Slide 1
The Unique Alternative to the Big Four ®
25th Annual Conference of the Association of Local Government Auditors (ALGA)
Understanding Payment Card Industry Data Security Standards Assessments and Compliance Auditing
Presented by: Bert Nuehring and Kevin O’Sullivan
May 7, 2013
Slide 2: What is PCI?
© 2013 Crowe Horwath LLP | Audit | Tax | Advisory | Risk | Performance
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
The Council's five founding global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.
Slide 3: What is PCI?
Slide 4: What is PCI?
Slide 5: PCI Brand Compliance Requirements
Level 1:
- Entities perform an annual onsite assessment (ROC); they may hire a QSA or use internal resources
- Entities report to their acquirer(s) using a Report on Compliance (ROC)
Level 2:
- Entities may perform a self-assessment
- Entities report using the appropriate Self-Assessment Questionnaire (SAQ)
Level 3 & Level 4:
- Validation and reporting requirements vary by payment brand and/or the acquirer
Slide 6: Report on Compliance (RoC)
For Level 1 entities as defined in the previous slide.
A PCI on-site assessment analyzes the applicability and implementation of all requirements within the PCI DSS in order to determine whether sufficient controls or adequate compensating controls are in place. The goal is to validate your organization’s compliance with the PCI DSS in order to issue a Report on Compliance (RoC).
At a high level, the ROC provides a comprehensive summary of assessment activities performed and information collected during the assessment. The information contained in a ROC must provide enough detail and coverage to verify the entity’s compliance status. The assessor should clearly describe how the validation activities were performed and how the resultant findings were reached for each section of the ROC.
https://www.pcisecuritystandards.org/documents/PCI_DSS_2.0_ROC_Reporting_Instructions.pdf
Slide 7: Self-Assessment Questionnaire (SAQ)
This is a questionnaire that an entity can fill out by itself; it is a subset of the ROC.
- SAQ A: Card-not-present (e-commerce or MO/TO) entities, all cardholder data functions outsourced. This would never apply to face-to-face entities.
- SAQ B: Imprint-only entities with no electronic cardholder data storage, or standalone, dial-out terminal entities with no electronic cardholder data storage.
- SAQ C/VT: Entities using only web-based virtual terminals, segmented from all other systems, no electronic cardholder data storage.
- SAQ C: Entities with payment application systems connected to the internet, segmented from all other systems, no electronic cardholder data storage.
- SAQ D: All other entities (not included in the descriptions for SAQs A, B, or C above) and all service providers defined by a payment brand as eligible to complete an SAQ.
Slide 8: Self-Assessment Questionnaire (SAQ)
Slide 9: 6 Objectives and 12 Requirements
Slide 10: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of the Cardholder Data Environment. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
Slide 11: Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Slide 12: Requirement 3: Protect stored cardholder data
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. Methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full PAN (Primary Account Number) is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
Slide 13: Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Slide 14: Requirement 5: Use and regularly update anti-virus software or programs
Slide 15: Requirement 6: Develop and maintain secure systems and applications
Slide 16: Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.
Slide 17: Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Slide 18: Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.
For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, a guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.
Slide 19: Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
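As an added example (not from the presentation) of the review that Requirements 7, 8 and 10 together make possible: it reads a constructed access log against a constructed account directory and flags accesses that cannot be traced to one named person (Requirement 8) and accesses by roles with no need to know for the cardholder data store (Requirement 7). The log format, resource names, roles and accounts are assumptions.

```python
import csv
from io import StringIO

# Constructed account directory: account -> (owner, role).
# An owner of "shared" marks a generic account used by more than one person.
DIRECTORY = {
    "jsmith":   ("J. Smith", "billing"),
    "rlopez":   ("R. Lopez", "dba"),
    "helpdesk": ("shared",   "support"),
}

# Roles whose job responsibilities include each sensitive resource (Req. 7).
NEED_TO_KNOW = {"chd_db": {"billing", "dba"}}

# Constructed sample access log (CSV: timestamp,user,resource,action).
SAMPLE_LOG = """\
2013-05-07T09:12:01,jsmith,chd_db,read
2013-05-07T09:15:44,helpdesk,chd_db,read
2013-05-07T10:02:10,rlopez,chd_db,export
2013-05-07T11:30:00,tmp_user,chd_db,read
2013-05-07T11:45:12,jsmith,ticket_db,read
"""


def audit_access(log_text):
    """Return (timestamp, user, finding) tuples for log entries that break
    the unique-ID (Req. 8) or need-to-know (Req. 7) expectations."""
    findings = []
    reader = csv.DictReader(StringIO(log_text),
                            fieldnames=["ts", "user", "resource", "action"])
    for row in reader:
        entry = DIRECTORY.get(row["user"])
        if entry is None:
            # Account not in the directory: nobody is accountable for it.
            findings.append((row["ts"], row["user"], "unknown account (Req. 8)"))
            continue
        owner, role = entry
        if owner == "shared":
            findings.append((row["ts"], row["user"],
                             "shared account, not traceable to one person (Req. 8)"))
        allowed = NEED_TO_KNOW.get(row["resource"])
        if allowed is not None and role not in allowed:
            findings.append((row["ts"], row["user"],
                             f"role {role} has no need to know for {row['resource']} (Req. 7)"))
    return findings


if __name__ == "__main__":
    for ts, user, why in audit_access(SAMPLE_LOG):
        print(ts, user, why)
```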
Slide 20: Requirement 11: Regularly test security systems and processes
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Slide 21: Requirement 12: Maintain a policy that addresses information security for all personnel
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
Slide 22: Reducing the Scope of PCI
The goal is to reduce access to cardholder data to the smallest footprint possible and separate that part of the network.
Network Segmentation
Network segmentation, or isolating (segmenting) the cardholder data environment from the remainder of the corporate network, is not a PCI DSS requirement. However, it is recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Tokenization
Replace the credit card number with a token that refers to a separate database which holds the credit card number.
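An added example (not the presenters' code) tying together Requirement 3 and the tokenization point above: a Luhn-based scan for unprotected PANs in outbound text such as e-mail, PAN masking for display, and a toy token vault that keeps the PAN in a separate store so the calling system holds only the token. The sample message, the vault structure and the test card number are constructed; the masking limit of first six and last four digits is the PCI DSS rule for displayed PANs.

```python
import re
import secrets

# Constructed message containing a well-known test card number (not a real card)
# and a ten-digit invoice number that must not be flagged.
SAMPLE_MESSAGE = ("Please charge card 4111 1111 1111 1111 for the permit fee; "
                  "invoice 1234567890 is a reference number, not a card.")


def luhn_ok(digits):
    """Luhn checksum: every PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unprotected_pans(text):
    """Candidate PANs in free text: the check an outbound e-mail/IM filter
    would run to enforce 'no unprotected PANs in end-user messaging'."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Masked display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy tokenization: the PAN lives only here; callers store the token."""
    def __init__(self):
        self._store = {}          # token -> PAN (the separate database)

    def tokenize(self, pan):
        token = secrets.token_hex(8)   # random, so it reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token):
        return self._store[token]
```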
Slide 23: PCI-DSS 3.0
This October, the Payment Card Industry Security Standards Council will be issuing a major update to the PCI Data Security Standards (PCI DSS 3.0). It will be effective January 1, 2014.
To help entities prepare for this update, the Council also issued a new PCI DSS eCommerce Guidelines Information Supplement on how to better secure themselves and achieve compliance.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
Slide 24: Highlights to PCI-DSS 3.0
Understanding Compliance vs. Security
Compliance addresses some security measures, but there are many areas of your website that can still be vulnerable. All areas where customer information is entered and/or stored must be protected with additional measures like SSL encryption. Additionally, non-purchase pages are also applicable if you have an update feature where customers can update their payment or account information.
Avoiding Common Security Risks
While there are many dangers eCommerce entities face when it comes to securing their websites, SQL injection and cross-site scripting (XSS) attacks are some of the most common, yet most often overlooked. It is important for entities to go beyond just following PCI regulations and work with third parties to address these and other easy-to-fix vulnerabilities.
Slide 25: Highlights to PCI-DSS 3.0
Evaluating Third Parties
Many entities don’t realize that the responsibility to ensure PCI compliance continues even after payment processing or other functions are outsourced to a third party. Even if another company is handling part or the entire environment, entities still need to know where and how cardholder data is dealt with by the vendors to which they outsource.
Slide 26
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
© 2013 Crowe Horwath LLP
For more information, contact:
Bert Nuehring, Direct (630) 706-2071, Bert.Nuehring@crowehorwath.com
Kevin O’Sullivan, Direct (973) 442-7188, Kevin.Osullivan@crowehorwath.com