PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

What is PCI-DSS?
- PCI-DSS stands for Payment Card Industry Data Security Standard
- This is commonly called “PCI”
- PCI is a council created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International

Who Must Comply with PCI?
- All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

History of PCI
- PCI was formed in order to make compliance simpler
- Up until 2004 there were 4 different standards to follow:
  - CISP (Visa)
  - SDS (MC)
  - DISC (Discover)
  - DSS (AMX)

History of PCI
- Each credit card company had its own standard, and they all contained different requirements (encryption strength, etc.)
- In 2004 the PCI Security Standards Council was formed to bring all of these requirements under 1 umbrella
- Level 1 merchants were required to be compliant by Dec. 31, 2007
- Level 2-4 merchants were required to be compliant by June 30, 2007

Different Levels of PCI
- Level 1 - Any merchant who processes over 6,000,000 transactions annually or has suffered a breach
- Level 2 - Any merchant who processes between 1,000,000 and 6,000,000 transactions annually
- Level 3 - Any merchant who processes between 20,000 and 1,000,000 transactions annually
- Level 4 - Any merchant who processes under 20,000 transactions annually

Different Merchant Level Requirements
- Level 1 - Requires a 3rd-party, PCI-approved Qualified Security Assessor (QSA) to perform a yearly onsite assessment, yearly penetration tests and quarterly security scans by an approved PCI scanning vendor
- Level 2 and 3 - Requires merchants to complete a yearly Self-Assessment Questionnaire (SAQ) and quarterly security scans by an approved PCI scanning vendor
- Level 4 - Recommended to perform the Level 2 and 3 requirements, but not enforced
- All levels are required to be PCI compliant

Non-Compliance Risk and Consequences
- Visa - Regardless of level requirements
  - 1st violation: up to $50,000 USD for a rolling 12-month period
  - 2nd violation: up to $100,000 USD for a rolling 12-month period
  - 3rd violation: Visa’s discretion to refuse future transactions until compliant

Non-Compliance Risk and Consequences
- MasterCard
  - Level 1: up to $25,000 USD annual fee per merchant
  - Level 2: up to $5,000 USD annual fee per merchant
  - Level 3: up to $5,000 USD annual fee per merchant

12 Main Parts of PCI
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Breach Risk and Consequences
- Reputation Risk
  - What will the impact be on your company’s brand?
  - Mandatory involvement of federal law enforcement in the investigation
- Financial Risk
  - Merchant banks may pass on substantial fines
  - Up to $500,000 per incident from Visa alone
  - $20 - $90 fine per credit card number that COULD have been exposed or compromised
  - Civil liability and the cost of providing ID theft protection
  - Average cost of a security breach is $5,000,000

Breach Risk and Consequences
- Compliance Risk
  - Exposure to Level 1 validation requirements
- Operational Risk
  - Visa-imposed operational restrictions
  - Potential loss of card processing privileges

AAA Oregon/Idaho
- Reached Level 1 PCI-DSS compliance in January 2008
- The compliance process took about 9 months of planning to reach Level 1 status
- AAA Oregon/Idaho’s PCI requirement is Level 3.

AAA Oregon/Idaho
- In June 2007 AAA Oregon/Idaho was Level 3 compliant.
- Interpretation of the compliance requirements differed between AAA Oregon/Idaho and our PCI QSA
- The cost to become Level 1 was under $30,000. This includes contractors and equipment purchases
- The cost to remain PCI compliant on a yearly basis is roughly $15,000; this includes the yearly audit, Report on Compliance (ROC) and monthly scans

The Storage of Unencrypted Credit Card Numbers
- PCI Section 3
  - PCI Section 3 requires the storage of unencrypted credit card numbers to have 2 factors of authentication
  - This information needs to be stored in a DMZ (separate network segment)
  - Must be masked within databases
  - Responsibility falls on the merchant to keep the information safe, even if it is given to you in an unsecured fashion
  - Section 3 is the main reason companies fail their PCI-DSS assessment

Data Flow
- Data is sent from the merchant through Apollo in an encrypted file (128-bit SSL)
- A MIR file is sent to a Galileo Print Manager that resides at the merchant; this file arrives encrypted and is then decrypted
- The MIR file then arrives in a repository unencrypted, as a plain text file (this file contains full credit card numbers), for processing into the merchant’s GlobalWare database
- Credit card numbers are then masked once processed into GlobalWare
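The data flow above leaves MIR files in cleartext with full PANs until GlobalWare masks them, and the Section 3 slide notes that card numbers must be masked within databases. The following Go program is an added example for this page, not code from the presentation or from any Galileo or GlobalWare product. It shows the two checks a merchant would want to run over such a repository: find Luhn-valid card numbers in a text file and write out a copy masked to the first six and last four digits (the PCI DSS display rule). The MIR-style record lines, the `scanAndMask` function and the regular expression are all constructed for the example; the Luhn check is what keeps other long digit runs (ticket numbers, references) from being flagged.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleMIR is a constructed, MIR-like extract; the two FOP lines carry
// well-known test card numbers, the other digit runs are not card numbers.
const sampleMIR = "RECORD 0001 TICKET 0012345678901 PAX DOE/JOHN\n" +
	"FOP CC VI 4111111111111111 EXP 0912 AMT 412.00\n" +
	"FOP CC CA 5500-0000-0000-0004 EXP 1110 AMT 98.50\n" +
	"REF 1234567890123 INVOICE"

// candidatePAN matches runs of 13-19 digits, optionally separated by
// spaces or dashes, bounded by non-word characters.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the first six and last four digits and replaces the rest
// with '*', which is the most a masked PAN may reveal under PCI DSS 3.3.
func maskPAN(digits string) string {
	n := len(digits)
	return digits[:6] + strings.Repeat("*", n-10) + digits[n-4:]
}

// Finding records one cleartext PAN discovered in the scanned text.
type Finding struct {
	Line   int
	Masked string
}

// scanAndMask walks the text line by line, reports every Luhn-valid PAN
// and returns a redacted copy in which those PANs are masked (separators
// inside a matched PAN are dropped in the redacted copy).
func scanAndMask(text string) ([]Finding, string) {
	var findings []Finding
	lines := strings.Split(text, "\n")
	for i, line := range lines {
		lines[i] = candidatePAN.ReplaceAllStringFunc(line, func(m string) string {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if !luhnValid(digits) {
				return m // a ticket or reference number, not a PAN: leave it
			}
			masked := maskPAN(digits)
			findings = append(findings, Finding{Line: i + 1, Masked: masked})
			return masked
		})
	}
	return findings, strings.Join(lines, "\n")
}

func main() {
	findings, redacted := scanAndMask(sampleMIR)
	for _, f := range findings {
		fmt.Printf("line %d: cleartext PAN found, masked to %s\n", f.Line, f.Masked)
	}
	fmt.Println(redacted)
}
```

Run against a real repository, the finding count is the number to watch in a compliance check: any non-zero result outside the moment of processing means full PANs are at rest in cleartext.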

What We Did…
- We placed our GlobalWare server in a DMZ
- We configured the Galileo Print Manager to place the MIR repository destination in the DMZ on the GlobalWare server

What We Did…
- 1 - We limited access to the GlobalWare server inside the DMZ to specific computers
- 2 - We limited access to the GlobalWare server to specific users within Windows Active Directory
- 3 - We use PGP (encryption software) to create a Virtual Encrypted Disk. This required an AES 256-bit key, but the key cannot be stored locally on the server

What We Did…
- 4 - This encrypted disk shows up as a shared drive and is left open so that MIRs can be added and removed during processing to the database
- The PGP Virtual Encrypted Disk would be unreadable to anyone without the encryption key, even if someone stole the physical server
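Step 3 above depends on one property: the key that protects the MIR files is never stored on the server that holds them, so a stolen disk or server yields nothing readable. The following Go program is an added example, not the presentation’s or PGP’s code, and it demonstrates that property with file-level AES-256-GCM instead of a PGP virtual disk. The key is supplied at runtime (here derived from a demo passphrase by the hypothetical `KeyFromPassphrase` helper, which stands in for a key held in a KMS/HSM or a proper KDF), each record is sealed with a fresh nonce, and without that key the stored blob can neither be read nor silently altered. The `Vault` type and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Vault wraps an AES-256-GCM cipher built from key material that is supplied
// at runtime and never written to the server alongside the encrypted files.
type Vault struct {
	aead cipher.AEAD
}

// KeyFromPassphrase is a hypothetical stand-in for a real key source. It hashes
// an operator-supplied passphrase to 32 bytes so the example is self-contained;
// a production deployment would use a KMS/HSM-held key or a salted KDF
// (PBKDF2, scrypt, Argon2), never a bare hash of a passphrase.
func KeyFromPassphrase(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// OpenVault accepts a 32-byte key (AES-256) and returns a ready Vault.
func OpenVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts a file's contents. A fresh random nonce is prefixed to the
// ciphertext so the blob is self-describing and no nonce is ever reused.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal. GCM's authentication tag means a
// wrong key or any modification of the blob yields an error, not garbage.
func (v *Vault) Open(blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// Constructed MIR-style record standing in for the file read from the repository.
	record := []byte("FOP CC VI 4111111111111111 EXP 0912 AMT 412.00")
	vault, _ := OpenVault(KeyFromPassphrase("operator-entered passphrase (demo)"))
	blob, _ := vault.Seal(record)
	fmt.Printf("stored on disk: %d bytes, none of them the PAN\n", len(blob))

	other, _ := OpenVault(KeyFromPassphrase("wrong passphrase"))
	if _, err := other.Open(blob); err != nil {
		fmt.Println("without the key the file is unreadable:", err)
	}
}
```

The design point is the one the slide makes: the ciphertext and the key live in different places, so access to the server (or its disks) alone is not access to cardholder data, and the key handling, not the cipher, is what an assessor will examine.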

Other Options…
- There are other options to achieve the PCI Section 3 requirements; this is just one of the options we could have used:
  - The use of Full Disk Encryption is an option (meaning the entire server is encrypted) in order to keep MIR files safe. Many companies like IBM have this built into their new servers, which does not require the use of PGP.

Verizon Business 2008 Data Breach Report
- Breaches by company size
  - 2% 1-10 employees
  - 30% 11-100 employees
  - 22% 101-1,000 employees
  - 26% 1,001-10,000 employees
  - 14% 10,001-100,000 employees
  - 6% 100,001+ employees

Verizon Business 2008 Data Breach Report
- 84% of all data breaches were targeted at credit card data
- 70% of all breaches are found by a 3rd-party company (i.e. the cardholder’s bank)
- 82% of all breaches are from online data

Some Common PCI Myths
- One vendor and product will make us compliant
- Outsourcing card processing makes us compliant
- PCI compliance is an IT project
- PCI will make us secure
- PCI requires us to hire a QSA
- PCI is unreasonable and it requires too much
- We don’t take enough credit cards to be compliant
- We completed a SAQ so we’re compliant
- PCI makes us store cardholder data
- PCI is too hard

QUESTIONS?