DRAFT
PCI DSS Version 3.0 For Controllers and Business Users
November 10, 2014
Luke Harris, Office of the State Controller
David Reavis, UNC General Administration

• Not intended to:
  – Educate you on what PCI is
    • The standard has been in effect since 2005
    • Information is available on the PCI Council's website
  – Scare you into becoming PCI compliant
    • Target and Home Depot are sufficient examples
    • Potential fines and loss of employment are sufficient motivation
• Intended to focus on the responsibilities of the business office (Campus Controller)

Whose Responsibility is PCI?
• PCI is a business problem, primarily with an IT solution
  – Vulnerability scanning, penetration testing
  – Firewalls, encryption, software updates, etc.
  – The business office should be familiar with the various IT requirements
• However, some elements require business office (campus controller) involvement:
  – Ensuring/monitoring service providers' compliance
  – Physical protection of capture devices and cardholder data
  – Employee awareness training and attestation
  – Security Incident Response Plan and annual testing
• Coordination between IT and business staff is critical

What's New in 3.0
• Business-as-usual theme
  – Emphasis on being security aware on a continuous basis, not just once per year
• Clarification of some requirements, with added sub-requirements
• Required penetration testing, in addition to vulnerability scanning
• Physical protection of card capture devices
• Eight SAQs instead of four
• Version 3.0 assessment document: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Penetration Testing vs. Scanning
• Requires quarterly external vulnerability scanning of external IP addresses by an ASV (Approved Scanning Vendor)
• Requires quarterly internal vulnerability scanning (Req.
11.2)
  – Can be performed internally
• After the first year, four quarters of passing vulnerability scans must have occurred to be considered compliant
• Effective July 2015, requirement 11.3.4 requires annual external and internal penetration tests to validate that segmentation methods are "operational and effective." (Advanced hacker techniques to bypass security controls.)
• The business office should ask IT whether vulnerability scanning and penetration testing are required and are being performed.

Physical Protection of Devices
• 9.9. Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution
  – New requirement effective July 2015
  – Card-reading devices for card-present transactions (POS terminals)
  – Required for swipe devices, but recommended for key-entry devices such as keyboards and POS keypads

Protection of Devices – Cont.
• 9.9.1. Maintain an up-to-date list of devices
• 9.9.2. Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
• 9.9.3. Provide training for personnel to be aware of attempted tampering or replacement of devices
  – Verify the identity of any third-party persons claiming to be repair or maintenance personnel
  – Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices)

Service Providers
• 12.8. Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
  – 12.8.1. Maintain a list of service providers.
  – 12.8.2.
Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Service Providers – cont'd
• 12.8.3. Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement
• 12.8.4. Maintain a program to monitor service providers' PCI DSS compliance status at least annually
• 12.8.5. Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity

Security Incident Plan
• The criticism of Target's breach was that it did not respond in a timely manner
• 12.10.1. Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum (edited for the business office):
  – Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands…
  – Analysis of legal requirements for reporting compromises
  – Reference or inclusion of incident response procedures from the payment brands
• 12.10.2.
Test the plan at least annually

OSC's Policy for Incidents
• Notify OSC immediately (within 24 hours)
• OSC will coordinate notification to the card processor and the card brands
• Applicability of the NC Identity Theft Act to be considered
• Campus's legal counsel to be involved
• OSC will advise on the timing of any press releases
http://www.osc.nc.gov/policy/EC/500.10_Merchant_Cards_Security_Incident_Plan.pdf

Face-to-Face and MOTO Only
  B        POS analog, not connected to IP *
  B-IP     POS connected to IP * #
  C-VT     Virtual terminal over IP, dedicated or segmented, and keyed only * #
  C        POS software connected to IP, dedicated or segmented * #
  P2PE-HW  POS hardware managed with point-to-point encryption *
  D        Cardholder data is stored #

eCommerce Only
  A        Card-not-present, fully outsourced *
  A-EP     Outsourced, but website redirect can impact security of payment * #
  D        Cardholder data is either processed, transmitted, or stored #

Combination of Face-to-Face and eCommerce
  D        All merchants not included entirely in any one of the above, or where cardholder data is stored (systems are connected / not segmented) #

* Indicates cardholder data is not stored; # indicates vulnerability scanning is required.

SAQ A vs. SAQ A-EP
• SAQ A and SAQ A-EP are for merchants that use eCommerce channels only (no face-to-face)
• The initial interpretation of the standard was that a website that has a "redirect" to a payment gateway is required to prepare SAQ A-EP, which requires vulnerability scanning.
• The May 2014 guidance document, however, clarifies that a "URL redirect" (e.g., TouchNet) can still use SAQ A, if cardholder data is not entered on the merchant's website.
• However, if the merchant also has face-to-face applications in addition to eCommerce, SAQ D applies anyway

Impact of New SAQs
• Under 3.0, the SAQ required is determined by channel:
  – eCommerce channel only
  – Face-to-face and MOTO only
  – Combination of eCommerce and face-to-face
• Some campuses currently use SAQ D and will continue to do so
• Most campuses currently using A, B, and C will now have to use SAQ D, since they have a combination of channels
• SAQ D should not scare you, as it has a column for N/A

New Validation Portal
• The appropriate SAQ will still be answered at the "doing business as" (DBA) level or chain level
• OSC is in the middle of the RFP process and bids are currently being evaluated.
• Communication will be sent out to participants once an award is finalized.

Contact Information:

David Reavis
Office of Compliance and Audit Services
UNC General Administration
140 Friday Center Drive
Chapel Hill, NC 27517
Cell: 919-801-9417
Email: dcreavis@northcarolina.edu

Luke Harris
Statewide Accounting
North Carolina Office of the State Controller
1410 Mail Service Center
Raleigh, NC 27699-1410
Phone: 919-707-0667
Email: luke.harris@osc.nc.gov
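The "Penetration Testing vs. Scanning" slide states two cadence rules a business office can verify against its own evidence log: four quarters of passing vulnerability scans (Req. 11.2, external by an ASV and internal) and annual internal and external penetration tests (Req. 11.3.4). The Python below is an added example, not material from the slides, from OSC or from the PCI Council; the record layout, the field names, the dates and the use of calendar quarters as the meaning of "quarterly" are all constructed assumptions for the example. It reports which trailing quarters lack a passing scan of each kind (a failed scan followed by a passing rescan in the same quarter counts as a pass) and whether each penetration test is within the last year.

```python
from datetime import date

# Constructed evidence log for this example; not real scan or test results.
# kind: scan_external (ASV), scan_internal, pentest_external, pentest_internal
EVIDENCE = [
    {"date": "2014-01-20", "kind": "scan_external", "passed": True},
    {"date": "2014-01-22", "kind": "scan_internal", "passed": True},
    {"date": "2014-04-18", "kind": "scan_external", "passed": True},
    {"date": "2014-04-19", "kind": "scan_internal", "passed": False},  # failed, then
    {"date": "2014-05-02", "kind": "scan_internal", "passed": True},   # rescanned after fixes
    {"date": "2014-07-21", "kind": "scan_external", "passed": True},
    {"date": "2014-07-23", "kind": "scan_internal", "passed": True},
    {"date": "2014-10-15", "kind": "scan_external", "passed": True},
    # no internal scan recorded for Q4 2014 yet
    {"date": "2014-03-10", "kind": "pentest_external", "passed": True},
    {"date": "2013-09-30", "kind": "pentest_internal", "passed": True},
]

AS_OF = date(2014, 11, 10)  # presentation date, used here as the review date


def calendar_quarter(d):
    """Map a date to (year, quarter number 1-4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarter(q):
    year, n = q
    return (year - 1, 4) if n == 1 else (year, n - 1)


def trailing_quarters(as_of, count=4):
    """The `count` calendar quarters ending with the one containing as_of, oldest first."""
    quarters = [calendar_quarter(as_of)]
    while len(quarters) < count:
        quarters.append(previous_quarter(quarters[-1]))
    return list(reversed(quarters))


def quarters_without_passing_scan(records, kind, as_of):
    """Trailing quarters that have no passing scan of the given kind.

    A failed scan followed by a passing rescan in the same quarter counts as passing.
    """
    passed = {
        calendar_quarter(date.fromisoformat(r["date"]))
        for r in records
        if r["kind"] == kind and r["passed"]
    }
    return [q for q in trailing_quarters(as_of) if q not in passed]


def pentest_is_current(records, kind, as_of, max_age_days=365):
    """True if a passing penetration test of this kind occurred within max_age_days of as_of."""
    dates = [
        date.fromisoformat(r["date"])
        for r in records
        if r["kind"] == kind and r["passed"]
    ]
    return bool(dates) and (as_of - max(dates)).days <= max_age_days


def cadence_report(records, as_of):
    """Summarise scan gaps and penetration-test currency for a review date."""
    return {
        "external_scan_gaps": quarters_without_passing_scan(records, "scan_external", as_of),
        "internal_scan_gaps": quarters_without_passing_scan(records, "scan_internal", as_of),
        "external_pentest_current": pentest_is_current(records, "pentest_external", as_of),
        "internal_pentest_current": pentest_is_current(records, "pentest_internal", as_of),
    }


if __name__ == "__main__":
    for item, value in cadence_report(EVIDENCE, AS_OF).items():
        print(f"{item}: {value}")
```

Run against the constructed log as of the presentation date, the report shows no external gaps, an internal gap for Q4 2014, a current external penetration test and an internal one that is over a year old; those are the items the business office would raise with IT.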
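Requirements 9.9.1 and 9.9.2 on the "Protection of Devices" slides amount to a reconciliation: keep a device list, then periodically compare what an inspector actually finds (serial number, location, signs of tampering) against that list. The Python below is an added example, not material from the slides, from OSC or from the PCI Council; the inventory and inspection records, their field names, the asset ids, models and serial numbers are all constructed for the example. It flags the conditions the slides call out (a serial number that no longer matches, i.e. possible substitution; tamper signs such as a broken seal) together with two the reconciliation surfaces for free: a device that could not be found and a device nobody inventoried.

```python
# Constructed device inventory (Req. 9.9.1): what the business office believes is deployed.
# Field names, asset ids, models and serials are assumptions for this example.
INVENTORY = [
    {"asset_id": "POS-001", "model": "Model X100", "serial": "SN-A1001", "location": "Bookstore register 1"},
    {"asset_id": "POS-002", "model": "Model X100", "serial": "SN-A1002", "location": "Bookstore register 2"},
    {"asset_id": "POS-003", "model": "Model X200", "serial": "SN-A1003", "location": "Dining hall"},
    {"asset_id": "POS-004", "model": "Model X200", "serial": "SN-A1004", "location": "Parking office"},
]

# Constructed inspection log (Req. 9.9.2): what the inspector observed on one walk-through.
INSPECTION = [
    {"asset_id": "POS-001", "serial": "SN-A1001", "location": "Bookstore register 3", "tamper_signs": False},
    {"asset_id": "POS-002", "serial": "SN-B7742", "location": "Bookstore register 2", "tamper_signs": False},
    {"asset_id": "POS-003", "serial": "SN-A1003", "location": "Dining hall", "tamper_signs": True,
     "note": "security seal broken, housing screws scratched"},
    {"asset_id": "POS-005", "serial": "SN-A1005", "location": "Ticket office", "tamper_signs": False},
    # POS-004 was not found during the walk-through
]


def reconcile(inventory, inspection):
    """Compare the 9.9.1 inventory with a 9.9.2 inspection.

    Returns findings keyed by type, each a sorted list of asset ids:
      serial_mismatch - serial differs from inventory (possible substituted device)
      tamper          - inspector recorded physical tamper signs
      not_found       - inventoried device was not located
      unexpected      - device present but not on the inventory
      relocated       - device found somewhere other than its recorded location
    """
    expected = {d["asset_id"]: d for d in inventory}
    observed = {d["asset_id"]: d for d in inspection}
    findings = {"serial_mismatch": [], "tamper": [], "not_found": [], "unexpected": [], "relocated": []}

    for asset_id, dev in expected.items():
        seen = observed.get(asset_id)
        if seen is None:
            findings["not_found"].append(asset_id)
            continue
        if seen["serial"] != dev["serial"]:
            findings["serial_mismatch"].append(asset_id)
        if seen["location"] != dev["location"]:
            findings["relocated"].append(asset_id)
        if seen.get("tamper_signs"):
            findings["tamper"].append(asset_id)

    for asset_id in observed:
        if asset_id not in expected:
            findings["unexpected"].append(asset_id)

    return {kind: sorted(ids) for kind, ids in findings.items()}


def needs_follow_up(findings):
    """Asset ids whose findings warrant escalation rather than an inventory correction.

    A relocation alone is treated as a record-keeping fix; the other four kinds are escalated.
    """
    escalate = ("serial_mismatch", "tamper", "not_found", "unexpected")
    return sorted({asset_id for kind in escalate for asset_id in findings[kind]})


FINDINGS = reconcile(INVENTORY, INSPECTION)

if __name__ == "__main__":
    for kind, ids in FINDINGS.items():
        print(f"{kind}: {ids}")
    print("follow up:", needs_follow_up(FINDINGS))
```

On the constructed data the reconciliation reports POS-002 as a serial mismatch, POS-003 as tampered, POS-004 as not found, POS-005 as unexpected and POS-001 as relocated, and escalates the first four; the inspection record for a device with a changed serial is the evidence that would trigger the incident plan on the "Security Incident Plan" slide.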