Payment Card Acceptance PCI Compliance for Local Governments 2012

Payment Card Acceptance

PCI Compliance for Local Governments

© 2012 Maze & Associates 2

eCommerce & Credit Card Processing

• Risks associated with cc processing• What is PCI?• Why is it important?• What do we have to do?

06-Feb-12

© 2012 Maze & Associates 5

The Problem

Albert Gonzalez, 28

With accomplices, he was involved in data breaches of most of the major data breaches: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.

06-Feb-12

© 2012 Maze & Associates 6

Who is behind data breaches?

• 70% from external agents• 48% caused by insiders• 11% implicated business partners• 27% involved multiple parties

Source:06-Feb-12

© 2012 Maze & Associates 7

Risks

• Fraud• Theft• Fines (bank and card brands)• Credit monitoring fees for customers• Litigation costs• Reputation

06-Feb-12

© 2012 Maze & Associates 13

Players• Acquirer (Merchant Bank)– Bankcard association member that initiates

and maintains relationships with merchants that accept payment cards

• Hosting Provider– Offer various services to merchants and

other service providers.• Merchant– Provides goods and services for

compensation• Cardholder– Customer to whom a card is issued or

individual authorized to use the card

Card Brand

Acquirer

Hosting Provider

Merchant

Cardholder06-Feb-12

© 2012 Maze & Associates 14

Players

• Card Brand– Issue fines– Determine compliance

requirements

• PCI Security Standards Council– Maintain standards for PCI– Administer ASV & QSA

• Qualified Security Assessors– Certified to provide annual audits

• Approved Scanning Vendor– Certified to provide quarterly

scans

Card Brands

PCI SSC

QSA

ASV

06-Feb-12

© 2012 Maze & Associates 15

PCI Council Standards

American Express, DSOP

Discover Network, DISC

Master Card, SDP

Visa, CISP JCB

PCI Data Security Standard

06-Feb-12

© 2012 Maze & Associates 16

What does the PCI Council do?

• Own and manage PCI DSS, including maintenance, revisions, interpretation and distribution

• Define common audit requirements to validate compliance

• Manage certification process for security assessors and network scanning vendors

• Establish minimum qualification requirements• Maintain and publish a list of certified assessors

and vendors06-Feb-12

© 2012 Maze & Associates 17

Website

https://www.pcisecuritystandards.org/06-Feb-12

© 2012 Maze & Associates 18

What are the Standards?

• PCI DSS: PCI Data Security Standard– Overall standard, applies to all

• PA DSS: Payment Application Data Security Standard– Supporting standard for payment applications

• PTS (was PED): PIN Transaction Security Standard– Supporting standard for PIN entry devices– Supporting standard for unattended payment

terminals (UPT)06-Feb-12

© 2012 Maze & Associates 22

Who must comply?

• With PCI DSS– Any organization that processes, stores or transmits credit

card information. • With PA DSS

– Payment application developers– Merchants will be required to use only compliant

applications by July 2010.• With PTS

– Manufactures of PIN entry devices– Merchants will be required to use only compliant hardware

by July 2010.– MasterCard PTS to incorporate into PCI SSC April 30, 2010

06-Feb-12

© 2012 Maze & Associates 23

PCI Compliance

• This includes: • Organizations who only use paper based

processing• Organizations who outsource the credit

card processing• Organizations that process credit cards in

house

06-Feb-12

© 2012 Maze & Associates 25

What if we are a small organization?

• “All merchants, whether small or large, need to be PCI compliant.

• The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.”– PCI SSC

06-Feb-12

© 2012 Maze & Associates 27

Cost?• What happens when there is a data

breach?– Depends if the merchant can reach safe

harbor.

06-Feb-12

© 2012 Maze & Associates 28

What’s Safe Harbor?

Incident

Evaluation

Safe Harbor

$$$$$$

06-Feb-12

© 2012 Maze & Associates 29

Safe Harbor Notes:

• For a merchant to be considered compliant, any Service Providers that store, process or transmit credit card account data on behalf of the merchant must also be compliant.

• The submission of compliance validation documentation alone does not provide the merchant with safe harbor status.

06-Feb-12

© 2012 Maze & Associates 30

Outside the Safe Harbor

• Losses of cardholders• Losses of banks• Losses of card brands– Fines from the Card brands– Possible restrictions on process credit cards– Cost of forensic audit

06-Feb-12

© 2012 Maze & Associates 31

FinesMerchants may be subject to fines by the card associations if deemed non-compliant. For your convenience fine schedules for Visa and MasterCard are outlined below.

http://www.firstnationalmerchants.com/ms/html/en/pci_compliance/pci_data_secur_stand.html

06-Feb-12

© 2012 Maze & Associates 37

Continuous Process

• “PCI DSS compliance is much more than a “project” with a beginning and end – It’s an ongoing process of assessment, remediation and reporting” - PCI SSC

Assess

ReportRemediate

06-Feb-12

© 2012 Maze & Associates 38

Continuous Process

• Many of the PCI requirements have specific time interval requirements

• Create a schedule for time based requirements

• Some organizations already have ‘maintenance calendars’ for these type of actions

06-Feb-12

© 2012 Maze & Associates 39

Common Findings

• Clients think they are compliant– Because they do quarterly networks scans– Because they filled out the SAQ– Because they have too few transactions

• Reality– Validation is not compliance– Compliance is an ongoing process– PCI DSS is required for all merchants,

regardless of the number of transactions

06-Feb-12

© 2012 Maze & Associates 40

Common Findings• Payment card information on paper• No network segmentation• Logging Access• Shared Passwords• Verifying compliance of outsourced

processing• No one is assigned responsibility• Not aware of PAN storage in

application

06-Feb-12

© 2012 Maze & Associates 41

PCI Pitfalls• PCI will not make an organization’s

network or data secure• PCI DSS focuses on one type of

data: payment card transactions• The organization runs the risk of

focusing on one class of data to the detriment of everything else

06-Feb-12

© 2012 Maze & Associates 42

Important

• Senior management support• PCI knowledge• Support from merchant bank• PCI early in lifecycle– PCI reviewed when new applications or

systems are purchased– Should included all PII (Personally Identifiable

Information)

06-Feb-12

© 2012 Maze & Associates 61

Cardholder DataData Element Storage

PermittedProtectionRequired

PCI DSS 3.4

Cardholder Data

Primary Account Number (PAN) Yes Yes Yes

Cardholder Name Yes Yes No

Service Code Yes Yes No

Expiration Date Yes Yes No

SensitiveAuthentication

Data

Full Magnetic Stripe Data No N/A N/A

CVC2 / CVV2 / CID / CAV2 No N/A N/A

PIN / PIN Block No N/A N/A

06-Feb-12

© 2012 Maze & Associates 62

Places to look for CHD

• Electronic Image Files• SANS• Fax Servers• Scan Archive• Pinter Spool• Laser Fiche• Log Files

• Audio Recording: customer service call recordings

• Voicemail• Email Server/Archive• Backup Media• Copier Scanner Cache • Data bases

Perform a search for CHD every 6 months

06-Feb-12

© 2012 Maze & Associates 68

Risk Mitigation

• Teamwork– Finance department takes the lead (payment

processing and associated controls)– IT department – technical expertise– Legal department – policy etc…– Associated departments – payment

processing in support of other City functions (golf, parks & rec, classes, theater, licenses, PD, utilities, library etc…)

06-Feb-12

© 2012 Maze & Associates 69

Risk Mitigation

• Start implementing the data security standard starting with policies

• Start with high level polices– “The City shall not store PAN (Credit Card

Numbers) electronically or physically. Employees shall be trained on PCI standard annually. Background checks will be performed on all staff with access to credit card information.”

06-Feb-12

© 2012 Maze & Associates 70

Policy Examples

• “The City shall develop procedures to ensure that information security and privacy best practices are followed to include compliance with all laws or contractual requirements.”

• “The City shall adopt information security and privacy procedures based on industry standards such as NIST and PCI security standards.”

06-Feb-12

© 2012 Maze & Associates 81

Risk Mitigation

• The merchant is ultimately responsible– Not the hardware manufacturer’s

responsibility– Not application vendor’s responsibility– Not the bank’s responsibility– Not the customer’s responsibility

06-Feb-12