PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.


PCI Compliance

Forrest Walsh

Director, Information Technology

California Chamber of Commerce


PCI-Data Security Standards

• What is PCI-DSS?

• Does PCI-DSS Apply to My Business?

• What are the Consequences of Non-Compliance?

• What are My Next Steps?

• Resources


What is PCI-DSS?

• 5 Major Credit Card Companies Created the Payment Card Industry Security Standards Council

• Established (Almost) Common Data Security Standards for Credit Card Data


Does PCI-DSS Apply to My Business?

• “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”

• Applies to all system components which are defined as “any network component, server, or application included in, or connected to, the cardholder data environment”.


Merchant Levels

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; or any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Compliance Requirements Vary By Merchant Level


Compliance Validation Requirements

Level 1: Annual onsite review by a QSA (PCI DSS Assessment) and quarterly network scan by an ASV

Level 2: Annual Self-Assessment Questionnaire and quarterly network scan by an ASV

Level 3: Annual Self-Assessment Questionnaire and quarterly network scan by an ASV

Level 4: Annual Self-Assessment Questionnaire and quarterly network scan by an ASV

Validation Requirements Vary By Merchant Level


Consequences of Non-Compliance

• Increased Bank Fees

• Reclassification of Merchant Level

• Potential loss of card processing privileges


Consequences of a Breach

• Damage to Brand

• Mandatory involvement of federal law enforcement

• Merchant banks may pass along substantial fines levied by the credit card companies

• Up to $500,000 per incident from Visa

• Civil liability and cost of providing Identity Theft protection


PCI Goals and Requirements: 6 Goals, 12 Requirements

Build and Maintain a Secure Network

• Install and maintain a firewall configuration to protect cardholder data

• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

• Protect stored cardholder data

• Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

• Use and regularly update anti-virus software

• Develop and maintain secure systems and applications

Implement Strong Access Control Measures

• Restrict access to cardholder data by business need-to-know

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

Regularly Monitor and Test Networks

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

Maintain an Information Security Policy

• Maintain a policy that addresses information security


Next Steps

• Complete the SAQ

• Create a remediation plan

• Find an ASV and schedule your quarterly network scans

• Check with your bank or credit card authority to find out when they expect to receive your SAQs and ASV scans

• Obtain a statement of compliance or SAQ from each of your service providers


Resources

• Your Bank

• PCI Security Council Website https://www.pcisecuritystandards.org/index.shtml