A practical guide to PCI compliance
1. A practical guide to PCI compliance
Matthew Page, IT security manager, Leeds Beckett University
14/11/2017
2. A Practical Guide to PCI
Compliance
Matthew Page – IT Security Manager
PCI ISA
3. • To help those who are starting out on the PCI compliance journey
• Where to find help and documentation
• Formal courses tend to discuss the 12 requirements rather than how to become compliant
• It can be quite daunting, so I aim to provide an overview of PCI
• I’m not going to discuss:
– The requirements in detail
– The payment cycle
*For further information on these please review the documents referenced in the resources section.
A Practical Guide to PCI
The Purpose of this Presentation
5. A Practical Guide to PCI
• Payment card data and transactions, not direct debits or PayPal payments
What is PCI?
*Courtesy of PCIDSSSIG
6. A Practical Guide to PCI
• It’s not a legal requirement
• It’s a contractual requirement
• 12 main requirements (essentially a check list)
• Mainly technical requirements, with some procedural and policy-based requirements
• Who is PCI compliant?
What is PCI?
7. A Practical Guide to PCI
• It’s very valuable data to hackers
• US company Target breach 2013-2014
– 40 million card details affected
– Cost Target $350 million
– 46% drop in profits
– 1-3 million cards sold on the black market
– Resignation of the CEO
• Reputational impact
Why Protect this Data?
*Data source Axelos Resilia
9. A Practical Guide to PCI
Goal 1 – Build and maintain a secure network and systems
*Barclaycard
Associated Requirements
1. Install and maintain a firewall
configuration to protect
cardholder data
2. Do not use vendor-supplied
defaults for system passwords
and other security parameters
10. A Practical Guide to PCI
Goal 2 – Protect Cardholder data
*Barclaycard
Associated Requirements
3. Protect stored cardholder data
4. Encrypt transmission of
cardholder data across open,
public networks
11. A Practical Guide to PCI
Goal 3 – Maintain a vulnerability management program
*Barclaycard
Associated Requirements
5. Protect all systems against
malware and regularly update
antivirus software or programs
6. Develop and maintain secure
systems and applications
(patching and config)
12. A Practical Guide to PCI
Goal 4 – Implement strong access control measures
*Barclaycard
Associated Requirements
7. Restrict access to cardholder
data by business need to
know
8. Identify and authenticate
access to system components
9. Restrict physical access to
cardholder data
13. A Practical Guide to PCI
Goal 5 – Regularly monitor and test networks
*Barclaycard
Associated Requirements
10. Track and monitor all access
to network resources and
cardholder data
11. Regularly test security
systems and processes (pen
tests, vulnerability scans, etc.)
14. A Practical Guide to PCI
Goal 6 – Maintain an information security policy
*Barclaycard
Associated Requirements
12. Maintain a policy that
addresses information
security for all personnel
15. A Practical Guide to PCI
Where are you now?
*Barclaycard
• Many of the goals and requirements will already be in place
• Some may need fine tuning and some will need significant effort to bring into line with the standard
16. A Practical Guide to PCI
• 12 high-level requirements
• All the requirements have sub-requirements, totalling over 300 across the standard
• That’s a lot!
• Very expensive to adhere to them all, and time consuming to support and maintain
• Good news: hopefully you won’t have to adhere to them all
• That’s not to say you should take short cuts
• Depending on your environment you may not need to comply with all the requirements to be compliant
• This is where SAQs will help
12 Requirements & Sub Requirements
19. A Practical Guide to PCI
Payment Terminals
(Chip & Pin)
• B, B-IP & P2PE
The SAQs
20. A Practical Guide to PCI
Merchants who
use a payment
application system
or Virtual Terminal
to process card
payments
• C & C-VT
The SAQs
21. A Practical Guide to PCI
Merchants who
store cardholder
data
• D
The SAQs
22. Requirement Description SAQ D SAQ C SAQ C-VT B-IP B A-EP* A P2PE
1 Firewall config Full Partial Partial Partial Partial
2 Vendor defaults Full Partial Partial Partial Partial Partial
3 Stored CHD Full Partial Partial Partial Partial Partial Partial
4 Encryption Full Partial Partial Partial Partial Partial
5 AV & patching Full Partial Partial Partial
6 Development Full Partial Partial Partial Partial
7 Restrict access Full Partial Partial Partial Partial Partial
8 Identify & authenticate Full Partial Partial Partial Partial Partial
9 Restrict physical access Full Partial Partial Partial Partial Partial Partial Partial
10 Track and monitor Full Partial Partial
11 Vulnerability testing Full Partial Partial Partial
12 Policies Full Partial Partial Partial Partial Partial Partial Partial
A Practical Guide to PCI
• Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm
SAQ Requirements
23. A Practical Guide to PCI
PCI SAQ Instructions and Guidelines Document
24. A Practical Guide to PCI
Merchant Levels & Assessment Criteria
Level 1
Merchant criteria: merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
Validation requirements: annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor or a qualified internal security resource; quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance form.
QSA Services
• PCI assessment
• ROC
• Attestation sign off
• Gap analysis
ASV
• Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
27. A Practical Guide to PCI
Merchant Levels
Level 1
Merchant criteria: merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region.
Validation requirements: annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor or a qualified internal security resource; quarterly network scan by an Approved Scan Vendor (ASV); Attestation of Compliance form.
Level 2
Merchant criteria: merchants processing one million to six million Visa transactions annually via all channels.
Validation requirements: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form.
Level 3
Merchant criteria: merchants processing 20,000 to one million Visa e-commerce transactions annually.
Validation requirements: use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com), OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ).
Level 4
Merchant criteria: e-commerce merchants only; merchants processing fewer than 20,000 Visa e-commerce transactions annually.
Validation requirements: use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com), OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ).
28. A Practical Guide to PCI
• Who are the acquirers?
An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The
acquirer enables merchants to accept card payments.
• They can help provide information regarding the number of merchant accounts in
use and the volume of transactions being processed through them
• They are responsible for ensuring their associated merchants are PCI compliant
and will ask you to provide an AOC
• If you are unable to do this you may start to receive threatening letters
Acquirers
29. A Practical Guide to PCI
Acquirers
• Don’t be afraid to challenge your acquirer
• Find your business relationship manager and build a relationship
30. A Practical Guide to PCI
• Identify where payments are being taken throughout the university
• Identify how card data traverses the network
• Is cardholder data stored as part of the process?
• Identify the SAQ level
• Identify the merchant level
• Speak to your acquirer; they will help verify your merchant and SAQ levels
Your Payment Gateways
31. A Practical Guide to PCI
• Are card payments segregated from the rest of your network?
• Can you segregate your networks?
• Avoid storing cardholder data
• Be aware of the problems with descoping:
– the perception that the entire network is as secure as the cardholder environment, when in fact the rest has been descoped and therefore may not be maintained to the same standard.
• Determine the cost of descoping: is it just easier to include everything?
• Remember PCI should be part of your data security strategy
Reduce the Scope
32. A Practical Guide to PCI
• It’s a project – create a plan
• Use the Prioritized Approach provided by PCI
• Collaborative approach with:
– IT
– Finance
– Governance
– Other relevant departments
– Acquirers
• Who should drive the project?
– IT
– Finance
– Governance
– ?
• Get buy in
– You can’t do this alone
The PCI Project
33. A Practical Guide to PCI
• Find a QSA https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
• Your Acquirer
• Merchant levels
• MasterCard https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
• Visa https://www.visaeurope.com/receiving-payments/security/merchants
• PCIDSSSIG
– Training courses
– Foundation, Practitioner and ISA (free if you are a member)
– Resources http://www.pcidsssig.org.uk/
• PCI Document library https://www.pcisecuritystandards.org/document_library
• PCI Prioritized Approach https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
• Guidance for Network Segmentation https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
Resources
34. A Practical Guide to PCI
• It’s a check list, so you can take one step at a time
• Training/reading: familiarise yourself with the standard
• Get project buy-in
• Speak to people (Finance, Acquirers, staff)
• Determine the scope
• Work with the acquirers
• The goals of PCI are just the best-practice elements we should all be implementing.
• Different security/compliance standards will aid each other
• You don’t need to be an ISA, but it helps.
Final Thoughts