Achieving PCI-DSS Compliance with ZirMed Financial Services

Darren J. Hobbs, CPA and James S. Lacy, JD

THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

Goals and PCI-DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Notes
[1] Bureau of Justice Statistics. Identity Theft Series, November 30, 2011.
[2] Identity Theft Resource Center. 2007 Data Breach Stats.
ZirMed Performance Series: Achieving PCI-DSS Compliance with ZirMed Financial Services

THE COSTS OF NON-COMPLIANCE

Data Breach Cost Per Exposed Record [4]
  Direct Incremental Costs          $54
  Indirect Productivity Costs       $30
  Customer Opportunity Costs        $98
  Total Cost Per Exposed Record    $182

PCI-DSS FOR HEALTHCARE PROVIDERS

Notes
[4] Ponemon Institute, LLC. 2006 Annual Cost Study: Cost of a Data Breach.
[5] Hines, Matt. Bottom line impact of data breaches unclear. InfoWorld, April 2007.
[6] Baum, Neil and Gretchen Henkel. Marketing Your Clinical Practice, Third Edition. Jones and Bartlett Publishers, Inc., 2004.
ZIRMED: YOUR SOLUTION TO PCI-DSS COMPLIANCE

Questions (answer Yes or No)
  - Is access to cardholder data limited to those individuals whose jobs require such access?
  - Does your system prevent storage of the full magnetic strip contents and card verification values?
  - Are all pieces of paper with cardholder information cross-cut shredded, incinerated, or pulped when no longer needed?
  - Do you have a formal security awareness program in place which addresses cardholder data?
  - Have you established, published, maintained, and disseminated an information security policy?

If you answered No to any of the questions, or if you were unsure of the answer, your business may not be in compliance with PCI-DSS. For more information, or to view the complete Self-Assessment Questionnaire, please visit www.pcisecuritystandards.org.

Notes
[7] Rothke, Ben. The Smart Approach to PCI-DSS Compliance. Braintree Payment Solutions.
[8] Verizon Business Risk Team. 2008 Data Breach Investigation Report.
Disaster Plan Essentials

To be compliant with PCI-DSS, all merchants must have an information security policy and disaster recovery plan in place. The disaster recovery planning process should include the following elements:
  - Notify senior management
  - Contact and establish a disaster recovery team
  - Determine the degree of disaster/breach
  - Review the PCI-DSS regulations related to disclosures and reporting, along with state and federal laws and regulations
  - Evaluate whether the disaster also affected HIPAA, Gramm-Leach-Bliley, or other privacy and security laws
  - Implement the proper recovery plan dependent on the extent of the disaster
  - Monitor progress
  - Inform all necessary personnel
  - Notify vendors, banks, auditors, lawyers, etc.
  - Create a follow-up checklist and monitoring
CONCLUSIONS

PCI-DSS Requirements and ZirMed
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Key
  [full icon] = ZirMed addresses all requirements
  [partial icon] = ZirMed addresses most, but not all, requirements

About ZirMed

Copyright © 2011 ZirMed, Inc. All rights reserved. www.zirmed.com (877) 494-1032