
A practical guide to PCI compliance

by Matthew Page



  1. A practical guide to PCI compliance. Matthew Page, IT security manager, Leeds Beckett University, 14/11/2017
  2. A Practical Guide to PCI Compliance. Matthew Page – IT Security Manager, PCI ISA
  3. The Purpose of this Presentation
     • To help those who are starting out on the PCI compliance journey
     • Where to find help and documentation
     • Formal courses tend to discuss the 12 requirements rather than how to become compliant
     • It can be quite daunting, so I aim to provide an overview of PCI
     • I’m not going to discuss:
       – The requirements in detail
       – The payment cycle
     *For further information on these please review the documents referenced in the resources section.
  4. What is PCI?
     • Payment Card Industry
  5. What is PCI?
     • Payment card data and transactions, not direct debits or PayPal payments
     *Courtesy of PCIDSSSIG
  6. What is PCI?
     • It’s not a legal requirement
     • It’s a contractual requirement
     • 12 main requirements (essentially a checklist)
     • Mainly technical requirements, with procedural and policy based requirements
     • Who is PCI compliant?
  7. Why Protect this Data?
     • It’s very valuable data to hackers
     • US company Target breach 2013-2014
       – 40 million card details affected
       – Cost Target $350 million
       – 46% drop in profits
       – 1-3 million cards sold on the black market
       – Resignation of CEO
     • Reputational impact
     *Data source Axelos Resilia
  8. 6 Goals of PCI Compliance
  9. Goal 1 – Build and maintain a secure network and systems (*Barclaycard)
     Associated Requirements:
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
  10. Goal 2 – Protect Cardholder data (*Barclaycard)
     Associated Requirements:
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
  11. Goal 3 – Maintain a vulnerability management program (*Barclaycard)
     Associated Requirements:
     5. Protect all systems against malware and regularly update antivirus software or programs
     6. Develop and maintain secure systems and applications (patching and config)
  12. Goal 4 – Implement strong access control measures (*Barclaycard)
     Associated Requirements:
     7. Restrict access to cardholder data by business need to know
     8. Identify and authenticate access to system components
     9. Restrict physical access to cardholder data
  13. Goal 5 – Regularly monitor and test networks (*Barclaycard)
     Associated Requirements:
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes (pen tests, vulnerability scans, etc.)
  14. Goal 6 – Maintain an information security policy (*Barclaycard)
     Associated Requirements:
     12. Maintain a policy that addresses information security for all personnel
  15. Where are you now? (*Barclaycard)
     • Many of the goals and requirements will already be in place
     • Some may need fine tuning and some will need significant effort to bring into line with the standard
  16. 12 Requirements & Sub Requirements
     • 12 high level requirements
     • All the requirements have sub requirements, totalling over 300 across the standard
     • That’s a lot!
     • Very expensive to adhere to them all, and time consuming to support and maintain
     • Good news: hopefully you won’t have to adhere to them all
     • That’s not to say you should take short cuts
     • Depending on your environment you may not need to comply with all the requirements to be compliant
     • This is where SAQs will help
  17. The SAQs
  18. The SAQs – Web Payments
     • A and A-EP
  19. The SAQs – Payment Terminals (Chip & PIN)
     • B, B-IP & P2PE
  20. The SAQs – Merchants who use a payment application system or Virtual Terminal to process card payments
     • C & C-VT
  21. The SAQs – Merchants who store cardholder data
     • D
  22. SAQ Requirements
     Columns: Requirement | Description | SAQ D | SAQ C | SAQ C-VT | B-IP | B | A-EP* | A | P2PE
     Filled cells per requirement, in column order (the slide leaves a cell blank where the requirement does not apply to that SAQ, and blank cells are not listed):
     1 Firewall config: Full, Partial, Partial, Partial, Partial
     2 Vendor defaults: Full, Partial, Partial, Partial, Partial, Partial
     3 Stored CHD: Full, Partial, Partial, Partial, Partial, Partial, Partial
     4 Encryption: Full, Partial, Partial, Partial, Partial, Partial
     5 AV & patching: Full, Partial, Partial, Partial
     6 Development: Full, Partial, Partial, Partial, Partial
     7 Restrict access: Full, Partial, Partial, Partial, Partial, Partial
     8 Identify & authenticate: Full, Partial, Partial, Partial, Partial, Partial
     9 Restrict physical access: Full, Partial, Partial, Partial, Partial, Partial, Partial, Partial
     10 Track and monitor: Full, Partial, Partial
     11 Vulnerability testing: Full, Partial, Partial, Partial
     12 Policies: Full, Partial, Partial, Partial, Partial, Partial, Partial, Partial
     • Refer to the ‘PCI SAQ Instructions and Guidelines’ document to determine which of your merchant accounts align with which SAQ, and speak to your acquirer to confirm
  23. PCI SAQ Instructions and Guidelines Document
  24. Merchant Levels & Assessment Criteria
     QSA Services
     • PCI assessment
     • ROC
     • Attestation sign off
     • Gap analysis
     ASV
     • Tool to scan the network environment for vulnerabilities. Any high vulnerabilities are failures.
  25–27. Merchant Levels (built up one level per slide; shown once here in full)
     Level | Merchant criteria | Validation requirements
     1 | Merchants processing more than six million Visa transactions annually via all channels, or global merchants identified as level one by any Visa region. | Annual Report on Compliance (ROC) to follow an on-site audit by either a Qualified Security Assessor or qualified internal security resource; quarterly network scan by Approved Scan Vendor (ASV); Attestation of Compliance form
     2 | Merchants processing one million to six million Visa transactions annually via all channels. | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
     3 | Merchants processing 20,000 to one million Visa e-commerce transactions annually. | Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
     4 | E-commerce merchants only: merchants processing fewer than 20,000 Visa e-commerce transactions annually. | Use a service provider that has certified their PCI DSS compliance (certified providers are listed on Visa Europe’s website: www.visaeurope.com) OR have certified their own PCI DSS compliance to the acquirer (who must, on request, be able to validate that compliance to Visa Europe) (SAQ)
  28–29. Acquirers
     • Who are the acquirers? An acquiring bank (simply known as an acquirer) is a bank that processes credit or debit card payments on behalf of a merchant. The acquirer enables merchants to accept card payments.
     • They can help provide information regarding the number of merchant accounts in use and the volume of transactions being processed through them
     • They are responsible for ensuring their associated merchants are PCI compliant and will ask you to provide an AOC
     • If you are unable to do this you may start to receive threatening letters
     • Don’t be afraid to challenge your acquirer
     • Find your business relationship manager and build a relationship
  30. Your Payment Gateways
     • Identify where payments are being taken throughout the university
     • Identify how card data traverses the network
     • Is cardholder data stored as part of the process?
     • Identify the SAQ level
     • Identify the Merchant level
     • Speak to your acquirer; they will help verify your Merchant and SAQ levels
  31. Reduce the Scope
     • Are card payments segregated from the rest of your network?
     • Can you segregate your networks?
     • Avoid storing cardholder data
     • Be aware of the problems with descoping – the perception that the entire network is as secure as the cardholder environment, when in fact the rest has been descoped and therefore may not be maintained to the same standard
     • Determine the cost of descoping: is it just easier to include everything?
     • Remember PCI should be part of the data security strategy
  32. The PCI Project
     • It’s a project – create a plan
     • Use the prioritised approach provided by PCI
     • Collaborative approach with:
       – IT
       – Finance
       – Governance
       – Other relevant departments
       – Acquirers
     • Who should drive the project?
       – IT
       – Finance
       – Governance
       – ?
     • Get buy in – you can’t do this alone
  33. Resources
     • Find a QSA: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
     • Your Acquirer
     • Merchant levels
     • MasterCard: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
     • Visa: https://www.visaeurope.com/receiving-payments/security/merchants
     • PCIDSSSIG
       – Training courses – Foundation, Practitioner and ISA (free if you are a member)
       – Resources: http://www.pcidsssig.org.uk/
     • PCI Document library: https://www.pcisecuritystandards.org/document_library
     • PCI Prioritised approach: https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
     • Guidance for Network Segmentation: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf?agreement=true&time=1510049283753
  34. Final Thoughts
     • It’s a checklist, so you can take one step at a time
     • Training/reading/familiarise yourself with the standard
     • Get project buy in
     • Speak to people (Finance, Acquirers, staff)
     • Determine the scope
     • Work with the acquirers
     • The goals of PCI are just the best practice elements we should all be implementing
     • Different security/compliance standards will aid each other
     • You don’t need to be an ISA, but it helps
  35. Questions?
