The Devil is in the Details: The Secrets to Complying with PCI Requirements
Michelle Kaiser Bray, Faegre Baker Daniels
PCI DSS: What?
- PCI DSS = Payment Card Industry Data Security Standard
- Technical security requirements for payment card data, set by the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
- A process for maintaining a secure environment: prevention, detection, and appropriate response to security incidents
- State laws incorporating PCI DSS: Nevada, Minnesota, Washington
- Covered instruments: credit cards, debit cards, charge cards; digital wallets?
PCI DSS: Who?
Merchants
- Binding on all companies that process, store or transmit payment card information, i.e., any merchant that has a Merchant ID (MID)
- Merchants fall under four levels of compliance, based on the number of transactions processed annually and on whether transactions are brick-and-mortar or Internet
Corporate franchise servicers
- A corporate entity or franchisor that provides or controls a centralized or hosted network environment, connected physical/logical assets, or shared locations
- Level 1 Merchant Service Provider (Third Party Agent)
Vendors
- Service providers (and merchants) that use third-party payment applications are subject to the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)
- Device vendors and manufacturers: PIN Transaction Security (PTS) requirements
PCI DSS: When?
Now
- Privacy and security threats (computer hacking, credit card fraud and identity theft) are rising rapidly
- Hotel and restaurant franchises are the most vulnerable to security breaches and a preferred target of data thieves
- Hackers are using inadequately secured remote administration services to take payment data from POS systems
Ongoing
- Assess: Self-Assessment Questionnaires, Qualified Security Assessors (QSAs), Internal Security Assessor (ISA) education program
- Remediate: network scanning; reviewing, ranking and fixing vulnerabilities; patches
- Report: quarterly scan reports completed by a PCI SSC-approved ASV; annual onsite assessment completed by a PCI SSC-approved QSA, with submission of findings to each acquirer (large businesses)
PCI DSS: Where?
Payment brand or acquiring bank
- American Express: www.americanexpress.com/datasecurity
- Discover Financial Services: http://www.discovernetwork.com/merchants/fraud-protection
- JCB International: http://partner.jcbcard.com/security/jcbprogram/index.html
- MasterCard Worldwide: http://www.mastercard.com/sdp
- Visa Inc: http://www.visa.com/cisp
- Visa Europe: http://www.visaeurope.com/ais
PCI DSS: How?
Twelve steps (PCI DSS 2.0)
Build and Maintain a Secure Network
- 1) Install and maintain a firewall
- 2) No default system passwords
Protect Cardholder Data
- 3) Protect stored data
- 4) Encrypt transmission of data across open, public networks
Maintain a Vulnerability Management Program
- 5) Use and regularly update anti-virus software/programs
- 6) Develop and maintain secure systems and applications
PCI DSS: How? (cont.)
Twelve steps (PCI DSS 2.0), continued
Implement Strong Access Control Measures
- 7) Restrict access to data (business need to know)
- 8) Assign unique IDs
- 9) Restrict physical access to data
Regularly Monitor and Test Networks
- 10) Track and monitor access to network resources and data
- 11) Regularly test security systems and processes
Maintain an Information Security Policy
- 12) Address information security for all personnel
PCI DSS: Why?
Risk
- Fraud
- Identity theft
- Insiders
- Cyber-attacks
Rules
- Fines
- Transaction fees
- Termination
- Lawsuits
Reputation
- Brand
- Customer
PCI DSS: Additional Resources
- PCI SSC Data Security Standards Overview: https://www.pcisecuritystandards.org/security_standards/index.php
- PCI DSS ROC (Report on Compliance) Reporting Instructions: https://www.pcisecuritystandards.org/documents/pci_dss_2.0_roc_reporting_instructions.pdf
- Corporate Franchise Servicer (Visa): http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
- 2013 Data Breach Investigations Report: http://www.verizonenterprise.com/dbir/2013/
Partner with Payment Processing Providers!