©2015 RSM US LLP. All Rights Reserved.
2015 IASA CAROLINA'S CHAPTER MEETING
WAKE FOREST UNIVERSITY, CHARLOTTE
DECEMBER 14, 2015
HOW CAN PCI BE LEVERAGED TO IMPROVE YOUR CYBERSECURITY PROGRAM
December 14, 2015
Objectives
- What PCI is, why it exists, and how PCI compliance affects your industry and organization
- Challenging requirements that could drastically impact your compliance efforts
- Guidance on how to provide the highest level of security for confidential data while still implementing efficient payment card processes
- How to gain the most benefit from PCI compliance to protect your whole organization
Introductions
Corbin Del Carlo
National Leader, PCI Services
Director, Security and Privacy Services
RSM US LLP
Corbin.DelCarlo@rsmus.com
(847) 413-6319
The World Has Changed
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons."
Cosmo - Sneakers
What drives PCI compliance?
- Hackers and large international organized crime syndicates
- Higher monthly fees for non-compliance
- The fallout of a data breach:
  - The fallout can be significant, including fines/penalties, termination of your ability to accept payment cards, lost customer confidence, legal costs, settlements and judgments, fraud losses, etc.
  - A breach could result in a cost of, on average, $200 per card number lost.
- Knowing what data you have and where it resides
Information Value (marketplaces)
Fraud cycle
The PCI DSS
- The PCI DSS was introduced to force the implementation of controls at service providers and merchants to protect CHD
- The PCI DSS has very specific controls that can be implemented to reduce the risk of data compromise
- Based on 12 requirements
- Roughly 404 sub-requirements, which are specific controls to be implemented
- Designed with current breach methods in mind and focused on implementing controls that prevent data loss
The PCI DSS (cont.)
- Required for all organizations that store, process, or transmit CHD
- Compliance deadline for Service Providers was April 30, 2007
- Compliance deadline for all organizations was September 30, 2009
- If the deadline passed six years ago, why do so many organizations still not even know what PCI compliance is?
- Compliance vs. Validation
We are PCI compliant, we're done, right?
Of course not... Many validated compliant organizations were still compromised:
- Heartland Payment Systems (2008) - 100 million cards lost
- Hannaford Brothers (2008) - 4.2 million cards lost
- RBS WorldPay (2008) - 1.5 million
- Global Payments (2012) - 7 million cards
- Target (2013) - 40 million cards
So what is the problem?
PCI compliance is...
- Point in time
- Very limited in focus
- Contractual, not a legal mandate (non-compliance is not unlawful)
- Gives a false sense of security
- Significant costs create management expectations
- Implemented controls create employee frustration (bypassing controls)
Security is the goal of the PCI DSS, but not the outcome
How does this affect the insurance industry?
- Lots of recurring payments, which can require significant CHD storage
- Legal or regulatory scrutiny based on publicity of a data breach
- PAN data integrated into multiple business processes
  - Segmentation difficult to impossible
Requirements that organizations struggle with
Scope of assessment
- Evidence that cardholder data only resides in the cardholder data environment. Proof via:
  - Data flow documentation
  - Interviews with business process owners
  - Automated scans at perimeter points
  - Proof of data containment
[Image courtesy of PCI SSC]
Requirements that organizations struggle with (cont.)
E-Commerce Scoping whitepaper
- Published in January 2013
- Clarifies the scope of PCI DSS in relation to e-commerce apps
- Most importantly, pulls redirect systems into scope
- SAQ exceptions
- http://bit.ly/1Lg1NXO
[Images courtesy of PCI SSC: Information Supplement - PCI DSS E-Commerce Guidelines]
Requirements that organizations struggle with (cont.)
Requirement 3.4 - Mixture of hash and truncation (tokens)
- Additional controls are required if both the hashed and the truncated values are present in the same system
- If the organization is using tokens, what are those tokens? See the Council's token guidance: http://bit.ly/1G2jfeW
Requirement 4.1
- SSL is no longer considered a secure protocol
- TLS: must migrate to TLS 1.2, or have a plan to do so, by June 2016
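The Requirement 4.1 point above (SSL and early TLS are out; TLS 1.2 is the target) is easiest to act on with a small check against your own endpoints. The following is an added example written for this page, not code from the presentation or from RSM: it builds a client context that refuses anything below TLS 1.2, and a probe that reports whether a server still accepts a given protocol version. The host and port in the usage block are placeholders.

```python
"""Added example: TLS 1.2 minimum policy and a per-version probe (Requirement 4.1)."""
import socket
import ssl

# Versions this policy treats as acceptable; matches the slide's TLS 1.2 target.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Hardened client context: certificate and hostname verification on,
    nothing older than min_version negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def protocol_is_acceptable(negotiated_version):
    """negotiated_version is the string ssl.SSLSocket.version() returns,
    e.g. 'TLSv1', 'TLSv1.1', 'TLSv1.2'."""
    return negotiated_version in ACCEPTABLE_VERSIONS


def server_accepts(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to exactly
    `version` (an ssl.TLSVersion). Used to confirm that SSL/TLS 1.0 are
    actually disabled on your own servers; certificate checks are off here
    because the question is only which protocol versions are offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Placeholder endpoint: replace with a server you are responsible for.
    HOST, PORT = "payments.example.invalid", 443
    for name, v in (("TLSv1", ssl.TLSVersion.TLSv1),
                    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                    ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        print(f"{HOST}:{PORT} accepts {name}: {server_accepts(HOST, PORT, v)}")
```

A migration plan for 4.1 is a list of endpoints plus the result of `server_accepts` for TLS 1.0 and 1.1 on each; once those return False everywhere, the `make_client_context` policy can be enforced on the client side without breaking connections.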
Requirements that organizations struggle with (cont.)
Requirement 10.2.1 - Audit access to CHD
- Requires that all individual user access to CHD be logged and included in the audit trails
- No shared accounts without some other compensating control
Requirement 10.6 - Daily log reviews
- Clarified that log reviews should identify suspicious activity or anomalies
- Allows a risk management strategy to be applied to which logs are reviewed
- Actually a bit easier, but almost always requires a SIEM
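Requirements 10.2.1 and 10.6 together say: log every individual's access to CHD, then review those logs for anomalies rather than just keeping them. As an added illustration (not part of the presentation, and not RSM's tooling), the script below runs three simple review rules over a few constructed CHD-access audit records: access outside business hours, bulk reads, and one account used from several hosts, which is the usual sign of a shared or generic account that 10.2.1 wants eliminated. The log format, thresholds and business hours are assumptions chosen for the example.

```python
"""Added example: a minimal daily log review for CHD access (10.2.1 / 10.6)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records, not real data. One line per access to
# the (hypothetical) card_vault table; key=value format is an assumption.
SAMPLE_LOG = """\
2015-12-14T09:02:11 user=jsmith src=10.10.5.21 action=read records=1 table=card_vault
2015-12-14T09:05:47 user=jsmith src=10.10.5.21 action=read records=2 table=card_vault
2015-12-14T11:30:02 user=svc_reports src=10.10.8.40 action=read records=1 table=card_vault
2015-12-14T11:31:15 user=svc_reports src=10.10.9.77 action=read records=1 table=card_vault
2015-12-14T02:14:09 user=mlee src=10.10.5.30 action=read records=1 table=card_vault
2015-12-14T14:10:00 user=tbrown src=10.10.5.44 action=export records=5000 table=card_vault
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time; assumed policy
BULK_THRESHOLD = 1000           # records touched in one action; assumed policy


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime and int count."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["records"] = int(rec["records"])
    return rec


def review(log_text):
    """Return a list of (rule, user, detail) findings for the analyst.

    Rules:
      off_hours      - access to CHD outside BUSINESS_HOURS
      bulk_access    - a single action touching >= BULK_THRESHOLD records
      shared_account - one account seen from more than one source host,
                       a heuristic for shared/generic credentials (10.2.1)
    """
    findings = []
    hosts_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hosts_by_user[rec["user"]].add(rec["src"])
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", rec["user"], rec["ts"].isoformat()))
        if rec["records"] >= BULK_THRESHOLD:
            findings.append(("bulk_access", rec["user"], rec["records"]))
    for user, hosts in hosts_by_user.items():
        if len(hosts) > 1:
            findings.append(("shared_account", user, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:15} {user:12} {detail}")
```

The three rules are deliberately cheap; a SIEM does the same thing at volume and across sources, which is why the slide notes that 10.6 almost always ends up needing one. The point of the risk-based wording in 10.6 is that rules like these are applied to the CHD-access logs first, not to every log the organization produces.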
Requirements that organizations struggle with (cont.)
Requirement 9.9 - Protect capture devices
- All devices that capture payment data (PIN pads, card swipes, chip readers, etc.) must have unique tamper-proof stickers
- Periodic review of all stickers to validate "not broken or equipment substituted"
Requirement 11.3 - Pen-testing methodology
- Methodology has to be documented, based on an industry standard (such as NIST SP 800-115), and include current threats and vulnerabilities
- Has to include the CDE perimeter and critical devices
- Has to validate any segmentation or scope reduction controls used to reduce the scope of the assessment
- Retention of remediation documentation
- http://bit.ly/1NrH5pt
Requirements that organizations struggle with (cont.)
Requirement 12.8.5 - Vendor management
- Merchant must maintain information on which PCI DSS requirements are managed by each service provider and which by the entity itself
- Responsibility matrix
- MORE than just contractual language
- Organization may need to determine whether a TPSP meets PCI DSS requirements, depending on the services provided
Requirement 12.9 - Vendor acknowledgement
- Service providers must provide, and merchants must obtain, written acknowledgement of the responsibilities discussed in 12.8
Requirements that organizations struggle with (cont.)
Matrix example:
SAQs
SAQ v3.1
EMV AND HOW TO REDUCE PCI RISK
EMV - Chip-based cards
- EMV: Europay, MasterCard and Visa
- October 1, 2015 was the date to have EMV (chip) implemented
- Only chip and signature in the USA
- Liability for loss shifts to the party with the lower technology
- Minimal PCI DSS impact
  - Consider: chip does not change PAN transmission. Are transactions going directly from POS to processor without entering the network?
  - Card Not Present (eComm, mail in, phone, fax) not impacted
- What are the costs to implement updated PIN pads/POS?
- Business perspective on updating
EMV - Chip and signature
- Confirm issuer and processor are ready to accept chip and signature
- Global operations
  - Implement globally, if you have not already done so
  - Implement in the US
- P2PE (Point-to-Point Encryption): consider EMV as part of this solution
- Multiple initiatives:
  - Some organizations are in the process of implementing as part of POS upgrade tasks
  - Some organizations are waiting to upgrade until it is time to replace POS devices
  - Some organizations are waiting to see if the date is pushed back for EMV solutions
  - EMV will move forward as a result of the high rate of breaches. The US does 24% of global card transactions and is currently the target of 70% of fraud activity.
Tokenization
The process of replacing a credit card number with a unique set of numbers that have no bearing on the original data.
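To make the definition above and the Requirement 3.4 caveat (hashed and truncated forms of the same PAN in one system) concrete, here is an added example, written for this page and not taken from the presentation or from any vendor's product: a small token vault that issues random tokens with no relationship to the PAN, a truncation helper limited to first six and last four, and a keyed HMAC (rather than a plain hash) as the vault's lookup index so that the index value cannot be correlated with a truncated PAN the way an unkeyed hash can. The PAN used is a well-known test number; the vault key, the in-memory storage and the 16-digit token format are assumptions for illustration.

```python
"""Added example: tokenization, truncation and a keyed lookup index (Req. 3.4)."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(pan):
    """True if pan is 13-19 digits and passes the Luhn check digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan):
    """PCI-style display form: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens. The only place the PAN exists is inside
    the vault; callers outside the CDE see tokens only. In a real deployment
    the stored PAN would be encrypted and the key held in an HSM/KMS; here
    the key is generated in memory (assumption for the example)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan):
        # Keyed HMAC, not a bare SHA-256: without the key an attacker holding
        # the index and a truncated PAN cannot enumerate the missing digits.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self):
        # Random 16 digits that deliberately fail Luhn, so a token is never
        # mistaken for, or usable as, a card number.
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(16))
            if token not in self._pan_by_token and not luhn_valid(token):
                return token

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:          # same PAN -> same token
            return self._token_by_index[idx]
        token = self._new_token()
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only callable from inside the CDE in a real design."""
        return self._pan_by_token[token]


# Module-level vault and wrappers so the functions can be exercised directly.
_VAULT = TokenVault()


def tokenize(pan):
    return _VAULT.tokenize(pan)


def detokenize(token):
    return _VAULT.detokenize(token)


if __name__ == "__main__":
    pan = "4111111111111111"          # standard test card number, not a real card
    tok = tokenize(pan)
    print("display form:", truncate(pan))
    print("token:       ", tok, "(Luhn valid:", luhn_valid(tok), ")")
    print("round trip:  ", detokenize(tok) == pan)
```

Two design points carry the security argument: the token is generated from a random source, so nothing about it derives from the PAN; and the vault's lookup index is keyed, which is the "additional control" the 3.4 slide is talking about when a hashed and a truncated value of the same PAN could otherwise be found together.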
P2PE
- P2PE ensures sensitive credit and debit card data is protected from the first card swipe, while in transit to the payment processor, where it is securely decrypted
- Consider P2PE along with EMV as part of your solution
WHAT CAN BE DONE: IT'S NOT HOPELESS
How Do I Get Started?
When I get back to the office today:
- Review your Information Security Policy/Program
- How mature is our Incident Response plan?
- How mature is our Risk Assessment?
Daily/Weekly:
- Update anti-virus software and apply patches
- Monitor access to critical data
How Do I Get Started? (cont.)
Monthly:
- Review daily processes (terminations, change management, log reviews)
- Check security patches
Quarterly:
- Test security systems and processes
- Vulnerability scanning
Yearly:
- Independent penetration testing
- Review and update DR/IRP plan
- Vendor security reviews
- Security awareness
Every 3-5 years:
- Revisit security strategy/needs (RA): does it really address your threats?
Corbin Del Carlo
Corbin.DelCarlo@rsmus.com
(847) 413-6319
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.
© 2015 RSM US LLP. All Rights Reserved.
RSM US LLP
4725 Piedmont Row Drive, Suite 300
Charlotte, NC 28210
704.367.6251
+1 800 274 3978
www.rsmus.com