PCI Compliance Roundtable Update Presented by the PCI Compliance Task Force.
PCI Compliance Overview (EarthLink Business)
What is PCI Compliance?
Definition – Payment Card Industry Data Security Standard (PCI-DSS)
Set up in 2004 by Visa, MasterCard, American Express, Discover, and JCB to reduce the risk of credit card theft and transfer liability to merchants
Requires mandatory adoption by all businesses that store, process, or transmit credit/debit card data
• 6 Control Objectives
• 12 Core Requirements
• 280+ Audit Procedures
Many misconceptions about PCI DSS
PCI DSS is complex, and applies to all merchants who accept credit cards
I don’t need to be compliant because…
• “…I don’t process many credit cards.”
• “…I don’t store credit card information.”
• “…I’m not a major brand retailer.”
OR I’m compliant because…
• “…My POS systems are compliant”
• “…I have firewalls in place”
• “…I’ve passed an ASV scan”
• “…I’ve implemented the basic requirements”
If you cannot answer yes to the three questions below, you are NOT PCI Compliant:
1. Have ALL employees completed a PCI Certified security awareness training program upon hire and annually thereafter?
2. Have all employees read and signed a formal security policy?
3. Can you demonstrate that all remote access by you, your employees or vendors incorporates 2-factor authentication?
A recent survey by Gartner, Inc. found that 18 percent of respondents admitted to not being PCI-compliant.
Timeline: What happens if I am breached?
Timing: Action
Day 1: Notification of breach; stop taking credit cards; monitor for PR/social impact
Day 5: Complete forensic audit; contact a Qualified Security Assessor (QSA)
Day 7: Obtain remediation proposals
Day 10 to Day 40-180: Execute remediation plan; replace credit cards; disclose breach; address brand impact; possible reclassification as Level 1
What’s the likelihood and risk of breach?
• $80K: average per-location direct cost of a data breach (excludes indirect costs such as damage to brand)
• 1 in 6 small businesses will suffer a credit card breach in the next 24 months
• 98% of breaches originate from organized criminal groups
• 174: average days between intrusion and detection
• 97% of U.S. incidents are brick & mortar merchants
• 91% of U.S. breach events occurred at small merchants
What’s the financial impact to my business?
Data Breach Cost Breakdown
• ~$20,000 for an internal forensic audit
• $50 per breached card for reissuance
• Up to $500,000 in regulatory compliance violation fines
• Payment of transactions held back from merchant processor
• Damage to brand/lost revenue
• Loss of credit privileges/credit impact
What are the requirements for PCI Compliance?
6 control objectives, 12 core requirements, and 280 specific requirements under the 12 core requirements:
1. Build and Maintain a Secure Network
   1. Install and maintain a firewall configuration to protect data.
   2. Do not use vendor-supplied defaults for system passwords or other security parameters.
2. Protect Cardholder Data
   3. Protect stored data.
   4. Encrypt transmission of cardholder data and sensitive information across public networks.
3. Maintain a Vulnerability Management Program
   5. Use and regularly update antivirus software.
   6. Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
   7. Restrict access to data by business need to know.
   8. Assign a unique ID to each person with computer access.
   9. Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data.
   11. Regularly test security systems and processes.
6. Maintain an Information Security Policy
   12. Maintain a policy that addresses information security.
What do I need to do to validate PCI compliance?
• 4 merchant levels based on volume of transactions
• Validation requirements vary based on level
Validation methods: On-Site Security Audit, Self-Assessment Questionnaire (SAQ), Network Authorized Vendor Scan (ASV)
Level 1: Any merchant processing more than 6 million transactions per year. On-Site Security Audit required annually; ASV scan required quarterly.
Level 2: Any merchant processing 1 to 6 million transactions per year. SAQ required annually; ASV scan required quarterly.
Level 3: Any merchant processing 20,000 to 1 million transactions per year. SAQ required annually; ASV scan required quarterly.
Level 4: All other merchants, not in Levels 1, 2 or 3. SAQ required annually; ASV scan required quarterly.
How to Proactively Protect Your Business from Breach
Step 1: Establish Financial Protection
Step 2: Validate PCI Compliance
Step 3: Achieve Compliance
Step 4: Maintain Compliance
Step 1: Financially Protect Your Business
Acquire adequate breach protection for each store location to help cover direct costs in the event of a breach. For as little as $1 per day per location, this can cover the costs of:
• Forensic audit and consultation with a Qualified Security Assessor (QSA)
• Replacement of credit cards and related expenses
• Fines and penalties incurred
Step 2: Validate PCI Compliance
PCI compliance must be validated on an ongoing basis.
Step 3: Achieve PCI Compliance
Address gaps identified during the validation process (up to 280 requirements depending on your environment).
Common issues:
• Outdated firewalls
• Insecure remote access
• Weak security configurations
• Operating system flaws
• Lack of staff training
• Flawed security policies
• Poor change control procedures
Step 4: Maintain Compliance
• Conduct on-going PCI training for employees, including cashiers and IT staff
• Document and enforce security policies
• Conduct regular assessments and network scans for all locations, and remediate gaps
• Identify and work closely with a PCI Compliance Partner who can help
PCI Compliance Validation Service for Level 2-4 merchants
Provides $100,000 in breach protection per location
Includes Web-based tools for:
• Wizard-based Self-Assessment Questionnaire (SAQ)
• Authorized Scan Vendor (ASV) scanning
• Task Management and Reporting
• Security Policy Templates
• PCI eLearning (cashier, IT and owner)
Powered by ANX eBusiness
Protect Your Business & Validate PCI Compliance with EarthLink