Original air date:
March 24, 2016
Recording available at http://www.mhmcpa.com.
Due to growing concerns with credit card fraud, the Payment Card Industry (PCI) has established data security standards (DSS) to protect customers and merchants involved in payment card transactions.
Although more commonly associated with the commercial sector, PCI compliance plays an important role in nonprofits as well. Donors increasingly rely on credit cards to make their contributions. Complying with the PCI DSS can help reduce the risk of a data breach and instill trust in your donors that your organization can keep their valuable data secure.
Join us as we discuss the notable requirements and clarifications that have been introduced in the most recent PCI DSS. Our presenter will also provide best practices for how you can protect your organization from further risk.
Webinar Slides: Payment Card Industry Data Security Standards – PCI-DSS Update
1. #cbizmhmwebinar 1
CBIZ & MHM
Executive Education Series™
Payment Card Industry Data Security
Standards – PCI-DSS Update
Karen Cassella & Brenda Brigman
March 24 & March 29, 2016
CPE Credit
This webinar is eligible for CPE
credit. To receive credit, you will
need to answer periodic
participation markers
throughout the webinar.
External participants will receive
their CPE certificate via email
immediately following the
webinar.
Disclaimer
The information in this Executive Education Series
course is a brief summary and may not include all
the details relevant to your situation.
Please contact your service provider to further
discuss the impact on your business.
Presenters
KAREN CASSELLA, CICA
Managing Director
Karen Cassella is a Managing Director in the CBIZ Risk & Advisory Services practice and has more than 20 years' experience performing internal and external audits, fraud investigations, SOX-404 compliance, PCI compliance and various regulatory audit and consulting services in the public and private sectors.
Karen led the effort for CBIZ to become a Qualified Security Assessor (QSA) Company certified and approved by the Payment Card Industry (PCI) Security Standards Council. Her team performs PCI audits for merchants and service providers in the public and private sectors at all levels.
901.842.2859 • kcassella@cbiz.com
Presenters
BRENDA BRIGMAN, QSA, PCIP, CCSK, CISA, CISSP
PCI National Practice Leader
Brenda is the National PCI Practice Leader for CBIZ Security & Advisory Services. She has over 15 years of experience in Information Technology Management and over 10 years of experience in Information Technology Auditing, including internal audit and risk management. She has served as an Engagement Manager on multiple Level 1 PCI engagements, and her industry experience includes IT, manufacturing, financial services, healthcare, insurance, hospitality, nonprofit and government.
Prior to joining CBIZ, Brenda worked at KPMG as a Manager in their Risk Assurance Services practice and served over 20 years with Federal Express.
901.685.5575 • bbrigman@cbiz.com
Who Must Comply?
All organizations, including merchants and service providers, that
store, process and/or transmit cardholder data must validate that
they are compliant with PCI DSS and provide proof of compliance to
their acquirer once every year.
What is PCI-DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a
set of technical and operational requirements designed to
protect credit card data. The credit card brands enforce the
requirements which include an annual validation.
Six Objectives and 12 Requirements
Goal: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Merchant Levels (VISA)
Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, or any merchant that has suffered a data breach.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.
Merchant Validation Requirements (VISA)
Level 1:
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company
• Quarterly network scan by an Approved Scan Vendor (ASV)
• Attestation of Compliance Form (AOC)
Level 2:
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by an ASV
• AOC
Level 3:
• Annual SAQ
• Quarterly network scan by an ASV
• AOC
Level 4:
• Annual SAQ
• Quarterly network scan by an ASV, if applicable
• Compliance validation requirements set by the merchant bank
Payment Methods & Validation Requirements
SAQ validation type and the merchant payment method it covers:
SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website (or websites) that does not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.
SAQ B: Merchants using only imprint machines with no electronic cardholder data storage and/or standalone, analog dial-out terminals with no electronic cardholder data storage.
SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
SAQ C-VT: Merchants manually entering a single transaction at a time through a keyboard into an internet-based virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider, with no electronic cardholder data storage.
SAQ C: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage.
SAQ P2PE: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no cardholder data storage.
SAQ D: Merchants: all merchants not included in the descriptions for the above SAQ types. Service Providers: all service providers defined by a payment brand as eligible to complete an SAQ.
Source: www.pcisecuritystandards.org
Questions for PCI DSS Basics
• Who must validate compliance annually?
A. Only merchants and service providers that have had a data breach
B. All merchants that store, process or transmit cardholder data
C. All merchants and service providers that store, process or transmit cardholder data, regardless of the number of transactions
D. Only merchants and service providers that process more than 20,000 transactions per year
• If I need help understanding whether I can self-assess and which self-assessment form to use, my best course of action is to:
A. Obtain the forms from www.pcisecuritystandards.org
B. Seek the assistance of a Qualified Security Assessor (QSA)
C. Ignore the requirement because no one will ever know
D. Both A and B
2015 Breaches by Industry
[Chart: 2015 data breaches by industry. Sectors listed: Business Sector, Government & Non-Profit, Medical, Unknown, Education. Percentages listed: 53%, 19%, 12%, 8%, 8%.]
Source: Security Affairs: DATA BREACH QUICKVIEW
Data Security Observation – RISK!
“Some organizations will be a target regardless of
what they do, but most become a target because of
what they do.”
Questions for Anatomy of a Breach
• If I do not validate PCI DSS compliance annually:
A. the acquirer can revoke my right to accept credit cards
B. I am at greater risk for a data breach
C. All merchants and service providers
D. Both A and B
• True or False: I do not have to worry about a data breach because I have cyber security insurance.
• True or False: I do not have to worry about a data breach because I process very few transactions.
PCI Non-Compliance
Merchants and service providers that do not submit proof of compliance to their acquirer can be subject to the following:
• Penalties and fines for non-compliance (breach of contract)
• Fines from the card brands, passed on in the form of increased processing fees
• Revocation of the ability to accept credit card payments
• Failure to implement the PCI DSS requirements, which can lead to a data breach
Data Breach Costs
The merchant can incur or be held liable for the following costs associated with a data breach:
• Cost to notify victims and provide credit monitoring
• Cost to replace payment cards (credit, debit, HSA, gift)
• Cost associated with fraudulent transactions
• Forensic investigations
• Increasing validation requirements and frequency
• Expense associated with revalidation by a QSA
Once a merchant has been breached, the merchant can no longer self-assess.
What's at Stake for Nonprofits and the Public Sector?
• Significant risk to reputation
• Donors' trust
• Credit card data stored for recurring membership or donation payments is at risk
• Funding can be difficult to obtain or allocate for internal projects
• Mobile payments at conferences or events pose a greater risk
Questions for Cost of Non-Compliance
• If I do not validate PCI DSS compliance annually:
A. the acquirer can assess costly fines and penalties
B. I am at greater risk for a data breach
C. the ability to accept credit cards can be revoked
D. All of the above
• True or False: My acquirer has not requested proof of compliance from me, so I do not have to validate my compliance.
Robust PCI DSS Compliance Program
• Executive commitment and oversight
• Accurate scoping
• Controls and control tests must be objective, valid, reliable and economical
• Report annually
• Monitor and nurture the PCI sustainment program
Controls, Tests and Evidence Clearly Defined
• Objective: the test must be fair
• Valid: the test must consistently measure a specific ability
• Reliable: sufficient evidence and a clear understanding of the accountable individuals
• Economical: design control tests to be efficient and cost conscious
Report Annually
• File your Attestation of Compliance (AOC) with your acquirer on an annual basis.
• Inform your acquirer if your assessment results will be delayed.
• Maintain evidence with the report for at least two years (or in accordance with your company's data retention policy).
Monitor and Nurture the PCI Sustainment Program
• Define a test schedule for the year and monitor controls throughout the year.
• Monitor and report the status of control testing on a consistent basis.
• Ensure that any control failures are remediated and retested in a timely manner.
Questions for Building a Robust PCI Compliance Program
• True or False: Scoping is one of the most important functions of the annual PCI compliance assessment.
• True or False: The best PCI DSS compliance programs have a champion to promote security and build a strong security culture.
If You Enjoyed This Webinar…
Upcoming Courses:
• 3/31: Building an Actionable and Easy-to-Implement Business Continuity Plan
• 4/5 & 4/19: Leasing Unleashed - A Deep Dive into the New Standard
• 4/13 & 4/20: First Quarter Accounting and Financial Reporting Issues Update
• 4/28 & 5/17: Top Lessons Learned from the First Year of the Uniform Grant Guidance Implementation
Recent Publications:
• Report Asks for 501(c)(3) Application Improvements
• Managing Underwater Endowments for Not-for-Profit Organizations
• Does Your Not-for-Profit Need an Audit of Its Marketing, Fundraising Streams and Advertising?