PCI Compliance: Whys and wherefores
Colleen Medling, cmedling@slcolibrary.org
SLCO Library Services
March 17, 2011
Denials
- I am not a Qualified Security Assessor (QSA)
- I am not a lawyer
- I am a librarian (and System Administrator)
SLCoLibrary.org, SLCo Library Services Division
Who are they and what do they want?
- PCI Security Standards Council: Payment Card Industry standards and procedures created to optimize the security of credit/debit card data.
- All five major payment brands (American Express, Discover, MasterCard, Visa and JCB) have agreed to incorporate these requirements into their data security compliance programs.
- An independent organization that develops, manages, educates about and creates awareness of the PCI Security Standards.
- Each brand had different, often overlapping requirements; in 2006 the council was created with all five major brands participating.
To comply or not to comply
- PCI compliance is not a law (yet), BUT failure to comply can result in:
  - Loss of reputation
  - Loss of trust
  - Significant fines
  - Losing the ability to take credit card payments
- Many government entities now require their organizations to comply.
- Please note that even by being compliant you can STILL get hacked.
You the merchant: Merchant Levels

Level | Merchant Criteria | Validation Requirements
1 | Merchants processing over 6 million transactions annually | Annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"); quarterly network scan by an Approved Scanning Vendor ("ASV"); Attestation of Compliance form
2 | Merchants processing 1 million to 6 million transactions annually | Annual Self-Assessment Questionnaire ("SAQ"); quarterly network scan by ASV
3 | Merchants processing 20,000 to 1 million e-commerce transactions annually | Annual SAQ
4 | Merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable
All the SAQs: Self-Assessment Questionnaire
- A tool that allows entities to validate their compliance with the PCI standards.
- Filling out an SAQ does not necessarily make you compliant.
- There are five separate levels, with increasingly complex requirements based on the number of transactions and on how credit card data is held and processed.
- Even if you use a PCI-compliant application, YOU still need to complete an SAQ.
- Any moving of paper receipts or media must be approved.
- Any media must be destroyed properly.
The A, B's

SAQ A – 13 requirements
- Only to be used for "Card Not Present" entities: e-commerce or mail order/telephone order merchants
- Does not store or transmit cardholder data over their systems
- Requirements:
  - Must restrict access to cardholder data
  - Paper receipts must be under lock and key, and destroyed properly
  - Maintain an Information Security Policy
  - Policies and procedures to manage service providers

SAQ B – 29 requirements
- Entities use imprint or dial-up standalone terminals
- No cardholder data is stored electronically
- Does not store or transmit cardholder data over their network or the Internet
- In addition to the SAQ A requirements:
  - Protect stored cardholder data
  - May not store magnetic stripe data
  - Restrict cardholder data on a need-to-know basis
C's

SAQ C-VT (virtual terminals) – 51 requirements
- New type of SAQ introduced in 2010
- Used for web-based virtual terminals
- Cardholder data is manually entered; data is not read from the card directly
- Virtual terminal is provided by a third-party PCI DSS validated company
- In addition to SAQ A and SAQ B:
  - Must have a firewall
  - Do not use vendor-supplied passwords
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data
  - Use anti-virus software and log the results
  - Develop and maintain secure systems; this includes any wireless networks you may have
Final C and D

SAQ C – 80 requirements
- Point of Sale (POS) is connected to the Internet
- Payment application is not connected to other systems (can be done via network segmentation)
- LAN is not connected to any other location
- No sensitive cardholder data is stored electronically
- In addition to SAQ A, SAQ B and SAQ C-VT: quarterly network scans

SAQ D – 288 requirements
- All other merchants who do not fit under the previous categories
- Merchant stores cardholder data electronically
- Extremely difficult and costly to attain
- In addition to SAQ A, SAQ B and the SAQ C's: more requirements for each category
Getting started down the road
- Scope – determine what system components are governed by PCI DSS
- Assess – examine the compliance of the system components in scope
- Compensating Controls – the QSA/assessor validates alternative control technologies or processes
- Report – the assessor and/or the entity submits the required documentation
You are not alone
- Find a Qualified Security Assessor (QSA); there may be one in your organization already
- List available at https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
- A QSA:
  - Offers support and suggestions
  - Verifies technical information
  - Evaluates compensating controls
  - Samples systems involved in the scope of the work
  - Produces the final report
Alone 2
- Choose an Approved Scanning Vendor (ASV): scans your network for external vulnerabilities
- List can be found at https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
- SLCO uses CoalFire's Navis system
Tips
- Never, ever store sensitive cardholder data:
  - Magnetic stripe data
  - Primary Account Number (PAN)
- If you have to store the data, get rid of it as soon as possible
- Segment your network
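One practical way to act on the "never store the PAN" tip, as an added example that is not part of the original presentation: a small scrubber that finds Luhn-valid card numbers in log lines before they are written to storage and truncates them to the first six and last four digits (the most PCI DSS permits to display). The log lines, test card numbers and helper names are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep first six and last four digits; mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a line with its truncated form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return truncate_pan(digits)
        return m.group(0)       # not a PAN (e.g. a session id): leave it alone
    return PAN_CANDIDATE.sub(repl, line)


def scrub_log(lines):
    """Scrub a list of log lines; returns the masked copies."""
    return [mask_pans(line) for line in lines]


# Constructed sample log lines. The card numbers are public Luhn-valid test
# numbers, not real accounts; 1234567890123456 fails Luhn and is left intact.
SAMPLE_LOG = [
    "2011-03-17 10:01:02 payment ok card=4111 1111 1111 1111 amount=12.50",
    "2011-03-17 10:01:03 payment ok card=378282246310005 amount=8.00",
    "2011-03-17 10:01:04 lookup session=1234567890123456 user=4242",
]
```

Run the scrubber at the point where log lines are emitted, not after the fact, so the full PAN never reaches disk in the first place.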
What to do, what to do
Options considered: Utahgovpay, PayPal, Comprise Technologies

Utahgovpay
- Would need to develop an interface to our library database
- Charges $.75 per transaction regardless of amount; 50% of our transactions are under $10.00

PayPal
- Would have to develop an interface
- Fee per transaction
- Would have to host the system internally

Comprise Technologies
- Currently used for internal credit card transactions
- Understands the specialized library protocol
- Online system required us to store cardholder data and the Primary Account Number (PAN), which means a higher level of PCI compliance
Host it!
- Another option: a PCI-compliant web-hosting facility
- Credit cardholder data would not be stored on our network
- Facility is already PCI SAQ D compliant
- Lowers the Library's level of compliance to SAQ C
- Hosted solution is an annual subscription; NO per-transaction fee
- Beta tested the new service for Comprise Technologies at the RackSpace hosting facility
SLCO Option
- We host the entry form only; no cardholder data
- Rest of the application resides on RackSpace
- Over $142,000 collected since July 2010
- 79% SAQ C compliant
Questions?

Additional Resources
- Data Security Standard Requirements for Security Assessment Procedures: https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc
- PCI Forms: https://www.pcisecuritystandards.org/docs/
- PCI Security Standards Council Quick Reference Guide: https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
- CISP list of PCI DSS compliant service providers: http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
- PCI SSC's list of Qualified Security Assessors (QSAs): https://www.pcisecuritystandards.org/resources/qualified_security_assessors.htm
- Approved Scanning Vendors: https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
- Navigating PCI DSS: understanding the intent of the requirements: https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf
- PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml