Symbiotic Consulting Group LLC - PCI Compliance Overview

Symbiotic Consulting Group LLC PCI Compliance – Background, Importance and Options for your Organization www.symbioticconsultinggroup.com

Transcript of Symbiotic Consulting Group LLC - PCI Compliance Overview

Page 1: Symbiotic Consulting Group LLC - PCI Compliance Overview

Symbiotic Consulting Group LLC
PCI Compliance – Background, Importance and Options for your Organization
September 10, 2015
www.symbioticconsultinggroup.com

Page 2: Symbiotic Consulting Group LLC - PCI Compliance Overview

Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015

Key Topics
• PCI Meaning and Definition
• PCI Evolution
• Meaning of PCI DSS
• PCI Compliance Criteria
• What does this mean to my company?
• Case Study: 2013 Breach of Target

Page 2

Page 3: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Meaning and Definition

The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder and customer data do so in a secure environment!
• This has to be a joint effort between IT and Business teams


Page 4: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Meaning and Definition (cont.)

Common PCI Myths
• We don’t take enough cards to necessitate compliance, hence PCI is irrelevant
• Our company outsources card processing so we are compliant
• PCI is just an IT issue and they will deal with it
• PCI is unreasonable / difficult
• PCI compliance makes us secure
• We can’t be a target


Page 5: Symbiotic Consulting Group LLC - PCI Compliance Overview


Team Work!


Page 7: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Evolution

The PCI Security Standards Council was founded in 2006 by some of the major card brands:
• Visa
• MasterCard
• Amex
• Discover
• JCB

Each card brand has inputs and feedback into the guidance provided by the council.


Page 8: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Evolution (cont.)

A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to the following:
• Credit
• Debit
• HSA
• FSA
• Payroll
• Others


Page 9: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Evolution (cont.)

The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:
• PCI DSS
• PA-DSS
• P2PE
• PTS


Page 10: Symbiotic Consulting Group LLC - PCI Compliance Overview


Collaboration!


Page 12: Symbiotic Consulting Group LLC - PCI Compliance Overview


Meaning of PCI DSS
• Core set of best security practices
• Set of 12 requirements broken down into 6 categories, as follows:
  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Monitor and test networks
  6. Maintain an information security policy


Page 13: Symbiotic Consulting Group LLC - PCI Compliance Overview


Meaning of PCI DSS (cont.)

Page 14: Symbiotic Consulting Group LLC - PCI Compliance Overview


Meaning of PCI DSS (cont.)

• PCI DSS can include the following depending on the organization:
  – PA-DSS
  – P2PE Solution Provider
  – PTS


Page 15: Symbiotic Consulting Group LLC - PCI Compliance Overview


True “Symbiotic” Nature of Our Business!


Page 17: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Compliance Criteria
• Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
• Compliance is based on “Level” and “Type”
• Level is based on the number of transactions performed in a 12-month period
• Type is defined by how your organization takes credit cards


Page 18: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Compliance Criteria (cont.)

Page 19: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Compliance Criteria (cont.)

Levels are based on the number of transactions. Visa defines them as follows:


Level 1: Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa
Level 2: Organizations with 1M to 6M Visa transactions per year
Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year
Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1M Visa transactions per year

Page 20: Symbiotic Consulting Group LLC - PCI Compliance Overview


PCI Compliance Criteria (cont.)

Types are defined by how your organization takes credit cards and are broken down as follows:


Type A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants
Type B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants, no cardholder data storage
Type C: Merchants with payment application systems connected to the Internet, no cardholder data storage
Type C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage
Type D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ


Page 22: Symbiotic Consulting Group LLC - PCI Compliance Overview


What does this mean to my company?

Action on your organization’s part for PCI:
• Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls

Cost Impact:
• Hardware
• Software
• Application Maintenance (data encryption, security, etc.)
• Internal Resources
• External Resources


Page 23: Symbiotic Consulting Group LLC - PCI Compliance Overview


What does this mean to my company? (cont.)

Based on the volume of transactions, organizations would be required to perform the following:


Visa validation requirements by level:

Level 1:
• Annual Report on Compliance (“ROC”) to be completed by a Qualified Security Assessor (“QSA”)
• Quarterly network scan by an Approved Scanning Vendor (“ASV”)
• Attestation of Compliance form

Level 2:
• Annual Self-Assessment Questionnaire (“SAQ”)
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 3:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 4:
• Annual SAQ recommended
• Quarterly network scan by ASV
• Compliance validation requirements set by merchant bank


Page 25: Symbiotic Consulting Group LLC - PCI Compliance Overview


Case Study: 2013 Breach of Target

What happened:
• Lost ~40 million credit and debit cards, ~70 million data files
• Theft period: November 27 – December 15
• Malware on point-of-sale terminals
  – Not detected until December 15


Page 26: Symbiotic Consulting Group LLC - PCI Compliance Overview


Case Study: 2013 Breach of Target (cont.)

Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?

Costs?
• Credit score monitoring
• Fines, sanctions and lawsuits
• Reputational damage


Page 27: Symbiotic Consulting Group LLC - PCI Compliance Overview


Case Study: 2013 Breach of Target (cont.)

Page 28: Symbiotic Consulting Group LLC - PCI Compliance Overview


Thank You!!!

Phone: 561-922-0120
Email: [email protected]

Our Global Office Locations

USA Headquarters Office, Florida
2701 N.W. 2nd Avenue #214
Boca Raton, FL 33431
Tel: 561-922-0120
Fax: 561-455-9893

USA Texas Branch
9660 Audelia Road, Suite 123-51
Dallas, TX 75238
Tel: 561-922-0120
Fax: 561-455-9893

Europe (Romania) Shared Services Branch
Aviatorilor 5A, Suite 47
Baia Mare, Maramures 430223, Romania, Europe
Tel: +40 362 881 664

India (Pune) Branch
C-30, KPCT Mall, Fatima Nagar
Pune, Maharashtra 411040
Tel: 561-922-0120
Fax: 561-455-9893