PCI Data Security Compliance SCITDA Spring Conference


1 PCI Data Security Compliance SCITDA Spring Conference
Roadmap for PCI Data Security Compliance
SCITDA Spring Conference
David C. Reavis, Office of South Carolina State Treasurer
March 5, 2018

2 The Enemy: Hacker / Fraudster
Major Card Breaches
  TJ Maxx
  Equifax
  Target
  NC Ferry Division
As merchants, governments are:
  Required to be PCI compliant
  Subject to fines by card brands
Fraud is rampant across the country
Governments are easy targets
Subscription to a PCI Compliance Validation service is now required

3 Responses After Card Security Breach
“I thought the IT Department was taking care of PCI compliance, since it deals mostly with IT stuff”
“I thought outsourcing processing to a vendor relieved me of PCI responsibility”
“I didn’t know I was required to give all new hires PCI Awareness training, and provide refresher training annually”
“I didn’t know the contract with our third-party service provider had to specify their responsibility for PCI compliance”
“I didn’t know I had to complete a self-assessment questionnaire (SAQ) annually and provide it to the card processor”
“I didn’t know the IP addresses for our POS software had to undergo quarterly vulnerability scans”
“I didn’t know we had to have a security incident plan tested annually”
“I didn’t know we could be fined for not being PCI compliant”

4 Treasurer’s Policy on PCI Compliance
SC State Treasurer issued policy July 2016
  Specifies participants’ responsibilities regarding PCI compliance
  Subscription to a PCI Compliance Validation service is a requirement to continue participating in the new statewide contract
    Utilize First Data’s “PCI Rapid Comply” service; or
    Select a vendor of choice (for extensive services)
STO issued a PCI Roadmap document providing guidance in complying with PCI
  Designed for the business staff, more so than the IT staff
  Adherence is the responsibility of the business office

5 Source of PCI Compliance Requirements
Participants in the Merchant Card Services Agreement are contractually:
  Considered “merchants”
  Subject to card association rules (Visa, MasterCard, etc.)
Rules specifically require all merchants to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS)
  Issued by the PCI Security Standards Council
  Council formed by the card brands
Failure to comply with PCI-DSS can result in substantial fines (up to $500,000 per brand)

6 Fines for PCI Non-Compliance
Card brands can ask for proof of compliance at any time
  Merchant must provide proof of compliance
  Must respond within specified time frame
Visa and MasterCard at their discretion may levy non-compliance assessments if compliance is not validated
Published MasterCard Assessments:
  Occurrence or Violation   Amount
  First violation           $10,000
  Second violation          $20,000
  Third violation           $40,000
  Fourth violation          $80,000

7 Three Components of PCI DSS
Compliance – Adherence to the standard
  Applies to every merchant regardless of volume
  Applies to both technical and business practices
Validation – Verification that merchant is compliant
  Depends upon type of card capture method(s) utilized
  Two types of Validation:
    Self-Assessment Questionnaire (SAQ) – Annually – Applies to every merchant
    External Vulnerability Scanning – Quarterly – Applies if external-facing IP addresses are involved (Web and POS Software) – Must be performed by a Qualified Scanning Vendor (QSV)
Attestation – Providing proof of validation to card processor
  Card processor reports to Visa and MasterCard
  Attest whenever requested by the card processor

8 PCI Compliance Responsibilities
A business problem with an IT solution
Imperative that there be coordination of all parties and activities involved in the validation process
Best practice is to have a PCI Oversight Committee comprised of both business and IT staff
Business staff (who signed the merchant card contract), not IT, are responsible for attestation

9 Card Volumes Determine Level of Compliance
Four levels of merchants
  Determined by each card brand, not by the PCI Council
  Based upon annual volume of the highest brand, not all brands combined (Visa is normally higher than MasterCard)
State agencies and universities are either a level 3 or 4
  Level 4 – Fewer than 20,000 e-commerce transactions and all other channels less than one million transactions
  Level 3 – 20,000 or more e-commerce transactions annually
  Both levels require annual SAQ and vulnerability scans
Levels 1 & 2 require an on-site security assessment
  One million transactions of the highest brand

10 Cardholder Data Environment (CDE)
Identify all capture methods / merchant numbers
  Ecommerce vs Non-ecommerce
  In-house vs Outsourced
Identify all capture methods with IP addresses
  Ecommerce
  POS Software

11 Third-party Service Providers
Outsourcing limits PCI scope; it does not eliminate it
If the service provider is not compliant, then the merchant is not compliant
Fines for breaches are assessed to the merchant, not to the service provider
  However, the service provider can require the merchant to be compliant also
Requirements 12.8/12.9 require the merchant to “manage” the service provider:
  Maintaining a “written agreement” specifying the service provider’s and merchant’s responsibility for compliance
    Best practice is to also address “liability” for non-compliance
  Monitoring the service provider’s ongoing compliance status
Two Levels of Service Providers

12 Service Provider Arrangements
Two Types of Arrangements with Service Providers
  Depends upon who is the “merchant of record” – Agency or Service Provider
Agency is “Merchant of Record”
  Agency executes a “Participation Agreement” to participate in First Data’s contract
  Agency is assigned one or more merchant numbers by First Data
Service Provider is “Merchant of Record”
  Agency has an agreement with the service provider only
  Service Provider has one merchant number with First Data for all its clients
SC.Gov (SC Interactive, LLC) provides both types of arrangements
PCI-DSS liability to agency is applicable under both arrangements
  Scope is limited if the service provider is merchant of record
  Service provider’s agreement with agency still requires agency to be PCI compliant

13 Internal Service Providers
Definition of Service Provider – “Business entity … directly involved in the processing, storage, or transmission of cardholder data. This includes companies that provide services that control or could impact the security of cardholder data.”
External-facing IP addresses require external vulnerability scanning
  By an “Approved Scanning Vendor” (ASV)
  Regardless of who houses the server(s)
DTO’s Role in PCI Compliance
  Server housed and managed by DTO
    DTO considered an internal service provider
    DTO arranges for scanning
  Server housed by DTO but managed by agency
    Agency arranges for scanning

14 Card Capture Devices – New Requirement 9.9 effective July 2015
Pertains to physical protection of devices
Maintain an updated list of devices
Periodically inspect device surfaces to detect:
  Tampering
  Substitution
Provide training to employees to be aware of attempted tampering or substitution
Perform inventory of devices utilized and stored

15 POS Software Applications
PA-DSS – Payment Application Data Security Standard
  Different than PCI DSS
  Pertains to the software application
Ensure the application is listed on the PCI Security Council’s website
Ensure the version utilized is consistent with the current version indicated on the Council’s website
Ensure the application is configured correctly
Perform inventory

16 PCI Compliance Security Policy
Requirement 12.1
  Develop
  Publish
  Disseminate
Employee expectations
  Full-time
  Part-time
  Consultants
  Volunteers
STO has a sample policy available for state agencies

17 Employee Awareness Program
Requirement 12.6
Formal Awareness Training
  Upon Hire
  Annual Refresher
Employee must acknowledge training
  In writing
  Electronically
Two options for training
  Third-party vendor
  In-house developed (STO has a PowerPoint module for use)

18 Security Incident Plan
Requirement 12.10
General IT Security Incident Plan is not sufficient
  Should incorporate card brands’ requirements
  Visa requires proof of compliance within 48 hours of a breach
  Forensic investigation may be required if breached
Must be tested annually
Timely notification is most important – Fines are higher if not
STO has a sample policy available for state agencies

19 IT Related Issues
Vulnerability Scanning
Penetration Testing
Firewalls
Encryption & Tokenization
  Two types of encryption – E2E and P2P
  E2E better: Combines encryption with tokenization
  TransArmor provided by First Data utilizes E2E (Fee is $.01 per transaction)
  Reduces PCI scope by eliminating certain SAQ questions
Business area should ensure that IT staff are complying with PCI DSS

20 Some Scanning Vulnerabilities
SSH Protocol Version – Cryptographic problems
Telnet Accessibility – Plaintext (unencrypted) management channels
Database Accessibility – Open port
SSH Protocol Version – Prior to Version 2
OpenSSH X11 Session Hijacking Vulnerability
Remote Desktop Man In The Middle
IIS .cnf – Allows remote users to read sensitive information
MySQL Server Date_Format Function Format String Vulnerability
PHP prior to Multiple Vulnerabilities – Buffer overflows
Apache Prior to Version Multiple Vulnerabilities
SSLv2 Supported – Cryptographic weaknesses
Darwin Streaming Server < Multiple Vulnerabilities

21 Penetration Testing
Became a requirement with the version 3.2 standard – July 2015
Pertains to capture methods associated with SAQs A-EP, C, and D
Primarily to demonstrate proof of “segmentation” of networks
Performed annually or when there is a significant system change
Covers both application and network layer threats
Can be performed by in-house staff
  The persons must be qualified staff members who are organizationally independent from those responsible for the security of the systems
Refer to PCI Council’s document _March_2015.pdf

22 Chip Card (EMV) Technology
Designed to reduce fraud for Card Present transactions only
POS Terminals – Terminal only or terminal with attached PIN Pad
POS Software – Different manufacturers must certify their product
EMV “capable” is different than EMV “enabled”
Fraud liability shift became effective October 1, 2015
  Party that does not support EMV takes on certain fraud liabilities
  Party is either the bank that issued the card or the merchant that accepts the card
Not an industry requirement, but a best practice
  Has no effect on PCI liability for smaller merchants
  Fraud liability is not considerably more than it was prior to October 2015
    Merchants were responsible for most fraud anyway
  Card counterfeit fraud protection is provided by all brands
  However, lost/stolen fraud protection is only provided by MasterCard and Discover (not Visa or Amex)

23 Validating PCI Compliance
Validating compliance with PCI DSS – SAQ and External Vulnerability Scanning
Two options
  First Data’s PCI Rapid Comply – Online Portal
  Contract with a QSA
    Extensive PCI-related services may be needed
    Example – PCI gap analysis and penetration testing
    Not available from PCI Rapid Comply
Explanation of eight SAQs
  Depends upon capture methods utilized

24 Eight SAQs – Choose the SAQ that applies to your organization
Link to Council’s guidelines for selection of SAQ:

25 PCI Rapid Comply Portal
Read FAQs at following website:
Watch Educational Videos and read Educational Articles
Gather merchant statement and identify the Agency’s unique MID (chain #)
Register the agency using the agency’s MID (chain number)
  All merchant numbers associated with the MID will be displayed
Only one SAQ for the entire agency (chain level) is to be prepared
  If multiple capture methods (e.g., Website, Mail/Telephone, In person):
    Prepare a paper SAQ for each method or merchant number – Offline
    Use the paper SAQs to prepare one SAQ online through the portal

26 PCI Rapid Comply Screen
Similar to TurboTax, the questions prompted next depend upon the items selected
Document repository is useful to upload proof of compliance (policies, security incident plans, scan results, device inventory, etc.)

27 First Steps for PCI
Establish a PCI Oversight Committee (Business & IT staff)
Identify cardholder data environment (CDE)
Identify service providers and obtain written agreements
Inventory card capture devices
Inventory POS software
Develop a security policy
Develop an employee awareness training program
Develop a security incident plan – specific to PCI
Verify IT’s compliance
  Vulnerability Scanning if applicable
  Penetration Testing if applicable
Subscribe to a “validation” service
  PCI Rapid Comply, or Qualified Security Assessor
Complete the proper SAQ annually
  Ascertain anniversary date – for expiration
  Required within 90 days of implementation
Close the Barn Door

28 Not Recommended

29 SC State Treasurer’s Office – David Reavis – david.reavis@sto.sc.gov
Resources
  PCI Security Council Web Site
  Visa’s CISP Web Site
  MasterCard SDP Web Site
  PCI Rapid Comply Service
  SC State Treasurer’s PCI Policy and Road Map Document
Consider securing the services of a Qualified Security Assessor (QSA)
Banking Division, SC State Treasurer’s Office
David Reavis – david.reavis@sto.sc.gov
