This document discusses navigating PCI compliance and payment security standards. It provides an overview of the PCI Security Standards Council, the development of the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard. It outlines requirements for companies that accept credit cards, including adhering to PCI compliance standards, conducting quarterly vulnerability scans, and the consequences of non-compliance such as fines and legal liability. The document stresses the importance of security training to address the human element of data breaches and provides tips to reduce risk such as not storing card data, using validated payment systems, strong passwords, and updating software.
2. This Is Where it All Began
December 15, 2004
PCI DSS V1.0 is launched
3. Payment Credit Card Security Standards
Who is the PCI Security Standards Council?
• The PCI Security Standards Council is an open global forum responsible for the development, management, education, and awareness of the PCI Security Standards
• Works closely with the five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
• PCI Council official launch occurred in 2006
• Current Data Security Standard is V3.0, published in November 2013
• The Standards Committee has established: Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
4. What is PCI DSS and PA-DSS?
• PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
• This applies to any organization with a Merchant ID (MID)
• PCI DSS V3.0 requirements must be completed by December 31st
• Payment Application Data Security Standard (PA-DSS) is the global security standard created by the PCI Council in an effort to provide the definitive data standard for software vendors that develop payment applications (i.e. POS applications or website ecommerce)
5. How Does This Affect My Business?
Managing the Requirements:
• Companies that accept, process, transmit, or store payment cardholder data must adhere to PCI Compliance requirements
• Having an SSL certificate for your website is not enough, as this doesn’t prevent malicious attacks or intrusions from occurring
• If you electronically store cardholder data post authorization, or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required
Positive Impact and Benefits:
• Compliance with the PCI DSS means that your systems are secure, and you earn customers’ trust in managing their personal information, resulting in future business potential
• Helps you to be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
• Establishes a baseline corporate security strategy
• Assists in identification of methods to improve the efficiency of your IT infrastructure
6. What Happens if I don’t Comply?
• Payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations
• Banks will also most likely either terminate your relationship or increase transaction fees if your organization is non-PCI compliant
• Potential for lost revenues, customer transitions, and an overall negative image in the marketplace could negatively impact future earnings potential
• Liable for lawsuits, insurance claims, cancelled accounts, payment card issuer fines, along with government fines
8. Current State of Data Security
• Breaches make headlines
• Businesses at risk regardless of size
• The enemy is getting smarter
• Companies must:
• Understand the threats
• Take steps to protect themselves and their customers.
9. Need for Training
• Industry demand has never been higher
• The weakest link: The human
• Social engineering
• Lost/compromised login credentials
• Careless behavior accounts for most incidents
10. Reduce the Risk – Don’t Store Data
• Don’t store any payment card data
• The less you have, the smaller a target you’ll be
• Know what your vendors are storing.
11. Reducing Risk – 3rd Party Data Security
• Use PCI validated Point of Sale systems
• Confirm that your vendors follow the PCI DSS and the PA-DSS
• Talk to your bank about reviewing your technology and data storage practices
12. Reducing Risk – Strong Passwords
• Changing default passwords could have helped avoid the majority of compromises.
• Nearly 80% of breaches of confidential consumer information involved compromised passwords.
13. Reducing Risk – Updating Software
• Hackers take advantage of software bugs
• Product vendors deal with this by releasing software updates and patches
• Use automated alert services
14. Become Part of the Solution
1. Understanding of PCI Compliance and Requirements
2. Ongoing Education and Awareness
3. Take Steps to Safeguard your Business
4. Get Involved
5. Have a Plan
Editor’s notes
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The PCI Council is a non-profit organization whose mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data.
These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats
The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals
When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise
But if you are not compliant, it could be disastrous:
Compromised data negatively affects consumers, merchants, and financial institutions
Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
One area that continues to grow in importance is user training for the people involved in processing, storing, managing, or handling personal cardholder information. This covers everything from updating your passwords, to avoiding phishing techniques and social engineering ploys, to protecting your mobile devices by keeping software current. There are numerous real world examples that highlight the need for ongoing training and education so that users don’t fall prey or become victims to these potential threats.
One organization that provides some good insights into this topic is the Ponemon Institute, an independent research firm that focuses on education to advance responsible information and privacy management practices within business and government. Its stated mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. In a recent research report prepared by the Ponemon Institute, ‘Exposing the Cybersecurity Cracks: A Global Perspective’, the following information was presented:
Raising the Human Security IQ:
Fifty-two percent of companies do not provide cybersecurity education to their employees, with only 4 percent planning to do so in the next 12 months.
Under half (42 percent) had undergone a cyber threat modelling process in their present role. Of those that did, nearly all, (94 percent) found it to be important in terms of managing their cyber risk.
In a recent UK survey of financial services cyber security skills programs: almost all employers are looking for experienced staff, not trainees, and few have the skills in-house to organize a training program. There is, however, serious interest in using the frameworks on a modular basis to upgrade the skills of those in post and to cross-train users who understand the business.
With criminals looking to steal valuable payment card information, businesses of all sizes are at risk.
And persistent hackers are growing increasingly sophisticated and creative, so it’s important to clearly understand the nature of the threats that face us and take the necessary steps to protect our businesses and our customers.
Employees are the first line of defense against security attacks. But a lack of proper training and awareness can turn employees from assets into liabilities.
In fact, a recent forensics report highlights the importance of educating employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing…
However, an Enterprise Management Association report states that 54% of employees have not received any security awareness education, so you can see there’s quite a need for additional education in the market.
So in addition to improving training and education, there are other steps you can take to reduce your risk.
Most businesses don’t need to store any payment card data, so the number one thing you can do to limit your risk is to not store it unless absolutely necessary for business purposes!
The less you have, the less of a target you’ll be for hackers - so you need to make sure that you are not storing this data in your computers or on paper.
In addition to knowing what data you store, it’s important to know what your technology vendors are storing.
If you are using commercially available point-of-sale, or POS systems, ask your payment software vendor to confirm that your software version has been PCI validated as not storing this data. Or, even better, go to the PCI Council’s website yourself and check the listing of validated payment software to see if yours is on there.
Also confirm with your payment processor that they are following the PCI Data Security Standard and the Payment Application Data Security Standard – and that all cardholder data storage is necessary and appropriate for the transaction type.
And don’t forget to talk to your bank about reviewing your technology and data storage practices.
Data breach reports continue to highlight that simple security measures such as changing passwords could have helped companies avoid the majority of compromises.
Are you still using the blank or default password that came with your computer or payment software or device? Or are you using 12345 or password1?
By using easy or default passwords, you leave the door wide open for attacks on your business.
It’s been estimated that nearly 80% of breaches of confidential consumer information involved compromised passwords.
Hackers are always looking to take advantage of the latest known software bugs as well as uncover unknown problems with commercially available software products.
Product vendors deal with this by releasing software updates or patches - but these are only good if you’re actually using them!
Not doing your security software updates is like having locks on your doors but not locking them!
Without the latest protections for your computer against viruses, spyware and other malicious software that can compromise your business, you’re leaving the door wide open for hackers.
Many vendors now offer automated alert services that provide prompt notification to their clients.
Some vendors also provide automated patching mechanisms.
Take these alerts seriously and make sure you’re taking advantage of the latest updates to protect your computers and your business.
The best way to learn more about PCI Compliance is to keep current with industry news, keeping you and your teams educated on the latest threats and how to avoid these risks. In many cases the easiest way to prevent an attack is to have users trained on what to watch out for, so consider implementing a security awareness training program for your company. The PCI Council has some great free resources on its website which you can leverage, and you have the opportunity to participate via planning committees, community meetings, and updates via ongoing communications.