PCI Compliance - SASANY.ORG
PCI Compliance

Introduction
• Scott Jerabek, Product Manager
• The CBORD Group
  • Founded in 1975
  • Foodservice, Campus Card and Security solutions to College and University and Healthcare markets

CBORD Product Portfolio
College & University Applications
• Card Systems
• Foodservice
• Housing
• Online Ordering
• Commerce
• Security

Agenda
• Introduction
• Payment Card Industry standards
• Credit card risks
• CBORD® products and PCI
• MICROS® point-of-sale
• Changes in PCI regulations
• Discussion

Payment Card Industry Standards
Entities that store, process, or transmit cardholder data
• PCI Data Security Standard (PCI-DSS)
  • Covers merchants and service providers
• Payment Application Data Security Standard (PA-DSS)
  • Covers third-party applications deployed on site

PCI Landscape
• CBORD® is a Service Provider and provides validated payment applications.
• MICROS provides validated payment applications.
• MerchantLink, Elavon, and Shift4 are credit card gateway solutions for MICROS.

Diagram: payment card flow (image not recovered; labels only). Cardholder / Member / Patron; Merchant / University (CS Gold or Odyssey PCS, Micros); Service Provider / CBORD (Webfood, MMID, NetCardManager, GET Funds); Merchant Link payment gateway; Merchant Processor (Tsys / Vital Processing, Global Payments, Chase Paymentech, Elavon / Nova, Fifth Third Processing, RBS Lynk, First Tennessee (FHMS), Heartland Payments, First Data, Bank of America / NPC, Stored Value Systems, Little & Co., Mercury Payment Systems); Acquiring Bank / Merchant Bank; Card Brands (Visa, MasterCard, AmEx, etc.); Issuer; Settlement.

Who Is Responsible for Compliance?
• On-site systems: the merchant
• Systems hosted 100% off-site: the service provider
• Hybrid systems with off-site and on-site components that handle cardholder data
  • Service provider responsible for off-site
  • Merchant responsible for on-site

PCI DSS
Goal: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Impact of Compliance
• Policies and procedures
  • Ex: Password and remote access policies
  • Ex: Quarterly vulnerability scans
• Training
  • Ex: Information security training for staff
• Implementation
  • Ex: Using firewalls to secure network resources
  • Ex: Intrusion detection and anti-virus software
• Annual compliance assessment and remediation

PCI Scope
• Any network component, server, or application that is included in or connected to the cardholder data environment
• Reducing scope reduces risk and cost of compliance
  • Move cardholder data processing off-site to third parties
  • Segment on-site systems that touch cardholder data
  • Limit number of personnel with full access to cardholder data (personnel other than cashiers)

Credit Card Risks
• PCI DSS represents a minimum level of security that should be applied to your organization's handling of credit cards.
• A security breach will:
  • Damage your reputation
  • Cost significant time, effort, and dollars
  • Negatively impact your customers

Breach Liabilities
• Average cost to institution (1)
  • $202/breached patron record ($90 to $305)
  • Average $6.6M in direct and indirect costs
• TJX
  • 100 million credit card numbers
  • Estimated cost to TJX ranges from $118M to $1.3B
• Target
  • One of the largest breaches in U.S. retail history
  • Investigation is ongoing
  • 70 million credit card numbers
(1) Forrester Research

Breach Liabilities (cont.)
• Required forensic audit ($50k)
• Treated at Level 1 (no more self assessment)
• Fines up to $500k
• May not be able to continue to accept credit cards

CBORD Products and Services
• CBORD supports your MICROS point-of-sale
  • Support uses tools that allow you to maintain compliance
• Hosted products
  • CBORD responsible for compliance (service provider)
  • Minimal PCI impact on your organization
  • ManageMyID®/NetCardManager®
  • Webfood® online ordering
  • GET Funds

CBORD Products (cont.)
• Housing systems
• Website payment integration with third parties
• Catering
• All credit card processing is hosted by CBORD

CBORD Hosting
• Layered Tech
  • PCI compliant, SSAE 16 Type 2 compliant
  • Physical and Virtual Machines
• Validation Process
  • CBORD uses Trustwave for validation
  • Trustwave reviews our environment & processes, performs monthly and yearly scans

MICROS Point-of-Sale
• MICROS information security resources
  • MICROS PA-DSS validated versions
  • Implementation guides and other documentation
  • MICROS security patch documentation
  • Operating-system patch testing results
  • http://www.micros.com/ServicesAndSupport/InformationSecurity/
• Use network segmentation to separate MICROS from the rest of your network, including CS Gold®/Odyssey PCS®

MICROS 3700/RES
• Refer to MICROS information security link for versions
• MICROS implementation guide
  • Password policies
  • Database/transport encryption
  • Auditing, purging, etc.
• Vaulting used to move cardholder data off-site
  • TransactionVault from MerchantLink
  • Card data never stored in on-site MICROS database
• Point-to-Point Encryption
  • Merchantlink or Shift4 solutions utilize external readers

MICROS 9700/HMS
• Refer to MICROS information security link for versions
• MICROS implementation guide
  • Password policies
  • Database/transport encryption
  • Auditing, purging, etc.
• Vaulting used to move cardholder data off-site
  • Shift4
  • Card data never stored in on-site MICROS database
• Point-to-Point Encryption
  • Shift4 solution utilizes external readers

MICROS Simphony
• Refer to MICROS information security link for versions
• MICROS implementation guide
  • Password policies
  • Database/transport encryption
  • Auditing, purging, etc.
• Vaulting used to move cardholder data off-site
  • Merchantlink, Shift4, Elavon
• Point-to-Point Encryption
  • Merchantlink (Simphony 2.5, coming in 1.7), Shift4

Micros Resources
www.micros.com/ServicesAndSupport/InformationSecurity/

Grandfathering PA-DSS
• Acceptable for existing
• Acceptable for new deployments
• New criteria:
  • Adding credit cards (new)
  • Adding Merchant ID (new)
  • Add revenue center (existing)

Where are we headed?

PA-DSS and PCI-DSS 3.0
• Effective January 1, 2014
• PCI-DSS 2.0 remains active until December 31, 2014

PCI-DSS 3.0
• Updates include:
  • Penetration testing must follow an industry-accepted methodology
  • In-scope component inventory
  • Evaluate malware threats for systems not commonly affected by malware
  • Protect POS terminals from tampering and substitution
  • Maintain information about which PCI requirements are managed by service providers vs. the merchant

Point-to-Point Encryption (P2PE)
• Card data is encrypted at the reader and transmitted in encrypted format
• POS server never “sees” protected card data
• P2PE can reduce PCI scope
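A practical way to verify the claims on the vaulting and P2PE slides above, that card data is never stored in the on-site MICROS database and that the POS server never sees protected card data, is to scan exported POS logs or database dumps for card numbers. The following is an added example, not CBORD's or MICROS's tooling: it finds Luhn-valid primary account numbers (PANs) in text lines and reports any hits masked, so the report itself does not become cardholder data. The log lines and the `TV-` token format are constructed for the example.

```python
import re

# Constructed sample lines, as they might appear in an exported POS log or
# database dump. The card numbers are synthetic test numbers, not real accounts.
SAMPLE_LINES = [
    "2014-01-15 09:12:03 check=4411 tender=CREDIT token=TV-8f3a21c9 auth=OK",
    "2014-01-15 09:14:47 check=4412 tender=CASH amount=7.50",
    "2014-01-15 09:20:11 DEBUG raw track: 4111 1111 1111 1111 exp=1216",
    "2014-01-15 09:21:58 order_id=4111111111111112 status=closed",
    "2014-01-15 09:30:02 customer_phone=5551234567 note=pickup",
]

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded by non-digits so only the whole run is considered.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits; the rest is replaced so the report is not cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return masked PANs found in one line; Luhn filters out most look-alike numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # order ids and timestamps rarely pass Luhn
            found.append(mask_pan(digits))
    return found


def scan(lines) -> dict:
    """Map 1-based line number -> masked PANs for every line that leaks card data."""
    hits = {}
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            hits[n] = pans
    return hits


if __name__ == "__main__":
    for n, pans in scan(SAMPLE_LINES).items():
        print(f"line {n}: possible PAN(s) {pans}")
```

Only the debug line that logged raw track data is reported; the tokenized transaction, the Luhn-failing order id, and the phone number are not.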

P2PE roadmap - Micros
• Micros 3700 – Available now with Merchantlink Transaction Shield
• Micros 9700 – Available now with Shift4
• Micros Simphony –
  • Simphony 2.5 MR4 (Merchantlink Transaction Shield)
  • Simphony 1.7 (Q1 2014) (Merchantlink)
• Shift4 is testing on both platforms & waiting for a few Micros bug fixes

EMV Initiatives
• Visa has issued incentives to drive smart card adoption (EMV)
• Both Issuers and Acquirers impacted
• Carrots: Relief from PCI-DSS
• Sticks: Liability Shift (October 2015)
Micros, Merchantlink, & Shift4 are all working on EMV though it is not yet available on any Micros platforms.

Resources
• PCI Security Standards Council
  • https://www.pcisecuritystandards.org
• Quick Reference Guide
  • https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
• Prioritized Approach for Beginners
  • https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf
• Ten Common PCI Myths
  • https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
• Validated Service Providers
  • http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
• Validated Payment Applications
  • https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html

Forrester Research: Breakdown of Individual Breach Costs
In order to account for the different variable costs that can be incurred during a data breach, a survey conducted by Forrester Research provided averages in five major cost categories:
• Discovery, Response and Notification on average run about $50 per record. This cost includes “outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers.”
• Lost employee productivity on average costs about $30 per record. Dealing with the bad press and legal responsibilities are the major distractions for employees after a breach.
• Additional regulatory fines. This cost can vary greatly from $0.00 to $10 million, as ChoicePoint found out when paying civil penalties to settle the Federal Trade Commission case. Also, Visa increased the fine for mismanaging sensitive customer data from $3.4 million in 2005 to $4.6 million in 2006.
• Opportunity costs average about $98 per record, but this varies significantly from industry to industry. Forrester estimates “10% - 20% of potential customers will be scared away by a security breach in a given year,” and Ponemon's survey indicated that 74% of its respondents lost current customers due to the breach.
• Indirect costs (for high-profile breaches) often include:
  • Restitution costs - ChoicePoint is the first security breach victim to have to pay restitution costs, wherein they agreed to establish a $5 million consumer restitution fund.
  • Additional security and audit requirements - For example, “DSW's settlement with the FTC in its 2005 data breach of more than 1.4 million records requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. It also requires DSW to obtain, every two years for 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order,” per Forrester Research.
  • Other liabilities - Replacing credit cards is a substantial ‘other cost.’ For example, Sovereign Bank was hit twice by the BJ's Wholesale Club breach, as the first set of 81,000 replacement cards malfunctioned.