
8/13/2019

What Is Payment Card Industry (PCI) Compliance? & Do I Need It?

August 14, 2019

To Receive CPE Credit

› Individuals
  • Participate in entire webinar
  • Answer polls when they are provided
› Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete group attendance form
  • Group leader signs bottom of form
  • Submit group attendance form to [email protected] within 24 hours of webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar


Presenter

Rex Johnson, CISSP®, CISA®, CIPT, PMP®, PCIP™, QSA
Director
[email protected]

Credit Cards Are the Most Frequently Available Item on the Dark Web

› Credit cards account for most instances of identity theft
› With the rollout of the EMV chip, credit card application fraud is expected to increase in the U.S.
› Most credit card fraud is card-not-present (CNP) fraud
› Internationally, CNP fraud rose by 7%, resulting in $242.1 million in losses
› Interestingly enough, credit card numbers sell for about $1 each on the dark web

Sources: FICO, https://www.fico.com/enterprisefraud/; Fortune, http://fortune.com/2017/02/01/credit-card-chips-fraud/; Australian Payments Network, 2018, https://www.auspaynet.com.au/


What Is PCI Compliance?

› Many years ago, the payment card brands elected to have a common standard for assessing the protection of cardholder data (CHD)
› They implemented the Payment Card Industry Data Security Standard (PCI DSS)
› If an organization accepts card payment & stores, processes or transmits cardholder data, it needs to be PCI DSS compliant
› PCI DSS is a set of rules, not a law, that is enforced by the payment brands & governed by the PCI Security Standards Council

What Is the Security Standards Council?

› PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council
› Created to increase controls around cardholder data to reduce credit card fraud
› Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSA)
› The council administers several standards, each aimed at a different audience:
  • PCI DSS: merchants & service providers; the secure environment in which cardholder data is handled
  • PCI PA-DSS: software developers; payment applications
  • PCI PTS: manufacturers; PIN entry devices
  • P2PE: point-to-point encryption solutions


PCI DSS

› PCI DSS defines technical & operational requirements for
  • Organizations accepting or processing card payment transactions; &
  • Software developers & manufacturers of applications & devices used in those transactions
› QSAs are trained to conduct PCI DSS assessments
  • Code of conduct that sets standards, including avoiding conflicts of interest
  • Requires initial training & certification exam
  • Annual training & recertification exam
  • Must maintain working papers for assessments for three years

How Do You Take Credit Card Payments?

› Organizations (called merchants in the PCI world) typically have more than one way to take a payment
› Each way is known as a payment channel
  • In person
  • Payment devices (POS / POI)
  • Mail order
  • Online
  • Phone (telephone orders)


Two Types of Assessments

ROC
• Report on compliance (ROC)
• Must be performed by an independent organization
• Led by a QSA
• Level 1 merchants & service providers
• Acquiring banks may elect to have other levels do a ROC

SAQ
• Self-assessment questionnaire (SAQ)
• Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance
• May engage a QSA to assist or perform
• Eight different types of SAQs
• All levels except Level 1

Either path ends in an Attestation of Compliance (AOC). The organization's bank (acquirer) or the card brands will determine the type of assessment.

PCI Levels – Merchants in General

Level | Annual transactions | Validation actions | Validated by
1 | More than 6 million | Annual on-site security audit (ROC) & quarterly network scan | Independent assessor (QSA) or PCI-trained internal assessor (IA); scans conducted by an ASV
2 | 1 to 6 million | Annual self-assessment questionnaire (SAQ) & quarterly network scan | Merchant (self-assessment); scans conducted by an ASV
3 | 20,000 to 1 million | Annual SAQ & quarterly network scan | Merchant (self-assessment); scans conducted by an ASV
4 | 20,000 or fewer | Annual SAQ; network scan recommended | Merchant (self-assessment)

Transaction counts are per card brand and acquirer programs vary; the thresholds above are the ones commonly used. Level 1 starts above 6 million transactions, matching the summary at the end of this deck.


Service Providers

› A service provider is a business that is not a payment brand & is directly involved in the processing, storage or transmission of cardholder data
› Performs these duties on behalf of another entity
› Includes companies that provide services to merchants, other service providers or other entities that control or could impact the security of cardholder data
› Examples include
  • Data centers
  • Transaction processors
  • Managed service providers (MSP)
  • Payment gateways
  • Vendors that provide POS maintenance

PCI Levels – Service Providers in General

Level | Who | Validation actions | Validated by
1 | Payment gateways & processors | Annual on-site security audit (ROC) & quarterly network scan | Independent assessor (QSA) or PCI-trained internal assessor (IA); scans conducted by an ASV
2 | Storage/transmission/processing above 1 million transactions | Annual SAQ & quarterly network scan | Self-assessment; scans conducted by an ASV
3 | Storage/transmission/processing below 1 million transactions | Annual SAQ & quarterly network scan | Self-assessment; scans conducted by an ASV


PCI SAQ Types

› The type of SAQ depends on the type of merchant environment & is confirmed by the acquirer
  • A: card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions; no electronic CHD storage
  • A-EP: e-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose website controls how cardholder data is redirected to that third party (partial outsourcing); no electronic CHD storage
  • B: merchants using a) imprint machines or b) standalone dial-out terminals; no electronic CHD storage
  • B-IP: standalone, PTS-approved payment terminals with an IP connection to the payment processor; no electronic CHD storage
  • C-VT: merchants that manually enter a single transaction at a time into an internet-based virtual payment terminal (not e-commerce); no electronic CHD storage
  • C: payment application systems connected to the internet; no electronic CHD storage
  • P2PE: hardware payment terminals managed by a validated P2PE solution (not e-commerce); no electronic CHD storage
  • D: all merchants not included in the above (service providers eligible for self-assessment also use SAQ D)

PCI DSS Requirements

Six goals, twelve requirements:

› Build & maintain a secure network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters
› Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
› Maintain a vulnerability management program
  5. Use & regularly update anti-virus software or programs
  6. Develop & maintain secure systems & applications
› Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
› Regularly monitor & test networks
  10. Track & monitor all access to network resources & cardholder data
  11. Regularly test security systems & processes
› Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel


Requirement 1: Install & Maintain Firewall Configuration to Protect Cardholder Data

› Firewalls are required to protect the cardholder data environment (CDE)
› Restrict traffic from "untrusted" networks & hosts; deny everything not explicitly allowed
› Prohibit direct public access from the internet to the CDE
› Although network segmentation is a good idea (it shrinks the assessed scope), it is not required
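The "prohibit direct public access from the internet to the CDE" and "deny all other traffic" points can be checked mechanically against a ruleset export rather than by eyeballing. The following is an added example written for this page; it is not the presenter's code or a PCI SSC tool. The rule format (action, protocol, source CIDR, destination CIDR, destination port), the CDE range 10.20.0.0/16 and the sample rules are all constructed assumptions for illustration.

```python
"""Audit a simplified firewall ruleset for the intent of PCI DSS Requirement 1:
no allow rule may let an untrusted (non-RFC 1918) source reach the CDE, and the
ruleset must end in an explicit deny-all. Rule format and addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical CDE address space for the example (assumption, not from the page).
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# RFC 1918 space; any source not wholly inside it is treated as untrusted here.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any port


def is_untrusted_source(src: str) -> bool:
    """A source range is trusted only if it lies entirely inside RFC 1918 space.
    0.0.0.0/0 ("any") is untrusted even though it also covers private addresses."""
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE_NETWORKS)


def reaches_cde(dst: str) -> bool:
    """True if the destination range overlaps any CDE network."""
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.overlaps(c) for c in CDE_NETWORKS)


def find_violations(rules: List[Rule]) -> List[str]:
    """One finding per allow rule that lets an untrusted source reach the CDE.
    Rules are judged individually, the way an assessor reads a ruleset; an
    earlier deny does not excuse an overly broad allow, which should be removed."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if reaches_cde(r.dst) and is_untrusted_source(r.src):
            port = "any port" if r.dport is None else f"port {r.dport}"
            findings.append(f"rule {i}: allow {r.proto} from {r.src} to CDE {r.dst} on {port}")
    return findings


def has_default_deny(rules: List[Rule]) -> bool:
    """Requirement 1.2.1: deny all traffic not explicitly permitted; look for a
    terminal deny-any rule so nothing falls through to a permissive default."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.src == "0.0.0.0/0"
            and last.dst == "0.0.0.0/0" and last.dport is None)


# Constructed sample ruleset (not from the page): a DMZ web tier in front of the CDE.
SAMPLE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "172.16.5.0/24", 443),        # internet -> DMZ web: fine
    Rule("allow", "tcp", "172.16.5.0/24", "10.20.1.0/24", 8443),    # DMZ -> CDE app tier: fine
    Rule("allow", "tcp", "0.0.0.0/0", "10.20.1.5/32", 3389),        # internet -> CDE host RDP: violation
    Rule("allow", "any", "203.0.113.0/24", "10.20.0.0/16", None),   # vendor range -> whole CDE: violation
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),            # terminal deny-all
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_RULES):
        print("VIOLATION", f)
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

The two flagged rules are exactly the kind an assessor looks for: a "temporary" remote-access hole opened straight from the internet, and a vendor range allowed into the entire CDE on every port. A real audit would also have to resolve object groups and zone names before applying these checks.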

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Other Security Parameters

› Network devices & systems ship with default passwords, SNMP community strings & accounts
› Remove or change these defaults before the device goes into the CDE; default credentials are published & are the first thing an attacker tries
› Documented configuration (hardening) standards are part of this requirement; they should be based on industry-accepted guides such as
  • NIST
  • ISO
  • SANS
  • CIS (Center for Internet Security)


Requirement 3: Protect Stored Cardholder Data

› Implement data retention & disposal processes; keep cardholder data only as long as there is a business, legal or regulatory need
› Never store sensitive authentication data (full track data, card verification code, PIN) after authorization, even if encrypted
› Do not store the full PAN in readable form; wherever it is stored it must be rendered unreadable (truncation, one-way hashing, index tokens, or strong encryption with proper key management)
› When the PAN is displayed, mask it: at most the first six & last four digits may be shown
› Encryption for additional protection (with documented key management)
› Consider additional security measures, such as tokenization

Tokenization

› The process of replacing a credit card number (PAN) with a surrogate value (a token) that has no mathematical relationship to the original data; the mapping lives only in a secured token vault
› A token is useless to an attacker outside the tokenization system, & with payment tokens it may only be valid for a specific merchant or transaction
› Reduces the risk of credit card data theft or misuse & can shrink PCI DSS scope, because systems that hold only tokens no longer store CHD
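The Requirement 3 points above (mask to first six / last four, never keep the full PAN where it is not needed) and the tokenization description are easier to reason about in code. The following is an added example written for this page, not the presenter's code or any vendor's product: a Luhn check, a display-masking function, a toy token vault that issues random tokens, and a scanner that finds unmasked PANs in free text such as application logs (a common way Requirement 3 is failed in practice). The log lines and card numbers are constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known test numbers. A real vault would be an encrypted, access-controlled service inside the CDE, not an in-memory dictionary.

```python
"""PAN handling for PCI DSS Requirement 3: Luhn validation, display masking,
random (non-derived) tokenization with a vault, and a leak scanner for logs.
Added example; all sample data is constructed."""
import re
import secrets
from typing import Dict, List, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits remain,
    which is the most PCI DSS permits to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Toy vault: tokens are random, so holding tokens reveals nothing about PANs."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid PAN")
        if digits in self._by_pan:                # same PAN always maps to the same token
            return self._by_pan[digits]
        while True:
            # Keep the last four so staff can still identify the card; the rest is
            # random. Reject candidates that pass Luhn so a token can never be
            # mistaken for, or used as, a real card number.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = middle + digits[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; this call must be tightly access-controlled."""
        return self._by_token[token]


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (matched text, masked form) for every Luhn-valid candidate in the text.
    Order numbers and timestamps that fail Luhn are ignored, which keeps false
    positives down when scanning logs for leaked cardholder data."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.group(0), mask_pan(digits)))
    return hits


# Constructed sample log (not from the page); line 1 and 3 leak full PANs.
SAMPLE_LOG = """\
2019-08-13 10:01:22 INFO order=20190813000123 status=ok card=4111 1111 1111 1111
2019-08-13 10:01:23 INFO order=20190813000124 card=411111******1111 (masked)
2019-08-13 10:02:05 WARN retry card=5500-0000-0000-0004 amount=19.99
2019-08-13 10:02:06 INFO txn_id=1234567890123 fine
"""

if __name__ == "__main__":
    for raw, masked in find_pans(SAMPLE_LOG):
        print(f"leaked PAN {raw!r}; should have been logged as {masked}")
    vault = TokenVault()
    print("token:", vault.tokenize("4111 1111 1111 1111"))
```

Running the scanner over a log export, a database dump or a support-ticket archive is a quick way to discover storage of cardholder data the business did not know it had, which then either has to be eliminated or brought into scope.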


Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

› Use strong cryptography & security protocols where CHD is transmitted over public networks (SSL & early TLS are no longer acceptable; see Appendix A2)
› Includes wireless networks
› Never send unprotected PANs by end-user messaging
  • Don't email card numbers
  • Don't send them over IM

Requirement 5: Use & Regularly Update Anti-Virus Software or Programs

› Use anti-virus software on systems commonly affected by malware
› Maintain & actively run current anti-virus definitions
› Prevent users from disabling or altering anti-virus
› Generate & review activity logs


Requirement 6: Develop & Maintain Secure Systems & Applications

› Keep system patches current
  • Critical patches deployed within 30 days of release
› Risk-rank newly discovered vulnerabilities
› Change control processes & procedures
› Secure coding guidelines

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

› Limit access only to those whose job requires it
› Documented approval for access
› Access control systems in place
  • Deny all unless specifically allowed
  • Only those with a business need


Requirement 8: Identify & Authenticate Access to System Components

› Unique IDs required & proper authentication
› Strong password parameters
› Multifactor authentication
  • Two or more authentication methods
    › Something you know (password),
    › Have (token) or
    › Are (biometric)
› Do not use group, shared or generic IDs
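"Strong password parameters" is concrete in the standard even though the slide does not list the numbers. The following is an added example written for this page, not the presenter's code: a small authenticator that enforces the PCI DSS v3.2.1 values (minimum length 7 with letters and digits, change at least every 90 days, no reuse of the last four, lockout after six failed attempts for at least 30 minutes, re-authentication after 15 minutes idle; these numbers are taken from the standard, not from this deck). The account store, the clock injection and the user names are constructed for illustration.

```python
"""Password policy, lockout and idle-timeout rules from PCI DSS v3.2.1 Requirement 8.
Added example; the Authenticator class and its storage are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LENGTH = 7                 # 8.2.3
MAX_AGE_DAYS = 90              # 8.2.4
HISTORY_DEPTH = 4              # 8.2.5
MAX_FAILURES = 6               # 8.1.6
LOCKOUT_SECONDS = 30 * 60      # 8.1.7
IDLE_SECONDS = 15 * 60         # 8.1.8


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-SHA256; returns salt || digest so history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def matches(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def check_password_policy(candidate: str, history: List[bytes]) -> List[str]:
    """Return every rule the candidate violates; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (8.2.3)")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits (8.2.3)")
    if any(matches(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords (8.2.5)")
    return problems


@dataclass
class Account:
    user_id: str                        # one ID per person; no shared or generic IDs (8.1.1, 8.5)
    password_set_at: float
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    history: List[bytes] = field(default_factory=list)   # newest last


class Authenticator:
    """`now` is passed in so the time rules can be exercised without waiting;
    a real system reads a synchronized clock (Requirement 10)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, user_id: str, password: str, now: float) -> None:
        acct = Account(user_id, password_set_at=now, last_activity=now)
        acct.history.append(hash_password(password))
        self.accounts[user_id] = acct

    def change_password(self, user_id: str, new_password: str, now: float) -> List[str]:
        acct = self.accounts[user_id]
        problems = check_password_policy(new_password, acct.history)
        if not problems:
            acct.history.append(hash_password(new_password))
            acct.password_set_at = now
        return problems

    def login(self, user_id: str, password: str, now: float) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"                     # do not reveal whether the ID exists
        if now < acct.locked_until:
            return "locked"                     # still inside the lockout window
        if not matches(password, acct.history[-1]):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:   # sixth consecutive failure locks the ID
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return "locked"
            return "denied"
        acct.failures = 0
        acct.last_activity = now
        if now - acct.password_set_at > MAX_AGE_DAYS * 86400:
            return "password_expired"           # force a change before granting access
        return "ok"

    def session_valid(self, user_id: str, now: float) -> bool:
        """Idle sessions must re-authenticate after 15 minutes (8.1.8)."""
        return now - self.accounts[user_id].last_activity <= IDLE_SECONDS
```

Note the two places where implementations commonly go wrong: the lockout check must happen before the password is verified (otherwise a correct guess during the window still succeeds), and the failure counter must be consecutive failures, reset on success, so a normal user with one typo is not locked out weeks later.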

Requirement 9: Restrict Physical Access to Cardholder Data

› Limit & monitor physical access to systems in the CDE
› Procedures to distinguish between on-site personnel & visitors
› Visitors are authorized & a log is maintained
› Backups are secure
› Media is classified & safeguarded
› Destroy media when no longer in use
› Training for identifying tampered devices


Device Tampering: Skimming

› A skimming device is a camouflaged counterfeit card reader that records the card's information
› It still allows the cardholder to complete their transaction, so the theft goes unnoticed
› Used at ATMs, retail stores, restaurants & taxis
› Can sometimes be a hand-held skimmer small enough to fit into a pocket

Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data

› Audit trail for all users who have access to CHD
› Logging of invalid access attempts
› Restricted access to logs
› Prevent log tampering (file-integrity monitoring or change detection on log files)
› Time synchronization
  • Critical systems' time synchronized from a trusted source
  • Unable to tamper with time data
› Retain audit history for at least one year, with the most recent three months immediately available for analysis
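"Prevent log tampering" is usually satisfied with a log collector plus file-integrity monitoring, but the underlying idea is easy to show directly. The following is an added example written for this page, not the presenter's code: an audit trail whose records are chained with an HMAC, so that editing, deleting or reordering a record after the fact breaks the chain, and whose latest chain value ("head") can be shipped to a central log server so that silently truncating the tail is detectable too. The key handling is simplified (a constant in the test), the record fields follow what PCI DSS 10.3 asks for (user, event type, date and time, outcome, affected resource), and the events are constructed.

```python
"""Tamper-evident audit trail for PCI DSS Requirement 10 using an HMAC chain.
Added example; key management is simplified for illustration."""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = b"\x00" * 32   # chain value before the first record


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key                     # in production held by the collector, not the app host
        self.records: List[dict] = []
        self._prev = GENESIS

    def _tag(self, record: dict, prev: bytes) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical fields always give the same tag.
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()

    def append(self, ts: float, user: str, event: str, outcome: str, target: str) -> dict:
        """Record one event; seq and the previous tag bind it to its position in the chain."""
        record = {"seq": len(self.records), "ts": ts, "user": user,
                  "event": event, "outcome": outcome, "target": target}
        tag = self._tag(record, self._prev)
        entry = dict(record, tag=tag)
        self.records.append(entry)
        self._prev = bytes.fromhex(tag)
        return entry

    def head(self) -> str:
        """Latest chain value; ship it to the central log server after each batch."""
        return self._prev.hex()

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return the seq of the first record at which the chain breaks, or None if intact.
        With expected_head, a truncated tail is reported as a break at len(records)."""
        prev = GENESIS
        for i, entry in enumerate(self.records):
            record = {k: v for k, v in entry.items() if k != "tag"}
            if entry.get("seq") != i:
                return i                                    # reordered or removed record
            if not hmac.compare_digest(self._tag(record, prev), str(entry.get("tag", ""))):
                return i                                    # field or tag modified
            prev = bytes.fromhex(entry["tag"])
        if expected_head is not None and prev.hex() != expected_head:
            return len(self.records)                        # tail truncated
        return None


def failed_logins(log: AuditLog) -> List[dict]:
    """Requirement 10.2.4: invalid logical access attempts must be logged and reviewable."""
    return [r for r in log.records if r["event"] == "login" and r["outcome"] == "failure"]


if __name__ == "__main__":
    log = AuditLog(key=b"example-key-not-for-production")   # constructed key
    log.append(1565690482.0, "rjohnson", "login", "success", "pos-admin")
    log.append(1565690500.0, "jdoe", "login", "failure", "pos-admin")
    log.append(1565690600.0, "rjohnson", "read_chd", "success", "orders-db")
    print("intact:", log.verify(log.head()) is None)
    log.records[1]["outcome"] = "success"                  # someone hides a failed login
    print("first bad record:", log.verify())
```

The chain alone cannot see a deleted tail, which is why `head()` exists: the value the collector last received is compared against the local chain on the next review, and any shortfall is a finding. The same reason is behind the requirement to write logs to a central server promptly rather than only keeping them on the host that produced them.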


Requirement 11: Regularly Test Security Systems & Processes

› Identify authorized & rogue wireless access points
› Run internal & external network vulnerability scans quarterly
› Internal & external penetration testing annually (service providers must also test segmentation controls at least every six months)
› Intrusion detection & prevention in place

Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel

› Establish, publish & maintain security policies for PCI
› Daily operational security procedures
› Usage policies for technology in the CDE
› Assign personnel with security responsibilities
› Security awareness program
› Employee screening prior to hiring
› Policies for service providers with CDE access
› Incident response plan in place


Appendices

› Appendix A1: additional PCI DSS requirements for shared hosting providers
  • Protecting each entity's hosted environment & data
  • Restricting each entity's access to only its own environment
› Appendix A2: additional PCI DSS requirements for entities using SSL/early TLS for card-present POS POI terminal connections
› Appendix A3: Designated Entities Supplemental Validation (DESV)
  • Only for entities designated by a payment brand or acquirer
  • Additional validation steps as required

Why Is PCI DSS Compliance Important?

› Hackers & large international organized crime groups target merchants & their payment channels
› High fees for noncompliance with PCI DSS
  • At the discretion of the payment brands
  • $5,000 to $10,000 per month
› The fallout of a card data breach
  • The resulting costs can be significant
  • A breach could result in an average cost of $200 per card number lost
  • Long-term reputational effects on an organization


Lack of PCI Compliance Can Cost

› Lost confidence; customers go to other merchants
› Diminished sales
› Cost of reissuing new payment cards
› Fines
› Fraud losses
› Higher subsequent costs of compliance
› Termination of the ability to accept credit cards
› Going out of business

Benefits of PCI Compliance

› The security of cardholder data affects everyone
› Increases security of cardholder data
› Customer confidence
› Better protection for clients
› Universal principles
› Avoidance of fines
› Reduces the cost of a breach


Compensating Controls

› If an organization cannot meet a PCI DSS requirement as stated, the assessor can determine whether compensating controls are in place that sufficiently offset the risk
› The compensating controls worksheet in the ROC template covers
  1. Constraints
  2. Objectives
  3. Identified risk
  4. Definition of compensating controls
  5. Validation of compensating controls
  6. Maintenance
› A compensating control must meet the intent & rigor of the original requirement, provide a similar level of defense, & go above & beyond other PCI DSS requirements (it cannot simply be another requirement the organization already has to meet)
› Management must approve compensating controls, & they must be documented & re-validated as part of every annual assessment

Summary

› PCI compliance is a requirement, but not a law, from the card brands for any organization that stores, processes or transmits payment card data
› Card brands set the standards & have the right to invoke penalties against organizations that fail PCI compliance
› The PCI Security Standards Council is the governing body that trains & qualifies assessors (QSAs)
› Organizations with more than six million card transactions annually must have a report on compliance (ROC) by an independent QSA company
› Other organizations are able to do a self-assessment questionnaire (SAQ)
› There are 12 requirements in PCI DSS, each with a number of questions/controls
› The cost of noncompliance is significant


Continuing Professional Education Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org


CPE Credit

› CPE credit may be awarded upon verification of participant attendance

› For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

bkd.com | @BKDLLP

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered

Rex Johnson | [email protected] | @BKDCyber