1 / 26

The ABC’s of PCI DSS

Utility Payment Conference. Eric Beschinski Relationship Manager. The ABC’s of PCI DSS . &. Kay Limbaugh Specialist, Electronic Bills & Payments. A wareness. B enefits &. C onsequences. What is PCI Compliance?. Misnomer… PCI DSS v2.0 Comprehensive security standards QRG is 34 pages

chelsi
Download Presentation

The ABC’s of PCI DSS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Utility Payment Conference Eric Beschinski Relationship Manager The ABC’s of PCI DSS & Kay Limbaugh Specialist, Electronic Bills & Payments

  2. Awareness Benefits & Consequences

  3. What is PCI Compliance? • Misnomer… PCI DSS v2.0 • Comprehensive security standards • QRG is 34 pages • Official Document is 75 pages • PCI SSC • Standards endorsed by the card brands

  4. Moving Target • Snapshot (point in time) • Requires continual monitoring • One minor change could remove the organization from compliance

  5. What isn’t PCI Compliance? • Not legislation • Not a “one-time-deal” • Not just your processor or POS provider’s problem • Not a one-size-fits-all scenario • Different for each merchant • Different for each card brand

  6. PCI DSS Overview Goals: Requirements: Firewall Change all passwords from system defaults Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks (the Internet) Use updated antivirus software Develop and maintain secure systems & applications • Build & Maintain a secure Network • Protect Cardholder Data • Maintain a Vulnerability Management Program

  7. PCI DSS Overview Goals: Requirements: Restrict access to cardholder data by “need-to-know” Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track & monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for all personnel • Implement Strong Access Control Measures • Regularly Monitor & Test Networks • Maintain an Information Security Policy

  8. Big Picture Accountability Best Practices Consumer Safety

  9. Steps Assess ↔Remediate ↔Report

  10. You are not compliant if you don’t… • Complete the SAQ annually ( • Have your network scanned for vulnerabilities quarterly by an ASV (for processing via system connected to the internet) • QSA or Internal audit

  11. Who really knows if you’re compliant? • Only top-level management (and maybe a QSA) • NOT… • Your processor • Your POS provider • Your IT company • A sales person • Nobody without a SAQ

  12. Enforcement? • Lacking • No problem until there’s a problem • Like the Health Dept... • From those in authority, it’s enforcement after-the-fact • Up to you to be proactively self-enforced to prevent a breach

  13. Why be concerned? • Investigative fees • Fines • Cost to upgrade/fix the problem • Lawsuits • Blacklist • Media • Customer confidence • Very, very expensive!

  14. Another Breach & Counting… • 333 breaches as of 8/1 with almost 23M records affected including • Sony • Epsilon • Citigroup • Lockheed Martin • 603 breaches in 2010 affecting over 12M records • Since 2005, over 2600 breaches affecting over 535M records Data provided by PrivacyRights.org

  15. Top 10 Breaches • TD Ameritrade Holding Corp (2007) 9. Fidelity National Information Services/Certegy Check Services Inc. (2007) 8. Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) (2011) 7. Bank of New York Mellon (2008) • Countrywide Financial Corp. (2008) • US Dept. of Veterans Affairs (2006) • CardSystems (2005) 3. US Military Veterans (2009) 2. TJ Stores (2007) 1. Heartland (2009)

  16. Heartland • Certified compliant just weeks before the breach • Security breach discovered in Jan 2009 (had been in place for possibly 6 months prior) • De-certified post-breach • Hundreds of Millions in fines/fees/lawsuits • Bad press

  17. Turning it around • Re-certified May 2009 • Proactive response • Good press • National Restaurant Association • Launched E3 May 2010 • Earnings up • Stronger than ever

  18. Lessons to be learned from the Heartland breach • PCI DSS is a good minimum standard but will not guarantee safety • If your company is big enough you will become a target • No security is fail-proof • Criminals working continually to break-in

  19. Who is most at risk? • All merchants • Level 1 & 2 (High Value) • Level 3 (High Risk) • Level 4 (High Success / Quick Return)

  20. Then What Good is PCI DSS? • Ensures that you are not an EASY target (low-hanging fruit) • Common sense security measures • Possibly some protection from fines/lawsuits • Good faith argument • Responsible party argument

  21. Key Issues for Utility Industry Applications: • Software • POS • Antivirus • Firewall • Web/Payment Gateway • Hardware • Firewall • POS • Pin Pads • Business Procedures • Recording calls • Storing card data • Access Control • Connection • VOIP • Encryption

  22. Myths • One vendor/product will make us compliant • Outsourcing card processing will make us compliant • Compliance is an IT project • Compliance will make us secure • PCI DSS is unreasonable; it requires too much

  23. Myths • PCI DSS requires us to hire a QSA • We don’t take enough credit cards to require compliance • We completed a SAQ so we’re compliant • PCI DSS makes us store cardholder data • PCI DSS is too hard

  24. In Conclusion Always Be Compliant!

  25. Alphabet Soup • AOC – Attestation of Compliance • ASV – Approved Scanning Vendor • DSS – Data Security Standards • ISA – Internal Security Assessor • PA-DSS – Payment Application Data Security Standards • PAN – Primary Account Number • PCI – Payment Card Industry • PED – PIN Entry Device • PFI – PCI Forensic Investigator • PIN – Personal Identification Number • PTS – PIN Transaction Security (formerly PED) • QRG – Quick Reference Guide • QSA – Qualified Security Assessor • ROC – Report On Compliance • SAQ – Self Assessment Questionnaire • SSC – Security Standards Council

  26. Q & A Eric Beschinski Relationship Manager Heartland Payment Systems 219-448-5169 eric.beschinski@e-hps.com Kay Limbaugh Specialist, Electronic Bills & Payments Portland General Electric 503-612-3640 Kay.Limbaugh@pgn.com

More Related