What Everybody Ought to Know About PCI DSS and PA-DSS

Post on 25-Jan-2015


What Everybody Ought to Know About PCI DSS and PA-DSS. Learn how to comply with the training requirements of PCI DSS, protect cardholder data, avoiding social engineering and malicious downloads and how to update software and anti-virus programs.

Transcript of What Everybody Ought to Know About PCI DSS and PA-DSS

Navigating PCI Compliance: A Risk Avoidance Strategy

Google Hangout Session

July 23, 2014

This Is Where it All Began

December 15, 2004: PCI DSS V1.0 is launched

Payment Credit Card Security Standards

Who is the PCI Security Standards Council?

• The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards

• Works closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

• PCI Council official launch occurred in 2006

• Current Data Security Standard is V3.0 published in November 2013

• Standards Committee has established: Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

What is PCI DSS and PA-DSS?

• PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents.

• This applies to any organization with a Merchant ID (MID)

• PCI DSS V3.0 requirements must be completed by December 31st

• Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council in an effort to provide the definitive data standard for software vendors that develop payment applications (i.e. POS applications or e-commerce websites)

How Does This Affect My Business?

Managing the Requirements:

• Companies that accept, process, transmit, or store payment cardholder data must adhere to PCI Compliance requirements

• Having an SSL certificate for your website is not enough, as this doesn’t prevent malicious attacks or intrusions from occurring

• If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required

Positive Impact and Benefits:

• Compliance with the PCI DSS means that your systems are secure, and you earn customers’ trust in managing their personal information, resulting in future business potential

• Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.

• Establishes a baseline corporate security strategy

• Assists in identification of methods to improve the efficiency of your IT infrastructure

What Happens if I don’t Comply?

• Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations

• Banks will also most likely either terminate your relationship or increase transaction fees if your organization is non-PCI-compliant

• Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential

• Liability for lawsuits, insurance claims, cancelled accounts, payment card issuer fines, along with government fines

Security Training Requirements for PCI DSS V3.0

Current State of Data Security

• Breaches make headlines

• Businesses at risk regardless of size

• The enemy is getting smarter

• Companies must:

  • Understand the threats

  • Take steps to protect themselves and their customers.

• Industry demand has never been higher

• The weakest link: the human

  • Social engineering

  • Lost/compromised login credentials

  • Careless behavior accounts for most incidents

Need for Training

Reduce the Risk – Don’t Store Data

• Don’t store any payment card data

• The less you have, the smaller a target you’ll be

• Know what your vendors are storing.

Reducing Risk – 3rd Party Data Security

• Use PCI validated Point of Sale systems

• Confirm that your vendors follow the PCI DSS and the PA-DSS

• Talk to your bank about reviewing your technology and data storage practices

Reducing Risk – Strong Passwords

• Changing default passwords could have helped avoid the majority of compromises.

• Nearly 80% of breaches of confidential consumer information involved compromised passwords.

Reducing Risk – Updating Software

• Hackers take advantage of software bugs

• Product vendors deal with this by releasing software updates and patches

• Use automated alert services

Become Part of the Solution

1. Understand PCI Compliance and Requirements

2. Ongoing Education and Awareness

3. Take Steps to Safeguard your Business

4. Get Involved

5. Have a Plan