Payment Card Industry (PCI) Compliance

Transcription

1 Payment Card Industry (PCI) Compliance February 13, 2019 To Receive CPE Credit Individuals Participate in entire webinar Answer polls when they are provided Groups Group leader is the person who registered & logged on to the webinar Answer polls when they are provided Complete group attendance form Group leader sign bottom of form Submit group attendance form to within 24 hours of webinar If all eligibility requirements are met, each participant will be ed their CPE certificate within 15 business days of webinar 1

2 Presenter Rex Johnson, CISSP, CISA, CIPT, PMP, PCIP, QSA Director Getting to Know You Which HFMA Chapter are you a member? 1. Western PA 2. Central PA 3. Northeast PA 4. Metro Philadelphia 5. Other 2

3 Credit Cards Are the Most Frequently Available Item on the Dark Web Credit cards account for most instances of identity theft With the rollout of the EMV chip, credit card application fraud is expected to increase in the U.S. Most fraud for credit cards are called card-not-present (CNP) Internationally, CNP fraud rose by 7%, resulting in $242.1 million in losses Interestingly enough, credit cards go for $1 each on the dark web Sources: FICO, Fortune, Australian Payments Network, What Is PCI Compliance? Many years ago, the payment card brands elected to have a standard for assessing the protection of cardholder data (CHD) Implemented the Payment Card Industry Data Security Standard (PCI DSS) If an organization accepts card payment, & stores, processes or transmits cardholder data, they need to be PCI DSS compliant PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Council 3

4 What Is the Security Standards Council? PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council Created to increase controls around cardholder data to reduce credit card fraud Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA) Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications P2PE Merchants & Service Providers PCI DSS Secure Environment PCI DSS PCI DSS defines technical & operational requirements for Organizations accepting or processing card payment transactions; & Software developers & manufacturers of applications & devices used in those transactions QSA are trained to conduct PCI DSS assessments Code of conduct that sets standards to include avoiding a conflict of interest Requires initial training & certification exam Annual training & recertification exam Must maintain working papers for assessments for three years 4

5 How Do You Take Credit Card Payments? Organizations (called merchants in the PCI world) typically have more than one way to take a payment Known as a payment channel In person Payment devices (POS POI) Mail order Online Phone TELEPHONE ORDERS Two Types of Assessments ROC Report on compliance (ROC) Must be performed by an independent organization Lead by a QSA Level 1 merchants & service providers Acquiring banks may elect other levels to do a ROC ROC SAQ The organization s bank (acquirer) or card brands will determine type of assessment SAQ Self-assessment questionnaire (SAQ) Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance May engage a QSA to assist or perform Eight different types of SAQs All levels except Level 1 Attestation of Compliance 5

6 PCI Levels Merchants in General Level Annual Transactions Validation Actions Validated By 1 6 to 20 million Annual on-site security audit (ROC) **&** Quarterly network scan to 6 million 20,000 to 1 million Annual self-assessment questionnaire (SAQ) **&** Quarterly network scan 4 20,000 or less network scan recommended Independent assessor (QSA) or IA with PCI training Scans conducted by ASV Merchant (Selfassessment) Scans conducted by ASV Service Providers A service provider is a business that is not a payment brand & is directly involved in the processing, storage or transmission of cardholder data Performs these duties on behalf of another entity Includes companies that provide services to merchants, other service providers or other entities which control or could impact the security of cardholder data Examples include Data centers Transaction processors Managed service providers (MSP) Payment gateways Vendors that provide POS maintenance 6

7 PCI Levels Service Providers in General Level Validation Actions Validated By 1 Payment gateways & processors Annual on-site security audit **&** Quarterly network scan Independent assessor (QSA) or IA with PCI training Scans conducted by ASV 2 (storage/transmission/ process above 1 million transactions) 3 (storage/transmission/ process below 1 million transactions) Annual SAQ **&** Quarterly network scan Self-assessment Scans conducted by ASV PCI SAQ Types Type of SAQ depends on the type of merchant environment & confirmed by acquirer A: card not present merchants (e-commerce or mail/telephone order) A-EP: e-commerce merchants who outsourced payment processing to third parties B: merchants using a) imprint machines or b) standalone dial-out terminals B-IP: standalone, PTS-approved payment terminals C-VT: manually enter a single transaction at a time virtual payment (not e-commerce) C: payment applications connected to the internet, no electronic CHD storage P2PE: hardware payment terminals managed by P2PE solution (not e-commerce) D: all merchants not included in the above 7

8 PCI DSS Requirements Goals PCI DSS Requirement 1. Install & maintain a firewall configuration to protect cardholder data Build & maintain a secure network 2. Do not use vendor-supplied defaults for system passwords & other security parameters 3. Protect stored cardholder data Protect cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use & regularly update anti-virus software or programs 6. Develop & maintain secure systems & applications 7. Restrict access to cardholder data by business need to know Implement strong access control measures 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor & test networks 10. Track & monitor all access to network resources & cardholder data 11. Regularly test security systems & processes Maintain information security policy 12. Maintain a policy that addresses information security for all personnel Requirement 1: Install & Maintain Firewall Configuration to Protect Cardholder Data Firewalls are required to protect the CDE Restrict traffic from untrusted networks & hosts Prohibit direct public access from internet to CDE Although network segmentation is a good idea, it is not required 8

9 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Other Security Parameters Network devices come with default passwords Remove/change these defaults for better security Configuration standards are part of this requirement NIST ISO SANS CIT Default Password Requirement 3: Protect Stored Cardholder Data Implement a data retention & disposal processes Do not store the whole PAN OK to display first six & last four digits of a card Encryption for additional protection Consider additional security measures, such as tokenization 9

10 Tokenization The process of replacing a credit card number (PAN) with a unique set of numbers that have no bearing on the original data Creates specific characters that only work during the transaction Reduces risk of credit card data theft or misuse Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks Use strong encryption where CHD is transmitted over public networks Includes wireless networks Never send unprotected PANs by end user messaging Don t CC# Don t send over IM 10

11 Requirement 5: Use & Regularly Update Anti-Virus Software or Programs Use anti-virus software on systems Maintain anti-virus definitions are current & actively running Prevent the ability to disable anti-virus Generating logs Requirement 6: Develop & Maintain Secure Systems & Applications Keep system patches current Critical patches deployed within 30 days of release Risk ranking to vulnerabilities Change control processes & procedures Secure coding guidelines 11

12 Requirement 7: Restrict Access to Cardholder Data by Business Need to Know Limit access only to those whose job requires Documented approval for access Access control systems in place Deny all unless specifically allowed Only those with a business need Requirement 8: Identify & Authenticate Access to System Components Unique IDs required & proper authentication Strong password parameters Multifactor authentication Two or more authentication methods Something you know (password), Have (token) or Are (biometric) Do not use group, shared or generic IDs 12

13 Requirement 9: Restrict Physical Access to Cardholder Data Limit & monitor physical access to systems in the CDE Procedures to distinguish between on-site personnel & visitors Visitors are authorized & a log maintained Backups are secure Media is classified & safeguarded Destroy media when no longer in use Training for identifying tampered devices Device Tampering: Skimming A skimming device is a camouflaged counterfeit card reader to record the card s information It will still allow the cardholder to perform their transaction Used at ATM machines, retail stores, restaurants & taxis Can sometimes be a hand-held skimmer small enough to fit into a pocket 13

14 Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data Audit trail for users who have access to CHD Logging of invalid attempts Restricted access to logs Prevent log tampering Time synchronization Critical systems time synchronized Unable to tamper with time data Retain audit history for at least one year Requirement 11: Regularly Test Security Systems & Processes Identify wireless access points Run internal & external network vulnerability scans quarterly Internal & external penetration testing annually (or twice a year for service providers) Intrusion detection & prevention in place 14

15 Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel Establish, publish & maintain security policies for PCI Daily operational security procedures Usage policies for technology in the CDE Assign personnel with security responsibilities Security awareness program Employee screening prior to hiring Policies for service providers with CDE access Incident response plan in place Appendices Appendix A1: additional PCI DSS Requirements for Shared Hosting Providers Protecting each entity s hosted environment & data Restrict the entity s access only to their environment Appendix A2: additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections Appendix A3: Designated Entities Supplemental Validation (DESV) Only entities designated by payment brand or acquirer Additional valuation steps as required 15

16 Compensating Controls In the event that an organization does not meet a PCI control, the assessor can determine if compensating controls are in place Compensating controls worksheet is listed in the ROC template 1. Constraints 2. Objectives 3. Identified Risk 4. Definition of Compensating Controls 5. Validation of Compensating Controls 6. Maintenance Must address risk & be stronger than the control it is replacing Management must approve compensating controls every year Why Is PCI DSS Compliance Important? Hackers & large international organized crime target merchants & their payment channels High fees for noncompliance with PCI-DSS At the discretion of the payment brands $5,000 to $10,000 per month The fallouts of a card data breach The resulting costs can be significant Breach could result in an average cost of $200 per card number lost Long-term reputational effects to an organization 16

17 Lack of PCI compliance Can Cost Lost confidence & customers go to other merchants Diminished sales Cost of reissuing new payment cards Fines Fraud losses Higher subsequent costs of compliance Termination of the ability to accept credit cards Going out of business Benefits of PCI Compliance The security of cardholder data affects everyone Increases security of cardholder data Customer confidence Better protection for clients Universal principles Avoidance of fines Reduces the cost of a breach 17

18 Summary PCI compliance is a requirement, but not a law, from the card brands for any organization that stores, processes or transmits payment card data Card brands set the standards & has the right to invoke penalties for organizations that fail PCI compliance PCI Security Standards Council is the governing board who trains & qualifies assessors (QSAs) Organizations with over six million card transactions annually must have a report on compliance (ROC) by an independent QSA company Other organizations are able to do a self-assessment questionnaire (SAQ) There are 12 requirements to PCI, which have a number of questions/controls each Cost of noncompliance is significant 18

19 Continuing Professional Education Credit BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered CPE Credit CPE credit may be awarded upon verification of participant attendance For questions, concerns or comments regarding CPE credit, please the BKD Learning & Development Department at training@bkd.com 19

20 The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered 20