)    Requirement Areas: 9 & 12 – 13 Questions / requirements
    B)    Requirement Areas: 3,4,7,9 & 12 – 29 Questions / requirements
    C-VT) Requirement Areas: 1-7,9 & 12 – 51 Questions / requirements
    C)    Requirement Areas: 1-9,11 & 12 – 80 Questions / requirements
    D)    Requirement Areas: 1-12 – 286 Questions / requirements

Does your company store any cardholder data in electronic format?

*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
Policies and Procedures

Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
    Policies/procedures: Configuration standards, Change control approval and testing process, Firewall placement,
    Maintain current network diagram, Description of Roles & Responsibilities, Documentation and business
    justification of all ports, protocols and services, FW and Router review.

Requirement 2 – Do not use vendor supplied defaults for system passwords and other security parameters
    Policies/procedures: Pre-production modifications, Develop configuration hardening standards, Removing/disabling
    insecure/unnecessary services, protocols and functionality, One function per server, Encrypting all non-console
    access

Requirement 3 – Protect stored cardholder data
    Policies/procedures: Limit duration of data retention, Secure deletion, Data types retained, Display masking,
    Safe storage, Encryption key management

Requirement 4 – Encrypt transmission of cardholder data across open, public networks
    Policies/procedures: Minimum encryption standards, Wireless standards

Requirement 5 – Use and regularly update anti-virus software or programs
    Policies/procedures: Antivirus validation, current, actively running and generating logs

Requirement 6 – Develop and maintain secure systems and applications
    Policies/procedures: Vulnerability identification, rank and management, Patching and patch validation, Secure
    application development and deployment, Change control, Code reviews

Requirement 7 – Restrict access to cardholder data by business need to know
    Policies/procedures: Data control need-to-know requirements, Role-based access

Requirement 8 – Assign a unique ID to each person with computer access
    Policies/procedures: Authentication and password management policies and procedures, Unique ID, user
    verification for password resets, Employee termination, Remove inactive users, Vendor access, length, duration,
    strength

Requirement 9 – Restrict physical access to cardholder data
    Policies/procedures: Access control, Badge assignment, Visitors, Media access, distribution and destruction

Requirement 10 – Track and monitor all access to network resources and cardholder data
    Policies/procedures: Daily log review, Exception handling, log retention and availability

Requirement 11 – Regularly test security systems and processes
    Policies/procedures: Detect and identify wireless access points, Alerting, incident handling and response,
    IDS/IPS configuration and updates, Change control

Requirement 12 – Maintain a policy that addresses information security for employees and contractors
    Policies/procedures: Information security policy, Risk assessment, Daily operational procedures, Usage policy,
    Personnel roles and responsibilities, monitoring & analysis, incident response and escalation plan, security
    awareness program
Technologies

Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
    Technologies: Firewall (network and personal), Routers and Switches, File Integrity Monitoring

Requirement 2 – Do not use vendor supplied defaults for system passwords and other security parameters
    Technologies: Vulnerability Scanning / Management, VPN

Requirement 3 – Protect stored cardholder data
    Technologies: Encryption, Backup / data retention

Requirement 4 – Encrypt transmission of cardholder data across open, public networks
    Technologies: Encryption, VPN, Firewall, WAF, IDS/IPS

Requirement 5 – Use and regularly update anti-virus software or programs
    Technologies: Antivirus, File Integrity Monitoring, Log Management

Requirement 6 – Develop and maintain secure systems and applications
    Technologies: Vulnerability Scanning / Management, Patch Management, WAF

Requirement 7 – Restrict access to cardholder data by business need to know
    Technologies: Firewall, VPN, Authentication, Application level access control

Requirement 8 – Assign a unique ID to each person with computer access
    Technologies: Multi-Factor Authentication, Application level access control, Firewall, VPN

Requirement 9 – Restrict physical access to cardholder data
    Technologies: PCI Certified Data Centers

Requirement 10 – Track and monitor all access to network resources and cardholder data
    Technologies: Log Management, SIM, SEIM, File Integrity Monitoring, NTP Service

Requirement 11 – Regularly test security systems and processes
    Technologies: Vulnerability Scanning, IDS/IPS, File Integrity Monitoring, Log Management

Requirement 12 – Maintain a policy that addresses information security for employees and contractors
    Technologies: Log Management, SIM, SEIM, IDS/IPS
Ten Common Myths of PCI DSS

Myth 1 – One vendor and product will make us compliant

Myth 2 – Outsourcing card processing makes us compliant

Myth 3 – PCI compliance is an IT project

Myth 4 – PCI will make us secure

Myth 5 – PCI is unreasonable; it requires too much

Myth 6 – PCI requires us to hire a Qualified Security Assessor

Myth 7 – We don’t take enough credit cards to be compliant

Myth 8 – We completed a SAQ so we’re compliant

Myth 9 – PCI makes us store cardholder data

Myth 10 – PCI is too hard




*Source: PCI Security Standards Council
Proven PCI management practices

•   Limit the scope of the PCI environment
•   PCI embedded in an overall security program
•   PCI compliant policies, procedures, and training
•   Monitoring and reporting
•   Due diligence of your service providers and vendors
•   Work with a QSA

•   PCI DSS General Tips and Strategies to Prepare for Compliance Validation
      1.   Sensitive Authentication Data (includes the full track contents of the magnetic stripe or
           chip, card verification codes and values, PINs and PIN blocks):
               –   NEVER STORE THIS DATA
      2.   Ask your POS vendor about the security of your system
      3.   Cardholder data: if you don’t need it, don’t store it!
               –   Payment brand rules allow for the storage of the Primary Account Number (PAN),
                   expiration date, cardholder name, and service code.
      4.   Cardholder data: if you do need it, consolidate and isolate it.
      5.   Compensating Controls

    *Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0

PCI Compliance The Circuit