Payment Card Industry Data Security Standard (PCI DSS) By Roni Argetsinger rargetsinger@dmdiocese.org 515-237-5007 Members of the PCI Security Standards Council Include: American Express, Discover, JCB, MasterCard & Visa. Does your organization accept payment or gifts via credit cards? Then you MUST meet some form of PCI DSS Compliance Prioritized Approach Help stakeholders understand where they can act to reduce risk. *No single milestone in the Prioritized Approach will provide comprehensive security or PCI DSS Compliance, but following it’s guidelines will help stakeholders to expedite the process of securing cardholder data. Prioritized Approach Provides six security milestones that will help merchants & other organizations incrementally protect against the hightest risk factors & escalating threats while on the road to PCI DSS Compliance. * To achieve PCI DSS compliance, an organization must meet all PCI DSS requirements. Prioritized Approach Milestones 1: Goal: Remove sensitive authentication data and limit data retention. 2: Goal: Protect systems & networks, and be prepared to respond to a system breach. 3: Goal: Secure payment card applications. 4: Goal: Monitor and control access to your systems. 5: Goal: Protect stored cardholder data. 6: Goal: Finalize remaining compliance efforts, and ensure all controls are in place. • • • • PCI DSS Requirements There are twelve requirements. Each requirement has sub-requirements that need to be met to fulfill the requirement. The Prioritized Approach maps out which sub-requirements should have a higher priority than others. Note: Counting all sub-requirements, there are a total of 229 items that need to be met (depending upon which type of merchant you are!) 1. PCI DSS Requirements Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks. 5. PCI DSS Requirements Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need to know. 8. Assign a unique ID to each person with computer access. 9. PCI DSS Requirements Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security for all personnel. Self Assessment Questionnaire SAQ: Validation tool intended to assist merchants & service providers in self-evaluating their compliance with PCI DSS. There are multiple versions of the SAQ to meet various scenarios. The SAQ Validation tool is for merchants & service providers not required to submit an onsite data security assessment Report on Compliance (ROC). • Keep in mind: Compensating Controls = may be considered for most PCI DSS requirements where an organization can not meet the technical specification of a requirement, but has sufficiently mitigated the associated risk through alternative controls. SAQ Form(s) A = Card not present (eCommerce). All cardholder data functions outsourced (13 pages) B = Imprint only – no electronic cardholder data storage, or stand-alone dial out terminal merchants with no electronic cardholder data storage (18 pages) C-VT = Merchants using only web based virtual terminals – no electronic cardholder data storage (26 pages) SAQ Form(s) C = Merchants with payment application systems connected to the internet, no electronic cardholder data storage (40 pages) D = All Others • I.E. More pages = more questions = more requirements to satisfy! www.pcisecuritystandards.org