Symbiotic Consulting Group LLC
PCI Compliance – Background, Importance and Options for your Organization
September 10, 2015
www.symbioticconsultinggroup.com
Symbiotic Consulting Group LLC Confidential, All Rights Reserved 2015
Key Topics
• PCI Meaning and Definition
• PCI Evolution
• Meaning of PCI DSS
• PCI Compliance Criteria
• What does this mean to my company?
• Case Study: 2013 Breach of Target
PCI Meaning and Definition
The Payment Card Industry (PCI) standard is a set of requirements designed to ensure that ALL organizations that store, process, or transmit cardholder and customer data do so in a secure environment!
• Compliance has to be a joint effort between the IT and Business teams
PCI Meaning and Definition (cont.)
Common PCI Myths
• We don’t take enough cards to necessitate compliance, hence PCI is irrelevant
• Our company outsources card processing, so we are compliant
• PCI is just an IT issue and they will deal with it
• PCI is unreasonable / difficult
• PCI compliance makes us secure
• We can’t be a target
Team Work!
PCI Evolution
The PCI Security Standards Council was founded in 2006 by the major card brands:
• Visa
• MasterCard
• Amex
• Discover
• JCB
Each card brand provides input and feedback on the guidance published by the Council.
PCI Evolution (cont.)
A credit card as defined by the Council is any card that is backed by a major card brand, including but not limited to the following:
• Credit
• Debit
• HSA
• FSA
• Payroll
• Others
PCI Evolution (cont.)
The PCI Security Standards Council is responsible for the oversight of the PCI Standards, which include guidance relative to the following:
• PCI DSS
• PA-DSS
• P2PE
• PTS
Collaboration!
Meaning of PCI DSS
• Core set of best security practices
• Set of 12 requirements broken down into 6 categories, as follows:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks
6. Maintain an information security policy
Meaning of PCI DSS (cont.)
• Depending on the organization, PCI DSS can also include the following:
  - PA-DSS
  - P2PE Solution Provider
  - PTS
True “Symbiotic” Nature of Our Business!
PCI Compliance Criteria
• Compliance is determined based on how your organization stores, processes, and/or transmits cardholder data across your infrastructure
• Compliance is based on “Level” and “Type”
• Level is based on the number of transactions performed in a 12-month period
• Type is defined by how your organization takes credit cards
PCI Compliance Criteria (cont.)
Levels are based on the number of transactions. Visa defines them as follows:

Level 1: Organizations with over 6M Visa transactions per year, OR any organization that Visa, at its sole discretion, determines should meet the Level 1 requirements to minimize the risk to Visa
Level 2: Organizations with 1M to 6M Visa transactions per year
Level 3: Organizations with 20,000 to 1M Visa e-commerce transactions per year
Level 4: Organizations with fewer than 20,000 Visa e-commerce transactions per year, and all other merchants (regardless of acceptance channel) processing up to 1M Visa transactions per year
PCI Compliance Criteria (cont.)
Types are defined by how your organization takes credit cards and are broken down as follows:

Type A: Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced; this would never apply to face-to-face merchants
Type B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants with no cardholder data storage
Type C: Merchants with payment application systems connected to the Internet, no cardholder data storage
Type C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage
Type D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ
What does this mean to my company?
Action on your organization’s part for PCI:
• Depending on what “Type” of organization you are, you will have to address anywhere from 15 to 200+ controls

Cost Impact:
• Hardware
• Software
• Application maintenance (data encryption, security, etc.)
• Internal resources
• External resources
What does this mean to my company? (cont.)
Based on the volume of transactions, organizations would be required to perform the following (Visa):

Level 1:
• Annual Report on Compliance (“ROC”) to be completed by a Qualified Security Assessor (“QSA”)
• Quarterly network scan by an Approved Scanning Vendor (“ASV”)
• Attestation of Compliance form

Level 2:
• Annual Self-Assessment Questionnaire (“SAQ”)
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 3:
• Annual SAQ
• Quarterly network scan by ASV
• Attestation of Compliance form

Level 4:
• Annual SAQ recommended
• Quarterly network scan by ASV
• Compliance validation requirements set by merchant bank
Case Study: 2013 Breach of Target
What happened:
• Lost ~40 million credit and debit cards, ~70 million data files
• Theft period: November 27 – December 15
• Malware on point-of-sale terminals
• Not detected until December 15
Case Study: 2013 Breach of Target (cont.)
Common Questions
1. How could this happen?
2. Was Target PCI compliant?
3. How do I know if I was affected?

Costs?
• Credit score monitoring
• Fines, sanctions and lawsuits
• Reputational damage
Thank You!!!
Phone: 561-922-0120
Email: [email protected]
Our Global Office Locations
USA Headquarters Office, Florida
2701 N.W. 2nd Avenue #214
Boca Raton, FL 33431
Tel: 561-922-0120
Fax: 561-455-9893

USA Texas Branch
9660 Audelia Road, Suite 123-51
Dallas, TX 75238
Tel: 561-922-0120
Fax: 561-455-9893

Europe (Romania) Shared Services Branch
Aviatorilor 5A, Suite 47
Baia Mare, Maramures 430223, Romania, Europe
Tel: +40 362 881 664

India (Pune) Branch
C-30, KPCT Mall, Fatima Nagar
Pune, Maharashtra 411040
Tel: 561-922-0120
Fax: 561-455-9893