The ABC's of PCI DSS - Utility Payment Conference

Utility Payment Conference
The ABC’s of PCI DSS
Eric Beschinski, Relationship Manager
&
Kay Limbaugh, Specialist, Electronic Bills & Payments
Awareness, Benefits & Consequences
What is PCI Compliance?
• Misnomer… PCI DSS v2.0
• Comprehensive security standards
– QRG is 34 pages
– Official Document is 75 pages
• PCI SSC
• Standards endorsed by the card brands
Moving Target
• Snapshot (point in time)
• Requires continual monitoring
• One minor change could remove the organization from compliance
What isn’t PCI Compliance?
• Not legislation
• Not a “one-time-deal”
• Not just your processor or POS provider’s problem
• Not a one-size-fits-all scenario
– Different for each merchant
– Different for each card brand
PCI DSS Overview
Goals and Requirements:
• Build & Maintain a Secure Network
1. Firewall
2. Change all passwords from system defaults
• Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks (the Internet)
• Maintain a Vulnerability Management Program
5. Use updated antivirus software
6. Develop and maintain secure systems & applications
PCI DSS Overview (continued)
Goals and Requirements:
• Implement Strong Access Control Measures
7. Restrict access to cardholder data by “need-to-know”
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
• Regularly Monitor & Test Networks
10. Track & monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
• Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Big Picture
Accountability
Best Practices
Consumer Safety
Steps
Assess ↔ Remediate ↔ Report
You are not compliant if you don’t…
1. Complete the SAQ annually (
2. Have your network scanned for vulnerabilities quarterly by an ASV (for processing via a system connected to the internet)
3. QSA or internal audit
Who really knows if you’re compliant?
• Only top-level management (and maybe a QSA)
• NOT…
– Your processor
– Your POS provider
– Your IT company
– A sales person
• Nobody without a SAQ
Enforcement?
• Lacking
• No problem until there’s a problem
• Like the Health Dept...
• From those in authority, it’s enforcement after-the-fact
• Up to you to be proactively self-enforced to prevent a breach
Why be concerned?
• Investigative fees
• Fines
• Cost to upgrade/fix the problem
• Lawsuits
• Blacklist
• Media
• Customer confidence
• Very, very expensive!
Another Breach & Counting…
• 333 breaches as of 8/1 with almost 23M records affected, including
– Sony
– Epsilon
– Citigroup
– Lockheed Martin
• 603 breaches in 2010 affecting over 12M records
• Since 2005, over 2600 breaches affecting over 535M records
Data provided by PrivacyRights.org
Top 10 Breaches
10. TD Ameritrade Holding Corp (2007)
9. Fidelity National Information Services/Certegy Check Services Inc. (2007)
8. Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) (2011)
7. Bank of New York Mellon (2008)
6. Countrywide Financial Corp. (2008)
5. US Dept. of Veterans Affairs (2006)
4. CardSystems (2005)
3. US Military Veterans (2009)
2. TJ Stores (2007)
1. Heartland (2009)
Heartland
• Certified compliant just weeks before the breach
• Security breach discovered in Jan 2009 (had been in place for possibly 6 months prior)
• De-certified post-breach
• Hundreds of millions in fines/fees/lawsuits
• Bad press
Turning it around
• Re-certified May 2009
• Proactive response
• Good press
• National Restaurant Association
• Launched E3 May 2010
• Earnings up
• Stronger than ever
Lessons to be learned from the Heartland breach
• PCI DSS is a good minimum standard but will not guarantee safety
• If your company is big enough you will become a target
• No security is fail-proof
• Criminals are working continually to break in
Who is most at risk?
• All merchants
– Level 1 & 2 (High Value)
– Level 3 (High Risk)
– Level 4 (High Success / Quick Return)
Then What Good is PCI DSS?
• Ensures that you are not an EASY target (low-hanging fruit)
• Common sense security measures
• Possibly some protection from fines/lawsuits
– Good faith argument
– Responsible party argument
Key Issues for Utility Industry
Applications:
• Software
– POS
– Antivirus
– Firewall
– Web/Payment Gateway
• Hardware
– Firewall
– POS
– PIN Pads
• Business Procedures
– Recording calls
– Storing card data
– Access control
• Connection
– VoIP
– Encryption
Myths
1. One vendor/product will make us compliant
2. Outsourcing card processing will make us compliant
3. Compliance is an IT project
4. Compliance will make us secure
5. PCI DSS is unreasonable; it requires too much
Myths (continued)
6. PCI DSS requires us to hire a QSA
7. We don’t take enough credit cards to require compliance
8. We completed a SAQ so we’re compliant
9. PCI DSS makes us store cardholder data
10. PCI DSS is too hard
In Conclusion
Always
Be
Compliant!
Alphabet Soup
• AOC – Attestation of Compliance
• ASV – Approved Scanning Vendor
• DSS – Data Security Standards
• ISA – Internal Security Assessor
• PA-DSS – Payment Application Data Security Standards
• PAN – Primary Account Number
• PCI – Payment Card Industry
• PED – PIN Entry Device
• PFI – PCI Forensic Investigator
• PIN – Personal Identification Number
• PTS – PIN Transaction Security (formerly PED)
• QRG – Quick Reference Guide
• QSA – Qualified Security Assessor
• ROC – Report On Compliance
• SAQ – Self Assessment Questionnaire
• SSC – Security Standards Council
Q&A
Eric Beschinski, Relationship Manager
Heartland Payment Systems
219-448-5169
eric.beschinski@e-hps.com
Kay Limbaugh, Specialist, Electronic Bills & Payments
Portland General Electric
503-612-3640
Kay.Limbaugh@pgn.com