Burton Group Take 5!
The PCI Half-Dozen: 6 Recommendations for PCI Compliance
Diana Kelley, VP & Service Director
March, 2007
The PCI Half-Dozen
It’s 5pm – do you know where your credit card numbers are?
• “BJ'S Wholesale Club Settles FTC Charges”
  • ~Thousands of credit and debit card numbers
  • http://www.ftc.gov/opa/2005/06/bjswholesale.htm
• “Customer Data Breach Began in 2005, TJX Says”
  • ~card numbers impacted? – still investigating
  • http://www.washingtonpost.com/wp-yn/content/article/2007/02/21/AR2007022102039_pf.html
• “CardSystems' Data Left Unsecured”
  • ~40 million card numbers impacted
  • http://www.wired.com/news/technology/0,1282,67980,00.html
The PCI Half-Dozen
Covered Data Elements (Data Source: PCI DSS Version 1.1, September 2006)
The PCI Half-Dozen
1. Get the Facts
  • Go to the source – the PCI Data Security Standard and the PCI DSS Security Audit Procedures
  • Self assess – uncover and remediate gaps in advance
2. Segment the Scope
  • PCI DSS applies to the cardholder data environment
  • Reduce scope through zoning and segmentation
3. Don’t Store What You Don’t Need
  • No Track II/Sensitive Auth Data!
  • But do you need the Cardholder data at all?
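The self-assessment in item 1 and the "don't store what you don't need" rule in item 3 come together in a data-discovery check: scan your own logs and databases for stored Track II data (which PCI DSS forbids keeping after authorization) and for full PANs (which must be protected or truncated). The following is an added example, not part of the Burton Group deck and not PCI SSC tooling. It assumes the standard Track II layout (PAN, "=" separator, YYMM expiry, 3-digit service code, discretionary data) and uses constructed sample records built from the well-known Visa and MasterCard test card numbers; the function and record names are the example's own.

```python
import re

# Track II (magnetic stripe) layout, assumed standard:
#   [;] PAN(13-19 digits) = YYMM SSS discretionary-data [?]
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# Bare 13-19 digit runs are PAN candidates; confirmed with a Luhn check below
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample records (industry test card numbers, not real accounts)
CONSTRUCTED_RECORDS = [
    "auth ok track=;4111111111111111=29121011234567890? amt=19.99",  # stored Track II
    "order 4471 card=5500000000000004 exp=12/29",                     # full PAN in clear
    "order 4472 card=550000******0004 exp=12/29",                     # already truncated
    "order 4473 ref=1234567890123456",                                # fails Luhn, not a PAN
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the maximum PCI DSS 1.1 req 3.3 allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> dict:
    """Find Track II data and clear-text PANs in one record; report PANs masked."""
    findings = {"track2": [], "pan": []}
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group("pan")):
            findings["track2"].append(mask_pan(m.group("pan")))
    # Remove Track II hits first so their PANs are not double-counted as bare PANs
    remainder = TRACK2_RE.sub("", text)
    for m in PAN_RE.finditer(remainder):
        if luhn_ok(m.group(1)):
            findings["pan"].append(mask_pan(m.group(1)))
    return findings


def classify(findings: dict) -> str:
    """Map findings to the action PCI DSS implies for the record."""
    if findings["track2"]:
        return "SAD: sensitive authentication data must not be stored; purge"
    if findings["pan"]:
        return "CHD: full PAN stored; protect per req 3.4 or truncate"
    return "clean"


def scan_all(records=CONSTRUCTED_RECORDS) -> list:
    """Return (record index, findings, classification) for each record."""
    results = []
    for idx, rec in enumerate(records):
        f = scan_record(rec)
        results.append((idx, f, classify(f)))
    return results


if __name__ == "__main__":
    for idx, f, verdict in scan_all():
        print(idx, verdict, f)
```

Run against the constructed records, the scanner flags record 0 as stored sensitive authentication data, record 1 as a clear-text PAN, and leaves the truncated and non-Luhn records alone. Because the output only ever carries masked PANs, the scan report itself does not become another place where cardholder data is stored.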
The PCI Half-Dozen
4. Be Prepared and Be a Partner
  • Work with Qualified Security Assessors (QSA) or in-house assessors
  • Agree on the scope up-front
  • Prepare supporting documentation – including for compensating controls
  • Build remediation plans – and follow them
5. Get Involved
  • Changes were made between v1.0 and v1.1 in part due to feedback
  • Merchants and Payment Service Providers can become “Participating Organizations” of the SSC
6. Build a Compliance Program
  • Compliance is about more than PCI
  • Take a long-view approach to compliance as a whole
Thank you!
For more information:
• Burton Group Security and Risk Management Strategies Overview – “What and Why PCI? Inside the Payment Card Industry Data Security Standards,” http://www.burtongroup.com/content/doc.aspx?cid=1001
• The PCI Security Standards Council, http://www.pcisecuritystandards.org
• Payment Card Industry (PCI) Data Security Standard, Version 1.1, https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
• PCI DSS Security Audit Procedures, https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf