Compliance With the PCI DSS Credit Card Security Standards

Presented By: Branden R. Williams, CISSP, CISM, Sysnet Global Solutions

This manual was created for online viewing. State specific information in this manual is used for illustration and is an example only.

Mail: P.O. Box 509 Eau Claire, WI 54702-0509 • Telephone: 866-352-9539 • Fax: 715-833-3953 • Email: [email protected] • Website: www.lorman.com • Seminar ID: 394531


Compliance With the PCI DSS Credit Card Security Standards

©2014 Lorman Education Services. All Rights Reserved.

All Rights Reserved. Lorman programs are copyrighted and may not be recorded or transcribed in whole or part without its express prior written permission. Your attendance at a Lorman seminar constitutes your agreement not to record or transcribe all or any part of it.

Full terms and conditions available at www.lorman.com/terms.php.

This publication is designed to provide general information on the topic presented. It is sold with the understanding that the publisher is not engaged in rendering any legal or professional services. The opinions or viewpoints expressed by faculty members do not necessarily reflect those of Lorman Education Services. These materials were prepared by the faculty who are solely responsible for the correctness and appropriateness of the content. Although this manual is prepared by professionals, the content and information provided should not be used as a substitute for professional services, and such content and information does not constitute legal or other professional advice. If legal or other professional advice is required, the services of a professional should be sought. Lorman Education Services is in no way responsible or liable for any advice or information provided by the faculty.

This disclosure may be required by the Circular 230 regulations of the U.S. Treasury and the Internal Revenue Service. We inform you that any federal tax advice contained in this written communication (including any attachments) is not intended to be used, and cannot be used, for the purpose of (i) avoiding federal tax penalties imposed by the federal government or (ii) promoting, marketing or recommending to another party any tax related matters addressed herein.

Prepared By: Branden R. Williams, CISSP, CISM, Sysnet Global Solutions


Compliance With the PCI DSS Credit Card Security Standards

What you need to know to survive!

Dr. Branden R. Williams

@BrandenWilliams

http://brandenwilliams.com


Agenda

Payment Card Industry Compliance
– What has changed in PCI DSS 3.0?
– What does this mean for ongoing compliance programs?
– What's missing?

Brand Enforcement
– What are the brands doing to enforce PCI Compliance?
– What does PCI compliance mean globally?

Scope Reduction, Speedy Compliance
– What are some common scope reduction techniques?
– What is Tokenization, and how can it benefit me?
– Are there any shortcuts to compliance?

Briefly: What is PCI DSS?

Credit Card Security

PCI DSS has 12 main security requirements.

It's akin to locking doors, setting alarms, and protecting your valuables.

Better yet, it's like running a clean restaurant.

The difference is that card data doesn't belong to you, yet you use it for the exchange of goods and services.

Many breaches forced the creation of the standard.

The History Leading to 3.0

Key Dates for 2013:
– Release date: November 7, 2013
– Draft published to Participating Organizations (POs) on September 12
– Most of the changes published there are intact

Lifecycle Notes:
– 2010 changed the lifecycle from 2 years to 3
– No errata published for 2.0
– Review and feedback led to 3.0

Effective date: 1/1/2014

PCI DSS 2.0 retire date: 12/31/2014

Key Facts/Info Sources

PCI Council Website: http://www.pcisecuritystandards.org

Visa CISP Program: http://www.visa.com/cisp

Branden's Blog: http://blog.brandenwilliams.com/

What has Changed?

Keys to remember from PCI DSS 2.0

PCI DSS is on a 3-year lifecycle

Virtualization included in PCI DSS
– But nothing on cloud
– This extends to mobility

Third Party Due Diligence
– Expect continued increases in inspection of third parties

MORE INSPECTION by your QSA!

Themes that drove PCI DSS v3.0 changes

Education and Awareness

Increased Flexibility

Security as a Shared Responsibility

Fix the following:
– Lack of education and awareness
– Weak passwords and authentication practices
– Third party risks
– Limited capability to detect breaches and/or malware
– Lack of consistency in assessment

What are the New Developments?

P2PE Solutions now available
– Focuses on HW/HW (hardware-based encryption and decryption)
– Needs SW/HW
– It's up to you to help drive direction!

Alternative Payment Schemes
– Square
– PayPal
– SRED (how to use iPad/iPod?)

Where is PCI going?
– ASV Task Force

Some Words on Scoping

Responsibility for scoping is that of the organisation under assessment

A QSA does not define the scope of an assessment

A QSA validates the scope that has been determined by the organisation as part of the assessment

Now, here's something strange…

Biggest complaints about the PCI DSS process:
– Too Restrictive (let me do risk management)
– Too Loose (tell me what I have to do)
– Too much interpretation variance

Two sides to every room:
– TOO RESTRICTIVE
– TOO OPEN FOR INTERPRETATION

The Council waged war on "should" and "periodic"

New version reverses the trend:
– Periodic: 20 times (up from 8)
– Should: 103 times (up from 27)

Some of the Great Additions

From the "How do you do this without these instructions" dept:
– Cardholder Data Flow diagrams required
  Don't do this on a network diagram
  See "Data Flows Made Easy"
– Managing a list of in-scope systems
  Helps with scoping overall

Cloud/Virtualization… Whaaaa?

Could be a challenge

Overall, the documentation requirements are much higher

Be sure to allocate time and resources to this (automation potential!)

Some of the Ugly, Weird, or Questionable

Malware discovery:
– On platforms NOT commonly affected
– Yes, you read that right
– Interpretation will be interesting

Penetration Testing:
– Approved methodology
– Approved by…?
– Why not reference NIST SP 800-115?

Lack of Linkage to Emerging Tech
– Where is Mobile?
– What about NFC?

What is missing?

No mention of Cloud
– Yet virtualization makes an appearance

Sampling Remains an Issue
– Up to the QSA to define and stick to a methodology
– Causes variance in "feel-goodery"

Wireless IDS/IPS

DLP/Scope Clarification

Impacts to Ongoing Compliance

Current compliance programs should finish by December 31, 2014

New programs begin January 1, 2015

Discuss specific impacts with pending changes
– Requirement 9.9 (protecting POS devices from tampering and substitution): a best practice until June 30, 2015, a requirement after that

Brand Enforcement

Brand Enforcement: Visa

US: Visa CAP (Compliance Acceleration Program)
– Dates passed
– Fines for Level 1 & 2 merchants

Global: Visa CAP
– Not including EU
– Fines for Level 1 & 2 merchants
– Additional fines at discretion

Problems:
– Payment systems vary vastly among geos
– Must enforce!

Brand Enforcement: MasterCard

Global:
– Fines are in process, selectively
– Levels 1, 2, & 3 affected
– Reciprocity with Visa

Heavier fines than Visa

All global, but selective enforcement

No more Level 1 & 2 Self Assessments without certification (Internal Security Assessor, ISA)

Brand Enforcement: Others

Selective enforcement from other brands

Focus on Visa/MasterCard

actually… focus on SECURITY, then get COMPLIANCE free

© Branden Williams. All rights reserved CONFIDENTIAL

Global PCI Compliance

US-based companies have a leg up

Global companies with US entities may retrofit knowledge into their orgs

Hot regions:
– South Africa (country and continent)
– Australia

Enforcement will be geo-based

Nike: "Just Do It."®

Dr. B: "Just Outsource It."

Scope Reduction / Speedy Compliance

Common Scope Reduction Ideas

Segmentation
– Still the most effective way to reduce scope

VPNs
– Used in conjunction with segmentation
– Create zones of cardholder data in separate physical or logical locations

Outsourcing

In what world should someone who is successful at being a merchant take on building a complex payment processing environment?

Consider complete outsourcing of payments for both card present and card not present transactions

Data Discovery and Deletion

Data discovery tools help validate and reduce PCI scope

Find data you didn't know existed (yet are still responsible for securing!)

Validate that no data exists in out-of-scope environments

Assistance in mapping of data flows
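As an added example (not part of the seminar manual, and not any vendor's discovery product), the scan below does at the smallest scale what the "Data Discovery and Deletion" slide describes: it walks a set of files, picks out digit runs of card-number length, keeps only the Luhn-valid ones, and reports them masked so the report itself does not become a new PAN store. The file names and contents are constructed for this example; the card numbers in them are well-known test numbers, and the 16-digit order number is there to show a Luhn failure being discarded.

```python
import re
from typing import Dict, List

# Constructed sample "files": a support share and a finance export that are
# believed to be out of scope, plus a switch config with no card data at all.
SAMPLE_FILES: Dict[str, str] = {
    "support/tickets-2014-01.txt": (
        "Ticket 1001: customer reports double charge on card 4111 1111 1111 1111\n"
        "Ticket 1002: order 1234567890123456 shipped 2014-01-07\n"
    ),
    "finance/refunds.csv": (
        "date,amount,pan\n"
        "2014-01-08,19.99,5555555555554444\n"
        "2014-01-09,250.00,378282246310005\n"
    ),
    "it/switch-config.txt": "hostname core-sw1\nntp server 10.10.10.5\n",
}

# 13 to 19 digits, each optionally followed by one space or dash, and not
# embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, fold values over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the most PCI DSS 3.3 lets a display show;
    the scanner's own output must not turn into a file full of PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[dict]:
    """One finding per Luhn-valid candidate; the full PAN is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "masked": mask(digits), "length": len(digits)})
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[dict]]:
    """Scan a mapping of path -> contents; only paths with findings are reported."""
    report = {}
    for path, contents in files.items():
        hits = find_pans(contents)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['masked']} ({h['length']} digits)")
```

Run it against real shares only from a host that is itself treated as in scope, and keep the output masked: a findings list of complete PANs would have to be protected as cardholder data. The digit-boundary regex and the Luhn check cut false positives but do not remove them; any 13-to-19-digit identifier passes Luhn one time in ten, so findings still need a human look before a share is declared clean or a file is deleted.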

Tokenization

What is Tokenization?

A method by which live PANs are replaced with dummy values, or "Tokens"

Tokens are then used throughout the environment to track a payment

Tokens could be unique per transaction or unique per payment instrument

What to look for in a token?

Tokens should NOT have any mathematical relationship to the original value
– Why not hashes? A hash of a PAN is brute-forceable: the BIN and last four are usually stored right next to it, which leaves only about 10^5 Luhn-valid candidates to try
– Why not encrypted values with no key? The value is still reversible by anyone who obtains the key, so it is still cardholder data

Who is responsible for a breach with mathematically related values?

Why a token?

Using tokens devalues data

Still accomplish business analytics

Reduced security requirements for token values, so they can live in:
– Laptops
– Spreadsheets
– Cloud

DRAMATIC scope reduction potential
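The code below is an added example, not from the slides or any tokenization vendor. Its first half puts numbers on "Why not hashes?": given a SHA-256 "token" stored beside the BIN and last four, it recovers the PAN by enumerating the Luhn-valid middle digits. Its second half is a hypothetical TokenVault (no real product's API) that issues random tokens either per payment instrument or per transaction, as the "What is Tokenization?" slide describes, so that nothing held outside the vault can be turned back into a PAN. The leaked row is constructed; the PAN in it is a well-known test number.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Contribution of a doubled digit to the Luhn sum (2*d, minus 9 if over 9).
# It is a permutation of 0..9, which is what makes a missing digit solvable.
FOLD = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_sum(digits: str) -> int:
    return sum(FOLD[int(c)] if i % 2 else int(c)
               for i, c in enumerate(reversed(digits)))


def luhn_ok(digits: str) -> bool:
    return luhn_sum(digits) % 10 == 0


def complete_luhn(prefix: str, suffix: str) -> str:
    """Insert the single digit between prefix and suffix that makes the
    whole number Luhn-valid."""
    needed = (-luhn_sum(prefix + "0" + suffix)) % 10
    pos = len(suffix)                       # index of the free digit, from the right
    d = needed if pos % 2 == 0 else FOLD.index(needed)
    return prefix + str(d) + suffix


# Constructed: one row of a breached analytics table whose "token" is just
# SHA-256 of the PAN, stored next to BIN and last four for reporting.
LEAKED_ROW = {
    "token": hashlib.sha256(b"4111111111111111").hexdigest(),
    "bin": "411111",
    "last4": "1111",
}


def reverse_hash_token(token_hex: str, bin6: str, last4: str) -> Tuple[Optional[str], int]:
    """Recover a 16-digit PAN from SHA-256(PAN). With BIN and last four fixed,
    5 middle digits are free and the 6th is forced by Luhn: 10**5 guesses."""
    for m in range(10 ** 5):
        pan = complete_luhn(bin6 + f"{m:05d}", last4)
        if hashlib.sha256(pan.encode()).hexdigest() == token_hex:
            return pan, m + 1
    return None, 10 ** 5


class TokenVault:
    """Hypothetical vault. Tokens are random, so holding a token plus the BIN
    and last four gives nothing to reverse; only the vault's lookup table,
    which stays in scope, maps a token back to its PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}       # per-instrument tokens only

    def tokenize(self, pan: str, per_transaction: bool = False) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if not per_transaction and pan in self._token_by_pan:
            return self._token_by_pan[pan]  # same card, same token: analytics still work
        token = "tok_" + secrets.token_hex(12)  # 96 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        if not per_transaction:
            self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    pan, tries = reverse_hash_token(LEAKED_ROW["token"], LEAKED_ROW["bin"], LEAKED_ROW["last4"])
    print(f"hash token reversed to {pan} after {tries} guesses")
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")
    print("random token:", t, "-> same card again:", vault.tokenize("4111111111111111") == t)
```

Without the last four the search is 10^8 Luhn-valid candidates, still minutes of SHA-256 on one machine; a keyed HMAC only moves the problem to wherever the key lives, which is the "encrypted values with no key" objection in another form. A random token has no such shortcut, which is why the breach-liability question on the slide has a clean answer for vault tokens and a messy one for hashed or encrypted ones.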

Is there a shortcut to compliance?

Short answer?

Long answer:

Compliance with any standard should be a function of security

Focusing on security will get you to compliance faster

Compliance will become a tweak to your company, not an overhaul

Questions?

214.727.8227

[email protected]

brandenwilliams.com

@BrandenWilliams

facebook.com/BrandenRWilliams

linkedin.com/in/bwilliams

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.

Notes
