PCI DSS for IT Providers The rules and impact on MSPs and VARs
For PCI DSS Version 3.0
#webclinic
What is PCI DSS?
• Payment Card Industry Data Security Standard
• Enforced by the PCI Security Standards Council
• Council formed by the five major card brands shown
What’s the goal?
• Cardholder data:
– Primary account number
– Cardholder name
– Expiration date
– Service code
• Sensitive authentication data:
– Full track data (from the magnetic stripe)
– CAV2 / CVC2 / CVV2 / CID
– PIN blocks
• Protect cardholder data and sensitive authentication data
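The primary account number (PAN) listed above is the element an IT provider most often finds sitting in the clear where it should not be: POS application logs, support tickets, backups. As an added example that is not part of the original deck or any Calyptix or PCI SSC material, the Python below scans text for PANs by matching 13 to 19 digit runs and validating them with the Luhn checksum (which every card PAN satisfies), then masks each hit down to its last four digits and reports which lines were affected. The sample log lines, the regex and the masking choice are my own constructions; the two card numbers in them are well-known public test numbers, not real accounts.

```python
import re

# Luhn (mod 10) checksum that every payment card PAN satisfies. A digit run
# that fails it is not a PAN, which drops about 90% of the random digit runs
# (timestamps, order numbers) a naive log scanner would otherwise flag.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# A PAN candidate is 13 to 19 digits, optionally grouped by single spaces or
# dashes, and not embedded in a longer digit run (assumed format for this example).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits

def mask_pans(text: str) -> str:
    """Replace each PAN with asterisks, keeping only the last four digits
    (a conservative masking choice made for this example)."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)

# Constructed sample log lines (not from the deck). Lines 1 and 3 leak public
# test PANs; line 2 carries a 13-digit order number that fails the Luhn check.
SAMPLE_LOG = [
    "2014-06-01 10:15:22 POS01 sale approved pan=4111111111111111 amount=42.10",
    "2014-06-01 10:15:23 POS01 order 1234567890123 shipped",
    "2014-06-01 10:15:24 POS02 refund pan=5500 0000 0000 0004 amount=9.99",
]

def scan_log(lines):
    """Report which lines store a PAN in the clear, with a masked copy of each."""
    report = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            report.append({"line": n, "count": len(pans), "masked": mask_pans(line)})
    return report

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"line {entry['line']}: {entry['count']} PAN(s) -> {entry['masked']}")
```

Run over real logs, a non-empty report is the signal that cardholder data is being stored outside the intended environment, which is exactly the scope question the next slides raise; the Luhn filter keeps the false-positive rate low enough that the report can feed a ticket rather than a triage queue.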
What does it cover?
• All components of the “cardholder data environment”
• Includes all people, processes, and technology that handle cardholder data
• Examples:
– Payment card readers, POS systems, PCs
– Firewalls, routers, switches, servers
– Purchased and custom applications
The Threat is Real
• Top motivation of cyber threats: money
• POS malware is proliferating
• Retailers large and small are being breached
Source: 2014 Verizon Data Breach Investigations Report
Who has to comply?
• Merchants
• Processors
• Financial institutions
• Service providers
• Anyone who stores, processes, or transmits cardholder data
What about MSPs and VARs?
• Must comply internally if you accept payment cards
• Must ensure the services you deliver to clients support their compliance
• Our Recommendation: Find a compliance expert
PCI DSS = Opportunity for IT Providers
• Clients need your expertise
• Offer new products and services for compliance
• Security is more than “compliance”, so offer enhanced protection
PCI DSS = Potential trap for IT Providers
• Failure to comply could cost you:
– Customer confidence
– Sales and revenue
– Reputation, brand damage
– Malpractice lawsuits
– Fines and penalties
– Cost of reissuing cards
Penalties for Noncompliance
• Card brands can issue fines of $5,000 to $100,000 per month
• Higher transaction fees
• Many small victims go out of business
– Cost of a breach can include containment, forensic investigation, legal fees, audits, card replacement
What are the rules?
• Build and Maintain a Secure Network and Systems
– 1. Install and maintain a firewall configuration to protect cardholder data
– 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– 3. Protect stored cardholder data
– 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– 5. Protect all systems against malware and regularly update anti-virus software or programs
– 6. Develop and maintain secure systems and applications
What are the rules?
• Implement Strong Access Control Measures
– 7. Restrict access to cardholder data by business need to know
– 8. Identify and authenticate access to system components
– 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– 10. Track and monitor all access to network resources and cardholder data
– 11. Regularly test security systems and processes
• Maintain an Information Security Policy
– 12. Maintain a policy that addresses information security for all personnel
How do I comply?
• Ask your merchant acquirer to walk you through the steps
• Small merchants typically must:
1. Complete a self-assessment questionnaire (SAQ)
2. Sign an attestation of compliance
3. Send required documents to the merchant acquirer
How do I comply?
• Required documents include:
1. Vulnerability scan results
2. Security policy
3. Network diagram
Vulnerability scans
• External scan of the network
• Required by PCI DSS
• Results depend on the settings and condition of the firewall
• Performed by the merchant acquirer or an approved vendor
– Examples: SecurityMetrics; Trustwave
About Calyptix
Calyptix makes network security easy for small and medium networks. Our all-in-one solution, AccessEnforcer, delivers advanced protection in a simple platform. Learn more: Calyptix.com
[email protected] 704-971-8989
Calyptix Resources
• PCI DSS for IT Providers: 4 steps for compliance – http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/
• PCI DSS and AccessEnforcer
– http://www.calyptix.com/pci-dss-accessenforcer/
• PCI DSS: Easier and cheaper compliance with SAQs
– http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/
Additional Resources
• Requirements and Security Assessment Procedures:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Report on Compliance Reporting Template
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf
• Attestation of Validation
– https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx
• Glossary of Terms, Abbreviations, and Acronyms:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
Additional Resources
• Understanding the SAQs for PCI DSS v3.0
– https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
• Self-Assessment Questionnaires
– A – https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
– B – https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
– C – https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
– D (Merchant) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
– D (Service Provider) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx