PCI 3.1 Compliance Panel for CHECO

Presented by the University of Northern Colorado and the Colorado School of Mines

Agenda
- Why the Hoopla?
- The Self Attested Questionnaire (SAQ)
- The Cardholder Data Environment (CDE)

About the Presenters
Jane Rosenthal, JD, CCEP, Director, Compliance & Policy
Background:
- 15+ years in university privacy, research and contracts
- Legal experience; admitted in Missouri and Kansas
- Certified Compliance & Ethics Professional

About the Presenters
Matt Langford, CISSP-ISSMP, PCIP, Chief Information Security Officer
Background:
- QSA and PA-QSA
- Penetration Tester
- Security Auditor
- Anti-Malware Engineer

Why the Hoopla?
- Cybersecurity is a national issue
- The PCI Security Council cares about small merchants
- All card brands are requiring compliance
- Just because you think something is out of scope does not mean it is; outsourcing and tokenization are not magic pills, and only a QSA can confirm scope
- Card brands can have differing requirements, and therefore differing merchant-level assessments

Hoopla?
- Compliance is not a check-the-box or one-and-done activity; IT IS A DAILY ACTIVITY!
- Your bank/acquirer will pass fines through to you or raise your rates
- A risk-based environment is what drives compliance these days

4 Steps to Compliance
1. Scope: PCI DSS covers all components within or connected to the CDE
2. Assess: assess the compliance of each system, including testing
3. Reporting: documentation and the SAQ (see appendix), or a ROC
4. Clarifications

Self Attestation Questionnaire
- Do we qualify to fill out an SAQ?
- Merchant expertise
- There are 9 categories you might fall into for an SAQ (see appendix)

Questions
- Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including wireless networks?
- Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes position?

Questions
- Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
- Is a security policy established, published, maintained, and disseminated to all relevant personnel?

CDE

CDE Components
Include items such as:
- Point of sale machines
- Virtual terminals
- Card swipe machines
- Printers
- Network devices
- Networking hardware
- Servers
- Connections to the back office environment

CDE Connections
- Connections between all CDE devices
- Connections between all other network resources (infrastructure components)
- Connections to other networks
- Flow of data from one device to another
- Flow of data from network segment to segment

Some of the things you need to know about your CDE
- Are all machines hardened?
- Are security patches applied?
- Are all machines defended against malware?
- Are the application logs gathered and retained for the required period of time?
- Are those logs being monitored on a daily basis?
- Do you have the required documentation?

Some of the things you need to know about your CDE
- Are the encryption keys being managed and rotated as required?
- Is the environment being security tested on a regular basis?
- Are you completing your scanning requirements?
- Is there a policy, procedure and process in place regarding the vulnerability management of these systems?

Consider Scope

In-Scope:
- Systems that connect directly to the CHD environment
- If we provide VoIP ourselves and CHD is transmitted over it
- If a system can impact the security of the CDE
- Any transmission, storage, or processing of cardholder data (CHD)

Out-of-Scope (maybe):
- Encrypted CHD (no key available)
- Connected-to-connected systems??
- In-bound connections / telecom provider (such as a cable or cell provider)
- Network system isolated from the CDE (no connectivity to the network)

Notes:
* Restricting access by IP/port may help, but does not necessarily solve the problem
** Any device on the network could compromise or access the CDE, but controls minimize the risk
*** Compensating controls may be acceptable, but only a QSA can confirm this

See the discussion thread on PCI DSS security standards at Tenable: https://discussions.tenable.com/thread/6948
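As an added example that is not part of the slide deck, the following Python walks a constructed system inventory and applies the in-scope and out-of-scope criteria listed above. Every system name, attribute and link is made up for illustration; a direct connection to the CDE is treated as in scope, and the connected-to-connected case the slide leaves open is flagged for review rather than decided.

```python
# Added example, not from the slide deck: a scope walk over a constructed
# inventory using the "Consider Scope" criteria. All names and attributes are
# made up; only a QSA can confirm scope for a real environment.
from collections import defaultdict

# Constructed inventory: name -> {handles_chd, impacts_cde, enc_only_no_key}
SYSTEMS = {
    "pos-01":     {"handles_chd": True,  "impacts_cde": False, "enc_only_no_key": False},
    "pos-switch": {"handles_chd": False, "impacts_cde": False, "enc_only_no_key": False},
    "ad-dc":      {"handles_chd": False, "impacts_cde": True,  "enc_only_no_key": False},
    "hr-app":     {"handles_chd": False, "impacts_cde": False, "enc_only_no_key": False},
    "lab-pc":     {"handles_chd": False, "impacts_cde": False, "enc_only_no_key": False},
    "p2pe-pad":   {"handles_chd": False, "impacts_cde": False, "enc_only_no_key": True},
}
# Constructed, undirected network links between the systems above.
LINKS = [("pos-01", "pos-switch"), ("pos-switch", "hr-app"),
         ("ad-dc", "pos-01"), ("p2pe-pad", "pos-switch")]

def classify_scope(systems, links):
    """Return {system: scope label} by applying the slide's criteria in order."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    result = {}
    # Any storage, processing or transmission of CHD is in scope: that is the CDE.
    cde = {n for n, attrs in systems.items() if attrs["handles_chd"]}
    for n, attrs in systems.items():
        if n in cde:
            result[n] = "in-scope: CDE"
        elif attrs["impacts_cde"]:            # can impact the security of the CDE
            result[n] = "in-scope: can impact CDE security"
        elif attrs["enc_only_no_key"]:        # encrypted CHD only, no key available
            result[n] = "out-of-scope (maybe): encrypted CHD, no key; QSA to confirm"
    # A direct connection to a CDE system puts a system in scope ("connected-to").
    connected = {m for n in cde for m in adj[n]} - set(result)
    for n in connected:
        result[n] = "in-scope: connected directly to CDE"
    # Connected-to-connected: the slide leaves this open ("??"), so flag it for review.
    second_hop = {m for n in connected for m in adj[n]} - set(result)
    for n in second_hop:
        result[n] = "review: connected to a connected-to system"
    # Everything else has no path to the CDE within two hops.
    for n in systems:
        result.setdefault(n, "out-of-scope: no connection to CDE within two hops")
    return result

if __name__ == "__main__":
    for name, label in sorted(classify_scope(SYSTEMS, LINKS).items()):
        print(f"{name:11s} {label}")
```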

VoIP?
- VoIP vs. POTS? (voice over IP vs. plain old telephone system)
- If your payment processing is outsourced to a third-party provider, but you are accepting customer payments over the phone, then your VoIP phone solution is subject to PCI compliance standards
- VoIP phone systems are in scope
- Only VoIP systems with strong cryptography should be used
- Segmenting the VoIP
- Requiring agents to use analog telephone lines? The PBX is digital even if analog is engaged?
- See the Tenable discussion forum and PCI DSS:
  1) Any form of transmission, storage, or processing of cardholder data (CHD) is in scope for PCI and subject to applicable PCI DSS requirements;
  2) Voice over IP (VoIP) is simply another communications protocol subject to the PCI DSS requirements which apply (if the transmission is over an open, public network then it would need to be encrypted (PCI DSS 4.1)); and
  3) Telecommunications providers are ordinarily excluded from inclusion in lists of third-party service providers (PCI DSS 12.8).
- VoIP in scope: if your entity is providing the VoIP communications (e.g. maintaining a SIPS server) and CHD is being transmitted over VoIP, then this traffic and all associated systems would be in scope for PCI compliance. But if your entity is just receiving inbound telephone calls (VoIP or POTS) that have originated from an external source, then you have no responsibility for the security of these calls, nor are you required to treat your telecommunications provider as a third party or service provider.

Discussion
Questions?
Topics:
- Segmented networks for virtual POS terminals
- Legacy PCI DSS environments
- Log management
- Storage of CHD

Appendix A: PCI Standards (6 Goals, 12 PCI DSS Requirements)

Build & Maintain a Secure Network & Systems
1. Install & maintain a firewall configuration to protect CHD
2. Don't use vendor-supplied defaults for system passwords & other security parameters

Protect Cardholder Data (CHD)
3. Protect stored CHD
4. Encrypt transmission of CHD across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware & regularly update AV software or programs
6. Develop & maintain secure systems & applications

Implement Strong Access Control Measures
7. Restrict access to CHD by business need-to-know
8. Identify & authenticate access to system components
9. Restrict physical access to CHD

Regularly Monitor & Test Networks
10. Track & monitor all access to network resources & CHD
11. Regularly test security systems & processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Source: PCI DSS Quick Guide v3.1

Appendix A: Assessment
Merchant level? See each card brand's page:
- Discover: http://www.discovernetwork.com/merchants/data-security/identifying-organizations.html
- AMEX: https://www.americanexpress.com/in/content/merchant/support/data-security/merchant-information.html
- MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
- Visa: https://usa.visa.com/support/small-business/security-compliance.html
** See the PCI DSS v3.1 Quick Reference Guide (QRG)

Appendix B: SAQ Types
Self Attestation Questionnaire (SAQ) types: A, A-EP, B, B-IP, C, C-VT, P2PE, D (Merchant and Service Provider)

SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. This is when a PCI validated third party runs all your transactions through a web, mail or telephone order system.

SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. This is when you redirect from your environment to a PCI validated third party that runs all your transactions through its web, mail or telephone order system.

SAQ B
Merchants using only: imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C
Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE
Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.

SAQ D for Merchants
All merchants not included in the descriptions for the above SAQ types.

SAQ D for Service Providers
All service providers defined by a payment brand as eligible to complete an SAQ.

Additional Resources
- https://www.pcisecuritystandards.org/
- https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

Appendix B – Q1
Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including wireless networks?
Expected Response:
- Review the current network diagram
- Interview responsible personnel
- Examine network configurations

Q2
Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes position?
Expected Testing:
- Review policies and procedures
- Review vendor documentation
- Interview personnel

Q3
Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks?
Expected Testing:
- Review documented standards
- Review policies and procedures
- Review all locations where CHD is transmitted or received
- Examine system configurations
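The "examine system configurations" step for this question (and the same question on the earlier Questions slide) can be rehearsed offline. The following Python is an added example, not from the slide deck: it reads constructed nginx `ssl_protocols` and Apache `SSLProtocol` lines from an imaginary CDE web tier and reports any listener still offering SSL or TLS 1.0, which PCI DSS 3.1 no longer treats as strong cryptography. The set of protocols that Apache's `all` keyword expands to is an assumption for this example.

```python
# Added example, not from the slide deck: flag web-server TLS settings that
# still allow SSL or early TLS (TLS 1.0), which PCI DSS 3.1 no longer treats
# as strong cryptography. The configuration text below is constructed.
import re

WEAK = {"SSLv2", "SSLv3", "TLSv1"}  # not strong cryptography under PCI DSS 3.1
# Assumed expansion of Apache's "all" keyword for this example.
APACHE_ALL = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def nginx_protocols(line):
    """'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' -> set of protocol names, else None."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
    return set(m.group(1).split()) if m else None

def apache_protocols(line):
    """'SSLProtocol all -SSLv3' -> set, honouring +/- prefixes and 'all'."""
    m = re.match(r"\s*SSLProtocol\s+(.+)$", line)
    if not m:
        return None
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else [name]
        (enabled.update if sign == "+" else enabled.difference_update)(names)
    return enabled

def audit(config_text):
    """Return [(line_no, enabled_protocols, weak_protocols)] for each TLS directive."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        protos = nginx_protocols(line) or apache_protocols(line)
        if protos is not None:
            findings.append((no, sorted(protos), sorted(protos & WEAK)))
    return findings

# Constructed sample: one nginx listener and two Apache virtual hosts.
SAMPLE_CONFIG = """\
server { listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, enabled, weak in audit(SAMPLE_CONFIG):
        print(f"line {no}: {'FAIL' if weak else 'PASS'} enabled={enabled} weak={weak}")
```

Note that the Apache `all -SSLv2 -SSLv3` form, which looks hardened, still leaves TLS 1.0 enabled; that is the edge case the audit is meant to catch.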

Q4
Is a security policy established, published, maintained, and disseminated to all relevant personnel?
Expected Testing:
- Review the information security policy