Webinar Slides: Payment Card Industry Data Security Standards – PCI-DSS Update
Transcript of Webinar Slides: Payment Card Industry Data Security Standards – PCI-DSS Update
#cbizmhmwebinar 1
CBIZ & MHM Executive Education Series™
Payment Card Industry Data Security Standards – PCI-DSS Update
Presented by Karen Cassella & Brenda Brigman
March 24 & March 29, 2016
Before We Get Started…
• To view this webinar in full screen mode, click on view options in the upper right hand corner.
• Click the Support tab for technical assistance.
• If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.
CPE Credit
This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic participation markers throughout the webinar. External participants will receive their CPE certificate via email immediately following the webinar.
Disclaimer
The information in this Executive Education Series course is a brief summary and may not include all the details relevant to your situation.
Please contact your service provider to further discuss the impact on your business.
Presenters

KAREN CASSELLA, CICA, Managing Director
Karen Cassella is a Managing Director in the CBIZ Risk & Advisory Services practice and has more than 20 years of experience performing internal and external audits, fraud investigations, SOX-404 compliance, PCI compliance and various regulatory audit and consulting services in the public and private sectors.
Karen led the effort for CBIZ to become a Qualified Security Assessor (QSA) Company, certified and approved by the Payment Card Industry (PCI) Security Standards Council. Her team performs PCI audits for merchants and service providers in the public and private sectors at all levels.
901.842.2859 • [email protected]

BRENDA BRIGMAN, QSA, PCIP, CCSK, CISA, CISSP, PCI National Practice Leader
Brenda is the National PCI Practice Leader for CBIZ Security & Advisory Services. She has over 15 years of experience in Information Technology Management and over 10 years of experience in Information Technology Auditing, including internal audit and risk management. She has served as an Engagement Manager on multiple Level 1 PCI engagements, and her industry experience includes IT, manufacturing, financial services, healthcare, insurance, hospitality, nonprofit and government.
Prior to joining CBIZ, Brenda was a Manager in KPMG's Risk Assurance Services practice and served over 20 years with Federal Express.
901.685.5575 • [email protected]
Agenda
01 PCI-DSS Introduction – The Basics
02 Anatomy of a Breach
03 Cost of Noncompliance
04 Building a Robust PCI Compliance Program
05 Questions
Who Must Comply?
All organizations, including merchants and service providers, that store, process and/or transmit cardholder data must validate that they are compliant with PCI DSS and provide proof of compliance to their acquirer once every year.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements designed to protect cardholder data. The card brands enforce the requirements, which include annual validation of compliance.
Six Objectives and 12 Requirements
Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
Merchant Levels (VISA)
Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, or any merchant that has suffered a data breach.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.
Merchant Validation Requirements (VISA)
Level 1:
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company
• Quarterly network scan by an Approved Scanning Vendor (ASV)
• Attestation of Compliance form (AOC)
Level 2:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by an ASV
• AOC
Level 3:
• Annual SAQ
• Quarterly network scan by an ASV
• AOC
Level 4:
• Annual SAQ
• Quarterly network scan by an ASV, if applicable
• Compliance validation requirements set by the merchant bank
Payment Methods & Validation Requirements
SAQ validation type and the merchant payment method it applies to:
A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website (or websites) that does not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
B: Merchants using only imprint machines with no electronic cardholder data storage and/or standalone, analog dial-out terminals with no electronic cardholder data storage.
B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
C-VT: Merchants manually entering a single transaction at a time through a keyboard into an internet-based virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage.
C: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage.
P2PE: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
D: Merchants: all merchants not included in the descriptions for the above SAQ types. Service providers: all service providers defined by a payment brand as eligible to complete an SAQ.
Source: www.pcisecuritystandards.org
Questions for PCI DSS Basics
• Who must validate compliance annually?
  A. Only merchants and service providers that have had a data breach
  B. All merchants that store, process or transmit cardholder data
  C. All merchants and service providers that store, process or transmit cardholder data, regardless of the number of transactions
  D. Only merchants and service providers that process more than 20,000 transactions per year
• If I need help understanding whether I can self-assess and which self-assessment form to use, my best course of action is to:
  A. Obtain the forms from www.pcisecuritystandards.org
  B. Seek the assistance of a Qualified Security Assessor (QSA)
  C. Ignore the requirement because no one will ever know
  D. Both A and B
2015 Breaches by Industry
[Pie chart not reproduced in the transcript. Sectors shown: Business Sector, Government & Non-Profit, Medical, Unknown, Education. Shares shown: 53%, 19%, 12%, 8%, 8%.]
Source: Security Affairs: DATA BREACH QUICKVIEW
Data Breach – Methods of Intrusion
Method                           Percentage
Weak remote access security      28%
Weak passwords                   28%
Weak or non-existent validation  15%
Unpatched vulnerability          15%
Misconfiguration                  8%
Malicious insider                 6%
Data Security Observation – RISK!
“Some organizations will be a target regardless of what they do, but most become a target because of what they do.”
Questions for Anatomy of a Breach
• If I do not validate PCI DSS compliance annually:
  A. The acquirer can revoke my right to accept credit cards
  B. I am at greater risk for a data breach
  C. All merchants and service providers
  D. Both A and B
• I do not have to worry about a data breach because I have cyber security insurance. True or False?
• I do not have to worry about a data breach because I process very few transactions. True or False?
PCI Non-Compliance
Merchants and service providers that do not submit proof of compliance to their acquirer can be subject to the following:
• Penalties and fines for non-compliance (breach of contract)
• Fines from the card brands, passed on by the acquirer and seen as increased processing fees
• Revocation of the ability to accept credit card payments
• A data breach, since failure to implement the PCI DSS requirements leaves cardholder data exposed
Data Breach Costs
The merchant can incur, or be held liable for, the following costs associated with a data breach:
• Cost to notify victims and provide credit monitoring
• Cost to replace payment cards (credit, debit, HSA, gift)
• Cost associated with fraudulent transactions
• Forensic investigations
• Increased validation requirements and frequency
• Expense of revalidation by a QSA
Once a merchant has been breached, the merchant can no longer self-assess.
What's at Stake for Nonprofits and Public Sector?
• Significant risk to reputation
• Donor trust
• Credit card data stored for recurring membership or donation payments is at risk
• Funding can be difficult to obtain or allocate for internal projects
• Mobile payments at conferences or events pose a greater risk
Questions for Cost of Non-Compliance
• If I do not validate PCI DSS compliance annually:
  A. The acquirer can assess costly fines and penalties
  B. I am at greater risk for a data breach
  C. The ability to accept credit cards can be revoked
  D. All of the above
• My acquirer has not requested proof of compliance from me, so I do not have to validate my compliance. True or False?
Six Objectives and Twelve Requirements
Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
Source: https://www.pcisecuritystandards.org
Robust PCI DSS Compliance Program
• Executive commitment and oversight
• Accurate scoping
• Controls and control tests must be objective, valid, reliable and economical
• Report annually
• Monitor and nurture the PCI sustainment program
Controls, Tests and Evidence Clearly Defined
• Objective: the test must be fair
• Valid: the test must consistently measure a specific ability
• Reliable: sufficient evidence, and a clear understanding of who the accountable individuals are
• Economical: design control tests to be efficient and cost conscious
Report Annually
• File your Attestation of Compliance (AOC) with your acquirer on an annual basis.
• Inform your acquirer if your assessment results will be delayed.
• Maintain evidence with the report for at least two years (or in accordance with your company data retention policy).
Monitor and Nurture PCI Sustainment Program
• Define a test schedule for the year and monitor controls throughout the year.
• Monitor and report the status of control testing on a consistent basis.
• Ensure that any control failures are remediated and retested in a timely manner.
Questions for Building a Robust PCI Compliance Program
• True or False: Scoping is one of the most important functions of the annual PCI compliance assessment.
• True or False: The best PCI DSS Compliance Programs have a champion to promote security and build a strong security culture.
Marketability of your PCI Compliance
Once your organization is PCI compliant, publish this stamp on your website.
If You Enjoyed This Webinar…
Upcoming Courses:
• 3/31: Building an Actionable and Easy-to-Implement Business Continuity Plan
• 4/5 & 4/19: Leasing Unleashed – A Deep Dive into the New Standard
• 4/13 & 4/20: First Quarter Accounting and Financial Reporting Issues Update
• 4/28 & 5/17: Top Lessons Learned from the First Year of the Uniform Grant Guidance Implementation
Recent Publications:
• Report Asks for 501(c)(3) Application Improvements
• Managing Underwater Endowments for Not-for-Profit Organizations
• Does Your Not-for-Profit Need an Audit of Its Marketing, Fundraising Streams and Advertising?
Connect with Us
MHM: linkedin.com/company/mayer-hoffman-mccann-p.c. • @mhm_pc • youtube.com/mayerhoffmanmccann • slideshare.net/mhmpc
CBIZ: linkedin.com/company/cbiz-mhm-llc • @cbizmhm • youtube.com/BizTipsVideos • slideshare.net/CBIZInc