5 TIPS TO PAY LESS FOR PCI COMPLIANCE

SIMPLE STEPS TO REDUCE YOUR PCI SCOPE

Ebook

© 2015 SecurityMetrics


ABOUT THIS EBOOK

WHO SHOULD READ THIS EBOOK?

• IT directors and managers in charge of PCI compliance and data security

• Acquirers, ISOs, and portfolio managers

• Anyone interested in network, data, or payment security

READ THIS EBOOK TO LEARN:

• How to define your cardholder data inflows and outflows

• Why storing PAN might increase your PCI scope

• 5 tips to save your business money and reduce PCI scope

MORE OF A VIDEO PERSON? Check out the full-length webinar for additional insights and info.


INTRODUCTION

With the recent changes in PCI DSS 3.0 and PCI DSS 3.1, many organizations have found it more expensive and difficult to keep up with the latest PCI compliance data security requirements. The most dramatic changes are the introduction of new Self-Assessment Questionnaire (SAQ) categories and an extended PCI scope. This ebook discusses tips to reduce your current PCI scope, which may help you save money on managed services, decrease the internal resources you need, and reduce your long-term workload.

A CARDHOLDER DATA ENVIRONMENT IS COMPRISED OF PEOPLE, PROCESSES, AND TECHNOLOGIES THAT STORE, PROCESS, OR TRANSMIT CARDHOLDER DATA OR SENSITIVE AUTHENTICATION DATA.

WHAT IS PCI SCOPE?

Scope covers the systems in your environment that must be tested and protected to become PCI compliant, while an SAQ is simply a validation tool that merchants and service providers use to self-evaluate their compliance with PCI DSS.

Here’s a quick list of system components that are probably in scope in your environment:

• Networking devices

• Firewalls

• Servers

• Switches and routers

• Computing devices

• Applications

The bottom line is: if the people/process/technology/component stores, processes, or transmits card data (or is connected to systems that do), it’s considered in scope.


PCI 3.0 SCOPE CHANGES

PCI DSS 3.0 clarified that there are secondary systems not directly related to processing card information that are now in scope for PCI, such as log servers, Network Time Protocol (NTP), and Domain Name System (DNS).

PCI 3.0 has offered greater clarity on which system components are in scope:

• Systems that provide security services (e.g., authentication servers), facilitate segmentation (e.g., internal firewalls), or may impact the security of (e.g., name resolution or web redirection servers) the cardholder data environment (CDE).

• Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

• Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

• Server types including but not limited to web, application, database, authentication, mail, proxy, NTP, and DNS.

• Applications including all purchased and custom applications, and internal and external (e.g., Internet) applications.

• Any other component or device located within or connected to the CDE.


Let me give you an example. PCI Requirement 10 requires you to log all the events in your system and store them in a centralized log server. Now these log servers and any connected systems are in scope, unless you segment your network accordingly.

These new changes likely mean you will have to spend time and resources on becoming compliant that you may not have expected or budgeted for.

Keep these PCI 3.0 changes in mind as you reduce your scope and comply with PCI DSS requirements.

IN MOST CASES, YOUR PCI SCOPE WILL HAVE CHANGED FROM PCI DSS 2.0 TO 3.0

WHAT ABOUT 3.0 SAQS?

Often people associate PCI scope with Self-Assessment Questionnaires (SAQs), but these are two different parts of PCI compliance.


INCREASE SECURITY, DECREASE WORKLOAD

Reducing scope means that you either outsource or change aspects of your PCI compliance. For example, you can outsource the management of your firewalls, or you can move storage of primary account numbers (PAN) out of your environment and into your merchant bank’s system.

What does reducing PCI scope do for your organization? Reducing scope, particularly by removing or outsourcing PAN, can change which SAQ you qualify for (decreasing the number of SAQ questions you are required to complete). This means you will have to spend less time and fewer internal resources on PCI compliance.

REDUCING SCOPE MEANS THAT YOU EITHER OUTSOURCE OR CHANGE ASPECTS OF YOUR PCI COMPLIANCE.


DECREASING YOUR PCI SCOPE

To reduce scope, you must understand the actual method you use to process card data. Only then can you look at procedures that can be eliminated or outsourced.

Think through the different ways cardholder information is received and sent over your network. How does cardholder data enter your environment? What devices are you using to collect cardholder data? Where do you send the data? How do you process this information?

Your answers to these and similar questions will help determine the exact breadth of your PCI scope.

Remember, even infrequent flows of cardholder data are still important and will affect your PCI scope, even if they only happen once a year.

HERE ARE SOME SPECIFIC EXAMPLES TO GET YOU THINKING OF HOW CARDHOLDER DATA FLOWS IN YOUR NETWORK.


HOW DOES CARD DATA COME INTO YOUR NETWORK?

• Point of sale (POS) system

• Mobile POS system

• Ecommerce website

• Mail order/telephone order systems

• Virtual terminals

• Outsourced procedures processing under your merchant ID

WHAT HAPPENS TO THE CARDHOLDER DATA INSIDE YOUR NETWORK?

• Is your website hosted at your location or through a third party?

• Does your system batch at the end of the day?

• How does your terminal connect? (e.g., Internet, cellular, analog)

• Where is card data stored in your environment?

WHERE DO YOU SEND CARDHOLDER DATA AFTER PAYMENT?

• Processor

• Back-of-house server

• Backup server

• Third party that stores or handles PAN

• Outsourced management of your systems or infrastructure


HOW TO CREATE A CARD FLOW DIAGRAM

Keeping track of all cardholder data flows, what systems they interact with, and where card data is stored at your organization can be difficult. That’s where a card flow diagram comes in.

PCI DSS version 3.0 Requirement 1.1.3 requires you to have a current cardholder data flow diagram covering all card flows in your organization. A card flow diagram is simply a graphical representation of how card data moves through your organization.

To accurately craft your card flow diagram, ask yourself questions such as:

• What device am I using for the transaction? A virtual terminal? POS system?

• What happens to the card data after a transaction?

• When is data encrypted? Is it even encrypted at all?

• Do I store card data before it is sent to the processor for approval?

• When I send data for approval, does it go out and come back through a firewall? Is the firewall PCI compliant?

• How is data authorized and returned by the bank?

• Is card data backed up on my system? Is it encrypted? Is my backup server at a different data center?

ONCE YOU KNOW YOUR FLOWS AND KNOW WHAT SYSTEMS THEY INTERACT WITH YOU CAN EASILY CREATE A CARD FLOW DIAGRAM OF HOW CARD DATA MOVES WITHIN YOUR NETWORK.


Think of your card flow diagrams as card processing spring cleaning. Imagine you are doing a little spring cleaning, and you find a storage box labeled “Christmas.” After opening it, you find Christmas lights but also gardening shears inside.

Card flow diagrams are like that box. Often businesses believe their labeled boxes (or card flows) are set up a certain way and contain certain things. In reality, they are much different than originally thought.

Mistakes in the flow of card data can be made in a variety of ways. Perhaps a point of sale terminal was set up incorrectly. Maybe an employee went in after the system was correctly set up and accidentally changed a process, much like accidentally placing gardening shears in a Christmas storage box. There are many possible ways of making mistakes in how you process and store your card data.

Like relabeling storage boxes after a thorough spring-cleaning, card flow diagrams help you know which processes must be changed for better organization. They also show possible ways to reduce your scope, like condensing all gardening supplies from five boxes into one.


ARE YOU UNKNOWINGLY STORING PAN?

When defining scope, it is important to understand the impact of storing card numbers, especially if they are unencrypted.

If you electronically store the PAN from a credit or debit card, you automatically qualify for PCI SAQ D, which has 335 requirements.

You are also required to make sure all stored PAN is encrypted. The problem is, many merchants don’t know they store unencrypted PANs. In the latest study by SecurityMetrics, 61% of merchants were found to store unencrypted PANs.

Do you have a refund process? If so, you may store PAN. For example, finance departments often receive bank statements with full card numbers. Sometimes the finance team will get a notification of a disputed transaction via email and, because they have data retention requirements, they’ll save that information without encryption.

Therefore, as you are defining your environment, it’s important to ask all organizations and departments whether they receive cardholder information or not. Then you need to define exactly how this changes your card flows.

PAN (PRIMARY ACCOUNT NUMBER): The digits on the front of a payment card. Also called a bankcard number. You are allowed to store full card details with the exception of track data, if properly encrypted.


REMOVING PAN FROM YOUR ENVIRONMENT

To avoid being in the dark about your own PAN storage, make sure you ask your vendor exactly how your POS system works. For example, does it automatically store cardholder data? Does it write cardholder data to a database and keep a transaction record for 30 days to easily process refunds?

In addition, you should regularly run a cardholder data discovery tool (such as PANscan). These tools find unencrypted PAN and tell you where it resides. Knowing where PAN data is stored helps you confirm whether or not your CDE is what you think it is. It also helps you identify which processes or flows need to be fixed. Once you identify a previously unknown process, you can decide whether to fix it or to bring it into your normal, documented environment processes.
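A minimal cardholder data discovery scan, added here as an illustration and not SecurityMetrics’ PANscan or any other product: it finds candidate digit runs, keeps only those with a known brand prefix and a valid Luhn check digit, and reports them masked so the report itself does not become a new PAN store. The file names and contents are constructed sample data, and the brand prefix table is a representative subset rather than a complete one.

```python
import re
from typing import Optional

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to further digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix ranges for the five brands the ebook names; a representative
# subset, not a complete IIN table.
BRAND_PREFIXES = {
    "Visa": [(4, 4)],
    "Mastercard": [(51, 55), (2221, 2720)],
    "American Express": [(34, 34), (37, 37)],
    "Discover": [(6011, 6011), (644, 649), (65, 65)],
    "JCB": [(3528, 3589)],
}

def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit every real PAN passes; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def brand_of(digits: str) -> Optional[str]:
    """Brand whose prefix range the number falls in, or None."""
    for brand, ranges in BRAND_PREFIXES.items():
        for lo, hi in ranges:
            if lo <= int(digits[: len(str(lo))]) <= hi:
                return brand
    return None

def mask(digits: str) -> str:
    """First six and last four only, so the report is not itself a PAN store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> list:
    """Return (source, line_no, brand, masked_pan) for each PAN found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_valid(digits):
                findings.append((source, line_no, brand, mask(digits)))
    return findings

def scan_all(files: dict) -> list:
    return [hit for name, text in files.items() for hit in scan_text(name, text)]

# Constructed sample "files" using published test card numbers.
SAMPLE_FILES = {
    "finance/disputes-2015.txt": (
        "Dispute 4471 on card 4111 1111 1111 1111, amount 42.10\n"
        "Order ref 1234567812345670 (passes Luhn but has no brand prefix)\n"
        "Call 801-555-0100 with questions\n"
    ),
    "pos/batch.log": (
        "AUTH ok amex 378282246310005 batch=17\n"
        "AUTH fail card 4111111111111112 (mistyped, fails Luhn)\n"
        "TOKEN tok_9f3b2c stored instead of PAN\n"
    ),
}

if __name__ == "__main__":
    for source, line_no, brand, masked in scan_all(SAMPLE_FILES):
        print(f"{source}:{line_no}: {brand} {masked}")
```

The order reference in the first file shows why the prefix check matters: it passes Luhn by coincidence but is never reported.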

KNOWING WHERE PAN DATA IS STORED HELPS YOU TO CONFIRM WHETHER OR NOT YOUR CDE IS WHAT YOU THINK IT IS.


PAN STORAGE CASE STUDIES

Customers use a gift card. If the gift card you accept is not from one of the five major brands (Visa, Mastercard, Amex, JCB, and Discover), then the gift card vendor sets the requirements for securing the card information. This means that such gift cards are not required to be protected under PCI DSS.

Customers fax you their card information. In most cases, your customer is actually sending you an eFax, which arrives by email and therefore needs to be encrypted (even if it is in PDF format). If your customer is sending a true fax, the phone system is not in scope; you only need to make sure that the fax machine is in a secure area and that you monitor incoming faxes.

Customers email you PAN. Email is one of the most difficult channels to secure while remaining PCI compliant. If you do receive PAN over email, it needs to be encrypted. You should not accept any unencrypted PAN over email because once it enters the public Internet, it is almost impossible to protect. We recommend you find an alternative solution if this regularly happens in your environment.


5 TIPS TO REDUCE YOUR PCI SCOPE

Now that you understand what scope is, and how to define it at your unique organization, how do you reduce your scope to decrease your workload? Reducing scope is done by either outsourcing or changing aspects of your PCI compliance, specifically processes dealing with PAN data. Reducing scope often changes the SAQ you qualify for and decreases the number of SAQ questions you are required to follow.

REDUCING SCOPE OFTEN CHANGES THE SAQ YOU QUALIFY FOR AND DECREASES THE NUMBER OF SAQ QUESTIONS YOU ARE REQUIRED TO FOLLOW.

SAQs with bigger scopes require increased security measures and additional testing procedures, which expands your staff’s workload in order to fulfill an intensive SAQ. The more rigorous the SAQ, the more time consuming it can be for your staff to make sure the proper security measures are in place. It can also be so complicated that it requires assistance from expensive managed services (particularly IT services).

The following are tips to help you reduce your PCI scope, so that you can decrease your workload and save time and money.


1: DON’T STORE PAN

Those that store PAN qualify for SAQ D (335 requirements), which is quite extensive when compared to other SAQs like SAQ A (14 requirements).

SAQ D includes:

• File integrity monitoring (FIM)

• Intrusion detection system or intrusion prevention system (IDS/IPS)

• Annual penetration testing (internal and external)

• Physical security for systems that store data

• Firewall

• Change control

• Internal and external scanning

• And . . . the whole PCI DSS standard

Qualifying for an SAQ D does not simplify PCI compliance.

You might think storing PAN makes life easier. For example, perhaps you process a lot of refunds. Or perhaps you store credit cards for frequent customers. That seems like a good decision at first because it increases sales by making transactions faster for your customers. The downside is you still store PAN and qualify for an SAQ D.

If you must store PAN, consider an alternate method. For example, can your bank store the card numbers, and then provide you access through a portal when doing refunds? Can you outsource the entirety of your payment page to a third party? (If so, you potentially qualify for SAQ A, B, or C.)

Bottom line is: if you don’t have a compelling business need to store PAN, don’t store it!

IF YOU DON’T NEED PAN, DON’T STORE IT!


2: OUTSOURCE PCI ASPECTS

Could service providers take on some of your more daunting PCI requirements, such as firewall management, log collection/monitoring, or systems hosting?

If you don’t have to hire personnel to manage outsourced devices, your staff can spend more time on other job duties.

However, it is important to understand that outsourcing all aspects of PCI compliance does not necessarily take away all of your responsibilities. PCI Requirements 12.8 and 12.9 require that you specify who is in charge of which PCI aspects. For example, you are required to provide a list of all third-party service providers in use, the PCI requirements each service provider meets, and the PCI requirements you are required to meet yourself.

Requirement 12.8 specifically requires a clear delineation of roles, with both parties signing an agreement acknowledging their responsibilities. You also need to maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

OUTSOURCING IS A GREAT WAY TO REDUCE YOUR SCOPE.


3: POINT-TO-POINT ENCRYPTION (P2PE)

Another option for scope reduction is point-to-point encryption (P2PE). P2PE is defined by PCI DSS as a process “provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”

A POS terminal is the most common P2PE process.

The POS terminal process is as follows: first, the card data is entered into the point of sale terminal; then, before the data is stored or transmitted, it is encrypted into an unreadable form; and finally, only the holder of the decryption key can make the data readable again.

Because card data is encrypted the instant the card is swiped, no unencrypted information ever resides in the payment environment, even for one millisecond. Even if a hacker installed memory scraping software on the POS register, it would only pick up useless strings of encrypted card numbers with no way to decode them.

In a nutshell, if you properly implement a validated P2PE solution and have no access to unencrypted data, encryption keys, or the system that controls the keys, you may qualify for the P2PE SAQ, with only 35 questions.

THE MOST COMMON P2PE PROCESS IS A POS TERMINAL, WHICH SHOULD USE A VALIDATED P2PE SOLUTION AND HAVE NO ACCESS TO UNENCRYPTED DATA.


4: TOKENIZATION

Tokenization is a process where a service provider takes the cardholder data and completely replaces the PAN in your environment with a surrogate value called a “token.” Usually the service provider collects the PAN at the transaction, so you never have access to it. Then, any time you want to run another transaction with that customer, you send the token and the transaction details to the third-party provider. The provider maps the token back to the PAN and sends it out for authorization.

If you properly implement tokenization so that PAN is not retrievable from any system component, you can store tokens in your database with no security consequences. Tokens are not considered PAN, so storing tokens is not in scope.

Just make sure that if you implement tokenization, you’re still not storing the PAN, or storing old caches of PAN in your environment. Run data discovery tools to find all PAN caches, so you can replace them with tokens. Anywhere PAN is removed from an environment, scope is reduced.

AVOID THESE COMMON TOKENIZATION MISTAKES

Tokenization might not be properly implemented for call centers that use IVR (interactive voice response) systems, which allow customers to enter their card number over the phone. The system will often store PAN from the transaction unless you outsource the collection process.

Tokenization might not be properly implemented in ecommerce environments. If you manually enter customer cardholder data via a website, PAN might be stored in your browser memory (if the browser is configured to cache web pages, including encrypted pages).
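The tokenization exchange described above, written as an added example and not any provider’s actual API: the provider side holds the only token-to-PAN mapping and issues random tokens, the merchant side stores the token only, and a repeat transaction sends the token back to the provider for authorization. TokenVault, MerchantRecords, the in-memory storage and the test card number are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

class TokenVault:
    """Service-provider side: the only place a token can be mapped back to PAN."""

    def __init__(self, index_key: bytes):
        # A keyed hash of the PAN lets the vault return the same token for a
        # returning customer without keeping a plaintext PAN index. A real
        # vault encrypts the stored PAN under HSM-managed keys; this
        # constructed example keeps it in memory for illustration only.
        self._index_key = index_key
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random surrogate: no mathematical relation to the PAN, so it
            # cannot be reversed without the vault. Last four kept for receipts.
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def authorize(self, token: str, amount_cents: int) -> dict:
        """Merchant sends token + amount; the provider swaps the PAN back in here."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # Stand-in for the call to the acquirer; the PAN never leaves the provider.
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        return {"approved": amount_cents > 0, "card": masked}

@dataclass
class MerchantRecords:
    """Merchant side: may store tokens freely, must never hold PAN."""
    cards: dict = field(default_factory=dict)

    def save_card(self, customer_id: str, token: str) -> None:
        self.cards[customer_id] = token

    def contains_pan(self, pan: str) -> bool:
        # The check a data discovery tool makes against the merchant's records.
        return any(pan in value for value in self.cards.values())

def demo() -> dict:
    vault = TokenVault(index_key=secrets.token_bytes(32))
    merchant = MerchantRecords()
    pan = "4111111111111111"            # published test number, constructed input
    token = vault.tokenize(pan)          # collected by the provider at first sale
    merchant.save_card("cust-42", token)
    result = vault.authorize(merchant.cards["cust-42"], 1999)   # repeat purchase
    return {
        "token": token,
        "same_token_on_repeat": vault.tokenize(pan) == token,
        "pan_in_merchant_records": merchant.contains_pan(pan),
        "approved": result["approved"],
    }
```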

TOKENIZATION IS AN EASY WAY TO REDUCE YOUR SCOPE, POSSIBLY EVEN CHANGING YOUR SAQ TYPE.


5: NETWORK SEGMENTATION

Network segmentation is a method of separating the systems that store, process, or transmit cardholder data from those that don’t.

Merchants are often set up with big flat networks, where everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it.

Flat networks make securing your card data extremely difficult because if an attacker gets inside the network, they have access to everything. As a result, your entire network is in scope for PCI.

That’s why network segmentation is such a great method to reduce scope. You simply don’t allow systems with PAN or other sensitive information to connect with other parts of your network.

NETWORK SEGMENTATION IS ONE OF THE BEST WAYS TO REDUCE THE NUMBER OF SYSTEMS THAT STORE, PROCESS, OR TRANSMIT CARD DATA (IN TURN, REDUCING YOUR SCOPE).

Here’s a great example of network segmentation via a firewall. Say you install and configure a multi-interface firewall at the edge of your network. From there, you create one interface on the firewall dedicated just to the systems that store, process, or transmit cardholder data. If that interface doesn’t allow any other traffic into or out of any other zones, that’s proper network segmentation.

A way to properly segment a network without a firewall is through an air gap. An air gap simply means having truly separate network environments for the card data environment. Specifically, the actual network equipment that runs the card data environment is totally separate from your office environment.

If you properly segment networks, you aren’t required to implement PCI requirements on out-of-scope networks. Although PCI isn’t required there, it still contains good security practices for your business.
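A policy check for the firewall-based segmentation described above, added here as an example and not part of the ebook: given the zone-to-zone rules of a default-deny, multi-interface firewall, it flags any allow rule that lets the CDE interface talk to another internal zone (which pulls that zone into scope, the log server case from earlier included) or reach anything beyond the payment processor. Zone names, the processor endpoint and both rule sets are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed zone layout: one firewall interface per zone, default deny.
CDE_ZONE = "cde"
INTERNAL_ZONES = {"cde", "office", "guest"}
# The one flow the CDE legitimately needs to leave on: card authorization
# to the processor (hostname and port are constructed for this example).
PROCESSOR_FLOWS = {("processor.example", 443)}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # "*" means any host in the destination zone
    dst_port: int   # 0 means any port
    action: str     # "allow" or "deny"


def segmentation_violations(rules):
    """List every allow rule that breaks the isolation of the CDE zone.

    Because the firewall is default deny, only allow rules can connect
    zones; deny rules and intra-zone rules are skipped.
    """
    problems = []
    for r in rules:
        if r.action != "allow" or r.src_zone == r.dst_zone:
            continue
        if CDE_ZONE not in (r.src_zone, r.dst_zone):
            continue  # office or guest Internet access is not a CDE question
        where = f"{r.src_zone}->{r.dst_zone} host={r.dst_host} port={r.dst_port}"
        other = r.dst_zone if r.src_zone == CDE_ZONE else r.src_zone
        if other in INTERNAL_ZONES:
            # Any system the CDE can talk to is in scope, log servers included.
            problems.append(f"{where}: CDE connected to internal zone {other}, "
                            "which pulls that zone into scope")
        elif r.src_zone == CDE_ZONE and (r.dst_host, r.dst_port) not in PROCESSOR_FLOWS:
            problems.append(f"{where}: CDE egress beyond the processor")
        elif r.dst_zone == CDE_ZONE:
            problems.append(f"{where}: inbound access to the CDE from outside")
    return problems


# Constructed rule sets: a typical flat setup and a segmented one.
FLAT_POLICY = [
    Rule("office", "internet", "*", 0, "allow"),
    Rule("cde", "internet", "*", 0, "allow"),               # unrestricted egress
    Rule("office", "cde", "*", 0, "allow"),                 # office PCs reach POS
    Rule("cde", "office", "logsrv.example", 514, "allow"),  # POS logs to office
]
SEGMENTED_POLICY = [
    Rule("office", "internet", "*", 0, "allow"),
    Rule("guest", "internet", "*", 0, "allow"),
    Rule("cde", "internet", "processor.example", 443, "allow"),
    Rule("office", "cde", "*", 0, "deny"),
    Rule("internet", "cde", "*", 0, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        found = segmentation_violations(policy)
        print(f"{name}: {len(found)} violation(s)")
        for p in found:
            print("  " + p)
```

In the segmented policy the POS log server would have to live inside the CDE zone itself; the moment it moves to the office zone, the checker reports the office zone as in scope.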


CONCLUSION

To reduce your PCI scope, you need to know the flows of cardholder data in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured. Because of all the recent changes and new requirements, now is an ideal time to rethink your data security and reduce your PCI compliance workload. Reducing scope will help you save money and free your staff to focus on other work responsibilities, saving you both time and resources.

ABOUT SECURITYMETRICS

SecurityMetrics has helped over 800,000 organizations comply with financial and healthcare mandates. Its solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements.

For more information about how we can help protect your customer data and reduce your PCI scope, contact us at 801.705.5656 or email [email protected].