PCI Compliance Overview

Post on 25-May-2015


DESCRIPTION

PCI Compliance Overview. How to safely accept credit cards.

Transcript

PCI Compliance Overview: How to Safely Accept Credit Cards

What is PCI?

When you accept credit cards, you must also follow a set of rules for protecting credit card data.

Payment Card Industry Data Security Standard (PCI-DSS)

• A set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands, and enforced by those brands through their agreements with acquiring banks and merchants.
• Requires an annual Self Assessment Questionnaire (SAQ) as a way to evaluate the security in your office. Most small offices qualify for the SAQ; merchants with very high transaction volumes are instead assessed on site by a Qualified Security Assessor.
• Depending on how you process credit cards, your SAQ might ask questions about how you store credit card data, who has access to your machine, or whether you process credit cards over a wireless connection.
• The process helps identify potential security risks and protects both you and your clients from fraud.

Goals of PCI-DSS

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Just the Facts

• More than 80% of attacks target small merchants
• Criminals are turning their attention to smaller merchants with lax security
• Most attacks can be prevented by simple methods
• Following the PCI-DSS can help protect your law firm from fraud and/or costly fines

Who Must Comply?

• Any merchant that processes, transmits, or stores credit card data
• Every merchant is responsible for compliance even if using PCI-certified service providers. A compliant provider can reduce what is in scope for your office, but it does not transfer the responsibility to the provider.
• Every merchant must validate compliance every year

12 Requirements for Compliance

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

Requirement 4 -- Examples

Encrypt transmission of cardholder data across open, public networks

Practical Application
• Do not send unencrypted credit card data by email, chat programs, instant messaging, etc. The sender cannot control how a message is stored or forwarded at every hop, so the dependable control is to keep the full card number out of the message entirely and take it through the payment provider's own form or terminal instead.

Case Studies – Requirement 4

• Emailing the full credit card number is one of the most common violations
• Unencrypted faxes
• Contractor emails 27,000 names and social security numbers to home email *
• "Email (especially if internal-to-internal) is often perceived as private and escapes the examination of information security teams..." **

* http://www.datalossdb.org/
** http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf
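Emailed card numbers are the violation these slides single out, so the control a practitioner would put behind them is an outbound mail or chat check that finds full card numbers and masks them before the message leaves. The following is an added example, not code from the original presentation or from any AffiniPay/LawPay product: it combines a digit-run regex with the Luhn checksum to pick out card-number candidates (phone and matter numbers that fail Luhn are left alone) and masks each hit to its first six and last four digits, which is the most PCI DSS permits to be displayed. The sample message is constructed, and the 13 to 19 digit length range is an assumption chosen to cover the major card brands.

```python
"""PAN (primary account number) detector for outbound email/chat text.

Added example. Finds card-number-like digit runs that pass the Luhn
checksum and masks them to first six / last four digits (the PCI DSS
display limit). The 13..19 digit range is an assumption covering the
major brands; a real gateway would also check issuer prefixes.
"""
import re
from typing import List, Tuple

# 13..19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, normalised_digits) for each Luhn-valid candidate."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_message(text: str) -> Tuple[str, int]:
    """Return the message with every detected PAN masked, plus the hit count."""
    out = []
    last = 0
    hits = find_pans(text)
    for start, end, digits in hits:
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return "".join(out), len(hits)


# Constructed sample outbound email body (not a real message; the card
# number is a well-known Visa test number that passes Luhn).
SAMPLE = ("Hi, please charge the retainer to my Visa 4111 1111 1111 1111, "
          "exp 12/27. My office number is 512-555-0199 and the matter "
          "number is 2015-0000-4321.")

if __name__ == "__main__":
    redacted, n = scan_message(SAMPLE)
    print(n, "PAN(s) found")
    print(redacted)
```

A Luhn-valid digit run can still be a false positive (some account and tracking numbers pass the checksum), so a gateway built on this would normally quarantine the message for review rather than silently rewrite it, and would log the event so Requirement 10's audit trail shows who tried to send what.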

Requirement 7 -- Example

Restrict access to cardholder data by business need to know

Practical Application
• Only grant permission to select people in your office to run credit card transactions and have access to stored credit card data. Give each of those people their own login rather than a shared one (Requirement 8), so that access to card data can be traced to an individual (Requirement 10).

Case Studies – Requirement 7

• "...The typical U.S. organization loses 7% of its annual revenues to fraudulent activity" *
• Small organizations have a higher median loss
• Establish internal controls

Requirement 9 -- Example

Restrict physical access to cardholder data

Practical Application
• Paper receipts with full credit card data must be kept under lock and key.
• A process is in place to securely transport data if necessary.
• All credit card data is securely destroyed when no longer needed: paper is shredded, incinerated or pulped so that the card number cannot be reconstructed.

Case Studies – Requirement 9

• Credit union improperly disposed of credit card data and exposed 257 records.
• Non-profit worker misplaces 212 files containing birthdates, social security numbers, addresses, and phone numbers.

Requirement 12 -- Example

Maintain a policy that addresses information security

Practical Application
• Develop comprehensive policies and procedures to address employee responsibilities, incident response plans, service provider monitoring, etc.

Case Studies – Requirement 12

• "...The overwhelming majority of data breaches (especially of cardholder data) come down to a failure to do what is planned." *
• PCI is not a date on a calendar. It is an ongoing process.

Becoming Compliant

• You're already on the right track
• AffiniPay and LawPay's PCI Central provides a simplified solution
• Replaces the cumbersome and time-consuming paper process
• Guides you through the 12 requirements & SAQ
• Online SAQ can be completed in 20-30 minutes
• All online: PCI Central stores your information, generates an electronic certificate and knows all the rules, so you don't have to
