The ABC’s of PCI DSS

Eric Beschinski, Relationship Manager, and Kay Limbaugh, Specialist, Electronic Bills & Payments

Utility Payment Conference

Posted 22-Feb-2016


Page 1: The ABC’s of PCI DSS

The ABC’s of PCI DSS

Eric Beschinski, Relationship Manager
Kay Limbaugh, Specialist, Electronic Bills & Payments

Utility Payment Conference

Page 2

Awareness

Benefits &

Consequences

Page 3

What is PCI Compliance?

• Misnomer… PCI DSS v2.0
• Comprehensive security standards
– QRG is 34 pages
– Official Document is 75 pages
• PCI SSC
• Standards endorsed by the card brands

Page 4

Moving Target

• Snapshot (point in time)
• Requires continual monitoring
• One minor change could remove the organization from compliance

Page 5

What isn’t PCI Compliance?

• Not legislation
• Not a “one-time deal”
• Not just your processor or POS provider’s problem
• Not a one-size-fits-all scenario
– Different for each merchant
– Different for each card brand

Page 6

PCI DSS Overview

Goals:
• Build & Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program

Requirements:
1. Firewall
2. Change all passwords from system defaults
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks (the Internet)
5. Use updated antivirus software
6. Develop and maintain secure systems & applications

Page 7

PCI DSS Overview

Goals:
• Implement Strong Access Control Measures
• Regularly Monitor & Test Networks
• Maintain an Information Security Policy

Requirements:
7. Restrict access to cardholder data by “need-to-know”
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track & monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
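Requirement 3 (protect stored cardholder data) is the one merchants most often fail by accident: a full PAN copied into an application log, a call recording note, or a support ticket is stored cardholder data whether anyone intended it or not. The following is an added example, not code from the presentation or from either presenter’s company, showing one small control that supports that requirement: a Luhn (mod 10) check to recognise candidate card numbers in free text, and masking to the first six and last four digits before the text is written anywhere. The digit-pattern regex, the 6/4 masking rule and the sample numbers are assumptions made for this illustration; the card numbers below are constructed test values, not real accounts.

```python
"""Added illustration of a PCI DSS requirement 3 control (not from the deck):
find Luhn-valid card numbers in free text and mask them before storage."""
import re

# Assumption for this example: a candidate PAN is 13 to 19 digits, optionally
# separated by single spaces or dashes (as people type them on a call).
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Only digit strings of at least 13 characters are considered, matching
    the shortest PAN length in common use.
    """
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # doubled values above 9 are reduced by 9
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest.

    Separators are dropped so the masked form is uniform regardless of how
    the number was typed.
    """
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN found in free text with its masked form.

    Digit runs that fail the Luhn check (order numbers, phone numbers) are
    left untouched, so legitimate reference data survives redaction.
    """
    def _sub(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample log lines; 4111 1111 1111 1111 is a Luhn-valid test
    # number, 4111111111111112 is the same number with a broken check digit.
    samples = [
        "2016-02-22 payment accepted card 4111 1111 1111 1111 amount 84.20",
        "2016-02-22 lookup ref 4111111111111112 not found",
    ]
    for line in samples:
        print(redact_pans(line))
```

Run the file directly to see the two constructed lines redacted: the Luhn-valid number is written as `411111******1111`, while the reference number that fails the check is left as typed. In a real deployment this filter would sit in the logging handler and in any process that stores call notes, so the check happens before the data is persisted rather than after.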

Page 8

Big Picture

Accountability

Best Practices

Consumer Safety

Page 9

Steps

Assess ↔ Remediate ↔ Report

Page 10

You are not compliant if you don’t…

1. Complete the SAQ annually
2. Have your network scanned for vulnerabilities quarterly by an ASV (for processing via a system connected to the Internet)
3. QSA or internal audit

Page 11

Who really knows if you’re compliant?

• Only top-level management (and maybe a QSA)
• NOT…
– Your processor
– Your POS provider
– Your IT company
– A sales person
• Nobody without a SAQ

Page 12

Enforcement?

• Lacking
• No problem until there’s a problem
• Like the Health Dept...
• From those in authority, it’s enforcement after-the-fact
• Up to you to be proactively self-enforced to prevent a breach

Page 13

Why be concerned?

• Investigative fees
• Fines
• Cost to upgrade/fix the problem
• Lawsuits
• Blacklist
• Media
• Customer confidence
• Very, very expensive!

Page 14

Another Breach & Counting…

• 333 breaches as of 8/1 with almost 23M records affected, including
– Sony
– Epsilon
– Citigroup
– Lockheed Martin
• 603 breaches in 2010 affecting over 12M records
• Since 2005, over 2600 breaches affecting over 535M records

Data provided by PrivacyRights.org

Page 15

Top 10 Breaches

10. TD Ameritrade Holding Corp (2007)
9. Fidelity National Information Services/Certegy Check Services Inc. (2007)
8. Sony, PlayStation Network (PSN), Sony Online Entertainment (SOE) (2011)
7. Bank of New York Mellon (2008)
6. Countrywide Financial Corp. (2008)
5. US Dept. of Veterans Affairs (2006)
4. CardSystems (2005)
3. US Military Veterans (2009)
2. TJ Stores (2007)
1. Heartland (2009)

Page 16

Heartland

• Certified compliant just weeks before the breach
• Security breach discovered in Jan 2009 (had been in place for possibly 6 months prior)
• De-certified post-breach
• Hundreds of millions in fines/fees/lawsuits
• Bad press

Page 17

Turning it around

• Re-certified May 2009
• Proactive response
• Good press
• National Restaurant Association
• Launched E3 May 2010
• Earnings up
• Stronger than ever

Page 18

Lessons to be learned from the Heartland breach

• PCI DSS is a good minimum standard but will not guarantee safety
• If your company is big enough you will become a target
• No security is fail-proof
• Criminals working continually to break in

Page 19

Who is most at risk?

• All merchants
– Level 1 & 2 (High Value)
– Level 3 (High Risk)
– Level 4 (High Success / Quick Return)

Page 20

Then What Good is PCI DSS?

• Ensures that you are not an EASY target (low-hanging fruit)
• Common sense security measures
• Possibly some protection from fines/lawsuits
– Good faith argument
– Responsible party argument

Page 21

Key Issues for Utility Industry

Applications:
• Software
– POS
– Antivirus
– Firewall
– Web/Payment Gateway
• Hardware
– Firewall
– POS
– PIN Pads
• Business Procedures
– Recording calls
– Storing card data
– Access Control
• Connection
– VOIP
– Encryption

Page 22

Myths

1. One vendor/product will make us compliant
2. Outsourcing card processing will make us compliant
3. Compliance is an IT project
4. Compliance will make us secure
5. PCI DSS is unreasonable; it requires too much

Page 23

Myths

6. PCI DSS requires us to hire a QSA
7. We don’t take enough credit cards to require compliance
8. We completed a SAQ so we’re compliant
9. PCI DSS makes us store cardholder data
10. PCI DSS is too hard

Page 24

In Conclusion

Always

Be

Compliant!

Page 25

Alphabet Soup

• AOC – Attestation of Compliance
• ASV – Approved Scanning Vendor
• DSS – Data Security Standard
• ISA – Internal Security Assessor
• PA-DSS – Payment Application Data Security Standard
• PAN – Primary Account Number
• PCI – Payment Card Industry
• PED – PIN Entry Device
• PFI – PCI Forensic Investigator
• PIN – Personal Identification Number
• PTS – PIN Transaction Security (formerly PED)
• QRG – Quick Reference Guide
• QSA – Qualified Security Assessor
• ROC – Report On Compliance
• SAQ – Self-Assessment Questionnaire
• SSC – Security Standards Council

Page 26

Q & A

Eric Beschinski
Relationship Manager
Heartland Payment [email protected]

Kay Limbaugh
Specialist, Electronic Bills & Payments
Portland General [email protected]