Maze & Associates PCI Compliance Tracker for Local Governments
Uploaded by donald-hester. Category: Technology.
Maze & Associates
PCI Compliance Tracker for Local Governments
Action Items
• Document how your organization stores, processes or transmits credit card information
• Determine your merchant level
• Determine your validation requirements
  – Contact your merchant banks and acquirers
• Determine your SAQ validation type
• Find an ASV (Approved Scanning Vendor) for compliance network vulnerability scans
  – Perform at least quarterly scans
• Annually fill out your SAQ
  – Turn in and/or keep on file
10 Steps to Document the Cardholder Environment
1. Determine Merchant Level (number of transactions)
2. List all Merchant Banks and Acquirers
3. List all outsourced processors, ASPs and third-party processors
4. Document all Payment Applications
5. Document all PEDs used (Point of Interaction)
6. List all physical locations where CHD is processed, stored or transmitted
7. List all electronic storage of CHD
8. Document electronic transmission
9. Document policies that address PCI requirements
10. Implement applicable PCI DSS controls
Step 1: Determine Merchant Level
• List the number of credit card transactions for all Merchant Banks and Acquirers
• List by card brand as well
• Determine your merchant level based on total annual credit card transactions
• The number is based on the aggregate number of transactions for a DBA
Note: Merchant levels are defined by the Card Brands and determined by the Acquirer based on transaction volume.
Step 2: Document Acquirers
• List all Acquirers, Merchant Banks and/or Acquiring Banks
• Include card brands when they act as acquirer, e.g. Amex, Discover, JCB
• Would never be Visa or MasterCard
• They determine your merchant level and reporting requirements
Step 2: Document Acquirers
• Contact Information
  – Address
  – Phone Number
• Incident Response Team
• Website
  – Monitor for changes in requirements
• Any notes, and documentation of conversations you have with them
Step 3: Determine Service Providers
• A Service Provider is a business or entity that is directly involved in the processing, storage, transmission or switching of transaction data and/or cardholder data (CHD)
• Include any service provider that has control over, or could have a security impact on, CHD
Examples of Service Providers
• Transaction Processors
• Customer Service
• Call Centers
• Payment Gateways
• Credit Reporting
• External Sales
• Remittance Processing
• Card Embossing Companies
• Information Security Providers
• Offsite Data Storage Providers
Manage Service Providers
• Maintain a list of service providers
• Maintain agreements that hold service providers responsible for the security of CHD
  – Include reporting and breach notification
• Have a process to validate new service providers before they become service providers
• Have a program to monitor service provider compliance at least annually
Step 4: Document Payment Applications
• List all payment applications
• Document the business use of the applications
• Determine if the application is compliant
• Determine if the application stores CHD
• Check the PCI website for the list of approved applications
Action Items
• Contact the vendor; make sure payment applications are PA-DSS compliant or will be.
• Contact your PIN device supplier; make sure you have compliant PIN Entry Devices.
https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://www.pcisecuritystandards.org/security_standards/vpa/
Payment Applications
• In-house applications
  – SDLC controls
  – Code reviews
  – Application firewalls
  – OWASP
Step 5: Document PED
• List all Points of Interaction (POI)
  – List all PIN Entry Devices (PED)
  – List all Point of Interaction devices
  – List all Unattended Payment Terminals (UPT)
  – List all Point of Sale (POS) devices
• Document compliance for those devices currently required to be PCI compliant
PED
• PIN Entry Device
  – Scope of the standard is increasing
• PIN Transaction Security (PTS)
  – Will include
    • UPT (Unattended Payment Terminals)
    • POI (Point of Interaction)
    • POS (Point of Sale Devices)
  – Standard addresses the vendors who make devices
  – Merchants must use approved devices
Step 6: Physical CHD
• List all physical locations where PAN is processed, stored or transmitted
  – Paper
  – Receipts
  – Imprints
  – Carbon copies
  – Locations of backup media
• Document Retention Period
  – Justify with business need
• Document Destruction Policy
Step 7: Electronic Data Storage
• List all electronic storage of CHD
• Document the business reason for storing and the retention period
• Requirements in PCI DSS
  – Encryption
  – Access controls and audit logs
  – Never permitted to store full track data
Cardholder Data

| Category | Data Element | Storage Permitted | Protection Required | PCI DSS 3.4 |
| --- | --- | --- | --- | --- |
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | Yes | No |
| Cardholder Data | Service Code | Yes | Yes | No |
| Cardholder Data | Expiration Date | Yes | Yes | No |
| Sensitive Authentication Data | Full Magnetic Stripe Data | No | N/A | N/A |
| Sensitive Authentication Data | CVC2 / CVV2 / CID / CAV2 | No | N/A | N/A |
| Sensitive Authentication Data | PIN / PIN Block | No | N/A | N/A |
Places to Look for CHD
• Electronic image files
• SANs
• Fax servers
• Scan archive
• Printer spool
• Laserfiche
• Log files
• Audio recordings: customer service call recordings
• Voicemail
• Email server/archive
• Backup media
• Copier/scanner cache
• Databases
Perform a search for CHD every 6 months.
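The six-monthly CHD search is the step that benefits most from a small scanner. As an added example (not code from the Maze & Associates deck), the Python below looks for candidate PANs in text such as log lines, confirms them with the Luhn check so order numbers and timestamps drop out, masks each hit to the first six and last four digits so the report itself is not new CHD storage, and separately flags track-2 style records, which the storage table above says are never permitted to be stored. The sample lines are constructed and use the 4111 1111 1111 1111 test number.

```python
import re

# Constructed sample lines (not real data): the 4111 1111 1111 1111 test PAN,
# a track-2 style record, a number that fails the Luhn check, and plain noise.
SAMPLE_LINES = [
    "2023-01-05 10:14:22 payment ok card=4111 1111 1111 1111 amount=42.50",
    "2023-01-05 10:14:23 debug track2=;4111111111111111=25121011234567890?",
    "2023-01-05 10:15:00 invoice 4111111111111112 ref=PO-2023-0017",
    "2023-01-05 10:16:01 order id 1234567890123 shipped",
]

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 layout: ';' PAN '=' expiry (YYMM) ...; a hit means full track data was written out.
TRACK2 = re.compile(r";\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits so the report is not itself CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str) -> list:
    """Return (category, detail) findings for one line of text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask_pan(digits)))
    if TRACK2.search(line):
        findings.append(("TRACK_DATA", "full track data present; never permitted to be stored"))
    return findings

def scan_lines(lines: list) -> dict:
    """Map line index -> findings, for lines that contain CHD."""
    report = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[i] = hits
    return report
```

Run `scan_lines(SAMPLE_LINES)` to see that only the two lines carrying real CHD are reported, with the PAN masked and the track-data line flagged separately.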
Unknown Storage
• Fax machines and copy machines may store CHD
http://www.youtube.com/watch?v=iC38D5am7go
Step 8: Document Data Transmission
• Not only do you need to know where your data is stored, but also where it travels
• Create a data flow diagram
  – Diagram with CHD flow superimposed over the network diagram
• Evaluate the flow every 6 months, or more often if there has been a change
• Helps determine the PCI scope and aids in determining network segmentation
Document Data Flow
• On a network diagram, document the flow of credit card information (transmission)
• Locate any places the information might be stored along the data path (storage)
Step 9: Create Needed Policies
• What policies do you currently have that address PCI-related issues?
• Create needed policies
• See section 12 of the PCI DSS
• You will need to create additional subordinate policies, procedures or administrative directives for specific PCI control requirements
• Every PCI DSS control should be documented in some policy, procedure, administrative directive, SOP or schedule
Step 10: Document PCI DSS
PCI DSS
The Payment Card Industry Data Security Standard:
• 6 Objectives (Goals)
• 12 Sections (Requirements)
• 194 Controls
PII Policy
• If you already have a policy for handling confidential information or personally identifiable information (PII), add credit card information to the definition of confidential information or PII.
PCI DSS
• Start implementing the data security standard, beginning with policies
• Start with high-level policies
  – “The City shall not store PAN (Credit Card Numbers) electronically or physically. Employees shall be trained on the PCI standard annually. Background checks will be performed on all staff with access to credit card information.”
PCI DSS
• Use the prioritized approach to implement the most important controls first.
Document Compliance
• Determine if all PEDs are PCI compliant
• Determine if all payment applications are PCI compliant
• Determine if all 3rd-party processors and 3rd parties are PCI compliant
• Obtain documentation from each
• Annually renew documentation from 3rd parties
• Annually check the payment application and PED lists