Joel Garmon
garmonjs@wfu.edu
Wake Forest University
What is PCI-DSS?
• PCI-DSS = Payment Card Industry Data Security Standard
• A common set of industry tools and measurements to ensure safe handling of sensitive information.
• The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
• Established by the credit card industry in response to an increase in identity theft and credit card fraud.
• Every merchant who handles credit card data is responsible for safeguarding that information, can be held liable for security compromises, and must comply with PCI-DSS.
• Credit Card = Debit Card: the standard treats both the same.
Scope of the Standard
[Figure: range of credit card handling covered by the standard, from manual (handwritten) processing to electronic processing]
Background
• 7/1/2006 – PCI DSS v1.0
• 1/1/2011 – PCI DSS v2.0 (begins 3-year release cycle)
• 1/1/2014 – PCI DSS v3.0
• 1/1/2017 (projected) – PCI DSS v4.0
Background (cont.) – Merchants
Merchant Level | Description
2 | 1M–6M transactions/year
Account Data | Data Element | Storage Permitted | Protection Required | If Allowed to Store, Must Render Unreadable
Cardholder Data | Primary Account Number (PAN) | YES | YES | YES
Cardholder Data | Cardholder Name | YES | YES | NO
Cardholder Data | Service Code | YES | YES | NO
Cardholder Data | Expiration Date | YES | YES | NO
Sensitive Authentication Data | Full Magnetic Stripe Data | NO | n/a | n/a
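As an added example (not from the original slides), the storage rules in the table above expressed as code: the PAN is rendered unreadable by truncation or a keyed hash, the cardholder data the table permits is kept, and sensitive authentication data is dropped. The field names, the first-six/last-four truncation format and the sample record are assumptions.

```python
import hashlib
import hmac
import re

# Cardholder data the table allows to be stored once protected
# (Storage Permitted YES, Render Unreadable NO). Field names are assumptions.
STORABLE_CLEAR = ("cardholder_name", "service_code", "expiration_date")


def luhn_valid(pan: str) -> bool:
    """Sanity-check a PAN with the Luhn checksum (a format check, not a secret)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation, one of the Requirement 3.4
    methods: keep at most the first six and last four digits and replace the
    rest with X (assumed truncation format for 16-digit PANs)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Alternative 3.4 method: keyed one-way hash (HMAC-SHA256), so the stored
    value cannot be rebuilt from the truncated PAN without the secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return only the fields the table permits to be stored. The PAN is
    truncated; everything not on the allowlist, including full magnetic
    stripe data (sensitive authentication data), is dropped."""
    pan = re.sub(r"\D", "", record["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("PAN fails length or Luhn check")
    stored = {"pan_truncated": truncate_pan(pan)}
    for field in STORABLE_CLEAR:
        if field in record:
            stored[field] = record[field]
    return stored


# Constructed sample record; the PAN is a widely used test number, not a real card.
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
                 "expiration_date": "12/27", "service_code": "201",
                 "track_data": "CONSTRUCTED-FULL-MAGNETIC-STRIPE-DATA"}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD))
```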
Background (cont.) – Merchant SAQs
• Must be able to answer Yes or N/A (with comments) to each question
• Document compensating controls
    - Compensating controls must "meet the intent and rigor" of the original PCI DSS requirement
    - They must "provide a similar level of defense"
    - See Appendix B, "Compensating Controls", in the PCI DSS 3.1 guidelines
Background (cont.) – SAQ vs ROC
• If you self-assess, you submit an SAQ (Self-Assessment Questionnaire)
• If you use a QSA (Qualified Security Assessor) to assess your compliance, the QSA must use the ROC (Report on Compliance) for your institution
Executive Support
• Old cliché: you need executive buy-in
    - Socialize and network with different departments: Finance, Legal, Compliance, Audit, Provost, Athletics, Bookstore, Advancement (Alumni Affairs)
• Executive sponsorship
    - An individual such as the CFO, or an existing committee of senior executive leadership
• PCI Committee
    - Usually chaired by the CISO and someone from Finance
    - Include all major areas that accept credit cards
    - Written policy and procedures (expect push back)
    - Training and education for key stakeholders
    - New merchant IDs reviewed and approved by the PCI Committee
Getting Certified
• Identify a senior person in the department for each merchant ID
    - Can be responsible for multiple merchant IDs
    - Is responsible for ensuring all requirements are met and documented
        Highly recommend using the bank's or QSA's website to maintain documentation; keep a copy on your own systems as it is completed
    - Signs off on the PCI certification
        Signature of Merchant Executive Officer (signature block from the PCI DSS Attestation of Compliance)
        Highlights that this is a merchant requirement, not an IT requirement
• IT Security
    - Assists merchants with understanding the requirements
    - Provides or coordinates any technical support required (firewalls, patching, AV, ...)
    - Assists with documentation
    - Internal Security Assessor (ISA) also signs the certification (if one is used)
    - Encourages use of P2PE (point-to-point encryption) wherever possible
• Work closely with Finance, since they already have a relationship with the departments / merchants
• Progress should be monitored by the PCI Committee or another governance body
Determine What Questionnaire to Complete Per Merchant
• Identify the applicable SAQ for your environment; refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
• SAQ A. Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
    - Not applicable to face-to-face channels.
• SAQ A-EP. E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant's systems or premises.
    - Applicable only to e-commerce channels.
• SAQ B. Merchants using only:
    - Imprint machines with no electronic cardholder data storage, and/or
    - Standalone, dial-out terminals with no electronic cardholder data storage.
    - Not applicable to e-commerce channels.
• SAQ B-IP. Merchants using only standalone, PIN Transaction Security (PTS) approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
    - Not applicable to e-commerce channels.
• SAQ C-VT. Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
    - Not applicable to e-commerce channels.
• SAQ D. All merchants not included in the descriptions for the above SAQ types.
Requirements Overview
Requirement | Sub-Requirements
Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know; 8. Identify and authenticate access to system components; 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel
These 12 sub-requirements can be further refined into 240 requirements depending on the type of merchant.
Example – SAQ B Information
Requirement | Total Number of Questions
3 – Protect stored cardholder data | 5
4 – Encrypt transmission of cardholder data across open, public networks | 1
7 – Restrict access to cardholder data by business need to know | 3
Total Questions | 38
Discussion Questions
• What is a Payment Application Data Security Standard (PA-DSS) compliant application?
• How do I find out if an application is PA-DSS certified?
    - www.pcisecuritystandards.org/assessors_and_solutions/payment_applications
• Is encrypted data still in scope for PCI DSS?
• Is VoIP in scope for PCI DSS?
• Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?
• Can I fax payment card numbers and still be PCI DSS compliant?
• Can an entity be PCI DSS compliant if it has performed quarterly scans but does not have four "passing" scans?
• Can I store the security code (CAV2/CVC2/CVV2/CID) in paper format?
• Are hashed Primary Account Numbers (PAN) considered cardholder data that must be protected in accordance with PCI DSS?
• Does PCI DSS apply to debit cards, debit payments, and debit systems?
• Are digital images containing cardholder data and/or sensitive authentication data included in the scope of the PCI DSS?
• Can VLANs be used for network segmentation?