PCI DSS for IT Providers: The rules and impact on MSPs and VARs (for PCI DSS Version 3.0)

Jun 13, 2015


The Payment Card Industry Data Security Standard leaves IT service providers with more questions than answers. This deck gives an overview of PCI DSS, explains what it means for MSPs and VARs, and lists resources for learning more and achieving compliance for your own organization and your clients.
Page 1

PCI DSS for IT Providers: The rules and impact on MSPs and VARs

For PCI DSS Version 3.0

Page 2

#webclinic

What is PCI DSS?

• Payment Card Industry Data Security Standard
• Enforced by the PCI Security Standards Council
• Council formed by the five major card brands shown

Page 3

What's the goal?

• Cardholder data:
  – Primary account number
  – Cardholder name
  – Expiration date
  – Service code
• Sensitive authentication data:
  – Full track data (from magnetic stripe)
  – CAV2 / CVC2 / CVV2 / CID
  – PIN blocks
• Protect cardholder data and sensitive authentication data

Page 4

What does it cover?

• All components of the "cardholder data environment"
• Includes all people, processes, and technology that handle cardholder data
• Examples:
  – Payment card readers, POS systems, PCs
  – Firewalls, routers, switches, servers
  – Purchased and custom applications

Page 5

The Threat is Real

• Top motivation of cyber threats: money
• POS malware is proliferating
• Retailers large and small are being breached

Source: 2014 Verizon Data Breach Investigations Report

Page 6

Who has to comply?

• Merchants
• Processors
• Financial institutions
• Service providers
• Anyone who stores, processes, or transmits cardholder data

Page 7

What about MSPs and VARs?

• Must comply internally if you accept payment cards
• Must conform services to comply for clients
• Our recommendation: find a compliance expert

Page 8

Clients need your expertise

Offer new products and services for compliance.
Security is more than "compliance", so offer enhanced protection.

PCI DSS = Opportunity for IT Providers

Page 9

• Failure to comply could cost you:
  – Customer confidence
  – Sales and revenue
  – Reputation, brand damage
  – Malpractice lawsuits
  – Fines and penalties
  – Cost of reissuing cards

PCI DSS = Potential trap for IT Providers

Page 10

Penalties for Noncompliance

• Card brands can issue fines of $5,000 to $100,000 per month
• Higher transaction fees
• Many small victims go out of business
  – Cost of a breach can include containment, forensic investigation, legal fees, audits, card replacement

Page 11

What are the rules?

• Build and Maintain a Secure Network and Systems
  – 1. Install and maintain a firewall configuration to protect cardholder data
  – 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – 3. Protect stored cardholder data
  – 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – 5. Protect all systems against malware and regularly update anti-virus software or programs
  – 6. Develop and maintain secure systems and applications

Page 12

What are the rules?

• Implement Strong Access Control Measures
  – 7. Restrict access to cardholder data by business need to know
  – 8. Identify and authenticate access to system components
  – 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  – 10. Track and monitor all access to network resources and cardholder data
  – 11. Regularly test security systems and processes
• Maintain an Information Security Policy
  – 12. Maintain a policy that addresses information security for all personnel

Page 13

How do I comply?

• Ask your merchant acquirer to walk you through the steps
• Small merchants typically must:
  1. Complete a self-assessment questionnaire (SAQ)
  2. Sign an attestation of compliance
  3. Send required documents to the merchant acquirer

Page 14

How do I comply?

• Required documents include:
  1. Vulnerability scan results
  2. Security policy
  3. Network diagram

Page 15

Vulnerability scans

• External scan of network
• Required by PCI DSS
• Results based on settings and condition of firewall
• Performed by merchant acquirer or approved vendor
  – Examples: SecurityMetrics; Trustwave

Page 16

About Calyptix

Calyptix makes network security easy for small and medium networks. Our all-in-one solution, AccessEnforcer, delivers advanced protection in a simple platform. Learn more: Calyptix.com

704-971-8989

Page 17

Calyptix Resources

• PCI DSS for IT Providers: 4 steps for compliance
  – http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/
• PCI DSS and AccessEnforcer
  – http://www.calyptix.com/pci-dss-accessenforcer/
• PCI DSS: Easier and cheaper compliance with SAQs
  – http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/

Page 18

Additional Resources

• Requirements and Security Assessment Procedures:
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Report on Compliance Reporting Template
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf
• Attestation of Validation
  – https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx
• Glossary of Terms, Abbreviations, and Acronyms:
  – https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf

Page 19

Additional Resources

• Understanding the SAQs for PCI DSS v3.0
  – https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
• Self-Assessment Questionnaires
  – A: https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
  – B: https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
  – C: https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
  – D (Merchant): https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
  – D (Service Provider): https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx