PCI Compliance
Forrest Walsh
Director, Information Technology
California Chamber of Commerce
PCI Data Security Standard (PCI DSS)
• What is PCI DSS?
• Does PCI DSS Apply to My Business?
• What are the Consequences of Non-Compliance?
• What are My Next Steps?
• Resources
What is PCI DSS?
• The five major payment card brands (American Express, Discover, JCB, MasterCard and Visa) created the PCI Security Standards Council
• The Council established a (nearly) common set of data security requirements for protecting cardholder data across the brands
Does PCI DSS Apply to My Business?
• "Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data."
• The requirements apply to all system components, defined as "any network component, server, or application included in, or connected to, the cardholder data environment". In practice this means that anything on the same network segment as the systems that handle card data is in scope unless it is isolated from them.
Merchant Levels (Visa thresholds)
Level  Description
1      Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; or any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2      Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3      Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4      Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Compliance Requirements Vary By Merchant Level
Compliance Validation Requirements
Level  Merchant Validation Requirements
1      Annual onsite review by a Qualified Security Assessor (QSA), i.e. a full PCI DSS assessment, and quarterly network scans by an Approved Scanning Vendor (ASV)
2      Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV
3      Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV
4      Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV
Validation Requirements Vary By Merchant Level
The levels and validation requirements above are Visa's; the other card brands publish their own thresholds, and your acquiring bank determines which level and which validation requirements apply to you.
Consequences of Non-Compliance
• Increased bank fees
• Reclassification of merchant level
• Potential loss of card processing privileges
Consequences of a Breach
• Damage to brand
• Mandatory involvement of federal law enforcement
• Merchant banks may pass along substantial fines levied by the credit card companies
• Up to $500,000 per incident from Visa
• Civil liability and the cost of providing identity theft protection
PCI Goals and Requirements: 6 Goals, 12 Requirements
Build and Maintain a Secure Network
• 1. Install and maintain a firewall configuration to protect cardholder data
• 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• 3. Protect stored cardholder data
• 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• 5. Use and regularly update anti-virus software
• 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• 7. Restrict access to cardholder data by business need-to-know
• 8. Assign a unique ID to each person with computer access
• 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• 10. Track and monitor all access to network resources and cardholder data
• 11. Regularly test security systems and processes
Maintain an Information Security Policy
• 12. Maintain a policy that addresses information security
Next Steps
• Complete the SAQ
• Create a remediation plan
• Find an ASV and schedule your quarterly network scans
• Check with your bank or credit card authority to find out when they expect to receive your SAQs and ASV scans
• Obtain a statement of compliance or SAQ from each of your service providers
Resources
• Your Bank
• PCI Security Standards Council website: https://www.pcisecuritystandards.org/index.shtml