450 likes | 756 Views
www.ahla.com. Payment Card Industry (PCI) Compliance Webinar: A necessary tutorial for protecting your property, guests, and reputation. PCI Standard sets forth the detailed procedures which every merchant must comply with to safeguard personal information of its guests or customers.
E N D
www.ahla.com Payment Card Industry (PCI) Compliance Webinar: A necessary tutorial for protecting your property, guests, and reputation
PCI Standard sets forth the detailed procedures which every merchant must comply with to safeguard personal information of its guests or customers. • All lodging operators who accept debit or credit cards – even the smallest bed and breakfast inns – are covered by this sweeping, ever-changing standard, and a failure to comply fully with it can be disastrous, even lethal, for your business. • The personal information it covers consists of all cardholder data (this includes the cardholder’s name, primary account number, and expiration date), as well as all sensitive authentication data (that is, the full magnetic strip data, personal identification numbers, and card validation numbers).
The Standard covers every aspect of a merchant’s business that relates in any way to the collection, storage, and use of the personal information – including activities handled electronically and activities that are handled using paper and manual actions. • If a merchant fails to comply with the PCI Standard, it is liable for fines, cost of ensuring and proving ongoing compliance, recovery costs and damages, and, ultimately, loss of the right to accept payment cards.
SecurityEnvironment Increasing industry, regulatory and legislative focus on security due to high profile data compromises • Criminals are targeting full track data, Card Verification Value 2 (CVV2) and PINs in data compromises • Merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS) is growing among large merchants • Small merchant education, awareness and compliance efforts are comprehensive and ramping up • Industry-wide coordination is increasing with the establishment of the PCI Security Standards Council (SSC) • Legislators and regulators have become involved and there are a number of state laws, as well as pending federal legislative initiatives • Consumer confidence is impacted by data compromises
Card Compromise Trends Notable increase in cardholder compromises over past years • Number of compromise events identified in the U.S. more than doubled between 2006 and 2007 • Evenly split between card present (brick & mortar) and e-commerce • Vast majority of compromised accounts consist of track data • Large (Level 1) merchant and processor breaches account for majority of compromised accounts, yet small (Level 4) merchants account for over 80 percent of compromise events • Restaurants, brick and mortar retailers and universities have been the most common targets *Based on U.S. compromise events reported to Visa Inc.
Card Compromise Trends Top 5 most common vulnerabilities contributing to system breaches include: 1. Storage of prohibited data (e.g., full track, CVV2, PIN blocks) • Use of vulnerable payment applications • Prohibited data storage in logs and other system files 2. Unpatched systems 3. Unsecured remote access • Vendor or employee remote access 4. Vendor default settings and passwords • Unsecured wireless settings 5. Poorly coded web-facing applications resulting in SQL injection
PCI DSS PCI DSS is based on fundamental data security practices
Industry Collaboration • Payment industry developed the Payment Card Industry Data Security Standard (PCI DSS) to promote the protection of cardholder data • PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including the PCI DSS • Visa, Amex, Discover, JCB and MasterCard are founding members • Payment card industry stakeholders are invited to join as Participating Organizations and can be elected to an Advisory Board • Participating organizations are invited to attend community meetings, comment on DSS revisions and future security standards and participate in implementation "best practice" discussions
Visa Inc. & PCI SSC Roles VisaInc.CardholderInformationSecurityProgram(CISP) • EnforcesandmonitorscompliancewiththePCIDSS • EstablishesPCIDSSvalidationrequirements • SupportsVisaclients’compliancevalidation efforts • Manages securitycommunications to educate stakeholders on compromise trends and compliance learnings • Provides training to banks, merchants, service providers and vendors • ManagestheListofCompliantServiceProvidersandListofValidatedPaymentApplications Payment Card Industry Security Standard Council (PCI SSC) • Owns and manages PCI DSS and related documents, including maintenance and distribution • Self Assessment Questionnaire • Security Audit Procedures • PA-DSS (pending) • QSAs and ASVs • Provides interpretations for PCI DSS • Defines common audit requirements to validate PCI DSS compliance • Manages certification process for security assessors (QSA) and network scanning vendors (ASV)
Security Initiatives for 2008 • Secure the Payment System • Foster communication and collaboration with key stakeholders to improve overall payment system security • Eliminate prohibited data retention, including track, CVV2 and PIN data • “Don’t store it, if you don’t need it!” • Drive merchant, processor and agent compliance with the PCI DSS • Support small merchant awareness and use of secure payment applications • Establish payment application mandates www.visa.com/cisp
Quick Fixes That Can Help • Don’t have passwords readily available… • Taped to monitor, under keyboard (mate, mouse pad), change your password often… • Never have printed reports listing credit card information • Update your receipt equipment to hide credit card information • Destroy/shred imprinted credit card slips • Always change the default passwords • Lock/secure the area where sensitive information is stored… • Use a password required Screen Saver (10-15 minutes)
Over 72% of the Breaches are from internal sources • What can happen? • Extreme fees per individual card breach • You may be forced to have an audit (that you pay) for an extended period of time… • Ask yourself the questions… • Can my business function without any credit cards? • What would the negative publicity do to my business?
PCI Compliance Acceleration Program Provide monetary incentives and administer fines to accelerate U.S. merchant PCI DSS compliance
U.S. Merchant Compliance Validation Requirements * Merchants generally have 12-months to validate full compliance from the date of identification at the new level by the merchant’s acquirer
U.S. PCI DSS Compliance Status PCI DSS effective in protecting data and supporting fraud prevention * As of January 31, 2008 ** Excludes 38 Level 1 and 305 Level 2 merchants identified in 2007; due 9/30/08 and 12/31/08 respectively *** Represents merchant acceptance locations
Level 4 Small Merchant Initiatives Executing a plan to address small merchants • Level 4 merchants account for more than 80% of all compromises identified since 2005, but less than 5% of potentially exposed accounts • Most small merchant compromises involve vulnerable payment applications • Outreach to all active acquirers to promote small merchant security • Education and awareness campaign including a webinar series, regular data security alerts and bulletins • Publish list of vulnerable payment applications quarterly and promote use of PABP-validated applications • 100% of 231 acquirers provided Visa with Level 4 compliance plans • Acquirers to provide program updates by 6/30/08
Payment Application Security Milestones in the adoption of secure payment applications • List of validated payment applications published monthly since January 2006 • As of 1/31/08, 270 products across 119 vendors independently validated by a Qualified Security Assessor (QSA) • List of vulnerable payment applications published quarterly since February 2007 • Visa organized and hosted a PABP Vendor Conference December 2006 attended by over 100 product vendors • Session planned for 2008 • Elevate PABP to an industry standard through PCI SSC while driving Visa mandates www.visa.com/pabp
Payment Application Mandates Visa USA plans to aggressively drive the adoption of secure payment applications in the marketplace * In-house use only developed applications & stand-alone POS terminals are not applicable ** VisaNet Processors and agents must decertify vulnerable payment applications within 12 months of identification ***Date is aligned with TDES mandate for all POS PEDs to support TDES and be Visa-Approved/Lab-Evaluated
Three Step Approach • 1) Eliminate prohibited cardholder data • Full magnetic stripe data (i.e., track 1, track 2), CVV2, and PIN blocks must not be retained subsequent to transaction authorization • Do not use Vulnerable Payment Applications identified by Visa • 2) Protect cardholder data using secure payment applications • Minimize data storage, only storing account number, expiration date or name if business needs exist - If you don’t need it, don’t store it! • Use PABP-validated applications listed at www.visa.com/pabp • 3) Secure the environment according to the PCI DSS • Validate PCI DSS compliance on systems where cardholder data is stored, processed or transmitted • Utilize compliant agents listed at www.visa.com/cisp
Call to Action Cardholder data security is a shared responsibility and all participants must do their part to prevent fraud • Issuers must use available fraud prevention services and ensure their processors and agents are PCI DSS compliant • Acquirers must ensure merchants and agents are PCI DSS compliant with key focus on prevention of track data storage • Merchants must ensure they do not store track data, only store necessary cardholder data and confirm that they and their agents comply with PCI DSS • Visa will execute presented strategy and work with members to ensure the safety and soundness of the payment system
Reference Tools PCI Security Standards Council (PCI SSC) • Data Security Standard • Security Audit Procedures • Self-Assessment Questionnaire • Security Scanning Procedures • Qualified Security Assessor List • Approved Scan Vendor List • Glossary of Terms Visa CISP • Archive of Data Security Alerts, bulletins and webinars • What To Do If Compromised guide • Qualified CISP Incident Response Assessor List • List of CISP-Compliant Service Providers • Payment Application Best Practices • List of Validated Payment Applications www.visa.com/cisp www.visa.com/pabp www.pcisecuritystandards.org
Processing Fees • Overall goal is to reduce “Effective Processing Fees” • Take your annual fee statement to multiple vendors – Challenge them to offer you a better plan and overall “Effective Processing Fee/Rate” • Many companies/hoteliers are paying an excess of 33-50% in annual fees • Do not get sold on a fee schedule • There maybe numerous hidden stipulations whereas you may not achieve any gain but pay more in fees
Processing Fees • Have your current vendor provide you with a detailed assessment of “ALL” of your fees • Request a detailed audit of all of you fees • Provide this to the potential vendors and ask them to develop a “Best Practices” plan for your property • They should also be able to provide an estimate of savings if you follow the recommendations
Processing Fees • Remember “Everything you are asking is Free” • Remember “The processing vendor wants your business” • Most importantly “If you don’t take these steps, you are potentially giving money away…”
Hospitality: Protecting Cardholder DataIncreasing in Priority Base: 677 IT security decision makers directly or indirectly involved in protecting credit card data within their organizations Source: PCI Custom Study, Forrester Consulting, July 2007
Hospitality: Protecting Cardholder DataIncreasing Funding Base: 677 IT security decision makers directly or indirectly involved in protecting credit card data within their organizations Source: PCI Custom Study, Forrester Consulting, July 2007
Hospitality: PCI DSS ComplianceStill work to do Base: 677 IT security decision makers directly or indirectly involved in protecting credit card data within their organizations Source: PCI Custom Study, Forrester Consulting, July 2007
Hospitality: Protecting Cardholder DataSignificant Challenges Base: 677 IT security decision makers directly or indirectly involved in protecting credit card data within their organizations Source: PCI Custom Study, Forrester Consulting, July 2007
Three Best Practices for Compliance Extend Beyond the Audit Understand Assets Protect at all Times and Locations Maximize Investment Discover and Assess Information-Centric Security PCI Requirements Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Use and regularly update anti-virus software Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security
Storage Recovery CustomerService Marketing Maintenance email Websites Laptops Understand Cardholder AssetsDiscover, Assess & Manage Not every merchant knows • Where the data is • What systems and applications are connected to the data Reduce scope • Consolidate and segment Create policy for cardholder data management and security Reports Production Gateway
? ? ? ? ? People Transactions ? ? ? ? Protect at All Times and LocationsImplement Security Controls • PCI explicitly requires a variety of security controls focused on protecting cardholder data at all times and locations • Build secure networks • Direct data protection at all times and locations • Strong user authentication • Role based authorization • Monitor and track access Data Infrastructure
Collect Centralize Correlate Report Leverage Extend Beyond the AuditSustain Compliance & Maximize the Investment Applications App Servers, RDBMS, Web Caching, etc. “Passing the audit” is not necessarily a long term strategy Deploy processes and technology that enable sustained controls Leverage investment to maximize ROI Storage SAN, NAS, CAS Network devices Hubs, Switches, Firewalls OS HIPPA SOX ISO ???
PCI DSSA Starting Point Best Practices PCI DSS SOX LDPL GLBA COBIT 4.0 ISO Maintain a Secure Network Req. 1,2 Protect Data Req. 3, 4 Maintain a Vulnerability Management Program Req. 5, 6 Implement Strong Access Control Methods Req. 7, 8, 9 Regularly Monitor and Test Networks Req. 10,11 Maintain an Information Security Policy Req. 12
Resources • Case Study: Accor North America • Solution Brief: Protecting Credit Card Data • White Paper: Forrester Consulting: The State of PCI Compliance • Visit RSA.com/PCI for additional materials
PCI Compliance from a Hotelier’s Perspective Chris Zoladz Vice President, Information Protection & Privacy Marriott International, Inc.
PCI Compliance – Getting Started • Appoint an internal champion or acquire the services of a third party to manage the effort • Don’t assume if you are a franchisee that your franchisor is handling your compliance • Identify the systems and business processes that involve the collection, processing, storage or transmission of card data • Computer systems, your website • Paper reports, forms, registration cards • Identify the gaps between your current systems and processes and the Standard
Top 10 Tips from the Frontline • Good credit card security=CUSTOMER TRUST=PCI Compliance • Keep it simple - eliminate card data wherever you can • Redundant data stores such as imprints on registration cards • Pay special attention to physical security around computer systems and paper documents • User ID management – unique user IDs and passwords for each person • Evaluate if software you purchased or licensed, or third party service providers you use for card processing are PCI compliant • Check www.visa.com/cisp for compliance status • Ensure your agreements with providers require them to make available compliant versions or services • Be aware of compliant products that require they be installed and used in a specific manner to be compliant • Ask whether licensed software stores “track data”
Top 10 Tips from the Frontline - continued • There is more than one way to meet any specific security requirement – don’t forget about compensating controls • Design and implement solutions that you can sustain over time as compliance is on-going and not a one time event
www.ahla.com Payment Card Industry (PCI) Compliance Webinar: A necessary tutorial for protecting your property, guests, and reputation