PCI-DSS
Erin Benedictson, Information Security Analyst, AAA Oregon/Idaho

What is PCI-DSS?
– PCI-DSS stands for Payment Card Industry Data Security Standard
– This is commonly called “PCI”
– PCI is a council created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc International

Who Must Comply with PCI?
– All merchants, whether small or large, need to be PCI compliant.
– The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

History of PCI
– PCI was formed in order to make compliance simpler
– Up until 2004 there were 4 different standards to follow:
  – CISP (Visa)
  – SDS (MC)
  – DISC (Discover)
  – DSS (AMX)
– Each credit card company had their own standard and they all contained different requirements (encryption strength, etc.)
– In 2004 the PCI Security Standards Council was formed to bring all of these requirements under 1 umbrella
– Level 1 merchants were required to be compliant by Dec. 31, 2007
– Level 2-4 merchants were required to be compliant by June 30, 2007

Different Levels of PCI
– Level 1 – Any merchant who processes over 6,000,000 transactions annually or has suffered a breach
– Level 2 – Any merchant who processes between 1,000,000 and 6,000,000 transactions annually
– Level 3 – Any merchant who processes between 20,000 and 1,000,000 transactions annually
– Level 4 – Any merchant who processes under 20,000 transactions annually

Different Merchant Level Requirements
– Level 1 – Requires a 3rd-party PCI-approved Qualified Security Assessor (QSA) to perform a yearly onsite assessment, yearly penetration tests and quarterly security scans by an approved PCI scanning vendor
– Level 2 and 3 – Requires merchants to complete a yearly self-assessment questionnaire (SAQ) and quarterly security scans by an approved PCI scanning vendor
– Level 4 – Recommended to perform level 2 and 3 requirements but not enforced
– All levels are required to be PCI compliant

Non-Compliant Risk and Consequences
– Visa – Regardless of level requirements
  – 1st Violation: Up to $50,000 USD for rolling 12-month period
  – 2nd Violation: Up to $100,000 USD for rolling 12-month period
  – 3rd Violation: Visa’s discretion to refuse future transactions until compliant
– MasterCard
  – Level 1: Up to $25,000 USD annual fee per merchant
  – Level 2: Up to $5,000 USD annual fee per merchant
  – Level 3: Up to $5,000 USD annual fee per merchant

12 Main Parts of PCI
1. Install and maintain a firewall
2. Do not use vendor default passwords
3. Protect stored data
4. Encrypt transmissions of cardholder data
5. Use and update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access by need-to-know
8. Assign unique IDs to all users
9. Restrict physical access to cardholder data
10. Track and monitor access to cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Breach Risk and Consequences
– Reputation Risk
  – What will the impact be on your company's brand?
  – Mandatory involvement of federal law enforcement in investigation
– Financial Risk
  – Merchant banks may pass on substantial fines
  – Up to $500,000 per incident from Visa alone
  – $20 - $90 fine per credit card number that COULD have been exposed or compromised
  – Civil liability and cost of providing ID theft protection
  – Average cost of a security breach is $5,000,000
– Compliance Risk
  – Exposure to Level 1 validation requirements
– Operational Risk
  – Visa-imposed operational restrictions
  – Potential loss of card processing privileges

AAA Oregon/Idaho
– Reached level 1 PCI-DSS compliance in January 2008
– The compliance process took about 9 months of planning to reach level 1 status
– AAA Oregon/Idaho’s PCI requirement is level 3.
– In June 2007 AAA Oregon/Idaho was level 3 compliant.
– Interpretation of compliance requirements differed between AAA Oregon/Idaho and our PCI QSA
– The cost to become level 1 was under $30,000. This includes contractors and equipment purchases
– The cost to remain PCI compliant on a yearly basis is roughly $15,000; this includes yearly audit, Report on Compliance (ROC) and monthly scans

The Storage of Unencrypted Credit Card Numbers
– PCI Section 3
  – PCI section 3 requires the storage of unencrypted credit card numbers to have 2 factors of authentication
  – This information needs to be stored in a DMZ (separate network segment)
  – Must be masked within databases
  – Responsibility falls on the merchant to keep information safe, even if it is given to you in an unsecured fashion
  – Section 3 is the main reason companies fail their PCI-DSS assessment

Data Flow
– Data is sent from the merchant through Apollo in an encrypted file (128-bit SSL)
– A MIR file is sent to a Galileo Print Manager that resides at the merchant; this file arrives encrypted and is then decrypted
– The MIR file then arrives in a repository unencrypted, as a plain text file (this file contains full credit card numbers), for processing into the merchant's GlobalWare database
– Credit card numbers are then masked once processed into GlobalWare

What We Did…
– We placed our GlobalWare server in a DMZ
– We configured the Galileo Printer Manager to place the MIR repository destination in the DMZ on the GlobalWare server
1. We limited access to the GlobalWare server inside the DMZ to specific computers
2. We limited access to the GlobalWare server to specific users within Windows Active Directory
3. We use PGP (encryption software) to create a Virtual Encrypted Disk. This required an AES 256-bit key, but the key cannot be stored locally on the server
4. This encrypted disk shows up as a shared drive and is left open for MIRs to be able to be added and removed during processing to the database
– The PGP Virtual Encrypted Disk would be unreadable to anyone without the encryption key, even if someone stole the physical server

Other Options…
– There are other options to achieve the PCI section 3 requirements; this is just one of the options we could have used:
  – The use of Full Disk Encryption is an option (meaning the entire server is encrypted) in order to keep MIR files safe. Many companies like IBM have this built into their new servers, which does not require the use of PGP.

Verizon Business 2008 Data Breach Report
– Breaches by company size
  – 2%: 1-10 Employees
  – 30%: 11-100 Employees
  – 22%: 101-1,000 Employees
  – 26%: 1,001-10,000 Employees
  – 14%: 10,001-100,000 Employees
  – 6%: 100,001+ Employees
– 84% of all data breaches were targeted at credit card data
– 70% of all breaches are found by a 3rd-party company (i.e., the cardholder's bank)
– 82% of all breaches are from online data

Some Common PCI Myths
– One vendor and product will make us compliant
– Outsourcing card processing makes us compliant
– PCI compliance is an IT project
– PCI will make us secure
– PCI requires us to hire a QSA
– PCI is unreasonable and it requires too much
– We don’t take enough credit cards to be compliant
– We completed a SAQ so we’re compliant
– PCI makes us store cardholder data
– PCI is too hard

QUESTIONS?