Symbiotic Consulting Group LLC - PCI Compliance Overview
1. Symbiotic Consulting Group LLC
PCI Compliance – Background, Importance
and Options for your Organization
September 10, 2015
www.symbioticconsultinggroup.com
2. Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
Key Topics
• PCI Meaning and Definition
• PCI Evolution
• Meaning of PCI DSS
• PCI Compliance Criteria
• What does this mean to my company?
• Case Study: 2013 Breach of Target
PCI Meaning and Definition
The Payment Card Industry Data Security Standard (PCI DSS) is a set
of requirements that applies to EVERY organization that stores,
processes, or transmits cardholder data, regardless of its size or
transaction volume, and requires that data to be handled in a secure
environment
• This has to be a joint effort between IT and Business
teams
PCI Meaning and Definition (cont.)
Common PCI Myths
• We don’t take enough cards to necessitate compliance,
hence PCI is irrelevant
• Our company outsources card processing so we are
compliant
• PCI is just an IT issue and they will deal with it
• PCI is unreasonable / difficult
• PCI compliance makes us secure
• We can’t be a target
PCI Evolution
The PCI Security Standards Council (PCI SSC) was founded in 2006 by
the five major card brands:
• Visa
• MasterCard
• Amex
• Discover
• JCB
Each card brand has input into the standards the Council publishes,
but each brand enforces compliance through its own program (merchant
levels, validation deadlines and fines), not the Council.
PCI Evolution (cont.)
For PCI purposes a payment card (not only a "credit card") is any
card backed by a major card brand, including but not limited to
the following:
• Credit
• Debit
• HSA
• FSA
• Payroll
• Others
PCI Evolution (cont.)
The PCI Security Standards Council is responsible for the
oversight of the PCI Standards, which include the following:
• PCI DSS – Data Security Standard, for any entity that stores,
processes or transmits cardholder data
• PA-DSS – Payment Application DSS, for commercial payment software
• P2PE – Point-to-Point Encryption solution requirements
• PTS – PIN Transaction Security requirements for payment devices
Meaning of PCI DSS
• A baseline set of security controls for cardholder data; meeting
it is necessary but not, by itself, sufficient for security
• Set of 12 requirements grouped into 6 goals, as follows:
1. Build and maintain a secure network and systems
(Req. 1 firewalls; Req. 2 no vendor-supplied defaults)
2. Protect cardholder data
(Req. 3 protect stored cardholder data; Req. 4 encrypt transmission
across open, public networks)
3. Maintain a vulnerability management program
(Req. 5 anti-malware; Req. 6 secure systems and applications)
4. Implement strong access control measures
(Req. 7 need-to-know access; Req. 8 identify and authenticate;
Req. 9 restrict physical access)
5. Regularly monitor and test networks
(Req. 10 log and monitor all access; Req. 11 regularly test security
systems and processes)
6. Maintain an information security policy
(Req. 12 security policy for all personnel)
Meaning of PCI DSS (cont.)
• Depending on the organization, other PCI standards apply
alongside PCI DSS:
PA-DSS, if you develop or sell a commercial payment application
P2PE, if you provide or use a validated point-to-point encryption
solution (a validated P2PE solution can reduce PCI DSS scope)
PTS, for the PIN-entry and payment devices you deploy
PCI Compliance Criteria
• Which controls apply is determined by how your organization
stores, processes, and/or transmits cardholder data across your
infrastructure; every system that touches that data is in scope
• Validation requirements are based on "Level" and "Type"
• Level is set per card brand by the number of transactions
performed in a 12-month period
• Type is defined by how your organization accepts payment cards
and determines which Self-Assessment Questionnaire (SAQ) applies
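Scoping starts with knowing where primary account numbers (PANs) actually sit in your systems, and the usual surprise is that they turn up in logs, exports and file shares nobody considered part of the cardholder data environment. As an added example (not part of the original deck), the following Python script scans text such as application logs for candidate PANs, discards false positives with the Luhn check and the issuer prefix ranges of the five brands named above, and reports each hit masked to the first six and last four digits, the maximum PCI DSS Requirement 3.3 permits to be displayed. The sample log lines are constructed for this example; the card numbers in them are well-known public test numbers, not real accounts, and the prefix ranges are assumed from public IIN assignments.

```python
"""Added example: find candidate PANs in text for PCI DSS scoping.

Not part of the original deck. The sample input is constructed and the
card numbers in it are public test numbers. Brand prefix ranges are an
assumption based on public IIN assignments for the five brands named on
this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# (brand, inclusive prefix ranges, allowed PAN lengths)
_BRANDS = (
    ("Visa", ((4, 4),), (13, 16, 19)),
    ("MasterCard", ((51, 55), (2221, 2720)), (16,)),
    ("American Express", ((34, 34), (37, 37)), (15,)),
    ("Discover", ((6011, 6011), (644, 649), (65, 65)), (16, 19)),
    ("JCB", ((3528, 3589),), (16, 19)),
)


@dataclass(frozen=True)
class PanHit:
    line_no: int
    brand: str
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every brand above issues Luhn-valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> Optional[str]:
    """Return the brand whose prefix range and length match, else None."""
    for name, ranges, lengths in _BRANDS:
        if len(pan) not in lengths:
            continue
        for lo, hi in ranges:
            width = len(str(lo))
            if lo <= int(pan[:width]) <= hi:
                return name
    return None


def mask_pan(pan: str) -> str:
    """Keep first six and last four, the most PCI DSS 3.3 allows shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[PanHit]:
    """Scan text line by line; keep only Luhn-valid, brand-matching runs."""
    hits: List[PanHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_ok(digits):
                continue  # order IDs, reference numbers, timestamps
            brand = brand_of(digits)
            if brand is None:
                continue  # Luhn-valid but not a card prefix/length
            hits.append(PanHit(line_no, brand, mask_pan(digits)))
    return hits


# Constructed sample: an application log that leaks card data at DEBUG level.
SAMPLE_LOG = """\
2015-09-10T14:02:11Z INFO  order=1234567812345678 status=ok
2015-09-10T14:02:12Z DEBUG card=4111 1111 1111 1111 exp=12/17 cvv=123
2015-09-10T14:02:13Z DEBUG card=378282246310005 name="J. Doe"
2015-09-10T14:02:14Z INFO  phone=561-922-0120 ref=4111111111111112
2015-09-10T14:02:15Z DEBUG card=5555-5555-5555-4444 amount=19.99
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.brand} {hit.masked}")
```

Run it over exported logs, database dumps and file shares before drawing the cardholder data environment boundary: every file with a hit belongs to a system that is in scope. Line 2 of the sample also carries cvv=123; the card verification value is sensitive authentication data and must never be stored after authorization (Requirement 3.2), so that line remains a finding even once the PAN is masked.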
PCI Compliance Criteria (cont.)
Levels are based on the number of transactions. Visa defines
them as follows:
Level 1: Merchants processing over 6 million Visa transactions per
year, regardless of acceptance channel, OR any merchant that Visa,
at its sole discretion, determines should meet Level 1 requirements
to minimize risk to the Visa system
Level 2: Merchants processing 1 million to 6 million Visa transactions
per year, regardless of acceptance channel
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce
transactions per year
Level 4: Merchants processing fewer than 20,000 Visa e-commerce
transactions per year, and all other merchants, regardless of
acceptance channel, processing up to 1 million Visa transactions
per year
PCI Compliance Criteria (cont.)
Types are defined by how your organization accepts payment
cards; each type maps to a Self-Assessment Questionnaire (SAQ):
SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants
with all cardholder data functions outsourced; never applies to
face-to-face merchants
SAQ B: Imprint-only merchants with no electronic cardholder data
storage, or stand-alone dial-up terminal merchants with no
electronic cardholder data storage
SAQ C: Merchants with payment application systems connected to the
Internet, no electronic cardholder data storage
SAQ C-VT: Merchants using only web-based virtual terminals, no
electronic cardholder data storage
SAQ D: All other merchants not included in types A through C above,
and all service providers defined by a payment brand as eligible
to complete an SAQ
Note: SAQ version 3.0 added types A-EP, B-IP and P2PE-HW; check the
current SAQ instructions and guidelines before choosing a type, since
the wrong SAQ leaves controls unassessed.
What does this mean to my company?
Action on your organization’s part for PCI:
• Depending on your SAQ "Type", you will have to address
anywhere from roughly 15 to well over 200 requirements
Cost Impact:
• Hardware
• Software
• Application Maintenance (Data encryption, security
etc)
• Internal Resources
• External Resources
What does this mean to my company?(cont.)
Based on merchant level, Visa requires the following validation:
Level 1:
• Annual Report on Compliance ("ROC") completed by a Qualified
Security Assessor ("QSA")
• Quarterly network scan by an Approved Scanning Vendor ("ASV")
• Attestation of Compliance ("AOC") form
Level 2:
• Annual Self-Assessment Questionnaire ("SAQ")
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 3:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance form
Level 4:
• Annual SAQ recommended
• Quarterly network scan by ASV, if applicable
• Compliance validation requirements set by the merchant's acquiring
bank
Case Study: 2013 Breach of Target
What happened:
• ~40 million credit and debit card numbers (magnetic-stripe data)
and ~70 million customer records (names, addresses, phone numbers,
e-mail addresses) were stolen
• Theft period: November 27 – December 15, 2013
• Initial access came through network credentials stolen from a
third-party vendor
• Memory-scraping malware on point-of-sale terminals captured card
data in the clear, before it was encrypted for transmission
• Not detected internally in time to stop it; Target was notified by
federal investigators and had confirmed the breach and removed the
malware by December 15
Case Study: 2013 Breach of Target(cont.)
Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?
Costs:
• Credit monitoring for affected customers
• Fines, sanctions and lawsuits
• Reputational damage
Thank You!!!
Phone: 561-922-0120
Email: info@symbioticconsultinggroup.com
Our Global Office Locations
USA Headquarters Office Florida
2701, N.W. 2nd Avenue #214
Boca Raton, FL - 33431
Tel : 561-922-0120
Fax: 561-455-9893
USA Texas Branch
9660 Audelia Road, Suite 123-51
Dallas, TX 75238
Tel : 561-922-0120
Fax: 561-455-9893
Europe (Romania) Shared Services Branch
Aviatorilor 5A, Suite 47
Baia Mare, Maramures
430223, Romania, Europe
Tel: +40 362 881 664
India (Pune) Branch
C-30, KPCT Mall, Fatima Nagar
Pune, Maharashtra, 411040
Tel : 561-922-0120
Fax: 561-455-9893