GUIDE TO STAYING OUT OF PCI SCOPE

Find answers to:
- What does PCI compliance mean?
- How to follow sensitive data guidelines
- What does "in scope" mean?
- How can noncompliance damage a business?
- How to stay out of scope
- Future data security trends
...and more!
PCI 101

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from Visa, Mastercard, American Express and Discover. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. It was created to increase controls around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually.

PA-DSS vs. PCI DSS

It's important to understand the difference between PA-DSS and PCI DSS. PA-DSS applies to an installed payment application, which must adhere to its compliance standards. Compliance covers the payment application specifically and ensures that it follows best practices regarding sensitive data retention, policies, and protections. PCI DSS applies to service providers, such as gateways, cloud/web-based applications and terminal or hardware manufacturers. Its compliance mandate is higher-level and broader-reaching, and covers an organization or platform.

Primary Types of Data Targeted
- 50% of incidents involved a malicious or criminal attack
- 27% involved system glitches, including both IT and business process failures
- 23% were caused by negligent employees
- Card track data and CNP (card not present) data are targeted most frequently

Sources: Ponemon Institute, June 2016 Cost of Data Breach Study; ITRC 2016 Data Breach Stats; Trustwave Global Security Report 2016
Sensitive Data Guidelines

Cardholder data

DATA ELEMENT                   STORAGE PERMITTED   RENDER STORED DATA UNREADABLE PER REQUIREMENT 3.4
Primary Account Number (PAN)   Yes                 Yes
Cardholder name                Yes                 No
Service code                   Yes                 No
Expiration date                Yes                 No

Sensitive authentication data

DATA ELEMENT                   STORAGE PERMITTED   RENDER STORED DATA UNREADABLE PER REQUIREMENT 3.4
Full track data                No                  Cannot store per Requirement 3.2
CAV2/CVC2/CVV2/CID             No                  Cannot store per Requirement 3.2
PIN/PIN block                  No                  Cannot store per Requirement 3.2

PCI DSS Requirement 3.4: If storing PAN data, it must be rendered unrecoverable and unreadable (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (the hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of the PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures

Sources: pcisecuritystandards.org, pcicomplianceguide.org
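As an added example that is not part of this guide, the following Python code applies the Requirement 3.4 approaches listed above to a PAN and to log lines: truncation, a one-way hash over the entire PAN, and a scrubber that keeps full PANs out of application logs. It assumes the first-six/last-four truncation form and uses a constructed demo key; the choice of a keyed hash (HMAC) rather than a bare hash, and the log-scrubbing function, are design choices made here, not text from the standard. The sample PAN is the well-known Visa test number, and the log lines are constructed.

```python
"""Added example: PCI DSS Requirement 3.4 techniques applied to a PAN and to
log lines. Not code from the guide; the helper names are assumptions."""
import hashlib
import hmac
import re

# Constructed demo key. A real key lives under the key-management processes
# Requirement 3.4 refers to (HSM or key vault); it is never hard-coded.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six and last four digits.

    The first-six/last-four form is assumed here; confirm the digits your
    card brands currently permit before relying on it.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = DEMO_KEY) -> str:
    """One-way hash over the ENTIRE PAN (3.4: the hash must cover the whole PAN).

    An unkeyed hash of a PAN can be reversed by enumerating the small PAN
    space, so a keyed HMAC with a managed secret is used here (added choice).
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace Luhn-valid PAN-length digit runs with their truncated form so a
    full PAN never lands in logs (3.4 explicitly covers logs)."""
    def _redact(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            return truncate_pan(digits)
        return m.group(0)       # order ids, timestamps etc. are left alone
    return _PAN_RE.sub(_redact, line)


# Constructed sample log lines; 4111111111111111 is the public Visa test PAN.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z INFO auth request pan=4111111111111111 amount=10.00",
    "2024-03-01T10:00:01Z INFO order id=9876543210123 status=ok",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(scrub_log_line(raw))
    print(truncate_pan("4111 1111 1111 1111"))
    print(pan_reference("4111111111111111"))
```

The scrubber only redacts runs that pass the Luhn check, so the 13-digit order id on the second line is left intact while the PAN on the first line becomes 411111******1111. Because the HMAC is computed over the normalized digit string, the same card produces the same reference whether or not it was entered with spaces, which is what a lookup key needs.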
What Does "In Scope" Mean?

In-scope systems include:
- All network devices transporting or directing cardholder traffic (e.g. border router, DMZ firewall, intranet firewall).
- Support systems (e.g. Active Directory, syslog server, PCs performing support functions such as system administration).
- Systems processing cardholder data (e.g. web servers, application servers).
- Devices that create media containing cardholder data (e.g. fax machine, printer, backup tape silo).

QSA Audits

Level 2 provider: if you do over a million transactions annually across all customers.

In reference to the chart below, how many requirements are you actively meeting?

Merchant levels by transaction volume:
- Level 1: >6 million
- Level 2: 1-6 million
- Level 3: 20,000-1 million
- Level 4: all other merchants

Requirements and frequency:
- On-site QSA audit (by a QSA/ISA): annually
- Self-Assessment Questionnaire (SAQ): annually
- Authorized Scanning Vendor (ASV) scan: quarterly
- Security awareness training: upon hire + annually
- Policy review & acceptance: annually
GUIDE TO STAYING OUT OF PCI SCOPE: The Fundamentals

The best way to stay out of PCI scope is to use a gateway, such as Zeamster, so you don't have to pass, transmit or store cardholder data within your software. If a breach occurs, the breached party is on the hook for the investigative fees, fines, lawsuits, and the direct and indirect costs to fix the problem... the list is long and very expensive!

Direct Damages from Non-Compliance:
- Your time
- Damage to brand reputation & bad press
- Loss of payment card privileges
- Mandatory forensic examination
- Notification of customers
- Credit monitoring for affected customers
- PCI compliance fines
- Liability for fraud charges
- Card replacement costs
- Upgrade or replacement of POS system
- Reassessment for PCI compliance
How to Stay Out of Scope

Do you pass, transmit or store cardholder data? If not, you are out of scope as an ISV!

Methods

The most important thing to do as an ISV to remain out of scope is to use a gateway, such as Zeamster, where all cardholder data flows through the gateway itself and not through your software.

If the card is NOT present:
- Use the gateway's token functionality
- Use a hosted payment page

If the card IS present:
- Use an API to trigger a transaction request where the terminal talks directly to the gateway
- Use a PCI-validated P2PE solution

If collecting payments within a mobile app:
- Use an encrypted device so no raw card data is viewable by your application

USE A PAYMENT GATEWAY!
Future Data Security Trends 2017-2018

- Data breach costs have fluctuated significantly. Organizations must be prepared to deal with this cost and incorporate it into their data protection strategies.
- The biggest financial consequence to organizations is lost business.
- Most data breaches are caused by criminal and malicious attacks. These breaches also take the most time to detect and contain, resulting in the highest cost per record.
- Improvements in data governance will reduce the cost of a data breach. Incident response plans, employee training and awareness programs, and a business continuity management strategy continue to result in cost savings.
- Investments in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, are important for preventing data breaches.