PCI DSS Readiness
Presented By: Paul Grégoire, CISSP, QSA, PA-QSA
PCI DSS Program Overview
• PCI Standards Council
• Payment Industry Terminology
• What Level Are We? (Levels)
• It’s Not Just IT !!
• Myths & Reality…
• Why Do We Need To Focus On The DSS
• PGSecure Can Help (QSA, only 1800 Certified Worldwide)
PCI DSS Program Overview
An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis.
Founding Brand Members:
• American Express
• Discover Financial
• JCB
• MasterCard Worldwide
• Visa Inc.
Payment Industry Terminology
• Cardholder
  • Customer purchasing goods either as a “Card Present” or “Card Not Present” transaction
  • Receives the payment card and bills from the issuer
• Issuer
  • Bank or other organization issuing a payment card on behalf of a Payment Brand
  • Payment Brand issuing a payment card directly (Amex, Discover, JCB)
• Merchant
  • Organization accepting the payment card for payment during a purchase
• QSAC - QSA
  • QSAs are only certified and valid if working for a Qualified Security Assessor Company (QSAC)
Payment Industry Terminology
• Acquirer
  • Bank or entity the merchant uses to process their payment card transactions
  • Receives authorization requests from the merchant and forwards them to the Issuer for approval
  • Provides authorization, clearing and settlement services to merchants
  • Determines and advises the Merchant Level (1-4) of all merchants
• Acquirer is also called:
  • Merchant Bank
  • ISO
Payment Industry Terminology
• The merchant will incur any liability that may result from non-compliance with payment brand compliance programs
• Merchants are not compliant until all requirements have been met and validated
• Acquirer is responsible for providing merchant status to the payment brands
• Acquirer is responsible for merchant compliance
  • Ensures that their merchants understand PCI DSS compliance requirements and tracks compliance efforts
  • Manages merchant communications
• Merchant Levels are:
  • Defined by the Payment Brand
  • Determined by the Acquirer based on transaction volume of each card brand
Payment Industry Levels 1 to 4
Canada - Mandatory signoff by a QSA for all SAQs
It’s Not just IT – Myths Vs. Reality ? Myth # 1
• Myth: PCI just does not apply to us, because…
  • We are too small, a small company or non-profit org., we only do some e-commerce or POS, we outsourced “everything”…
• Reality: PCI DSS DOES apply to you if you “accept, capture, store, transmit or process credit card holder data,” no exceptions!
  • The organization must be compliant, not just IT!
It’s Not just IT – Myths Vs. Reality ? Myth # 2
• Myth: PCI is easy: you just have to “say Yes” on the SAQ and “get scanned”
• Reality: Not exactly – you need to:
  • A) Get a scan 4 times a year and resolve the vulnerabilities found – you need 4 clean scans per year.
  • B) Really do the things the questions refer to – and prove it!!
  • C) Keep doing it – forever!
  • D) Get the SAQ signed off by a Qualified Security Assessor working for a QSAC
It’s Not just IT – Myths Vs. Reality ? Myth # 3
• Myth: My tools are PCI compliant, so my network and apps are too!!
• Reality: there is no such thing as “PCI compliant” tools or networks:
  • Fact – The PCI DSS applies to the organization as a whole.
  • PCI DSS combines technical AND process, policy and management issues, as well as awareness and practices.
  • Example: An application may be compliant, however this is only 1 element of the standard in overall compliance.
Why do we need to focus on the PCI DSS ?
• Where do the attacks come from?
  • Most come from foreign soil – very difficult to track and seek legal action against – and most of all, loss of reputation is the biggest factor. “Remember the Passport incident?” – NO CHD lost, however “Web attacks” compromised many people’s personal information…
PCI DSS It Can’t Happen To Me !!!
“Direct correlation to number of employees in a company and breach percentage.”
PCI DSS It Can’t Happen To Me !!!
• PCI Data Breach Fines and Penalties
  • Stiff fines and penalties ranging from $10K - $500K per month for non-compliance
  • $500K fine per credit card data compromise incident if not PCI compliant
  • $100K fine if Visa is not immediately notified of a suspected data breach
  • If track data or other sensitive data elements were compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as the cost of card reissuance (est. $7-$20 per card)
  • Probable termination of credit card processing privileges for a period of time
• Other:
  • Cost associated with brand damage and lost revenue
  • Forensics assessment, incident investigation and containment
  • Identity protection for impacted individuals (~$30 per person)
  • IT and security remediation and enhancements
  • Potential lawsuits and liability in the event that privacy data was compromised
  • Cost of recertification
  • Cost of Level 1 mandated assessments ($75K or more annually) until the acquirer is satisfied to move the merchant back to the true merchant level
Steps in the process…
• PCI Data Security Readiness Review: Identify the major gaps and opportunities to improve your current security posture
• PCI Data Security Assessment: A full Data Security Assessment performed in accordance with the PCI Data Security Standard and Audit Procedures
• SAQ Consulting / Signoff: Provide consulting services to help the client understand the intent of each requirement in the Self Assessment Questionnaire
• PCI Data Security Remediation Service: A consolidation and remediation of gaps found in your cardholder information processing environment after a PCI Security Assessment
Why Us ?
• We have extensive experience working with government and large Canadian cities. (Nomination for Gov of Alberta Award of Excellence)
• We have locally based QSAs out of the 1800 certified worldwide.
• We have locally based PA-QSAs out of the 350 certified worldwide.
• We are focused only on Security, Compliance and Forensics.
PCI DSS V1.2 Questions ?
Paul Grégoire, QSA, PA-QSA
Senior Security Architect | Compliance
Paul@pgsecure.com
Phone: 204.899.6662