PCI DSS COMPLIANCE DATA AND PROTECTION FROM RESULTS Technology
CONTENTS Overview.... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities Related to PCI DSS... 6 Validation... 6 Achieving PCI DSS Compliance with RESULTS.... 7 Summary.... 8 info@resultstechnology.com 877.435.8877 Page 1
Overview Every electronic transaction creates an opportunity for unscrupulous activities to occur. When these activities are corrupted, the damage can be significant; ranging from a simple one-time illegal purchase by a clerk or waitress using a customer s credit information, to a full-blown identity theft using thousands (even millions) of people s stolen personal data. Neither situation is desirable or tolerable in the business community, especially when both can be prevented or curtailed with the implementation of industry-proven security best practices and the proper systems. That s why businesses that deal with credit transactions must remain particularly diligent, addressing each of the specific danger areas associated with processing. Without the proper security processes and technologies in place, your data could be compromised or stolen, and the repercussions of a breach go much further than lost customer confidence. Lawsuits and financial restitution can be significant, especially if the activity is the result of the retailer not following well publicized best practices. In order to provide greater guidance to businesses that accept credit cards and ensure that their clients are properly protected, the major payment card organizations established a set of standards that have been implemented over the past few years. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. came together to create the Payment Card Industry Data Security Standard (PCI DSS). These rules provide an actionable framework for securing payment card data, including deterrence, discovery and the appropriate response to breaches and other security-related events. PCI DSS version 2.0 (implemented January 1, 2012) applies equally to all businesses that store, process or transmit bank cardholder data. Failure to comply with these rules can result in hefty penalties, regardless of a merchant s intent or lack of awareness. The latest version extends the implementation, feedback, review and revision processes to a three-year cycle (previously two-years), and updates key security provisions including firewall protection, password and key management, and related documentation. These standards impact a number of organizations that participate in retail operations, including merchants, payment card issuing banks, processors, developers and technology vendors. The Basics of PCI DSS In order to help merchants navigate and better understand the conditions and implications of these standards, the PCI Security Standards Council has taken great pains to distribute the most critical information to everyone involved. Despite their efforts, the material can be cumbersome and hard for many retailers to comprehend. That s where we can help, filtering out the critical details and offering sound advice to help you meet the compliance requirements that pertain to your organization. Even though the PCI Security Standards Council developed the specific standards addressed in this paper, compliance is actually mandated by the individual payment card companies. Visa, MasterCard, American Express, Discover and JCB International each have their own specific requirements and compliance levels. While many of these are minor, merchants need to understand the nuances of each to ensure your data is aptly protected. info@resultstechnology.com 877.435.8877 Page 2
For example, while PCI DSS compliance is divided into four general merchant categories, each credit card company may add their own stipulations to each. Retailers need to not only understand the differences, but also ensure your payment processes adhere to those variations. The general PCI DSS categories include: Compliance Level 1: Merchants processing more than 6 million Visa transactions on an annual basis fall into this category. This includes all types of acceptance channels, meaning debit, credit, prepaid and beyond. Those merchants that fall into this category will need to meet Level 1 merchant requirements to avoid fines and penalties. On-site reviews by internal auditors and network scans are required for merchants at Level 1. Compliance Level 2: When the merchant is processing between 1 million and 6 million Visa transactions annually, it falls into Level 2. The demands are bit less stringent, but the entity must still complete network scans from an approved third-party vendor and submit selfassessments each year. Compliance Level 3: Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually will need to follow the guidelines of Level 3 compliance, which involve network scans and self-assessment questionnaires similar to those under Level 2 compliance. Compliance Level 4: Finally, Level 4 is comprised of merchants that process fewer than 20,000 e-commerce transactions annually. As a note, the PCI Council also affirms that merchants processing as many as 1 million transactions per year through all different acceptance channels also fall into this category of compliance. Requirements will be similar to those under Levels 2 and 3. Although they conduct the fewest transactions, Compliance Level 4 retailers make up approximately 99% of the businesses that process credit cards in the United States and typically have the least amount of IT support. The lack of a dedicated onsite security professional presents a serious risk for retailers. With many businesses lessening their dependence on cash only policies, and others moving to cashless transactions, the focus on PCI DSS compliance is expected to intensify. The first thing merchants need to know is the three critical steps in PCI DSS compliance. 1. PCI DSS Compliance: Assess: identify cardholder data, inventory the company s IT assets and business processes for payment card processing, and analyze each for security weaknesses. Remediate: address perceived vulnerabilities and remove unneeded cardholder data. Report: compile and submit remediation authentication records (if applicable), and provide compliance reports to each bank and payment card company they do business with. info@resultstechnology.com 877.435.8877 Page 3
PCI DSS standards mirror the practices that security-oriented organizations already employ, following industry practices to properly protect the data and infrastructure of the business. While some of the terms and acronyms used by retailers and payment processing vendors may be unique, the basic processes and technologies required to secure their information and infrastructure don t differ significantly. 2. The Solution Provider Role (and Accountability) While PCI DSS can be complicated for the novice solution provider, the payment card industry understands the important part they play in compliance. To help those who build and support secure payment applications, the PCI Security Council created a number of compliance-related resources and programs. That includes the Payment Application Data Security Standard (PA- DSS) and a list of Validated Payment Applications to select from, along with Self-Assessment Questionnaires that allow merchants to authenticate their current security procedures. Compliance goes beyond credit card processing systems. It extends to the network, data storage infrastructure and any method involved in the management or transport of customer data, with responsibility falling on the merchant and those who support it. Solution providers who fail to implement PCI DSS compliant solutions may find themselves liable (at least in part) for any damages their clients and their customers suffer. Noncompliance penalties can range from $1,000 to $100,000 per month for PCI-related violations, while these initial penalties will first be levied by payment brands and from banks. The PCI Council pointed out that this fine will be passed down to the merchant, leading to higher direct costs, as well as hindered relationships with the bank and often higher transaction fees. To ensure your data is protected, solution providers must follow the six control objectives for PCI DSS: 1. Build and Maintain a Secure Network Install and maintain an effective firewall configuration to protect cardholder data Avoid vendor-supplied defaults for system passwords and related protection measures 2. Protect Cardholder Data Protect all stored cardholder data Encrypt transmission of cardholder data across open, public networks 3. Maintain a Vulnerability Management Program Employ and update anti-virus software on a continual basis Develop and maintain secure systems and solutions info@resultstechnology.com 877.435.8877 Page 4
4. Implement Strong Access Control Measures Restrict access to cardholder data by business necessity Assign a unique identification to each person with system and network access 5. Restrict physical access to cardholder data (door locks, alarms and other safeguards) Regularly Monitor and Test Networks Track and monitor all access to networks, applications and cardholder data 6. Regularly test system protection and processes Maintain an Information Security Policy Maintain a policy that addresses data security To address the specific requirements of PCI DSS, providers need to validate every procedure and technology solution you use in electronic payments, from the card swipe device to your data storage policies. That attention to detail must also include a continual review of all vendor offerings, verifying that their data protection methods are effective and identifying (and fixing) potential vulnerabilities. The same diligence is required when it comes to evaluating cloud applications and offsite storage services. By ensuring that vendor offerings are PCI DSS compliant when properly implemented, and periodically validating those systems security settings, we fulfill a big part of your PCI DSS responsibilities. Of course, we still need to work closely with suppliers to communicate potential risks, failures or other issues that could compromise the security of your data. 3. Concerns and Opportunities Related to PCI DSS Keep the Proper Focus The number one goal of any PCI DSS solution is ensuring end-to-end security, from the moment a customer pulls out their credit or debit card until the card-holder data is fully erased from the system. For a brick-and-mortar retailer that protection includes every employee who touches (or sees) the payment card and/or the information it contains. For example, by adding mobile card readers at restaurants, patrons can swipe their own cards at their table, preventing unscrupulous employees from copying the information in back rooms (or anywhere out of eyesight). Other physical security measures that should be implemented include proper system lockdown with a separate PIN for each employee. That not only makes it difficult for unauthorized individuals to gain access to the system and cardholder data, but allows business to better track their employees activities. info@resultstechnology.com 877.435.8877 Page 5
By focusing on two specific areas you can meet the vast majority of requirements: 1. Protect stored cardholder data 2. Encrypt transmission of cardholder data across open, public networks. By amending your onsite payment processes and implementing the proper security technologies, you can begin to meet the PCI DSS requirements, but that still leaves serious gaps outside the business. Has the network been locked down, with effective access protection? Is cardholder data stored improperly onsite, and do you use effective and secure data backup and recovery systems? That s an area where we can really help you meet full PCI DSS compliance, implementing a full solution (from terminal to network support) that addresses each industry best practice and rule. 4. Validation Another key aspect of PCI DSS compliance is the required reporting schedules. Credit card companies validate that retailers and their providers are abiding by the regulations on an annual basis, with the volume of transactions (and risk) determining the depth of that evaluation (as covered previously in The Basics of PCI DSS ). Along with requiring participating businesses to complete a self-assessment questionnaire, MasterCard and Visa perform on-site visits and network scans performed by authorized PCI compliance scanning vendors. The information contained in PCI DSS Reports includes: Summary of findings: a general statement and details of the security assessment Business information: business description, contacts, and provider/processor details Card payment infrastructure: network schematics, transaction flow diagram, terminal and POS (point of sale) solutions employed, wireless network details Third-party relationships: companies with access to cardholder data, such as solution providers, banking institutions and payment card vendors Achieving PCI DSS Compliance with RESULTS Technology We can help you meet PCI DSS compliance regulations with a solution that provides cloud and local backup and data recovery, proactive data security and reliable data retention and restoration. We offer complete data protection services with support for desktops, laptops, and servers, files and folders, Microsoft Exchange Information Store, Exchange mailbox, SQL, System State and VMware and Hyper-V info@resultstechnology.com 877.435.8877 Page 6
images. Backups are highly automated and enable fast and easy restores and are performed from a single management console. Protection of Card Holder Data: Encryption in Storage and Transfer Our solution was developed with PCI DSS compliance regulations in mind, protecting against threats to consumer privacy. We offer a configurable solution to help you conform to these critical compliances and alleviate the security risks associated with data loss and breaches. We can minimize the threat of lost or stolen data during the transfer and storage of data across open networks with multiple layers of encryption. We use 256-bit AES local file encryption and secure data in transit using 128-bit encryption with SSL (Secure Socket Layers) technology. Data that is moved to the cloud is stored and replicated in dual military-grade, SSAE 16 Type 2 certified data facilities which are located on differing coasts for redundancy and security. Data centers have 24/7 biometric controlled security and surveillance, backup generators and redundant connections to the Internet. Data Retention Our solution features the most robust data retention settings in the industry, enabling a PCI DSS compliant-ready solution. The software configures to fit the needs of different file types, number of revisions needed and required length of storage time so the right historical data is retained for the right period of time. Once stored, data is never accessible without a private encryption key, mitigating the risk of unauthorized data access. Data Recovery and Testing Providing a PCI compliance solution requires the ability to test and restore your data. This process must be easy and reliable to ensure compliance. With our solution, we can restore data directly back to your server, guaranteeing that data is recovered quickly and accurately, without the need to connect to the computer remotely or be onsite at your place of business. Performing a test restore is just as easy. We can restore back to your production server or our own office, making the process to test a restore fast and reliable. Summary PCI DSS compliance is one of the largest challenges facing merchants, though it s just one of the many barriers to success. The complex variables relating to PCI make it a challenge to comply, but our team has the technology and expertise to help you meet regulatory standards. We understand PCI s data retention and transportation requirements and have the software and services you need to store your data in a fashion that satisfies regulations. Please note that nothing in this white paper is intended to constitute legal advice. For more information about PCI and compliance with PCI requirements please consult your legal counsel. info@resultstechnology.com 877.435.8877 Page 7