
Electronic Payments: PCI Compliance Program Overview


Presentation Transcript


  1. Electronic Payments: PCI Compliance Program Overview Rick Dakin, QSA Rick.dakin@coalfiresystems.com August 2008

  2. Who is Coalfire?
  • Founded in 2001, with offices in Denver, Seattle and NYC, with over 30 full-time IT auditors
  • Clients include Fortune 100, retail, government, education, financial, healthcare, law firm and manufacturing
  • Security, Governance, Compliance Management, Audit – GLBA, SOX, PCI, HIPAA, SAS70 & Government IT Governance and Compliance Management
  • Practice areas: Risk and Vulnerability Assessment, E-discovery and Forensic Analysis
  • Solutions: Policy Development, Data Classification, Logging and Monitoring, Incident Response, etc.
  • Application Security: PABP Certification, Code Audits, Penetration Testing, SDL Development

  3. Agenda
  • Compliance Overview
  • Cyber Threats
  • Payment Card Overview
  • PCI Compliance Controls Framework
  • Questions

  4. Compliance Trends: The Regulatory Environment Represents a New Enterprise Challenge
  1970-1980
  • Privacy Act of 1974
  • Foreign Corrupt Practices Act of 1977
  1980-1990
  • Computer Security Act of 1987
  1990-2000
  • EU Data Protection
  • HIPAA
  • FDA 21 CFR Part 11
  • C6-Canada
  • GLBA
  2000-Present
  • COPPA
  • USA Patriot Act 2001
  • EC Data Privacy Directive
  • CLERP 9
  • CAN-SPAM Act
  • FISMA
  • Sarbanes-Oxley (SOX)
  • CIPA 2002
  • Basel II
  • NERC CIP 02-09
  • CISP
  • Payment Card Industry (PCI)
  • California Individual Privacy SB1386
  • Other State Privacy Laws (38)

  5. State Privacy Laws
  • Businesses must establish basic information security programs.
  • In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers, resulting in new security requirements.
  • Businesses must proactively manage their confidential consumer information.
  • Businesses must take steps to know when their defenses have been breached.
  • Compliant infrastructures are required!

  6. Risks Have Increased as Technology Changed

  7. Unauthorized Users

  8. Attack Vectors
  • Virus attack
  • Spyware (intentional and unintentional)
  • Worms and Trojans
  • Image-embedded Trojans
  • Targeted attacks that exploit poor system configuration and vulnerabilities
  • Targeted attacks against a "friendly" who either loses your data or passes along the attack
  • Physical theft
  • System misuse by an authorized user
  • Internal staff
  • Third parties

  9. Stolen Account Data Value

  10. Scary Bedtime Stories: what is the cost of non-compliance?
  • Other headlines….
  • TJ Maxx causes several states to introduce new legislation to protect cardholder data.
  • Card Systems International forced to sell operations at a loss.
  • Ongoing compromises are driving changes in the DSS to include dual-factor authentication and wireless security.
  • DSW Shoe Warehouse customer database was hacked and 1.4 million records were stolen; DSW recorded an over-$6.5 million reserve on its 2005 financial statements.
  • FTC fines ChoicePoint $10 million for unfair business practices for failure to protect consumer data.

  11. Costs of a PCI Compromise
  A hypothetical merchant compromises 10,000 accounts when a third-party service provider has a server stolen. What is the potential financial impact?
  • Notify clients and provide privacy guard: $50 x 10,000 = $500,000
  • Fines and penalties: $10,000 to $1 million
  • Loss of clients: 10,000 clients – 15% = 1,500 clients; 1,500 x $100 in fees = $150,000 in lost fees
  • Fraud liability (ADCR): 1,000 accounts x $500 = $500,000
  • Reputation loss: PRICELESS!

  12. Cardholder Verification Number (CVV2) [card figure labelling the Cardholder Verification Number (CVN), also known as CID/CVV2/CVC2, and the CVV]

  13. PCI Relationship Matrix [diagram of the parties: Cardholder, Cardholder Environment, Merchant, App Vendors, Processor, Gateway, Service Provider, Acquiring Bank, Issuing Bank]

  14. PCI Data Security Standard

  15. PCI Compliance Levels
  • Merchant Level 1: any merchant processing over 6 million VISA or MasterCard transactions per year, OR identified by any card brand as a Level 1 merchant.
  • Merchant Level 2: any merchant processing 1 to 6 million VISA or MasterCard transactions per year.
  • Merchant Level 3: any merchant processing 20,000 to 1 million VISA or MasterCard e-commerce transactions per year.
  • Merchant Level 4: any merchant processing less than 20,000 VISA or MasterCard e-commerce transactions per year, and all other merchants with less than 1 million transactions.

  16. Compliance Validation Requirements

  17. New Self Assessment Questionnaire (SAQ)

  18. Visa Fine Schedule* (other card associations have different costs)
  • Data compromise or non-compliance with PCI requirements:
  • First violation -- up to $50,000
  • Second violation -- up to $100,000
  • Third violation -- at Visa’s discretion for more than two violations in 12 months
  • Merchants who store full-track data:
  • Initial penalty of $50,000
  • Thereafter Visa assesses fines up to $100,000 monthly until track data is removed
  * Representative fine structure based on public information distributed by Chase Paymentech. Actual fines to merchants may vary based on their acquirer.

  19. Assessment Scope: where is the cardholder data? [diagram of the customer production environment; elements as labelled:]
  • POS Terminals (card present in stores and parking facilities)
  • Web Server (card not present)
  • Authorization Transaction Servers or Payment Gateway
  • Transaction Record & Archive
  • Phone, Fax, Email
  • Batch Settlement
  • Admin Environment: Marketing, Customer Service, Ecommerce, Phone / Fax, Gift Cards, Fraud, Accounting / Administration
  • Application Servers, Back Office & Customer Svc, Data Warehouse
  • Payment Gateway and Transaction Database
  • Acquiring Bank (Wells Fargo, BoA, Chase)
  • Document Vaults (paper records)
  • Portal Access to Reconciliation Data (Charge Back / Sales Audit)
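The scoping question on this slide, together with the full-track-data penalties on slide 18, is in practice answered by scanning stored files and logs for card numbers and track layouts before an assessment. The following is an added example, not part of the presentation or of Coalfire's own tooling: a small Python discovery check that flags Luhn-valid PANs and Track 1/Track 2 formats in constructed sample lines and reports PANs masked to the last four digits. The regular expressions, the 13-19 digit length bound, and the sample values are assumptions.

```python
import re

# Constructed sample lines standing in for a log export examined during scoping.
# The card numbers are well-known test PANs (they pass Luhn but are not real
# accounts). The %B line imitates the magnetic-stripe Track 1 layout %B<PAN>^<NAME>^...
SAMPLE_LINES = [
    "order=1001 card=4111111111111111 exp=0910 status=approved",
    "order=1002 card=************1111 exp=0910 status=approved",
    "order=1003 card=1234567812345678 exp=0910 status=declined",
    "trace=%B5555555555554444^DOE/JOHN^09101011000000000000?",
    "invoice 10001234567890 shipped",
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")          # 13-19 digit run, not part of a longer one
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B PAN ^ name ^ expiry
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4}")          # PAN = expiry

def luhn_ok(number: str) -> bool:
    """Mod-10 check every card number satisfies; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the last four digits so the report is not itself cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, detail) findings for one line: track data and Luhn-valid PANs."""
    findings = []
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        findings.append(("TRACK_DATA", "prohibited full-track data"))
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("PAN", mask(m.group(1))))
    return findings

def scan(lines) -> dict:
    """Map line index -> findings for every line that holds cardholder data."""
    result = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            result[i] = found
    return result

for idx, found in scan(SAMPLE_LINES).items():
    print(f"line {idx}: {found}")
```

Only the already-masked and the non-Luhn lines are skipped; the track-format line is reported twice, once for the prohibited layout and once for the PAN it carries.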

  20. New Visa Application Requirements Oct 23 Announcement from Visa: “It is critical that merchants and agents do not use payment applications known to retain prohibited data elements and that corrective action is immediately taken to address any identified deficiencies because these applications are at risk of being compromised.”

  21. Summary
  • Assessment – vs - Audit
  • Penalties for non-compliance are high, but guidelines on "Assessment" procedures are marginal (sample size, evidence of control effectiveness, retention period, testing oversight)
  • The testing procedures for each control activity are PRESCRIPTIVE .. maintain evidence of controls
  • Self Assessment Questionnaire must track to the environment
  • Organizations may not understand the cardholder environment
  • Reporting process depends on the acquiring bank
  • More risks to manage than test procedures measure (example: Hannaford)

  22. Questions
  Knowledge – Action = Negligence
  Rick Dakin, Rick.dakin@coalfiresystems.com, 303.554.6333 ext. 7001
